Logfile of HijackThis v1.99.1
Scan saved at 19:40:37, on 2006-07-02
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program\Alwil Software\Avast4\aswUpdSv.exe
C:\Program\Alwil Software\Avast4\ashServ.exe
C:\Program\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program\Alwil Software\Avast4\ashMaiSv.exe
C:\Program\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program\Java\jre1.5.0_06\bin\jusched.exe
C:\Program\DAEMON Tools\daemon.exe
C:\Program\ALWILS~1\Avast4\ashDisp.exe
C:\Program\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program\MSN Messenger\MsnMsgr.Exe
C:\Program\Messenger\msmsgs.exe
C:\Program\World of Warcraft\WoW.exe
C:\Program\Ventrilo\Ventrilo.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program\WinRAR\WinRAR.exe
C:\Program\Internet Explorer\iexplore.exe
C:\Documents and Settings\Johan\Mina dokument\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aftonbladet.se
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aftonbladet.se
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [nTrayFw] C:\Program\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [avast!] C:\Program\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {97B79133-88F0-45F0-8D57-0F2EF27D9C66} - http://85.255.114.166/1/rdgSE2405.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\Program\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program\Delade filer\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Unknown owner - C:\Program\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe" -k runservice (file missing)
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA - C:\Program\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

And avast said I got:
Win32.Delf-AQC
Win32:Fake-Alert

I hope I did not miss anything in my post. If so, just tell me. Thanks in advance =)

Additional info: the delf-aqc makes "g[random-numbers].dll" in my C:/Windows folder btw, and it's there the virus is executed, I think. I tried to delete the file, but a program used it. It creates a new "g[random-numbers].dll" every time I boot, I should add.
Hi ReZeftY.

Ok, you got some infections on your computer....

Cleaning instructions:

Download and install Ewido Anti-Spyware 4.0 -> http://www.ewido.net/en/download/
-> Open Ewido Anti-Spyware
-> Click the Update icon at the top of the window
-> Click the Start update button
-> Wait for the update to download and install
-> Quit the program, we'll use this later.

Download ATF Cleaner by Atribune to your desktop -> http://www.atribune.org/ccount/click.php?id=1
Do NOT run yet.

Run HijackThis. Press Do a system scan only, then close all other windows, checkmark the following entries and press Fix checked

O16 - DPF: {97B79133-88F0-45F0-8D57-0F2EF27D9C66} - http://85.255.114.166/1/rdgSE2405.exe

Restart your computer in safe mode -> http://www.pchell.com/support/safemode.shtml

Run ATF Cleaner
-> Check select all
-> Press Empty selected

-> Open Ewido Anti-Spyware
-> Click the Scanner icon at the top of the window
-> Click the Settings tab then select Recommended Options and choose Quarantine
-> Click the Scan tab
-> Select Complete System Scan. The scanning begins.
-> When the scan has completed:
-> If infections were found you'll be prompted about what to do.
-> Please make sure that the Set all elements to is set to Quarantine (in the lower-left corner of the window)
-> Then press Apply all actions and answer yes to all if it asks about something
-> Click on the Save Scan Report button and save the scan to your Desktop.
-> Copy and paste the scan results into your next post

Restart your computer normally.

Post the following logs here:
-> a fresh HijackThis log
-> Ewido's log
Thanks for the quick reply, here are my logs.

Logfile of HijackThis v1.99.1
Scan saved at 02:07:03, on 2006-07-04
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program\Alwil Software\Avast4\aswUpdSv.exe
C:\Program\Alwil Software\Avast4\ashServ.exe
C:\Program\ewido anti-spyware 4.0\guard.exe
C:\Program\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\Explorer.EXE
C:\Program\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program\Alwil Software\Avast4\ashMaiSv.exe
C:\Program\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program\Java\jre1.5.0_06\bin\jusched.exe
C:\Program\DAEMON Tools\daemon.exe
C:\Program\ALWILS~1\Avast4\ashDisp.exe
C:\Program\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program\MSN Messenger\MsnMsgr.Exe
C:\Program\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Johan\Mina dokument\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aftonbladet.se
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aftonbladet.se
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [nTrayFw] C:\Program\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [avast!] C:\Program\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!ewido] "C:\Program\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\Program\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program\Delade filer\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program\ewido anti-spyware 4.0\guard.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Unknown owner - C:\Program\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe" -k runservice (file missing)
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA - C:\Program\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 02:02:19 2006-07-04

+ Scan result:

