1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

viruswebprotect2008? HJT-Log

Discussion in 'Windows - Virus and spyware problems' started by freeme, Aug 17, 2008.

  1. freeme

    freeme Member

    Joined:
    Aug 17, 2008
    Messages:
    19
    Likes Received:
    0
    Trophy Points:
    11
    Hi, I\m sitting here with my friends computer and my hair is turning grey. He installed viruswebprotect which wasnt his greatest idea to date. So I\m the one to solve this. And I cant so please help.

    After logging in to windows i get a bluescreen. I\ve cleaned first using NOD antivirus then Smitfraudfix. After this i tried Spybot but to no use.
    I\m stuck. I even have to use a Vistabootcd to use IE because even in Safe mode IE seems to be blocking some crucial URLs such as housecall, symantec, winupdate etc.

    In safe mode the comp doesn\t crash though.
    Hijack This in safe mode says>

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 17:47:30, on 2008-08-17
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16674)
    Boot mode: Safe mode with network support

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.se/ig/dell?hl=sv&client=dell-row&channel=se&ibd=5070110
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www1.euro.dell.com/content/default.aspx?c=se&l=sv&s=gen
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://desktop.google.com/uninstall-feedback.html?hl=sv
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
    O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
    O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    O4 - HKLM\..\Run: [VoiceCenter] "C:\Program Files\Creative\VoiceCenter\AndreaVC.exe" /tray
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [RemoteControl] C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe"
    O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
    O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKLM\..\Run: [lphcp0bj0ej29] C:\WINDOWS\system32\lphcp0bj0ej29.exe
    O4 - HKLM\..\Run: [10195632] rundll32.exe "C:\WINDOWS\system32\micyaipc.dll",b
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Personal.lnk = C:\Program Files\Personal\bin\Personal.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll
    O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1200731159281
    O16 - DPF: {8F48147B-78D9-40F9-ACC0-BDDE59B246F4} (AccountHelper Class) - https://safe.tele2.com/inc/accounthelper.cab
    O20 - AppInit_DLLs: xzprfz.dll
    O22 - SharedTaskScheduler: corduroyed - {699fabf8-1087-491f-b57c-80a68929d82b} - C:\WINDOWS\system32\heuvth.dll (file missing)
    O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Belkin Wireless USB Network Adapter (Belkin Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
    O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
    O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe

    --
    End of file - 6388 bytes
    =----------------------------------------------------------------------------------------------------------


    Edit> Managed to get a Hijack This in normal mode (and then it crached again).

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 18:40:24, on 2008-08-17
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16674)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    C:\Program Files\Creative\VoiceCenter\AndreaVC.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe
    C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
    C:\Program Files\Eset\nod32kui.exe
    C:\WINDOWS\system32\lphcp0bj0ej29.exe
    C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Dell Support\DSAgnt.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Personal\bin\Personal.exe
    C:\WINDOWS\System32\WScript.exe
    C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.se/ig/dell?hl=sv&client=dell-row&channel=se&ibd=5070110
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www1.euro.dell.com/content/default.aspx?c=se&l=sv&s=gen
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://desktop.google.com/uninstall-feedback.html?hl=sv
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
    O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
    O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    O4 - HKLM\..\Run: [VoiceCenter] "C:\Program Files\Creative\VoiceCenter\AndreaVC.exe" /tray
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [RemoteControl] C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe"
    O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
    O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKLM\..\Run: [lphcp0bj0ej29] C:\WINDOWS\system32\lphcp0bj0ej29.exe
    O4 - HKLM\..\Run: [10195632] rundll32.exe "C:\WINDOWS\system32\micyaipc.dll",b
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Personal.lnk = C:\Program Files\Personal\bin\Personal.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll
    O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1200731159281
    O16 - DPF: {8F48147B-78D9-40F9-ACC0-BDDE59B246F4} (AccountHelper Class) - https://safe.tele2.com/inc/accounthelper.cab
    O20 - AppInit_DLLs: xzprfz.dll
    O22 - SharedTaskScheduler: corduroyed - {699fabf8-1087-491f-b57c-80a68929d82b} - C:\WINDOWS\system32\heuvth.dll (file missing)
    O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Belkin Wireless USB Network Adapter (Belkin Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
    O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
    O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe

    --
    End of file - 7360 bytes
     
    Last edited: Aug 17, 2008
  2. 2oldGeek

    2oldGeek Active member

    Joined:
    Jun 16, 2005
    Messages:
    3,701
    Likes Received:
    39
    Trophy Points:
    78
    Hello freeme,


    Download Malwarebytes' Anti-Malware to your desktop.

    Double-click mbam-setup.exe and follow the prompts to install the program.

    • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform full scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be found here: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt

    • Please post the MBAM Log and a fresh HJT log in your next reply.


    2OG
     
    Last edited: Aug 17, 2008
  3. freeme

    freeme Member

    Joined:
    Aug 17, 2008
    Messages:
    19
    Likes Received:
    0
    Trophy Points:
    11
    Ok I will do that.
    Is it OK to run the Anti-Malware in safe mode or under my Vista PE bootCD? And which HJT-log would you prefer? From Safe mode or juuust before it craches in normal mode?
     
  4. 2oldGeek

    2oldGeek Active member

    Joined:
    Jun 16, 2005
    Messages:
    3,701
    Likes Received:
    39
    Trophy Points:
    78
    Running MBAM in Safe Mode would be even better. And the HJT Log from either Mode will do.

    Let me know if you have any problems with it..
     
  5. freeme

    freeme Member

    Joined:
    Aug 17, 2008
    Messages:
    19
    Likes Received:
    0
    Trophy Points:
    11
    Wow. A lot of infected files! Weird none of the other programs found them. Here are the logs and thank you soooooo much for helping me out!


