my hotmail account and wow was hacked


  • This topic is locked
14 replies to this topic

#1 malefique

  • Full Member
  • 10 posts

Posted 04 July 2009 - 11:38 AM

A few days ago I could not get into either my Hotmail account or my WoW account. I got online, got stuff locked, and have managed to retrieve my Hotmail account. I got a forum link from Blizzard http://forums.wow-eu...t...42401&sid=1 which stepped me through a clean-up process. I was not aware of how lacking my security was, but being put to the knife like this kinda makes you jump, so I am here to post my logs hoping that you can tell me things look a bit brighter again.

I have run ATF-Cleaner, Spybot S&D, Ad-Aware (not resident), Avast (resident), MAM, and HijackThis. They all found a little here and there. I am unable, however, to find a log in Avast, but I'm posting the other logs I got.


--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---

2009-01-26 blindman.exe (1.0.0.8)
2009-01-26 SDFiles.exe (1.6.1.7)
2009-01-26 SDMain.exe (1.0.0.6)
2009-01-26 SDShred.exe (1.0.2.5)
2009-01-26 SDUpdate.exe (1.6.0.12)
2009-01-26 SpybotSD.exe (1.6.2.46)
2009-03-05 TeaTimer.exe (1.6.6.32)
2009-07-04 unins000.exe (51.49.0.0)
2009-01-26 Update.exe (1.6.0.7)
2009-01-26 advcheck.dll (1.6.2.15)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2009-01-26 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2009-01-26 Tools.dll (2.1.6.10)
2009-01-16 UninsSrv.dll (1.0.0.0)
2009-05-19 Includes\Adware.sbi
2009-06-02 Includes\AdwareC.sbi
2009-01-22 Includes\Cookies.sbi
2009-05-19 Includes\Dialer.sbi
2009-06-02 Includes\DialerC.sbi
2009-01-22 Includes\HeavyDuty.sbi
2009-05-26 Includes\Hijackers.sbi
2009-06-23 Includes\HijackersC.sbi
2009-06-23 Includes\Keyloggers.sbi
2009-06-30 Includes\KeyloggersC.sbi
2004-11-29 Includes\LSP.sbi
2009-06-30 Includes\Malware.sbi
2009-06-30 Includes\MalwareC.sbi
2009-03-25 Includes\PUPS.sbi
2009-06-30 Includes\PUPSC.sbi
2009-01-22 Includes\Revision.sbi
2009-01-13 Includes\Security.sbi
2009-06-02 Includes\SecurityC.sbi
2008-06-03 Includes\Spybots.sbi
2008-06-03 Includes\SpybotsC.sbi
2009-04-07 Includes\Spyware.sbi
2009-06-02 Includes\SpywareC.sbi
2009-06-08 Includes\Tracks.uti
2009-06-17 Includes\Trojans.sbi
2009-06-30 Includes\TrojansC.sbi
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll


--- System information ---
Windows XP (Build: 2600) Service Pack 3 (5.1.2600)
/ .NETFramework / 1.1: Microsoft .NET Framework 1.1 Hotfix (KB928366)
/ .NETFramework / 1.1: Microsoft .NET Framework 1.1 Service Pack 1 (KB867460)
/ Windows / SP1: Microsoft Internationalized Domain Names Mitigation APIs
/ Windows / SP1: Microsoft National Language Support Downlevel APIs
/ Windows Media Format 11 SDK: Hotfix for Windows Media Format 11 SDK (KB929399)
/ Windows Media Player: Security Update for Windows Media Player (KB952069)
/ Windows Media Player 11: Security Update for Windows Media Player 11 (KB936782)
/ Windows Media Player 11: Hotfix for Windows Media Player 11 (KB939683)
/ Windows Media Player 11: Security Update for Windows Media Player 11 (KB954154)
/ Windows Media Player 11: Critical Update for Windows Media Player 11 (KB959772)
/ Windows Media Player 6.4: Security Update for Windows Media Player 6.4 (KB925398)
/ Windows Media Player 9: Security Update for Windows Media Player 9 (KB936782)
/ Windows XP: Security Update for Windows XP (KB923689)
/ Windows XP: Security Update for Windows XP (KB941569)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB938127)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB942615)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB944533)
/ Windows XP / SP0: Hotfix for Windows Internet Explorer 7 (KB947864)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB950759)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB956390)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB958215)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB960714)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB961260)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB963027)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB969897)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 8 (KB969897)
/ Windows XP / SP0: Update for Windows Internet Explorer 8 (KB971930)
/ Windows XP / SP10: Microsoft Compression Client Pack 1.0 for Windows XP
/ Windows XP / SP3: High Definition Audio Driver Package - KB888111
/ Windows XP / SP3: Windows XP Service Pack 3
/ Windows XP / SP4: Security Update for Windows XP (KB923561)
/ Windows XP / SP4: Security Update for Windows XP (KB938464)
/ Windows XP / SP4: Security Update for Windows XP (KB938464-v2)
/ Windows XP / SP4: Security Update for Windows XP (KB946648)
/ Windows XP / SP4: Security Update for Windows XP (KB950760)
/ Windows XP / SP4: Security Update for Windows XP (KB950762)
/ Windows XP / SP4: Security Update for Windows XP (KB950974)
/ Windows XP / SP4: Security Update for Windows XP (KB951066)
/ Windows XP / SP4: Update for Windows XP (KB951072-v2)
/ Windows XP / SP4: Security Update for Windows XP (KB951376-v2)
/ Windows XP / SP4: Security Update for Windows XP (KB951698)
/ Windows XP / SP4: Security Update for Windows XP (KB951748)
/ Windows XP / SP4: Update for Windows XP (KB951978)
/ Windows XP / SP4: Security Update for Windows XP (KB952004)
/ Windows XP / SP4: Hotfix for Windows XP (KB952287)
/ Windows XP / SP4: Security Update for Windows XP (KB952954)
/ Windows XP / SP4: Security Update for Windows XP (KB954211)
/ Windows XP / SP4: Security Update for Windows XP (KB954459)
/ Windows XP / SP4: Security Update for Windows XP (KB954600)
/ Windows XP / SP4: Security Update for Windows XP (KB955069)
/ Windows XP / SP4: Update for Windows XP (KB955839)
/ Windows XP / SP4: Security Update for Windows XP (KB956391)
/ Windows XP / SP4: Security Update for Windows XP (KB956572)
/ Windows XP / SP4: Security Update for Windows XP (KB956802)
/ Windows XP / SP4: Security Update for Windows XP (KB956803)
/ Windows XP / SP4: Security Update for Windows XP (KB956841)
/ Windows XP / SP4: Security Update for Windows XP (KB957095)
/ Windows XP / SP4: Security Update for Windows XP (KB957097)
/ Windows XP / SP4: Security Update for Windows XP (KB958644)
/ Windows XP / SP4: Security Update for Windows XP (KB958687)
/ Windows XP / SP4: Security Update for Windows XP (KB958690)
/ Windows XP / SP4: Security Update for Windows XP (KB959426)
/ Windows XP / SP4: Security Update for Windows XP (KB960225)
/ Windows XP / SP4: Security Update for Windows XP (KB960715)
/ Windows XP / SP4: Security Update for Windows XP (KB960803)
/ Windows XP / SP4: Security Update for Windows XP (KB961373)
/ Windows XP / SP4: Security Update for Windows XP (KB961501)
/ Windows XP / SP4: Update for Windows XP (KB967715)
/ Windows XP / SP4: Security Update for Windows XP (KB968537)
/ Windows XP / SP4: Security Update for Windows XP (KB969898)
/ Windows XP / SP4: Security Update for Windows XP (KB970238)
/ XML Paper Specification Shared Components Pack 1.0: XML Paper Specification Shared Components Pack 1.0


--- Startup entries list ---
Located: HK_LM:Run, Adobe Reader Speed Launcher
command: "C:\Programfiler\Adobe\Reader 8.0\Reader\Reader_sl.exe"
file: C:\Programfiler\Adobe\Reader 8.0\Reader\Reader_sl.exe
size: 39792
MD5: 8B9145D229D4E89D15ACB820D4A3A90F

Located: HK_LM:Run, Ad-Watch
command: C:\Programfiler\Lavasoft\Ad-Aware\AAWTray.exe
file: C:\Programfiler\Lavasoft\Ad-Aware\AAWTray.exe
size: 520024
MD5: 2CD3C21B57B2B1E5CC4C82519461C9D2

Located: HK_LM:Run, avast!
command: C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
file: C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
size: 81000
MD5: FC242DBD786557AC641726DC5C13F060

Located: HK_LM:Run, ExtraFilmHemmaAgent
command: "C:\Programfiler\ExtraFilm at Home\Agent.exe"
file: C:\Programfiler\ExtraFilm at Home\Agent.exe
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_LM:Run, High Definition Audio Property Page Shortcut
command: HDAShCut.exe
file: C:\WINDOWS\system32\HDAShCut.exe
size: 61952
MD5: 21C8A24455FDAFC9D6D8BCD38D62B10B

Located: HK_LM:Run, NvCplDaemon
command: RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
file: C:\WINDOWS\system32\NvCpl.dll
size: 8466432
MD5: 1E7BD636B297830582A5587CFD779784

Located: HK_LM:Run, NvMediaCenter
command: RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
file: C:\WINDOWS\system32\NvMcTray.dll
size: 81920
MD5: 33423165FDC8CCE60FF2659AF2F7BF70

Located: HK_LM:Run, nwiz
command: nwiz.exe /install
file: C:\WINDOWS\system32\nwiz.exe
size: 1626112
MD5: C6B1971E12A35FB69D64D01B915E1AA1

Located: HK_LM:Run, QuickTime Task
command: "C:\Programfiler\QuickTime\qttask.exe" -atboottime
file: C:\Programfiler\QuickTime\qttask.exe
size: 413696
MD5: 0AB3C83FCB8EF6F56E4FB22089F0D3B9

Located: HK_LM:Run, SoundMAX
command: "C:\Programfiler\Analog Devices\SoundMAX\smax4.exe" /tray
file: C:\Programfiler\Analog Devices\SoundMAX\smax4.exe
size: 716800
MD5: F2C53B16FEFD00DC79A15871A5738573

Located: HK_LM:Run, SoundMAXPnP
command: C:\Programfiler\Analog Devices\Core\smax4pnp.exe
file: C:\Programfiler\Analog Devices\Core\smax4pnp.exe
size: 925696
MD5: 115332A83AC2726FA974D30DB4BFD8DE

Located: HK_LM:Run, SunJavaUpdateSched
command: "C:\Programfiler\Java\jre1.6.0_03\bin\jusched.exe"
file: C:\Programfiler\Java\jre1.6.0_03\bin\jusched.exe
size: 132496
MD5: D4F0F7437327DBAA264338BAAFB5E5AF

Located: HK_LM:Run, Zboard
command: C:\Programfiler\Ideazon\ZEngine\Zboard.exe
file: C:\Programfiler\Ideazon\ZEngine\Zboard.exe
size: 57344
MD5: 2D451F4D04393013FD53262FC23BDFE1

Located: HK_CU:Run, ashservecie
where: S-1-5-21-1123561945-2111687655-725345543-1004...
command: C:\WINDOWS\system32\ashservec.exe
file: C:\WINDOWS\system32\ashservec.exe
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:Run, BitTorrent DNA
where: S-1-5-21-1123561945-2111687655-725345543-1004...
command: "C:\Programfiler\DNA\btdna.exe"
file: C:\Programfiler\DNA\btdna.exe
size: 321344
MD5: 7CF68169102EEE1C8C24C0CD495AD5BF

Located: HK_CU:Run, ctfmon.exe
where: S-1-5-21-1123561945-2111687655-725345543-1004...
command: C:\WINDOWS\system32\ctfmon.exe
file: C:\WINDOWS\system32\ctfmon.exe
size: 15360
MD5: DD0A3AC0339D222329CBF9CFE0FE6AA5

Located: HK_CU:Run, CurseClient
where: S-1-5-21-1123561945-2111687655-725345543-1004...
command: C:\Programfiler\Curse\CurseClient.exe -silent
file: C:\Programfiler\Curse\CurseClient.exe
size: 1934336
MD5: A6EEC57A8F783F2A1951F769EAA12847

Located: HK_CU:Run, explorer
where: S-1-5-21-1123561945-2111687655-725345543-1004...
command: C:\WINDOWS\systemq.exe
file: C:\WINDOWS\systemq.exe
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:Run, iexplorerskut
where: S-1-5-21-1123561945-2111687655-725345543-1004...
command: C:\WINDOWS\system32\dllhostc.exe
file: C:\WINDOWS\system32\dllhostc.exe
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:Run, Mail.com
where: S-1-5-21-1123561945-2111687655-725345543-1004...
command: C:\Programfiler\mail.com\mcalert.exe -auto
file: C:\Programfiler\mail.com\mcalert.exe
size: 139264
MD5: 608D72BF9C37FA1DB6F638D310625699

Located: HK_CU:Run, MsnMsgr
where: S-1-5-21-1123561945-2111687655-725345543-1004...
command: "C:\Programfiler\Windows Live\Messenger\MsnMsgr.Exe" /background
file: C:\Programfiler\Windows Live\Messenger\MsnMsgr.Exe
size: 5724184
MD5: 6B327AAECAEBB0D8FE78548ACBE52FB3

Located: HK_CU:Run, SpybotSD TeaTimer
where: S-1-5-21-1123561945-2111687655-725345543-1004...
command: C:\Programfiler\Spybot - Search & Destroy\TeaTimer.exe
file: C:\Programfiler\Spybot - Search & Destroy\TeaTimer.exe
size: 2260480
MD5: 390679F7A217A5E73D756276C40AE887

Located: HK_CU:Run, twumk.exe
where: S-1-5-21-1123561945-2111687655-725345543-1004...
command: C:\WINDOWS\system32\twumk.exe
file: C:\WINDOWS\system32\twumk.exe
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:RunOnce, Shockwave Updater
where: S-1-5-21-1123561945-2111687655-725345543-1004...
command: C:\WINDOWS\system32\Adobe\SHOCKW~1\SWHELP~1.EXE -Update -1100465 -"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Embedded Web Browser from: http://bsalsa.com/; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.0.04506.30)" -"http://www.cartoonne...me_02_ext.html"
file:
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:Run, ctfmon.exe
where: S-1-5-21-1123561945-2111687655-725345543-1006...
command: C:\WINDOWS\system32\ctfmon.exe
file: C:\WINDOWS\system32\ctfmon.exe
size: 15360
MD5: DD0A3AC0339D222329CBF9CFE0FE6AA5

Located: HK_CU:Run, Mail.com
where: S-1-5-21-1123561945-2111687655-725345543-1006...
command: C:\Programfiler\mail.com\mcalert.exe -auto
file: C:\Programfiler\mail.com\mcalert.exe
size: 139264
MD5: 608D72BF9C37FA1DB6F638D310625699

Located: HK_CU:Run, MSMSGS
where: S-1-5-21-1123561945-2111687655-725345543-1006...
command: "C:\Programfiler\Messenger\msmsgs.exe" /background
file: C:\Programfiler\Messenger\msmsgs.exe
size: 1695232
MD5: 2C94142AD7BA1BA71EDA76190892457E

Located: HK_CU:Run, msnmsgr
where: S-1-5-21-1123561945-2111687655-725345543-1006...
command: "C:\Programfiler\Windows Live\Messenger\msnmsgr.exe" /background
file: C:\Programfiler\Windows Live\Messenger\msnmsgr.exe
size: 5724184
MD5: 6B327AAECAEBB0D8FE78548ACBE52FB3

Located: HK_CU:Run, SpybotSD TeaTimer
where: S-1-5-21-1123561945-2111687655-725345543-1006...
command: C:\Programfiler\Spybot - Search & Destroy\TeaTimer.exe
file: C:\Programfiler\Spybot - Search & Destroy\TeaTimer.exe
size: 2260480
MD5: 390679F7A217A5E73D756276C40AE887

Located: Startup (user), OpenOffice.org 2.2.lnk
where: C:\Documents and Settings\Gatinha\Start-meny\Programmer\Oppstart...
command: C:\Programfiler\OpenOffice.org 2.2\program\quickstart.exe
file: C:\Programfiler\OpenOffice.org 2.2\program\quickstart.exe
size: 393216
MD5: 97EDBCE5AC38D0F08BA42F56FFCA414B

Located: Startup (user), 3DO - Might and Magic VII Registration.lnk
where: C:\Documents and Settings\sjef\Start-meny\Programmer\Oppstart...
command: D:\Programfiler\3DO\Might and Magic VII\Register\Remind32.exe
file: D:\Programfiler\3DO\Might and Magic VII\Register\Remind32.exe
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: Startup (user), OpenOffice.org 2.2.lnk
where: C:\Documents and Settings\sjef\Start-meny\Programmer\Oppstart...
command: C:\Programfiler\OpenOffice.org 2.2\program\quickstart.exe
file: C:\Programfiler\OpenOffice.org 2.2\program\quickstart.exe
size: 393216
MD5: 97EDBCE5AC38D0F08BA42F56FFCA414B

Located: WinLogon, crypt32chain
command: crypt32.dll
file: crypt32.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, cryptnet
command: cryptnet.dll
file: cryptnet.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, cscdll
command: cscdll.dll
file: cscdll.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, dimsntfy
command: %SystemRoot%\System32\dimsntfy.dll
file: %SystemRoot%\System32\dimsntfy.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, ScCertProp
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, Schedule
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, sclgntfy
command: sclgntfy.dll
file: sclgntfy.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, SensLogn
command: WlNotify.dll
file: WlNotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, termsrv
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, wlballoon
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!



--- Browser helper object list ---
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Adobe PDF Reader Link Helper
description: Adobe Acrobat reader
classification: Legitimate
known filename: AcroIEhelper.ocx, AcroIEhelper.dll
info link: http://www.adobe.com.../readstep2.html
info source: TonyKlein
Path: C:\Programfiler\Fellesfiler\Adobe\Acrobat\ActiveX\
Long name: AcroIEHelper.dll
Short name: ACROIE~1.DLL
Date (created): 23.10.2006 00:08:42
Date (last access): 04.07.2009 17:41:58
Date (last write): 23.10.2006 00:08:42
Filesize: 62080
Attributes: archive
MD5: C11F6A1F61481E24BE3FDC06EA6F7D2A
CRC32: E388508F
Version: 8.0.0.456

{201f27d4-3704-41d6-89c1-aa35e39143ed} (AskBar BHO)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name: AskBar BHO
CLSID name: AskBar BHO
Path: C:\Programfiler\AskBarDis\bar\bin\
Long name: askBar.dll
Short name:
Date (created): 04.03.2009 22:36:06
Date (last access): 04.07.2009 18:23:14
Date (last write): 29.09.2008 18:24:28
Filesize: 325000
Attributes: archive
MD5: D1BAD87754F0141D7523C0D7CD6283F7
CRC32: 93EA42BA
Version: 4.1.0.5

{53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Spybot-S&D IE Protection
description: Spybot-S&D IE Browser plugin
classification: Legitimate
known filename: SDhelper.dll
info link: http://spybot.eon.net.au/
info source: Patrick M. Kolla
Path: C:\PROGRA~1\SPYBOT~1\
Long name: SDHelper.dll
Short name:
Date (created): 04.07.2009 13:58:42
Date (last access): 04.07.2009 18:24:58
Date (last write): 26.01.2009 15:31:02
Filesize: 1879896
Attributes: archive
MD5: 022C2F6DCCDFA0AD73024D254E62AFAC
CRC32: 5BA24007
Version: 1.6.2.14

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: SSVHelper Class
Path: C:\Programfiler\Java\jre1.6.0_03\bin\
Long name: ssv.dll
Short name:
Date (created): 19.01.2008 19:42:44
Date (last access): 04.07.2009 18:31:08
Date (last write): 25.09.2007 02:11:34
Filesize: 501136
Attributes: archive
MD5: D787E3123FAD2BD58AB45B9A5C360ACD
CRC32: DDC625C2
Version: 6.0.30.5

{7E853D72-626A-48EC-A868-BA8D5E23E045} ()
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name:

{9030D464-4C02-4ABF-8ECC-5164760863C6} (Windows Live Sign-in Helper)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Windows Live Sign-in Helper
Path: C:\Programfiler\Fellesfiler\Microsoft Shared\Windows Live\
Long name: WindowsLiveLogin.dll
Short name: WINDOW~1.DLL
Date (created): 17.02.2009 17:11:04
Date (last access): 04.07.2009 18:23:14
Date (last write): 17.02.2009 17:11:04
Filesize: 408440
Attributes: archive
MD5: 1A82C1B9BB43385695EFC3A84F6756A2
CRC32: 75E558CA
Version: 5.0.818.6



--- ActiveX list ---
{02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object)
DPF name:
CLSID name: QuickTime Object
Installer: C:\WINDOWS\Downloaded Program Files\QTPlugin.inf
Codebase: http://appldnld.appl...ex/qtplugin.cab
description: Apple Quicktime
classification: Legitimate
known filename: QTPLUGIN.OCX
info link:
info source: Patrick M. Kolla
Path: C:\Programfiler\QuickTime\
Long name: QTPlugin.ocx
Short name:
Date (created): 28.03.2009 20:30:32
Date (last access): 04.07.2009 16:22:20
Date (last write): 28.03.2009 20:30:32
Filesize: 779568
Attributes: archive
MD5: CC547257A308EBE1070AED55309DA4BE
CRC32: 4805B208
Version: 7.6.0.0

{0878B424-1F95-4E26-B5AB-F0D349D89650} ()
DPF name:
CLSID name:
Installer:
Codebase:

{166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control)
DPF name:
CLSID name: Shockwave ActiveX Control
Installer: C:\WINDOWS\Downloaded Program Files\swdir.inf
Codebase: http://download.macr...director/sw.cab
description: Macromedia ShockWave Flash Player 7
classification: Legitimate
known filename: SWDIR.DLL
info link:
info source: Patrick M. Kolla
Path: C:\WINDOWS\system32\Adobe\Director\
Long name: swdir.dll
Short name:
Date (created): 25.10.2008 16:41:40
Date (last access): 04.07.2009 16:22:20
Date (last write): 06.08.2008 16:30:48
Filesize: 202168
Attributes: archive
MD5: B8153BAD2E56C50B147867FA9DAEB095
CRC32: D52113FA
Version: 11.0.0.465

{17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool)
DPF name:
CLSID name: Windows Genuine Advantage Validation Tool
Installer: C:\WINDOWS\Downloaded Program Files\LegitCheckControl.inf
Codebase: http://go.microsoft....k/?linkid=39204
description:
classification: Legitimate
known filename: LegitCheckControl.DLL
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\system32\
Long name: LegitCheckControl.DLL
Short name: LEGITC~1.DLL
Date (created): 24.04.2007 11:32:06
Date (last access): 04.07.2009 15:31:18
Date (last write): 24.04.2007 11:32:06
Filesize: 1485696
Attributes: archive
MD5: F41FA54CD85AF8AACF8C7E084F6742F4
CRC32: 6328586B
Version: 1.7.36.0

{233C1507-6A77-46A4-9443-F871F945D258} (Shockwave ActiveX Control)
DPF name:
CLSID name: Shockwave ActiveX Control
Installer: C:\WINDOWS\Downloaded Program Files\swdir.inf
Codebase: http://download.macr...director/sw.cab
description:
classification: Legitimate
known filename: SwDir.dll
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\system32\Adobe\Director\
Long name: swdir.dll
Short name:
Date (created): 25.10.2008 16:41:40
Date (last access): 04.07.2009 18:33:24
Date (last write): 06.08.2008 16:30:48
Filesize: 202168
Attributes: archive
MD5: B8153BAD2E56C50B147867FA9DAEB095
CRC32: D52113FA
Version: 11.0.0.465

{4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool)
DPF name:
CLSID name: MSN Photo Upload Tool
Installer: C:\WINDOWS\Downloaded Program Files\MsnPUpld.inf
Codebase: http://gfx1.hotmail....es/MSNPUpld.cab
description:
classification: Legitimate
known filename: MsnPUpld.dll
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\Downloaded Program Files\
Long name: MsnPUpld.dll
Short name:
Date (created): 20.06.2006 16:44:04
Date (last access): 04.07.2009 15:30:34
Date (last write): 20.06.2006 16:44:04
Filesize: 379704
Attributes: archive
MD5: D2FB109C3F0DAAAA4A73E5921656DB3E
CRC32: A13093E8
Version: 10.0.913.0

{5D637FAD-E202-48D1-8F18-5B9C459BD1E3} (Image Uploader Control)
DPF name:
CLSID name: Image Uploader Control
Installer: C:\WINDOWS\Downloaded Program Files\ImageUploader5.inf
Codebase: http://www.extrafilm...geUploader5.cab
Path: C:\WINDOWS\Downloaded Program Files\
Long name: ImageUploader5.ocx
Short name: IMAGEU~1.OCX
Date (created): 31.03.2008 18:21:12
Date (last access): 04.07.2009 16:22:20
Date (last write): 31.03.2008 18:21:12
Filesize: 3175944
Attributes: archive
MD5: BC5690433016EB45B8E7665545703398
CRC32: 03744F6F
Version: 5.1.10.0

{8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0)
DPF name: Java Runtime Environment 1.6.0
CLSID name: Java Plug-in 1.6.0_03
Installer:
Codebase: http://java.sun.com/...indows-i586.cab
description: Sun Java
classification: Legitimate
known filename: %PROGRAM FILES%\JabaSoft\JRE\*\Bin\npjava131.dll
info link:
info source: Patrick M. Kolla
Path: C:\Programfiler\Java\jre1.6.0_03\bin\
Long name: npjpi160_03.dll
Short name: NPJPI1~1.DLL
Date (created): 25.09.2007 00:31:44
Date (last access): 04.07.2009 16:22:18
Date (last write): 25.09.2007 02:11:34
Filesize: 132496
Attributes: archive
MD5: D6A4682A6FF41832A3F1A7AB9AE08199
CRC32: 9080B537
Version: 6.0.30.5

{8FFBE65D-2C9C-4669-84BD-5829DC0B603C} ()
DPF name:
CLSID name:
Installer: C:\WINDOWS\Downloaded Program Files\erma.inf
Codebase: http://fpdownload.ma...t/ultrashim.cab
description:
classification: Open for discussion
known filename:
info link:
info source: Safer Networking Ltd.

{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} (Java Runtime Environment 1.6.0)
DPF name: Java Runtime Environment 1.6.0
CLSID name: Java Plug-in 1.6.0_03
Installer:
Codebase: http://java.sun.com/...indows-i586.cab
Path: C:\Programfiler\Java\jre1.6.0_03\bin\
Long name: npjpi160_03.dll
Short name: NPJPI1~1.DLL
Date (created): 25.09.2007 00:31:44
Date (last access): 04.07.2009 18:33:24
Date (last write): 25.09.2007 02:11:34
Filesize: 132496
Attributes: archive
MD5: D6A4682A6FF41832A3F1A7AB9AE08199
CRC32: 9080B537
Version: 6.0.30.5

{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} (Java Runtime Environment 1.6.0)
DPF name: Java Runtime Environment 1.6.0
CLSID name: Java Plug-in 1.6.0_03
Installer:
Codebase: http://java.sun.com/...indows-i586.cab
description:
classification: Legitimate
known filename: npjpi150_06.dll
info link:
info source: Safer Networking Ltd.
Path: C:\Programfiler\Java\jre1.6.0_03\bin\
Long name: npjpi160_03.dll
Short name: NPJPI1~1.DLL
Date (created): 25.09.2007 00:31:44
Date (last access): 04.07.2009 18:33:24
Date (last write): 25.09.2007 02:11:34
Filesize: 132496
Attributes: archive
MD5: D6A4682A6FF41832A3F1A7AB9AE08199
CRC32: 9080B537
Version: 6.0.30.5

{D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object)
DPF name:
CLSID name: Shockwave Flash Object
Installer: C:\WINDOWS\Downloaded Program Files\swflash.inf
Codebase: http://download.macr...ash/swflash.cab
description: Macromedia Shockwave Flash Player
classification: Legitimate
known filename:
info link:
info source: Patrick M. Kolla
Path: C:\WINDOWS\system32\Macromed\Flash\
Long name: Flash9f.ocx
Short name:
Date (created): 25.03.2008 04:32:42
Date (last access): 04.07.2009 17:18:54
Date (last write): 25.03.2008 04:32:42
Filesize: 2991488
Attributes: readonly archive
MD5: 48FDF435B8595604E54125B321924510
CRC32: 12335E29
Version: 9.0.124.0



--- Process list ---
PID: 0 ( 0) [System]
PID: 540 ( 4) \SystemRoot\System32\smss.exe
size: 50688
PID: 612 ( 540) \??\C:\WINDOWS\system32\csrss.exe
size: 6144
PID: 636 ( 540) \??\C:\WINDOWS\system32\winlogon.exe
size: 506880
PID: 680 ( 636) C:\WINDOWS\system32\services.exe
size: 111104
MD5: 6248240BB90F50535277801E2A3F923F
PID: 692 ( 636) C:\WINDOWS\system32\lsass.exe
size: 13312
MD5: 0EAC811F89889A7585BAEDAA4BDD16AF
PID: 848 ( 680) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 2FADE3D461E99941AAA13E0B83385B46
PID: 908 ( 680) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 2FADE3D461E99941AAA13E0B83385B46
PID: 1004 ( 680) C:\WINDOWS\System32\svchost.exe
size: 14336
MD5: 2FADE3D461E99941AAA13E0B83385B46
PID: 1064 ( 680) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 2FADE3D461E99941AAA13E0B83385B46
PID: 1156 ( 680) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 2FADE3D461E99941AAA13E0B83385B46
PID: 1324 ( 680) C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe
size: 18752
MD5: B4253776EE034F6770FCEE32C28490B0
PID: 1340 ( 680) C:\Programfiler\Lavasoft\Ad-Aware\AAWService.exe
size: 1029456
MD5: CC7D978C4F56FB434E841D35788A7F3C
PID: 1388 ( 680) C:\Programfiler\Alwil Software\Avast4\ashServ.exe
size: 138680
MD5: 62889D40A3FB1A9012428E16FE0DC67A
PID: 1656 ( 680) C:\WINDOWS\system32\spoolsv.exe
size: 57856
MD5: 24A34B0CDDA0ADF220C85150F042D4BB
PID: 260 ( 680) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 2FADE3D461E99941AAA13E0B83385B46
PID: 376 ( 680) C:\WINDOWS\system32\nvsvc32.exe
size: 155716
MD5: E9E110CDF6A063A5F9B841C36FB5CC95
PID: 388 ( 680) C:\WINDOWS\system32\PnkBstrA.exe
size: 66872
MD5: A9D6B1E7EF097C7F3B5DC4F56C0E7386
PID: 400 ( 680) C:\WINDOWS\system32\PnkBstrB.exe
size: 107832
MD5: 194B04AD84A4FF7E10188039451221D5
PID: 344 ( 680) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 2FADE3D461E99941AAA13E0B83385B46
PID: 1276 ( 680) C:\Programfiler\Alwil Software\Avast4\ashMaiSv.exe
size: 254040
MD5: F09461C8ECCACE33C271CC229F11E281
PID: 1292 ( 680) C:\Programfiler\Alwil Software\Avast4\ashWebSv.exe
size: 352920
MD5: 23CA3E54474AE5FFDBC0F97B9E1815DB
PID: 1316 ( 848) C:\WINDOWS\system32\wbem\unsecapp.exe
size: 16896
MD5: AC71F604451E6FF9D54C719380AFBD44
PID: 1852 ( 848) C:\WINDOWS\system32\wbem\wmiprvse.exe
size: 227840
MD5: 798A9E6828997EEF4517ADA8A2259831
PID: 1980 ( 680) C:\WINDOWS\System32\alg.exe
size: 44544
MD5: E3915EB1F3D908AE1FDF268E08A45AF6
PID: 2372 (2344) C:\WINDOWS\Explorer.EXE
size: 1033728
MD5: 8059C34B6F4758F678E975665EADFD87
PID: 2692 (2372) C:\Programfiler\Analog Devices\Core\smax4pnp.exe
size: 925696
MD5: 115332A83AC2726FA974D30DB4BFD8DE
PID: 2716 (2372) C:\Programfiler\Analog Devices\SoundMAX\smax4.exe
size: 716800
MD5: F2C53B16FEFD00DC79A15871A5738573
PID: 2896 (2372) C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
size: 81000
MD5: FC242DBD786557AC641726DC5C13F060
PID: 2904 (2372) C:\WINDOWS\system32\RUNDLL32.EXE
size: 33280
MD5: B1D2F529DC72F42C73FB0F48C55E7898
PID: 2912 (2372) C:\Programfiler\Java\jre1.6.0_03\bin\jusched.exe
size: 132496
MD5: D4F0F7437327DBAA264338BAAFB5E5AF
PID: 2928 (2372) C:\Programfiler\Ideazon\ZEngine\Zboard.exe
size: 57344
MD5: 2D451F4D04393013FD53262FC23BDFE1
PID: 2952 (2372) C:\Programfiler\Lavasoft\Ad-Aware\AAWTray.exe
size: 520024
MD5: 2CD3C21B57B2B1E5CC4C82519461C9D2
PID: 2980 (2372) C:\Programfiler\Windows Live\Messenger\MsnMsgr.Exe
size: 5724184
MD5: 6B327AAECAEBB0D8FE78548ACBE52FB3
PID: 3124 (2372) C:\WINDOWS\system32\ctfmon.exe
size: 15360
MD5: DD0A3AC0339D222329CBF9CFE0FE6AA5
PID: 3132 (2372) C:\Programfiler\DNA\btdna.exe
size: 321344
MD5: 7CF68169102EEE1C8C24C0CD495AD5BF
PID: 3144 (2372) C:\Programfiler\mail.com\mcalert.exe
size: 139264
MD5: 608D72BF9C37FA1DB6F638D310625699
PID: 3840 ( 680) C:\Programfiler\Windows Live\Messenger\usnsvc.exe
size: 98328
MD5: 9D19B042A4FD5C02195071EA2FE0C821
PID: 3728 (4080) C:\Programfiler\Trend Micro\HijackThis\HijackThis.exe
size: 396288
MD5: C4CA7416A6DF6D95075F81D9E3B41AD1
PID: 2284 ( 848) C:\Programfiler\Internet Explorer\IEXPLORE.EXE
size: 638816
MD5: B60DDDD2D63CE41CB8C487FCFBB6419E
PID: 2600 (2284) C:\Programfiler\Internet Explorer\IEXPLORE.EXE
size: 638816
MD5: B60DDDD2D63CE41CB8C487FCFBB6419E
PID: 3976 (2284) C:\Programfiler\Internet Explorer\IEXPLORE.EXE
size: 638816
MD5: B60DDDD2D63CE41CB8C487FCFBB6419E
PID: 948 (3156) C:\Programfiler\Spybot - Search & Destroy\TeaTimer.exe
size: 2260480
MD5: 390679F7A217A5E73D756276C40AE887
PID: 3768 (2284) C:\Programfiler\Internet Explorer\IEXPLORE.EXE
size: 638816
MD5: B60DDDD2D63CE41CB8C487FCFBB6419E
PID: 2332 (2372) C:\WINDOWS\system32\NOTEPAD.EXE
size: 69120
MD5: 4E4E104A75B9352A3225FFDC2BDF787D
PID: 768 ( 540) \??\C:\WINDOWS\system32\csrss.exe
size: 6144
PID: 2572 ( 540) \??\C:\WINDOWS\system32\winlogon.exe
size: 506880
PID: 3428 (2764) C:\WINDOWS\Explorer.EXE
size: 1033728
MD5: 8059C34B6F4758F678E975665EADFD87
PID: 1452 (3428) C:\Programfiler\Analog Devices\Core\smax4pnp.exe
size: 925696
MD5: 115332A83AC2726FA974D30DB4BFD8DE
PID: 3528 (3428) C:\Programfiler\Analog Devices\SoundMAX\smax4.exe
size: 716800
MD5: F2C53B16FEFD00DC79A15871A5738573
PID: 1920 (3428) C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
size: 81000
MD5: FC242DBD786557AC641726DC5C13F060
PID: 3752 (3428) C:\WINDOWS\system32\RUNDLL32.EXE
size: 33280
MD5: B1D2F529DC72F42C73FB0F48C55E7898
PID: 3888 (3428) C:\Programfiler\Java\jre1.6.0_03\bin\jusched.exe
size: 132496
MD5: D4F0F7437327DBAA264338BAAFB5E5AF
PID: 2288 (3428) C:\Programfiler\Adobe\Reader 8.0\Reader\Reader_sl.exe
size: 39792
MD5: 8B9145D229D4E89D15ACB820D4A3A90F
PID: 1868 (3428) C:\Programfiler\Ideazon\ZEngine\Zboard.exe
size: 57344
MD5: 2D451F4D04393013FD53262FC23BDFE1
PID: 3372 (3428) C:\Programfiler\Lavasoft\Ad-Aware\AAWTray.exe
size: 520024
MD5: 2CD3C21B57B2B1E5CC4C82519461C9D2
PID: 1024 (3428) C:\WINDOWS\system32\ctfmon.exe
size: 15360
MD5: DD0A3AC0339D222329CBF9CFE0FE6AA5
PID: 3280 (3428) C:\Programfiler\Windows Live\Messenger\msnmsgr.exe
size: 5724184
MD5: 6B327AAECAEBB0D8FE78548ACBE52FB3
PID: 2704 (3428) C:\Programfiler\Messenger\msmsgs.exe
size: 1695232
MD5: 2C94142AD7BA1BA71EDA76190892457E
PID: 3880 (3428) C:\Programfiler\Spybot - Search & Destroy\TeaTimer.exe
size: 2260480
MD5: 390679F7A217A5E73D756276C40AE887
PID: 2788 (3428) C:\Programfiler\mail.com\mcalert.exe
size: 139264
MD5: 608D72BF9C37FA1DB6F638D310625699
PID: 3152 (3112) C:\Programfiler\OpenOffice.org 2.2\program\soffice.exe
size: 2359296
MD5: E5D8FC6EBA1050EA064A0B6E1CCD94FE
PID: 840 (3152) C:\Programfiler\OpenOffice.org 2.2\program\soffice.BIN
size: 2510848
MD5: CE329D7EC1A339B361BADBBA9BE60E6B
PID: 3660 (3428) C:\Programfiler\Spybot - Search & Destroy\SpybotSD.exe
size: 5365592
MD5: 0477C2F9171599CA5BC3307FDFBA8D89
PID: 4 ( 0) System


--- Browser start & search pages list ---
Spybot - Search & Destroy browser pages report, 04.07.2009 18:33:24

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page
C:\WINDOWS\system32\blank.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
http://go.microsoft....k/?LinkId=54896
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.google.com/
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page
C:\WINDOWS\system32\blank.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page
http://go.microsoft....k/?LinkId=54896
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
http://go.microsoft....k/?LinkId=69157
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
http://go.microsoft....k/?LinkId=69157
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://go.microsoft....k/?LinkId=54896
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
http://ie.search.msn...st/srchasst.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
http://ie.search.msn...st/srchcust.htm


--- Winsock Layered Service Provider list ---
Protocol 0: MSAFD Tcpip [TCP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip [*]

Protocol 1: MSAFD Tcpip [UDP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip [*]

Protocol 2: MSAFD Tcpip [RAW/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip [*]

Protocol 3: RSVP UDP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Protocol 4: RSVP TCP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Protocol 5: MSAFD NetBIOS [\Device\NetBT_Tcpip_{F04B1BDF-3462-422F-A295-EE584AA68535}] SEQPACKET 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 6: MSAFD NetBIOS [\Device\NetBT_Tcpip_{F04B1BDF-3462-422F-A295-EE584AA68535}] DATAGRAM 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 7: MSAFD NetBIOS [\Device\NetBT_Tcpip_{C10CF0FB-32A8-4B0D-87D3-23C8D2F47873}] SEQPACKET 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 8: MSAFD NetBIOS [\Device\NetBT_Tcpip_{C10CF0FB-32A8-4B0D-87D3-23C8D2F47873}] DATAGRAM 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 9: MSAFD NetBIOS [\Device\NetBT_Tcpip_{45F7F0C1-1610-4C5F-A6D7-A3A728DF5C9F}] SEQPACKET 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 10: MSAFD NetBIOS [\Device\NetBT_Tcpip_{45F7F0C1-1610-4C5F-A6D7-A3A728DF5C9F}] DATAGRAM 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 11: MSAFD NetBIOS [\Device\NetBT_Tcpip_{4AD4289E-D554-460D-ADC4-A9E01BFDD92E}] SEQPACKET 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 12: MSAFD NetBIOS [\Device\NetBT_Tcpip_{4AD4289E-D554-460D-ADC4-A9E01BFDD92E}] DATAGRAM 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Namespace Provider 0: TCP/IP
GUID: {22059D40-7E9E-11CF-AE5A-00AA00A7112B}
Filename: %SystemRoot%\System32\mswsock.dll
Description: Microsoft Windows NT/2k/XP TCP/IP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: TCP/IP

Namespace Provider 1: NTDS
GUID: {3B2637EE-E580-11CF-A555-00C04FD8D4AC}
Filename: %SystemRoot%\System32\winrnr.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\winrnr.dll
DB protocol: NTDS

Namespace Provider 2: Network Location Awareness Namespace (NLA - Network Location Awareness)
GUID: {6642243A-3BA8-4AA6-BAA5-2E0BD71FDD83}
Filename: %SystemRoot%\System32\mswsock.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: NLA-Namespace





Logfile created: 04.07.2009 13:10:55
Lavasoft Ad-Aware version: 8.0.7
Extended engine version: 8.1
User performing scan: Gatinha

*********************** Definitions database information ***********************
Lavasoft definition file: 148.65
Extended engine definition file: 8.1

******************************** Scan results: *********************************
Scan profile name: Full Scan (ID: full)
Objects scanned: 111741
Objects detected: 52


Type Detected
==========================
Processes.......: 0
Registry entries: 3
Hostfile entries: 0
Files...........: 2
Folders.........: 0
LSPs............: 0
Cookies.........: 47
Browser hijacks.: 0
MRU objects.....: 0



Removed items:
Description: *ad.yieldmanager* Family Name: Cookies Clean status: Success Item ID: 409172 Family ID: 0
Description: *advertis* Family Name: Cookies Clean status: Success Item ID: 408918 Family ID: 0
Description: *advertising* Family Name: Cookies Clean status: Success Item ID: 409017 Family ID: 0
Description: *doubleclick* Family Name: Cookies Clean status: Success Item ID: 408875 Family ID: 0
Description: *fastclick* Family Name: Cookies Clean status: Success Item ID: 408869 Family ID: 0
Description: *linksynergy* Family Name: Cookies Clean status: Success Item ID: 408845 Family ID: 0
Description: *inksynergy* Family Name: Cookies Clean status: Success Item ID: 408995 Family ID: 0
Description: *adserver* Family Name: Cookies Clean status: Success Item ID: 408737 Family ID: 0
Description: *adserv* Family Name: Cookies Clean status: Success Item ID: 408921 Family ID: 0
Description: *adserve* Family Name: Cookies Clean status: Success Item ID: 409020 Family ID: 0
Description: *advertis* Family Name: Cookies Clean status: Success Item ID: 408918 Family ID: 0
Description: *advertising* Family Name: Cookies Clean status: Success Item ID: 409017 Family ID: 0
Description: *atdmt* Family Name: Cookies Clean status: Success Item ID: 408910 Family ID: 0
Description: *adbureau* Family Name: Cookies Clean status: Success Item ID: 409027 Family ID: 0
Description: *sextrack* Family Name: Cookies Clean status: Success Item ID: 408975 Family ID: 0
Description: *sextracker* Family Name: Cookies Clean status: Success Item ID: 409128 Family ID: 0
Description: *doubleclick* Family Name: Cookies Clean status: Success Item ID: 408875 Family ID: 0
Description: *fastclick* Family Name: Cookies Clean status: Success Item ID: 408869 Family ID: 0
Description: *statistik-gallup* Family Name: Cookies Clean status: Success Item ID: 409367 Family ID: 0
Description: *.adform* Family Name: Cookies Clean status: Success Item ID: 409300 Family ID: 0
Description: *.adform* Family Name: Cookies Clean status: Success Item ID: 409300 Family ID: 0
Description: *statistik-gallup* Family Name: Cookies Clean status: Success Item ID: 409367 Family ID: 0
Description: *tradedoubler* Family Name: Cookies Clean status: Success Item ID: 408964 Family ID: 0
Description: *adtech* Family Name: Cookies Clean status: Success Item ID: 409018 Family ID: 0
Description: *mediaplex* Family Name: Cookies Clean status: Success Item ID: 408991 Family ID: 0
Description: *apmebf* Family Name: Cookies Clean status: Success Item ID: 409163 Family ID: 0
Description: *adbureau* Family Name: Cookies Clean status: Success Item ID: 409027 Family ID: 0
Description: *atdmt* Family Name: Cookies Clean status: Success Item ID: 408910 Family ID: 0
Description: *iwon* Family Name: Cookies Clean status: Success Item ID: 408852 Family ID: 0
Description: *doubleclick* Family Name: Cookies Clean status: Success Item ID: 408875 Family ID: 0
Description: *advertis* Family Name: Cookies Clean status: Success Item ID: 408918 Family ID: 0
Description: *advertising* Family Name: Cookies Clean status: Success Item ID: 409017 Family ID: 0
Description: *2o7* Family Name: Cookies Clean status: Success Item ID: 408943 Family ID: 0
Description: *statcounter* Family Name: Cookies Clean status: Success Item ID: 409185 Family ID: 0
Description: *adserver* Family Name: Cookies Clean status: Success Item ID: 408737 Family ID: 0
Description: *adserv* Family Name: Cookies Clean status: Success Item ID: 408921 Family ID: 0
Description: *adserve* Family Name: Cookies Clean status: Success Item ID: 409020 Family ID: 0
Description: *webtrends* Family Name: Cookies Clean status: Success Item ID: 599640 Family ID: 0
Description: *fastclick* Family Name: Cookies Clean status: Success Item ID: 408869 Family ID: 0
Description: *adultfriendfinder* Family Name: Cookies Clean status: Success Item ID: 409164 Family ID: 0
Description: *adopt.euroclick* Family Name: Cookies Clean status: Success Item ID: 409169 Family ID: 0
Description: *ad.yieldmanager* Family Name: Cookies Clean status: Success Item ID: 409172 Family ID: 0
Description: *overture* Family Name: Cookies Clean status: Success Item ID: 408834 Family ID: 0
Description: *specificclick* Family Name: Cookies Clean status: Success Item ID: 408807 Family ID: 0
Description: *serving-sys* Family Name: Cookies Clean status: Success Item ID: 409130 Family ID: 0
Description: *bs.serving-sys* Family Name: Cookies Clean status: Success Item ID: 408902 Family ID: 0
Description: *ad1.emediate* Family Name: Cookies Clean status: Success Item ID: 409299 Family ID: 0
Description: C:\WINDOWS\ponto.DLL Family Name: Win32.Trojan.Agent Clean status: Success Item ID: 178252 Family ID: 936
Description: HKCR:e404.e404mgr.1: Family Name: Win32.Trojan.Agent Clean status: Success Item ID: 9949 Family ID: 936
Description: HKCR:e404.e404mgr: Family Name: Win32.Trojan.Agent Clean status: Success Item ID: 10997 Family ID: 936
Description: HKU:S-1-5-21-1123561945-2111687655-725345543-1004\software\microsoft\windows\currentversion\run:iexplorer Family Name: Win32.Trojan.Agent Clean status: Success Item ID: 29921 Family ID: 936
Description: C:\WINDOWS\system32\iinqyl.dll Family Name: Win32.Trojan.FakeAlert Clean status: Success Item ID: 111975 Family ID: 352

Scan and cleaning complete: Finished correctly after 2001 seconds

*********************************** Settings ***********************************

Scan profile:
ID: full, enabled:1, value: Full Scan
ID: scancriticalareas, enabled:1, value: true
ID: scanrunningapps, enabled:1, value: true
ID: scanregistry, enabled:1, value: true
ID: scanlsp, enabled:1, value: true
ID: scanads, enabled:1, value: true
ID: scanhostsfile, enabled:1, value: true
ID: scanmru, enabled:1, value: true
ID: scanbrowserhijacks, enabled:1, value: true
ID: scantrackingcookies, enabled:1, value: true
ID: closebrowsers, enabled:1, value: false
ID: folderstoscan, enabled:1, value: C:\,D:\
ID: usespywareheuristics, enabled:1, value: true
ID: extendedengine, enabled:0, value: true
ID: useheuristics, enabled:0, value: true
ID: heuristicslevel, enabled:0, value: mild, domain: medium,mild,strict
ID: filescanningoptions, enabled:1
ID: scanrootkits, enabled:1, value: true
ID: archives, enabled:1, value: true
ID: onlyexecutables, enabled:1, value: false
ID: skiplargerthan, enabled:1, value: 20480

Scan global:
ID: global, enabled:1
ID: addtocontextmenu, enabled:1, value: true
ID: playsoundoninfection, enabled:1, value: false

Edited by nasdaq, 04 July 2009 - 12:46 PM.
HijackThis log requested.


#2 TheJoker

    Forum Deity

  • Boot Camp Mod
  • 14,352 posts

Posted 05 July 2009 - 10:50 AM

Hi malefique, and Welcome to SWI

If you still need help, please read the forum FAQ and post a HijackThis log as nasdaq already mentioned and I'll be glad to assist you.

Free Tools for Fighting Malware
Anti-Virus: avast! Free Antivirus / Avira Free AntiVirus
OnLine Anti-Virus: ESET / BitDefender / F-Secure
Anti-Malware: Malwarebytes' Anti-Malware / Dr.Web CureIt
Spyware/Adware Tools: MVPS HOSTS File / SpywareBlaster
Firewall: Comodo Firewall Free / Privatefirewall
Tutorials: How did I get Infected? / Internet Explorer Privacy & Security Settings
If we have helped, please help us continue the fight by using the Donate button, or see this topic for other ways to donate.

MS MVP 2009-2010 and ASAP Member since 2005


#3 malefique

    Member

  • Full Member
  • 10 posts

Posted 05 July 2009 - 03:31 PM

I did actually paste one in but it might have gotten scrubbed

here is a new one

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:30:18, on 05.07.2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe
C:\Programfiler\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\svchost.exe
C:\Programfiler\Alwil Software\Avast4\ashMaiSv.exe
C:\Programfiler\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Programfiler\Analog Devices\Core\smax4pnp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Programfiler\Java\jre1.6.0_03\bin\jusched.exe
C:\Programfiler\Ideazon\ZEngine\Zboard.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programfiler\DNA\btdna.exe
C:\Programfiler\Spybot - Search & Destroy\TeaTimer.exe
C:\Programfiler\Windows Live\Messenger\usnsvc.exe
C:\Programfiler\mail.com\mcalert.exe
C:\Programfiler\Windows Live\Messenger\msnmsgr.exe
C:\Programfiler\Internet Explorer\iexplore.exe
C:\Programfiler\Internet Explorer\iexplore.exe
C:\Programfiler\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.no/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Fellesfiler\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Programfiler\AskBarDis\bar\bin\askBar.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programfiler\Fellesfiler\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Programfiler\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Programfiler\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Programfiler\Analog Devices\SoundMAX\smax4.exe" /tray
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programfiler\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programfiler\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ExtraFilmHemmaAgent] "C:\Programfiler\ExtraFilm at Home\Agent.exe"
O4 - HKLM\..\Run: [Zboard] C:\Programfiler\Ideazon\ZEngine\Zboard.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Ad-Watch] C:\Programfiler\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programfiler\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [CurseClient] C:\Programfiler\Curse\CurseClient.exe -silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [iexplorerskut] C:\WINDOWS\system32\dllhostc.exe
O4 - HKCU\..\Run: [ashservecie] C:\WINDOWS\system32\ashservec.exe
O4 - HKCU\..\Run: [explorer] C:\WINDOWS\systemq.exe
O4 - HKCU\..\Run: [twumk.exe] C:\WINDOWS\system32\twumk.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Programfiler\DNA\btdna.exe"
O4 - HKCU\..\Run: [Mail.com] C:\Programfiler\mail.com\mcalert.exe -auto
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programfiler\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [Shockwave Updater] C:\WINDOWS\system32\Adobe\SHOCKW~1\SWHELP~1.EXE -Update -1100465 -"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Embedded Web Browser from: http://bsalsa.com/; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.0.04506.30)" -"http://www.cartoonne...me_02_ext.html"
O4 - S-1-5-18 Startup: 3DO - Might and Magic VII Registration.lnk = D:\Programfiler\3DO\Might and Magic VII\Register\Remind32.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: OpenOffice.org 2.2.lnk = C:\Programfiler\OpenOffice.org 2.2\program\quickstart.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: 3DO - Might and Magic VII Registration.lnk = D:\Programfiler\3DO\Might and Magic VII\Register\Remind32.exe (User 'Default user')
O4 - .DEFAULT Startup: OpenOffice.org 2.2.lnk = C:\Programfiler\OpenOffice.org 2.2\program\quickstart.exe (User 'Default user')
O4 - Startup: 3DO - Might and Magic VII Registration.lnk = D:\Programfiler\3DO\Might and Magic VII\Register\Remind32.exe
O4 - Startup: OpenOffice.org 2.2.lnk = C:\Programfiler\OpenOffice.org 2.2\program\quickstart.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Cleaner - {CCF00E14-7C5E-4420-9BF3-AA4809CFAA13} - C:\Programfiler\ClickClean\ClickClean.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.appl...ex/qtplugin.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail....es/MSNPUpld.cab
O16 - DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} (Image Uploader Control) - http://www.extrafilm...geUploader5.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programfiler\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programfiler\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programfiler\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Programfiler\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

--
End of file - 8426 bytes

#4 TheJoker

    Forum Deity

  • Boot Camp Mod
  • 14,352 posts

Posted 05 July 2009 - 04:12 PM

Your log was probably cut off by the maximum post length.

One or more of the items you need to remove is a backdoor application that can allow attackers to access your computer, specifically to steal banking information. I highly recommend that, from a clean, uninfected system, you immediately change all the passwords on any systems you access from this system. If you do any on-line banking, or store any financial information on this system, you should immediately call your financial institution and advise them of the situation so you can secure your accounts.

Though the Trojan has been identified and can be killed, because of its backdoor functionality your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. If it were on my PC I would not hesitate for a moment to do so. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

Should you decide not to follow that advice, we will of course do our best to clean the computer of any infections that we can see but, as I already stated, we can in no way guarantee it to be trustworthy.

If you want to continue to clean the system:

I suggest printing out each set of instructions and reading the entire post before proceeding. It will make following them easier. Please follow the directions in the order listed.

I notice that you have Spybot's TeaTimer running. While this is normally a wonderful tool to protect against hijackers, it can also interfere with HijackThis fixes. So please disable TeaTimer by doing the following:
1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts

When everything is done and your log is clean again, you can enable it again.
If TeaTimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.
Please don't forget this step to disable teatimer.

Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Click the "Delete Cookies" button
  • Next to it, Click the "Delete Files" button
  • When prompted, place a check in: "Delete all offline content", click OK
Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu on the left side of the Options window.
  • Click the Clear button located to the right of each option (History, Cookies, Private Data).
  • Click OK to close the Options window
    Alternatively, you can clear all information stored while browsing by clicking Clear All.
    A confirmation dialog box will be shown before clearing the information.
Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
I recommend you uninstall the questionable Ask Toolbar; it was likely installed with another program and you didn't see the notice that it was an optional component at the start of the install process. Many programs (even widely known legitimate programs) have toolbars as optional bundled installs these days because they get money from the business relationship. You can read more about Ask.com here.

If you uninstalled the Ask Toolbar as recommended, using Windows Explorer delete the following folder if still there:
C:\Program Files\AskBarDis

I have run ATF-cleaner, spybot S&D, Adaware(not resident) , AVAST(resident), MAM

I think you meant MBAM.

Please Run Malwarebytes' Anti-Malware.
  • Click the Update tab.
  • Click Check for Updates.
  • If an update is found, it will download and install.
  • Click the Scanner tab.
  • Select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply along with a fresh HijackThis log.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


In Internet Explorer, please run the BitDefender online scan at BitDefender.com
You will need to allow an ActiveX control to install for the scan to run.
Leave the scanning options at default and press "click here to scan"
When finished scanning, click on "click here to export the scan report"
Save it to your desktop, at "file name" type in "bdscan" then click save.
Please post the log in your next reply.

Now you need to run HijackThis and click "Do a system scan only." Place a check next to the following entries (if they are still there):

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKCU\..\Run: [iexplorerskut] C:\WINDOWS\system32\dllhostc.exe
O4 - HKCU\..\Run: [ashservecie] C:\WINDOWS\system32\ashservec.exe
O4 - HKCU\..\Run: [explorer] C:\WINDOWS\systemq.exe
O4 - HKCU\..\Run: [twumk.exe] C:\WINDOWS\system32\twumk.exe
O4 - HKCU\..\RunOnce: [Shockwave Updater] C:\WINDOWS\system32\Adobe\SHOCKW~1\SWHELP~1.EXE -Update -1100465 -"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Embedded Web Browser from: http://bsalsa.com/; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.0.04506.30)" -"http://www.cartoonne...me_02_ext.html"


If you uninstalled the Ask Toolbar as recommended, also check (if still there):
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Programfiler\AskBarDis\bar\bin\askBar.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Programfiler\AskBarDis\bar\bin\askBar.dll


You can optionally check these registration reminders as they are not needed for the proper running of your system, but I recommend you follow through with the registration:
O4 - S-1-5-18 Startup: 3DO - Might and Magic VII Registration.lnk = D:\Programfiler\3DO\Might and Magic VII\Register\Remind32.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: 3DO - Might and Magic VII Registration.lnk = D:\Programfiler\3DO\Might and Magic VII\Register\Remind32.exe (User 'Default user')
O4 - Startup: 3DO - Might and Magic VII Registration.lnk = D:\Programfiler\3DO\Might and Magic VII\Register\Remind32.exe


Now close all browser and other windows except for HijackThis, and click "Fix Checked" to have HijackThis fix the entries you checked.

Using Windows Explorer, locate the following files, and delete them (if still there):
C:\WINDOWS\system32\dllhostc.exe
C:\WINDOWS\system32\ashservec.exe
C:\WINDOWS\systemq.exe
C:\WINDOWS\system32\twumk.exe

Please go to VirusTotal and submit the following files for a scan and post the detection results (I don't need the "additional information") in your next reply:
C:\Programfiler\ExtraFilm at Home\Agent.exe
C:\Programfiler\ClickClean\ClickClean.exe

Is ClickClean this program?
http://www.soft-go.c...lean_58090.html
Even if it is, please do the scan anyway and post the results. It will help others identify the program later.

Please post a new HijackThis log, the log from MBAM and the log from BitDefender, and then, so that hopefully nothing is cut off by the maximum post length, post the results from scanning the two files at VirusTotal in a second reply, and note any errors encountered.

Free Tools for Fighting Malware
Anti-Virus: avast! Free Antivirus / Avira Free AntiVirus
OnLine Anti-Virus: ESET / BitDefender / F-Secure
Anti-Malware: Malwarebytes' Anti-Malware / Dr.Web CureIt
Spyware/Adware Tools: MVPS HOSTS File / SpywareBlaster
Firewall: Comodo Firewall Free / Privatefirewall
Tutorials: How did I get Infected? / Internet Explorer Privacy & Security Settings
If we have helped, please help us continue the fight by using the Donate button, or see this topic for other ways to donate.

MS MVP 2009-2010 and ASAP Member since 2005


#5 malefique

malefique

    Member

  • Full Member
  • 10 posts

Posted 06 July 2009 - 04:03 AM

if I misunderstood you correctly you say that even though doing all this we'll never know and that reformatting should be best choice? :)

#6 malefique

malefique

    Member

  • Full Member
  • 10 posts

Posted 06 July 2009 - 04:07 AM

File ClickClean.exe received on 2009.07.06 09:09:44 (UTC)


Result: 0/41 (0%)


Antivirus Version Last Update Result
a-squared 4.5.0.18 2009.07.06 -
AhnLab-V3 5.0.0.2 2009.07.06 -
AntiVir 7.9.0.204 2009.07.06 -
Antiy-AVL 2.0.3.1 2009.07.06 -
Authentium 5.1.2.4 2009.07.05 -
Avast 4.8.1335.0 2009.07.05 -
AVG 8.5.0.386 2009.07.05 -
BitDefender 7.2 2009.07.06 -
CAT-QuickHeal 10.00 2009.07.06 -
ClamAV 0.94.1 2009.07.03 -
Comodo 1538 2009.07.02 -
DrWeb 5.0.0.12182 2009.07.06 -
eSafe 7.0.17.0 2009.07.02 -
eTrust-Vet 31.6.6596 2009.07.03 -
F-Prot 4.4.4.56 2009.07.05 -
F-Secure 8.0.14470.0 2009.07.06 -
Fortinet 3.117.0.0 2009.07.03 -
GData 19 2009.07.06 -
Ikarus T3.1.1.64.0 2009.07.06 -
Jiangmin 11.0.706 2009.07.06 -
K7AntiVirus 7.10.783 2009.07.03 -
Kaspersky 7.0.0.125 2009.07.06 -
McAfee 5667 2009.07.05 -
McAfee+Artemis 5667 2009.07.05 -
McAfee-GW-Edition 6.8.5 2009.07.06 -
Microsoft 1.4803 2009.07.06 -
NOD32 4219 2009.07.05 -
Norman 6.01.09 2009.07.04 -
nProtect 2009.1.8.0 2009.07.05 -
Panda 10.0.0.14 2009.07.06 -
PCTools 4.4.2.0 2009.07.05 -
Prevx 3.0 2009.07.06 -
Rising 21.37.01.00 2009.07.06 -
Sophos 4.43.0 2009.07.06 -
Sunbelt 3.2.1858.2 2009.07.05 -
Symantec 1.4.4.12 2009.07.06 -
TheHacker 6.3.4.3.362 2009.07.04 -
TrendMicro 8.950.0.1094 2009.07.06 -
VBA32 3.12.10.7 2009.07.06 -
ViRobot 2009.7.6.1819 2009.07.06 -
VirusBuster 4.6.5.0 2009.07.05 -


I did the ClickClean scan as you requested, though is this the proper report?

#7 TheJoker

TheJoker

    Forum Deity

  • Boot Camp Mod
  • 14,352 posts

Posted 06 July 2009 - 05:00 AM

if I misunderstood you correctly you say that even though doing all this we'll never know and that reformatting should be best choice? :)

Reformatting would be the most secure choice and is the way I would deal with this if it was my own system.
While we could clean the system and remove the trojan, we would never be sure what other changes were made to your system.

I would also recommend installing a good software firewall. Two excellent free firewalls are Outpost Firewall Free or Online Armor Free. Either one would be a good choice. There is a tutorial on understanding firewalls at http://www.bleepingc...tutorial60.html and a tutorial for Outpost Free at http://www.outpostfi...9658#post179658.



#8 malefique

malefique

    Member

  • Full Member
  • 10 posts

Posted 06 July 2009 - 08:31 AM

Reformatting is sound advice, but sadly I can't find my CDs >< so I'll do it the hard way, and hopefully buy myself a new computer shortly anyway.

#9 malefique

malefique

    Member

  • Full Member
  • 10 posts

Posted 06 July 2009 - 11:50 AM

let's see ^^

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:43:46, on 06.07.2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe
C:\Programfiler\Lavasoft\Ad-Aware\AAWService.exe
C:\Programfiler\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\svchost.exe
C:\Programfiler\Alwil Software\Avast4\ashMaiSv.exe
C:\Programfiler\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Programfiler\Analog Devices\Core\smax4pnp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Programfiler\Java\jre1.6.0_03\bin\jusched.exe
C:\Programfiler\Ideazon\ZEngine\Zboard.exe
C:\Programfiler\Lavasoft\Ad-Aware\AAWTray.exe
C:\Programfiler\Windows Live\Messenger\MsnMsgr.Exe
C:\Programfiler\Curse\CurseClient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programfiler\mail.com\mcalert.exe
C:\Programfiler\Windows Live\Messenger\usnsvc.exe
C:\Programfiler\Internet Explorer\IEXPLORE.EXE
C:\Programfiler\Internet Explorer\IEXPLORE.EXE
C:\Programfiler\Malwarebytes' Anti-Malware\mbam.exe
C:\Programfiler\Internet Explorer\IEXPLORE.EXE
C:\Programfiler\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.no/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Koblingshjelpeprogram for Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Fellesfiler\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Påloggingshjelp for Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programfiler\Fellesfiler\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Programfiler\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Programfiler\Analog Devices\SoundMAX\smax4.exe" /tray
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programfiler\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programfiler\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ExtraFilmHemmaAgent] "C:\Programfiler\ExtraFilm at Home\Agent.exe"
O4 - HKLM\..\Run: [Zboard] C:\Programfiler\Ideazon\ZEngine\Zboard.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Ad-Watch] C:\Programfiler\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programfiler\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [CurseClient] C:\Programfiler\Curse\CurseClient.exe -silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [iexplorerskut] C:\WINDOWS\system32\dllhostc.exe
O4 - HKCU\..\Run: [ashservecie] C:\WINDOWS\system32\ashservec.exe
O4 - HKCU\..\Run: [twumk.exe] C:\WINDOWS\system32\twumk.exe
O4 - HKCU\..\Run: [Mail.com] C:\Programfiler\mail.com\mcalert.exe -auto
O4 - HKCU\..\RunOnce: [Shockwave Updater] C:\WINDOWS\system32\Adobe\SHOCKW~1\SWHELP~1.EXE -Update -1100465 -"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Embedded Web Browser from: http://bsalsa.com/; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.0.04506.30)" -"http://www.cartoonne...me_02_ext.html"
O4 - S-1-5-18 Startup: 3DO - Might and Magic VII Registration.lnk = D:\Programfiler\3DO\Might and Magic VII\Register\Remind32.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: OpenOffice.org 2.2.lnk = C:\Programfiler\OpenOffice.org 2.2\program\quickstart.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: 3DO - Might and Magic VII Registration.lnk = D:\Programfiler\3DO\Might and Magic VII\Register\Remind32.exe (User 'Default user')
O4 - .DEFAULT Startup: OpenOffice.org 2.2.lnk = C:\Programfiler\OpenOffice.org 2.2\program\quickstart.exe (User 'Default user')
O4 - Startup: 3DO - Might and Magic VII Registration.lnk = D:\Programfiler\3DO\Might and Magic VII\Register\Remind32.exe
O4 - Startup: OpenOffice.org 2.2.lnk = C:\Programfiler\OpenOffice.org 2.2\program\quickstart.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.appl...ex/qtplugin.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail....es/MSNPUpld.cab
O16 - DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} (Image Uploader Control) - http://www.extrafilm...geUploader5.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programfiler\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programfiler\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programfiler\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Programfiler\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

--
End of file - 8412 bytes

MBAM

Malwarebytes' Anti-Malware 1.38
Database version: 2371
Windows 5.1.2600 Service Pack 3

06.07.2009 17:41:47
mbam-log-2009-07-06 (17-41-47).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 154218
Time elapsed: 48 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


BitDefender Online Scanner - Real Time Virus Report

Generated at: Mon, Jul 06, 2009 - 18:50:20

--------------------------------------------------------------------------------

Scan Info

Scanned Files: 2512
Infected Files: 0

Virus Detected

No virus found.

--------------------------------------------------------------------------------

This summary of the scan process will be used by the BitDefender Antivirus Lab to create aggregate statistics about virus activity around the world.

#10 malefique

malefique

    Member

  • Full Member
  • 10 posts

Posted 06 July 2009 - 11:55 AM

I posted the scan of clickclean.exe above, before the logs, but I can't seem to find the second one anymore ^^
C:\Programfiler\ExtraFilm at Home\Agent.exe
I did a killing spree in Add/Remove Programs in Windows, though, so that might be it.

#11 malefique

malefique

    Member

  • Full Member
  • 10 posts

Posted 06 July 2009 - 12:00 PM

And here is the latest HijackThis log, after I have done your checklist:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:59:54, on 06.07.2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe
C:\Programfiler\Lavasoft\Ad-Aware\AAWService.exe
C:\Programfiler\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\svchost.exe
C:\Programfiler\Alwil Software\Avast4\ashMaiSv.exe
C:\Programfiler\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Programfiler\Analog Devices\Core\smax4pnp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Programfiler\Java\jre1.6.0_03\bin\jusched.exe
C:\Programfiler\Ideazon\ZEngine\Zboard.exe
C:\Programfiler\Lavasoft\Ad-Aware\AAWTray.exe
C:\Programfiler\Windows Live\Messenger\MsnMsgr.Exe
C:\Programfiler\Curse\CurseClient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programfiler\mail.com\mcalert.exe
C:\Programfiler\Windows Live\Messenger\usnsvc.exe
C:\Programfiler\Trend Micro\HijackThis\HijackThis.exe
C:\Programfiler\Internet Explorer\iexplore.exe
C:\Programfiler\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.no/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: Koblingshjelpeprogram for Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Fellesfiler\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Påloggingshjelp for Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programfiler\Fellesfiler\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Programfiler\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Programfiler\Analog Devices\SoundMAX\smax4.exe" /tray
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programfiler\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programfiler\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ExtraFilmHemmaAgent] "C:\Programfiler\ExtraFilm at Home\Agent.exe"
O4 - HKLM\..\Run: [Zboard] C:\Programfiler\Ideazon\ZEngine\Zboard.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Ad-Watch] C:\Programfiler\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programfiler\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [CurseClient] C:\Programfiler\Curse\CurseClient.exe -silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Mail.com] C:\Programfiler\mail.com\mcalert.exe -auto
O4 - S-1-5-18 Startup: OpenOffice.org 2.2.lnk = C:\Programfiler\OpenOffice.org 2.2\program\quickstart.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: OpenOffice.org 2.2.lnk = C:\Programfiler\OpenOffice.org 2.2\program\quickstart.exe (User 'Default user')
O4 - Startup: OpenOffice.org 2.2.lnk = C:\Programfiler\OpenOffice.org 2.2\program\quickstart.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.appl...ex/qtplugin.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail....es/MSNPUpld.cab
O16 - DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} (Image Uploader Control) - http://www.extrafilm...geUploader5.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programfiler\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programfiler\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programfiler\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Programfiler\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

--
End of file - 7184 bytes
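The two HijackThis logs above (18:43 before "Fix Checked", 18:59 after it) are compared by eye in this thread. The script below is an added example, not part of the original posts or of HijackThis itself: it parses the R/O sections of a HijackThis log, diffs a before and an after scan so you can confirm exactly which entries disappeared and that nothing new re-spawned, lists the "(no file)" orphans, and flags O4 autoruns whose executable name is a near-miss of a trusted name (ashservec.exe next to avast's real ashServ.exe, dllhostc.exe next to Windows' dllhost.exe), which is the pattern of the entries removed here. The sample logs embedded in it are constructed, abridged excerpts of the two logs posted above, and the list of core Windows binaries it uses as a baseline is an assumption, not something the thread provides.

```python
"""Parse HijackThis logs, diff a before/after pair, and flag orphans and lookalike names."""
import difflib
import re
from dataclasses import dataclass

# Constructed sample: abridged excerpts of the two HijackThis logs posted above
# (the 18:43 scan before "Fix Checked" and the 18:59 scan after it).
BEFORE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [iexplorerskut] C:\WINDOWS\system32\dllhostc.exe
O4 - HKCU\..\Run: [ashservecie] C:\WINDOWS\system32\ashservec.exe
O4 - HKCU\..\Run: [twumk.exe] C:\WINDOWS\system32\twumk.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programfiler\Alwil Software\Avast4\ashServ.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
"""

AFTER_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programfiler\Alwil Software\Avast4\ashServ.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
"""

# Assumed baseline of core Windows binaries that malware likes to imitate by name.
# This list is the example's own assumption; extend it for your environment.
KNOWN_WINDOWS_BINARIES = {
    "smss.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe",
    "spoolsv.exe", "explorer.exe", "ctfmon.exe", "rundll32.exe", "dllhost.exe",
}

HJT_LINE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.*)$")
EXE_NAME = re.compile(r'([^\\/"\s\[\]]+\.exe)\b', re.IGNORECASE)


@dataclass(frozen=True)
class Entry:
    kind: str   # HijackThis section code: R0..R3, O2, O4, O23, ...
    body: str   # text after the "O4 - " prefix
    line: str   # whole normalised line, used as identity when diffing


def parse_hjt(text):
    """Return the R/F/N/O entries of a HijackThis log; header and process list are skipped."""
    entries = []
    for raw in text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2), raw.strip()))
    return entries


def executable_name(entry):
    """Lower-cased basename of the first .exe named in the entry, or None."""
    m = EXE_NAME.search(entry.body)
    return m.group(1).lower() if m else None


def diff_logs(before, after):
    """Entries that disappeared and entries that are new, compared by exact line."""
    before_lines = {e.line for e in before}
    after_lines = {e.line for e in after}
    removed = [e for e in before if e.line not in after_lines]
    added = [e for e in after if e.line not in before_lines]
    return removed, added


def orphans(entries):
    """Hooks/BHOs/toolbars whose registered file is gone: leftover registry clutter."""
    return [e for e in entries if "(no file)" in e.body]


def lookalikes(entries, threshold=0.85):
    """O4 autoruns whose executable name nearly, but not exactly, matches a trusted name.

    Trusted names are the assumed Windows baseline plus every service binary (O23) that
    the same log lists, so ashservec.exe is measured against avast's own ashServ.exe.
    Returns (entry, closest_trusted_name) pairs."""
    trusted = set(KNOWN_WINDOWS_BINARIES)
    for e in entries:
        if e.kind == "O23":
            name = executable_name(e)
            if name:
                trusted.add(name)
    hits = []
    for e in entries:
        if e.kind != "O4":
            continue
        name = executable_name(e)
        if name is None or name in trusted:
            continue
        best = max(sorted(trusted),
                   key=lambda t: difflib.SequenceMatcher(None, name, t).ratio())
        if difflib.SequenceMatcher(None, name, best).ratio() >= threshold:
            hits.append((e, best))
    return hits


if __name__ == "__main__":
    before, after = parse_hjt(BEFORE_LOG), parse_hjt(AFTER_LOG)
    removed, added = diff_logs(before, after)
    print(f"{len(removed)} entries removed, {len(added)} new entries")
    for e in removed:
        print("  -", e.line)
    for e in added:
        print("  +", e.line)
    for e in orphans(after):
        print("still orphaned:", e.line)
    for e, t in lookalikes(after):
        print(f"lookalike: {executable_name(e)} ~ {t}: {e.line}")
```

Run it against two saved logs by reading them into BEFORE_LOG and AFTER_LOG; an empty "new entries" list after a reboot is the check that the HKCU Run values did not get re-created by something still running, which a single clean scan cannot tell you.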

#12 TheJoker

TheJoker

    Forum Deity

  • Boot Camp Mod
  • 14,352 posts

Posted 06 July 2009 - 05:05 PM

Download ComboFix© by sUBs from one of these locations:

http://download.blee...Bs/ComboFix.exe
http://www.forospywa...Bs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Familiarize yourself with ComboFix before running it:
http://www.bleepingc...to-use-combofix

  • Disable your AntiVirus and any AntiSpyware programs you may be running (usually via a right click on the System Tray icon) to prevent them from interfering.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware. There are some difficult to remove infections that will only be fixed if you have the Recovery Console installed.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware. When finished, it will save a log.
Please include the contents of the log at C:\ComboFix.txt in your next reply.

Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • In the drop down box labeled Files of type change the type to Text file.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Please post a new HijackThis log, the log from Kaspersky's online scan, and in a second reply (due to length) the log from ComboFix (combofix.txt), and note any errors encountered.



#13 malefique

malefique

    Member

  • Full Member
  • 10 posts

Posted 07 July 2009 - 12:52 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:51:30, on 07.07.2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe
C:\Programfiler\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\svchost.exe
C:\Programfiler\Analog Devices\Core\smax4pnp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Programfiler\Java\jre1.6.0_03\bin\jusched.exe
C:\Programfiler\Ideazon\ZEngine\Zboard.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programfiler\mail.com\mcalert.exe
C:\Programfiler\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\explorer.exe
C:\Programfiler\Alwil Software\Avast4\ashMaiSv.exe
C:\Programfiler\Alwil Software\Avast4\ashWebSv.exe
C:\Programfiler\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.no/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: Koblingshjelpeprogram for Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Fellesfiler\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {201f27d4-3704-41d6-89c1-aa35e39143ed} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Påloggingshjelp for Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programfiler\Fellesfiler\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Programfiler\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programfiler\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programfiler\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Zboard] C:\Programfiler\Ideazon\ZEngine\Zboard.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Ad-Watch] C:\Programfiler\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [OutpostMonitor] C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe /tray /noservice
O4 - HKLM\..\Run: [OutpostFeedBack] "C:\Programfiler\Agnitum\Outpost Firewall\feedback.exe" /dump:os_startup
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programfiler\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [CurseClient] C:\Programfiler\Curse\CurseClient.exe -silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Mail.com] C:\Programfiler\mail.com\mcalert.exe -auto
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programfiler\Spybot - Search & Destroy\TeaTimer.exe
O4 - S-1-5-18 Startup: OpenOffice.org 2.2.lnk = C:\Programfiler\OpenOffice.org 2.2\program\quickstart.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: OpenOffice.org 2.2.lnk = C:\Programfiler\OpenOffice.org 2.2\program\quickstart.exe (User 'Default user')
O4 - Startup: OpenOffice.org 2.2.lnk = C:\Programfiler\OpenOffice.org 2.2\program\quickstart.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.appl...ex/qtplugin.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail....es/MSNPUpld.cab
O16 - DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} (Image Uploader Control) - http://www.extrafilm...geUploader5.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O23 - Service: Agnitum Client Security Service (acssrv) - Agnitum Ltd. - C:\PROGRA~1\Agnitum\OUTPOS~1\acs.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programfiler\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programfiler\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programfiler\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Programfiler\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

--
End of file - 7281 bytes


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Tuesday, July 7, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Tuesday, July 07, 2009 12:26:04
Records in database: 2436405
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Files scanned: 61346
Threat name: 0
Infected objects: 0
Suspicious objects: 0
Duration of the scan: 00:46:48

No malware has been detected. The scan area is clean.

The selected area was scanned.

#14 malefique
Member (Full Member, 10 posts)

Posted 07 July 2009 - 12:56 PM

ComboFix got 1 error: it couldn't download the Microsoft Recovery Console and just gave this error:
Internal Error failed to enumerate download path

I ran ComboFix 2 times, 1 before Kaspersky etc. and 1 after ^^

1st log

ComboFix 09-07-06.02 - sjef 07.07.2009 12:09.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.47.1044.18.1023.690 [GMT 2:00]
Running from: c:\documents and settings\sjef\Mine dokumenter\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090706-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: Outpost Firewall *disabled* {8A20CA2A-9E02-4A64-923B-0A38208EB7FD}

WARNING - THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\sjef\Abn.gpc, Cef.gpc, gbieh.gmd, gbiehuni.dll , GBIEHCEF.DLL , gbiehabn.dll, gbpdist.dll', PChar('Abn.gpc, Cef.gpc, gbieh.gmd, gbiehuni.dll , GBIEHCEF.DLL , gbiehabn.dll, gbpdist.dll
c:\documents and settings\sjef\Abn.gpc, Cef.gpc, gbieh.gmd, gbiehuni.dll , GBIEHCEF.DLL , gbiehabn.dll, gbpdist.dll', PChar('Abn.gpc, Cef.gpc, gbieh.gmd, gbiehuni.dll , GBIEHCEF.DLL , gbiehabn.dll, gbpdist.dll\desktop.ini
c:\documents and settings\sjef\Abn.gpc, Cef.gpc, gbieh.gmd, gbiehuni.dll , GBIEHCEF.DLL , gbiehabn.dll, gbpdist.dll', PChar('Abn.gpc, Cef.gpc, gbieh.gmd, gbiehuni.dll , GBIEHCEF.DLL , gbiehabn.dll, gbpdist.dll\LegitCheckControl.inf
c:\documents and settings\sjef\Abn.gpc, Cef.gpc, gbieh.gmd, gbiehuni.dll , GBIEHCEF.DLL , gbiehabn.dll, gbpdist.dll', PChar('Abn.gpc, Cef.gpc, gbieh.gmd, gbiehuni.dll , GBIEHCEF.DLL , gbiehabn.dll, gbpdist.dll\swflash.inf
c:\programfiler\Helper
c:\windows\Installer\154d49f.msi
c:\windows\Installer\154d4a0.msp
c:\windows\Installer\154d4a1.msp
c:\windows\Installer\154d4a2.msp
c:\windows\Installer\154d4a3.msp
c:\windows\Installer\154d4a4.msp
c:\windows\Installer\154d4a5.msp
c:\windows\Installer\154d4a6.msp
c:\windows\Installer\154d4a7.msp
c:\windows\Installer\154d4a8.msp
c:\windows\Installer\f42b34.msp
c:\windows\Installer\f42b35.msp
c:\windows\Installer\f42b36.msp
c:\windows\Installer\f42b37.msp
c:\windows\Installer\f42b38.msp
c:\windows\Installer\f42b39.msp
c:\windows\Installer\f42b3a.msp
c:\windows\Installer\f42b3b.msp
c:\windows\Installer\f42b3c.msp
c:\windows\system32\Prefetchxs

.
((((((((((((((((((((((((((( Files Created From 2009-06-07 to 2009-07-07 )))))))))))))))))))))))))))))))))
.

2009-07-06 17:03 . 2009-04-06 09:37 704384 ----a-w- c:\windows\system32\drivers\SandBox.sys
2009-07-06 17:03 . 2009-02-10 14:15 257432 ----a-w- c:\windows\system32\drivers\afwcore.sys
2009-07-06 17:02 . 2009-02-18 15:30 31128 ----a-w- c:\windows\system32\drivers\afw.sys
2009-07-06 17:01 . 2009-07-06 17:01 -------- d-----w- c:\programfiler\Agnitum
2009-07-06 17:01 . 2009-07-06 17:01 -------- d-----w- c:\documents and settings\All Users\Programdata\Agnitum
2009-07-06 13:35 . 2009-07-06 16:46 -------- d-----w- c:\windows\BDOSCAN8
2009-07-06 05:54 . 2009-07-06 05:54 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-07-04 16:31 . 2009-07-04 16:31 -------- d-sh--w- c:\documents and settings\Gatinha\IECompatCache
2009-07-04 16:31 . 2009-07-04 16:31 -------- d-sh--w- c:\documents and settings\Gatinha\PrivacIE
2009-07-04 16:30 . 2009-07-04 16:30 -------- d-sh--w- c:\documents and settings\Gatinha\IETldCache
2009-07-04 16:26 . 2009-07-04 16:26 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-07-04 14:31 . 2009-07-04 14:31 -------- d-sh--w- c:\documents and settings\sjef\PrivacIE
2009-07-04 14:31 . 2009-07-04 14:31 -------- d-sh--w- c:\documents and settings\sjef\IECompatCache
2009-07-04 14:30 . 2009-07-04 14:30 -------- d-----w- c:\programfiler\Trend Micro
2009-07-04 14:27 . 2009-07-04 14:27 -------- d-sh--w- c:\documents and settings\sjef\IETldCache
2009-07-04 14:24 . 2009-06-02 10:12 102912 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-07-04 14:24 . 2009-07-04 14:24 -------- d-----w- c:\windows\ie8updates
2009-07-04 14:23 . 2009-04-30 21:18 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-07-04 14:23 . 2009-04-30 21:17 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-07-04 14:23 . 2009-07-04 14:23 -------- dc-h--w- c:\windows\ie8
2009-07-04 14:11 . 2009-07-04 14:11 -------- d-----w- c:\documents and settings\sjef\Programdata\Malwarebytes
2009-07-04 12:33 . 2009-07-04 12:33 -------- d-----w- c:\documents and settings\Gatinha\Programdata\Malwarebytes
2009-07-04 12:33 . 2009-06-17 09:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-04 12:33 . 2009-07-04 12:33 -------- d-----w- c:\documents and settings\All Users\Programdata\Malwarebytes
2009-07-04 12:33 . 2009-07-04 12:33 -------- d-----w- c:\programfiler\Malwarebytes' Anti-Malware
2009-07-04 12:33 . 2009-06-17 09:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-04 12:31 . 2009-07-04 12:31 -------- d-----w- c:\programfiler\mail.com
2009-07-04 11:58 . 2009-07-04 12:02 -------- d-----w- c:\programfiler\Spybot - Search & Destroy
2009-07-04 11:58 . 2009-07-04 12:02 -------- d-----w- c:\documents and settings\All Users\Programdata\Spybot - Search & Destroy
2009-07-04 11:56 . 2009-07-04 11:05 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-07-04 11:03 . 2009-07-04 11:08 -------- dc-h--w- c:\documents and settings\All Users\Programdata\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-07-04 11:03 . 2009-03-12 08:17 2902048 -c--a-w- c:\documents and settings\All Users\Programdata\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}\Ad-AwareAE.exe
2009-07-04 11:03 . 2009-07-04 11:05 -------- d-----w- c:\documents and settings\All Users\Programdata\Lavasoft
2009-07-04 11:03 . 2009-07-04 11:03 -------- d-----w- c:\programfiler\Lavasoft
2009-06-22 05:54 . 2009-06-22 05:54 -------- d-----w- c:\documents and settings\NetworkService\Lokale innstillinger\Programdata\Apple
2009-06-10 14:54 . 2009-06-10 14:54 -------- d-----w- c:\documents and settings\Gatinha\Lokale innstillinger\Programdata\Apple Computer

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-07 10:15 . 2007-09-19 20:54 -------- d-----w- c:\documents and settings\sjef\Programdata\OpenOffice.org2
2009-07-06 14:08 . 2007-08-16 13:40 -------- d--h--w- c:\programfiler\InstallShield Installation Information
2009-07-06 11:06 . 2009-07-04 11:05 0 ----a-w- c:\documents and settings\All Users\Programdata\Lavasoft\Ad-Aware\Update\Resources.dll
2009-07-06 11:05 . 2009-07-04 11:05 2353480 ----a-w- c:\documents and settings\All Users\Programdata\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2009-07-04 16:34 . 2009-03-05 06:52 -------- d-----w- c:\documents and settings\Gatinha\Programdata\OpenOffice.org2
2009-05-25 22:59 . 2009-04-27 19:30 -------- d-----w- c:\documents and settings\sjef\Programdata\Move Networks
2009-05-13 05:06 . 2004-08-04 12:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-07 15:34 . 2004-08-04 12:00 346112 ----a-w- c:\windows\system32\localspl.dll
2009-04-27 19:30 . 2009-04-27 19:30 34062 ----a-w- c:\documents and settings\sjef\Programdata\Move Networks\ie_bin\Uninst.exe
2009-04-19 19:51 . 2004-08-04 12:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-16 06:03 . 2004-08-04 12:00 80090 ----a-w- c:\windows\system32\perfc014.dat
2009-04-16 06:03 . 2004-08-04 12:00 444332 ----a-w- c:\windows\system32\perfh014.dat
2009-04-15 14:55 . 2004-08-04 12:00 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2009-01-26 08:51 . 2007-09-27 02:37 15360 --sha-w- c:\programfiler\Fellesfiler\Thumbs.db
2007-09-23 19:10 . 2007-09-23 19:10 642796 ----a-w- c:\programfiler\Fellesfiler\XviD-1.1.3-28062007.exe
2007-09-15 01:42 . 2007-09-15 01:42 6197248 ----a-w- c:\programfiler\Fellesfiler\innocentgirl_fuckinpublic-8.avi
2007-09-15 01:36 . 2007-09-15 01:36 7563264 ----a-w- c:\programfiler\Fellesfiler\innocentgirl_fuckinpublic-4.avi
2009-02-18 01:08 . 2007-10-11 00:41 67688 ----a-w- c:\programfiler\mozilla firefox\components\jar50.dll
2009-02-18 01:08 . 2007-10-11 00:41 54368 ----a-w- c:\programfiler\mozilla firefox\components\jsd3250.dll
2009-02-18 01:08 . 2007-10-11 00:41 34944 ----a-w- c:\programfiler\mozilla firefox\components\myspell.dll
2009-02-18 01:08 . 2007-10-11 00:41 46712 ----a-w- c:\programfiler\mozilla firefox\components\spellchk.dll
2009-02-18 01:08 . 2007-10-11 00:41 172136 ----a-w- c:\programfiler\mozilla firefox\components\xpinstal.dll
2008-11-22 13:43 . 2008-11-22 13:43 110 --sh--w- c:\windows\TRANSFORMERS.DLL
.

(((((((((((((((((((((((((((((((( Registry Loading Points )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legitimate default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\programfiler\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"CurseClient"="c:\programfiler\Curse\CurseClient.exe" [2009-07-06 1966592]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Mail.com"="c:\programfiler\mail.com\mcalert.exe" [2007-06-25 139264]
"SpybotSD TeaTimer"="c:\programfiler\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\programfiler\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-06-28 8466432]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-06-28 81920]
"SunJavaUpdateSched"="c:\programfiler\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]
"Adobe Reader Speed Launcher"="c:\programfiler\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"Zboard"="c:\programfiler\Ideazon\ZEngine\Zboard.exe" [2008-11-12 57344]
"QuickTime Task"="c:\programfiler\QuickTime\qttask.exe" [2009-03-28 413696]
"Ad-Watch"="c:\programfiler\Lavasoft\Ad-Aware\AAWTray.exe" [2009-07-04 520024]
"OutpostMonitor"="c:\progra~1\Agnitum\OUTPOS~1\op_mon.exe" [2009-04-28 2374464]
"OutpostFeedBack"="c:\programfiler\Agnitum\Outpost Firewall\feedback.exe" [2009-04-28 428032]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" - c:\windows\system32\HdAShCut.exe [2004-10-27 61952]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-06-28 1626112]

c:\documents and settings\sjef\Start-meny\Programmer\Oppstart\
OpenOffice.org 2.2.lnk - c:\programfiler\OpenOffice.org 2.2\program\quickstart.exe [2007-6-8 393216]

c:\documents and settings\Gatinha\Start-meny\Programmer\Oppstart\
OpenOffice.org 2.2.lnk - c:\programfiler\OpenOffice.org 2.2\program\quickstart.exe [2007-6-8 393216]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\World of Warcraft\\BackgroundDownloader.exe"=
"C:0\\Programfiler\\Skype\\Phone\\Skype.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programfiler\\World of Warcraft\\WoW-2.3.0.7561-to-2.3.2.7741-enGB-downloader.exe"=
"d:\\Call of Duty\\CoDUOMP.exe"=
"c:\\Programfiler\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Programfiler\\Windows Live\\Messenger\\livecall.exe"=
"d:\\World of Warcraft\\Launcher.exe"=
"c:\\Programfiler\\Curse\\CurseClient.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [04.07.2009 13:05 64160]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [06.04.2008 12:31 114768]
R1 SandBox;SandBox;c:\windows\system32\drivers\SandBox.sys [06.07.2009 19:03 704384]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [06.04.2008 12:31 20560]
R3 afw;Agnitum firewall driver;c:\windows\system32\drivers\afw.sys [06.07.2009 19:02 31128]
R3 afwcore;afwcore;c:\windows\system32\drivers\afwcore.sys [06.07.2009 19:03 257432]
S2 acssrv;Agnitum Client Security Service;c:\progra~1\Agnitum\OUTPOS~1\acs.exe [06.07.2009 19:01 1195008]
S3 Alpham;Ideazon Merc Composite Keyboard Driver;c:\windows\system32\drivers\Alpham.sys [12.03.2006 13:11 37248]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\programfiler\Lavasoft\Ad-Aware\AAWService.exe [09.03.2009 21:06 1029456]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-07-06 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\programfiler\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 11:05]

2009-07-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\programfiler\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
- - - - ORPHANED ENTRIES REMOVED - - - -

BHO-{201f27d4-3704-41d6-89c1-aa35e39143ed} - (no file)
HKLM-Run-ExtraFilmHemmaAgent - c:\programfiler\ExtraFilm at Home\Agent.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.no/
FF - ProfilePath - c:\documents and settings\sjef\Programdata\Mozilla\Firefox\Profiles\8lvh439d.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Ask
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=101761&gct=&gc=1&q=
FF - component: c:\programfiler\Mozilla Firefox\components\xpinstal.dll
FF - component: c:\programfiler\Mozilla Firefox\extensions\talkback@mozilla.org\components\qfaservices.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\programfiler\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-07 12:15
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded By Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1656)
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\programfiler\Alwil Software\Avast4\aswUpdSv.exe
c:\programfiler\Alwil Software\Avast4\ashServ.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-07-07 12:18 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-07 10:18

Pre-Run: 17 221 713 920 bytes free
Post-Run: 17 414 119 424 bytes free

215 --- E O F --- 2009-07-04 14:24



2nd run I didn't save a log :( although I got the same error both times

#15 TheJoker
Forum Deity (Boot Camp Mod, 14,352 posts)

Posted 12 July 2009 - 11:25 PM

Sorry for the slow response, but I missed your reply.

There are two empty entries to remove, possibly related to TeaTimer restoring them.

I notice that you have Spybot's TeaTimer running. While this is normally a wonderful tool to protect against hijackers, it can also interfere with HijackThis fixes. So please disable TeaTimer by doing the following:
1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts

When everything is done and your log is clean again, you can enable it again.
If TeaTimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.

Now you need to run HijackThis and click "Do a system scan only." Place a check next to the following entries (if they are still there):

O2 - BHO: (no name) - {201f27d4-3704-41d6-89c1-aa35e39143ed} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)


Now close all browsers and other windows except for HijackThis, and click "Fix Checked" to have HijackThis fix the entries you checked.

That's two different online scans now, BitDefender and Kaspersky, that didn't find any additional infected files.

I think the error was simply that the Recovery Console didn't install.

Go to start > run and copy and paste next command in the field:
ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Create a Restore Point
  • Go to Start > Programs > Accessories > System Tools > System Restore
  • Select Create a Restore Point and then Next.
  • In the box for "Restore point description", enter a descriptive name and press Create
  • When the "Restore Point Created" window appears, click Close
Run Disk Cleanup
  • Go to Start > Run and type the below line:
    cleanmgr
  • Click OK
    • If you have more than one drive, select the drive Windows is installed on
    • Click OK
  • When Disk Cleanup opens, select the More Options tab
  • In the System Restore section (bottom of window), click Cleanup
    • In the confirmation window that opens, click Yes
  • Now click on the Disk Cleanup tab and select the following items:
    • Downloaded Program Files
    • Temporary Internet Files
    • Recycle Bin
    • Temporary Files
  • Click OK
  • In the confirmation window, select Yes (Disk Cleanup will close).
Please post a new HijackThis log.

Free Tools for Fighting Malware
Anti-Virus: avast! Free Antivirus / Avira Free AntiVirus
OnLine Anti-Virus: ESET / BitDefender / F-Secure
Anti-Malware: Malwarebytes' Anti-Malware / Dr.Web CureIt
Spyware/Adware Tools: MVPS HOSTS File / SpywareBlaster
Firewall: Comodo Firewall Free / Privatefirewall
Tutorials: How did I get Infected? / Internet Explorer Privacy & Security Settings
If we have helped, please help us continue the fight by using the Donate button, or see this topic for other ways to donate.

MS MVP 2009-2010 and ASAP Member since 2005
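The two O2 entries above are Browser Helper Objects whose CLSID is still registered but whose DLL is gone, which HijackThis shows as "(no file)". The following PowerShell is an added example written for this page, not something posted in the thread or part of HijackThis; it reproduces that O2 check directly against the registry so the result can be verified after "Fix Checked" (or after TeaTimer has been disabled and the fix repeated). It assumes a Windows machine, an elevated prompt, and the standard BHO registration keys; the function name Get-OrphanedBho is my own. It is read-only and deletes nothing.

```powershell
# Added example (not from the thread): enumerate IE Browser Helper Objects and
# flag the ones whose registered DLL no longer exists on disk, i.e. what
# HijackThis reports as "O2 - BHO: (no name) - {CLSID} - (no file)".
# Read-only; run from an elevated PowerShell prompt.

function Get-OrphanedBho {
    # BHOs are registered per machine; the Wow6432Node key only exists on 64-bit Windows.
    $bhoRoots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    )

    foreach ($root in $bhoRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }

        foreach ($entry in Get-ChildItem -LiteralPath $root) {
            $clsid = $entry.PSChildName

            # The BHO key holds only the CLSID; the DLL path is the (default) value of
            # HKLM\SOFTWARE\Classes\CLSID\{clsid}\InprocServer32.
            $server = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32"
            $dll = $null
            if (Test-Path -LiteralPath $server) {
                $dll = (Get-ItemProperty -LiteralPath $server).'(default)'
                if ($dll) {
                    # Registered paths may be quoted or use %SystemRoot%-style variables.
                    $dll = [Environment]::ExpandEnvironmentVariables($dll.Trim('"'))
                }
            }

            $onDisk = ($null -ne $dll) -and (Test-Path -LiteralPath $dll)

            # For DLLs that do exist, record the Authenticode status as a second signal:
            # an unsigned BHO in a user-writable folder deserves a closer look even if present.
            $signer = 'n/a'
            if ($onDisk) {
                $signer = (Get-AuthenticodeSignature -FilePath $dll).Status
            }

            $shownPath = '(no file)'
            if ($dll) { $shownPath = $dll }

            [pscustomobject]@{
                CLSID     = $clsid
                Dll       = $shownPath
                OnDisk    = $onDisk
                Signature = $signer
                Orphaned  = (-not $onDisk)
            }
        }
    }
}

# Orphaned entries first; these are the ones HijackThis would list as "(no file)".
Get-OrphanedBho | Sort-Object Orphaned -Descending | Format-Table -AutoSize
```

Run it before and after the HijackThis fix: the two CLSIDs quoted in the post should appear with Orphaned = True beforehand and be absent afterwards. If they come back, a resident protection tool such as TeaTimer is restoring the keys, which is exactly why the post asks for it to be disabled first.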