D:\Program\Virtual Maid\Virtual Maid.dll -> Adware.MaidBar : Cleaned with backup (quarantined).
D:\Documents and Settings\ReZeftY\Lokala inställningar\Temporary Internet Files\Content.IE5\5D0TB683\remote_load[1].htm -> Adware.MediaMotor : Cleaned with backup (quarantined).
C:\Program\DAEMON Tools\SetupDTSB.exe -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\WINDOWS\system32\wvuvvut.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-1644491937-1844237615-725345543-1003\Dc10.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-1644491937-1844237615-725345543-1003\Dc11.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-1644491937-1844237615-725345543-1003\Dc12.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-1644491937-1844237615-725345543-1003\Dc13.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-1644491937-1844237615-725345543-1003\Dc14.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-1644491937-1844237615-725345543-1003\Dc15.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-1644491937-1844237615-725345543-1003\Dc16.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-1644491937-1844237615-725345543-1003\Dc17.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-1644491937-1844237615-725345543-1003\Dc18.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-1644491937-1844237615-725345543-1003\Dc19.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-1644491937-1844237615-725345543-1003\Dc20.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-1644491937-1844237615-725345543-1003\Dc21.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-1644491937-1844237615-725345543-1003\Dc77.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-1644491937-1844237615-725345543-1003\Dc78.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-1644491937-1844237615-725345543-1003\Dc79.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-1644491937-1844237615-725345543-1003\Dc8.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-1644491937-1844237615-725345543-1003\Dc80.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-1644491937-1844237615-725345543-1003\Dc81.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-1644491937-1844237615-725345543-1003\Dc82.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-1644491937-1844237615-725345543-1003\Dc83.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-1644491937-1844237615-725345543-1003\Dc84.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-1644491937-1844237615-725345543-1003\Dc85.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-1644491937-1844237615-725345543-1003\Dc86.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-1644491937-1844237615-725345543-1003\Dc87.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-1644491937-1844237615-725345543-1003\Dc88.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-1644491937-1844237615-725345543-1003\Dc9.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined).
C:\WINDOWS\g25831953.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined).
[280] C:\WINDOWS\g25831953.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined).
[848] C:\WINDOWS\g25831953.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined).
D:\Documents and Settings\ReZeftY\Lokala inställningar\Temporary Internet Files\Content.IE5\KPQNKXMB\popup[1].htm -> Downloader.IstBar.ai : Cleaned with backup (quarantined).
D:\Documents and Settings\ReZeftY\Lokala inställningar\Temporary Internet Files\Content.IE5\KPQNKXMB\popup[2].htm -> Downloader.IstBar.ai : Cleaned with backup (quarantined).
:mozilla.323:C:\Documents and Settings\Johan\Application Data\Mozilla\Firefox\Profiles\cjppjts9.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.324:C:\Documents and Settings\Johan\Application Data\Mozilla\Firefox\Profiles\cjppjts9.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.325:C:\Documents and Settings\Johan\Application Data\Mozilla\Firefox\Profiles\cjppjts9.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.326:C:\Documents and Settings\Johan\Application Data\Mozilla\Firefox\Profiles\cjppjts9.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.327:C:\Documents and Settings\Johan\Application Data\Mozilla\Firefox\Profiles\cjppjts9.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.328:C:\Documents and Settings\Johan\Application Data\Mozilla\Firefox\Profiles\cjppjts9.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.329:C:\Documents and Settings\Johan\Application Data\Mozilla\Firefox\Profiles\cjppjts9.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
D:\Documents and Settings\ReZeftY\Cookies\rezefty@abcsearch[1].txt -> TrackingCookie.Abcsearch : Cleaned with backup (quarantined).
:mozilla.156:C:\Documents and Settings\Johan\Application Data\Mozilla\Firefox\Profiles\cjppjts9.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned with backup (quarantined).
D:\Documents and Settings\ReZeftY\Cookies\rezefty@as-eu.falkag[1].txt -> TrackingCookie.Falkag : Cleaned with backup (quarantined). D:\Documents and Settings\ReZeftY\Cookies\rezefty@as-us.falkag[2].txt -> TrackingCookie.Falkag : Cleaned with backup (quarantined). :mozilla.10:\Documents and Settings\ReZeftY\Application Data\Mozilla\Firefox\Profiles\q9bwzg8i.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup (quarantined). :mozilla.210:C:\Documents and Settings\Johan\Application Data\Mozilla\Firefox\Profiles\cjppjts9.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup (quarantined). :mozilla.211:C:\Documents and Settings\Johan\Application Data\Mozilla\Firefox\Profiles\cjppjts9.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup (quarantined). :mozilla.212:C:\Documents and Settings\Johan\Application Data\Mozilla\Firefox\Profiles\cjppjts9.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup (quarantined). D:\Documents and Settings\ReZeftY\Cookies\rezefty@www.goldenpalace[1].txt -> TrackingCookie.Goldenpalace : Cleaned with backup (quarantined). :mozilla.248:C:\Documents and Settings\Johan\Application Data\Mozilla\Firefox\Profiles\cjppjts9.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined). :mozilla.249:C:\Documents and Settings\Johan\Application Data\Mozilla\Firefox\Profiles\cjppjts9.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined). :mozilla.261:C:\Documents and Settings\Johan\Application Data\Mozilla\Firefox\Profiles\cjppjts9.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined). :mozilla.262:C:\Documents and Settings\Johan\Application Data\Mozilla\Firefox\Profiles\cjppjts9.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined). 
:mozilla.294:C:\Documents and Settings\Johan\Application Data\Mozilla\Firefox\Profiles\cjppjts9.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined). :mozilla.295:C:\Documents and Settings\Johan\Application Data\Mozilla\Firefox\Profiles\cjppjts9.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined). :mozilla.300:C:\Documents and Settings\Johan\Application Data\Mozilla\Firefox\Profiles\cjppjts9.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined). :mozilla.266:C:\Documents and Settings\Johan\Application Data\Mozilla\Firefox\Profiles\cjppjts9.default\cookies.txt -> TrackingCookie.Hotlog : Cleaned with backup (quarantined). :mozilla.15:\Documents and Settings\ReZeftY\Application Data\Mozilla\Firefox\Profiles\q9bwzg8i.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned with backup (quarantined). :mozilla.170:C:\Documents and Settings\Johan\Application Data\Mozilla\Firefox\Profiles\cjppjts9.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned with backup (quarantined). C:\Documents and Settings\Johan\Cookies\johan@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned with backup (quarantined). D:\Documents and Settings\ReZeftY\Cookies\rezefty@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned with backup (quarantined). C:\Documents and Settings\Johan\Cookies\johan@data2.perf.overture[2].txt -> TrackingCookie.Overture : Cleaned with backup (quarantined). D:\Documents and Settings\ReZeftY\Cookies\rezefty@paypopup[2].txt -> TrackingCookie.Paypopup : Cleaned with backup (quarantined). :mozilla.251:C:\Documents and Settings\Johan\Application Data\Mozilla\Firefox\Profiles\cjppjts9.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup (quarantined). :mozilla.252:C:\Documents and Settings\Johan\Application Data\Mozilla\Firefox\Profiles\cjppjts9.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup (quarantined). 
:mozilla.253:C:\Documents and Settings\Johan\Application Data\Mozilla\Firefox\Profiles\cjppjts9.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup (quarantined). :mozilla.254:C:\Documents and Settings\Johan\Application Data\Mozilla\Firefox\Profiles\cjppjts9.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup (quarantined). D:\Documents and Settings\ReZeftY\Cookies\rezefty@ppms.popularix[2].txt -> TrackingCookie.Popularix : Cleaned with backup (quarantined). D:\Documents and Settings\ReZeftY\Cookies\rezefty@ads.realcastmedia[1].txt -> TrackingCookie.Realcastmedia : Cleaned with backup (quarantined). C:\Documents and Settings\Johan\Cookies\johan@stats1.reliablestats[2].txt -> TrackingCookie.Reliablestats : Cleaned with backup (quarantined). :mozilla.186:C:\Documents and Settings\Johan\Application Data\Mozilla\Firefox\Profiles\cjppjts9.default\cookies.txt -> TrackingCookie.Revenue : Cleaned with backup (quarantined). D:\Documents and Settings\ReZeftY\Cookies\rezefty@revenue[2].txt -> TrackingCookie.Revenue : Cleaned with backup (quarantined). :mozilla.173:C:\Documents and Settings\Johan\Application Data\Mozilla\Firefox\Profiles\cjppjts9.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup (quarantined). :mozilla.174:C:\Documents and Settings\Johan\Application Data\Mozilla\Firefox\Profiles\cjppjts9.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup (quarantined). :mozilla.175:C:\Documents and Settings\Johan\Application Data\Mozilla\Firefox\Profiles\cjppjts9.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup (quarantined). :mozilla.176:C:\Documents and Settings\Johan\Application Data\Mozilla\Firefox\Profiles\cjppjts9.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup (quarantined). 
:mozilla.177:C:\Documents and Settings\Johan\Application Data\Mozilla\Firefox\Profiles\cjppjts9.default\cookies.txt -> TrackingCookie.Smartadserver : Cleaned with backup (quarantined). :mozilla.179:C:\Documents and Settings\Johan\Application Data\Mozilla\Firefox\Profiles\cjppjts9.default\cookies.txt -> TrackingCookie.Smartadserver : Cleaned with backup (quarantined). :mozilla.180:C:\Documents and Settings\Johan\Application Data\Mozilla\Firefox\Profiles\cjppjts9.default\cookies.txt -> TrackingCookie.Smartadserver : Cleaned with backup (quarantined). :mozilla.182:C:\Documents and Settings\Johan\Application Data\Mozilla\Firefox\Profiles\cjppjts9.default\cookies.txt -> TrackingCookie.Smartadserver : Cleaned with backup (quarantined). :mozilla.133:C:\Documents and Settings\Johan\Application Data\Mozilla\Firefox\Profiles\cjppjts9.default\cookies.txt -> TrackingCookie.Spylog : Cleaned with backup (quarantined). :mozilla.74:C:\Documents and Settings\Johan\Application Data\Mozilla\Firefox\Profiles\cjppjts9.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined). :mozilla.75:C:\Documents and Settings\Johan\Application Data\Mozilla\Firefox\Profiles\cjppjts9.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined). D:\Documents and Settings\ReZeftY\Cookies\rezefty@statcounter[2].txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined). :mozilla.102:C:\Documents and Settings\Johan\Application Data\Mozilla\Firefox\Profiles\cjppjts9.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined). :mozilla.103:C:\Documents and Settings\Johan\Application Data\Mozilla\Firefox\Profiles\cjppjts9.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined). :mozilla.104:C:\Documents and Settings\Johan\Application Data\Mozilla\Firefox\Profiles\cjppjts9.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined). 
C:\Documents and Settings\Johan\Cookies\johan@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined). D:\Documents and Settings\ReZeftY\Cookies\rezefty@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined). :mozilla.184:C:\Documents and Settings\Johan\Application Data\Mozilla\Firefox\Profiles\cjppjts9.default\cookies.txt -> TrackingCookie.Targetnet : Cleaned with backup (quarantined). :mozilla.96:C:\Documents and Settings\Johan\Application Data\Mozilla\Firefox\Profiles\cjppjts9.default\cookies.txt -> TrackingCookie.Targetnet : Cleaned with backup (quarantined). D:\Documents and Settings\ReZeftY\Cookies\rezefty@targetnet[1].txt -> TrackingCookie.Targetnet : Cleaned with backup (quarantined). :mozilla.40:C:\Documents and Settings\Johan\Application Data\Mozilla\Firefox\Profiles\cjppjts9.default\cookies.txt -> TrackingCookie.Tradedoubler : Cleaned with backup (quarantined). :mozilla.41:C:\Documents and Settings\Johan\Application Data\Mozilla\Firefox\Profiles\cjppjts9.default\cookies.txt -> TrackingCookie.Tradedoubler : Cleaned with backup (quarantined). :mozilla.44:C:\Documents and Settings\Johan\Application Data\Mozilla\Firefox\Profiles\cjppjts9.default\cookies.txt -> TrackingCookie.Tradedoubler : Cleaned with backup (quarantined). C:\Documents and Settings\Johan\Cookies\johan@tradedoubler[1].txt -> TrackingCookie.Tradedoubler : Cleaned with backup (quarantined). D:\Documents and Settings\ReZeftY\Cookies\rezefty@tradedoubler[2].txt -> TrackingCookie.Tradedoubler : Cleaned with backup (quarantined). D:\Documents and Settings\ReZeftY\Cookies\rezefty@trafficmp[1].txt -> TrackingCookie.Trafficmp : Cleaned with backup (quarantined). C:\Documents and Settings\Johan\Cookies\johan@trafic[1].txt -> TrackingCookie.Trafic : Cleaned with backup (quarantined). :mozilla.11:\Documents and Settings\ReZeftY\Application Data\Mozilla\Firefox\Profiles\q9bwzg8i.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup (quarantined). 
:mozilla.68:C:\Documents and Settings\Johan\Application Data\Mozilla\Firefox\Profiles\cjppjts9.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup (quarantined). C:\Documents and Settings\Johan\Cookies\johan@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned with backup (quarantined). D:\Documents and Settings\ReZeftY\Cookies\rezefty@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned with backup (quarantined). :mozilla.95:C:\Documents and Settings\Johan\Application Data\Mozilla\Firefox\Profiles\cjppjts9.default\cookies.txt -> TrackingCookie.Weborama : Cleaned with backup (quarantined). :mozilla.112:C:\Documents and Settings\Johan\Application Data\Mozilla\Firefox\Profiles\cjppjts9.default\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned with backup (quarantined). C:\Documents and Settings\Johan\Cookies\johan@statse.webtrendslive[2].txt -> TrackingCookie.Webtrendslive : Cleaned with backup (quarantined). C:\Documents and Settings\Johan\Cookies\johan@yadro[1].txt -> TrackingCookie.Yadro : Cleaned with backup (quarantined). :mozilla.271:C:\Documents and Settings\Johan\Application Data\Mozilla\Firefox\Profiles\cjppjts9.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined). :mozilla.272:C:\Documents and Settings\Johan\Application Data\Mozilla\Firefox\Profiles\cjppjts9.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined). :mozilla.273:C:\Documents and Settings\Johan\Application Data\Mozilla\Firefox\Profiles\cjppjts9.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined). :mozilla.274:C:\Documents and Settings\Johan\Application Data\Mozilla\Firefox\Profiles\cjppjts9.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined). C:\Documents and Settings\Johan\Cookies\johan@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined). 
C:\Documents and Settings\Johan\Lokala inställningar\Temporary Internet Files\Content.IE5\MKPDFRJ7\bgates[1].exe -> Trojan.Dialer.pz : Cleaned with backup (quarantined).
::Report end