    Malwarebytes' Anti-Malware 1.24
    Databasversion: 1061
    Windows 5.1.2600 Service Pack 2

    21:42:34 2008-08-17
    mbam-log-8-17-2008 (21-42-34).txt

    Skanningstyp: Fullständig skanning (C:\|)
    Antal skannade objekt: 127866
    Förfluten tid: 19 minute(s), 0 second(s)

    Infekterade minnesprocesser: 0
    Infekterade minnesmoduler: 4
    Infekterade registernycklar: 27
    Infekterade registervärden: 8
    Infekterade registerdataposter: 4
    Infekterade mappar: 0
    Infekterade filer: 42

    Infekterade minnesprocesser:
    (Inga illasinnade poster hittades)

    Infekterade minnesmoduler:
    C:\WINDOWS\system32\khfcDTMc.dll (Trojan.Vundo) -> Delete on reboot.
    C:\WINDOWS\system32\ssqNHxvu.dll (Trojan.Vundo) -> Delete on reboot.
    C:\WINDOWS\system32\xzprfz.dll (Trojan.Vundo) -> Delete on reboot.
    C:\WINDOWS\system32\auriarxb.dll (Trojan.Vundo) -> Delete on reboot.

    Infekterade registernycklar:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2d60ba9f-04da-4015-a021-28f1d8a900cc} (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{2d60ba9f-04da-4015-a021-28f1d8a900cc} (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9102c0f4-26f8-4e2b-ba4b-1617cbe8441c} (Trojan.Vundo) -> Delete on reboot.
    HKEY_CLASSES_ROOT\CLSID\{9102c0f4-26f8-4e2b-ba4b-1617cbe8441c} (Trojan.Vundo) -> Delete on reboot.
    HKEY_CLASSES_ROOT\CLSID\{1dbd3f8d-abc8-4fba-9cdb-0fefa3c5af84} (Trojan.Vundo) -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1dbd3f8d-abc8-4fba-9cdb-0fefa3c5af84} (Trojan.Vundo) -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ssqnhxvu (Trojan.Vundo) -> Delete on reboot.
    HKEY_CLASSES_ROOT\CLSID\{de98a479-1544-4d3f-8b82-12fdd5bc998f} (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{de98a479-1544-4d3f-8b82-12fdd5bc998f} (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{0b6ef17e-18e5-4449-86ea-64c82d596eae} (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{b1e68d42-02c4-465b-8368-5ed9b732e22d} (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Typelib\{6d0111e3-3060-4d23-b2bc-42ed86cbe9a3} (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{72a128e0-2240-40c8-9e92-5387d64f839e} (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72a128e0-2240-40c8-9e92-5387d64f839e} (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\xmllib.xmldp (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\xmllib.xmldp.1 (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{699fabf8-1087-491f-b57c-80a68929d82b} (Trojan.Zlob) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tdssserv (Rootkit.Agent) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VSPlugin (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Trojan.Vundo) -> Quarantined and deleted successfully.

    Infekterade registervärden:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\10195632 (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{1dbd3f8d-abc8-4fba-9cdb-0fefa3c5af84} (Trojan.Vundo) -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{699fabf8-1087-491f-b57c-80a68929d82b} (Trojan.Zlob) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lphcp0bj0ej29 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Control Panel\Desktop\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Control Panel\Desktop\scrnsave.exe (Hijack.Wallpaper) -> Quarantined and deleted successfully.

    Infekterade registerdataposter:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo) -> Data: c:\windows\system32\khfcdtmc -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\khfcdtmc -> Delete on reboot.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    Infekterade mappar:
    (Inga illasinnade poster hittades)

    Infekterade filer:
    C:\WINDOWS\system32\udumcm.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\khfcDTMc.dll (Trojan.Vundo) -> Delete on reboot.
    C:\WINDOWS\system32\cMTDcfhk.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\cMTDcfhk.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\micyaipc.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\cpiaycim.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\uwepvejt.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\tjevpewu.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\ssqNHxvu.dll (Trojan.Vundo) -> Delete on reboot.
    C:\WINDOWS\system32\xzprfz.dll (Trojan.Vundo) -> Delete on reboot.
    C:\WINDOWS\system32\auriarxb.dll (Trojan.Vundo) -> Delete on reboot.
    C:\WINDOWS\xml2u32h.dll (Trojan.BHO) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\KZL22NF9\kb456456[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\KZL22NF9\kb767887[1] (Trojan.Vundo) -> Delete on reboot.
    C:\Documents and Settings\ANN-BRITT\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe (BHO.Baidu) -> Quarantined and deleted successfully.
    C:\Documents and Settings\DRAGAN\Local Settings\Temp\40_1.exe (Adware.BHO) -> Quarantined and deleted successfully.
    C:\Documents and Settings\DRAGAN\Local Settings\Temp\bindsrv2.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\edlb.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\WINDOWS\xokvrpwg.dll (Trojan.Zlob) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\byXQGxVo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\gsdxnyrc.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\tdssadw.dll (Trojan.Agent) -> Delete on reboot.
    C:\WINDOWS\system32\tdssl.dll (Trojan.Agent) -> Delete on reboot.
    C:\WINDOWS\system32\tdssmain.dll (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\tdssinit.dll (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\tdsslog.dll (Trojan.Agent) -> Delete on reboot.
    C:\WINDOWS\system32\tdssservers.dat (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\drivers\tdssserv.sys (Trojan.Agent) -> Delete on reboot.
    C:\Documents and Settings\Administrator\Local Settings\Temp\.tt1.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Administrator\Local Settings\Temp\.tt2.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Administrator\Local Settings\Temp\.tt3.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Administrator\Local Settings\Temp\.tt4.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Administrator\Local Settings\Temp\.tt5.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Administrator\Local Settings\Temp\.tt7.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Administrator\Local Settings\Temp\.tt8.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Administrator\Local Settings\Temp\.ttA.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Administrator\Local Settings\Temp\.ttE.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\WINDOWS\tfnslopk.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\blphcp0bj0ej29.scr (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\lphcp0bj0ej29.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\phcp0bj0ej29.bmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\Documents and Settings\DRAGAN\Local Settings\Temp\HDVideodll_ver1.5918.0.exe (Trojan.Agent) -> Quarantined and deleted successfully.


