Problem deleting trojan-downloader.conhook, generic and PWS

Discussion in 'Windows - Virus and spyware problems' started by Draken12, Dec 4, 2007.

  1. Draken12

    Draken12 Member

    Joined:
    Sep 5, 2006
    Messages:
    9
    Likes Received:
    0
    Trophy Points:
    11
    Hi!

    Spyware Doctor, Spybot… detect and delete this annoying virus, Trojan-downloader.conhook, but it keeps showing up. Could someone please be kind enough to help me?

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 22:56, on 2007-12-04
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program\Intel\Wireless\Bin\EvtEng.exe
    C:\Program\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program\Intel\Wireless\Bin\WLKeeper.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\Program\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program\CA\SharedComponents\CAM\bin\cam.exe
    C:\Program\Telia\CiscoVpnClient\cvpnd.exe
    C:\WINDOWS\SYSTEM32\DWRCS.EXE
    C:\Program\CA\SharedComponents\iTechnology\igateway.exe
    C:\Program\CA\eTrustITM\InoRpc.exe
    C:\Program\CA\eTrustITM\InoRT.exe
    C:\Program\CA\eTrustITM\InoTask.exe
    C:\Program\Delade filer\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program\CA\eTrustITM\eaps.exe
    C:\Program\Intel\Wireless\Bin\RegSrvc.exe
    C:\WINDOWS\System32\SCardSvr.exe
    C:\Program\Spyware Doctor\svcntaux.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program\Spyware Doctor\swdsvc.exe
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\System32\wdfmgr.exe
    C:\Program\Spyware Doctor\SDTrayApp.exe
    C:\Program\CA\Unicenter DSM\Bin\caf.exe
    C:\WINDOWS\SYSTEM32\DWRCST.exe
    C:\Program\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program\CA\Unicenter DSM\Bin\cfsmsmd.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\System32\igfxsrvc.exe
    C:\WINDOWS\System32\igfxpers.exe
    C:\Program\CyberLink\PowerDVD\DVDLauncher.exe
    C:\Program\CA\Unicenter DSM\Bin\sxplog32.exe
    C:\WINDOWS\System32\WLTRAY.exe
    C:\Program\Intel\Wireless\bin\ZCfgSvc.exe
    C:\Program\CA\Unicenter DSM\Bin\ccnfagent.exe
    C:\Program\Intel\Wireless\Bin\ifrmewrk.exe
    C:\Program\QuickTime\qttask.exe
    C:\Program\CA\Unicenter DSM\Bin\cfnotsrvd.exe
    C:\Program\CA\Unicenter DSM\Bin\ccsmagtd.exe
    C:\Program\Telia\Telia Connect\AutoUpdateSrv.exe
    C:\PROGRAM\CA\UNICENTER DSM\BIN\amswmagt.exe
    C:\Program\CA\Unicenter DSM\PMAgent\capmuamagt.exe
    C:\Program\CA\Unicenter DSM\Bin\cfftplugin.exe
    C:\Program\Intel\Wireless\Bin\Dot1XCfg.exe
    C:\HJT\HiJackThis.exe
    C:\WINDOWS\System32\wbem\wmiprvse.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://web.ltdalarna.se/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://web.ltdalarna.se
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://pac.ltdalarna.se/ie.pac
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: {b1776866-3025-3b68-1364-e27637d08c24} - {42c80d73-672e-4631-86b3-52036686771b} - C:\WINDOWS\System32\voasjvkg.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\SPYBOT~1\SDHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program\google\googletoolbar4.dll
    O2 - BHO: (no name) - {B6994DF8-50BB-4D97-9E05-9A66AA8752FB} - \
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program\google\googletoolbar4.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [Printers] C:\WINDOWS\LTDPRINT\netprinters.vbs
    O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
    O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program\CA\eTrustITM\realmon.exe" -s
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\System32\igfxpers.exe
    O4 - HKLM\..\Run: [DsmSxplog] "C:\Program\CA\Unicenter DSM\Bin\sxpstub.exe"
    O4 - HKLM\..\Run: [CAF_SystemTray] "C:\Program\CA\Unicenter DSM\Bin\cfSysTray.exe"
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\System32\WLTRAY
    O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\System32\WLTRAY.exe
    O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program\Intel\Wireless\bin\ZCfgSvc.exe"
    O4 - HKLM\..\Run: [IntelWireless] "C:\Program\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [SDTray] "C:\Program\Spyware Doctor\SDTrayApp.exe"
    O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program\Telia\CiscoVpnClient\vpngui.exe
    O4 - Global Startup: Uppdateringsagent.lnk = ?
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Referensinformation - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program\SPYBOT~1\SDHelper.dll
    O14 - IERESET.INF: START_PAGE_URL=http://web.ltdalarna.se
    O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {A903E5AB-C67E-40FB-94F1-E1305982F6E0} (KooPlayer Control) - http://www.euchannels.net/UKooPlayer.ocx
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ltdalarna.se
    O17 - HKLM\Software\..\Telephony: DomainName = ltdalarna.se
    O17 - HKLM\System\CCS\Services\Tcpip\..\{EB480CB4-FA4E-4B44-B40E-1A90D0AA4562}: Domain = ltdalarna.se
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ltdalarna.se
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ltdalarna.se
    O20 - Winlogon Notify: CAF - C:\Program\CA\Unicenter DSM\Bin\cfwlogon.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: CA Message Queuing Server (CA-MessageQueuing) - CA, Inc. - C:\Program\CA\SharedComponents\CAM\bin\cam.exe
    O23 - Service: CA Unicenter DSM r11 Common Application Framework. (caf) - Computer Associates International, Inc. - C:\Program\CA\Unicenter DSM\Bin\caf.exe
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program\Telia\CiscoVpnClient\cvpnd.exe
    O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINDOWS\SYSTEM32\DWRCS.EXE
    O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: iTechnology iGateway 4.0 (iGateway) - Computer Associates International, Inc. - C:\Program\CA\SharedComponents\iTechnology\igateway.exe
    O23 - Service: eTrust ITM RPC Service (InoRPC) - Computer Associates International, Inc. - C:\Program\CA\eTrustITM\InoRpc.exe
    O23 - Service: eTrust ITM Realtime Service (InoRT) - Computer Associates International, Inc. - C:\Program\CA\eTrustITM\InoRT.exe
    O23 - Service: eTrust ITM Job Service (InoTask) - Computer Associates International, Inc. - C:\Program\CA\eTrustITM\InoTask.exe
    O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program\Spyware Doctor\svcntaux.exe
    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program\Spyware Doctor\swdsvc.exe
    O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program\Intel\Wireless\Bin\WLKeeper.exe
    O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
    O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/widjoh/LOKALA~1/Temp/msoclip1/01/clip_image002.gif
    O24 - Desktop Component 1: (no name) - file:///C:/DOCUME~1/widjoh/LOKALA~1/Temp/msohtml1/01/clip_image002.gif

    --
    End of file - 9388 bytes
     
  2. echoreply

    echoreply Regular member

    Joined:
    Nov 9, 2007
    Messages:
    472
    Likes Received:
    0
    Trophy Points:
    26
    hi,

    too many antimalware apps. I see:
    Spybot, Ad-Aware, Spyware Doctor, AVG Anti-Spyware.

    these provide the same service and having 4 doesn't increase your security. two have real-time protection, AVG Guard and Spybot's TeaTimer; both have similar functions and will chew up system resources. one anti-virus and two anti-malware apps on a computer is plenty.
    ---------------------------------
    so that the real-time protection doesn't interfere with HJT, please disable Spybot's TeaTimer and AVG Guard and any others that might be running; if you see the icon in the tray then they are active. after disabling, do this:

    trendmicro:

    start HJT, click the "Scan" button. check the items below, close any open windows, then click "Fix checked"

    O2 - BHO: {b1776866-3025-3b68-1364-e27637d08c24} - {42c80d73-672e-4631-86b3-52036686771b} - C:\WINDOWS\System32\voasjvkg.dll
    -----------------
    reboot computer after using hjt, rename the hjt icon to scanme.exe or something else then rescan and post a new hjt log.

    echoreply
     
  3. Draken12

    Draken12 Member

    Hi again
    Thank you for the quick answer.

    New hjt log:


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 09:22, on 2007-12-05
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program\Intel\Wireless\Bin\EvtEng.exe
    C:\Program\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program\Intel\Wireless\Bin\WLKeeper.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\Program\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program\CA\SharedComponents\CAM\bin\cam.exe
    C:\Program\Telia\CiscoVpnClient\cvpnd.exe
    C:\WINDOWS\SYSTEM32\DWRCS.EXE
    C:\Program\CA\SharedComponents\iTechnology\igateway.exe
    C:\Program\CA\eTrustITM\InoRpc.exe
    C:\Program\CA\eTrustITM\InoRT.exe
    C:\Program\CA\eTrustITM\InoTask.exe
    C:\Program\Delade filer\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program\Intel\Wireless\Bin\RegSrvc.exe
    C:\WINDOWS\System32\snmp.exe
    C:\Program\CA\eTrustITM\eaps.exe
    C:\Program\CA\Unicenter DSM\Bin\caf.exe
    C:\Program\CA\Unicenter DSM\Bin\cfsmsmd.exe
    C:\Program\CA\Unicenter DSM\Bin\ccnfagent.exe
    C:\Program\CA\Unicenter DSM\Bin\cfnotsrvd.exe
    C:\Program\CA\Unicenter DSM\Bin\ccsmagtd.exe
    C:\PROGRAM\CA\UNICENTER DSM\BIN\amswmagt.exe
    C:\Program\CA\Unicenter DSM\PMAgent\capmuamagt.exe
    C:\Program\CA\Unicenter DSM\Bin\cfftplugin.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\SYSTEM32\DWRCST.exe
    C:\Program\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program\CA\eTrustITM\realmon.exe
    C:\WINDOWS\System32\igfxsrvc.exe
    C:\WINDOWS\system32\userinit.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\System32\igfxpers.exe
    C:\Program\CyberLink\PowerDVD\DVDLauncher.exe
    C:\Program\CA\Unicenter DSM\Bin\sxplog32.exe
    C:\WINDOWS\System32\WLTRAY.exe
    C:\Program\Intel\Wireless\bin\ZCfgSvc.exe
    C:\Program\Intel\Wireless\Bin\ifrmewrk.exe
    C:\Program\QuickTime\qttask.exe
    C:\Program\Intel\Wireless\Bin\Dot1XCfg.exe
    C:\Program\Telia\Telia Connect\AutoUpdateSrv.exe
    C:\HJT\Scanme.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://web.ltdalarna.se/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://web.ltdalarna.se
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://pac.ltdalarna.se/ie.pac
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program\google\googletoolbar4.dll
    O2 - BHO: (no name) - {B6994DF8-50BB-4D97-9E05-9A66AA8752FB} - \
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program\google\googletoolbar4.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [Printers] C:\WINDOWS\LTDPRINT\netprinters.vbs
    O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
    O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program\CA\eTrustITM\realmon.exe" -s
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\System32\igfxpers.exe
    O4 - HKLM\..\Run: [DsmSxplog] "C:\Program\CA\Unicenter DSM\Bin\sxpstub.exe"
    O4 - HKLM\..\Run: [CAF_SystemTray] "C:\Program\CA\Unicenter DSM\Bin\cfSysTray.exe"
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\System32\WLTRAY
    O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\System32\WLTRAY.exe
    O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program\Intel\Wireless\bin\ZCfgSvc.exe"
    O4 - HKLM\..\Run: [IntelWireless] "C:\Program\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
    O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program\Telia\CiscoVpnClient\vpngui.exe
    O4 - Global Startup: Uppdateringsagent.lnk = ?
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Referensinformation - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program\MICROS~2\OFFICE11\REFIEBAR.DLL
    O14 - IERESET.INF: START_PAGE_URL=http://web.ltdalarna.se
    O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {A903E5AB-C67E-40FB-94F1-E1305982F6E0} (KooPlayer Control) - http://www.euchannels.net/UKooPlayer.ocx
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ltdalarna.se
    O17 - HKLM\Software\..\Telephony: DomainName = ltdalarna.se
    O17 - HKLM\System\CCS\Services\Tcpip\..\{EB480CB4-FA4E-4B44-B40E-1A90D0AA4562}: Domain = ltdalarna.se
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ltdalarna.se
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ltdalarna.se
    O20 - Winlogon Notify: CAF - C:\Program\CA\Unicenter DSM\Bin\cfwlogon.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: CA Message Queuing Server (CA-MessageQueuing) - CA, Inc. - C:\Program\CA\SharedComponents\CAM\bin\cam.exe
    O23 - Service: CA Unicenter DSM r11 Common Application Framework. (caf) - Computer Associates International, Inc. - C:\Program\CA\Unicenter DSM\Bin\caf.exe
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program\Telia\CiscoVpnClient\cvpnd.exe
    O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINDOWS\SYSTEM32\DWRCS.EXE
    O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: iTechnology iGateway 4.0 (iGateway) - Computer Associates International, Inc. - C:\Program\CA\SharedComponents\iTechnology\igateway.exe
    O23 - Service: eTrust ITM RPC Service (InoRPC) - Computer Associates International, Inc. - C:\Program\CA\eTrustITM\InoRpc.exe
    O23 - Service: eTrust ITM Realtime Service (InoRT) - Computer Associates International, Inc. - C:\Program\CA\eTrustITM\InoRT.exe
    O23 - Service: eTrust ITM Job Service (InoTask) - Computer Associates International, Inc. - C:\Program\CA\eTrustITM\InoTask.exe
    O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program\Spyware Doctor\svcntaux.exe
    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program\Spyware Doctor\swdsvc.exe
    O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program\Intel\Wireless\Bin\WLKeeper.exe
    O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
    O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/widjoh/LOKALA~1/Temp/msoclip1/01/clip_image002.gif
    O24 - Desktop Component 1: (no name) - file:///C:/DOCUME~1/widjoh/LOKALA~1/Temp/msohtml1/01/clip_image002.gif

    --
    End of file - 8284 bytes
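
The before/after comparison this post invites can be done mechanically. The sketch below is an added example, not part of the original thread: it parses the item lines of two HijackThis logs and reports what disappeared or appeared between scans. The function names are made up here, and the two samples are excerpts of the logs posted above.

```python
import re

# HijackThis item lines look like "O2 - BHO: name - {CLSID} - path".
# The process list and header lines do not match and are skipped.
ITEM_RE = re.compile(r"^\s*([A-Z]\d{1,2})\s+-\s+(.*\S)\s*$")

# Excerpt of the first log in this thread (2007-12-04).
BEFORE = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: {b1776866-3025-3b68-1364-e27637d08c24} - {42c80d73-672e-4631-86b3-52036686771b} - C:\WINDOWS\System32\voasjvkg.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program\google\googletoolbar4.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SDTray] "C:\Program\Spyware Doctor\SDTrayApp.exe"
"""

# Excerpt of the second log in this thread (2007-12-05), same sections.
AFTER = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program\google\googletoolbar4.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
"""


def parse_items(log_text):
    """Return the set of (section, body) pairs for every item line."""
    items = set()
    for line in log_text.splitlines():
        m = ITEM_RE.match(line)
        if m:
            items.add((m.group(1), m.group(2)))
    return items


def _sort_key(item):
    section, body = item
    # Sort O2 before O23: letter first, then the numeric part.
    return (section[0], int(section[1:]), body)


def diff_logs(before, after):
    """Items present only in the first log ('removed') or only in the second ('added')."""
    b, a = parse_items(before), parse_items(after)
    return {
        "removed": sorted(b - a, key=_sort_key),
        "added": sorted(a - b, key=_sort_key),
    }


def entry_present(log_text, needle):
    """Case-insensitive check for a file name or CLSID in any item line."""
    needle = needle.lower()
    return any(needle in body.lower() for _, body in parse_items(log_text))


if __name__ == "__main__":
    # The entry that was ticked for fixing should be gone after the reboot.
    print("voasjvkg.dll still listed:", entry_present(AFTER, "voasjvkg.dll"))
    changes = diff_logs(BEFORE, AFTER)
    for kind in ("removed", "added"):
        for section, body in changes[kind]:
            print(f"{kind:8} {section:4} {body}")
```
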
     
  4. Draken12

    Draken12 Member

    Hi
    Hopefully this Spyware Doctor history log can help you as a complement to the HJT log posted above!
    /Draken

    PC Tools Spyware Doctor
    Date Status

    2007-12-04 23:17:28:234 Sökning slutförd
    Sökningstyp - Intelli-Scan
    Behandlade poster - 170186
    Hot upptäckta - 1
    Infektioner upptäckta - 2
    Ignorerade infektioner - 0

    2007-12-04 23:17:55:531 OnGuard upptäckt rensad
    Hotnamn - Trojan.Virtumonde
    Typ - Cookie
    Risknivå - Förhöjd
    Infektion - svxela.com/ svxela.com

    2007-12-04 23:18:06:890 Infektion i karantän
    Hotnamn - Trojan-Downloader.ConHook
    Typ - Registry Key
    Risknivå - Hög
    Infektion - HKEY_USERS\S-1-5-21-910452376-877226765-825688854-34913\Software\Microsoft\MS Juan

    2007-12-04 23:18:06:906 Infektion i karantän
    Hotnamn - Trojan-Downloader.ConHook
    Typ - Registry Value
    Risknivå - Hög
    Infektion - HKEY_USERS\S-1-5-21-910452376-877226765-825688854-34913\Software\Microsoft\MS Juan, (Default)

    2007-12-04 23:18:06:953 Infektion rensad
    Hotnamn - Trojan-Downloader.ConHook
    Typ - Registry Key
    Risknivå - Hög
    Infektion - HKEY_USERS\S-1-5-21-910452376-877226765-825688854-34913\Software\Microsoft\MS Juan

    2007-12-04 23:18:06:953 Infektion rensad
    Hotnamn - Trojan-Downloader.ConHook
    Typ - Registry Value
    Risknivå - Hög
    Infektion - HKEY_USERS\S-1-5-21-910452376-877226765-825688854-34913\Software\Microsoft\MS Juan, (Default)

    2007-12-04 23:18:09:78 Summering av infektioner i karantän/borttagna
    Karantän - 2
    Karantän misslyckades - 0
    Borttagna - 2
    Borttagningen misslyckades - 0

    2007-12-04 23:25:10:750 OnGuard upptäckt rensad
    Hotnamn - Trojan.Virtumonde
    Typ - Cookie
    Risknivå - Förhöjd
    Infektion - svxela.com/ svxela.com

    2007-12-04 23:25:30:640 OnGuard upptäckt rensad
    Hotnamn - Trojan.Virtumonde
    Typ - Cookie
    Risknivå - Förhöjd
    Infektion - svxela.com/ svxela.com

    2007-12-04 23:35:46:546 OnGuard upptäckt rensad
    Hotnamn - Trojan.Virtumonde
    Typ - Cookie
    Risknivå - Förhöjd
    Infektion - svxela.com/ svxela.com

    2007-12-04 23:36:41:343 OnGuard upptäckt rensad
    Hotnamn - Application.TrackingCookies
    Typ - Cookie
    Risknivå - Låg
    Infektion - doubleclick.net/ doubleclick.net

    2007-12-04 23:39:54:140 OnGuard upptäckt rensad
    Hotnamn - Application.TrackingCookies
    Typ - Cookie
    Risknivå - Låg
    Infektion - doubleclick.net/ doubleclick.net

    2007-12-04 23:43:52:437 OnGuard upptäckt rensad
    Hotnamn - Trojan.Virtumonde
    Typ - Cookie
    Risknivå - Förhöjd
    Infektion - svxela.com/ svxela.com

    2007-12-04 23:46:12:62 OnGuard upptäckt rensad
    Hotnamn - Adware.Advertising
    Typ - Cookie
    Risknivå - Låg
    Infektion - statcounter.com/ statcounter.com

    2007-12-04 23:46:12:62 OnGuard upptäckt rensad
    Hotnamn - Adware.Advertising
    Typ - Cookie
    Risknivå - Låg
    Infektion - www.burstnet.com/ www.burstnet.com

    2007-12-04 23:47:12:218 OnGuard upptäckt rensad
    Hotnamn - Adware.Advertising
    Typ - Cookie
    Risknivå - Låg
    Infektion - statcounter.com/ statcounter.com

    2007-12-04 23:47:12:218 OnGuard upptäckt rensad
    Hotnamn - Adware.Advertising
    Typ - Cookie
    Risknivå - Låg
    Infektion - www.burstnet.com/ www.burstnet.com

    2007-12-04 23:54:18:265 OnGuard upptäckt rensad
    Hotnamn - Trojan.Virtumonde
    Typ - Cookie
    Risknivå - Förhöjd
    Infektion - svxela.com/ svxela.com

    2007-12-04 23:56:53:656 OnGuard upptäckt rensad
    Hotnamn - Application.TrackingCookies
    Typ - Cookie
    Risknivå - Låg
    Infektion - indextools.com/ indextools.com

    2007-12-04 23:57:26:890 Sökning påbörjad
    Sökningstyp - Intelli-Scan

    2007-12-04 23:57:42:375 Infektion upptäcktes på denna dator
    Hotnamn - Trojan-Downloader.ConHook
    Typ - Registry Value
    Risknivå - Hög
    Infektion - HKEY_USERS\S-1-5-21-910452376-877226765-825688854-34913\Software\Microsoft\MS Juan, (Default)

    2007-12-04 23:57:42:375 Infektion upptäcktes på denna dator
    Hotnamn - Trojan-Downloader.ConHook
    Typ - Registry Key
    Risknivå - Hög
    Infektion - HKEY_USERS\S-1-5-21-910452376-877226765-825688854-34913\Software\Microsoft\MS Juan

    2007-12-04 23:59:07:390 Sökning slutförd
    Sökningstyp - Intelli-Scan
    Behandlade poster - 170014
    Hot upptäckta - 1
    Infektioner upptäckta - 2
    Ignorerade infektioner - 0

    2007-12-05 00:03:12:343 Sökning påbörjad
    Sökningstyp - Intelli-Scan

    2007-12-05 00:03:29:156 Infektion upptäcktes på denna dator
    Hotnamn - Trojan-Downloader.ConHook
    Typ - Registry Value
    Risknivå - Hög
    Infektion - HKEY_USERS\S-1-5-21-910452376-877226765-825688854-34913\Software\Microsoft\MS Juan, (Default)

    2007-12-05 00:03:29:171 Infektion upptäcktes på denna dator
    Hotnamn - Trojan-Downloader.ConHook
    Typ - Registry Key
    Risknivå - Hög
    Infektion - HKEY_USERS\S-1-5-21-910452376-877226765-825688854-34913\Software\Microsoft\MS Juan

    2007-12-05 00:04:48:703 Sökning slutförd
    Sökningstyp - Intelli-Scan
    Behandlade poster - 169968
    Hot upptäckta - 1
    Infektioner upptäckta - 2
    Ignorerade infektioner - 0

    2007-12-05 00:06:10:312 Infektion i karantän
    Hotnamn - Trojan-Downloader.ConHook
    Typ - Registry Key
    Risknivå - Hög
    Infektion - HKEY_USERS\S-1-5-21-910452376-877226765-825688854-34913\Software\Microsoft\MS Juan

    2007-12-05 00:06:10:828 Infektion i karantän
    Hotnamn - Trojan-Downloader.ConHook
    Typ - Registry Value
    Risknivå - Hög
    Infektion - HKEY_USERS\S-1-5-21-910452376-877226765-825688854-34913\Software\Microsoft\MS Juan, (Default)

    2007-12-05 00:06:10:890 Infektion rensad
    Hotnamn - Trojan-Downloader.ConHook
    Typ - Registry Key
    Risknivå - Hög
    Infektion - HKEY_USERS\S-1-5-21-910452376-877226765-825688854-34913\Software\Microsoft\MS Juan

    2007-12-05 00:06:10:890 Infektion rensad
    Hotnamn - Trojan-Downloader.ConHook
    Typ - Registry Value
    Risknivå - Hög
    Infektion - HKEY_USERS\S-1-5-21-910452376-877226765-825688854-34913\Software\Microsoft\MS Juan, (Default)

    2007-12-05 00:06:13:15 Summering av infektioner i karantän/borttagna
    Karantän - 2
    Karantän misslyckades - 0
    Borttagna - 2
    Borttagningen misslyckades - 0

    2007-12-05 00:09:28:937 Tjänst Stoppad
    Spyware Doctor Serviceprogram Stoppat
    2007-12-05 07:45:44:218 Tjänst Startad
    Spyware Doctor Serviceprogram startat
    2007-12-05 07:45:44:609 OnGuards status
    Alla OnGuards Aktiverades
    2007-12-05 07:45:44:781 Immuniseringsresultat
    ActiveX-sektion har immuniserats. Inga poster behandlades.
    2007-12-05 08:14:04:291 Sökning påbörjad
    Sökningstyp - Intelli-Scan

    2007-12-05 08:14:25:200 Infektion upptäcktes på denna dator
    Hotnamn - Trojan-Downloader.ConHook
    Typ - Registry Value
    Risknivå - Hög
    Infektion - HKEY_USERS\S-1-5-21-910452376-877226765-825688854-34913\Software\Microsoft\MS Juan, (Default)

    2007-12-05 08:14:25:216 Infektion upptäcktes på denna dator
    Hotnamn - Trojan-Downloader.ConHook
    Typ - Registry Key
    Risknivå - Hög
    Infektion - HKEY_USERS\S-1-5-21-910452376-877226765-825688854-34913\Software\Microsoft\MS Juan

    2007-12-05 08:15:44:958 Sökning slutförd
    Sökningstyp - Intelli-Scan
    Behandlade poster - 141548
    Hot upptäckta - 1
    Infektioner upptäckta - 2
    Ignorerade infektioner - 0

    2007-12-05 08:15:51:437 Infektion i karantän
    Hotnamn - Trojan-Downloader.ConHook
    Typ - Registry Key
    Risknivå - Hög
    Infektion - HKEY_USERS\S-1-5-21-910452376-877226765-825688854-34913\Software\Microsoft\MS Juan

    2007-12-05 08:15:51:437 Infektion i karantän
    Hotnamn - Trojan-Downloader.ConHook
    Typ - Registry Value
    Risknivå - Hög
    Infektion - HKEY_USERS\S-1-5-21-910452376-877226765-825688854-34913\Software\Microsoft\MS Juan, (Default)

    2007-12-05 08:15:51:500 Infektion rensad
    Hotnamn - Trojan-Downloader.ConHook
    Typ - Registry Key
    Risknivå - Hög
    Infektion - HKEY_USERS\S-1-5-21-910452376-877226765-825688854-34913\Software\Microsoft\MS Juan

    2007-12-05 08:15:51:500 Infektion rensad
    Hotnamn - Trojan-Downloader.ConHook
    Typ - Registry Value
    Risknivå - Hög
    Infektion - HKEY_USERS\S-1-5-21-910452376-877226765-825688854-34913\Software\Microsoft\MS Juan, (Default)

    2007-12-05 08:15:53:644 Summering av infektioner i karantän/borttagna
    Karantän - 2
    Karantän misslyckades - 0
    Borttagna - 2
    Borttagningen misslyckades - 0

    2007-12-05 08:24:16:700 OnGuard upptäckt rensad
    Hotnamn - Trojan.Virtumonde
    Typ - Cookie
    Risknivå - Förhöjd
    Infektion - svxela.com/ svxela.com

    2007-12-05 08:24:55:891 OnGuard upptäckt rensad
    Hotnamn - Trojan.Virtumonde
    Typ - Cookie
    Risknivå - Förhöjd
    Infektion - svxela.com/ svxela.com

    2007-12-05 08:26:50:6 OnGuard upptäckt rensad
    Hotnamn - Trojan.Virtumonde
    Typ - Cookie
    Risknivå - Förhöjd
    Infektion - svxela.com/ svxela.com

    2007-12-05 08:27:30:370 OnGuard upptäckt rensad
    Hotnamn - Trojan.Virtumonde
    Typ - Cookie
    Risknivå - Förhöjd
    Infektion - svxela.com/ svxela.com

    2007-12-05 08:29:29:469 OnGuard upptäckt rensad
    Hotnamn - Trojan.Virtumonde
    Typ - Cookie
    Risknivå - Förhöjd
    Infektion - svxela.com/ svxela.com

    2007-12-05 08:30:28:839 OnGuard upptäckt rensad
    Hotnamn - Trojan.Virtumonde
    Typ - Cookie
    Risknivå - Förhöjd
    Infektion - svxela.com/ svxela.com

    2007-12-05 08:34:31:164 OnGuard upptäckt rensad
    Hotnamn - Trojan.Virtumonde
    Typ - Cookie
    Risknivå - Förhöjd
    Infektion - svxela.com/ svxela.com

    2007-12-05 08:35:19:791 OnGuard upptäckt rensad
    Hotnamn - Trojan.Virtumonde
    Typ - Cookie
    Risknivå - Förhöjd
    Infektion - svxela.com/ svxela.com

    2007-12-05 08:36:22:721 OnGuard upptäckt rensad
    Hotnamn - Trojan.Virtumonde
    Typ - Cookie
    Risknivå - Förhöjd
    Infektion - svxela.com/ svxela.com

    2007-12-05 08:37:22:639 OnGuard upptäckt rensad
    Hotnamn - Trojan.Virtumonde
    Typ - Cookie
    Risknivå - Förhöjd
    Infektion - svxela.com/ svxela.com

    2007-12-05 08:40:44:983 OnGuard upptäckt rensad
    Hotnamn - Trojan.Virtumonde
    Typ - Cookie
    Risknivå - Förhöjd
    Infektion - svxela.com/ svxela.com

    2007-12-05 08:58:27:246 OnGuard upptäckt rensad
    Hotnamn - Trojan.Virtumonde
    Typ - Cookie
    Risknivå - Förhöjd
    Infektion - svxela.com/ svxela.com

    2007-12-05 08:59:29:743 OnGuard upptäckt rensad
    Hotnamn - Application.TrackingCookies
    Typ - Cookie
    Risknivå - Låg
    Infektion - m.webtrends.com/ m.webtrends.com

    2007-12-05 10:21:51:650 Infektion upptäcktes på denna dator
    Hotnamn - Trojan-Downloader.ConHook
    Typ - Registry Value
    Risknivå - Hög
    Infektion - HKEY_USERS\S-1-5-21-910452376-877226765-825688854-34913\Software\Microsoft\MS Juan, (Default)

    2007-12-05 10:21:51:650 Infektion upptäcktes på denna dator
    Hotnamn - Trojan-Downloader.ConHook
    Typ - Registry Key
    Risknivå - Hög
    Infektion - HKEY_USERS\S-1-5-21-910452376-877226765-825688854-34913\Software\Microsoft\MS Juan

    2007-12-05 10:22:21:52 Sökning slutförd
    Sökningstyp - Intelli-Scan
    Behandlade poster - 162761
    Hot upptäckta - 1
    Infektioner upptäckta - 2
    Ignorerade infektioner - 0

    2007-12-05 10:28:27:189 Infektion i karantän
    Hotnamn - Trojan-Downloader.ConHook
    Typ - Registry Key
    Risknivå - Hög
    Infektion - HKEY_USERS\S-1-5-21-910452376-877226765-825688854-34913\Software\Microsoft\MS Juan

    2007-12-05 10:28:27:204 Infektion i karantän
    Hotnamn - Trojan-Downloader.ConHook
    Typ - Registry Value
    Risknivå - Hög
    Infektion - HKEY_USERS\S-1-5-21-910452376-877226765-825688854-34913\Software\Microsoft\MS Juan, (Default)

    2007-12-05 10:28:27:424 Infektion rensad
    Hotnamn - Trojan-Downloader.ConHook
    Typ - Registry Key
    Risknivå - Hög
    Infektion - HKEY_USERS\S-1-5-21-910452376-877226765-825688854-34913\Software\Microsoft\MS Juan

    2007-12-05 10:28:27:439 Infektion rensad
    Hotnamn - Trojan-Downloader.ConHook
    Typ - Registry Value
    Risknivå - Hög
    Infektion - HKEY_USERS\S-1-5-21-910452376-877226765-825688854-34913\Software\Microsoft\MS Juan, (Default)

    2007-12-05 10:28:29:555 Summering av infektioner i karantän/borttagna
    Karantän - 2
    Karantän misslyckades - 0
    Borttagna - 2
    Borttagningen misslyckades - 0
     
  5. echoreply

    echoreply Regular member

    yes that log is helpful. cookies aren't much to worry about. you can use settings within IE or firefox to control them. or get ATF-Cleaner to keep cookies, temps etc cleaned up with one click of the button

    http://www.atribune.org/content/view/19/2/
    -----------------------------
    try this:
    download and run vundofix.exe:

    http://www.atribune.org/ccount/click.php?id=4

    * Double-click VundoFix.exe to run it.
    * Click the Scan for Vundo button.
    * Once it's done scanning, click the Remove Vundo button.
    * You will receive a prompt asking if you want to remove the files, click YES
    * Once you click yes, your desktop will go blank as it starts removing Vundo.
    * When completed, it will prompt that it will reboot your computer, click OK.
    * Please post the contents of C:\vundofix.txt and a new HiJackThis log.

    Note: It is possible that VundoFix encountered a file it could not remove.
    In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

    echoreply
     
  6. Draken12

    Draken12 Member

    Ok, now I have done what you told me. Vundofix didn't find anything, but the reason behind this is probably that I tried Vundofix yesterday. By the way, Spyware Doctor hasn't found any sign of the little Trojan basted...... so maybe I'm lucky!!

    VundoFix Log:

    VundoFix V6.7.0

    Checking Java version...

    Sun Java not detected
    Scan started at 00:16:48 2007-12-04

    Listing files found while scanning....

    C:\windows\system32\jryaipgn.dll
    C:\windows\system32\kjjlm.ini
    C:\windows\system32\mljjk.dll

    Beginning removal...

    Attempting to delete C:\windows\system32\jryaipgn.dll
    C:\windows\system32\jryaipgn.dll Has been deleted!

    Attempting to delete C:\windows\system32\kjjlm.ini
    C:\windows\system32\kjjlm.ini Has been deleted!

    Attempting to delete C:\windows\system32\mljjk.dll
    C:\windows\system32\mljjk.dll Has been deleted!

    Performing Repairs to the registry.
    Done!

    VundoFix V6.7.0

    Checking Java version...

    Sun Java not detected
    Scan started at 00:47:23 2007-12-04

    Listing files found while scanning....


    VundoFix V6.7.0

    Checking Java version...

    Sun Java not detected
    Scan started at 01:35:19 2007-12-04

    Listing files found while scanning....


    VundoFix V6.7.0

    Checking Java version...

    Sun Java not detected
    Scan started at 02:05:41 2007-12-04

    Listing files found while scanning....

    No infected files were found.


    VundoFix V6.7.0

    Checking Java version...

    Sun Java not detected
    Scan started at 21:48:13 2007-12-04

    Listing files found while scanning....


    VundoFix V6.7.0

    Checking Java version...

    Sun Java not detected
    Scan started at 14:28:41 2007-12-05

    Listing files found while scanning....

    No infected files were found.

    Beginning removal...



    HJT Log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 15:07, on 2007-12-05
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program\Intel\Wireless\Bin\EvtEng.exe
    C:\Program\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program\Intel\Wireless\Bin\WLKeeper.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\Program\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program\CA\SharedComponents\CAM\bin\cam.exe
    C:\Program\Telia\CiscoVpnClient\cvpnd.exe
    C:\WINDOWS\SYSTEM32\DWRCS.EXE
    C:\Program\CA\SharedComponents\iTechnology\igateway.exe
    C:\Program\CA\eTrustITM\InoRpc.exe
    C:\Program\CA\eTrustITM\InoRT.exe
    C:\Program\CA\eTrustITM\InoTask.exe
    C:\Program\Delade filer\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program\Intel\Wireless\Bin\RegSrvc.exe
    C:\WINDOWS\System32\SCardSvr.exe
    C:\Program\CA\eTrustITM\eaps.exe
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\System32\wdfmgr.exe
    C:\Program\CA\Unicenter DSM\Bin\caf.exe
    C:\Program\CA\Unicenter DSM\Bin\cfsmsmd.exe
    C:\Program\CA\Unicenter DSM\Bin\ccnfagent.exe
    C:\Program\CA\Unicenter DSM\Bin\cfnotsrvd.exe
    C:\Program\CA\Unicenter DSM\Bin\ccsmagtd.exe
    C:\PROGRAM\CA\UNICENTER DSM\BIN\amswmagt.exe
    C:\Program\CA\Unicenter DSM\PMAgent\capmuamagt.exe
    C:\Program\CA\Unicenter DSM\Bin\cfftplugin.exe
    C:\WINDOWS\System32\wbem\wmiprvse.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\SYSTEM32\DWRCST.exe
    C:\Program\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\System32\igfxpers.exe
    C:\WINDOWS\System32\igfxsrvc.exe
    C:\Program\CA\Unicenter DSM\Bin\sxplog32.exe
    C:\Program\CyberLink\PowerDVD\DVDLauncher.exe
    C:\WINDOWS\System32\WLTRAY.exe
    C:\Program\Intel\Wireless\bin\ZCfgSvc.exe
    C:\Program\Intel\Wireless\Bin\ifrmewrk.exe
    C:\Program\QuickTime\qttask.exe
    C:\Program\Telia\Telia Connect\AutoUpdateSrv.exe
    C:\Program\Intel\Wireless\Bin\Dot1XCfg.exe
    C:\HJT\Scanme.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://web.ltdalarna.se/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://web.ltdalarna.se
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://pac.ltdalarna.se/ie.pac
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program\google\googletoolbar4.dll
    O2 - BHO: (no name) - {B6994DF8-50BB-4D97-9E05-9A66AA8752FB} - \
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program\google\googletoolbar4.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [Printers] C:\WINDOWS\LTDPRINT\netprinters.vbs
    O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
    O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program\CA\eTrustITM\realmon.exe" -s
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\System32\igfxpers.exe
    O4 - HKLM\..\Run: [DsmSxplog] "C:\Program\CA\Unicenter DSM\Bin\sxpstub.exe"
    O4 - HKLM\..\Run: [CAF_SystemTray] "C:\Program\CA\Unicenter DSM\Bin\cfSysTray.exe"
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\System32\WLTRAY
    O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\System32\WLTRAY.exe
    O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program\Intel\Wireless\bin\ZCfgSvc.exe"
    O4 - HKLM\..\Run: [IntelWireless] "C:\Program\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
    O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program\Telia\CiscoVpnClient\vpngui.exe
    O4 - Global Startup: Uppdateringsagent.lnk = ?
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Referensinformation - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program\MICROS~2\OFFICE11\REFIEBAR.DLL
    O14 - IERESET.INF: START_PAGE_URL=http://web.ltdalarna.se
    O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {A903E5AB-C67E-40FB-94F1-E1305982F6E0} (KooPlayer Control) - http://www.euchannels.net/UKooPlayer.ocx
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ltdalarna.se
    O17 - HKLM\Software\..\Telephony: DomainName = ltdalarna.se
    O17 - HKLM\System\CCS\Services\Tcpip\..\{EB480CB4-FA4E-4B44-B40E-1A90D0AA4562}: Domain = ltdalarna.se
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ltdalarna.se
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ltdalarna.se
    O20 - Winlogon Notify: CAF - C:\Program\CA\Unicenter DSM\Bin\cfwlogon.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: CA Message Queuing Server (CA-MessageQueuing) - CA, Inc. - C:\Program\CA\SharedComponents\CAM\bin\cam.exe
    O23 - Service: CA Unicenter DSM r11 Common Application Framework. (caf) - Computer Associates International, Inc. - C:\Program\CA\Unicenter DSM\Bin\caf.exe
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program\Telia\CiscoVpnClient\cvpnd.exe
    O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINDOWS\SYSTEM32\DWRCS.EXE
    O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: iTechnology iGateway 4.0 (iGateway) - Computer Associates International, Inc. - C:\Program\CA\SharedComponents\iTechnology\igateway.exe
    O23 - Service: eTrust ITM RPC Service (InoRPC) - Computer Associates International, Inc. - C:\Program\CA\eTrustITM\InoRpc.exe
    O23 - Service: eTrust ITM Realtime Service (InoRT) - Computer Associates International, Inc. - C:\Program\CA\eTrustITM\InoRT.exe
    O23 - Service: eTrust ITM Job Service (InoTask) - Computer Associates International, Inc. - C:\Program\CA\eTrustITM\InoTask.exe
    O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program\Spyware Doctor\svcntaux.exe
    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program\Spyware Doctor\swdsvc.exe
    O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program\Intel\Wireless\Bin\WLKeeper.exe
    O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
    O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/widjoh/LOKALA~1/Temp/msoclip1/01/clip_image002.gif
    O24 - Desktop Component 1: (no name) - file:///C:/DOCUME~1/widjoh/LOKALA~1/Temp/msohtml1/01/clip_image002.gif

    --
    End of file - 8444 bytes
     
  7. echoreply

    echoreply Regular member

    hi,

    vundofix removed some .dlls, how's it on your end now?
     
  8. Draken12

    Draken12 Member

    The DLLs were, as a matter of fact, removed the day before I asked for your help, when I still had the problem with the continually returning Trojan called trojan-downloader.conhook. I think the Trojan was re-activated, after deletion, every time I ran IE, but who am I to tell!!! Anyway, now my system seems to run OK, so thank you so much for your help. If it's OK, I would like your last opinion about which processes shouldn't be running in my task manager and how to stop them from running there in the future. I don't know if it's possible to post an image, snapshot, located on your hard drive so if you have any suggestions....

    Thank you for everything.
    Best regards /
    Draken
     
  9. echoreply

    echoreply Regular member

    hi,

    you are welcome

    looks like it was removed yesterday when you ran vundofix;

    2007-12-04

    Listing files found while scanning....

    C:\windows\system32\jryaipgn.dll
    C:\windows\system32\kjjlm.ini
    C:\windows\system32\mljjk.dll

    Beginning removal...

    ------------------------------------------
    ok so all's good now.

    click on the icons by the clock, usually this will launch the software, look in settings or preferences for options not to start with windows. see if that helps control some of it.

    look, you are a service pack behind in windows update. windows is up to service pack 2 now. you should visit windows update to get the latest patches and fixes for windows. it will be a huge download, hope you have broadband-- also available on CD if you want it that way.

    also good idea to do this after cleaning up malware:

    One of the features of Windows ME or XP is the System Restore option; however, if malware infects a computer with this operating system it can be backed up in the System Restore folder. Therefore, clearing the restore points is a good idea after malware is removed.

    To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

    (winXP)

    1. Turn off System Restore. (deletes old possibly infected restore point)
    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    Check Turn off System Restore.
    Click Apply, and then click OK.

    2. Reboot.

    3. Turn ON System Restore. (new restore points on a clean system)
    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    UN-Check *Turn off System Restore*.
    Click Apply, and then click OK, then reboot

    echoreply
     
  10. Draken12

    Draken12 Member

    Hi

    If you follow the timeline in the VundoFix history you can see that I live in Sweden, and because of that I'm about 8 hours ahead, depending on where in the States you live. I don't want to be rude, but the virus first stopped showing up when you told me to remove O2 - BHO: {b1776866-3025-3b68-1364-e27637d08c24} - {42c80d73-672e-4631-86b3-52036686771b} - C:\WINDOWS\System32\voasjvkg.dll and use ATF-Cleaner.

    What kind of dll is voasjvkg.dll?

    Thx again /
    Draken
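
The entry quoted in the post above is a Browser Helper Object (BHO) registration, which Internet Explorer loads every time it starts. As an added example (not part of the original thread, and not HijackThis's or VundoFix's own logic), the Python below parses O2 lines copied from the logs in this thread and lists the registrations worth a manual look; the function names and the three review heuristics are assumptions chosen to fit these entries, not verdicts.

```python
import ntpath
import re

GUID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
# HijackThis O2 line layout: "O2 - BHO: <display name> - {CLSID} - <file>"
O2_LINE = re.compile(rf"^O2 - BHO: (?P<name>.*?) - (?P<clsid>{GUID}) - (?P<path>.*)$")

# O2 lines copied from the HijackThis output quoted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program\google\googletoolbar4.dll
O2 - BHO: (no name) - {B6994DF8-50BB-4D97-9E05-9A66AA8752FB} - \
O2 - BHO: {b1776866-3025-3b68-1364-e27637d08c24} - {42c80d73-672e-4631-86b3-52036686771b} - C:\WINDOWS\System32\voasjvkg.dll
"""


def parse_bho(line):
    """Return name/clsid/path for an O2 line, or None for any other line."""
    match = O2_LINE.match(line.lstrip().rstrip("\r\n"))
    return match.groupdict() if match else None


def review_reasons(entry):
    """Heuristics (assumptions for this example) that mark a BHO for review."""
    reasons = []
    name, path = entry["name"].strip(), entry["path"].strip()
    if name == "(no name)":
        reasons.append("no display name")
    elif re.fullmatch(GUID, name):
        reasons.append("display name is a bare GUID")
    if path in ("", "\\"):
        # Registry entry survives although the DLL it pointed to is gone.
        reasons.append("no file behind the registration")
    elif ntpath.dirname(path).lower().endswith(r"\windows\system32"):
        reasons.append("DLL loaded directly from System32")
    return reasons


def suspicious_bhos(log_text):
    """Return every O2 entry that triggers at least one heuristic."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_bho(line)
        if entry is None:
            continue
        reasons = review_reasons(entry)
        if reasons:
            flagged.append({**entry, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for item in suspicious_bhos(SAMPLE_LOG):
        print(item["clsid"], item["path"], "->", "; ".join(item["reasons"]))
```

A flagged entry is a prompt to check the CLSID and file before removing anything; the orphaned `(no name)` registration with no file is the kind of leftover that can remain after the DLL itself has been deleted.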
     
  11. echoreply

    echoreply Regular member