Note that I still get Win32.Delf-AQC, but I am not sure about Win32:Fake-Alert.
OK, let's continue.

Download win32delfkil -> http://users.telenet.be/marcvn/tools/win32delfkil.exe
Save it to your desktop.

Download VundoFix.exe to your desktop -> http://www.atribune.org/ccount/click.php?id=4
* Double-click VundoFix.exe to run it.
* Put a check next to Run VundoFix as a task.
* You will receive a message saying VundoFix will close and re-open in a minute or less. Click OK.
* When VundoFix re-opens, click the Scan for Vundo button.
* Once the scan is ready, right-click the list box (the white box that lists the found files) and choose Add more files.
* Copy/paste the following two lines to the upper field:
C:\WINDOWS\SYSTEM32\wvuvvut.dll
C:\WINDOWS\system32\tuvvuvw.*
* Click Add Files and click Close Window.
* Click the Remove Vundo button.
* You will receive a prompt asking if you want to remove the files; click YES.
* Once you click yes, your desktop will go blank as it starts removing Vundo.
* When completed, it will prompt that it will shut down your computer; click OK.
* Turn your computer back on.

Double-click win32delfkil.exe and it extracts itself to win32delfkil-directory. Close all other windows and open the win32delfkil-directory. Double-click fix.bat. If the computer doesn't restart after the fix, restart it yourself.

Make your hidden files visible -> http://www.bleepingcomputer.com/tutorials/tutorial62.html

Delete this folder if found:
D:\Program\Virtual Maid

Then follow the Ewido instructions in my last message and run a new Complete system scan.

Post the following logs here:
-> a fresh HijackThis log
-> Ewido's log
-> contents of C:\win32delfkill.txt
Just so you know, when I ran the win32delfkill program and it was about to shut down, it had some problems with "winlogon.exe", so I had to restart manually with the power button on my computer.