    --------------------------------------------------------------------


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 21:46:57, on 2008-08-17
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16674)
    Boot mode: Safe mode with network support

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.se/ig/dell?hl=sv&client=dell-row&channel=se&ibd=5070110
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www1.euro.dell.com/content/default.aspx?c=se&l=sv&s=gen
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://desktop.google.com/uninstall-feedback.html?hl=sv
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
    O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
    O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    O4 - HKLM\..\Run: [VoiceCenter] "C:\Program Files\Creative\VoiceCenter\AndreaVC.exe" /tray
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [RemoteControl] C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe"
    O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
    O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
    O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Personal.lnk = C:\Program Files\Personal\bin\Personal.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll
    O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1200731159281
    O16 - DPF: {8F48147B-78D9-40F9-ACC0-BDDE59B246F4} (AccountHelper Class) - https://safe.tele2.com/inc/accounthelper.cab
    O20 - AppInit_DLLs: xzprfz.dll udumcm.dll
    O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Belkin Wireless USB Network Adapter (Belkin Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
    O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
    O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe

    --
    End of file - 6215 bytes
     
  6. 2oldGeek

    2oldGeek Active member

    Joined:
    Jun 16, 2005
    Messages:
    3,701
    Likes Received:
    39
    Trophy Points:
    78
    @freeme,

    Boot into normal mode and post a HJT Log.

    You may have a few things left over that need removing.
     
  7. freeme

    freeme Member

    Joined:
    Aug 17, 2008
    Messages:
    19
    Likes Received:
    0
    Trophy Points:
    11
    Yep there's still stuff to do... I still get pop-ups.


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 17:46:35, on 2008-08-18
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16674)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\ehome\ehtray.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    C:\Program Files\Creative\VoiceCenter\AndreaVC.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe
    C:\Program Files\Eset\nod32kui.exe
    C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Dell Support\DSAgnt.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Personal\bin\Personal.exe
    C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.se/ig/dell?hl=sv&client=dell-row&channel=se&ibd=5070110
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www1.euro.dell.com/content/default.aspx?c=se&l=sv&s=gen
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://desktop.google.com/uninstall-feedback.html?hl=sv
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
    O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
    O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    O4 - HKLM\..\Run: [VoiceCenter] "C:\Program Files\Creative\VoiceCenter\AndreaVC.exe" /tray
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [RemoteControl] C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe"
    O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
    O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Personal.lnk = C:\Program Files\Personal\bin\Personal.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll
    O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1200731159281
    O16 - DPF: {8F48147B-78D9-40F9-ACC0-BDDE59B246F4} (AccountHelper Class) - https://safe.tele2.com/inc/accounthelper.cab
    O20 - AppInit_DLLs: xzprfz.dll udumcm.dll
    O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Belkin Wireless USB Network Adapter (Belkin Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
    O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
    O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe

    --
    End of file - 6935 bytes
     
  8. 2oldGeek

    2oldGeek Active member

    Joined:
    Jun 16, 2005
    Messages:
    3,701
    Likes Received:
    39
    Trophy Points:
    78
    @ freeme,

    Before running ComboFix Be sure to disable Spybot Teatimer.


    Download ComboFix from Here But, BEFORE saving it to your Desktop, Rename it to Combo-Fix.exe with a hyphen – in the middle.

    Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".

    • Double click combofix.exe and follow the prompts.
    • When finished, it shall produce a log for you. Post the Combofix log and a HiJackthis log in your next reply

    Note: Do not mouseclick combofix's window while its running. That may cause it to stall.

    Extra-Note: Please, DO NOT use ComboFix on your own. It is a very powerful tool designed to deal with sophisticated infections and if something goes wrong or you use it incorrectly, you could possibly lose the use of your computer. It is ONLY meant to be used under the direct supervision of a malware removal specialist.


    TNX
    2OG
     
  9. freeme

    freeme Member

    Joined:
    Aug 17, 2008
    Messages:
    19
    Likes Received:
    0
    Trophy Points:
    11
    Jeez. This is something else!
    I closed everything and ran combofix. While running it rebooted the comp. so som programs started again at the new login. Hope this didn't ruin stuff.
    the log:

    ComboFix 08-08-17.03 - Administrator 2008-08-18 18:21:41.1 - NTFSx86 NETWORK
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1674 [GMT 2:00]
    Running from: C:\Documents and Settings\Administrator\Desktop\Combo-Fix.exe
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
    C:\Documents and Settings\ANN-BRITT\Cookies\ann-britt@www.gulex[1].txt
    C:\Documents and Settings\ANN-BRITT\Cookies\ann-britt@www.hitta[1].txt
    C:\Documents and Settings\ANN-BRITT\Cookies\ann-britt@www.pixmania[1].txt
    C:\Documents and Settings\ANN-BRITT\Cookies\ann-britt@www.sestan-apartmani[2].txt
    C:\Documents and Settings\ANN-BRITT\UserData
    C:\Documents and Settings\ANN-BRITT\UserData\4H2V4LI7\oXMLStore[1].xml
    C:\Documents and Settings\ANN-BRITT\UserData\index.dat
    C:\Documents and Settings\ANN-BRITT\UserData\KHA78XMV\IsOnIE6tbPromo[1].xml
    C:\Documents and Settings\ANN-BRITT\UserData\O1EVWDAN\sn[1].xml
    C:\Documents and Settings\DRAGAN\Application Data\Adobe\crc.dat
    C:\Documents and Settings\DRAGAN\Application Data\macromedia\Flash Player\#SharedObjects\XGL6U9FR\interclick.com
    C:\Documents and Settings\DRAGAN\Application Data\macromedia\Flash Player\#SharedObjects\XGL6U9FR\interclick.com\ud.sol
    C:\Documents and Settings\DRAGAN\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
    C:\Documents and Settings\DRAGAN\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
    C:\Documents and Settings\DRAGAN\Cookies\dragan@a.playboy[2].txt
    C:\Documents and Settings\DRAGAN\Cookies\dragan@adtoma.expressen[2].txt
    C:\Documents and Settings\DRAGAN\Cookies\dragan@allaannonser[2].txt
    C:\Documents and Settings\DRAGAN\Cookies\dragan@clicktorrent[1].txt
    C:\Documents and Settings\DRAGAN\Cookies\dragan@live[1].txt
    C:\Documents and Settings\DRAGAN\Cookies\dragan@mobile[2].txt
    C:\Documents and Settings\DRAGAN\Cookies\dragan@msn[3].txt
    C:\Documents and Settings\DRAGAN\Cookies\dragan@skinvideo[2].txt
    C:\Documents and Settings\DRAGAN\UserData
    C:\Documents and Settings\DRAGAN\UserData\2ANPVP1C\iconState[1].xml
    C:\Documents and Settings\DRAGAN\UserData\ACVOKJYL\IsOnIE6tbPromo[1].xml
    C:\Documents and Settings\DRAGAN\UserData\ACVOKJYL\oWindowsUpdate[1].xml
    C:\Documents and Settings\DRAGAN\UserData\index.dat
    C:\Documents and Settings\DRAGAN\UserData\J4XO2TFE\oWindowsUpdate[1].xml
    C:\Documents and Settings\DRAGAN\UserData\ZKZMTI84\oWindowsUpdate[1].xml
    C:\Documents and Settings\DRAGAN\UserData\ZKZMTI84\showHideState[1].xml
    C:\Documents and Settings\SOFI\Cookies\sofi@inflash[1].txt
    C:\Documents and Settings\SOFI\Cookies\sofi@server.cpmstar[1].txt
    C:\WINDOWS\Downloaded Program Files\setup.inf

