
Solved Help removing virus/malware. Can't use System Restore

Discussion in 'Malware and Virus Removal Archive' started by Arna, 2009/12/24.

  1. 2009/12/24
    Arna

    Arna Inactive Thread Starter

    Joined:
    2009/12/24
    Messages:
    11
    Likes Received:
    0
    [Resolved] Help removing virus/malware. Can't use System Restore

    Hi all!

    It seems that my computer has caught some bad viruses, spyware, adware or whatever it might be. It keeps notifying me that the computer is infected and automatically tries to install new virus programs.

    I can't reach the System Restore function. I've tried using Safe Mode, but here's the tricky part:
    I have a user connected to a certain domain that I can select on the log-in screen. While running in Safe Mode it says that either my password is incorrect or that I've chosen the wrong domain to log in to, and Safe Mode won't let me change anything on the log-in screen so that I may log in. At the log-in screen during normal startup, I can choose to log into either "JBESK" or "JBESK (My Computer)", where "JBESK" is the domain name. If I choose the second alternative, I can't log in.

    Probably the Safe Mode log-in is set to the second domain.
    That's what I think the problem is with not being able to log in during Safe Mode. Are there any other ways to get access to Safe Mode, or just to get rid of the viruses/malware?




    **DDS TEXT**


    DDS (Ver_09-12-01.01) - NTFSx86
    Run by marjoh01 at 2:58:06,82 on 2009-12-25
    Internet Explorer: 8.0.6001.18702
    Microsoft Windows XP Professional 5.1.2600.3.1252.46.1053.18.2038.1392 [GMT 1:00]

    AV: Malware Defense *On-access scanning enabled* (Outdated) {28e00e3b-806e-4533-925c-f4c3d79514b9}
    AV: Symantec Endpoint Protection *On-access scanning enabled* (Outdated) {FB06448E-52B8-493A-90F3-E43226D3305C}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\Program\Intel\WiFi\bin\S24EvMon.exe
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program\Delade filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program\Bonjour\mDNSResponder.exe
    C:\Program\Intel\WiFi\bin\EvtEng.exe
    C:\Program\Java\jre6\bin\jqs.exe
    C:\Program\Delade filer\Intel\WirelessCommon\RegSrvc.exe
    C:\Program\CyberLink\Shared Files\RichVideo.exe
    C:\Program\SigmaTel\C-Major Audio\WDM\StacSV.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program\Intel\WiFi\bin\WLKeeper.exe
    C:\WINDOWS\system32\SearchIndexer.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\stsystra.exe
    C:\Program\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Program\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
    C:\Program\Java\jre6\bin\jusched.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program\Intel\WiFi\bin\ZCfgSvc.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\Program\Delade filer\Intel\WirelessCommon\iFrmewrk.exe
    C:\Program\Delade filer\Logitech\QCDriver3\LVCOMS.EXE
    C:\Program\Delade filer\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    C:\Program\CyberLink\PCM4Everio\EverioService.exe
    C:\Program\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\wbem\unsecapp.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\DOCUME~1\marjoh01\LOKALA~1\Temp\richtx64.exe
    C:\DOCUME~1\marjoh01\LOKALA~1\Temp\wscsvc32.exe
    C:\Program\iPod\bin\iPodService.exe
    C:\Program\Java\jre6\bin\jucheck.exe
    C:\Documents and Settings\All Users\Application Data\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\marjoh01\Mina dokument\Hämtade filer\dds.scr

    ============== Pseudo HJT Report ===============

    uInternet Settings,ProxyOverride = fronter.com;www.fronter.com;<local>;*.local
    uInternet Settings,ProxyServer = jbesk-student1:8080
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program\delade filer\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program\microsoft office\office12\GrooveShellExtensions.dll
    BHO: Windows Live inloggningshjälpen: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program\delade filer\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
    EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
    uRun: [QuickTime Task] "c:\program\quicktime\QTTask.exe" -atboottime
    uRun: [msnmsgr] "c:\program\windows live\messenger\msnmsgr.exe" /background
    uRun: [DAEMON Tools Lite] "c:\program\daemon tools lite\daemon.exe" -autorun
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [richtx64.exe] c:\docume~1\marjoh01\lokala~1\temp\richtx64.exe
    uRun: [Malware Defense] "c:\program\malware defense\mdefense.exe" -noscan
    mRun: [SigmatelSysTrayApp] stsystra.exe
    mRun: [GrooveMonitor] "c:\program\microsoft office\office12\GrooveMonitor.exe "
    mRun: [Acrobat Assistant 8.0] "c:\program\adobe\acrobat 8.0\acrobat\Acrotray.exe "
    mRun: [<NO NAME>]
    mRun: [SunJavaUpdateSched] "c:\program\java\jre6\bin\jusched.exe "
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [IntelZeroConfig] "c:\program\intel\wifi\bin\ZCfgSvc.exe "
    mRun: [IntelWireless] "c:\program\delade filer\intel\wirelesscommon\iFrmewrk.exe" /tf Intel Wireless Tray
    mRun: [ccApp] "c:\program\delade filer\symantec shared\ccApp.exe "
    mRun: [LVCOMS] c:\program\delade filer\logitech\qcdriver3\LVCOMS.EXE
    mRun: [EverioService] "c:\program\cyberlink\pcm4everio\EverioService.exe "
    mRun: [QuickTime Task] "c:\program\quicktime\QTTask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program\itunes\iTunesHelper.exe "
    dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
    StartupFolder: c:\docume~1\marjoh01\start-~1\program\autost~1\dropbox.lnk - c:\documents and settings\marjoh01\application data\dropbox\bin\Dropbox.exe
    StartupFolder: c:\docume~1\alluse~1\start-~1\program\autost~1\window~1.lnk - c:\program\windows desktop search\WindowsSearch.exe
    uPolicies-system: HideLogonScripts = 0 (0x0)
    IE: Append to existing PDF - c:\program\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert link target to Adobe PDF - c:\program\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert link target to existing PDF - c:\program\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert selected links to Adobe PDF - c:\program\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert selected links to existing PDF - c:\program\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Convert selection to Adobe PDF - c:\program\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert selection to existing PDF - c:\program\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert to Adobe PDF - c:\program\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: E&xportera till Microsoft Excel - c:\program\micros~2\office12\EXCEL.EXE/3000
    IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program\messenger\msmsgs.exe
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\program\micros~2\office12\REFIEBAR.DLL
    DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1242115496953
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1242115409765
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
    DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
    DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
    Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program\microsoft office\office12\GrooveSystemServices.dll
    Notify: igfxcui - igfxdev.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program\microsoft office\office12\GrooveShellExtensions.dll
    SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program\windows desktop search\MSNLNamespaceMgr.dll

    ============= SERVICES / DRIVERS ===============

    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program\delade filer\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-8-27 102448]
    R3 NAVENG;NAVENG;c:\program\delade~1\symant~1\virusd~1\20091123.037\NAVENG.SYS [2009-11-24 84912]
    R3 NAVEX15;NAVEX15;c:\program\delade~1\symant~1\virusd~1\20091123.037\NAVEX15.SYS [2009-11-24 1323568]
    S2 ccEvtMgr;Symantec Event Manager;c:\program\delade filer\symantec shared\ccSvcHst.exe [2009-5-12 108392]
    S2 ccSetMgr;Symantec Settings Manager;c:\program\delade filer\symantec shared\ccSvcHst.exe [2009-5-12 108392]
    S2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program\symantec\symantec endpoint protection\Rtvscan.exe [2009-5-12 2440632]
    S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2009-5-12 23904]
    S3 Mkd2kfNt;Mkd2kfNt;c:\windows\system32\drivers\Mkd2kfNT.sys [2009-12-23 131072]
    S3 Mkd2Nadr;Mkd2Nadr;c:\windows\system32\drivers\Mkd2Nadr.sys [2009-12-23 79104]
    S3 Smcinst;Symantec Auto-upgrade Agent;c:\program\symantec\symantec endpoint protection\smclu\setup\smcinst.exe --> c:\program\symantec\symantec endpoint protection\smclu\setup\smcinst.exe [?]

    =============== Created Last 30 ================

    2009-12-25 01:18:57 2 --shatr- c:\windows\winstart.bat
    2009-12-25 01:18:32 0 d-----w- c:\program\UnHackMe
    2009-12-25 01:00:07 0 d-----w- c:\docume~1\marjoh01\applic~1\Uniblue
    2009-12-25 00:44:13 665 ----a-w- c:\windows\system32\krl32mainweq.dll
    2009-12-25 00:43:11 206 ----a-w- c:\windows\system32\srcr.dat
    2009-12-23 19:26:53 767328 ----a-w- c:\windows\system32\kdfinj.dll
    2009-12-23 19:26:50 79104 ----a-w- c:\windows\system32\drivers\Mkd2Nadr.sys
    2009-12-23 19:26:50 131072 ----a-w- c:\windows\system32\drivers\Mkd2kfNT.sys
    2009-12-23 19:09:26 0 d-----w- c:\program\NEXON
    2009-12-13 11:18:26 61528 ---ha-w- c:\windows\system32\mlfcache.dat
    2009-12-12 13:08:38 0 d-----w- c:\documents and settings\marjoh01\Bullfrog
    2009-12-12 13:07:52 0 d-----w- c:\windows\system\KEEPER
    2009-11-30 12:28:40 147 ----a-w- c:\documents and settings\marjoh01\.java.policy
    2009-11-30 12:28:40 0 d-----w- c:\docume~1\marjoh01\applic~1\Agency9

    ==================== Find3M ====================

    2009-12-10 10:54:28 466468 ----a-w- c:\windows\system32\perfh01D.dat
    2009-12-10 10:54:27 93064 ----a-w- c:\windows\system32\perfc01D.dat
    2009-11-19 16:45:48 38 ----a-w- c:\documents and settings\marjoh01\jagex_runescape_preferences.dat
    2009-11-19 16:44:49 63 ----a-w- c:\documents and settings\marjoh01\jagex_runescape_preferences2.dat
    2009-10-29 07:44:35 916480 ----a-w- c:\windows\system32\wininet.dll
    2009-10-21 05:40:44 75776 ----a-w- c:\windows\system32\strmfilt.dll
    2009-10-21 05:40:44 25088 ----a-w- c:\windows\system32\httpapi.dll
    2009-10-13 10:38:09 270848 ----a-w- c:\windows\system32\oakley.dll
    2009-10-12 13:40:17 79872 ----a-w- c:\windows\system32\raschap.dll
    2009-10-12 13:40:17 150016 ----a-w- c:\windows\system32\rastls.dll
    2007-12-12 09:46:44 16384 --sha-w- c:\windows\system32\config\systemprofile\lokala inställningar\application data\microsoft\feeds cache\index.dat
    2008-05-19 10:03:53 32768 --sha-w- c:\windows\system32\config\systemprofile\lokala inställningar\tidigare\history.ie5\mshist012008051920080520\index.dat

    ============= FINISH: 2:58:33,53 ===============





    **ATTACH TEXT**


    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_09-12-01.01)

    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 2009-06-15 09:23:46
    System Uptime: 2009-12-25 02:40:24 (0 hours ago)

    Motherboard: Dell Inc. | | 0KU184
    Processor: Intel(R) Core(TM)2 Duo CPU T7100 @ 1.80GHz | Microprocessor | 1793/200mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 44 GiB total, 6,161 GiB free.
    D: is FIXED (NTFS) - 31 GiB total, 26,794 GiB free.
    E: is CDROM (CDFS)
    F: is CDROM ()

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    RP44: 2009-10-17 17:17:52 - Systemkontrollpunkt
    RP45: 2009-10-18 17:34:28 - Systemkontrollpunkt
    RP46: 2009-10-19 20:49:21 - Systemkontrollpunkt
    RP47: 2009-10-21 00:51:45 - Systemkontrollpunkt
    RP48: 2009-10-22 15:48:28 - Systemkontrollpunkt
    RP49: 2009-10-23 11:39:48 - Software Distribution Service 3.0
    RP50: 2009-10-23 12:17:19 - Skrivardrivrutinen Microsoft XPS Document Writer installerad
    RP51: 2009-10-24 03:40:44 - Software Distribution Service 3.0
    RP52: 2009-10-25 04:12:48 - Systemkontrollpunkt
    RP53: 2009-10-26 04:19:47 - Systemkontrollpunkt
    RP54: 2009-10-27 22:19:46 - Systemkontrollpunkt
    RP55: 2009-10-29 00:50:42 - Systemkontrollpunkt
    RP56: 2009-11-02 10:15:45 - Systemkontrollpunkt
    RP57: 2009-11-15 08:01:57 - Systemkontrollpunkt
    RP58: 2009-11-04 11:52:53 - Systemkontrollpunkt
    RP59: 2009-11-05 11:23:37 - Software Distribution Service 3.0
    RP60: 2009-11-05 19:00:27 - Installed Project64 1.6
    RP61: 2009-11-06 20:39:47 - Systemkontrollpunkt
    RP62: 2009-11-07 21:11:22 - Systemkontrollpunkt
    RP63: 2009-11-09 13:07:33 - Systemkontrollpunkt
    RP64: 2009-11-10 13:23:42 - Systemkontrollpunkt
    RP65: 2009-11-11 21:33:16 - Systemkontrollpunkt
    RP66: 2009-11-12 00:15:39 - DirectX har installerats
    RP67: 2009-11-12 03:00:32 - Software Distribution Service 3.0
    RP68: 2009-11-13 11:08:11 - Systemkontrollpunkt
    RP69: 2009-11-14 12:12:36 - Systemkontrollpunkt
    RP70: 2009-11-16 16:32:00 - Systemkontrollpunkt
    RP71: 2009-11-17 21:16:19 - Systemkontrollpunkt
    RP72: 2009-11-19 01:29:01 - Systemkontrollpunkt
    RP73: 2009-11-19 11:07:28 - iTunes installerades
    RP74: 2009-11-20 17:06:12 - Systemkontrollpunkt
    RP75: 2009-11-23 12:02:35 - Systemkontrollpunkt
    RP76: 2009-11-24 20:46:26 - Systemkontrollpunkt
    RP77: 2009-11-26 14:24:59 - Software Distribution Service 3.0
    RP78: 2009-11-27 14:57:02 - Systemkontrollpunkt
    RP79: 2009-11-28 16:15:36 - Systemkontrollpunkt
    RP80: 2009-11-29 20:01:23 - Systemkontrollpunkt
    RP81: 2009-11-30 20:51:30 - Systemkontrollpunkt
    RP82: 2009-12-02 15:17:20 - Systemkontrollpunkt
    RP83: 2009-12-03 16:16:00 - Systemkontrollpunkt
    RP84: 2009-12-06 16:21:51 - Systemkontrollpunkt
    RP85: 2009-12-08 16:14:47 - Systemkontrollpunkt
    RP86: 2009-12-09 15:57:24 - Software Distribution Service 3.0
    RP87: 2009-12-10 00:56:30 - Software Distribution Service 3.0
    RP88: 2009-12-11 12:27:21 - Systemkontrollpunkt
    RP89: 2009-12-12 15:30:21 - Systemkontrollpunkt
    RP90: 2009-12-13 16:02:06 - Systemkontrollpunkt
    RP91: 2009-12-14 20:58:29 - Systemkontrollpunkt
    RP92: 2009-12-15 21:11:53 - Systemkontrollpunkt
    RP93: 2009-12-17 00:45:18 - Systemkontrollpunkt
    RP94: 2009-12-18 00:46:31 - Systemkontrollpunkt
    RP95: 2009-12-20 19:20:41 - Systemkontrollpunkt
    RP96: 2009-12-21 20:42:08 - Systemkontrollpunkt
    RP97: 2009-12-22 21:46:43 - Systemkontrollpunkt
    RP98: 2009-12-24 11:10:29 - Systemkontrollpunkt

    ==== Installed Programs ======================

    Add or Remove Adobe Creative Suite 3 Master Collection
    Adobe Acrobat 8 Professional
    Adobe Acrobat 8.1.4 Professional
    Adobe After Effects CS3
    Adobe After Effects CS3 Presets
    Adobe Anchor Service CS3
    Adobe Asset Services CS3
    Adobe Bridge CS3
    Adobe Bridge Start Meeting
    Adobe BridgeTalk Plugin CS3
    Adobe Camera Raw 4.0
    Adobe CMaps
    Adobe Color - Photoshop Specific
    Adobe Color Common Settings
    Adobe Color EU Extra Settings
    Adobe Color JA Extra Settings
    Adobe Color NA Recommended Settings
    Adobe Creative Suite 3 Master Collection
    Adobe Default Language CS3
    Adobe Device Central CS3
    Adobe Dreamweaver CS3
    Adobe ExtendScript Toolkit 2
    Adobe Extension Manager CS3
    Adobe Fireworks CS3
    Adobe Flash CS3
    Adobe Flash Player 10 Plugin
    Adobe Flash Player 9 ActiveX
    Adobe Flash Video Encoder
    Adobe Fonts All
    Adobe Help Viewer CS3
    Adobe Illustrator CS3
    Adobe InDesign CS3
    Adobe InDesign CS3 Icon Handler
    Adobe Linguistics CS3
    Adobe MotionPicture Color Files
    Adobe PDF Library Files
    Adobe Photoshop CS3
    Adobe Premiere Pro CS3
    Adobe Premiere Pro CS3 Functional Content
    Adobe Premiere Pro CS3 Third Party Content
    Adobe Setup
    Adobe SING CS3
    Adobe Soundbooth CS3
    Adobe Soundbooth CS3 Codecs
    Adobe Stock Photos CS3
    Adobe Type Support
    Adobe Update Manager CS3
    Adobe WAS CS3
    Adobe Version Cue CS3 Client
    Adobe Video Profiles
    Adobe WinSoft Linguistics Plugin
    Adobe XMP DVA Panels CS3
    Adobe XMP Panels CS3
    AHV content for Acrobat and Flash
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    µTorrent
    Audacity 1.2.6
    Bonjour
    Broadcom Gigabit Integrated Controller
    Cheat Engine 5.5
    Conexant HDA D330 MDC V.92 Modem
    DAEMON Tools Toolbar
    Digital Photo Navigator 1.5
    Dropbox
    Dungeon Keeper
    Equation Grapher with Regression Analyzer
    Europe MapleStory
    High Definition Audio Driver Package - KB835221
    Hotfix for Microsoft .NET Framework 3.0 (KB932471)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows XP (KB915800-v4)
    Hotfix for Windows XP (KB954550-v5)
    Intel PROSet Wireless
    Intel(R) Graphics Media Accelerator Driver
    Intel(R) PROSet för trådlösa WiFi-anslutningar
    iTunes
    Java(TM) 6 Update 13
    Java(TM) 6 Update 5
    LiveUpdate 3.3 (Symantec Corporation)
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB953297)
    Microsoft .NET Framework 1.1 Swedish Language Pack
    Microsoft .NET Framework 2.0 Language Pack - SVE
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.0 Swedish Language Pack
    Microsoft .NET Framework 3.5 SP1
    Microsoft Application Error Reporting
    Microsoft Base Smart Card Cryptographic Service Provider Package
    Microsoft Choice Guard
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft Office 2007 Service Pack 2 (SP2)
    Microsoft Office Access MUI (Swedish) 2007
    Microsoft Office Enterprise 2007
    Microsoft Office Excel 2007 Help Uppdatering (KB963678)
    Microsoft Office Excel MUI (Swedish) 2007
    Microsoft Office Groove MUI (Swedish) 2007
    Microsoft Office InfoPath MUI (Swedish) 2007
    Microsoft Office OneNote MUI (Swedish) 2007
    Microsoft Office Outlook MUI (Swedish) 2007
    Microsoft Office Powerpoint 2007 Help Uppdatering (KB963669)
    Microsoft Office PowerPoint MUI (Swedish) 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (Finnish) 2007
    Microsoft Office Proof (German) 2007
    Microsoft Office Proof (Swedish) 2007
    Microsoft Office Proofing (Swedish) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    Microsoft Office Publisher MUI (Swedish) 2007
    Microsoft Office Shared MUI (Swedish) 2007
    Microsoft Office Word 2007 Help Uppdatering (KB963665)
    Microsoft Office Word MUI (Swedish) 2007
    Microsoft Silverlight
    Microsoft Software Update for Web Folders (Swedish) 12
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 Redistributable
    Mozilla Firefox (3.5.6)
    mProSafe
    MSVCRT
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 6.0 Parser (KB933579)
    mWlsSafe
    OGA Notifier 1.7.0105.35.0
    OZ776 SCR Driver V1.1.3.9
    PDF Settings
    PhotohomeDesigner
    PowerCinema NE for Everio
    PowerDirector Express
    PowerProducer
    Project64 1.6
    QuickTime
    Security Update for 2007 Microsoft Office System (KB969559)
    Security Update for 2007 Microsoft Office System (KB973704)
    Security Update for Microsoft Office Excel 2007 (KB973593)
    Security Update for Microsoft Office Outlook 2007 (KB972363)
    Security Update for Microsoft Office PowerPoint 2007 (KB957789)
    Security Update for Microsoft Office Publisher 2007 (KB969693)
    Security Update for Microsoft Office system 2007 (972581)
    Security Update for Microsoft Office system 2007 (KB969613)
    Security Update for Microsoft Office system 2007 (KB974234)
    Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
    Security Update for Microsoft Office Word 2007 (KB969604)
    Security Update for Windows Search 4 - KB963093
    Segoe UI
    SigmaTel Audio
    Snabbkorrigering för Windows Internet Explorer 7 (KB947864)
    Snabbkorrigering för Windows Media Player 11 (KB939683)
    Snabbkorrigering för Windows XP (KB952287)
    Snabbkorrigering för Windows XP (KB961118)
    Snabbkorrigering för Windows XP (KB970653-v3)
    Snabbkorrigering för Windows XP (KB976098-v2)
    Säkerhetsuppdatering för Windows Internet Explorer 7 (KB938127)
    Säkerhetsuppdatering för Windows Internet Explorer 7 (KB942615)
    Säkerhetsuppdatering för Windows Internet Explorer 7 (KB956390)
    Säkerhetsuppdatering för Windows Internet Explorer 7 (KB963027)
    Säkerhetsuppdatering för Windows Internet Explorer 8 (KB971961)
    Säkerhetsuppdatering för Windows Internet Explorer 8 (KB974455)
    Säkerhetsuppdatering för Windows Internet Explorer 8 (KB976325)
    Säkerhetsuppdatering för Windows Media Player (KB911564)
    Säkerhetsuppdatering för Windows Media Player (KB952069)
    Säkerhetsuppdatering för Windows Media Player (KB954155)
    Säkerhetsuppdatering för Windows Media Player (KB968816)
    Säkerhetsuppdatering för Windows Media Player (KB973540)
    Säkerhetsuppdatering för Windows Media Player 11 (KB936782)
    Säkerhetsuppdatering för Windows Media Player 11 (KB954154)
    Säkerhetsuppdatering för Windows Media Player 6.4 (KB925398)
    Säkerhetsuppdatering för Windows XP (KB923561)
    Säkerhetsuppdatering för Windows XP (KB923689)
    Säkerhetsuppdatering för Windows XP (KB938464)
    Säkerhetsuppdatering för Windows XP (KB941569)
    Säkerhetsuppdatering för Windows XP (KB946648)
    Säkerhetsuppdatering för Windows XP (KB950762)
    Säkerhetsuppdatering för Windows XP (KB950974)
    Säkerhetsuppdatering för Windows XP (KB951066)
    Säkerhetsuppdatering för Windows XP (KB951376-v2)
    Säkerhetsuppdatering för Windows XP (KB951698)
    Säkerhetsuppdatering för Windows XP (KB951748)
    Säkerhetsuppdatering för Windows XP (KB952004)
    Säkerhetsuppdatering för Windows XP (KB952954)
    Säkerhetsuppdatering för Windows XP (KB954211)
    Säkerhetsuppdatering för Windows XP (KB954459)
    Säkerhetsuppdatering för Windows XP (KB954600)
    Säkerhetsuppdatering för Windows XP (KB955069)
    Säkerhetsuppdatering för Windows XP (KB956391)
    Säkerhetsuppdatering för Windows XP (KB956572)
    Säkerhetsuppdatering för Windows XP (KB956744)
    Säkerhetsuppdatering för Windows XP (KB956802)
    Säkerhetsuppdatering för Windows XP (KB956803)
    Säkerhetsuppdatering för Windows XP (KB956841)
    Säkerhetsuppdatering för Windows XP (KB956844)
    Säkerhetsuppdatering för Windows XP (KB957095)
    Säkerhetsuppdatering för Windows XP (KB957097)
    Säkerhetsuppdatering för Windows XP (KB958644)
    Säkerhetsuppdatering för Windows XP (KB958687)
    Säkerhetsuppdatering för Windows XP (KB958690)
    Säkerhetsuppdatering för Windows XP (KB958869)
    Säkerhetsuppdatering för Windows XP (KB959426)
    Säkerhetsuppdatering för Windows XP (KB960225)
    Säkerhetsuppdatering för Windows XP (KB960715)
    Säkerhetsuppdatering för Windows XP (KB960803)
    Säkerhetsuppdatering för Windows XP (KB960859)
    Säkerhetsuppdatering för Windows XP (KB961371-v2)
    Säkerhetsuppdatering för Windows XP (KB961373)
    Säkerhetsuppdatering för Windows XP (KB961501)
    Säkerhetsuppdatering för Windows XP (KB968537)
    Säkerhetsuppdatering för Windows XP (KB969059)
    Säkerhetsuppdatering för Windows XP (KB969947)
    Säkerhetsuppdatering för Windows XP (KB970238)
    Säkerhetsuppdatering för Windows XP (KB970430)
    Säkerhetsuppdatering för Windows XP (KB971486)
    Säkerhetsuppdatering för Windows XP (KB971557)
    Säkerhetsuppdatering för Windows XP (KB971633)
    Säkerhetsuppdatering för Windows XP (KB971657)
    Säkerhetsuppdatering för Windows XP (KB973354)
    Säkerhetsuppdatering för Windows XP (KB973507)
    Säkerhetsuppdatering för Windows XP (KB973525)
    Säkerhetsuppdatering för Windows XP (KB973869)
    Säkerhetsuppdatering för Windows XP (KB973904)
    Säkerhetsuppdatering för Windows XP (KB974112)
    Säkerhetsuppdatering för Windows XP (KB974318)
    Säkerhetsuppdatering för Windows XP (KB974392)
    Säkerhetsuppdatering för Windows XP (KB974571)
    Säkerhetsuppdatering för Windows XP (KB975025)
    Säkerhetsuppdatering för Windows XP (KB975467)
    Spotify
    Symantec Endpoint Protection
    System Requirements Lab
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft Office InfoPath 2007 (KB976416)
    Update for Outlook 2007 Junk Email Filter (kb976884)
    Uppdatering för Windows Internet Explorer 8 (KB969497)
    Uppdatering för Windows Internet Explorer 8 (KB976749)
    Uppdatering för Windows XP (KB943729)
    Uppdatering för Windows XP (KB951072-v2)
    Uppdatering för Windows XP (KB951978)
    Uppdatering för Windows XP (KB955839)
    Uppdatering för Windows XP (KB961503)
    Uppdatering för Windows XP (KB967715)
    Uppdatering för Windows XP (KB968389)
    Uppdatering för Windows XP (KB971737)
    Uppdatering för Windows XP (KB973687)
    Uppdatering för Windows XP (KB973815)
    WebFldrs XP
    VideoLAN VLC media player 0.8.6d
    Viktig uppdatering för Windows Media Player 11 (KB959772)
    Windows Communication Foundation Language Pack - SVE
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Imaging Component
    Windows Internet Explorer 7
    Windows Internet Explorer 8
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live inloggningsassistenten
    Windows Live Messenger
    Windows Live Upload Tool
    Windows Media Format 11 runtime
    Windows Media Format SDK Hotfix - KB891122
    Windows Media Player 11
    Windows Presentation Foundation
    Windows Presentation Foundation Language Pack (SVE)
    Windows Search 4.0
    Windows Workflow Foundation SV Language Pack
    Windows XP Service Pack 3
    WinRAR
    XML Paper Specification Shared Components Language Pack 1.0
    XML Paper Specification Shared Components Pack 1.0

    ==== End Of File ===========================
     
    Arna,
    #1
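Added here as an illustration, not code from the thread or from the DDS tool: a small Python triage pass over a constructed DDS excerpt laid out like the log above (a handful of its lines copied, the rest omitted). It flags what a reviewer looks for first: executables running or autostarting from a Temp directory, more than one registered AV product, AV entries reported Outdated, an AV autorun started with -noscan, and drivers whose file date is within a week of the log date. The sample lines and the 7-day window are assumptions.

```python
import re
from datetime import date, timedelta

# Constructed excerpt in the layout DDS uses above (a few lines copied, the rest omitted).
SAMPLE_DDS = r"""Run by marjoh01 at 2:58:06,82 on 2009-12-25

AV: Malware Defense *On-access scanning enabled* (Outdated) {28e00e3b-806e-4533-925c-f4c3d79514b9}
AV: Symantec Endpoint Protection *On-access scanning enabled* (Outdated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\spoolsv.exe
C:\DOCUME~1\marjoh01\LOKALA~1\Temp\richtx64.exe
C:\DOCUME~1\marjoh01\LOKALA~1\Temp\wscsvc32.exe
C:\Program\iTunes\iTunesHelper.exe

============== Pseudo HJT Report ===============

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [richtx64.exe] c:\docume~1\marjoh01\lokala~1\temp\richtx64.exe
uRun: [Malware Defense] "c:\program\malware defense\mdefense.exe" -noscan
mRun: [ccApp] "c:\program\delade filer\symantec shared\ccApp.exe "

============= SERVICES / DRIVERS ===============

S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2009-5-12 23904]
S3 Mkd2kfNt;Mkd2kfNt;c:\windows\system32\drivers\Mkd2kfNT.sys [2009-12-23 131072]
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")          # "=== Running Processes ==="
RUN_DATE_RE = re.compile(r"\bon (\d{4}-\d{2}-\d{2})\b")  # "... on 2009-12-25"
AUTORUN_RE = re.compile(r"^([udm]Run):\s*\[(.*?)\]\s*(.*)$")
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*?)\s*\[(\d{4}-\d{1,2}-\d{1,2})\s+\d+\]$")
TEMP_DIR_RE = re.compile(r"\\(?:temp|tmp)\\", re.IGNORECASE)


def command_path(command):
    """Executable path of an autorun command line: the quoted part, else the first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end].strip() if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def parse_dds(text):
    """Split a DDS log into (run date, AV lines, {section title: non-empty lines})."""
    run_date, av_products, sections, current = None, [], {}, "header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            continue
        if current == "header":
            dm = RUN_DATE_RE.search(line)
            if dm:
                run_date = date.fromisoformat(dm.group(1))
            if line.startswith("AV: "):
                av_products.append(line[4:])
        sections.setdefault(current, []).append(line)
    return run_date, av_products, sections


def triage(text, recent_days=7):
    """Return (category, detail) findings in the order a reviewer would walk the log."""
    run_date, av_products, sections = parse_dds(text)
    findings = []
    if len(av_products) > 1:  # two AV products registered at once is worth a question
        findings.append(("multiple-av", "; ".join(p.split(" *")[0] for p in av_products)))
    for p in av_products:
        if "(Outdated)" in p:
            findings.append(("av-outdated", p.split(" *")[0]))
    for path in sections.get("Running Processes", []):
        if TEMP_DIR_RE.search(path):  # live process image sitting in a Temp directory
            findings.append(("process-in-temp", path))
    for line in sections.get("Pseudo HJT Report", []):
        m = AUTORUN_RE.match(line)
        if not m:
            continue
        hive, name, command = m.groups()
        path = command_path(command)
        if TEMP_DIR_RE.search(path):  # persistence pointing into Temp
            findings.append(("autorun-in-temp", f"{hive} [{name}] {path}"))
        if "-noscan" in command.lower() and any(name.lower() in p.lower() for p in av_products):
            findings.append(("av-autorun-noscan", f"{hive} [{name}] {command}"))
    for line in sections.get("SERVICES / DRIVERS", []):
        m = SERVICE_RE.match(line)
        if not m or run_date is None:
            continue
        _state, svc, _desc, path, ymd = m.groups()
        y, mo, d = (int(x) for x in ymd.split("-"))
        if run_date - date(y, mo, d) <= timedelta(days=recent_days):  # driver dropped recently
            findings.append(("recent-driver", f"{svc} {path} ({ymd})"))
    return findings
```

Run `triage(SAMPLE_DDS)` to list the findings; the Temp-resident process that also has a uRun entry shows up twice, once per view, which is the point of checking both sections.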
  2. 2009/12/24
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Is Norton your current security program, or am I seeing some leftovers?
    Who created the other account?
    Are you the main administrator?

    Please download ComboFix from Here or Here to your Desktop.


    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    • Please, never rename Combofix unless instructed.
    • Close any open browsers.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    NOTE. If Combofix asks you to install Recovery Console, please allow it.

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    • Double click on combofix.exe & follow the prompts.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure, you re-enable your security programs, when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!


    Download HijackThis:
    http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/download
    by clicking on Installer under Version 2.0.2
    [DO NOT download version 2.0.3 (beta)]
    Install, and run it.
    Post the HijackThis log.
    Do NOT attempt to fix anything!

    NOTE. If you're using Vista, right click on HijackThis, and click Run as Administrator
     


  4. 2009/12/25
    Arna

    Arna Inactive Thread Starter

    Joined:
    2009/12/24
    Messages:
    11
    Likes Received:
    0
    Norton is my security program. It was the standard, but I've been wondering if it's even active at all.

    The thing is that I use this computer to log in to a server at work. This is a computer assigned to me, and the account was created by our administrator. I'm supposed to have administrator rights, but he is also able to log in to this computer with his username if I'm connected to the server/domain at work.
    I could ask him to fix the computer for me, but he would just swipe the whole computer clean and I would have to install everything from the beginning. So I thought that I could get some help in resolving it on my own.

    I can't seem to get ComboFix to work. I downloaded it to my desktop, but when I try to run it, it doesn't start. I just get a security warning asking me if I want to run the program. After that nothing happens.
     
    Arna,
    #3
  5. 2009/12/25
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    DDS says it's not updated, so it may be inactive. You need to find out its status, or whether you have the authority to uninstall it and put something else in instead.

    Delete your Combofix file. Download one from HERE
    I renamed it for a reason.
    Follow same instructions.
     
  6. 2009/12/25
    Arna

    Arna Inactive Thread Starter

    Joined:
    2009/12/24
    Messages:
    11
    Likes Received:
    0
    **ComboFix text**

    ComboFix 09-12-25.02 - marjoh01 2009-12-25 21:07:54.1.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.46.1053.18.2038.1538 [GMT 1:00]
    Körs från: c:\documents and settings\marjoh01\Skrivbord\7cftr56ey.exe
    AV: Symantec Endpoint Protection *On-access scanning enabled* (Outdated) {FB06448E-52B8-493A-90F3-E43226D3305C}
    .

    ((((((((((((((((((((((((((((((((((((((( Andra raderingar ))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\docume~1\marjoh01\LOKALA~1\Temp\wscsvc32.exe
    c:\program\Cheat Engine\dbk32.sys
    c:\recycler\S-1-5-21-3495054330-2083259864-2121258603-500
    c:\recycler\S-1-5-21-3991436212-3495054330-4070995279-500
    c:\windows\system32\drivers\H8SRToyxyijbppq.sys
    c:\windows\system32\H8SRTacpeiunaor.dat
    c:\windows\system32\H8SRTdmlatveomp.dll
    c:\windows\system32\H8SRTgaryltfbcp.dll
    c:\windows\system32\krl32mainweq.dll
    c:\windows\system32\pagefileconfig.vbs
    c:\windows\system32\srcr.dat
    c:\windows\system32\winio.vxd

    .
    ((((((((((((((((((((((((((((((((((((((( Drivrutiner/Tjänster )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Service_H8SRTd.sys
    -------\Legacy_H8SRTd.sys


    (((((((((((((((((((((((( Filer Skapade från 2009-11-25 till 2009-12-25 ))))))))))))))))))))))))))))))
    .

    2009-12-25 19:53 . 2009-12-25 19:53 -------- d-----w- c:\program\Malware Defense
    2009-12-25 19:48 . 2009-12-25 19:52 -------- d-----w- C:\7cftr56ey
    2009-12-25 03:53 . 2009-12-25 03:53 50968 ----a-w- c:\windows\system32\avgfwdx.dll
    2009-12-25 03:53 . 2009-12-25 03:53 30104 ----a-w- c:\windows\system32\drivers\avgfwdx.sys
    2009-12-25 02:31 . 2009-12-25 03:53 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
    2009-12-25 02:27 . 2009-12-25 02:27 -------- d-----w- c:\documents and settings\marjoh01\Application Data\AVG8
    2009-12-25 01:18 . 2009-12-25 01:18 2 --shatr- c:\windows\winstart.bat
    2009-12-25 01:18 . 2009-12-25 01:44 -------- d-----w- c:\program\UnHackMe
    2009-12-25 01:00 . 2009-12-25 01:00 -------- d-----w- c:\documents and settings\marjoh01\Application Data\Uniblue
    2009-12-25 00:43 . 2009-12-25 00:43 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
    2009-12-23 19:26 . 2009-12-23 19:26 767328 ----a-w- c:\windows\system32\kdfinj.dll
    2009-12-23 19:26 . 2008-10-17 08:50 79104 ----a-w- c:\windows\system32\drivers\Mkd2Nadr.sys
    2009-12-23 19:26 . 2008-10-17 08:50 131072 ----a-w- c:\windows\system32\drivers\Mkd2kfNT.sys
    2009-12-23 19:09 . 2009-12-23 19:09 -------- d-----w- c:\program\NEXON
    2009-12-13 11:18 . 2009-12-13 11:18 61528 ---ha-w- c:\windows\system32\mlfcache.dat
    2009-12-12 13:08 . 2009-12-12 13:08 -------- d-----w- c:\documents and settings\marjoh01\Bullfrog
    2009-12-12 13:07 . 2009-12-12 13:07 -------- d-----w- c:\windows\system\KEEPER
    2009-11-30 12:28 . 2009-11-30 12:28 59904 ----a-w- c:\documents and settings\marjoh01\Application Data\Agency9\3DMapsK1\3DMapsK1\natives\32\zlib1.dll
    2009-11-30 12:28 . 2009-11-30 12:28 315392 ----a-w- c:\documents and settings\marjoh01\Application Data\Agency9\3DMapsK1\3DMapsK1\natives\32\jogl.dll
    2009-11-30 12:28 . 2009-11-30 12:28 20480 ----a-w- c:\documents and settings\marjoh01\Application Data\Agency9\3DMapsK1\3DMapsK1\natives\32\jogl_awt.dll
    2009-11-30 12:28 . 2009-11-30 12:28 20480 ----a-w- c:\documents and settings\marjoh01\Application Data\Agency9\3DMapsK1\3DMapsK1\natives\32\gluegen-rt.dll
    2009-11-30 12:28 . 2009-11-30 12:28 69632 ----a-w- c:\documents and settings\marjoh01\Application Data\Agency9\3DMapsK1\3DMapsK1\natives\32\SystemInfo.dll
    2009-11-30 12:28 . 2009-11-30 12:28 90112 ----a-w- c:\documents and settings\marjoh01\Application Data\Agency9\3DMapsK1\3DMapsK1\natives\32\DXPlugin.dll
    2009-11-30 12:28 . 2009-11-30 12:28 6656 ----a-w- c:\documents and settings\marjoh01\Application Data\Agency9\3DMapsK1\3DMapsK1\natives\32\NativeDiskfree.dll
    2009-11-30 12:28 . 2009-11-30 12:28 61440 ----a-w- c:\documents and settings\marjoh01\Application Data\Agency9\3DMapsK1\3DMapsK1\natives\32\NativeUnzip.dll
    2009-11-30 12:28 . 2009-11-30 12:28 57344 ----a-w- c:\documents and settings\marjoh01\Application Data\Agency9\3DMapsK1\3DMapsK1\natives\32\DXT.dll
    2009-11-30 12:28 . 2009-11-30 12:28 155648 ----a-w- c:\documents and settings\marjoh01\Application Data\Agency9\3DMapsK1\3DMapsK1\natives\32\NativeJpegDecoder.dll
    2009-11-30 12:28 . 2009-11-30 12:28 -------- d-----w- c:\documents and settings\marjoh01\Application Data\Agency9

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Rapport )))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-12-25 20:30 . 2009-11-23 08:47 -------- d-----w- c:\documents and settings\marjoh01\Application Data\Dropbox
    2009-12-25 20:14 . 2009-09-22 08:41 -------- d-----w- c:\program\Cheat Engine
    2009-12-25 19:44 . 2009-08-21 06:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Mozilla Firefox
    2009-12-25 12:25 . 2009-08-24 10:40 -------- d-----w- c:\documents and settings\marjoh01\Application Data\Spotify
    2009-12-25 10:24 . 2009-11-17 16:11 79488 ----a-w- c:\documents and settings\marjoh01\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
    2009-12-25 01:04 . 2009-08-26 12:26 -------- d-----w- c:\program\thriXXX
    2009-12-25 00:39 . 2009-08-25 17:42 -------- d-----w- c:\documents and settings\marjoh01\Application Data\uTorrent
    2009-12-16 14:30 . 2009-09-16 14:40 -------- d-----w- c:\documents and settings\marjoh01\Application Data\U3
    2009-12-10 10:54 . 2004-08-04 12:00 466468 ----a-w- c:\windows\system32\perfh01D.dat
    2009-12-10 10:54 . 2004-08-04 12:00 93064 ----a-w- c:\windows\system32\perfc01D.dat
    2009-12-09 23:59 . 2007-10-31 10:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
    2009-12-07 14:37 . 2009-11-05 18:00 -------- d-----w- c:\program\Project64 1.6
    2009-11-28 16:30 . 2007-10-31 10:26 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
    2009-11-23 08:47 . 2009-11-23 08:47 89962 ----a-w- c:\documents and settings\marjoh01\Application Data\Dropbox\bin\Uninstall.exe
    2009-11-19 16:45 . 2009-09-29 19:37 38 ----a-w- c:\documents and settings\marjoh01\jagex_runescape_preferences.dat
    2009-11-19 16:44 . 2009-09-29 19:38 63 ----a-w- c:\documents and settings\marjoh01\jagex_runescape_preferences2.dat
    2009-11-19 10:10 . 2009-11-19 10:09 -------- d-----w- c:\documents and settings\marjoh01\Application Data\Apple Computer
    2009-11-19 10:08 . 2009-11-19 10:07 -------- d-----w- c:\program\iTunes
    2009-11-19 10:08 . 2009-11-19 10:07 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
    2009-11-19 10:07 . 2009-11-19 10:07 -------- d-----w- c:\program\iPod
    2009-11-19 10:07 . 2009-11-19 10:02 -------- d-----w- c:\program\Delade filer\Apple
    2009-11-19 10:07 . 2009-11-19 10:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
    2009-11-19 10:07 . 2007-10-31 10:57 -------- d-----w- c:\program\Bonjour
    2009-11-19 10:06 . 2009-11-19 10:06 159744 ----a-w- c:\documents and settings\All Users\Application Data\Mozilla Firefox\plugins\npqtplugin7.dll
    2009-11-19 10:06 . 2009-11-19 10:06 159744 ----a-w- c:\documents and settings\All Users\Application Data\Mozilla Firefox\plugins\npqtplugin6.dll
    2009-11-19 10:06 . 2009-11-19 10:06 159744 ----a-w- c:\documents and settings\All Users\Application Data\Mozilla Firefox\plugins\npqtplugin5.dll
    2009-11-19 10:06 . 2009-11-19 10:06 159744 ----a-w- c:\documents and settings\All Users\Application Data\Mozilla Firefox\plugins\npqtplugin4.dll
    2009-11-19 10:06 . 2009-11-19 10:06 159744 ----a-w- c:\documents and settings\All Users\Application Data\Mozilla Firefox\plugins\npqtplugin3.dll
    2009-11-19 10:06 . 2009-11-19 10:06 159744 ----a-w- c:\documents and settings\All Users\Application Data\Mozilla Firefox\plugins\npqtplugin2.dll
    2009-11-19 10:06 . 2009-11-19 10:06 159744 ----a-w- c:\documents and settings\All Users\Application Data\Mozilla Firefox\plugins\npqtplugin.dll
    2009-11-19 10:06 . 2007-10-31 10:10 -------- d-----w- c:\program\QuickTime
    2009-11-19 10:04 . 2009-11-19 10:04 -------- d-----w- c:\program\Apple Software Update
    2009-11-12 16:07 . 2009-11-12 16:07 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
    2009-11-11 23:16 . 2009-11-11 23:16 -------- d-----w- c:\program\Autodesk
    2009-11-08 19:25 . 2009-11-08 19:25 -------- d-----w- c:\documents and settings\marjoh01\Application Data\Media Player Classic
    2009-11-05 18:00 . 2009-11-05 18:00 8854 ----a-r- c:\documents and settings\marjoh01\Application Data\Microsoft\Installer\{9559F7CA-5E34-4237-A2D9-D856464AD727}\Uninstall_Project64__9559F7CA5E344237A2D9D856464AD727.exe
    2009-11-05 18:00 . 2009-11-05 18:00 40960 ----a-r- c:\documents and settings\marjoh01\Application Data\Microsoft\Installer\{9559F7CA-5E34-4237-A2D9-D856464AD727}\NewShortcut1_9559F7CA5E344237A2D9D856464AD727.exe
    2009-11-05 18:00 . 2009-11-05 18:00 40960 ----a-r- c:\documents and settings\marjoh01\Application Data\Microsoft\Installer\{9559F7CA-5E34-4237-A2D9-D856464AD727}\ARPPRODUCTICON.exe
    2009-10-29 07:44 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
    2009-10-21 05:40 . 2004-08-04 12:00 75776 ----a-w- c:\windows\system32\strmfilt.dll
    2009-10-21 05:40 . 2004-08-04 12:00 25088 ----a-w- c:\windows\system32\httpapi.dll
    2009-10-20 16:20 . 2004-08-04 12:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
    2009-10-13 10:38 . 2004-08-04 12:00 270848 ----a-w- c:\windows\system32\oakley.dll
    2009-10-12 13:40 . 2004-08-04 12:00 79872 ----a-w- c:\windows\system32\raschap.dll
    2009-10-12 13:40 . 2004-08-04 12:00 150016 ----a-w- c:\windows\system32\rastls.dll
    2009-10-09 01:18 . 2009-10-09 01:18 26805255 ----a-w- c:\documents and settings\marjoh01\Application Data\Dropbox\bin\Dropbox.exe
    2009-10-08 21:18 . 2009-10-08 21:18 499712 ----a-w- c:\documents and settings\marjoh01\Application Data\Dropbox\bin\msvcp71.dll
    2009-10-08 21:18 . 2009-10-08 21:18 348160 ----a-w- c:\documents and settings\marjoh01\Application Data\Dropbox\bin\msvcr71.dll
    2009-10-08 21:18 . 2009-10-08 21:18 77824 ----a-w- c:\documents and settings\marjoh01\Application Data\Dropbox\bin\DropboxExt.3.dll
    .

    (((((((((((((((((((((((((((((((((( Startpunkter i registret )))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Not* Tomma poster & legitima standardposter visas inte.
    REGEDIT4

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
    @= "{FB314ED9-A251-47B7-93E1-CDD82E34AF8B} "
    [HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
    2009-10-08 21:18 77824 ----a-w- c:\documents and settings\marjoh01\Application Data\Dropbox\bin\DropboxExt.3.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
    @= "{FB314EDA-A251-47B7-93E1-CDD82E34AF8B} "
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
    2009-10-08 21:18 77824 ----a-w- c:\documents and settings\marjoh01\Application Data\Dropbox\bin\DropboxExt.3.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
    @= "{FB314EDB-A251-47B7-93E1-CDD82E34AF8B} "
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
    2009-10-08 21:18 77824 ----a-w- c:\documents and settings\marjoh01\Application Data\Dropbox\bin\DropboxExt.3.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "QuickTime Task "= "c:\program\QuickTime\QTTask.exe" [2009-11-10 417792]
    "msnmsgr "= "c:\program\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883840]
    "DAEMON Tools Lite "= "c:\program\DAEMON Tools Lite\daemon.exe" [2009-04-23 691656]
    "ctfmon.exe "= "c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SigmatelSysTrayApp "= "stsystra.exe" [2007-02-19 303104]
    "GrooveMonitor "= "c:\program\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
    "Acrobat Assistant 8.0 "= "c:\program\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-10-14 623992]
    "SunJavaUpdateSched "= "c:\program\Java\jre6\bin\jusched.exe" [2009-05-12 148888]
    "IgfxTray "= "c:\windows\system32\igfxtray.exe" [2008-02-28 141848]
    "HotKeysCmds "= "c:\windows\system32\hkcmd.exe" [2008-02-28 166424]
    "Persistence "= "c:\windows\system32\igfxpers.exe" [2008-02-28 137752]
    "IntelZeroConfig "= "c:\program\Intel\WiFi\bin\ZCfgSvc.exe" [2008-08-20 1368064]
    "IntelWireless "= "c:\program\Delade filer\Intel\WirelessCommon\iFrmewrk.exe" [2008-08-20 1191936]
    "ccApp "= "c:\program\Delade filer\Symantec Shared\ccApp.exe" [2009-05-12 115560]
    "LVCOMS "= "c:\program\Delade filer\Logitech\QCDriver3\LVCOMS.EXE" [2002-12-10 127022]
    "EverioService "= "c:\program\CyberLink\PCM4Everio\EverioService.exe" [2007-06-06 151552]
    "QuickTime Task "= "c:\program\QuickTime\QTTask.exe" [2009-11-10 417792]
    "iTunesHelper "= "c:\program\iTunes\iTunesHelper.exe" [2009-11-12 141600]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE "= "c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

    c:\documents and settings\marjoh01\Start-meny\Program\Autostart\
    Dropbox.lnk - c:\documents and settings\marjoh01\Application Data\Dropbox\bin\Dropbox.exe [2009-10-9 26805255]

    c:\documents and settings\All Users\Start-meny\Program\Autostart\
    Windows Search.lnk - c:\program\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "HideLogonScripts "= 0 (0x0)

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5} "= "c:\program\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3720637215-1519231276-860345815-2664\Scripts\Logon\0\0]
    "Script "=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3720637215-1519231276-860345815-2664\Scripts\Logon\0\1]
    "Script "=SEPInstall.bat

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
    @= "Service "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
    @= "Service "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
    @= "Service "

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "c:\\Program\\Microsoft Office\\Office12\\OUTLOOK.EXE "=
    "c:\\Program\\Microsoft Office\\Office12\\GROOVE.EXE "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "c:\\Program\\Windows Live\\Messenger\\msnmsgr.exe "=
    "c:\\Program\\Spotify\\spotify.exe "=
    "c:\\Program\\uTorrent\\uTorrent.exe "=
    "c:\\WINDOWS\\system32\\dpvsetup.exe "=
    "c:\\Program\\Bonjour\\mDNSResponder.exe "=
    "c:\\Program\\iTunes\\iTunes.exe "=

    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program\Delade filer\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-08-27 102448]
    S3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2009-12-25 30104]
    S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2009-12-25 30104]
    S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2009-05-12 23904]
    S3 Mkd2kfNt;Mkd2kfNt;c:\windows\system32\drivers\Mkd2kfNT.sys [2009-12-23 131072]
    S3 Mkd2Nadr;Mkd2Nadr;c:\windows\system32\drivers\Mkd2Nadr.sys [2009-12-23 79104]
    S3 Smcinst;Symantec Auto-upgrade Agent;c:\program\Symantec\Symantec Endpoint Protection\SmcLU\Setup\smcinst.exe --> c:\program\Symantec\Symantec Endpoint Protection\SmcLU\Setup\smcinst.exe [?]
    S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [2009-09-06 721904]
    .
    ------- Extra genomsökning -------
    .
    uInternet Settings,ProxyOverride = fronter.com;www.fronter.com;<local>;*.local
    uInternet Settings,ProxyServer = jbesk-student1:8080
    IE: Append to existing PDF - c:\program\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert link target to Adobe PDF - c:\program\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert link target to existing PDF - c:\program\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert selected links to Adobe PDF - c:\program\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert selected links to existing PDF - c:\program\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Convert selection to Adobe PDF - c:\program\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert selection to existing PDF - c:\program\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert to Adobe PDF - c:\program\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: E&xportera till Microsoft Excel - c:\program\MICROS~2\Office12\EXCEL.EXE/3000
    .
    - - - - FÖRÄLDRALÖSA POSTER SOM TAGITS BORT - - - -

    HKCU-Run-Malware Defense - c:\program\Malware Defense\mdefense.exe
    SafeBoot-Symantec Antvirus
    AddRemove-DAEMON Tools Toolbar - c:\program\DAEMON Tools Toolbar\uninst.exe



    **************************************************************************
    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files:

    **************************************************************************
    .
    --------------------- DLLer som "laddats" under processer som körs ---------------------

    - - - - - - - > 'winlogon.exe'(864)
    c:\windows\system32\netprovcredman.dll

    - - - - - - - > 'explorer.exe'(3864)
    c:\documents and settings\marjoh01\Application Data\Dropbox\bin\DropboxExt.3.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    c:\program\Delade filer\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    c:\program\Microsoft Office\Office12\1053\GrooveIntlResource.dll
    c:\program\Windows Desktop Search\wdsShell.dll
    c:\program\Windows Desktop Search\msnlExt.dll
    c:\program\Windows Desktop Search\sv-se\msnlExtRes.dll.mui
    c:\program\Windows Desktop Search\msnlExtRes.dll
    c:\windows\System32\tquery.dll
    c:\windows\System32\PROPSYS.dll
    c:\program\Windows Desktop Search\MSNLNamespaceMgr.dll
    c:\program\Windows Desktop Search\MSNLDl.dll
    c:\windows\System32\msshsq.dll
    c:\windows\system32\infosoft.dll
    c:\windows\system32\sv-se\tQuery.dll.mui
    c:\windows\system32\msls31.dll
    c:\windows\system32\mstime.dll
    c:\windows\system32\Dxtrans.dll
    c:\windows\system32\Dxtmsft.dll
    c:\program\Windows Desktop Search\WdsMktTools.dll
    .
    ------------------------ Andra processer som körs ------------------------
    .
    c:\program\Symantec\Symantec Endpoint Protection\Smc.exe
    c:\program\Intel\WiFi\bin\S24EvMon.exe
    c:\program\Delade filer\Symantec Shared\ccSvcHst.exe
    c:\windows\System32\SCardSvr.exe
    c:\program\Delade filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program\Bonjour\mDNSResponder.exe
    c:\program\Intel\WiFi\bin\EvtEng.exe
    c:\program\Java\jre6\bin\jqs.exe
    c:\program\Delade filer\Intel\WirelessCommon\RegSrvc.exe
    c:\program\CyberLink\Shared Files\RichVideo.exe
    c:\program\SigmaTel\C-Major Audio\WDM\StacSV.exe
    c:\program\Symantec\Symantec Endpoint Protection\Rtvscan.exe
    c:\program\Intel\WiFi\bin\WLKeeper.exe
    c:\windows\system32\SearchIndexer.exe
    c:\program\Symantec\Symantec Endpoint Protection\SmcGui.exe
    c:\windows\stsystra.exe
    c:\windows\system32\igfxsrvc.exe
    c:\windows\system32\wbem\unsecapp.exe
    c:\program\Delade filer\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    c:\program\iPod\bin\iPodService.exe
    .
    **************************************************************************
    .
    Sluttid: 2009-12-25 21:34:33 - datorn startades om.
    ComboFix-quarantined-files.txt 2009-12-25 20:34

    Före genomsökningen: 5*972*041*728 byte ledigt
    Efter genomsökningen: 9*502*658*560 byte ledigt

    WindowsXP-KB310994-SP2-Pro-BootDisk-SVE.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT= "Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS= "Microsoft Windows XP Professional" /noexecute=optin /fastdetect

    - - End Of File - - 21C0D59AB4215253342CC71C997DE4A9



    **HiJackThis text**

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 21:39:13, on 2009-12-25
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program\Symantec\Symantec Endpoint Protection\Smc.exe
    C:\Program\Intel\WiFi\bin\S24EvMon.exe
    C:\Program\Delade filer\Symantec Shared\ccSvcHst.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program\Delade filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program\Bonjour\mDNSResponder.exe
    C:\Program\Intel\WiFi\bin\EvtEng.exe
    C:\Program\Java\jre6\bin\jqs.exe
    C:\Program\Delade filer\Intel\WirelessCommon\RegSrvc.exe
    C:\Program\CyberLink\Shared Files\RichVideo.exe
    C:\Program\SigmaTel\C-Major Audio\WDM\StacSV.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program\Symantec\Symantec Endpoint Protection\Rtvscan.exe
    C:\Program\Intel\WiFi\bin\WLKeeper.exe
    C:\WINDOWS\system32\SearchIndexer.exe
    C:\Program\Symantec\Symantec Endpoint Protection\SmcGui.exe
    C:\WINDOWS\stsystra.exe
    C:\Program\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Program\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
    C:\Program\Java\jre6\bin\jusched.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\Program\Intel\WiFi\bin\ZCfgSvc.exe
    C:\Program\Delade filer\Intel\WirelessCommon\iFrmewrk.exe
    C:\Program\Delade filer\Symantec Shared\ccApp.exe
    C:\WINDOWS\system32\wbem\unsecapp.exe
    C:\Program\Delade filer\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    C:\Program\Delade filer\Logitech\QCDriver3\LVCOMS.EXE
    C:\Program\CyberLink\PCM4Everio\EverioService.exe
    C:\Program\iTunes\iTunesHelper.exe
    C:\Program\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Documents and Settings\All Users\Application Data\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\SearchProtocolHost.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = jbesk-student1:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = fronter.com;www.fronter.com;<local>;*.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Delade filer\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program\AVG\AVG9\avgssie.dll (file missing)
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program\Microsoft Office\Office12\GrooveShellExtensions.dll
    O2 - BHO: Windows Live inloggningshjälpen - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program\Delade filer\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program\Microsoft Office\Office12\GrooveMonitor.exe "
    O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe "
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program\Java\jre6\bin\jusched.exe "
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program\Intel\WiFi\bin\ZCfgSvc.exe "
    O4 - HKLM\..\Run: [IntelWireless] "C:\Program\Delade filer\Intel\WirelessCommon\iFrmewrk.exe" /tf Intel Wireless Tray
    O4 - HKLM\..\Run: [ccApp] "C:\Program\Delade filer\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [LVCOMS] C:\Program\Delade filer\Logitech\QCDriver3\LVCOMS.EXE
    O4 - HKLM\..\Run: [EverioService] "C:\Program\CyberLink\PCM4Everio\EverioService.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program\iTunes\iTunesHelper.exe "
    O4 - HKCU\..\Run: [QuickTime Task] "C:\Program\QuickTime\QTTask.exe" -atboottime
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program\Windows Live\Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program\DAEMON Tools Lite\daemon.exe" -autorun
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Startup: Dropbox.lnk = C:\Documents and Settings\marjoh01\Application Data\Dropbox\bin\Dropbox.exe
    O4 - Global Startup: Windows Search.lnk = C:\Program\Windows Desktop Search\WindowsSearch.exe
    O8 - Extra context menu item: Append to existing PDF - res://C:\Program\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
    O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1242115496953
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1242115409765
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = jbesk.local
    O17 - HKLM\Software\..\Telephony: DomainName = jbesk.local
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = jbesk.local
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program\Microsoft Office\Office12\GrooveSystemServices.dll
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program\AVG\AVG9\avgpp.dll (file missing)
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program\Delade filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour-tjänst (Bonjour Service) - Apple Inc. - C:\Program\Bonjour\mDNSResponder.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccSvcHst.exe
    O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel(R) Corporation - C:\Program\Intel\WiFi\bin\EvtEng.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program\Delade filer\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program\Java\jre6\bin\jqs.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\Program\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel(R) Corporation - C:\Program\Delade filer\Intel\WirelessCommon\RegSrvc.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program\CyberLink\Shared Files\RichVideo.exe
    O23 - Service: Intel® PROSet/Wireless WiFi Service (S24EventMonitor) - Intel(R) Corporation - C:\Program\Intel\WiFi\bin\S24EvMon.exe
    O23 - Service: Symantec Auto-upgrade Agent (Smcinst) - Unknown owner - C:\Program\Symantec\Symantec Endpoint Protection\SmcLU\Setup\smcinst.exe (file missing)
    O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program\Symantec\Symantec Endpoint Protection\Smc.exe
    O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program\Symantec\Symantec Endpoint Protection\SNAC.EXE
    O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program\SigmaTel\C-Major Audio\WDM\StacSV.exe
    O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program\Symantec\Symantec Endpoint Protection\Rtvscan.exe
    O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program\Intel\WiFi\bin\WLKeeper.exe

    --
    End of file - 11251 bytes
     
    Arna,
    #5
  7. 2009/12/25
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    I'll need to know by the next step:
    1. Norton - If you're authorized to remove it altogether and install something else.
    2. I see some AVG 8 and 9 leftovers - what's the story here?

    ================================================================

    Upload the following files to http://www.virustotal.com/ for a security check:
    - c:\windows\winstart.bat
    - c:\windows\system32\kdfinj.dll
    Post results ONLY if any threats are found.
     
  8. 2009/12/26
    Arna

    Arna Inactive Thread Starter

    I don't think I'm authorized to remove Norton. Maybe I can, but I don't think that I'm allowed to remove it without consulting the IT support at work. And it would unfortunately be very difficult to get hold of him now during the holidays, I'm afraid.

    I knew that I had Norton, but it was never active. So I tried to install AVG Free, but I had an error during the installation and left it after that.



    No errors on the kdfinj.dll, but the winstart.bat I just can't seem to find. I looked in the directory you wrote and I couldn't find anything. So I used the search client. It could not find anything either.
     
    Arna,
    #7
  9. 2009/12/26
    broni

    broni Moderator Malware Analyst

    Try to update it so we can see if it still has a valid subscription.

    Download and run AVG Remover: http://www.avg.com/us-en/download-tools

    Make sure you have hidden and system files view enabled.
     
  10. 2009/12/26
    Arna

    Arna Inactive Thread Starter

    The winstart.bat was clean too.

    I ran the AVG Remover without any errors.

    The last update of Norton was a month ago; I believe that my subscription is still active. Though I think that it can only update itself if it's connected to the server at work.
     
    Arna,
    #9
  11. 2009/12/26
    broni

    broni Moderator Malware Analyst

    Can you try to update it and let me know?

    When done, re-run Combofix and HJT and post fresh logs.
     
  12. 2009/12/26
    Arna

    Arna Inactive Thread Starter

    When I try to update Norton it says: "Symantec Endpoint Protection has requested new definitions from the management server. This problem will disappear after the server responds and the update is complete."

    Should I still re-run ComboFix and HJT?
     
  13. 2009/12/26
    broni

    broni Moderator Malware Analyst

    Yes, please.
     
  14. 2009/12/26
    Arna

    Arna Inactive Thread Starter

    Here we go!

    **ComboFix Text**

    ComboFix 09-12-25.05 - marjoh01 2009-12-26 19:35:18.2.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.46.1053.18.2038.1317 [GMT 1:00]
    Körs från: c:\documents and settings\marjoh01\Skrivbord\7cftr56ey.exe
    AV: Symantec Endpoint Protection *On-access scanning enabled* (Outdated) {FB06448E-52B8-493A-90F3-E43226D3305C}
    .

    (((((((((((((((((((((((( Filer Skapade från 2009-11-26 till 2009-12-26 ))))))))))))))))))))))))))))))
    .

    2009-12-25 20:38 . 2009-12-25 20:38 -------- d-----w- c:\program\Trend Micro
    2009-12-25 19:53 . 2009-12-25 19:53 -------- d-----w- c:\program\Malware Defense
    2009-12-25 19:52 . 2009-12-25 20:34 -------- d-----w- C:\7cftr56ey76247
    2009-12-25 19:48 . 2009-12-25 19:52 -------- d-----w- C:\7cftr56ey
    2009-12-25 03:53 . 2009-12-25 03:53 50968 ----a-w- c:\windows\system32\avgfwdx.dll
    2009-12-25 03:53 . 2009-12-25 03:53 30104 ----a-w- c:\windows\system32\drivers\avgfwdx.sys
    2009-12-25 02:31 . 2009-12-25 03:53 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
    2009-12-25 02:27 . 2009-12-25 02:27 -------- d-----w- c:\documents and settings\marjoh01\Application Data\AVG8
    2009-12-25 01:18 . 2009-12-25 01:18 2 --shatr- c:\windows\winstart.bat
    2009-12-25 01:18 . 2009-12-25 01:44 -------- d-----w- c:\program\UnHackMe
    2009-12-25 01:00 . 2009-12-25 01:00 -------- d-----w- c:\documents and settings\marjoh01\Application Data\Uniblue
    2009-12-25 00:43 . 2009-12-25 00:43 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
    2009-12-23 19:26 . 2009-12-23 19:26 767328 ----a-w- c:\windows\system32\kdfinj.dll
    2009-12-23 19:26 . 2008-10-17 08:50 79104 ----a-w- c:\windows\system32\drivers\Mkd2Nadr.sys
    2009-12-23 19:26 . 2008-10-17 08:50 131072 ----a-w- c:\windows\system32\drivers\Mkd2kfNT.sys
    2009-12-23 19:09 . 2009-12-23 19:09 -------- d-----w- c:\program\NEXON
    2009-12-13 11:18 . 2009-12-13 11:18 61528 ---ha-w- c:\windows\system32\mlfcache.dat
    2009-12-12 13:08 . 2009-12-12 13:08 -------- d-----w- c:\documents and settings\marjoh01\Bullfrog
    2009-12-12 13:07 . 2009-12-12 13:07 -------- d-----w- c:\windows\system\KEEPER
    2009-11-30 12:28 . 2009-11-30 12:28 59904 ----a-w- c:\documents and settings\marjoh01\Application Data\Agency9\3DMapsK1\3DMapsK1\natives\32\zlib1.dll
    2009-11-30 12:28 . 2009-11-30 12:28 315392 ----a-w- c:\documents and settings\marjoh01\Application Data\Agency9\3DMapsK1\3DMapsK1\natives\32\jogl.dll
    2009-11-30 12:28 . 2009-11-30 12:28 20480 ----a-w- c:\documents and settings\marjoh01\Application Data\Agency9\3DMapsK1\3DMapsK1\natives\32\jogl_awt.dll
    2009-11-30 12:28 . 2009-11-30 12:28 20480 ----a-w- c:\documents and settings\marjoh01\Application Data\Agency9\3DMapsK1\3DMapsK1\natives\32\gluegen-rt.dll
    2009-11-30 12:28 . 2009-11-30 12:28 69632 ----a-w- c:\documents and settings\marjoh01\Application Data\Agency9\3DMapsK1\3DMapsK1\natives\32\SystemInfo.dll
    2009-11-30 12:28 . 2009-11-30 12:28 90112 ----a-w- c:\documents and settings\marjoh01\Application Data\Agency9\3DMapsK1\3DMapsK1\natives\32\DXPlugin.dll
    2009-11-30 12:28 . 2009-11-30 12:28 6656 ----a-w- c:\documents and settings\marjoh01\Application Data\Agency9\3DMapsK1\3DMapsK1\natives\32\NativeDiskfree.dll
    2009-11-30 12:28 . 2009-11-30 12:28 61440 ----a-w- c:\documents and settings\marjoh01\Application Data\Agency9\3DMapsK1\3DMapsK1\natives\32\NativeUnzip.dll
    2009-11-30 12:28 . 2009-11-30 12:28 57344 ----a-w- c:\documents and settings\marjoh01\Application Data\Agency9\3DMapsK1\3DMapsK1\natives\32\DXT.dll
    2009-11-30 12:28 . 2009-11-30 12:28 155648 ----a-w- c:\documents and settings\marjoh01\Application Data\Agency9\3DMapsK1\3DMapsK1\natives\32\NativeJpegDecoder.dll
    2009-11-30 12:28 . 2009-11-30 12:28 -------- d-----w- c:\documents and settings\marjoh01\Application Data\Agency9

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Rapport )))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-12-26 17:35 . 2009-08-21 06:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Mozilla Firefox
    2009-12-26 16:46 . 2009-11-23 08:47 -------- d-----w- c:\documents and settings\marjoh01\Application Data\Dropbox
    2009-12-25 20:14 . 2009-09-22 08:41 -------- d-----w- c:\program\Cheat Engine
    2009-12-25 12:25 . 2009-08-24 10:40 -------- d-----w- c:\documents and settings\marjoh01\Application Data\Spotify
    2009-12-25 10:24 . 2009-11-17 16:11 79488 ----a-w- c:\documents and settings\marjoh01\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
    2009-12-25 01:04 . 2009-08-26 12:26 -------- d-----w- c:\program\thriXXX
    2009-12-25 00:39 . 2009-08-25 17:42 -------- d-----w- c:\documents and settings\marjoh01\Application Data\uTorrent
    2009-12-16 14:30 . 2009-09-16 14:40 -------- d-----w- c:\documents and settings\marjoh01\Application Data\U3
    2009-12-10 10:54 . 2004-08-04 12:00 466468 ----a-w- c:\windows\system32\perfh01D.dat
    2009-12-10 10:54 . 2004-08-04 12:00 93064 ----a-w- c:\windows\system32\perfc01D.dat
    2009-12-09 23:59 . 2007-10-31 10:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
    2009-12-07 14:37 . 2009-11-05 18:00 -------- d-----w- c:\program\Project64 1.6
    2009-11-28 16:30 . 2007-10-31 10:26 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
    2009-11-23 08:47 . 2009-11-23 08:47 89962 ----a-w- c:\documents and settings\marjoh01\Application Data\Dropbox\bin\Uninstall.exe
    2009-11-19 16:45 . 2009-09-29 19:37 38 ----a-w- c:\documents and settings\marjoh01\jagex_runescape_preferences.dat
    2009-11-19 16:44 . 2009-09-29 19:38 63 ----a-w- c:\documents and settings\marjoh01\jagex_runescape_preferences2.dat
    2009-11-19 10:10 . 2009-11-19 10:09 -------- d-----w- c:\documents and settings\marjoh01\Application Data\Apple Computer
    2009-11-19 10:08 . 2009-11-19 10:07 -------- d-----w- c:\program\iTunes
    2009-11-19 10:08 . 2009-11-19 10:07 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
    2009-11-19 10:07 . 2009-11-19 10:07 -------- d-----w- c:\program\iPod
    2009-11-19 10:07 . 2009-11-19 10:02 -------- d-----w- c:\program\Delade filer\Apple
    2009-11-19 10:07 . 2009-11-19 10:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
    2009-11-19 10:07 . 2007-10-31 10:57 -------- d-----w- c:\program\Bonjour
    2009-11-19 10:06 . 2009-11-19 10:06 159744 ----a-w- c:\documents and settings\All Users\Application Data\Mozilla Firefox\plugins\npqtplugin7.dll
    2009-11-19 10:06 . 2009-11-19 10:06 159744 ----a-w- c:\documents and settings\All Users\Application Data\Mozilla Firefox\plugins\npqtplugin6.dll
    2009-11-19 10:06 . 2009-11-19 10:06 159744 ----a-w- c:\documents and settings\All Users\Application Data\Mozilla Firefox\plugins\npqtplugin5.dll
    2009-11-19 10:06 . 2009-11-19 10:06 159744 ----a-w- c:\documents and settings\All Users\Application Data\Mozilla Firefox\plugins\npqtplugin4.dll
    2009-11-19 10:06 . 2009-11-19 10:06 159744 ----a-w- c:\documents and settings\All Users\Application Data\Mozilla Firefox\plugins\npqtplugin3.dll
    2009-11-19 10:06 . 2009-11-19 10:06 159744 ----a-w- c:\documents and settings\All Users\Application Data\Mozilla Firefox\plugins\npqtplugin2.dll
    2009-11-19 10:06 . 2009-11-19 10:06 159744 ----a-w- c:\documents and settings\All Users\Application Data\Mozilla Firefox\plugins\npqtplugin.dll
    2009-11-19 10:06 . 2007-10-31 10:10 -------- d-----w- c:\program\QuickTime
    2009-11-19 10:04 . 2009-11-19 10:04 -------- d-----w- c:\program\Apple Software Update
    2009-11-12 16:07 . 2009-11-12 16:07 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
    2009-11-11 23:16 . 2009-11-11 23:16 -------- d-----w- c:\program\Autodesk
    2009-11-08 19:25 . 2009-11-08 19:25 -------- d-----w- c:\documents and settings\marjoh01\Application Data\Media Player Classic
    2009-11-05 18:00 . 2009-11-05 18:00 8854 ----a-r- c:\documents and settings\marjoh01\Application Data\Microsoft\Installer\{9559F7CA-5E34-4237-A2D9-D856464AD727}\Uninstall_Project64__9559F7CA5E344237A2D9D856464AD727.exe
    2009-11-05 18:00 . 2009-11-05 18:00 40960 ----a-r- c:\documents and settings\marjoh01\Application Data\Microsoft\Installer\{9559F7CA-5E34-4237-A2D9-D856464AD727}\NewShortcut1_9559F7CA5E344237A2D9D856464AD727.exe
    2009-11-05 18:00 . 2009-11-05 18:00 40960 ----a-r- c:\documents and settings\marjoh01\Application Data\Microsoft\Installer\{9559F7CA-5E34-4237-A2D9-D856464AD727}\ARPPRODUCTICON.exe
    2009-10-29 07:44 . 2004-08-04 12:00 916480 ------w- c:\windows\system32\wininet.dll
    2009-10-21 05:40 . 2004-08-04 12:00 75776 ----a-w- c:\windows\system32\strmfilt.dll
    2009-10-21 05:40 . 2004-08-04 12:00 25088 ----a-w- c:\windows\system32\httpapi.dll
    2009-10-20 16:20 . 2004-08-04 12:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
    2009-10-13 10:38 . 2004-08-04 12:00 270848 ----a-w- c:\windows\system32\oakley.dll
    2009-10-12 13:40 . 2004-08-04 12:00 79872 ----a-w- c:\windows\system32\raschap.dll
    2009-10-12 13:40 . 2004-08-04 12:00 150016 ----a-w- c:\windows\system32\rastls.dll
    2009-10-09 01:18 . 2009-10-09 01:18 26805255 ----a-w- c:\documents and settings\marjoh01\Application Data\Dropbox\bin\Dropbox.exe
    2009-10-08 21:18 . 2009-10-08 21:18 499712 ----a-w- c:\documents and settings\marjoh01\Application Data\Dropbox\bin\msvcp71.dll
    2009-10-08 21:18 . 2009-10-08 21:18 348160 ----a-w- c:\documents and settings\marjoh01\Application Data\Dropbox\bin\msvcr71.dll
    2009-10-08 21:18 . 2009-10-08 21:18 77824 ----a-w- c:\documents and settings\marjoh01\Application Data\Dropbox\bin\DropboxExt.3.dll
    .

    ((((((((((((((((((((((((((((( SnapShot@2009-12-25_20.29.23 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2009-12-26 16:45 . 2009-12-26 16:45 16384 c:\windows\Temp\Perflib_Perfdata_670.dat
    .
    (((((((((((((((((((((((((((((((((( Startpunkter i registret )))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Not* Tomma poster & legitima standardposter visas inte.
    REGEDIT4

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
    @="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
    2009-10-08 21:18 77824 ----a-w- c:\documents and settings\marjoh01\Application Data\Dropbox\bin\DropboxExt.3.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
    @="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
    2009-10-08 21:18 77824 ----a-w- c:\documents and settings\marjoh01\Application Data\Dropbox\bin\DropboxExt.3.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
    @="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
    2009-10-08 21:18 77824 ----a-w- c:\documents and settings\marjoh01\Application Data\Dropbox\bin\DropboxExt.3.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "QuickTime Task"="c:\program\QuickTime\QTTask.exe" [2009-11-10 417792]
    "msnmsgr"="c:\program\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883840]
    "DAEMON Tools Lite"="c:\program\DAEMON Tools Lite\daemon.exe" [2009-04-23 691656]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SigmatelSysTrayApp"="stsystra.exe" [2007-02-19 303104]
    "GrooveMonitor"="c:\program\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
    "Acrobat Assistant 8.0"="c:\program\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-10-14 623992]
    "SunJavaUpdateSched"="c:\program\Java\jre6\bin\jusched.exe" [2009-05-12 148888]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-28 141848]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-28 166424]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-28 137752]
    "IntelZeroConfig"="c:\program\Intel\WiFi\bin\ZCfgSvc.exe" [2008-08-20 1368064]
    "IntelWireless"="c:\program\Delade filer\Intel\WirelessCommon\iFrmewrk.exe" [2008-08-20 1191936]
    "ccApp"="c:\program\Delade filer\Symantec Shared\ccApp.exe" [2009-05-12 115560]
    "LVCOMS"="c:\program\Delade filer\Logitech\QCDriver3\LVCOMS.EXE" [2002-12-10 127022]
    "EverioService"="c:\program\CyberLink\PCM4Everio\EverioService.exe" [2007-06-06 151552]
    "QuickTime Task"="c:\program\QuickTime\QTTask.exe" [2009-11-10 417792]
    "iTunesHelper"="c:\program\iTunes\iTunesHelper.exe" [2009-11-12 141600]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

    c:\documents and settings\marjoh01\Start-meny\Program\Autostart\
    Dropbox.lnk - c:\documents and settings\marjoh01\Application Data\Dropbox\bin\Dropbox.exe [2009-10-9 26805255]

    c:\documents and settings\All Users\Start-meny\Program\Autostart\
    Windows Search.lnk - c:\program\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "HideLogonScripts"= 0 (0x0)

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"="c:\program\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3720637215-1519231276-860345815-2664\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3720637215-1519231276-860345815-2664\Scripts\Logon\0\1]
    "Script"=SEPInstall.bat

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
    @="Service"

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program\\Spotify\\spotify.exe"=
    "c:\\Program\\uTorrent\\uTorrent.exe"=
    "c:\\WINDOWS\\system32\\dpvsetup.exe"=
    "c:\\Program\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program\\iTunes\\iTunes.exe"=

    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program\Delade filer\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-08-27 102448]
    S3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2009-12-25 30104]
    S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2009-12-25 30104]
    S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2009-05-12 23904]
    S3 Mkd2kfNt;Mkd2kfNt;c:\windows\system32\drivers\Mkd2kfNT.sys [2009-12-23 131072]
    S3 Mkd2Nadr;Mkd2Nadr;c:\windows\system32\drivers\Mkd2Nadr.sys [2009-12-23 79104]
    S3 Smcinst;Symantec Auto-upgrade Agent;c:\program\Symantec\Symantec Endpoint Protection\SmcLU\Setup\smcinst.exe --> c:\program\Symantec\Symantec Endpoint Protection\SmcLU\Setup\smcinst.exe [?]
    S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [2009-09-06 721904]
    .
    ------- Extra genomsökning -------
    .
    uInternet Settings,ProxyOverride = fronter.com;www.fronter.com;<local>;*.local
    uInternet Settings,ProxyServer = jbesk-student1:8080
    IE: Append to existing PDF - c:\program\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert link target to Adobe PDF - c:\program\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert link target to existing PDF - c:\program\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert selected links to Adobe PDF - c:\program\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert selected links to existing PDF - c:\program\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Convert selection to Adobe PDF - c:\program\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert selection to existing PDF - c:\program\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert to Adobe PDF - c:\program\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: E&xportera till Microsoft Excel - c:\program\MICROS~2\Office12\EXCEL.EXE/3000
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-12-26 19:39
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLer som "laddats" under processer som körs ---------------------

    - - - - - - - > 'winlogon.exe'(864)
    c:\windows\system32\netprovcredman.dll

    - - - - - - - > 'explorer.exe'(3816)
    c:\documents and settings\marjoh01\Application Data\Dropbox\bin\DropboxExt.3.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Sluttid: 2009-12-26 19:42:04
    ComboFix-quarantined-files.txt 2009-12-26 18:42
    ComboFix2.txt 2009-12-25 20:34

    Före genomsökningen: 9*424*338*944 byte ledigt
    Efter genomsökningen: 9*397*870*592 byte ledigt

    - - End Of File - - 43E92873079B17CD7D1D666A3E9DD239




    **HijackThis Text**

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 19:43:52, on 2009-12-26
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program\Symantec\Symantec Endpoint Protection\Smc.exe
    C:\Program\Intel\WiFi\bin\S24EvMon.exe
    C:\Program\Delade filer\Symantec Shared\ccSvcHst.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program\Delade filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program\Bonjour\mDNSResponder.exe
    C:\Program\Intel\WiFi\bin\EvtEng.exe
    C:\Program\Java\jre6\bin\jqs.exe
    C:\Program\Delade filer\Intel\WirelessCommon\RegSrvc.exe
    C:\Program\CyberLink\Shared Files\RichVideo.exe
    C:\Program\SigmaTel\C-Major Audio\WDM\StacSV.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program\Symantec\Symantec Endpoint Protection\Rtvscan.exe
    C:\Program\Intel\WiFi\bin\WLKeeper.exe
    C:\WINDOWS\system32\SearchIndexer.exe
    C:\Program\Symantec\Symantec Endpoint Protection\SmcGui.exe
    C:\WINDOWS\stsystra.exe
    C:\Program\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Program\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
    C:\Program\Java\jre6\bin\jusched.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\Program\Intel\WiFi\bin\ZCfgSvc.exe
    C:\Program\Delade filer\Intel\WirelessCommon\iFrmewrk.exe
    C:\Program\Delade filer\Symantec Shared\ccApp.exe
    C:\Program\Delade filer\Logitech\QCDriver3\LVCOMS.EXE
    C:\Program\CyberLink\PCM4Everio\EverioService.exe
    C:\Program\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\wbem\unsecapp.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program\iPod\bin\iPodService.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Documents and Settings\All Users\Application Data\Mozilla Firefox\firefox.exe
    C:\Program\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = jbesk-student1:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = fronter.com;www.fronter.com;<local>;*.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Delade filer\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program\Microsoft Office\Office12\GrooveShellExtensions.dll
    O2 - BHO: Windows Live inloggningshjälpen - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program\Delade filer\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program\Microsoft Office\Office12\GrooveMonitor.exe"
    O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program\Intel\WiFi\bin\ZCfgSvc.exe"
    O4 - HKLM\..\Run: [IntelWireless] "C:\Program\Delade filer\Intel\WirelessCommon\iFrmewrk.exe" /tf Intel Wireless Tray
    O4 - HKLM\..\Run: [ccApp] "C:\Program\Delade filer\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [LVCOMS] C:\Program\Delade filer\Logitech\QCDriver3\LVCOMS.EXE
    O4 - HKLM\..\Run: [EverioService] "C:\Program\CyberLink\PCM4Everio\EverioService.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program\iTunes\iTunesHelper.exe"
    O4 - HKCU\..\Run: [QuickTime Task] "C:\Program\QuickTime\QTTask.exe" -atboottime
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program\Windows Live\Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program\DAEMON Tools Lite\daemon.exe" -autorun
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Startup: Dropbox.lnk = C:\Documents and Settings\marjoh01\Application Data\Dropbox\bin\Dropbox.exe
    O4 - Global Startup: Windows Search.lnk = C:\Program\Windows Desktop Search\WindowsSearch.exe
    O8 - Extra context menu item: Append to existing PDF - res://C:\Program\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
    O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1242115496953
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1242115409765
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = jbesk.local
    O17 - HKLM\Software\..\Telephony: DomainName = jbesk.local
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = jbesk.local
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program\Microsoft Office\Office12\GrooveSystemServices.dll
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program\Delade filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour-tjänst (Bonjour Service) - Apple Inc. - C:\Program\Bonjour\mDNSResponder.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccSvcHst.exe
    O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel(R) Corporation - C:\Program\Intel\WiFi\bin\EvtEng.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program\Delade filer\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program\Java\jre6\bin\jqs.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\Program\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel(R) Corporation - C:\Program\Delade filer\Intel\WirelessCommon\RegSrvc.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program\CyberLink\Shared Files\RichVideo.exe
    O23 - Service: Intel® PROSet/Wireless WiFi Service (S24EventMonitor) - Intel(R) Corporation - C:\Program\Intel\WiFi\bin\S24EvMon.exe
    O23 - Service: Symantec Auto-upgrade Agent (Smcinst) - Unknown owner - C:\Program\Symantec\Symantec Endpoint Protection\SmcLU\Setup\smcinst.exe (file missing)
    O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program\Symantec\Symantec Endpoint Protection\Smc.exe
    O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program\Symantec\Symantec Endpoint Protection\SNAC.EXE
    O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program\SigmaTel\C-Major Audio\WDM\StacSV.exe
    O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program\Symantec\Symantec Endpoint Protection\Rtvscan.exe
    O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program\Intel\WiFi\bin\WLKeeper.exe

    --
    End of file - 10983 bytes
     
  15. 2009/12/26
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    1. Please open Notepad
    • Click Start, then Run
    • Type notepad.exe in the Run Box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\windows\system32\avgfwdx.dll
    c:\windows\system32\drivers\avgfwdx.sys
    
    
    Folder::
    c:\documents and settings\All Users\Application Data\avg9
    c:\documents and settings\marjoh01\Application Data\AVG8
    
    
    Driver::
    Avgfwdx
    Avgfwfd
    
    
    Registry::
    
    RegLockDel::
    
    

    3. Save the above as CFScript.txt

    4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
    • A new HijackThis log.
     
  16. 2009/12/26
    Arna

    Arna Inactive Thread Starter

    Joined:
    2009/12/24
    Messages:
    11
    Likes Received:
    0
    And so again!

    **ComboFix Text**

    ComboFix 09-12-25.05 - marjoh01 2009-12-26 20:33:45.3.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.46.1053.18.2038.1348 [GMT 1:00]
    Körs från: c:\documents and settings\marjoh01\Skrivbord\7cftr56ey.exe
    Använda kommandoväxlar :: c:\documents and settings\marjoh01\Skrivbord\CFScript.txt
    AV: Symantec Endpoint Protection *On-access scanning enabled* (Outdated) {FB06448E-52B8-493A-90F3-E43226D3305C}

    FILE ::
    "c:\windows\system32\avgfwdx.dll"
    "c:\windows\system32\drivers\avgfwdx.sys"
    .

    ((((((((((((((((((((((((((((((((((((((( Andra raderingar ))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\All Users\Application Data\avg9
    c:\documents and settings\All Users\Application Data\avg9\Log\avgldr.log
    c:\documents and settings\All Users\Application Data\avg9\Log\avgldr.log.lock
    c:\documents and settings\All Users\Application Data\avg9\Log\avgtdi.log
    c:\documents and settings\All Users\Application Data\avg9\Log\avgtdi.log.lock
    c:\documents and settings\marjoh01\Application Data\AVG8
    c:\windows\system32\avgfwdx.dll
    c:\windows\system32\drivers\avgfwdx.sys

    .
    ((((((((((((((((((((((((((((((((((((((( Drivrutiner/Tjänster )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Service_Avgfwdx
    -------\Service_Avgfwfd


    (((((((((((((((((((((((( Filer Skapade från 2009-11-26 till 2009-12-26 ))))))))))))))))))))))))))))))
    .

    2009-12-25 20:38 . 2009-12-25 20:38 -------- d-----w- c:\program\Trend Micro
    2009-12-25 19:53 . 2009-12-25 19:53 -------- d-----w- c:\program\Malware Defense
    2009-12-25 19:52 . 2009-12-25 20:34 -------- d-----w- C:\7cftr56ey76247
    2009-12-25 19:48 . 2009-12-25 19:52 -------- d-----w- C:\7cftr56ey
    2009-12-25 01:18 . 2009-12-25 01:18 2 --shatr- c:\windows\winstart.bat
    2009-12-25 01:18 . 2009-12-25 01:44 -------- d-----w- c:\program\UnHackMe
    2009-12-25 01:00 . 2009-12-25 01:00 -------- d-----w- c:\documents and settings\marjoh01\Application Data\Uniblue
    2009-12-25 00:43 . 2009-12-25 00:43 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
    2009-12-23 19:26 . 2009-12-23 19:26 767328 ----a-w- c:\windows\system32\kdfinj.dll
    2009-12-23 19:26 . 2008-10-17 08:50 79104 ----a-w- c:\windows\system32\drivers\Mkd2Nadr.sys
    2009-12-23 19:26 . 2008-10-17 08:50 131072 ----a-w- c:\windows\system32\drivers\Mkd2kfNT.sys
    2009-12-23 19:09 . 2009-12-23 19:09 -------- d-----w- c:\program\NEXON
    2009-12-13 11:18 . 2009-12-13 11:18 61528 ---ha-w- c:\windows\system32\mlfcache.dat
    2009-12-12 13:08 . 2009-12-12 13:08 -------- d-----w- c:\documents and settings\marjoh01\Bullfrog
    2009-12-12 13:07 . 2009-12-12 13:07 -------- d-----w- c:\windows\system\KEEPER
    2009-11-30 12:28 . 2009-11-30 12:28 59904 ----a-w- c:\documents and settings\marjoh01\Application Data\Agency9\3DMapsK1\3DMapsK1\natives\32\zlib1.dll
    2009-11-30 12:28 . 2009-11-30 12:28 315392 ----a-w- c:\documents and settings\marjoh01\Application Data\Agency9\3DMapsK1\3DMapsK1\natives\32\jogl.dll
    2009-11-30 12:28 . 2009-11-30 12:28 20480 ----a-w- c:\documents and settings\marjoh01\Application Data\Agency9\3DMapsK1\3DMapsK1\natives\32\jogl_awt.dll
    2009-11-30 12:28 . 2009-11-30 12:28 20480 ----a-w- c:\documents and settings\marjoh01\Application Data\Agency9\3DMapsK1\3DMapsK1\natives\32\gluegen-rt.dll
    2009-11-30 12:28 . 2009-11-30 12:28 69632 ----a-w- c:\documents and settings\marjoh01\Application Data\Agency9\3DMapsK1\3DMapsK1\natives\32\SystemInfo.dll
    2009-11-30 12:28 . 2009-11-30 12:28 90112 ----a-w- c:\documents and settings\marjoh01\Application Data\Agency9\3DMapsK1\3DMapsK1\natives\32\DXPlugin.dll
    2009-11-30 12:28 . 2009-11-30 12:28 6656 ----a-w- c:\documents and settings\marjoh01\Application Data\Agency9\3DMapsK1\3DMapsK1\natives\32\NativeDiskfree.dll
    2009-11-30 12:28 . 2009-11-30 12:28 61440 ----a-w- c:\documents and settings\marjoh01\Application Data\Agency9\3DMapsK1\3DMapsK1\natives\32\NativeUnzip.dll
    2009-11-30 12:28 . 2009-11-30 12:28 57344 ----a-w- c:\documents and settings\marjoh01\Application Data\Agency9\3DMapsK1\3DMapsK1\natives\32\DXT.dll
    2009-11-30 12:28 . 2009-11-30 12:28 155648 ----a-w- c:\documents and settings\marjoh01\Application Data\Agency9\3DMapsK1\3DMapsK1\natives\32\NativeJpegDecoder.dll
    2009-11-30 12:28 . 2009-11-30 12:28 -------- d-----w- c:\documents and settings\marjoh01\Application Data\Agency9

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Rapport )))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-12-26 19:42 . 2009-11-23 08:47 -------- d-----w- c:\documents and settings\marjoh01\Application Data\Dropbox
    2009-12-26 19:29 . 2009-08-21 06:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Mozilla Firefox
    2009-12-25 20:14 . 2009-09-22 08:41 -------- d-----w- c:\program\Cheat Engine
    2009-12-25 12:25 . 2009-08-24 10:40 -------- d-----w- c:\documents and settings\marjoh01\Application Data\Spotify
    2009-12-25 10:24 . 2009-11-17 16:11 79488 ----a-w- c:\documents and settings\marjoh01\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
    2009-12-25 01:04 . 2009-08-26 12:26 -------- d-----w- c:\program\thriXXX
    2009-12-25 00:39 . 2009-08-25 17:42 -------- d-----w- c:\documents and settings\marjoh01\Application Data\uTorrent
    2009-12-16 14:30 . 2009-09-16 14:40 -------- d-----w- c:\documents and settings\marjoh01\Application Data\U3
    2009-12-10 10:54 . 2004-08-04 12:00 466468 ----a-w- c:\windows\system32\perfh01D.dat
    2009-12-10 10:54 . 2004-08-04 12:00 93064 ----a-w- c:\windows\system32\perfc01D.dat
    2009-12-09 23:59 . 2007-10-31 10:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
    2009-12-07 14:37 . 2009-11-05 18:00 -------- d-----w- c:\program\Project64 1.6
    2009-11-28 16:30 . 2007-10-31 10:26 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
    2009-11-23 08:47 . 2009-11-23 08:47 89962 ----a-w- c:\documents and settings\marjoh01\Application Data\Dropbox\bin\Uninstall.exe
    2009-11-19 16:45 . 2009-09-29 19:37 38 ----a-w- c:\documents and settings\marjoh01\jagex_runescape_preferences.dat
    2009-11-19 16:44 . 2009-09-29 19:38 63 ----a-w- c:\documents and settings\marjoh01\jagex_runescape_preferences2.dat
    2009-11-19 10:10 . 2009-11-19 10:09 -------- d-----w- c:\documents and settings\marjoh01\Application Data\Apple Computer
    2009-11-19 10:08 . 2009-11-19 10:07 -------- d-----w- c:\program\iTunes
    2009-11-19 10:08 . 2009-11-19 10:07 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
    2009-11-19 10:07 . 2009-11-19 10:07 -------- d-----w- c:\program\iPod
    2009-11-19 10:07 . 2009-11-19 10:02 -------- d-----w- c:\program\Delade filer\Apple
    2009-11-19 10:07 . 2009-11-19 10:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
    2009-11-19 10:07 . 2007-10-31 10:57 -------- d-----w- c:\program\Bonjour
    2009-11-19 10:06 . 2009-11-19 10:06 159744 ----a-w- c:\documents and settings\All Users\Application Data\Mozilla Firefox\plugins\npqtplugin7.dll
    2009-11-19 10:06 . 2009-11-19 10:06 159744 ----a-w- c:\documents and settings\All Users\Application Data\Mozilla Firefox\plugins\npqtplugin6.dll
    2009-11-19 10:06 . 2009-11-19 10:06 159744 ----a-w- c:\documents and settings\All Users\Application Data\Mozilla Firefox\plugins\npqtplugin5.dll
    2009-11-19 10:06 . 2009-11-19 10:06 159744 ----a-w- c:\documents and settings\All Users\Application Data\Mozilla Firefox\plugins\npqtplugin4.dll
    2009-11-19 10:06 . 2009-11-19 10:06 159744 ----a-w- c:\documents and settings\All Users\Application Data\Mozilla Firefox\plugins\npqtplugin3.dll
    2009-11-19 10:06 . 2009-11-19 10:06 159744 ----a-w- c:\documents and settings\All Users\Application Data\Mozilla Firefox\plugins\npqtplugin2.dll
    2009-11-19 10:06 . 2009-11-19 10:06 159744 ----a-w- c:\documents and settings\All Users\Application Data\Mozilla Firefox\plugins\npqtplugin.dll
    2009-11-19 10:06 . 2007-10-31 10:10 -------- d-----w- c:\program\QuickTime
    2009-11-19 10:04 . 2009-11-19 10:04 -------- d-----w- c:\program\Apple Software Update
    2009-11-12 16:07 . 2009-11-12 16:07 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
    2009-11-11 23:16 . 2009-11-11 23:16 -------- d-----w- c:\program\Autodesk
    2009-11-08 19:25 . 2009-11-08 19:25 -------- d-----w- c:\documents and settings\marjoh01\Application Data\Media Player Classic
    2009-11-05 18:00 . 2009-11-05 18:00 8854 ----a-r- c:\documents and settings\marjoh01\Application Data\Microsoft\Installer\{9559F7CA-5E34-4237-A2D9-D856464AD727}\Uninstall_Project64__9559F7CA5E344237A2D9D856464AD727.exe
    2009-11-05 18:00 . 2009-11-05 18:00 40960 ----a-r- c:\documents and settings\marjoh01\Application Data\Microsoft\Installer\{9559F7CA-5E34-4237-A2D9-D856464AD727}\NewShortcut1_9559F7CA5E344237A2D9D856464AD727.exe
    2009-11-05 18:00 . 2009-11-05 18:00 40960 ----a-r- c:\documents and settings\marjoh01\Application Data\Microsoft\Installer\{9559F7CA-5E34-4237-A2D9-D856464AD727}\ARPPRODUCTICON.exe
    2009-10-29 07:44 . 2004-08-04 12:00 916480 ------w- c:\windows\system32\wininet.dll
    2009-10-21 05:40 . 2004-08-04 12:00 75776 ----a-w- c:\windows\system32\strmfilt.dll
    2009-10-21 05:40 . 2004-08-04 12:00 25088 ----a-w- c:\windows\system32\httpapi.dll
    2009-10-20 16:20 . 2004-08-04 12:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
    2009-10-13 10:38 . 2004-08-04 12:00 270848 ----a-w- c:\windows\system32\oakley.dll
    2009-10-12 13:40 . 2004-08-04 12:00 79872 ----a-w- c:\windows\system32\raschap.dll
    2009-10-12 13:40 . 2004-08-04 12:00 150016 ----a-w- c:\windows\system32\rastls.dll
    2009-10-09 01:18 . 2009-10-09 01:18 26805255 ----a-w- c:\documents and settings\marjoh01\Application Data\Dropbox\bin\Dropbox.exe
    2009-10-08 21:18 . 2009-10-08 21:18 499712 ----a-w- c:\documents and settings\marjoh01\Application Data\Dropbox\bin\msvcp71.dll
    2009-10-08 21:18 . 2009-10-08 21:18 348160 ----a-w- c:\documents and settings\marjoh01\Application Data\Dropbox\bin\msvcr71.dll
    2009-10-08 21:18 . 2009-10-08 21:18 77824 ----a-w- c:\documents and settings\marjoh01\Application Data\Dropbox\bin\DropboxExt.3.dll
    .

    (((((((((((((((((((((((((((((((((( Startpunkter i registret )))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Not* Tomma poster & legitima standardposter visas inte.
    REGEDIT4

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
    @="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
    2009-10-08 21:18 77824 ----a-w- c:\documents and settings\marjoh01\Application Data\Dropbox\bin\DropboxExt.3.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
    @="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
    2009-10-08 21:18 77824 ----a-w- c:\documents and settings\marjoh01\Application Data\Dropbox\bin\DropboxExt.3.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
    @="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
    2009-10-08 21:18 77824 ----a-w- c:\documents and settings\marjoh01\Application Data\Dropbox\bin\DropboxExt.3.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "QuickTime Task"="c:\program\QuickTime\QTTask.exe" [2009-11-10 417792]
    "msnmsgr"="c:\program\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883840]
    "DAEMON Tools Lite"="c:\program\DAEMON Tools Lite\daemon.exe" [2009-04-23 691656]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SigmatelSysTrayApp"="stsystra.exe" [2007-02-19 303104]
    "GrooveMonitor"="c:\program\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
    "Acrobat Assistant 8.0"="c:\program\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-10-14 623992]
    "SunJavaUpdateSched"="c:\program\Java\jre6\bin\jusched.exe" [2009-05-12 148888]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-28 141848]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-28 166424]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-28 137752]
    "IntelZeroConfig"="c:\program\Intel\WiFi\bin\ZCfgSvc.exe" [2008-08-20 1368064]
    "IntelWireless"="c:\program\Delade filer\Intel\WirelessCommon\iFrmewrk.exe" [2008-08-20 1191936]
    "ccApp"="c:\program\Delade filer\Symantec Shared\ccApp.exe" [2009-05-12 115560]
    "LVCOMS"="c:\program\Delade filer\Logitech\QCDriver3\LVCOMS.EXE" [2002-12-10 127022]
    "EverioService"="c:\program\CyberLink\PCM4Everio\EverioService.exe" [2007-06-06 151552]
    "QuickTime Task"="c:\program\QuickTime\QTTask.exe" [2009-11-10 417792]
    "iTunesHelper"="c:\program\iTunes\iTunesHelper.exe" [2009-11-12 141600]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

    c:\documents and settings\marjoh01\Start-meny\Program\Autostart\
    Dropbox.lnk - c:\documents and settings\marjoh01\Application Data\Dropbox\bin\Dropbox.exe [2009-10-9 26805255]

    c:\documents and settings\All Users\Start-meny\Program\Autostart\
    Windows Search.lnk - c:\program\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "HideLogonScripts"= 0 (0x0)

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"="c:\program\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3720637215-1519231276-860345815-2664\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3720637215-1519231276-860345815-2664\Scripts\Logon\0\1]
    "Script"=SEPInstall.bat

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
    @="Service"

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program\\Spotify\\spotify.exe"=
    "c:\\Program\\uTorrent\\uTorrent.exe"=
    "c:\\WINDOWS\\system32\\dpvsetup.exe"=
    "c:\\Program\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program\\iTunes\\iTunes.exe"=

    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program\Delade filer\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-08-27 102448]
    S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2009-05-12 23904]
    S3 Mkd2kfNt;Mkd2kfNt;c:\windows\system32\drivers\Mkd2kfNT.sys [2009-12-23 131072]
    S3 Mkd2Nadr;Mkd2Nadr;c:\windows\system32\drivers\Mkd2Nadr.sys [2009-12-23 79104]
    S3 Smcinst;Symantec Auto-upgrade Agent;c:\program\Symantec\Symantec Endpoint Protection\SmcLU\Setup\smcinst.exe --> c:\program\Symantec\Symantec Endpoint Protection\SmcLU\Setup\smcinst.exe [?]
    S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [2009-09-06 721904]
    .
    ------- Extra genomsökning -------
    .
    uInternet Settings,ProxyOverride = fronter.com;www.fronter.com;<local>;*.local
    uInternet Settings,ProxyServer = jbesk-student1:8080
    IE: Append to existing PDF - c:\program\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert link target to Adobe PDF - c:\program\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert link target to existing PDF - c:\program\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert selected links to Adobe PDF - c:\program\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert selected links to existing PDF - c:\program\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Convert selection to Adobe PDF - c:\program\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert selection to existing PDF - c:\program\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert to Adobe PDF - c:\program\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: E&xportera till Microsoft Excel - c:\program\MICROS~2\Office12\EXCEL.EXE/3000
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-12-26 20:39
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLer som "laddats" under processer som körs ---------------------

    - - - - - - - > 'winlogon.exe'(884)
    c:\windows\system32\netprovcredman.dll

    - - - - - - - > 'explorer.exe'(1532)
    c:\documents and settings\marjoh01\Application Data\Dropbox\bin\DropboxExt.3.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Andra processer som körs ------------------------
    .
    c:\program\Symantec\Symantec Endpoint Protection\Smc.exe
    c:\program\Intel\WiFi\bin\S24EvMon.exe
    c:\program\Delade filer\Symantec Shared\ccSvcHst.exe
    c:\windows\System32\SCardSvr.exe
    c:\program\Delade filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program\Bonjour\mDNSResponder.exe
    c:\program\Intel\WiFi\bin\EvtEng.exe
    c:\program\Java\jre6\bin\jqs.exe
    c:\program\Delade filer\Intel\WirelessCommon\RegSrvc.exe
    c:\program\CyberLink\Shared Files\RichVideo.exe
    c:\program\SigmaTel\C-Major Audio\WDM\StacSV.exe
    c:\program\Symantec\Symantec Endpoint Protection\Rtvscan.exe
    c:\program\Intel\WiFi\bin\WLKeeper.exe
    c:\windows\system32\SearchIndexer.exe
    c:\program\Symantec\Symantec Endpoint Protection\SmcGui.exe
    c:\windows\stsystra.exe
    c:\windows\system32\igfxsrvc.exe
    c:\program\Delade filer\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    c:\windows\system32\wbem\unsecapp.exe
    c:\program\iPod\bin\iPodService.exe
    .
    **************************************************************************
    .
    Sluttid: 2009-12-26 20:46:05 - datorn startades om.
    ComboFix-quarantined-files.txt 2009-12-26 19:46
    ComboFix2.txt 2009-12-26 18:42
    ComboFix3.txt 2009-12-25 20:34

    Före genomsökningen: 9*405*284*352 byte ledigt
    Efter genomsökningen: 9*281*953*792 byte ledigt

    - - End Of File - - 3C493334AB67CB7BCE30FC3C3A811852




    **HijackThis Text**

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 20:47:23, on 2009-12-26
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program\Symantec\Symantec Endpoint Protection\Smc.exe
    C:\Program\Intel\WiFi\bin\S24EvMon.exe
    C:\Program\Delade filer\Symantec Shared\ccSvcHst.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program\Delade filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program\Bonjour\mDNSResponder.exe
    C:\Program\Intel\WiFi\bin\EvtEng.exe
    C:\Program\Java\jre6\bin\jqs.exe
    C:\Program\Delade filer\Intel\WirelessCommon\RegSrvc.exe
    C:\Program\CyberLink\Shared Files\RichVideo.exe
    C:\Program\SigmaTel\C-Major Audio\WDM\StacSV.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program\Symantec\Symantec Endpoint Protection\Rtvscan.exe
    C:\Program\Intel\WiFi\bin\WLKeeper.exe
    C:\WINDOWS\system32\SearchIndexer.exe
    C:\Program\Symantec\Symantec Endpoint Protection\SmcGui.exe
    C:\WINDOWS\stsystra.exe
    C:\Program\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Program\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
    C:\Program\Java\jre6\bin\jusched.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program\Intel\WiFi\bin\ZCfgSvc.exe
    C:\Program\Delade filer\Intel\WirelessCommon\iFrmewrk.exe
    C:\Program\Delade filer\Symantec Shared\ccApp.exe
    C:\Program\Delade filer\Logitech\QCDriver3\LVCOMS.EXE
    C:\Program\CyberLink\PCM4Everio\EverioService.exe
    C:\Program\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\Program\Delade filer\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    C:\WINDOWS\system32\wbem\unsecapp.exe
    C:\Program\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\explorer.exe
    C:\Documents and Settings\All Users\Application Data\Mozilla Firefox\firefox.exe
    C:\Program\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = jbesk-student1:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = fronter.com;www.fronter.com;<local>;*.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Delade filer\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program\Microsoft Office\Office12\GrooveShellExtensions.dll
    O2 - BHO: Windows Live inloggningshjälpen - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program\Delade filer\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program\Microsoft Office\Office12\GrooveMonitor.exe"
    O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program\Intel\WiFi\bin\ZCfgSvc.exe"
    O4 - HKLM\..\Run: [IntelWireless] "C:\Program\Delade filer\Intel\WirelessCommon\iFrmewrk.exe" /tf Intel Wireless Tray
    O4 - HKLM\..\Run: [ccApp] "C:\Program\Delade filer\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [LVCOMS] C:\Program\Delade filer\Logitech\QCDriver3\LVCOMS.EXE
    O4 - HKLM\..\Run: [EverioService] "C:\Program\CyberLink\PCM4Everio\EverioService.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program\iTunes\iTunesHelper.exe"
    O4 - HKCU\..\Run: [QuickTime Task] "C:\Program\QuickTime\QTTask.exe" -atboottime
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program\Windows Live\Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program\DAEMON Tools Lite\daemon.exe" -autorun
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Startup: Dropbox.lnk = C:\Documents and Settings\marjoh01\Application Data\Dropbox\bin\Dropbox.exe
    O4 - Global Startup: Windows Search.lnk = C:\Program\Windows Desktop Search\WindowsSearch.exe
    O8 - Extra context menu item: Append to existing PDF - res://C:\Program\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
    O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1242115496953
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1242115409765
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = jbesk.local
    O17 - HKLM\Software\..\Telephony: DomainName = jbesk.local
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = jbesk.local
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program\Microsoft Office\Office12\GrooveSystemServices.dll
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program\Delade filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour-tjänst (Bonjour Service) - Apple Inc. - C:\Program\Bonjour\mDNSResponder.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccSvcHst.exe
    O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel(R) Corporation - C:\Program\Intel\WiFi\bin\EvtEng.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program\Delade filer\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program\Java\jre6\bin\jqs.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\Program\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel(R) Corporation - C:\Program\Delade filer\Intel\WirelessCommon\RegSrvc.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program\CyberLink\Shared Files\RichVideo.exe
    O23 - Service: Intel® PROSet/Wireless WiFi Service (S24EventMonitor) - Intel(R) Corporation - C:\Program\Intel\WiFi\bin\S24EvMon.exe
    O23 - Service: Symantec Auto-upgrade Agent (Smcinst) - Unknown owner - C:\Program\Symantec\Symantec Endpoint Protection\SmcLU\Setup\smcinst.exe (file missing)
    O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program\Symantec\Symantec Endpoint Protection\Smc.exe
    O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program\Symantec\Symantec Endpoint Protection\SNAC.EXE
    O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program\SigmaTel\C-Major Audio\WDM\StacSV.exe
    O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program\Symantec\Symantec Endpoint Protection\Rtvscan.exe
    O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program\Intel\WiFi\bin\WLKeeper.exe

    --
    End of file - 11036 bytes
     
  17. 2009/12/26
    broni Moderator Malware Analyst

    Uninstall Combofix:
    Go Start > Run [Vista users, go Start > "Start search"]
    Type in:
    Combofix /Uninstall
    Note the space between "Combofix" and "/Uninstall".
    Restart computer.

    ==========================================================

    Print these instructions out.

    NOTE. If any of the programs listed below refuse to run, try renaming the executable file to something else; for instance, rename hijackthis.exe to scanner.exe

    ***VERY IMPORTANT! Make sure you update SUPERAntiSpyware and Malwarebytes before running the scans.***

    STEP 1. Download SUPERAntiSpyware Free for Home Users:
    http://www.superantispyware.com/

    * Double-click SUPERAntiSpyware.exe and use the default settings for installation.
    * An icon will be created on your desktop. Double-click that icon to launch the program.
    * If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here: http://www.superantispyware.com/definitions.html.)
    * Close SUPERAntiSpyware.

    PHYSICALLY DISCONNECT FROM THE INTERNET

    Restart computer in Safe Mode.
    To enter Safe Mode, restart the computer and keep tapping the F8 key until the menu appears; select Safe Mode; you'll see "Safe Mode" in all four corners of your screen.

    * Open SUPERAntiSpyware.
    * Click Scan your Computer... button.
    * Click Scanning Preferences/Control Center... button.
    * Under the General and Startup tab, make sure the Start SUPERAntiSpyware when Windows starts option is UN-checked.
    * Click the Scanning Control tab.
    * Under Scanner Options make sure the following are checked (leave all others unchecked):
    - Close browsers before scanning.
    - Terminate memory threats before quarantining.

    * Click the Close button to leave the control center screen.
    * On the left, make sure you check C:\Fixed Drive.
    * On the right, choose Perform Complete Scan.
    * Click Next to start the scan. Please be patient while it scans your computer.
    * After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click OK.
    * Make sure everything has a checkmark next to it and click Next.
    * A notification will appear that Quarantine and Removal is Complete. Click OK and then click the Finish button to return to the main menu.
    * If asked if you want to reboot, click Yes.
    * To retrieve the removal information after reboot, launch SUPERAntispyware again.
    - Click Preferences, then click the Statistics/Logs tab.
    - Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    - If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    - Please copy and paste the Scan Log results in your next reply.

    * Click Close to exit the program.
    Post SUPERAntiSpyware log.

    RECONNECT TO THE INTERNET

    RESTART COMPUTER!

    STEP 2. Download Malwarebytes' Anti-Malware: http://www.malwarebytes.org/mbam.php to your desktop.
    (Malwarebytes is free to use as a manual scanner. Payment is only required if you wish to have it run and update automatically which is not necessary for our purposes)

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform full scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad.
    * Post the log back here.

    The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
    Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

    RESTART COMPUTER!

    STEP 3.
    Post fresh HijackThis log.
    NOTE. If you're using Vista, right click on HijackThis, and click Run as Administrator
    Do NOT attempt to "fix" anything!


    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  18. 2009/12/26
    Arna Inactive Thread Starter

    Here are some new scan results.



    **SUPERAntiSpyware Text**

    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 12/26/2009 at 11:02 PM

    Application Version : 4.32.1000

    Core Rules Database Version : 4412
    Trace Rules Database Version: 2243

    Scan type : Complete Scan
    Total Scan Time : 01:32:29

    Memory items scanned : 599
    Memory threats detected : 0
    Registry items scanned : 6456
    Registry threats detected : 0
    File items scanned : 147076
    File threats detected : 0



    **Malwarebytes Text**

    Malwarebytes' Anti-Malware 1.42
    Database version: 3436
    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    2009-12-27 00:31:12
    mbam-log-2009-12-27 (00-31-12).txt

    Scan type: Full Scan (C:\|)
    Objects scanned: 285260
    Time elapsed: 1 hour(s), 16 minute(s), 54 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 1
    Files Infected: 3

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    C:\Program\malware Defense (Rogue.MalwareDefense) -> Quarantined and deleted successfully.

    Files Infected:
    C:\System Volume Information\_restore{BBD05A42-211B-4D04-BFA9-5D4851BF8B7C}\RP98\A0058024.sys (Malware.Packer) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{BBD05A42-211B-4D04-BFA9-5D4851BF8B7C}\RP98\A0058025.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{BBD05A42-211B-4D04-BFA9-5D4851BF8B7C}\RP98\A0058026.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.



    **HijackThis Text**


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 00:37:17, on 2009-12-27
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program\Symantec\Symantec Endpoint Protection\Smc.exe
    C:\Program\Intel\WiFi\bin\S24EvMon.exe
    C:\Program\Delade filer\Symantec Shared\ccSvcHst.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program\Delade filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program\Bonjour\mDNSResponder.exe
    C:\Program\Intel\WiFi\bin\EvtEng.exe
    C:\Program\Java\jre6\bin\jqs.exe
    C:\Program\Delade filer\Intel\WirelessCommon\RegSrvc.exe
    C:\Program\CyberLink\Shared Files\RichVideo.exe
    C:\Program\SigmaTel\C-Major Audio\WDM\StacSV.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program\Symantec\Symantec Endpoint Protection\Rtvscan.exe
    C:\Program\Intel\WiFi\bin\WLKeeper.exe
    C:\WINDOWS\system32\SearchIndexer.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program\Symantec\Symantec Endpoint Protection\SmcGui.exe
    C:\WINDOWS\stsystra.exe
    C:\Program\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Program\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
    C:\Program\Java\jre6\bin\jusched.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program\Delade filer\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    C:\Program\Intel\WiFi\bin\ZCfgSvc.exe
    C:\Program\Delade filer\Intel\WirelessCommon\iFrmewrk.exe
    C:\Program\Delade filer\Symantec Shared\ccApp.exe
    C:\Program\Delade filer\Logitech\QCDriver3\LVCOMS.EXE
    C:\Program\CyberLink\PCM4Everio\EverioService.exe
    C:\Program\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\wbem\unsecapp.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program\iPod\bin\iPodService.exe
    C:\Program\Microsoft Office\Office12\WINWORD.EXE
    C:\Program\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = jbesk-student1:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = fronter.com;www.fronter.com;<local>;*.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Delade filer\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program\Microsoft Office\Office12\GrooveShellExtensions.dll
    O2 - BHO: Windows Live inloggningshjälpen - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program\Delade filer\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program\Microsoft Office\Office12\GrooveMonitor.exe "
    O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe "
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program\Java\jre6\bin\jusched.exe "
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program\Intel\WiFi\bin\ZCfgSvc.exe "
    O4 - HKLM\..\Run: [IntelWireless] "C:\Program\Delade filer\Intel\WirelessCommon\iFrmewrk.exe" /tf Intel Wireless Tray
    O4 - HKLM\..\Run: [ccApp] "C:\Program\Delade filer\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [LVCOMS] C:\Program\Delade filer\Logitech\QCDriver3\LVCOMS.EXE
    O4 - HKLM\..\Run: [EverioService] "C:\Program\CyberLink\PCM4Everio\EverioService.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program\iTunes\iTunesHelper.exe "
    O4 - HKCU\..\Run: [QuickTime Task] "C:\Program\QuickTime\QTTask.exe" -atboottime
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program\Windows Live\Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program\DAEMON Tools Lite\daemon.exe" -autorun
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Startup: Dropbox.lnk = C:\Documents and Settings\marjoh01\Application Data\Dropbox\bin\Dropbox.exe
    O4 - Global Startup: Windows Search.lnk = C:\Program\Windows Desktop Search\WindowsSearch.exe
    O8 - Extra context menu item: Append to existing PDF - res://C:\Program\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
    O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1242115496953
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1242115409765
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = jbesk.local
    O17 - HKLM\Software\..\Telephony: DomainName = jbesk.local
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = jbesk.local
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program\Microsoft Office\Office12\GrooveSystemServices.dll
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
    O20 - Winlogon Notify: !SASWinLogon - C:\Program\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program\Delade filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour-tjänst (Bonjour Service) - Apple Inc. - C:\Program\Bonjour\mDNSResponder.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccSvcHst.exe
    O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel(R) Corporation - C:\Program\Intel\WiFi\bin\EvtEng.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program\Delade filer\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program\Java\jre6\bin\jqs.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\Program\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel(R) Corporation - C:\Program\Delade filer\Intel\WirelessCommon\RegSrvc.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program\CyberLink\Shared Files\RichVideo.exe
    O23 - Service: Intel® PROSet/Wireless WiFi Service (S24EventMonitor) - Intel(R) Corporation - C:\Program\Intel\WiFi\bin\S24EvMon.exe
    O23 - Service: Symantec Auto-upgrade Agent (Smcinst) - Unknown owner - C:\Program\Symantec\Symantec Endpoint Protection\SmcLU\Setup\smcinst.exe (file missing)
    O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program\Symantec\Symantec Endpoint Protection\Smc.exe
    O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program\Symantec\Symantec Endpoint Protection\SNAC.EXE
    O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program\SigmaTel\C-Major Audio\WDM\StacSV.exe
    O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program\Symantec\Symantec Endpoint Protection\Rtvscan.exe
    O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program\Intel\WiFi\bin\WLKeeper.exe

    --
    End of file - 11180 bytes
     
  19. 2009/12/26
    broni Moderator Malware Analyst

    Please download JavaRa to your desktop and unzip it to its own folder
    • Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
    • Accept any prompts.
    • Open JavaRa.exe again and select Search For Updates.
    • Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.

    Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

    Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

    ================================================================

    Print this post out, since you won't have access to it at some point.

    1. Open HijackThis.

    2. Close all windows, except for HijackThis.

    3. Put checkmarks next to the following HijackThis entries:

    - O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
    - O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    - O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    - O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)


    4. You should also checkmark the following entries (these are unnecessary startups; no actual programs will be removed):

    - O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    - O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program\Microsoft Office\Office12\GrooveMonitor.exe "
    - O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program\Java\jre6\bin\jusched.exe "
    - O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    - O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    - O4 - HKLM\..\Run: [iTunesHelper] "C:\Program\iTunes\iTunesHelper.exe "
    - O4 - HKCU\..\Run: [msnmsgr] "C:\Program\Windows Live\Messenger\msnmsgr.exe" /background
    - O20 - Winlogon Notify: !SASWinLogon - C:\Program\SUPERAntiSpyware\SASWINLO.dll


    5. Click on Fix checked button.

    6. Restart computer.

    7. Post new HijackThis log.
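The step 3 entries above all end in "(no file)" or, for the Smcinst service in the posted log, "(file missing)": HijackThis is reporting a registry reference whose target is no longer on disk. To make that triage repeatable, here is a small parser for the "Oxx - ..." lines of a HijackThis log. It is an added example, not code from this thread, from HijackThis or from any of the tools broni mentions. The sample log is constructed from lines already posted in this thread; the `Entry` class and the function names are my own. It also adds one check beyond what broni asked for: O4 Run entries whose executable is given without a directory (like `stsystra.exe`), which Windows resolves through the search path at logon, a detail worth noting when reviewing startup entries.

```python
"""Triage helper for HijackThis-style log lines (added example, not from the thread).

It parses the "Oxx - ..." entries, flags the ones whose target is gone from
disk ("(no file)" / "(file missing)"), and flags Run entries whose executable
is given without a directory, so Windows resolves it via the search path at
logon. Both are things a reviewer looks for before deciding what to fix.
"""
import re
from dataclasses import dataclass

# Constructed sample: a few lines copied from the logs posted in this thread.
# A real HijackThis log is a few hundred lines; the format is the same.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Boot mode: Normal
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Delade filer\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program\DAEMON Tools Lite\daemon.exe" -autorun
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O20 - Winlogon Notify: !SASWinLogon - C:\Program\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Symantec Auto-upgrade Agent (Smcinst) - Unknown owner - C:\Program\Symantec\Symantec Endpoint Protection\SmcLU\Setup\smcinst.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program\iPod\bin\iPodService.exe
"""

# "O2 - ...", "O23 - ...", "R1 - ...", "F2 - ..." all start an entry.
ENTRY_RE = re.compile(r"^(O\d+|R[01]|F\d)\s+-\s+(.*)$")
# Body of an O4 registry Run entry: "HKLM\..\Run: [Name] command line"
RUN_RE = re.compile(r"^(HK[^:]*): \[([^\]]*)\] (.*)$")
ORPHAN_MARKERS = ("(no file)", "(file missing)")


@dataclass
class Entry:
    section: str   # "O2", "O4", "O23", ...
    body: str      # text after "Oxx - "
    orphan: bool   # HijackThis reported the target file as absent


def parse_hjt(text):
    """Return the Oxx/Rx/Fx entries of a log; headers and process lists are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.groups()
        entries.append(Entry(section, body, body.endswith(ORPHAN_MARKERS)))
    return entries


def orphaned_entries(entries):
    """Entries that reference a file no longer on disk: leftovers worth clearing."""
    return [e for e in entries if e.orphan]


def run_executable(body):
    """For an O4 Run-key body, return (key, value name, executable) or None."""
    m = RUN_RE.match(body)
    if not m:
        return None
    key, name, cmd = m.groups()
    if cmd.startswith('"'):
        close = cmd.find('"', 1)
        exe = cmd[1:close] if close > 0 else cmd[1:]
    else:
        parts = cmd.split()
        exe = parts[0] if parts else ""
    return key, name, exe.strip()


def unqualified_run_entries(entries):
    """O4 Run entries whose executable has no directory (resolved via the search path at logon)."""
    found = []
    for e in entries:
        if e.section != "O4":
            continue
        parsed = run_executable(e.body)
        if parsed is not None and "\\" not in parsed[2]:
            found.append(e)
    return found


def section_counts(entries):
    """How many entries each section (O2, O4, ...) has; handy for spotting a bloated log."""
    counts = {}
    for e in entries:
        counts[e.section] = counts.get(e.section, 0) + 1
    return counts


if __name__ == "__main__":
    found = parse_hjt(SAMPLE_LOG)
    print("entries per section:", section_counts(found))
    for e in orphaned_entries(found):
        print("orphan:     ", e.section, "-", e.body)
    for e in unqualified_run_entries(found):
        print("unqualified:", e.section, "-", e.body)
```

To use it on a real log, read the saved hijackthis.log into a string and pass it to `parse_hjt`; the orphan list is the set of entries that can be fixed without removing any program, which is the same reasoning broni applies in steps 3 and 4. An entry being orphaned or unqualified is a reason to look, not by itself proof of infection.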
     
  20. 2009/12/27
    Arna Inactive Thread Starter

    Here we go again


    **HijackThis Text**


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 00:55:03, on 2009-12-28
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program\Symantec\Symantec Endpoint Protection\Smc.exe
    C:\Program\Intel\WiFi\bin\S24EvMon.exe
    C:\Program\Delade filer\Symantec Shared\ccSvcHst.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program\Delade filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program\Bonjour\mDNSResponder.exe
    C:\Program\Intel\WiFi\bin\EvtEng.exe
    C:\Program\Java\jre6\bin\jqs.exe
    C:\Program\Delade filer\Intel\WirelessCommon\RegSrvc.exe
    C:\Program\CyberLink\Shared Files\RichVideo.exe
    C:\Program\SigmaTel\C-Major Audio\WDM\StacSV.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program\Symantec\Symantec Endpoint Protection\Rtvscan.exe
    C:\Program\Intel\WiFi\bin\WLKeeper.exe
    C:\WINDOWS\system32\SearchIndexer.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program\Symantec\Symantec Endpoint Protection\SmcGui.exe
    C:\Program\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\Program\Intel\WiFi\bin\ZCfgSvc.exe
    C:\Program\Delade filer\Intel\WirelessCommon\iFrmewrk.exe
    C:\WINDOWS\system32\wbem\unsecapp.exe
    C:\Program\Delade filer\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    C:\Program\Delade filer\Symantec Shared\ccApp.exe
    C:\Program\Delade filer\Logitech\QCDriver3\LVCOMS.EXE
    C:\Program\CyberLink\PCM4Everio\EverioService.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program\Windows Live\Messenger\msnmsgr.exe
    C:\Program\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = jbesk-student1:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = fronter.com;www.fronter.com;<local>;*.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Delade filer\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program\Microsoft Office\Office12\GrooveShellExtensions.dll
    O2 - BHO: Windows Live inloggningshjälpen - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program\Delade filer\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe "
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program\Intel\WiFi\bin\ZCfgSvc.exe "
    O4 - HKLM\..\Run: [IntelWireless] "C:\Program\Delade filer\Intel\WirelessCommon\iFrmewrk.exe" /tf Intel Wireless Tray
    O4 - HKLM\..\Run: [ccApp] "C:\Program\Delade filer\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [LVCOMS] C:\Program\Delade filer\Logitech\QCDriver3\LVCOMS.EXE
    O4 - HKLM\..\Run: [EverioService] "C:\Program\CyberLink\PCM4Everio\EverioService.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\QTTask.exe" -atboottime
    O4 - HKCU\..\Run: [QuickTime Task] "C:\Program\QuickTime\QTTask.exe" -atboottime
    O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program\DAEMON Tools Lite\daemon.exe" -autorun
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program\Windows Live\Messenger\msnmsgr.exe" /background
    O4 - Startup: Dropbox.lnk = C:\Documents and Settings\marjoh01\Application Data\Dropbox\bin\Dropbox.exe
    O4 - Global Startup: Windows Search.lnk = C:\Program\Windows Desktop Search\WindowsSearch.exe
    O8 - Extra context menu item: Append to existing PDF - res://C:\Program\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
    O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1242115496953
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1242115409765
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = jbesk.local
    O17 - HKLM\Software\..\Telephony: DomainName = jbesk.local
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = jbesk.local
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program\Microsoft Office\Office12\GrooveSystemServices.dll
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program\Delade filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour-tjänst (Bonjour Service) - Apple Inc. - C:\Program\Bonjour\mDNSResponder.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccSvcHst.exe
    O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel(R) Corporation - C:\Program\Intel\WiFi\bin\EvtEng.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program\Delade filer\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program\Java\jre6\bin\jqs.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\Program\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel(R) Corporation - C:\Program\Delade filer\Intel\WirelessCommon\RegSrvc.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program\CyberLink\Shared Files\RichVideo.exe
    O23 - Service: Intel® PROSet/Wireless WiFi Service (S24EventMonitor) - Intel(R) Corporation - C:\Program\Intel\WiFi\bin\S24EvMon.exe
    O23 - Service: Symantec Auto-upgrade Agent (Smcinst) - Unknown owner - C:\Program\Symantec\Symantec Endpoint Protection\SmcLU\Setup\smcinst.exe (file missing)
    O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program\Symantec\Symantec Endpoint Protection\Smc.exe
    O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program\Symantec\Symantec Endpoint Protection\SNAC.EXE
    O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program\SigmaTel\C-Major Audio\WDM\StacSV.exe
    O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program\Symantec\Symantec Endpoint Protection\Rtvscan.exe
    O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program\Intel\WiFi\bin\WLKeeper.exe

    --
    End of file - 10047 bytes
     
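    How an analyst reads the O4 (autorun) and O23 (service) lines in a HijackThis log like the one above, as an added Python example that is not part of this thread or of HijackThis itself; the regexes and review heuristics are this example's own, and the sample lines are copied from the posted log:

```python
"""Triage of HijackThis O4/O23 entries (added example, not from the thread)."""
import re

# Constructed sample: autorun (O4) and service (O23) lines copied from the posted log.
SAMPLE_LOG = r"""
O4 - HKCU\..\Run: [msnmsgr] "C:\Program\Windows Live\Messenger\msnmsgr.exe" /background
O4 - Startup: Dropbox.lnk = C:\Documents and Settings\marjoh01\Application Data\Dropbox\bin\Dropbox.exe
O23 - Service: Symantec Auto-upgrade Agent (Smcinst) - Unknown owner - C:\Program\Symantec\Symantec Endpoint Protection\SmcLU\Setup\smcinst.exe (file missing)
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program\Symantec\Symantec Endpoint Protection\Rtvscan.exe
"""

# O23 layout: "O23 - Service: <display name> - <company> - <path> [(file missing)]"
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)"
    r"(?P<missing> \(file missing\))?$")
# O4 layouts vary; only the launched executable path is needed (drive letter onward).
O4_PATH_RE = re.compile(r'([A-Za-z]:\\[^"]*?\.(?:exe|dll|scr|bat|cmd))', re.IGNORECASE)
# Autoruns started from a user profile deserve a second look during a clean-up.
USER_WRITABLE = re.compile(r"\\(Documents and Settings|Users)\\", re.IGNORECASE)


def triage(log_text):
    """Return [(entry_type, label, [reasons])] for entries an analyst should review."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O23_RE.match(line)
        if m:
            reasons = []
            if m.group("owner") == "Unknown owner":
                reasons.append("no publisher recorded")
            if m.group("missing"):
                reasons.append("service binary missing (orphaned entry)")
            if reasons:
                findings.append(("O23", m.group("name"), reasons))
        elif line.startswith("O4 - "):
            p = O4_PATH_RE.search(line)
            if p and USER_WRITABLE.search(p.group(1)):
                findings.append(("O4", p.group(1), ["autorun from user-writable profile path"]))
    return findings


if __name__ == "__main__":
    for kind, label, reasons in triage(SAMPLE_LOG):
        print(f"{kind}: {label}: {'; '.join(reasons)}")
```

    A flagged entry is a review item, not a verdict: the orphaned Smcinst service and the unsigned RichVideo entry above are exactly the kind of lines a helper checks by hand before declaring a log clean.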
  21. 2009/12/27
    broni

    broni Moderator Malware Analyst

    Your computer is clean :)

    1. Download Temp File Cleaner (TFC)
    Double click on TFC.exe to run the program.
    Click on Start button to begin cleaning process.
    TFC will close all running programs, and it may ask you to restart computer.

    2. Turn off System Restore:

    - Windows XP:
    1. Click Start.
    2. Right-click the My Computer icon, and then click Properties.
    3. Click the System Restore tab.
    4. Check "Turn off System Restore".
    5. Click Apply.
    6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
    7. Click OK.
    - Windows Vista:
    1. Click Start.
    2. Right-click the Computer icon, and then click Properties.
    3. Click on System Protection under the Tasks column on the left side.
    4. Click on Continue on the "User Account Control" window that pops up.
    5. Under the System Protection tab, find Available Disks.
    6. Uncheck the box for any drive you wish to disable System Restore on (in most cases, drive "C:").
    7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
    8. Click OK.

    3. Restart computer.

    4. Turn System Restore on.

    5. Make sure Windows Updates are current.

    6. If any Trojan was listed among your infection(s), make sure you change all of your important on-line passwords (bank account(s), secured web sites, etc.) immediately!

    7. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    8. Run defrag at your convenience.

    9. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

    10. Please let me know how your computer is doing.
     