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------
+ Created at: 01:05:30 2006-07-05
+ Scan result:
C:\WINDOWS\g28630687.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined).
C:\WINDOWS\g29957984.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined).
C:\WINDOWS\g31282343.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined).
C:\WINDOWS\g32608125.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined).
C:\WINDOWS\g33819000.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined).
C:\WINDOWS\g35137640.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined).
C:\WINDOWS\g36463140.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined).
C:\WINDOWS\g37784000.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined).
C:\WINDOWS\g39108218.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined).
C:\WINDOWS\g40313781.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined).
C:\WINDOWS\g41634468.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined).
C:\WINDOWS\g42958734.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined).
C:\WINDOWS\g44280796.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined).
C:\WINDOWS\g45601968.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined).
C:\WINDOWS\g46923906.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined).
C:\WINDOWS\g48126062.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined).
C:\WINDOWS\g49446453.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined).
C:\WINDOWS\g504500.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined).
C:\WINDOWS\g50770312.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined). C:\WINDOWS\g52095125.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined). C:\WINDOWS\g53418640.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined). [1772] C:\WINDOWS\g53418640.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined). [740] C:\WINDOWS\g53418640.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined). C:\Documents and Settings\Johan\Cookies\johan@2o7[2].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined). C:\Documents and Settings\Johan\Cookies\johan@adtech[2].txt -> TrackingCookie.Adtech : Cleaned with backup (quarantined). C:\Documents and Settings\Johan\Cookies\johan@advertising[2].txt -> TrackingCookie.Advertising : Cleaned with backup (quarantined). C:\Documents and Settings\Johan\Cookies\johan@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup (quarantined). C:\Documents and Settings\Johan\Cookies\johan@bluestreak[1].txt -> TrackingCookie.Bluestreak : Cleaned with backup (quarantined). C:\Documents and Settings\Johan\Cookies\johan@casalemedia[1].txt -> TrackingCookie.Casalemedia : Cleaned with backup (quarantined). C:\Documents and Settings\Johan\Cookies\johan@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup (quarantined). C:\Documents and Settings\Johan\Cookies\johan@fastclick[1].txt -> TrackingCookie.Fastclick : Cleaned with backup (quarantined). C:\Documents and Settings\Johan\Cookies\johan@media.fastclick[1].txt -> TrackingCookie.Fastclick : Cleaned with backup (quarantined). C:\Documents and Settings\Johan\Cookies\johan@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned with backup (quarantined). C:\Documents and Settings\Johan\Cookies\johan@stats1.reliablestats[1].txt -> TrackingCookie.Reliablestats : Cleaned with backup (quarantined). C:\Documents and Settings\Johan\Cookies\johan@tradedoubler[1].txt -> TrackingCookie.Tradedoubler : Cleaned with backup (quarantined). 
C:\Documents and Settings\Johan\Cookies\johan@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned with backup (quarantined). C:\Documents and Settings\Johan\Cookies\johan@statse.webtrendslive[1].txt -> TrackingCookie.Webtrendslive : Cleaned with backup (quarantined). C:\Documents and Settings\Johan\Cookies\johan@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined). C:\Documents and Settings\Johan\Lokala inställningar\Temporary Internet Files\Content.IE5\4PAR8LQF\bgates[1].exe -> Trojan.Dialer.pz : Cleaned with backup (quarantined). C:\Documents and Settings\Johan\Lokala inställningar\Temp\winE6.tmp.exe -> Trojan.Pakes : Cleaned with backup (quarantined). ::Report end Logfile of HijackThis v1.99.1 Scan saved at 01:07:08, on 2006-07-05 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\SOUNDMAN.EXE C:\Program\Java\jre1.5.0_06\bin\jusched.exe C:\Program\DAEMON Tools\daemon.exe C:\Program\ALWILS~1\Avast4\ashDisp.exe C:\Program\QuickTime\qttask.exe C:\WINDOWS\system32\ctfmon.exe C:\Program\MSN Messenger\MsnMsgr.Exe C:\Program\Messenger\msmsgs.exe C:\Program\Alwil Software\Avast4\aswUpdSv.exe C:\Program\Alwil Software\Avast4\ashServ.exe C:\Program\ewido anti-spyware 4.0\guard.exe C:\Program\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe C:\Program\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe C:\Program\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe C:\WINDOWS\system32\nvsvc32.exe C:\Program\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe C:\Program\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe C:\Program\Alwil 
Software\Avast4\ashMaiSv.exe C:\Program\Alwil Software\Avast4\ashWebSv.exe C:\WINDOWS\system32\wuauclt.exe C:\Program\ewido anti-spyware 4.0\ewido.exe C:\WINDOWS\system32\NOTEPAD.EXE C:\Program\Internet Explorer\iexplore.exe C:\Program\VideoLAN\VLC\vlc.exe C:\WINDOWS\system32\regsvr32.exe C:\Program\Notepad++\notepad++.exe C:\Dev-Cpp\devcpp.exe C:\Program\Internet Explorer\iexplore.exe C:\WINDOWS\system32\regsvr32.exe C:\Documents and Settings\Johan\Mina dokument\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aftonbladet.se R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aftonbladet.se R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [nTrayFw] C:\Program\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program\Java\jre1.5.0_06\bin\jusched.exe O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program\DAEMON Tools\daemon.exe" -lang 1033 O4 - HKLM\..\Run: [avast!] 
C:\Program\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [!ewido] "C:\Program\ewido anti-spyware 4.0\ewido.exe" /minimized O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [MsnMsgr] "C:\Program\MSN Messenger\MsnMsgr.Exe" /background O4 - HKCU\..\Run: [MSMSGS] "C:\Program\Messenger\msmsgs.exe" /background O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program\Adobe\Acrobat 7.0\Reader\reader_sl.exe O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\Program\MSNMES~1\msgrapp.dll" (file missing) O23 - Service: Adobe LM Service - Unknown owner - 
C:\Program\Delade filer\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: avast! Antivirus - Unknown owner - C:\Program\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing) O23 - Service: avast! Web Scanner - Unknown owner - C:\Program\Alwil Software\Avast4\ashWebSv.exe" /service (file missing) O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program\ewido anti-spyware 4.0\guard.exe O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Unknown owner - C:\Program\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe" -k runservice (file missing) O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA - C:\Program\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
OK, we'll need to do something before we can continue...

Download F-Secure Blacklight and save it to your desktop -> http://www.f-secure.com/blacklight/try.shtml

Double-click blbeta.exe, accept the agreement, click Scan, then click Next.
You'll see a list of what has been found. A log will appear on your desktop; it is named fsbl.xxxxxxx.log (xxxxxxx will be random numbers).
DON'T choose Rename if something was found!

Post the contents of fsbl.xxxx.log here (the Blacklight log from your desktop).
It did not find anything :/

07/05/06 13:14:30 [Info]: BlackLight Engine 1.0.42 initialized
07/05/06 13:14:30 [Info]: OS: 5.1 build 2600 (Service Pack 2)
07/05/06 13:14:30 [Note]: 7019 4
07/05/06 13:14:30 [Note]: 7005 0
07/05/06 13:14:35 [Note]: 7006 0
07/05/06 13:14:35 [Note]: 7011 3520
07/05/06 13:14:35 [Note]: 7026 0
07/05/06 13:14:35 [Note]: 7026 0
07/05/06 13:14:37 [Note]: FSRAW library version 1.7.1019
07/05/06 13:15:39 [Note]: 7007 0
Hi again, it is a good thing that nothing was found.

Run ATF Cleaner -> Check select all -> Press Empty selected

Please run one more scan with Ewido (follow the instructions in my old message).