    ----- BITS: Possible infected sites -----

    http://pornotube8.net
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_TDSSSERV


    ((((((((((((((((((((((((( Files Created from 2008-07-18 to 2008-08-18 )))))))))))))))))))))))))))))))
    .

    2008-08-18 07:17 . 2008-08-18 17:51 <KAT> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-08-17 21:20 . 2008-08-17 21:20 <KAT> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-08-17 21:20 . 2008-08-17 21:20 <KAT> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
    2008-08-17 21:20 . 2008-08-17 15:01 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
    2008-08-17 21:20 . 2008-08-17 15:01 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
    2008-08-17 16:06 . 2007-09-06 10:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
    2008-08-17 16:06 . 2006-04-28 03:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
    2008-08-17 16:06 . 2008-05-29 19:35 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
    2008-08-17 16:06 . 2008-05-19 07:40 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
    2008-08-17 16:06 . 2008-08-12 04:07 82,432 --a------ C:\WINDOWS\system32\IEDFix.C.exe
    2008-08-17 16:06 . 2008-08-10 01:37 82,432 --a------ C:\WINDOWS\system32\404Fix.exe
    2008-08-17 16:06 . 2003-06-06 07:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
    2008-08-17 16:06 . 2004-08-01 04:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
    2008-08-17 16:06 . 2007-10-04 10:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
    2008-08-17 15:41 . 2008-08-17 15:41 <KAT> d-------- C:\Program Files\CCleaner
    2008-08-17 15:34 . 2008-08-17 15:34 <KAT> d-------- C:\Program Files\VS Revo Group
    2008-08-17 15:28 . 2008-08-17 15:28 <KAT> d-------- C:\Program Files\Trend Micro
    2008-08-17 14:43 . 2008-08-17 14:43 <KAT> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2008-08-17 14:39 . 2008-08-17 14:40 <KAT> d-------- C:\Program Files\Spybot - Search & Destroy
    2008-08-17 14:39 . 2008-08-17 16:55 <KAT> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-08-17 14:28 . 2008-08-17 16:06 4,062 --a------ C:\WINDOWS\system32\tmp.reg
    2008-08-17 12:16 . 2008-08-17 12:16 <KAT> d-------- C:\Program Files\Common Files\Download Manager
    2008-08-17 12:16 . 2005-09-23 07:29 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
    2008-08-17 11:28 . 2008-08-17 11:28 347 --a------ C:\WINDOWS\CTWave32.INI
    2008-08-17 11:27 . 2008-08-17 11:27 29 --a------ C:\WINDOWS\sfbm.INI
    2008-08-15 22:57 . 2008-08-15 22:57 <KAT> d-------- C:\Documents and Settings\Administrator\Application Data\Vso
    2008-08-15 22:57 . 2008-08-15 22:57 81,920 --a------ C:\Documents and Settings\Administrator\Application Data\ezpinst.exe
    2008-08-15 22:57 . 2008-08-15 22:57 47,360 --a------ C:\Documents and Settings\Administrator\Application Data\pcouffin.sys
    2008-08-14 02:54 . 2008-08-14 02:54 <KAT> d--hs---- C:\$RECYCLE.BIN
    2008-08-13 20:30 . 2008-08-13 20:30 <KAT> d-------- C:\Documents and Settings\Administrator\cbt
    2008-08-13 20:30 . 2008-08-13 20:30 <KAT> d-------- C:\Documents and Settings\Administrator\Application Data\Netscape
    2008-08-13 20:29 . 2008-08-13 20:30 <KAT> d-------- C:\Documents and Settings\Administrator\Application Data\Personal
    2008-08-12 21:12 . 2008-08-12 21:12 <KAT> d-------- C:\Documents and Settings\ANN-BRITT\Application Data\TmpRecentIcons
    2008-08-12 21:01 . 2008-08-12 21:01 <KAT> d-------- C:\Documents and Settings\DRAGAN\Application Data\TmpRecentIcons
    2008-08-12 20:34 . 2008-08-12 20:34 <KAT> d-------- C:\Program Files\Sun

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-08-17 13:56 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-08-17 13:38 --------- d-----w C:\Program Files\Activision
    2008-08-17 13:34 --------- d-----w C:\Program Files\VS Revo Group
    2008-08-17 12:43 --------- d-----w C:\Documents and Settings\DRAGAN\Application Data\Lavasoft
    2008-08-17 11:26 --------- d-----w C:\Program Files\Common Files\Symantec Shared
    2008-08-17 10:24 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
    2008-08-17 10:10 --------- d-----w C:\Program Files\Norton Security Scan
    2008-08-17 09:28 --------- d-----w C:\Program Files\Creative
    2008-08-15 21:08 --------- d-----w C:\Program Files\Professor Franklin
    2008-08-15 21:07 --------- d-----w C:\Program Files\LimeWire
    2008-08-15 21:06 --------- d-----w C:\Program Files\SuperGOO
    2008-08-15 21:01 --------- d-----w C:\Program Files\Google
    2008-08-15 20:59 --------- d-----w C:\Program Files\GemMaster
    2008-08-15 20:57 --------- d-----w C:\Program Files\vso
    2008-08-15 20:57 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Vso
    2008-08-12 18:34 --------- d-----w C:\Program Files\Java
    2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
    2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
    2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
    2008-06-15 08:35 63,488 ----a-w C:\WINDOWS\xobglu16.dll
    2008-06-15 08:35 53,002 ----a-w C:\WINDOWS\xobglu32.dll
    2007-09-24 16:53 81,920 ----a-w C:\Documents and Settings\DRAGAN\Application Data\ezpinst.exe
    2007-09-24 16:53 47,360 ----a-w C:\Documents and Settings\DRAGAN\Application Data\pcouffin.sys
    2007-01-08 19:12 32 ----a-r C:\Documents and Settings\All Users\hash.dat
    2007-01-21 09:51 88 --sh--r C:\WINDOWS\system32\1E26776674.sys
    2007-01-30 19:02 88 --sh--r C:\WINDOWS\system32\E8CBD9B60D.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 07:00 15360]
    "DellSupport"="C:\Program Files\Dell Support\DSAgnt.exe" [2006-08-28 23:57 395776]
    "SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-07-07 09:42 2156368]
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-11-16 20:04 139264]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 16:01 67584]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
    "IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 09:15 151552]
    "ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 19:41 45056]
    "DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 05:12 94208]
    "VoiceCenter"="C:\Program Files\Creative\VoiceCenter\AndreaVC.exe" [2006-02-16 11:20 1118208]
    "ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 18:50 221184]
    "ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 18:50 81920]
    "RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 20:42 32768]
    "DiskeeperSystray"="C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2006-10-04 13:38 163840]
    "NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 16:40 155648]
    "Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe" [2006-09-14 08:55 61440]
    "MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe" [2005-05-10 17:04 11776]
    "nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-06-06 17:42 950664]
    "SpybotSnD"="C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" [2008-07-07 09:42 4891472]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-10 07:00 15360]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Personal.lnk - C:\Program Files\Personal\bin\Personal.exe [2007-12-17 19:13:30 722728]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
    "InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=xzprfz.dll udumcm.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    SecurityProviders msapsspc.dllschannel.dlldigest.dllmsnsspc.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tdssserv.sys]
    @=""

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\Dell Network Assistant\\ezi_hnm2.exe"=
    "C:\\Program Files\\Messenger\\msmsgs.exe"=
    "C:\\Program Files\\Adobe\\Photoshop Elements 5.0\\AdobePhotoshopElementsMediaServer.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "10421:UDP"= 10421:UDP:SingleClick Discovery Protocol
    "10426:UDP"= 10426:UDP:SingleClick ICC

    S2 hnmwrlspkt;HomeNet Manager Wireless Protocol;C:\WINDOWS\system32\DRIVERS\hnm_wrls_pkt.sys [2006-07-14 03:01]
    S2 wsppkt;Wireless Security Protocol;C:\WINDOWS\system32\DRIVERS\wsp_pkt.sys [2006-07-14 03:02]
    S3 NAL;Nal Service ;C:\WINDOWS\system32\Drivers\iqvw32.sys [2006-06-05 05:39]
    .
    Contents of the 'Scheduled Tasks' folder

    2008-06-22 C:\WINDOWS\Tasks\Norton Security Scan.job
    - C:\Program Files\Norton Security Scan\Nss.exe [2008-01-09 05:08]
    .
    - - - - ORPHANS REMOVED - - - -

    BHO-{1A389CEA-5EFF-4E36-91EB-A64F3886BF64} - (no file)
    BHO-{1DBD3F8D-ABC8-4FBA-9CDB-0FEFA3C5AF84} - (no file)
    BHO-{C0805283-240B-4E9C-A806-746BF008933D} - (no file)
    BHO-{de98a479-1544-4d3f-8b82-12fdd5bc998f} - (no file)
    HKCU-Run-SetDefaultMIDI - MIDIDef.exe
    Notify-ssqNHxvu - (no file)


    .
    ------- Supplementary Scan -------
    .
    R0 -: HKCU-Main,Start Page = hxxp://www.google.se/
    R1 -: HKCU-Internet Connection Wizard,ShellNext = hxxp://desktop.google.com/uninstall-feedback.html?hl=sv

    O16 -: {8F48147B-78D9-40F9-ACC0-BDDE59B246F4} - hxxps://safe.tele2.com/inc/accounthelper.cab
    C:\WINDOWS\Downloaded Program Files\Account.inf
    C:\WINDOWS\Downloaded Program Files\Account.dll


    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-08-18 18:27:04
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\WINDOWS\ehome\ehmsas.exe
    C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
    C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
    C:\WINDOWS\system32\verclsid.exe
    .
    **************************************************************************
    .
    Completion time: 2008-08-18 18:32:14 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-08-18 16:32:10

    Pre-Run: 207,006,863,360 bytes free
    Post-Run: 207,796,740,096 byte ledigt

    213 --- E O F --- 2008-08-10 18:36:01


    And the HJT Log:


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 18:36:45, on 2008-08-18
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16674)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    C:\Program Files\Creative\VoiceCenter\AndreaVC.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe
    C:\Program Files\Eset\nod32kui.exe
    C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Dell Support\DSAgnt.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Personal\bin\Personal.exe
    C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
    C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.se/ig/dell?hl=sv&client=dell-row&channel=se&ibd=5070110
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www1.euro.dell.com/content/default.aspx?c=se&l=sv&s=gen
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://desktop.google.com/uninstall-feedback.html?hl=sv
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O2 - BHO: Windows Live inloggningshjälpen - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
    O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
    O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
    O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    O4 - HKLM\..\Run: [VoiceCenter] "C:\Program Files\Creative\VoiceCenter\AndreaVC.exe" /tray
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [RemoteControl] C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe"
    O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
    O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Personal.lnk = C:\Program Files\Personal\bin\Personal.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1200731159281
    O16 - DPF: {8F48147B-78D9-40F9-ACC0-BDDE59B246F4} (AccountHelper Class) - https://safe.tele2.com/inc/accounthelper.cab
    O20 - AppInit_DLLs: xzprfz.dll udumcm.dll
    O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Belkin Wireless USB Network Adapter (Belkin Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
    O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
    O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe

    --
    End of file - 7908 bytes
     
  10. 2oldGeek

    2oldGeek Active member

    Joined:
    Jun 16, 2005
    Messages:
    3,701
    Likes Received:
    39
    Trophy Points:
    78
    Hey freeme,

    Open Notepad - it must be Notepad, not Wordpad.
    Copy the text below in the quote box by highlighting all the text with your mouse and pressing Ctrl+C



    Go to the Notepad window and click Edit > Paste
    Then click File > Save
    Name the file "CFScript.txt" (including the quotes)
    Save the file to your Desktop


    [​IMG]


    Referring to the picture above, drag CFScript into ComboFix.exe

    This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.


    2OG
     
    Last edited: Aug 18, 2008
  11. 2oldGeek

    2oldGeek Active member

    Joined:
    Jun 16, 2005
    Messages:
    3,701
    Likes Received:
    39
    Trophy Points:
    78
    Hey freeme,

    I had to edit that last post so don't use it unless it says it was edited.. or do it again.
     
  12. freeme

    freeme Member

    Joined:
    Aug 17, 2008
    Messages:
    19
    Likes Received:
    0
    Trophy Points:
    11
    Before you told me to rename Combofix.exe to Combo-fix.exe
    dragging the txt-file i just made starts the program but it ends again complaining on the renamed filename. Do I change the name back to the original?

    Thanx for sticking by me on this one!
     
  13. 2oldGeek

    2oldGeek Active member

    Joined:
    Jun 16, 2005
    Messages:
    3,701
    Likes Received:
    39
    Trophy Points:
    78
    HuH? I've never had it complain before.

    Whatever, I don't see anything in the log that will complain, so change and give it a try.

    There's more that one way to skin a cat, if someone objects. lol
     
  14. freeme

    freeme Member

    Joined:
    Aug 17, 2008
    Messages:
    19
    Likes Received:
    0
    Trophy Points:
    11
    It wanted me to use only aphanumerics in the filename so i renamed it CombopFix and it worked. The result says:


    ComboFix 08-08-17.03 - Administrator 2008-08-18 21:01:01.2 - NTFSx86 NETWORK
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1685 [GMT 2:00]
    Running from: C:\Documents and Settings\Administrator\Desktop\CombopFix.exe
    Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

    FILE ::
    C:\WINDOWS\system32\1E26776674.sys
    C:\WINDOWS\system32\E8CBD9B60D.sys
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\system32\1E26776674.sys
    C:\WINDOWS\system32\E8CBD9B60D.sys

    .
    ((((((((((((((((((((((((( Files Created from 2008-07-18 to 2008-08-18 )))))))))))))))))))))))))))))))
    .

    2008-08-18 07:17 . 2008-08-18 17:51 <KAT> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-08-17 21:20 . 2008-08-17 21:20 <KAT> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-08-17 21:20 . 2008-08-17 21:20 <KAT> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
    2008-08-17 21:20 . 2008-08-17 15:01 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
    2008-08-17 21:20 . 2008-08-17 15:01 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
    2008-08-17 16:06 . 2007-09-06 10:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
    2008-08-17 16:06 . 2006-04-28 03:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
    2008-08-17 16:06 . 2008-05-29 19:35 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
    2008-08-17 16:06 . 2008-05-19 07:40 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
    2008-08-17 16:06 . 2008-08-12 04:07 82,432 --a------ C:\WINDOWS\system32\IEDFix.C.exe
    2008-08-17 16:06 . 2008-08-10 01:37 82,432 --a------ C:\WINDOWS\system32\404Fix.exe
    2008-08-17 16:06 . 2003-06-06 07:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
    2008-08-17 16:06 . 2004-08-01 04:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
    2008-08-17 16:06 . 2007-10-04 10:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
    2008-08-17 15:41 . 2008-08-17 15:41 <KAT> d-------- C:\Program Files\CCleaner
    2008-08-17 15:34 . 2008-08-17 15:34 <KAT> d-------- C:\Program Files\VS Revo Group
    2008-08-17 15:28 . 2008-08-17 15:28 <KAT> d-------- C:\Program Files\Trend Micro
    2008-08-17 14:43 . 2008-08-17 14:43 <KAT> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2008-08-17 14:39 . 2008-08-18 19:35 <KAT> d-------- C:\Program Files\Spybot - Search & Destroy
    2008-08-17 14:39 . 2008-08-18 19:34 <KAT> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-08-17 14:28 . 2008-08-17 16:06 4,062 --a------ C:\WINDOWS\system32\tmp.reg
    2008-08-17 12:16 . 2008-08-17 12:16 <KAT> d-------- C:\Program Files\Common Files\Download Manager
    2008-08-17 12:16 . 2005-09-23 07:29 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
    2008-08-17 11:28 . 2008-08-17 11:28 347 --a------ C:\WINDOWS\CTWave32.INI
    2008-08-17 11:27 . 2008-08-17 11:27 29 --a------ C:\WINDOWS\sfbm.INI
    2008-08-15 22:57 . 2008-08-15 22:57 <KAT> d-------- C:\Documents and Settings\Administrator\Application Data\Vso
    2008-08-15 22:57 . 2008-08-15 22:57 81,920 --a------ C:\Documents and Settings\Administrator\Application Data\ezpinst.exe
    2008-08-15 22:57 . 2008-08-15 22:57 47,360 --a------ C:\Documents and Settings\Administrator\Application Data\pcouffin.sys
    2008-08-14 02:54 . 2008-08-14 02:54 <KAT> d--hs---- C:\$RECYCLE.BIN
    2008-08-13 20:30 . 2008-08-13 20:30 <KAT> d-------- C:\Documents and Settings\Administrator\cbt
    2008-08-13 20:30 . 2008-08-13 20:30 <KAT> d-------- C:\Documents and Settings\Administrator\Application Data\Netscape
    2008-08-13 20:29 . 2008-08-13 20:30 <KAT> d-------- C:\Documents and Settings\Administrator\Application Data\Personal
    2008-08-12 21:12 . 2008-08-12 21:12 <KAT> d-------- C:\Documents and Settings\ANN-BRITT\Application Data\TmpRecentIcons
    2008-08-12 21:01 . 2008-08-12 21:01 <KAT> d-------- C:\Documents and Settings\DRAGAN\Application Data\TmpRecentIcons
    2008-08-12 20:34 . 2008-08-12 20:34 <KAT> d-------- C:\Program Files\Sun