Then post Ewido's log and a fresh HijackThis log here.
Logfile of HijackThis v1.99.1 Scan saved at 02:50:22, on 2006-07-06 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program\Alwil Software\Avast4\aswUpdSv.exe C:\Program\Alwil Software\Avast4\ashServ.exe C:\Program\ewido anti-spyware 4.0\guard.exe C:\Program\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe C:\Program\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe C:\Program\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe C:\WINDOWS\system32\nvsvc32.exe C:\Program\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe C:\Program\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe C:\Program\Alwil Software\Avast4\ashMaiSv.exe C:\Program\Alwil Software\Avast4\ashWebSv.exe C:\WINDOWS\SOUNDMAN.EXE C:\Program\Java\jre1.5.0_06\bin\jusched.exe C:\Program\DAEMON Tools\daemon.exe C:\Program\ALWILS~1\Avast4\ashDisp.exe C:\Program\QuickTime\qttask.exe C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\system32\ctfmon.exe C:\Program\Messenger\msmsgs.exe C:\WINDOWS\system32\regsvr32.exe C:\WINDOWS\system32\regsvr32.exe C:\WINDOWS\system32\regsvr32.exe C:\WINDOWS\system32\regsvr32.exe C:\WINDOWS\system32\regsvr32.exe C:\WINDOWS\system32\regsvr32.exe C:\WINDOWS\system32\regsvr32.exe C:\WINDOWS\system32\regsvr32.exe C:\WINDOWS\system32\regsvr32.exe C:\WINDOWS\system32\regsvr32.exe C:\WINDOWS\system32\regsvr32.exe C:\WINDOWS\system32\regsvr32.exe C:\WINDOWS\system32\regsvr32.exe C:\WINDOWS\system32\regsvr32.exe C:\WINDOWS\system32\regsvr32.exe C:\WINDOWS\system32\regsvr32.exe C:\WINDOWS\explorer.exe C:\WINDOWS\system32\regsvr32.exe C:\WINDOWS\system32\regsvr32.exe C:\WINDOWS\system32\regsvr32.exe C:\WINDOWS\system32\regsvr32.exe 
C:\WINDOWS\system32\regsvr32.exe C:\WINDOWS\system32\regsvr32.exe C:\WINDOWS\system32\regsvr32.exe C:\WINDOWS\system32\regsvr32.exe C:\WINDOWS\system32\regsvr32.exe C:\WINDOWS\system32\regsvr32.exe C:\WINDOWS\system32\regsvr32.exe C:\WINDOWS\system32\regsvr32.exe C:\WINDOWS\system32\regsvr32.exe C:\WINDOWS\system32\regsvr32.exe C:\Program\VideoLAN\VLC\vlc.exe C:\Program\ewido anti-spyware 4.0\ewido.exe C:\WINDOWS\system32\regsvr32.exe C:\Program\Internet Explorer\iexplore.exe C:\WINDOWS\system32\regsvr32.exe C:\WINDOWS\system32\regsvr32.exe C:\WINDOWS\system32\regsvr32.exe C:\Program\Internet Explorer\iexplore.exe C:\Documents and Settings\Johan\Mina dokument\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aftonbladet.se R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aftonbladet.se R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [nTrayFw] C:\Program\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program\Java\jre1.5.0_06\bin\jusched.exe O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program\DAEMON Tools\daemon.exe" -lang 1033 O4 - HKLM\..\Run: [avast!] 
C:\Program\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [!ewido] "C:\Program\ewido anti-spyware 4.0\ewido.exe" /minimized O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [MsnMsgr] "C:\Program\MSN Messenger\MsnMsgr.Exe" /background O4 - HKCU\..\Run: [MSMSGS] "C:\Program\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [Skype] "C:\Program\Skype\Phone\Skype.exe" /nosplash /minimized O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program\Adobe\Acrobat 7.0\Reader\reader_sl.exe O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - 
"C:\Program\MSNMES~1\msgrapp.dll" (file missing) O23 - Service: Adobe LM Service - Unknown owner - C:\Program\Delade filer\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: avast! Antivirus - Unknown owner - C:\Program\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing) O23 - Service: avast! Web Scanner - Unknown owner - C:\Program\Alwil Software\Avast4\ashWebSv.exe" /service (file missing) O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program\ewido anti-spyware 4.0\guard.exe O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Unknown owner - C:\Program\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe" -k runservice (file missing) O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA - C:\Program\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe --------------------------------------------------------- ewido anti-spyware - Scan Report --------------------------------------------------------- + Created at: 03:30:19 2006-07-06 + Scan result: C:\WINDOWS\g11759421.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined). C:\WINDOWS\g13097000.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined). C:\WINDOWS\g14351859.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined). C:\WINDOWS\g1474859.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined). 
C:\WINDOWS\g15554546.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined). C:\WINDOWS\g157640.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined). C:\WINDOWS\g16878312.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined). C:\WINDOWS\g20006328.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined). C:\WINDOWS\g21328671.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined). C:\WINDOWS\g22534921.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined). C:\WINDOWS\g25656343.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined). C:\WINDOWS\g26977968.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined). C:\WINDOWS\g2805562.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined). C:\WINDOWS\g28300640.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined). C:\WINDOWS\g31187203.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined). C:\WINDOWS\g32507593.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined). C:\WINDOWS\g33830312.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined). C:\WINDOWS\g35150406.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined). C:\WINDOWS\g36355015.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined). C:\WINDOWS\g37555046.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined). C:\WINDOWS\g38878687.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined). C:\WINDOWS\g40198218.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined). C:\WINDOWS\g41524921.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined). C:\WINDOWS\g4239562.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined). C:\WINDOWS\g42844468.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined). C:\WINDOWS\g44168359.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined). C:\WINDOWS\g45375046.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined). 
C:\WINDOWS\g46572171.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined). C:\WINDOWS\g47893906.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined). C:\WINDOWS\g49213812.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined). C:\WINDOWS\g5676906.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined). C:\WINDOWS\g7035859.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined). C:\WINDOWS\g8357078.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined). C:\WINDOWS\g9821484.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined). [1008] C:\WINDOWS\g2805562.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined). [1204] C:\WINDOWS\g157640.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined). [1776] C:\WINDOWS\g41524921.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined). [3100] C:\WINDOWS\g46572171.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined). [332] C:\WINDOWS\g20006328.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined). [3756] C:\WINDOWS\g35150406.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined). [3768] C:\WINDOWS\g21328671.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined). [384] C:\WINDOWS\g22534921.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined). [3896] C:\WINDOWS\g1474859.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined). [3908] C:\WINDOWS\g42844468.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined). [4212] C:\WINDOWS\g8357078.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined). [4428] C:\WINDOWS\g13097000.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined). [4456] C:\WINDOWS\g47893906.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined). [4480] C:\WINDOWS\g7035859.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined). [4552] C:\WINDOWS\g9821484.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined). 
[4652] C:\WINDOWS\g38878687.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined). [4704] C:\WINDOWS\g11759421.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined). [4732] C:\WINDOWS\g36355015.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined). [4736] C:\WINDOWS\g14351859.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined). [4780] C:\WINDOWS\g26977968.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined). [4784] C:\WINDOWS\g31187203.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined). [4788] C:\WINDOWS\g32507593.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined). [488] C:\WINDOWS\g33830312.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined). [5000] C:\WINDOWS\g25656343.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined). [5128] C:\WINDOWS\g37555046.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined). [5308] C:\WINDOWS\g4239562.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined). [5348] C:\WINDOWS\g5676906.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined). [5392] C:\WINDOWS\g15554546.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined). [5408] C:\WINDOWS\g45375046.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined). [5672] C:\WINDOWS\g16878312.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined). [5740] C:\WINDOWS\g40198218.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined). [5788] C:\WINDOWS\g44168359.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined). [584] C:\WINDOWS\g22534921.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined). [5860] C:\WINDOWS\g49213812.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined). [884] C:\WINDOWS\g28300640.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined). C:\Documents and Settings\Johan\Cookies\johan@advertising[2].txt -> TrackingCookie.Advertising : Cleaned with backup (quarantined). 
C:\Documents and Settings\Johan\Cookies\johan@www.burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned with backup (quarantined). C:\Documents and Settings\Johan\Cookies\johan@casalemedia[1].txt -> TrackingCookie.Casalemedia : Cleaned with backup (quarantined). C:\Documents and Settings\Johan\Cookies\johan@fastclick[2].txt -> TrackingCookie.Fastclick : Cleaned with backup (quarantined). C:\Documents and Settings\Johan\Cookies\johan@media.fastclick[1].txt -> TrackingCookie.Fastclick : Cleaned with backup (quarantined). C:\Documents and Settings\Johan\Cookies\johan@tradedoubler[1].txt -> TrackingCookie.Tradedoubler : Cleaned with backup (quarantined). C:\Documents and Settings\Johan\Cookies\johan@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned with backup (quarantined). C:\Documents and Settings\Johan\Lokala inställningar\Temporary Internet Files\Content.IE5\Y0NIW5TF\bgates[2].exe -> Trojan.Dialer.pz : Cleaned with backup (quarantined). ::Report end
Ok, let's try running win32delfkil again, but this time do it from safe mode. When you're ready, please post the log from C:\win32delfkil.txt here.
It did not work. I think we have to fix my "winlogon.exe" problem before we can continue with the virus, to be honest.
Ok, let's try this scanner instead...
Download Dr.Web CureIt to the desktop -> ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
-> Restart your computer to safe mode -> http://www.pchell.com/support/safemode.shtml
-> Double-click the drweb-cureit.exe file and allow it to run the express scan
-> This will scan the files currently running in memory, and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
-> Once the short scan has finished, you should now mark the drives that you want to scan.
-> Select all drives. A red dot shows which drives have been chosen.
-> Click the green arrow at the right, and the scan will start.
-> Click 'Yes to all' if it asks if you want to cure/move the file.
-> When the scan has finished, see if you can click the next icon next to the files found
-> If so, click it and then click the next icon right below and select Move incurable
-> After the scan, in the menu, click File and choose Save report list
-> Save the report to your desktop. The report will be called DrWeb.csv
-> Close Dr.Web CureIt.
-> Reboot the computer in Normal Mode,
-> Post the CureIt report and a fresh HijackThis log
It found some infections (or rather, quite a lot):
Logfile of HijackThis v1.99.1 Scan saved at 03:39:10, on 2006-07-09 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\SOUNDMAN.EXE C:\Program\Java\jre1.5.0_06\bin\jusched.exe C:\Program\DAEMON Tools\daemon.exe C:\Program\ALWILS~1\Avast4\ashDisp.exe C:\Program\QuickTime\qttask.exe C:\WINDOWS\system32\ctfmon.exe C:\Program\MSN Messenger\MsnMsgr.Exe C:\Program\Messenger\msmsgs.exe C:\Program\Skype\Phone\Skype.exe C:\Program\Adobe\Acrobat 7.0\Reader\reader_sl.exe C:\Program\Alwil Software\Avast4\aswUpdSv.exe C:\Program\Alwil Software\Avast4\ashServ.exe C:\Program\ewido anti-spyware 4.0\guard.exe C:\Program\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe C:\Program\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe C:\Program\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe C:\Program\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe C:\WINDOWS\system32\nvsvc32.exe C:\Program\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe C:\WINDOWS\system32\wscntfy.exe C:\Program\Alwil Software\Avast4\ashMaiSv.exe C:\Program\Alwil Software\Avast4\ashWebSv.exe C:\Program\Internet Explorer\iexplore.exe C:\WINDOWS\system32\wuauclt.exe C:\Documents and Settings\Johan\Mina dokument\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aftonbladet.se R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aftonbladet.se R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [nTrayFw] C:\Program\NVIDIA 
Corporation\NetworkAccessManager\bin\nTrayFw.exe O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program\Java\jre1.5.0_06\bin\jusched.exe O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program\DAEMON Tools\daemon.exe" -lang 1033 O4 - HKLM\..\Run: [avast!] C:\Program\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [!ewido] "C:\Program\ewido anti-spyware 4.0\ewido.exe" /minimized O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [MsnMsgr] "C:\Program\MSN Messenger\MsnMsgr.Exe" /background O4 - HKCU\..\Run: [MSMSGS] "C:\Program\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [Skype] "C:\Program\Skype\Phone\Skype.exe" /nosplash /minimized O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program\Adobe\Acrobat 7.0\Reader\reader_sl.exe O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll 
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\Program\MSNMES~1\msgrapp.dll" (file missing) O23 - Service: Adobe LM Service - Unknown owner - C:\Program\Delade filer\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: avast! Antivirus - Unknown owner - C:\Program\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing) O23 - Service: avast! Web Scanner - Unknown owner - C:\Program\Alwil Software\Avast4\ashWebSv.exe" /service (file missing) O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. 
- C:\Program\ewido anti-spyware 4.0\guard.exe O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Unknown owner - C:\Program\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe" -k runservice (file missing) O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA - C:\Program\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe DrWeb: ssqpn.dll;C:\WINDOWS\system32;Trojan.Virtumod;Will be cured after reboot.; A0004609.exe;C:\System Volume Information\_restore{D2099151-01A2-45D2-890A-B05B11A86662}\RP27;Adware.MediaTicket;Incurable.Moved.; A0006665.exe;C:\System Volume Information\_restore{D2099151-01A2-45D2-890A-B05B11A86662}\RP28;Adware.MediaTicket;Incurable.Moved.; A0011855.exe;C:\System Volume Information\_restore{D2099151-01A2-45D2-890A-B05B11A86662}\RP31;Adware.SaveNow;Incurable.Moved.; A0019000.dll;C:\System Volume Information\_restore{D2099151-01A2-45D2-890A-B05B11A86662}\RP37;Trojan.DownLoader.10744;Deleted.; A0019001.dll;C:\System Volume Information\_restore{D2099151-01A2-45D2-890A-B05B11A86662}\RP37;Trojan.DownLoader.10744;Deleted.; A0019002.dll;C:\System Volume Information\_restore{D2099151-01A2-45D2-890A-B05B11A86662}\RP37;Trojan.DownLoader.10744;Deleted.; A0019003.dll;C:\System Volume Information\_restore{D2099151-01A2-45D2-890A-B05B11A86662}\RP37;Trojan.DownLoader.10744;Deleted.; A0019004.dll;C:\System Volume Information\_restore{D2099151-01A2-45D2-890A-B05B11A86662}\RP37;Trojan.DownLoader.10744;Deleted.; A0019005.dll;C:\System Volume Information\_restore{D2099151-01A2-45D2-890A-B05B11A86662}\RP37;Trojan.DownLoader.10744;Deleted.; 
A0019006.dll;C:\System Volume Information\_restore{D2099151-01A2-45D2-890A-B05B11A86662}\RP37;Trojan.DownLoader.10744;Deleted.; A0019007.dll;C:\System Volume Information\_restore{D2099151-01A2-45D2-890A-B05B11A86662}\RP37;Trojan.DownLoader.10744;Deleted.; A0019008.dll;C:\System Volume Information\_restore{D2099151-01A2-45D2-890A-B05B11A86662}\RP37;Trojan.DownLoader.10744;Deleted.; A0019009.dll;C:\System Volume Information\_restore{D2099151-01A2-45D2-890A-B05B11A86662}\RP37;Trojan.DownLoader.10744;Deleted.; A0019010.dll;C:\System Volume Information\_restore{D2099151-01A2-45D2-890A-B05B11A86662}\RP37;Trojan.DownLoader.10744;Deleted.; A0019011.dll;C:\System Volume Information\_restore{D2099151-01A2-45D2-890A-B05B11A86662}\RP37;Trojan.DownLoader.10744;Deleted.; A0019012.dll;C:\System Volume Information\_restore{D2099151-01A2-45D2-890A-B05B11A86662}\RP37;Trojan.DownLoader.10744;Deleted.; A0019013.dll;C:\System Volume Information\_restore{D2099151-01A2-45D2-890A-B05B11A86662}\RP37;Trojan.DownLoader.10744;Deleted.; A0019014.dll;C:\System Volume Information\_restore{D2099151-01A2-45D2-890A-B05B11A86662}\RP37;Trojan.DownLoader.10744;Deleted.; A0019015.dll;C:\System Volume Information\_restore{D2099151-01A2-45D2-890A-B05B11A86662}\RP37;Trojan.DownLoader.10744;Deleted.; A0019016.dll;C:\System Volume Information\_restore{D2099151-01A2-45D2-890A-B05B11A86662}\RP37;Trojan.DownLoader.10744;Deleted.; A0019017.dll;C:\System Volume Information\_restore{D2099151-01A2-45D2-890A-B05B11A86662}\RP37;Trojan.DownLoader.10744;Deleted.; A0019018.dll;C:\System Volume Information\_restore{D2099151-01A2-45D2-890A-B05B11A86662}\RP37;Trojan.DownLoader.10744;Deleted.; A0019019.dll;C:\System Volume Information\_restore{D2099151-01A2-45D2-890A-B05B11A86662}\RP37;Trojan.DownLoader.10744;Deleted.; A0019020.dll;C:\System Volume Information\_restore{D2099151-01A2-45D2-890A-B05B11A86662}\RP37;Trojan.DownLoader.10744;Deleted.; A0019021.dll;C:\System Volume 
Information\_restore{D2099151-01A2-45D2-890A-B05B11A86662}\RP37;Trojan.DownLoader.10744;Deleted.; A0019022.dll;C:\System Volume Information\_restore{D2099151-01A2-45D2-890A-B05B11A86662}\RP37;Trojan.DownLoader.10744;Deleted.; A0019023.dll;C:\System Volume Information\_restore{D2099151-01A2-45D2-890A-B05B11A86662}\RP37;Trojan.DownLoader.10744;Deleted.; A0019024.dll;C:\System Volume Information\_restore{D2099151-01A2-45D2-890A-B05B11A86662}\RP37;Trojan.DownLoader.10744;Deleted.; A0019025.dll;C:\System Volume Information\_restore{D2099151-01A2-45D2-890A-B05B11A86662}\RP37;Trojan.DownLoader.10744;Deleted.; A0019026.dll;C:\System Volume Information\_restore{D2099151-01A2-45D2-890A-B05B11A86662}\RP37;Trojan.DownLoader.10744;Deleted.; A0019027.dll;C:\System Volume Information\_restore{D2099151-01A2-45D2-890A-B05B11A86662}\RP37;Trojan.DownLoader.10744;Deleted.; A0019028.dll;C:\System Volume Information\_restore{D2099151-01A2-45D2-890A-B05B11A86662}\RP37;Trojan.DownLoader.10744;Deleted.; A0019029.dll;C:\System Volume Information\_restore{D2099151-01A2-45D2-890A-B05B11A86662}\RP37;Trojan.DownLoader.10744;Deleted.; A0019030.dll;C:\System Volume Information\_restore{D2099151-01A2-45D2-890A-B05B11A86662}\RP37;Trojan.DownLoader.10744;Deleted.; A0019031.dll;C:\System Volume Information\_restore{D2099151-01A2-45D2-890A-B05B11A86662}\RP37;Trojan.DownLoader.10744;Deleted.; A0019032.dll;C:\System Volume Information\_restore{D2099151-01A2-45D2-890A-B05B11A86662}\RP37;Trojan.DownLoader.10744;Deleted.; A0019033.dll;C:\System Volume Information\_restore{D2099151-01A2-45D2-890A-B05B11A86662}\RP37;Trojan.DownLoader.10744;Deleted.; A0019034.dll;C:\System Volume Information\_restore{D2099151-01A2-45D2-890A-B05B11A86662}\RP37;Trojan.DownLoader.10744;Deleted.; A0019035.dll;C:\System Volume Information\_restore{D2099151-01A2-45D2-890A-B05B11A86662}\RP37;Trojan.DownLoader.10744;Deleted.; A0019036.dll;C:\System Volume 