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-08-17 13:56 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-08-17 13:38 --------- d-----w C:\Program Files\Activision
    2008-08-17 13:34 --------- d-----w C:\Program Files\VS Revo Group
    2008-08-17 12:43 --------- d-----w C:\Documents and Settings\DRAGAN\Application Data\Lavasoft
    2008-08-17 11:26 --------- d-----w C:\Program Files\Common Files\Symantec Shared
    2008-08-17 10:24 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
    2008-08-17 10:10 --------- d-----w C:\Program Files\Norton Security Scan
    2008-08-17 09:28 --------- d-----w C:\Program Files\Creative
    2008-08-15 21:08 --------- d-----w C:\Program Files\Professor Franklin
    2008-08-15 21:07 --------- d-----w C:\Program Files\LimeWire
    2008-08-15 21:06 --------- d-----w C:\Program Files\SuperGOO
    2008-08-15 21:01 --------- d-----w C:\Program Files\Google
    2008-08-15 20:59 --------- d-----w C:\Program Files\GemMaster
    2008-08-15 20:57 --------- d-----w C:\Program Files\vso
    2008-08-15 20:57 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Vso
    2008-08-12 18:34 --------- d-----w C:\Program Files\Java
    2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
    2008-06-20 17:41 245,248 ------w C:\WINDOWS\system32\dllcache\mswsock.dll
    2008-06-20 17:41 148,992 ----a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
    2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
    2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\dllcache\tcpip.sys
    2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
    2008-06-20 10:44 138,368 ------w C:\WINDOWS\system32\dllcache\afd.sys
    2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
    2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\dllcache\tcpip6.sys
    2008-06-15 08:35 63,488 ----a-w C:\WINDOWS\xobglu16.dll
    2008-06-15 08:35 53,002 ----a-w C:\WINDOWS\xobglu32.dll
    2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\dllcache\bthport.sys
    2008-05-31 20:48 9,024 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
    2007-09-24 16:53 81,920 ----a-w C:\Documents and Settings\DRAGAN\Application Data\ezpinst.exe
    2007-09-24 16:53 47,360 ----a-w C:\Documents and Settings\DRAGAN\Application Data\pcouffin.sys
    2007-01-08 19:12 32 ----a-r C:\Documents and Settings\All Users\hash.dat
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 07:00 15360]
    "DellSupport"="C:\Program Files\Dell Support\DSAgnt.exe" [2006-08-28 23:57 395776]
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-11-16 20:04 139264]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 16:01 67584]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
    "IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 09:15 151552]
    "ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 19:41 45056]
    "DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 05:12 94208]
    "VoiceCenter"="C:\Program Files\Creative\VoiceCenter\AndreaVC.exe" [2006-02-16 11:20 1118208]
    "ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 18:50 221184]
    "ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 18:50 81920]
    "RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 20:42 32768]
    "DiskeeperSystray"="C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2006-10-04 13:38 163840]
    "NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 16:40 155648]
    "Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe" [2006-09-14 08:55 61440]
    "MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe" [2005-05-10 17:04 11776]
    "nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-06-06 17:42 950664]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-10 07:00 15360]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Personal.lnk - C:\Program Files\Personal\bin\Personal.exe [2007-12-17 19:13:30 722728]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
    "InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    SecurityProviders msapsspc.dllschannel.dlldigest.dllmsnsspc.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\Dell Network Assistant\\ezi_hnm2.exe"=
    "C:\\Program Files\\Messenger\\msmsgs.exe"=
    "C:\\Program Files\\Adobe\\Photoshop Elements 5.0\\AdobePhotoshopElementsMediaServer.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "10421:UDP"= 10421:UDP:SingleClick Discovery Protocol
    "10426:UDP"= 10426:UDP:SingleClick ICC

    S2 hnmwrlspkt;HomeNet Manager Wireless Protocol;C:\WINDOWS\system32\DRIVERS\hnm_wrls_pkt.sys [2006-07-14 03:01]
    S2 wsppkt;Wireless Security Protocol;C:\WINDOWS\system32\DRIVERS\wsp_pkt.sys [2006-07-14 03:02]
    S3 NAL;Nal Service ;C:\WINDOWS\system32\Drivers\iqvw32.sys [2006-06-05 05:39]

    *Newly Created Service* - CATCHME
    .
    Contents of the 'Scheduled Tasks' folder

    2008-06-22 C:\WINDOWS\Tasks\Norton Security Scan.job
    - C:\Program Files\Norton Security Scan\Nss.exe [2008-01-09 05:08]
    .
    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-08-18 21:03:38
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-08-18 21:04:46
    ComboFix-quarantined-files.txt 2008-08-18 19:04:38
    ComboFix2.txt 2008-08-18 16:32:15

    Pre-Run: 207,871,209,472 bytes free
    Post-Run: 207,860,260,864 byte ledigt

    157 --- E O F --- 2008-08-10 18:36:01






    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 21:05:35, on 2008-08-18
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16674)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    C:\Program Files\Creative\VoiceCenter\AndreaVC.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
    C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
    C:\WINDOWS\system32\notepad.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.se/ig/dell?hl=sv&client=dell-row&channel=se&ibd=5070110
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www1.euro.dell.com/content/default.aspx?c=se&l=sv&s=gen
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://desktop.google.com/uninstall-feedback.html?hl=sv
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O2 - BHO: Windows Live inloggningshjälpen - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
    O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
    O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
    O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    O4 - HKLM\..\Run: [VoiceCenter] "C:\Program Files\Creative\VoiceCenter\AndreaVC.exe" /tray
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [RemoteControl] C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe"
    O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
    O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Personal.lnk = C:\Program Files\Personal\bin\Personal.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1200731159281
    O16 - DPF: {8F48147B-78D9-40F9-ACC0-BDDE59B246F4} (AccountHelper Class) - https://safe.tele2.com/inc/accounthelper.cab
    O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Belkin Wireless USB Network Adapter (Belkin Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
    O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
    O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe

    --
    End of file - 6903 bytes
     
  15. 2oldGeek

    2oldGeek Active member

    Joined:
    Jun 16, 2005
    Messages:
    3,701
    Likes Received:
    39
    Trophy Points:
    78
    @freeme, that’s beautiful.. How’s it acting, no pop-ups I hope.

    That is a new version of combofix, I guess they changed it without my permission. Now I'll have to change my speech. : )

    Let me know, How it Goes, and I’ll give you a few final tasks to perform : 0
     
  16. freeme

    freeme Member

    Joined:
    Aug 17, 2008
    Messages:
    19
    Likes Received:
    0
    Trophy Points:
    11
    Thanks a lot for the help. The computer now runs just fine in normal mode. Though my NOD antivirus does not work anymore. Cant communicate with the kernel service. Though I don't think it's legit programme. And I only get a error message on the webpage when trying to run windowsupdate or microsoftupdate. The windows should be legit.

    Now what's the best protection for my friend regarding AV and Firewall?

     
  17. freeme

    freeme Member

    Joined:
    Aug 17, 2008
    Messages:
    19
    Likes Received:
    0
    Trophy Points:
    11
    Still no Pop-ups or anything but trying to update the Adobe reader i got the response that this has been prohobited by the system administrator. I'm running in Administrator account. Isn't that weird?
     
  18. 2oldGeek

    2oldGeek Active member

    Joined:
    Jun 16, 2005
    Messages:
    3,701
    Likes Received:
    39
    Trophy Points:
    78
    Congratulations freeme, your log now looks CLEAN [​IMG]


    Things to do:

    Install a firewall – see below.

    Get XP SP3 -> HERE

    For an AntiVirus I recommend Avira Antivir, excellent AV, I use it.
    And if you can’t live with the Nag Screens – google avira antivir nag disable – oh, I didn’t say that… [​IMG]



    Hhere are a few other things you must do once you are completely clean:

    1. Time for some housekeeping

    Please download the OTMoveIt2 by OldTimer

    Save it to your desktop.
    Run the tool by clicking on the icon.
    • Click the Cleanup button.

    • The tools that we used as well as this one will be removed from your system.
    This will also cleanup the leftover tools where you have ran smidfraudfix.



    2. Please download ATF Cleaner by Atribune.
    This program is for XP and Windows 2000 only


    Double-click ATF-Cleaner.exe to run the program.

    • Under Main "Select Files to Delete" choose: Select All.
    • Click the Empty Selected button.

    • If you use Firefox browser click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.

    • If you use Opera browser click Opera at the top and choose: Select All
    • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.

    • Click Exit on the Main menu to close the program.




    3. Now Set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

    The easiest and safest way to do this is:

    • Go to Start > Programs > Accessories > System Tools and click "System Restore".

    • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.

    • Then go to Start > Run and type: Cleanmgr
    • Click "OK"
    Select the drive you want to clean usually C:
    Click OK
    When it completes the scan:
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.



    4. Defragment your Hard Drive

    1.Open My Computer.
    2.Right-click the local disk volume that you want to defragment, and then click Properties.
    3.On the Tools tab, click Defragment Now.
    4.Click Defragment.




    And here are some tips to reduce the potential for spyware infection in the future:


    It is critical that you use a firewall to protect your computer from hackers. We don't recommend the firewall that comes built in to Windows. It doesn't block everything that may try to get in, and the entire firewall is written to the registry. As various kinds of malware hack the Registry in order to disable the Windows firewall, it's far preferable to install one of the excellent third party solutions. Two good ones are are Comodo Free and Online Armor Personal Firewall
    I have recently changed my firewall to Comodo, love it and highly recommend it..

    Make sure you keep your Windows OS current by visiting Windows update
    regularly to download and install any critical updates and service packs. With out these you are leaving the backdoor open.

    I strongly recommend installing the following applications:


    To protect your machine, I highly recommend BOClean. It’s FREE and it works. I use it and never get one of these infections.

    In order to prevent the installation of Trojans and Malware on your machine:
    Download and install: http://www.comodo.com/boclean/boclean.html ]Comodo BOClean[/url]

    Comodo BOClean protects your computer against trojans, malware and other threats. It constantly scans your system in the background and intercepts any recognized trojan activity. The program can ask the user what to do, or run in unattended mode and automatically shutdown and remove any suspected trojan application. Comodo BOClean currently supports more than 59000 malware items and offers automatic daily updates. Other features include updating via network share, tamper protection and stealth mode.

    Spywareblaster <= SpywareBlaster will prevent spyware from being installed.


    MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know Malware sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer



    Enjoy your clean computer. Any questions?

    The oldgeek knows how to get the bugs out…. Oops, missed one..[​IMG]



    2OG
     
  19. freeme

    freeme Member

    Joined:
    Aug 17, 2008
    Messages:
    19
    Likes Received:
    0
    Trophy Points:
    11
    2OG you are my new idol! =)
    Though since my friends kids are using the computer is there a swedish version of SP3 that I can find?
    EDIT: And I doubleposted earlier. Did you see both?
     
    Last edited: Aug 18, 2008
  20. 2oldGeek

    2oldGeek Active member

    Joined:
    Jun 16, 2005
    Messages:
    3,701
    Likes Received:
    39
    Trophy Points:
    78
    Sometimes these viruses mess with the system files.

    Go to > Start > run in the box type sfc /scannow

    Click OK

    Let it run, it takes a while. If it finds corrupt system files it will repair them.

    If it asks for a system CD, I hope you have one. It may find the files on your HD in C:\windows\i386 if it’s there..
     

Share This Page