Information\_restore{D2099151-01A2-45D2-890A-B05B11A86662}\RP37;Trojan.DownLoader.10744;Deleted.; A0019037.dll;C:\System Volume Information\_restore{D2099151-01A2-45D2-890A-B05B11A86662}\RP37;Trojan.DownLoader.10744;Deleted.; A0019038.dll;C:\System Volume Information\_restore{D2099151-01A2-45D2-890A-B05B11A86662}\RP37;Trojan.DownLoader.10744;Deleted.; A0019039.dll;C:\System Volume Information\_restore{D2099151-01A2-45D2-890A-B05B11A86662}\RP37;Trojan.DownLoader.10744;Deleted.; A0019040.dll;C:\System Volume Information\_restore{D2099151-01A2-45D2-890A-B05B11A86662}\RP37;Trojan.DownLoader.10744;Deleted.; A0019041.dll;C:\System Volume Information\_restore{D2099151-01A2-45D2-890A-B05B11A86662}\RP37;Trojan.DownLoader.10744;Deleted.; A0019042.dll;C:\System Volume Information\_restore{D2099151-01A2-45D2-890A-B05B11A86662}\RP37;Trojan.DownLoader.10744;Deleted.; A0019043.dll;C:\System Volume Information\_restore{D2099151-01A2-45D2-890A-B05B11A86662}\RP37;Trojan.DownLoader.10744;Deleted.; A0019044.dll;C:\System Volume Information\_restore{D2099151-01A2-45D2-890A-B05B11A86662}\RP37;Trojan.DownLoader.10744;Deleted.; A0019045.dll;C:\System Volume Information\_restore{D2099151-01A2-45D2-890A-B05B11A86662}\RP37;Trojan.DownLoader.10744;Deleted.; A0019046.dll;C:\System Volume Information\_restore{D2099151-01A2-45D2-890A-B05B11A86662}\RP37;Trojan.DownLoader.10744;Deleted.; A0019047.dll;C:\System Volume Information\_restore{D2099151-01A2-45D2-890A-B05B11A86662}\RP37;Trojan.DownLoader.10744;Deleted.; A0019048.dll;C:\System Volume Information\_restore{D2099151-01A2-45D2-890A-B05B11A86662}\RP37;Trojan.DownLoader.10744;Deleted.; A0019049.dll;C:\System Volume Information\_restore{D2099151-01A2-45D2-890A-B05B11A86662}\RP37;Trojan.DownLoader.10744;Deleted.; A0019050.dll;C:\System Volume Information\_restore{D2099151-01A2-45D2-890A-B05B11A86662}\RP37;Trojan.DownLoader.10744;Deleted.; A0019051.dll;C:\System Volume 
Information\_restore{D2099151-01A2-45D2-890A-B05B11A86662}\RP37;Trojan.DownLoader.10744;Deleted.; A0019052.dll;C:\System Volume Information\_restore{D2099151-01A2-45D2-890A-B05B11A86662}\RP37;Trojan.DownLoader.10744;Deleted.; A0019053.dll;C:\System Volume Information\_restore{D2099151-01A2-45D2-890A-B05B11A86662}\RP37;Trojan.DownLoader.10744;Deleted.; A0019054.dll;C:\System Volume Information\_restore{D2099151-01A2-45D2-890A-B05B11A86662}\RP37;Trojan.DownLoader.10744;Deleted.; A0019055.dll;C:\System Volume Information\_restore{D2099151-01A2-45D2-890A-B05B11A86662}\RP37;Trojan.DownLoader.10744;Deleted.; A0019056.dll;C:\System Volume Information\_restore{D2099151-01A2-45D2-890A-B05B11A86662}\RP37;Trojan.DownLoader.10744;Deleted.; A0019057.dll;C:\System Volume Information\_restore{D2099151-01A2-45D2-890A-B05B11A86662}\RP37;Trojan.DownLoader.10744;Deleted.; A0019058.dll;C:\System Volume Information\_restore{D2099151-01A2-45D2-890A-B05B11A86662}\RP37;Trojan.DownLoader.10744;Deleted.; A0019059.dll;C:\System Volume Information\_restore{D2099151-01A2-45D2-890A-B05B11A86662}\RP37;Trojan.DownLoader.10744;Deleted.; A0019991.dll;C:\System Volume Information\_restore{D2099151-01A2-45D2-890A-B05B11A86662}\RP37;Trojan.Mezzia;Deleted.; ssqpn.dll;C:\WINDOWS\system32;Trojan.Virtumod;Will be cured after reboot.;
Ok, looks quite good now. Your HijackThis log looks clean; you could run a new scan with Ewido so we can see if you're still infected with Delf... Please post a fresh HijackThis log and the latest Ewido report when you're ready.
--------------------------------------------------------- ewido anti-spyware - Scan Report --------------------------------------------------------- + Created at: 12:31:38 2006-07-09 + Scan result: C:\Documents and Settings\Johan\DoctorWeb\Quarantine\A0011857.dll -> Adware.MaidBar : Cleaned with backup (quarantined). C:\Documents and Settings\Johan\DoctorWeb\Quarantine\A0004609.exe -> Adware.MediaTicket : Cleaned with backup (quarantined). C:\Documents and Settings\Johan\DoctorWeb\Quarantine\A0006665.exe -> Adware.MediaTicket : Cleaned with backup (quarantined). C:\Documents and Settings\Johan\DoctorWeb\Quarantine\A0011855.exe -> Adware.SaveNow : Cleaned with backup (quarantined). C:\Documents and Settings\Johan\Cookies\johan@2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined). C:\Documents and Settings\Johan\Cookies\johan@partygaming.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined). C:\Documents and Settings\Johan\Cookies\johan@adtech[2].txt -> TrackingCookie.Adtech : Cleaned with backup (quarantined). C:\Documents and Settings\Johan\Cookies\johan@advertising[2].txt -> TrackingCookie.Advertising : Cleaned with backup (quarantined). C:\Documents and Settings\Johan\Cookies\johan@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup (quarantined). C:\Documents and Settings\Johan\Cookies\johan@bfast[2].txt -> TrackingCookie.Bfast : Cleaned with backup (quarantined). C:\Documents and Settings\Johan\Cookies\johan@bluestreak[1].txt -> TrackingCookie.Bluestreak : Cleaned with backup (quarantined). C:\Documents and Settings\Johan\Cookies\johan@www.burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned with backup (quarantined). C:\Documents and Settings\Johan\Cookies\johan@casalemedia[2].txt -> TrackingCookie.Casalemedia : Cleaned with backup (quarantined). C:\Documents and Settings\Johan\Cookies\johan@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup (quarantined). 
C:\Documents and Settings\Johan\Cookies\johan@as1.falkag[1].txt -> TrackingCookie.Falkag : Cleaned with backup (quarantined). C:\Documents and Settings\Johan\Cookies\johan@fastclick[1].txt -> TrackingCookie.Fastclick : Cleaned with backup (quarantined). C:\Documents and Settings\Johan\Cookies\johan@media.fastclick[1].txt -> TrackingCookie.Fastclick : Cleaned with backup (quarantined). C:\Documents and Settings\Johan\Cookies\johan@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned with backup (quarantined). C:\Documents and Settings\Johan\Cookies\johan@questionmarket[1].txt -> TrackingCookie.Questionmarket : Cleaned with backup (quarantined). C:\Documents and Settings\Johan\Cookies\johan@stats1.reliablestats[1].txt -> TrackingCookie.Reliablestats : Cleaned with backup (quarantined). C:\Documents and Settings\Johan\Cookies\johan@statcounter[2].txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined). C:\Documents and Settings\Johan\Cookies\johan@tradedoubler[2].txt -> TrackingCookie.Tradedoubler : Cleaned with backup (quarantined). C:\Documents and Settings\Johan\Cookies\johan@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned with backup (quarantined). C:\Documents and Settings\Johan\Cookies\johan@statse.webtrendslive[1].txt -> TrackingCookie.Webtrendslive : Cleaned with backup (quarantined). C:\Documents and Settings\Johan\Cookies\johan@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined). 
::Report end Logfile of HijackThis v1.99.1 Scan saved at 12:32:21, on 2006-07-09 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program\Alwil Software\Avast4\aswUpdSv.exe C:\Program\Alwil Software\Avast4\ashServ.exe C:\Program\ewido anti-spyware 4.0\guard.exe C:\Program\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe C:\Program\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe C:\Program\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe C:\WINDOWS\system32\nvsvc32.exe C:\Program\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe C:\Program\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe C:\Program\Alwil Software\Avast4\ashMaiSv.exe C:\Program\Alwil Software\Avast4\ashWebSv.exe C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\SOUNDMAN.EXE C:\Program\Java\jre1.5.0_06\bin\jusched.exe C:\Program\DAEMON Tools\daemon.exe C:\Program\ALWILS~1\Avast4\ashDisp.exe C:\Program\QuickTime\qttask.exe C:\WINDOWS\system32\ctfmon.exe C:\Program\MSN Messenger\MsnMsgr.Exe C:\Program\Messenger\msmsgs.exe C:\Program\ewido anti-spyware 4.0\ewido.exe C:\Program\Internet Explorer\iexplore.exe C:\Program\VideoLAN\VLC\vlc.exe C:\WINDOWS\explorer.exe C:\Documents and Settings\Johan\Mina dokument\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aftonbladet.se R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aftonbladet.se R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [nTrayFw] C:\Program\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe O4 - HKLM\..\Run: [NvCplDaemon] 
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program\Java\jre1.5.0_06\bin\jusched.exe O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program\DAEMON Tools\daemon.exe" -lang 1033 O4 - HKLM\..\Run: [avast!] C:\Program\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [!ewido] "C:\Program\ewido anti-spyware 4.0\ewido.exe" /minimized O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [MsnMsgr] "C:\Program\MSN Messenger\MsnMsgr.Exe" /background O4 - HKCU\..\Run: [MSMSGS] "C:\Program\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [Skype] "C:\Program\Skype\Phone\Skype.exe" /nosplash /minimized O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program\Adobe\Acrobat 7.0\Reader\reader_sl.exe O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll O16 - DPF: 
{2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\Program\MSNMES~1\msgrapp.dll" (file missing) O23 - Service: Adobe LM Service - Unknown owner - C:\Program\Delade filer\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: avast! Antivirus - Unknown owner - C:\Program\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing) O23 - Service: avast! Web Scanner - Unknown owner - C:\Program\Alwil Software\Avast4\ashWebSv.exe" /service (file missing) O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program\ewido anti-spyware 4.0\guard.exe O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Unknown owner - C:\Program\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe" -k runservice (file missing) O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA - C:\Program\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
Ok good, you're clean now =)

You should update your Java (old version has all kinds of vulnerabilities)

1. Click "Start" -> "Control panel" -> Double-click Java icon (coffee cup)
2. Move to "Update" tab and update Java by clicking "Update Now". After that do a restart.
3. If you can't make automatic update, get new version manually from here -> http://www.java.com/en/download/manual.jsp
4. After updating, uninstall the old Java (if found) from Add/Remove Programs, named as J2SE Runtime Environment 5.0 Update 6

Now that you're clean, here are some tips on how to stay clean.

-> Stand Up and Be Counted, Malware Complaints -> http://www.malwarecomplaints.info
The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

-> Clear your system restore -> http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx
This will clear the system restore folders from possible malware that was left behind during the cleaning process. Remember to create a new restore point after the cleaning.

-> Use CCleaner -> http://www.ccleaner.com
Download and install CCleaner. Clean your registry and temporary files with it regularly.

-> Use Ad-Aware -> http://www.bleepingcomputer.com/forums/?showtutorial=48
Download and install Ad-Aware. Update it and scan your computer regularly with it.

-> Use Ewido -> http://www.ewido.net/en
Download and install Ewido. Update it and scan your computer regularly with it.

-> Install SpywareBlaster -> http://www.javacoolsoftware.com/spywareblaster.html
SpywareBlaster will prevent spyware from being installed to your computer.

-> Install MVPS Hosts file -> http://mvps.org/winhelp2002/hosts.htm
This prevents your computer from connecting to harmful sites.

-> Change your browser to Firefox -> http://www.mozilla.org
Firefox is a faster, safer and quicker browser than Internet Explorer.

-> Keep your system up-to-date -> http://windowsupdate.microsoft.com
Visit Windows Update regularly.

-> Keep your antivirus and firewall up-to-date
Scan your computer regularly with your antivirus.

-> Read this article by TonyKlein -> http://castlecops.com/postlite7736-.html
So how did I get infected in the first place?

Stay clean