
[Closed] Hjt Logfile


  • This topic is locked
14 replies to this topic

#1 RobinT

RobinT

    New Member

  • Authentic Member
  • 7 posts

Posted 11 September 2007 - 11:26 AM

So my computer's pretty screwed up and I'd appreciate any help... Here's the log:

Logfile of HijackThis v1.99.1
Scan saved at 19:18:03, on 2007-09-11
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program\Internet Explorer\iexplore.exe
D:\Program\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\Explorer.EXE
D:\Program\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program\Internet Explorer\iexplore.exe
D:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [Norman ZANDA] C:\Norman\bin\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [DAEMON Tools-1033] "D:\Program\DaemonTools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Program\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Futuremark] C:\WINDOWS\twain_32.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE
O4 - HKCU\..\Run: [msnmsgr] "C:\Program\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\RunOnce: [SetDefaultMIDI] MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy'
O4 - HKCU\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program\DELADE~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: Eqxorqm - C:\WINDOWS\SYSTEM32\Eqxorqm.dll
O20 - Winlogon Notify: partnershipreg - C:\Documents and Settings\All Users\Dokument\Settings\partnership.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O21 - SSODL: kAlkSAu - {8041F3DF-2AEB-5975-35AB-CAEE89B6FCC1} - C:\WINDOWS\system32\shkpd.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program\Delade filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\Program\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program\Canon\CAL\CALMAIN.exe
O23 - Service: Creative Service for CDROM Access - Unknown owner - C:\WINDOWS\system32\CTsvcCDA.EXE (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program\iPod\bin\iPodService.exe
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\Norman\Nvc\BIN\nipsvc.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\Norman\bin\NJEEVES.EXE
O23 - Service: Norman ZANDA - Unknown owner - C:\Norman\Bin\Zanda.exe
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Norman\Nvc\bin\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman Data Defense Systems - C:\Norman\Nvc\BIN\NVCSCHED.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program\Delade filer\PCSuite\Services\ServiceLayer.exe

Right...well thanks again
Robin



#2 ken545

ken545

    Forum God

  • Retired Classroom Teacher
  • 23,225 posts
  • Interests:Fighting Malware and cooking some great Italian and TexMex food
  • MVP

Posted 16 September 2007 - 07:20 AM

Hello RobinT,

Welcome to the forum. What I would like you to do is delete your current copy of HJT and download and install the newer version by Trend Micro.

Download and install Trend Micro's HijackThis

Download the Trend Micro HijackThis installer, follow the defaults and it will install in C:\Program Files\Trendmicro\Hijackthis, and this is exactly where we want it to be.
  • Open HJT, Scan and Save a Log File; it will open in Notepad
  • Go to Format and make sure Word Wrap is unchecked
  • Go to Edit > Select All, then Edit > Copy, and paste the new log into this thread using Post Reply, not by starting a new thread.
DO NOT have HijackThis fix anything yet. Most of what it finds will be harmless or even required.

THIS IS IMPORTANT
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe <-- Right-click on HijackThis.exe (it looks like a man with a spyglass) and rename it to Scanner.exe

Before you post a new log, do this: go to Start > Run, type in msconfig, and on the General tab make sure Normal Startup is selected. Reboot your computer and post the new HJT log, please.

 
 
The forum is staffed by volunteers who donate their time and expertise.
If you feel you have been helped, please consider a donation.

Just a reminder that threads will be closed if no reply in 3 days.

#3 RobinT

RobinT

    New Member

  • Authentic Member
  • 7 posts

Posted 18 September 2007 - 12:19 PM

Hi... Thanks for helping me...but there's one thing I forgot to mention. I have to start the computer in failsafe-mode (I think that's what it's called in English) because it jams when I try to open a user (where it says "reading personal settings" or something like that). So the Hjt-scan is done in failsafe-mode... Is this going to be a problem or can I follow your instructions in failsafe as well?

#4 ken545

ken545

    Forum God

  • Retired Classroom Teacher
  • 23,225 posts
  • Interests:Fighting Malware and cooking some great Italian and TexMex food
  • MVP

Posted 18 September 2007 - 03:41 PM

Hello Robin,

Since you're having problems, let's bypass the Trend Micro log for the time being and I will just use your old one. I need you to run this program. If you can't download it on this computer, you can download it on another one, copy it to a CD and transfer it to this computer.

Download ComboFix from Here or Here to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post the ComboFix log and a HijackThis log in your next reply
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall


Ken :)

Edited by ken545, 18 September 2007 - 04:01 PM.


 
 

#5 RobinT

RobinT

    New Member

  • Authentic Member
  • 7 posts

Posted 20 September 2007 - 10:57 AM

Hi Ken
So how's things where you live?
How are the wife and kids? Car's running ok?
Hehe, no seriously...here is the Combofix log followed by a new Hjt log.



ComboFix 07-09-20.1 - "Robin" 2007-09-20 18:24:36.1 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1053.18.1771 [GMT 2:00]
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\.protected
C:\DOCUME~1\Jocke\APPLIC~1\Microsoft\25319.dat
C:\DOCUME~1\Mia\APPLIC~1\WinAntiVirus Pro 2006
C:\DOCUME~1\Robin\APPLIC~1\Microsoft\25319.dat
C:\Program\Ultimate Defender
C:\Program\Ultimate Defender\Uninstall.exe
C:\WINDOWS\.protected
C:\WINDOWS\fnts~1
C:\WINDOWS\fnts~1\F?nts\
C:\WINDOWS\system32\drivers\alert_icon.gif
C:\WINDOWS\system32\drivers\close_icon.gif
C:\WINDOWS\system32\drivers\detect.htm
C:\WINDOWS\system32\drivers\etc\.protected
C:\WINDOWS\system32\drivers\header_bg.gif
C:\WINDOWS\system32\drivers\icon_warning.gif
C:\WINDOWS\system32\drivers\KJH38.sys
C:\WINDOWS\system32\drivers\perfect_cleaner_box.jpg
C:\WINDOWS\system32\drivers\pt.htm
C:\WINDOWS\system32\drivers\remove_spyware_button.gif
C:\WINDOWS\system32\drivers\s_detect.htm
C:\WINDOWS\system32\drivers\secuity_center_logo.gif
C:\WINDOWS\system32\drivers\spy_away_box.jpg
C:\WINDOWS\system32\drivers\symavc32.sys
C:\WINDOWS\system32\drivers\v.gif
C:\WINDOWS\system32\drivers\x.gif
C:\WINDOWS\system32\gtv_sd.bin
C:\WINDOWS\system32\KB_963491.exe
C:\WINDOWS\system32\KB04080293.exe
C:\WINDOWS\system32\KB37368731.exe
C:\WINDOWS\system32\KB49334087.exe
C:\WINDOWS\system32\L2C30.tmp.exe
C:\WINDOWS\system32\L822B.tmp.exe
C:\WINDOWS\system32\sl.bin
C:\WINDOWS\system32\stera.log
C:\WINDOWS\temp\salm.exe
C:\WINDOWS\wpcjmd.log

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_FOPN
-------\LEGACY_FWSVC
-------\LEGACY_KJH38
-------\LEGACY_MSUPDATE
-------\LEGACY_NPF
-------\LEGACY_RUNTIME
-------\LEGACY_RUNTIME2
-------\LEGACY_SMTPDRV
-------\LEGACY_VSPF
-------\LEGACY_VSPF_HK
-------\syssrv


((((((((((((((((((((((((( Files Created from 2007-08-20 to 2007-09-20 )))))))))))))))))))))))))))))))
.

2007-09-20 18:23 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-10 21:33 <KAT> d-------- C:\DOCUME~1\ADMINI~1\Contacts
2007-09-09 22:45 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-09-09 22:43 <KAT> d---s---- C:\DOCUME~1\ADMINI~1\UserData
2007-09-09 22:34 <KAT> dr------- C:\DOCUME~1\ADMINI~1\Start-meny
2007-09-09 22:34 <KAT> dr------- C:\DOCUME~1\ADMINI~1\Mina dokument
2007-09-09 22:34 <KAT> d--h----- C:\DOCUME~1\ADMINI~1\Skrivare
2007-09-09 22:34 <KAT> d--h----- C:\DOCUME~1\ADMINI~1\Nätverket
2007-09-09 22:34 <KAT> d-------- C:\DOCUME~1\ADMINI~1\Skrivbord
2007-09-09 22:33 765,952 --a------ C:\DOCUME~1\ADMINI~1\CRLDS3D.DLL
2007-09-09 22:33 <KAT> dr------- C:\DOCUME~1\ADMINI~1\Favoriter
2007-09-09 22:33 <KAT> d--h----- C:\DOCUME~1\ADMINI~1\Mallar
2007-09-09 22:33 <KAT> d--h----- C:\DOCUME~1\ADMINI~1\Lokala inställningar
2007-09-09 00:42 46,329 --a------ C:\WINDOWS\ygefgtrr.exe
2007-09-07 19:02 45,102 --a------ C:\WINDOWS\debgfrfd.exe
2007-09-07 18:58 72,438 --a------ C:\WINDOWS\uygregtrds.exe
2007-09-07 18:58 71,352 --a------ C:\WINDOWS\wewfgrtr.exe
2007-09-07 18:58 70,965 --a------ C:\WINDOWS\tfgtrere.exe
2007-09-07 18:42 57,856 --a------ C:\WINDOWS\system32\DEVRE.dll
2007-09-07 18:42 17,280 C:\WINDOWS\system32\drivers\ompjiili.sys
2007-09-07 18:32 41,472 --a------ C:\WINDOWS\system32\smswqjwq.dll
2007-09-07 14:37 72,954 --a------ C:\WINDOWS\yrfefef.exe
2007-09-07 14:37 71,401 --a------ C:\WINDOWS\ewtrefe.exe
2007-09-06 23:25 15,984 --ahs---- C:\WINDOWS\system32\mssrv32.exe
2007-09-05 14:40 <KAT> d-------- C:\Program\WC3Banlist
2007-09-05 13:39 23,616 --a------ C:\WINDOWS\system32\O1dh23k6.exe
2007-09-02 12:09 679,936 --a------ C:\WINDOWS\system32\D3DX81ab.dll
2007-09-01 20:13 <KAT> d-------- C:\DOCUME~1\Robin\APPLIC~1\Talkback
2007-08-31 12:41 26,176 --a------ C:\WINDOWS\system32\1gC3KmUj.exe
2007-08-30 18:32 <KAT> d-------- C:\Program\TPTEST5
2007-08-26 14:06 <KAT> d-------- C:\DOCUME~1\Mia\APPLIC~1\Talkback
2007-08-25 05:36 1,132 --a------ C:\WINDOWS\mozver.dat
2007-08-25 05:05 0 --a------ C:\WINDOWS\nsreg.dat
2007-08-22 21:49 <KAT> d-------- C:\Program\id Software

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-09 22:34 --------- d-------- C:\DOCUME~1\Jocke\APPLIC~1\Lavasoft
2007-09-08 21:36 --------- d-------- C:\DOCUME~1\Mia\APPLIC~1\Skype
2007-09-07 21:12 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SecTaskMan
2007-09-02 15:03 163644 --a------ C:\WINDOWS\system32\drivers\secdrv.sys
2007-09-02 14:56 --------- d--h----- C:\Program\InstallShield Installation Information
2007-08-19 22:45 --------- d-------- C:\DOCUME~1\Mia\APPLIC~1\Apple Computer
2007-08-19 21:40 --------- d-------- C:\Program\QuickTime
2007-08-19 21:40 --------- d-------- C:\Program\iTunes
2007-08-19 21:40 --------- d-------- C:\Program\iPod
2007-08-19 21:40 --------- d-------- C:\Program\Apple Software Update
2007-08-19 21:40 --------- d-------- C:\DOCUME~1\Jocke\APPLIC~1\Apple Computer
2007-08-19 21:40 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple Computer
2007-08-19 21:39 --------- d-------- C:\Program\Delade filer\Apple
2007-08-19 21:39 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
2007-08-17 15:28 --------- d-------- C:\Program\CAPCOM
2006-01-24 16:46 765952 --a------ C:\WINDOWS\system32\config\system~1\CRLDS3D.DLL
2006-01-24 16:46 765952 --a------ C:\DOCUME~1\Robin\CRLDS3D.DLL
2006-01-24 16:46 765952 --a------ C:\DOCUME~1\Mia\CRLDS3D.DLL
2006-01-24 16:46 765952 --a------ C:\DOCUME~1\Jocke\CRLDS3D.DLL
2006-01-24 16:46 765952 --a------ C:\DOCUME~1\DEFAUL~1\CRLDS3D.DLL
2006-08-06 13:36:58 2 --shatr C:\WINDOWS\winstart.bat
2004-08-04 12:00:00 45,102 --sh--r C:\WINDOWS\system32\advfvdds.exe
2004-08-04 12:00:00 88,898 --sh--r C:\WINDOWS\system32\advminev.exe
2004-08-04 12:00:00 45,102 --sh--r C:\WINDOWS\system32\dlltsnll.exe
2004-08-04 12:00:00 54,991 --sh--r C:\WINDOWS\system32\drvdniix.exe
2004-08-04 12:00:00 71,401 --sh--r C:\WINDOWS\system32\eddesp.exe
2004-08-04 12:00:00 70,965 --sh--r C:\WINDOWS\system32\filsemd.exe
2004-08-04 12:00:00 45,102 --sh--r C:\WINDOWS\system32\igffyccv.exe
2004-08-04 12:00:00 90,540 --sh--r C:\WINDOWS\system32\netoxzzr.exe
2004-08-04 12:00:00 72,954 --sh--r C:\WINDOWS\system32\psncc32.exe
2004-08-04 12:00:00 72,438 --sh--r C:\WINDOWS\system32\sdvlibswr.exe
2004-08-04 12:00:00 71,352 --sh--r C:\WINDOWS\system32\vmddnst.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AudioDrvEmulator"="C:\Program\Creative\Shared Files\Module Loader\DLLML.exe" [2005-06-16 19:25]
"Norman ZANDA"="C:\Norman\bin\ZLH.exe" [2006-05-31 11:22]
"DAEMON Tools-1033"="D:\Program\DaemonTools\daemon.exe" [2004-08-22 17:05]
"QuickTime Task"="C:\Program\QuickTime\QTTask.exe" [2007-06-29 06:24]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-12-01 14:02]
"nwiz"="nwiz.exe" [2005-12-01 14:02 C:\WINDOWS\system32\nwiz.exe]
"CTHelper"="CTHELPER.EXE" [2005-08-08 07:10 C:\WINDOWS\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2005-08-08 07:10 C:\WINDOWS\system32\CTXFIHLP.EXE]
"SoundMan"="SOUNDMAN.EXE" [2005-08-17 19:39 C:\WINDOWS\SOUNDMAN.EXE]
"iTunesHelper"="C:\Program\iTunes\iTunesHelper.exe" [2007-08-15 20:15]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 14:00]
"!AVG Anti-Spyware"="D:\Program\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 11:25]
"Futuremark"="C:\WINDOWS\twain_32.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 14:00]
"msnmsgr"="C:\Program\MSN Messenger\msnmsgr.exe" [2007-01-19 12:55]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"SetDefaultMIDI"=MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy'
"tscuninstall"=%systemroot%\system32\tscupgrd.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"SetDefaultMIDI"=MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy'
"tscuninstall"=%systemroot%\system32\tscupgrd.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{0B5F7FDF-0717-45BF-B49D-695F3168C7FE}"= blank [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"kAlkSAu"= {8041F3DF-2AEB-5975-35AB-CAEE89B6FCC1} - C:\WINDOWS\system32\shkpd.dll [2004-08-04 14:00 32768]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Eqxorqm]
Eqxorqm.dll 2004-08-04 14:00 60416 C:\WINDOWS\system32\Eqxorqm.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\partnershipreg]
C:\Documents and Settings\All Users\Dokument\Settings\partnership.dll 2007-09-06 20:33 14341 C:\Documents and Settings\All Users\Dokument\Settings\partnership.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start-meny^Program^Autostart^.protected]
path=C:\Documents and Settings\All Users\Start-meny\Program\Autostart\.protected
backup=C:\WINDOWS\pss\.protectedCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Jocke^Start-meny^Program^Autostart^Registration Brothers In Arms.LNK]
path=C:\Documents and Settings\Jocke\Start-meny\Program\Autostart\Registration Brothers In Arms.LNK
backup=C:\WINDOWS\pss\Registration Brothers In Arms.LNKStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Robin^Start-meny^Program^Autostart^.protected]
path=C:\Documents and Settings\Robin\Start-meny\Program\Autostart\.protected
backup=C:\WINDOWS\pss\.protectedStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\5f3773d6.exe]
C:\Documents and Settings\Jocke\Lokala inställningar\Application Data\5f3773d6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\9fbd639d.exe]
C:\Documents and Settings\Jocke\Lokala inställningar\Application Data\9fbd639d.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
CTHELPER.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTxfiHlp]
CTXFIHLP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]
"D:\Program\DaemonTools\daemon.exe" -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mnec]
"C:\WINDOWS\FNTS~1\javaw.exe" -vt yazb

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
"C:\Program\MSN Messenger\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
C:\Program\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PcSync]
C:\Program\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RCSystem]
"C:\Program\Creative\Shared Files\Module Loader\DLLML.exe" RCSystem * -Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
"C:\Program\Steam\Steam.exe" -silent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tqnhs]
C:\WINDOWS\F?nts\r?ndll32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
C:\WINDOWS\UpdReg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VolPanel]
"C:\Program\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
D:\Program\Winamp\winampa.exe

R0 mmntupqk;mmntupqk;C:\WINDOWS\system32\drivers\ompjiili.sys
R3 PRISM_A00;CREATIX 802.11g Driver;C:\WINDOWS\system32\DRIVERS\PRISMA00.sys
S2 DP1112;DP1112;\??\C:\WINDOWS\system32\Drivers\DP.sys
S2 Ndiskio;Ndiskio;\??\C:\Norman\Nse\bin\NDISKIO.SYS
S2 nvcap;nVidia WDM Video Capture (universal);C:\WINDOWS\system32\DRIVERS\nvcap.sys
S2 NVXBAR;nVidia WDM A/V Crossbar;C:\WINDOWS\system32\DRIVERS\NVxbar.sys
S3 ha20x2k;Creative 20X HAL Driver;C:\WINDOWS\system32\drivers\ha20x2k.sys
S3 nvcfsr;nvcfsr;\??\C:\Norman\Nvc\bin\nvcfsr.sys
S3 nvcoafl51;nvcoafl51;\??\C:\Norman\Nvc\bin\nvcoafl51.sys
S3 nvcoaft51;nvcoaft51;\??\C:\Norman\Nvc\bin\nvcoaft51.sys
S3 nvcoarc51;nvcoarc51;\??\C:\Norman\Nvc\bin\nvcoarc51.sys
S3 nvcoas;Norman Virus Control on-access component;C:\Norman\Nvc\bin\nvcoas.exe
S3 NVCScheduler;Norman Virus Control Scheduler;C:\Norman\Nvc\BIN\NVCSCHED.EXE
S3 RegGuard;RegGuard;\??\C:\WINDOWS\system32\Drivers\regguard.sys


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\L]
AutoRun\command- L:\Setup\rsrc\Autorun.exe
dinstall\command- L:\Directx\dxsetup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\N]
AutoRun\command- N:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\O]
AutoRun\command- O:\launcher.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-09-08 23:00:00 C:\WINDOWS\Tasks\At26.job"
- C:\WINDOWS\system32\1gC3KmUj.exe
"2007-09-09 00:00:00 C:\WINDOWS\Tasks\At27.job"
- C:\WINDOWS\system32\1gC3KmUj.exe
"2007-09-09 01:00:00 C:\WINDOWS\Tasks\At28.job"
- C:\WINDOWS\system32\1gC3KmUj.exe
"2007-09-08 02:03:00 C:\WINDOWS\Tasks\At29.job"
- C:\WINDOWS\system32\1gC3KmUj.exe
"2007-09-08 03:03:00 C:\WINDOWS\Tasks\At30.job"
- C:\WINDOWS\system32\1gC3KmUj.exe
"2007-09-12 04:00:00 C:\WINDOWS\Tasks\At31.job"
- C:\WINDOWS\system32\1gC3KmUj.exe
"2007-09-12 05:00:00 C:\WINDOWS\Tasks\At32.job"
- C:\WINDOWS\system32\1gC3KmUj.exe
"2007-09-07 06:01:00 C:\WINDOWS\Tasks\At33.job"
- C:\WINDOWS\system32\1gC3KmUj.exe
"2007-09-07 07:01:00 C:\WINDOWS\Tasks\At34.job"
- C:\WINDOWS\system32\1gC3KmUj.exe
"2007-09-07 08:01:38 C:\WINDOWS\Tasks\At35.job"
"2007-09-07 09:01:00 C:\WINDOWS\Tasks\At36.job"
- C:\WINDOWS\system32\1gC3KmUj.exe
"2007-09-07 10:01:00 C:\WINDOWS\Tasks\At37.job"
- C:\WINDOWS\system32\1gC3KmUj.exe
"2007-09-17 11:00:00 C:\WINDOWS\Tasks\At38.job"
- C:\WINDOWS\system32\1gC3KmUj.exe
"2007-09-17 12:00:00 C:\WINDOWS\Tasks\At39.job"
"2007-09-17 13:00:00 C:\WINDOWS\Tasks\At40.job"
- C:\WINDOWS\system32\1gC3KmUj.exe
"2007-09-17 14:00:00 C:\WINDOWS\Tasks\At41.job"
- C:\WINDOWS\system32\1gC3KmUj.exe
"2007-09-17 15:00:00 C:\WINDOWS\Tasks\At42.job"
- C:\WINDOWS\system32\1gC3KmUj.exe
"2007-09-09 16:00:00 C:\WINDOWS\Tasks\At43.job"
- C:\WINDOWS\system32\1gC3KmUj.exe
"2007-09-09 17:00:00 C:\WINDOWS\Tasks\At44.job"
- C:\WINDOWS\system32\1gC3KmUj.exe
"2007-09-10 18:00:00 C:\WINDOWS\Tasks\At45.job"
- C:\WINDOWS\system32\1gC3KmUj.exe
"2007-09-09 19:00:00 C:\WINDOWS\Tasks\At46.job"
- C:\WINDOWS\system32\1gC3KmUj.exe
"2007-09-09 20:00:00 C:\WINDOWS\Tasks\At47.job"
- C:\WINDOWS\system32\1gC3KmUj.exe
"2007-09-08 21:00:00 C:\WINDOWS\Tasks\At48.job"
- C:\WINDOWS\system32\1gC3KmUj.exe
"2007-09-06 22:01:57 C:\WINDOWS\Tasks\At49.job"
- C:\WINDOWS\system32\O1dh23k6.exe
"2007-09-08 23:00:00 C:\WINDOWS\Tasks\At50.job"
"2007-09-09 00:00:00 C:\WINDOWS\Tasks\At51.job"
- C:\WINDOWS\system32\O1dh23k6.exe
"2007-09-09 01:00:00 C:\WINDOWS\Tasks\At52.job"
- C:\WINDOWS\system32\O1dh23k6.exe
"2007-09-08 02:03:00 C:\WINDOWS\Tasks\At53.job"
- C:\WINDOWS\system32\O1dh23k6.exe
"2007-09-08 03:03:00 C:\WINDOWS\Tasks\At54.job"
"2007-09-12 04:00:00 C:\WINDOWS\Tasks\At55.job"
- C:\WINDOWS\system32\O1dh23k6.exe
"2007-09-12 05:00:00 C:\WINDOWS\Tasks\At56.job"
- C:\WINDOWS\system32\O1dh23k6.exe
"2007-09-07 06:01:00 C:\WINDOWS\Tasks\At57.job"
- C:\WINDOWS\system32\O1dh23k6.exe
"2007-09-07 07:01:00 C:\WINDOWS\Tasks\At58.job"
- C:\WINDOWS\system32\O1dh23k6.exe
"2007-09-07 08:01:38 C:\WINDOWS\Tasks\At59.job"
"2007-09-07 09:01:00 C:\WINDOWS\Tasks\At60.job"
- C:\WINDOWS\system32\O1dh23k6.exe
"2007-09-07 10:01:00 C:\WINDOWS\Tasks\At61.job"
"2007-09-17 11:00:00 C:\WINDOWS\Tasks\At62.job"
- C:\WINDOWS\system32\O1dh23k6.exe
"2007-09-17 12:00:00 C:\WINDOWS\Tasks\At63.job"
- C:\WINDOWS\system32\O1dh23k6.exe
"2007-09-17 13:00:00 C:\WINDOWS\Tasks\At64.job"
- C:\WINDOWS\system32\O1dh23k6.exe
"2007-09-17 14:00:00 C:\WINDOWS\Tasks\At65.job"
"2007-09-17 15:00:00 C:\WINDOWS\Tasks\At66.job"
- C:\WINDOWS\system32\O1dh23k6.exe
"2007-09-09 16:00:00 C:\WINDOWS\Tasks\At67.job"
- C:\WINDOWS\system32\O1dh23k6.exe
"2007-09-09 17:00:00 C:\WINDOWS\Tasks\At68.job"
- C:\WINDOWS\system32\O1dh23k6.exe
"2007-09-10 18:00:00 C:\WINDOWS\Tasks\At69.job"
"2007-09-09 19:00:00 C:\WINDOWS\Tasks\At70.job"
- C:\WINDOWS\system32\O1dh23k6.exe
"2007-09-09 20:00:00 C:\WINDOWS\Tasks\At71.job"
- C:\WINDOWS\system32\O1dh23k6.exe
"2007-09-08 21:00:00 C:\WINDOWS\Tasks\At72.job"
- C:\WINDOWS\system32\O1dh23k6.exe
"2007-09-17 15:23:00 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-20 18:43:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
SetDefaultMIDI = MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy'?

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-20 18:45:23 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-20 18:45
.
--- E O F ---




Logfile of HijackThis v1.99.1
Scan saved at 18:52, on 2007-09-20
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program\Internet Explorer\IEXPLORE.EXE
D:\Program\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\Explorer.EXE
C:\Program\internet explorer\iexplore.exe
D:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [Norman ZANDA] C:\Norman\bin\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [DAEMON Tools-1033] "D:\Program\DaemonTools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Program\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Futuremark] C:\WINDOWS\twain_32.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE
O4 - HKCU\..\Run: [msnmsgr] "C:\Program\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\RunOnce: [SetDefaultMIDI] MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy'
O4 - HKCU\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program\DELADE~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: Eqxorqm - C:\WINDOWS\SYSTEM32\Eqxorqm.dll
O20 - Winlogon Notify: partnershipreg - C:\Documents and Settings\All Users\Dokument\Settings\partnership.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O21 - SSODL: kAlkSAu - {8041F3DF-2AEB-5975-35AB-CAEE89B6FCC1} - C:\WINDOWS\system32\shkpd.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program\Delade filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\Program\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program\Canon\CAL\CALMAIN.exe
O23 - Service: Creative Service for CDROM Access - Unknown owner - C:\WINDOWS\system32\CTsvcCDA.EXE (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program\iPod\bin\iPodService.exe
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\Norman\Nvc\BIN\nipsvc.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\Norman\bin\NJEEVES.EXE
O23 - Service: Norman ZANDA - Unknown owner - C:\Norman\Bin\Zanda.exe
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Norman\Nvc\bin\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman Data Defense Systems - C:\Norman\Nvc\BIN\NVCSCHED.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program\Delade filer\PCSuite\Services\ServiceLayer.exe
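The two logs above are what the helper reads to decide what to remove next. As an added example, not part of this thread and not code from HijackThis, ComboFix or Trend Micro, here is a small Python triage script that does the two things a reader does by eye: it splits HijackThis entries into their section codes and flags the load points the helpers here concentrate on (Winlogon Notify, SSODL, services with no owner or a missing binary, autoruns sitting in the Windows folder root), and it groups the ComboFix "Scheduled Tasks" entries by the executable they launch, so that dozens of At*.job lines collapse into one line per target. The sample inputs are constructed from the shape of the logs posted in this thread, and the flagging rules are this example's own heuristics, not any tool's verdict.

```python
import re
from collections import defaultdict

# Constructed sample input: a few lines in the HijackThis v1.99 log format,
# modelled on the logs posted in this thread.
SAMPLE_HJT_LOG = r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Futuremark] C:\WINDOWS\twain_32.exe
O20 - Winlogon Notify: Eqxorqm - C:\WINDOWS\SYSTEM32\Eqxorqm.dll
O21 - SSODL: kAlkSAu - {8041F3DF-2AEB-5975-35AB-CAEE89B6FCC1} - C:\WINDOWS\system32\shkpd.dll
O23 - Service: Creative Service for CDROM Access - Unknown owner - C:\WINDOWS\system32\CTsvcCDA.EXE (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Constructed sample input: the "Scheduled Tasks" block of a ComboFix log,
# in the two-line form seen in the thread (job line, then "- target").
# At35.job deliberately has no target line, as several jobs in the thread do.
SAMPLE_COMBOFIX_TASKS = r"""
"2007-09-08 23:00:00 C:\WINDOWS\Tasks\At26.job"
- C:\WINDOWS\system32\1gC3KmUj.exe
"2007-09-09 00:00:00 C:\WINDOWS\Tasks\At27.job"
- C:\WINDOWS\system32\1gC3KmUj.exe
"2007-09-07 08:01:38 C:\WINDOWS\Tasks\At35.job"
"2007-09-06 22:01:57 C:\WINDOWS\Tasks\At49.job"
- C:\WINDOWS\system32\O1dh23k6.exe
"""

# "O4 - HKLM\..\Run: [...]" -> code "O4", body "HKLM\..\Run: [...]"
HJT_LINE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.*)$")
# '"2007-09-08 23:00:00 C:\WINDOWS\Tasks\At26.job"' -> job "At26.job"
JOB_LINE = re.compile(r'^"[\d-]+ [\d:]+ (?P<path>.*\\(?P<job>[^\\]+\.job))"$')
# An O4 command whose executable sits directly in C:\WINDOWS (no subfolder)
WINDOWS_ROOT_EXE = re.compile(r'\]\s+"?C:\\WINDOWS\\[^\\"]+\.exe', re.I)


def parse_hjt(text):
    """Split each HijackThis entry into its section code and body."""
    entries = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def triage_hjt(text):
    """Return (code, body, reason) for the entries a helper would look at first.

    Heuristics (this example's own, assumed): O20 and O21 load a DLL at
    logon, so every entry there needs its DLL identified; an O23 service
    with no known owner or a missing binary, and an O4 autorun whose
    executable lives in the Windows folder root, are the other usual suspects.
    """
    flagged = []
    for code, body in parse_hjt(text):
        reason = None
        if code in ("O20", "O21"):
            reason = "logon-time DLL load point: identify the DLL"
        elif code == "O23" and ("Unknown owner" in body or "(file missing)" in body):
            reason = "service with unknown owner or missing binary"
        elif code == "O4" and WINDOWS_ROOT_EXE.search(body):
            reason = "autorun executable sitting in the Windows folder root"
        if reason:
            flagged.append((code, body, reason))
    return flagged


def group_scheduled_tasks(text):
    """Map each task target to the .job files that launch it.

    Jobs whose target line is absent are grouped under the key None.
    """
    groups = defaultdict(list)
    pending_job = None  # job line seen, target line not yet seen
    for line in text.splitlines():
        line = line.strip()
        m = JOB_LINE.match(line)
        if m:
            if pending_job is not None:
                groups[None].append(pending_job)  # previous job had no target
            pending_job = m.group("job")
        elif line.startswith("- ") and pending_job is not None:
            groups[line[2:].strip()].append(pending_job)
            pending_job = None
    if pending_job is not None:
        groups[None].append(pending_job)
    return dict(groups)


if __name__ == "__main__":
    for code, body, reason in triage_hjt(SAMPLE_HJT_LOG):
        print(f"{code}: {reason}\n    {body}")
    for target, jobs in group_scheduled_tasks(SAMPLE_COMBOFIX_TASKS).items():
        print(f"{target or '(no target listed)'}: {', '.join(jobs)}")
```

On the thread's own ComboFix log the grouping step reduces forty-odd At*.job lines to two targets in system32 plus the jobs with no target listed, which is the view that matters when deciding what to clean up. The O4 rule is a rough one: a legitimate program can live under C:\WINDOWS, so the output is a reading list, not a verdict.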

#6 ken545

ken545

    Forum God

  • Retired Classroom Teacher
  • 23,225 posts
  • Interests:Fighting Malware and cooking some great Italian and TexMex food
  • MVP

Posted 20 September 2007 - 11:53 AM

ComboFix removed quite a bit. I need you to run this program and post the report, then I need you to follow the instructions for removing HJT and installing the updated version; I also need you to rename it. After you do that with Trend Micro, you should be able to boot to normal Windows and post a new HJT log.

There is still some bad stuff in your Combo log that needs to be removed, I will have to go over that this evening.

Please download SuperAntiSpyware
Install the program
  • Run SuperAntiSpyware and click: Check for updates
  • Once the update is finished, on the main screen, click: Scan your computer
  • Check: Perform Complete Scan
  • Click Next to start the scan.
SuperAntiSpyware scans the computer and, when finished, lists all the infections found.
Make sure everything found has a check next to it, and press: Next
Then, click Finish

It is possible that the program asks to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
  • Click: Preferences
  • Click the Statistics/Logs tab
  • Under Scanner Logs, double-click SuperAntiSpyware Scan Log
It opens in your default text editor (such as Notepad)

Please provide the SuperAntiSpyware log in your reply, as well as a new HijackThis log.

 
 
The forum is staffed by volunteers who donate their time and expertise.
If you feel you have been helped, please consider a donation.
donate.gif
 
Find us on Facebook
Please LIKE and SHARE
 
 
Just a reminder that threads will be closed if no reply in 3 days.

#7 RobinT

    New Member

  • Authentic Member
  • 7 posts

Posted 26 September 2007 - 11:03 AM

Hi Ken, I haven't been online for a while, sorry to keep you waiting... So, I tried to install SuperAntiSpyware like you wrote, but Windows tells me that "Windows Installer" cannot be used in failsafe mode (even though I am using the admin account, but maybe that doesn't make a difference in this case) and I still can't boot to normal Windows. Don't know if I've missed something here?

#8 ken545

    Forum God

  • Retired Classroom Teacher
  • 23,225 posts
  • Interests: Fighting Malware and cooking some great Italian and TexMex food
  • MVP

Posted 26 September 2007 - 12:03 PM

We need to make sure all hidden files are showing :
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide file extensions for known types option.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.
Once your system is clean, we suggest that you reverse this to keep critical Windows files from accidentally being deleted.


You can download this right to your desktop.

Download VundoFix to your desktop
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

Go to the Tasks folder and delete any and all entries having anything to do with At26.job, regardless of the number:
C:\WINDOWS\Tasks\At26.job

This is important
D:\HijackThis\HijackThis.exe <-- Go here and right-click on the HJT icon and rename it to Scanner.exe


Post the Vundo log and a new HJT log (from the renamed HJT), please. You still have quite a few malware files on your computer that may be the cause of your problems; let's see what Vundo removes, and whatever is left we can remove manually.

 
 

#9 RobinT

    New Member

  • Authentic Member
  • 7 posts

Posted 27 September 2007 - 11:24 AM

Hi Ken,

VundoFix didn't find anything to remove but I'm posting the log anyway...

"VundoFix V6.5.9
Checking Java version...
Sun Java not detected
Scan started at 19:06:21 2007-09-27

Listing files found while scanning....

No infected files were found.

Beginning removal..."

...and here's the new, renamed Hjt log.

Logfile of HijackThis v1.99.1
Scan saved at 19:16, on 2007-09-27
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program\Internet Explorer\IEXPLORE.EXE
D:\Program\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\Explorer.EXE
C:\Program\internet explorer\iexplore.exe
C:\Program\MSN Messenger\msnmsgr.exe
D:\HijackThis\Scanner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BhoApp Class - {0CB66BA8-5E1F-4963-93D1-E1D6B78FE9A2} - C:\WINDOWS\system32\bho.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [Norman ZANDA] C:\Norman\bin\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [DAEMON Tools-1033] "D:\Program\DaemonTools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Program\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Futuremark] C:\WINDOWS\twain_32.exe
O4 - HKLM\..\Run: [Windows Framework] C:\WINDOWS\TEMP\frmwrk.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE
O4 - HKCU\..\Run: [msnmsgr] "C:\Program\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\RunOnce: [SetDefaultMIDI] MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy'
O4 - HKCU\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program\DELADE~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: Eqxorqm - C:\WINDOWS\SYSTEM32\Eqxorqm.dll
O20 - Winlogon Notify: partnershipreg - C:\Documents and Settings\All Users\Dokument\Settings\partnership.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O21 - SSODL: kAlkSAu - {8041F3DF-2AEB-5975-35AB-CAEE89B6FCC1} - C:\WINDOWS\system32\shkpd.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program\Delade filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\Program\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program\Canon\CAL\CALMAIN.exe
O23 - Service: Creative Service for CDROM Access - Unknown owner - C:\WINDOWS\system32\CTsvcCDA.EXE (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program\iPod\bin\iPodService.exe
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\Norman\Nvc\BIN\nipsvc.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\Norman\bin\NJEEVES.EXE
O23 - Service: Norman ZANDA - Unknown owner - C:\Norman\Bin\Zanda.exe
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Norman\Nvc\bin\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman Data Defense Systems - C:\Norman\Nvc\BIN\NVCSCHED.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program\Delade filer\PCSuite\Services\ServiceLayer.exe

#10 ken545

    Forum God

  • Retired Classroom Teacher
  • 23,225 posts
  • Interests: Fighting Malware and cooking some great Italian and TexMex food
  • MVP

Posted 27 September 2007 - 06:05 PM

Hey Robin,

Lets do this.

Open HijackThis > Do a System Scan Only. Close your browser and all open windows; the only program or window you should have open is HijackThis. Check the following entries and click on Fix Checked.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

O2 - BHO: BhoApp Class - {0CB66BA8-5E1F-4963-93D1-E1D6B78FE9A2} - C:\WINDOWS\system32\bho.dll

O4 - HKLM\..\Run: [Windows Framework] C:\WINDOWS\TEMP\frmwrk.exe

O20 - Winlogon Notify: Eqxorqm - C:\WINDOWS\SYSTEM32\Eqxorqm.dll
O20 - Winlogon Notify: partnershipreg - C:\Documents and Settings\All Users\Dokument\Settings\partnership.dll

O21 - SSODL: kAlkSAu - {8041F3DF-2AEB-5975-35AB-CAEE89B6FCC1} - C:\WINDOWS\system32\shkpd.dll





Please download OTMoveIt by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\TEMP\frmwrk.exe
    C:\WINDOWS\system32\bho.dll
    C:\WINDOWS\SYSTEM32\Eqxorqm.dll
    C:\WINDOWS\system32\shkpd.dll
    C:\Documents and Settings\All Users\Dokument\Settings\partnership.dll

  • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
  • Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.



Please download ATF Cleaner by Atribune to your desktop.
  • This program is for XP and Windows 2000 only
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
Your system may start up slower after running ATF Cleaner; this is expected, but it will be back to normal after the first or second boot-up.


Let me see the OTMoveIt log and a new HJT log, please.

 
 

#11 RobinT

    New Member

  • Authentic Member
  • 7 posts

Posted 02 October 2007 - 11:47 AM

Hey

There's been some progress!
After I ran OTMoveIt I can log in to normal Windows again, and the first thing that happened was that the MSConfig menu popped up and asked if I wanted to switch to normal startup, as you wrote in a previous reply, so I did.
I also unchecked the Hide file extensions for known types option and the Hide protected operating system files (recommended) option, since they had both changed back to being checked after I logged on to my own account.

Another thing: when I signed in, a window popped up telling me that the file ".protected" cannot be opened since Windows doesn't know what program created it.
I was supposed to choose between an automatic search on the internet or choosing from a list of programs on my computer...

Ok here's the OtMoveIt log


C:\WINDOWS\TEMP\frmwrk.exe moved successfully.
File/Folder C:\WINDOWS\system32\bho.dll not found.
LoadLibrary failed for C:\WINDOWS\SYSTEM32\Eqxorqm.dll
C:\WINDOWS\SYSTEM32\Eqxorqm.dll NOT unregistered.
File move failed. C:\WINDOWS\SYSTEM32\Eqxorqm.dll scheduled to be moved on reboot.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\shkpd.dll
C:\WINDOWS\system32\shkpd.dll NOT unregistered.
File move failed. C:\WINDOWS\system32\shkpd.dll scheduled to be moved on reboot.
LoadLibrary failed for C:\Documents and Settings\All Users\Dokument\Settings\partnership.dll
C:\Documents and Settings\All Users\Dokument\Settings\partnership.dll NOT unregistered.
File move failed. C:\Documents and Settings\All Users\Dokument\Settings\partnership.dll scheduled to be moved on reboot.

Created on 09-28-2007 18:03:14



...followed by a new Hjt log


Logfile of HijackThis v1.99.1
Scan saved at 19:33, on 2007-10-02
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program\Delade filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
D:\Program\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\Program\Creative\Shared Files\Module Loader\DLLML.exe
C:\Norman\bin\ZLH.EXE
D:\Program\DaemonTools\daemon.exe
C:\Program\QuickTime\qttask.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program\iTunes\iTunesHelper.exe
D:\Program\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\WINDOWS\system32\dlltsnll.exe
C:\WINDOWS\system32\drvdniix.exe
C:\WINDOWS\system32\filsemd.exe
C:\WINDOWS\system32\vmddnst.exe
C:\WINDOWS\system32\psncc32.exe
C:\WINDOWS\system32\sdvlibswr.exe
C:\WINDOWS\system32\eddesp.exe
D:\Program\Winamp\winampa.exe
C:\Program\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe
C:\Program\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\Program\MSN Messenger\msnmsgr.exe
C:\Program\iPod\bin\iPodService.exe
C:\Program\Delade filer\PCSuite\Services\ServiceLayer.exe
C:\Program\Creative\ShareDLL\CADI\NotiMan.exe
C:\Program\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Program\DELADE~1\Nokia\MPAPI\MPAPI3s.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program\Mozilla Firefox\firefox.exe
D:\HijackThis\Scanner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.helgon.net/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [Norman ZANDA] C:\Norman\bin\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [DAEMON Tools-1033] "D:\Program\DaemonTools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Program\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Futuremark] C:\WINDOWS\twain_32.exe
O4 - HKLM\..\Run: [rtksw32] C:\WINDOWS\system32\dlltsnll.exe
O4 - HKLM\..\Run: [hdcoplt] C:\WINDOWS\system32\drvdniix.exe
O4 - HKLM\..\Run: [nbkarts] C:\WINDOWS\system32\filsemd.exe
O4 - HKLM\..\Run: [vtdlpse] C:\WINDOWS\system32\vmddnst.exe
O4 - HKLM\..\Run: [adlhidp] C:\WINDOWS\system32\psncc32.exe
O4 - HKLM\..\Run: [trivisls] C:\WINDOWS\system32\sdvlibswr.exe
O4 - HKLM\..\Run: [lcuise] C:\WINDOWS\system32\eddesp.exe
O4 - HKLM\..\Run: [WinampAgent] D:\Program\Winamp\winampa.exe
O4 - HKLM\..\Run: [VolPanel] "C:\Program\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [RCSystem] "C:\Program\Creative\Shared Files\Module Loader\DLLML.exe" RCSystem * -Startup
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [rtksw32] C:\WINDOWS\system32\dlltsnll.exe
O4 - HKCU\..\Run: [vtdlpse] C:\WINDOWS\system32\vmddnst.exe
O4 - HKCU\..\Run: [trivisls] C:\WINDOWS\system32\sdvlibswr.exe
O4 - HKCU\..\Run: [adlhidp] C:\WINDOWS\system32\psncc32.exe
O4 - HKCU\..\Run: [isrdmcc] KB04080293.exe
O4 - HKCU\..\Run: [lcuise] C:\WINDOWS\system32\eddesp.exe
O4 - HKCU\..\Run: [trbetil] fxsabyij.exe
O4 - HKCU\..\Run: [nbkarts] C:\WINDOWS\system32\filsemd.exe
O4 - HKCU\..\Run: [ocdkram] dllffpdb.exe
O4 - HKCU\..\Run: [hdcoplt] C:\WINDOWS\system32\drvdniix.exe
O4 - HKCU\..\Run: [Tqnhs] C:\WINDOWS\F?nts\r?ndll32.exe
O4 - HKCU\..\Run: [swg] C:\Program\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Steam] "C:\Program\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [PcSync] C:\Program\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [Mnec] "C:\WINDOWS\FNTS~1\javaw.exe" -vt yazb
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [9fbd639d.exe] C:\Documents and Settings\Jocke\Lokala inställningar\Application Data\9fbd639d.exe
O4 - HKCU\..\Run: [5f3773d6.exe] C:\Documents and Settings\Jocke\Lokala inställningar\Application Data\5f3773d6.exe
O4 - Startup: .protected
O4 - Global Startup: .protected
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program\DELADE~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: Eqxorqm - Eqxorqm.dll (file missing)
O20 - Winlogon Notify: partnershipreg - C:\Documents and Settings\All Users\Dokument\Settings\partnership.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O21 - SSODL: kAlkSAu - {8041F3DF-2AEB-5975-35AB-CAEE89B6FCC1} - C:\WINDOWS\system32\shkpd.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program\Delade filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\Program\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program\Canon\CAL\CALMAIN.exe
O23 - Service: Creative Service for CDROM Access - Unknown owner - C:\WINDOWS\system32\CTsvcCDA.EXE (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program\iPod\bin\iPodService.exe
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\Norman\Nvc\BIN\nipsvc.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\Norman\bin\NJEEVES.EXE
O23 - Service: Norman ZANDA - Unknown owner - C:\Norman\Bin\Zanda.exe
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Norman\Nvc\bin\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman Data Defense Systems - C:\Norman\Nvc\BIN\NVCSCHED.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program\Delade filer\PCSuite\Services\ServiceLayer.exe
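The entries ken545 picked out earlier, and the much longer list in the log just posted, are sorted by eye. The script below is added here as an illustration; it is not code from HijackThis, ComboFix, OTMoveIt or any other tool named in this thread. It encodes a few of those judgment calls as checks run over HijackThis-style lines: an image under TEMP, a '?' in a path (the way a folder name with a non-ASCII character, such as F?nts, is rendered in these logs), a Windows-Update-style KBnnnnnnn.exe name in a Run key, one loader registered under both HKLM and HKCU, a Winlogon Notify package outside a short allowlist, any ShellServiceObjectDelayLoad entry, a service with no vendor string, and entries whose file is already gone. The sample lines are copied from logs in this thread; the allowlist of Winlogon Notify packages (the ones a stock XP SP2 install registers, plus WgaLogon) is an assumption of the example and should be extended per environment.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: lines of the kind posted in this thread, legitimate
# vendor entries mixed with the random-named loaders.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Framework] C:\WINDOWS\TEMP\frmwrk.exe
O4 - HKLM\..\Run: [rtksw32] C:\WINDOWS\system32\dlltsnll.exe
O4 - HKCU\..\Run: [rtksw32] C:\WINDOWS\system32\dlltsnll.exe
O4 - HKCU\..\Run: [isrdmcc] KB04080293.exe
O4 - HKCU\..\Run: [Tqnhs] C:\WINDOWS\F?nts\r?ndll32.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: Eqxorqm - C:\WINDOWS\SYSTEM32\Eqxorqm.dll
O20 - Winlogon Notify: partnershipreg - C:\Documents and Settings\All Users\Dokument\Settings\partnership.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O21 - SSODL: kAlkSAu - {8041F3DF-2AEB-5975-35AB-CAEE89B6FCC1} - C:\WINDOWS\system32\shkpd.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\Norman\bin\NJEEVES.EXE
"""

O4_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run(?:Once)?: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$')
O20_RE = re.compile(r'^O20 - Winlogon Notify: (?P<pkg>\S+) - (?P<path>.*)$')
O21_RE = re.compile(r'^O21 - SSODL: ')
O23_RE = re.compile(r'^O23 - Service: (?P<svc>.+?) - (?P<owner>.+?) - (?P<path>.+)$')

# Assumed allowlist: Winlogon Notify packages registered by a stock XP SP2
# install plus the WGA notifier. Illustrative only; extend per environment.
NOTIFY_ALLOW = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon", "wgalogon"}


@dataclass(frozen=True)
class Finding:
    rule: str   # which heuristic fired
    line: str   # the log line (or, for dual_hive_run, the image path)


def image_path(cmd: str) -> str:
    """Return the executable part of a Run-key command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    m = re.match(r'(.+?\.(?:exe|dll|scr|com|bat))(?:\s|$)', cmd, re.I)
    return m.group(1) if m else cmd.split()[0]


def triage(text: str) -> list:
    """Run the heuristics over HijackThis-style lines; every hit is a lead, not a verdict."""
    findings = []
    seen_hives = defaultdict(set)   # lower-cased image path -> hives it is registered under
    for line in text.strip().splitlines():
        line = line.strip()
        if "(file missing)" in line:
            findings.append(Finding("orphaned_entry", line))
        m = O4_RE.match(line)
        if m:
            path = image_path(m.group("cmd"))
            base = path.rsplit("\\", 1)[-1]
            seen_hives[path.lower()].add(m.group("hive"))
            if re.search(r'\\te?mp\\', path, re.I):
                findings.append(Finding("run_from_temp", line))
            if "?" in path:
                findings.append(Finding("non_ascii_path", line))
            if re.fullmatch(r'KB_?\d+\.exe', base, re.I):
                findings.append(Finding("hotfix_lookalike_name", line))
            continue
        m = O20_RE.match(line)
        if m and m.group("pkg").lower() not in NOTIFY_ALLOW:
            findings.append(Finding("unknown_winlogon_notify", line))
            continue
        if O21_RE.match(line):
            findings.append(Finding("ssodl_review", line))
            continue
        m = O23_RE.match(line)
        if m and m.group("owner") == "Unknown owner":
            findings.append(Finding("service_no_vendor", line))
    # The same loader persisted under both hives: legitimate software rarely does this.
    for path, hives in seen_hives.items():
        if hives >= {"HKLM", "HKCU"}:
            findings.append(Finding("dual_hive_run", path))
    return findings


def by_rule(findings) -> dict:
    """Group findings by rule name for a readable report."""
    out = defaultdict(list)
    for f in findings:
        out[f.rule].append(f.line)
    return dict(out)


if __name__ == "__main__":
    for rule, lines in sorted(by_rule(triage(SAMPLE_HJT)).items()):
        print(f"[{rule}]")
        for entry in lines:
            print("   ", entry)
```

The report groups hits by rule; each one is something to verify by hand, not a removal list. The script deliberately does not try to decide whether a value name like rtksw32 "looks random", which is the judgment a human log reader still supplies.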




#12 ken545

    Forum God

  • Retired Classroom Teacher
  • 23,225 posts
  • Interests: Fighting Malware and cooking some great Italian and TexMex food
  • MVP

Posted 02 October 2007 - 12:08 PM

Robin,

We are making some headway, but very slowly. No need to post the log in red; you're blinding me.

Delete Combofix and download the updated version.


Download ComboFix from Here or Here to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post the ComboFix log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

 
 

#13 RobinT

    New Member

  • Authentic Member
  • 7 posts

Posted 02 October 2007 - 04:21 PM

ComboFix 07-09-20.1 - "Robin" 2007-09-20 18:24:36.1 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1053.18.1771 [GMT 2:00]
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\.protected
C:\DOCUME~1\Jocke\APPLIC~1\Microsoft\25319.dat
C:\DOCUME~1\Mia\APPLIC~1\WinAntiVirus Pro 2006
C:\DOCUME~1\Robin\APPLIC~1\Microsoft\25319.dat
C:\Program\Ultimate Defender
C:\Program\Ultimate Defender\Uninstall.exe
C:\WINDOWS\.protected
C:\WINDOWS\fnts~1
C:\WINDOWS\fnts~1\F?nts\
C:\WINDOWS\system32\drivers\alert_icon.gif
C:\WINDOWS\system32\drivers\close_icon.gif
C:\WINDOWS\system32\drivers\detect.htm
C:\WINDOWS\system32\drivers\etc\.protected
C:\WINDOWS\system32\drivers\header_bg.gif
C:\WINDOWS\system32\drivers\icon_warning.gif
C:\WINDOWS\system32\drivers\KJH38.sys
C:\WINDOWS\system32\drivers\perfect_cleaner_box.jpg
C:\WINDOWS\system32\drivers\pt.htm
C:\WINDOWS\system32\drivers\remove_spyware_button.gif
C:\WINDOWS\system32\drivers\s_detect.htm
C:\WINDOWS\system32\drivers\secuity_center_logo.gif
C:\WINDOWS\system32\drivers\spy_away_box.jpg
C:\WINDOWS\system32\drivers\symavc32.sys
C:\WINDOWS\system32\drivers\v.gif
C:\WINDOWS\system32\drivers\x.gif
C:\WINDOWS\system32\gtv_sd.bin
C:\WINDOWS\system32\KB_963491.exe
C:\WINDOWS\system32\KB04080293.exe
C:\WINDOWS\system32\KB37368731.exe
C:\WINDOWS\system32\KB49334087.exe
C:\WINDOWS\system32\L2C30.tmp.exe
C:\WINDOWS\system32\L822B.tmp.exe
C:\WINDOWS\system32\sl.bin
C:\WINDOWS\system32\stera.log
C:\WINDOWS\temp\salm.exe
C:\WINDOWS\wpcjmd.log

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_FOPN
-------\LEGACY_FWSVC
-------\LEGACY_KJH38
-------\LEGACY_MSUPDATE
-------\LEGACY_NPF
-------\LEGACY_RUNTIME
-------\LEGACY_RUNTIME2
-------\LEGACY_SMTPDRV
-------\LEGACY_VSPF
-------\LEGACY_VSPF_HK
-------\syssrv


((((((((((((((((((((((((( Files Created from 2007-08-20 to 2007-09-20 )))))))))))))))))))))))))))))))
.

2007-09-20 18:23 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-10 21:33 <KAT> d-------- C:\DOCUME~1\ADMINI~1\Contacts
2007-09-09 22:45 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-09-09 22:43 <KAT> d---s---- C:\DOCUME~1\ADMINI~1\UserData
2007-09-09 22:34 <KAT> dr------- C:\DOCUME~1\ADMINI~1\Start-meny
2007-09-09 22:34 <KAT> dr------- C:\DOCUME~1\ADMINI~1\Mina dokument
2007-09-09 22:34 <KAT> d--h----- C:\DOCUME~1\ADMINI~1\Skrivare
2007-09-09 22:34 <KAT> d--h----- C:\DOCUME~1\ADMINI~1\Nätverket
2007-09-09 22:34 <KAT> d-------- C:\DOCUME~1\ADMINI~1\Skrivbord
2007-09-09 22:33 765,952 --a------ C:\DOCUME~1\ADMINI~1\CRLDS3D.DLL
2007-09-09 22:33 <KAT> dr------- C:\DOCUME~1\ADMINI~1\Favoriter
2007-09-09 22:33 <KAT> d--h----- C:\DOCUME~1\ADMINI~1\Mallar
2007-09-09 22:33 <KAT> d--h----- C:\DOCUME~1\ADMINI~1\Lokala inställningar
2007-09-09 00:42 46,329 --a------ C:\WINDOWS\ygefgtrr.exe
2007-09-07 19:02 45,102 --a------ C:\WINDOWS\debgfrfd.exe
2007-09-07 18:58 72,438 --a------ C:\WINDOWS\uygregtrds.exe
2007-09-07 18:58 71,352 --a------ C:\WINDOWS\wewfgrtr.exe
2007-09-07 18:58 70,965 --a------ C:\WINDOWS\tfgtrere.exe
2007-09-07 18:42 57,856 --a------ C:\WINDOWS\system32\DEVRE.dll
2007-09-07 18:42 17,280 C:\WINDOWS\system32\drivers\ompjiili.sys
2007-09-07 18:32 41,472 --a------ C:\WINDOWS\system32\smswqjwq.dll
2007-09-07 14:37 72,954 --a------ C:\WINDOWS\yrfefef.exe
2007-09-07 14:37 71,401 --a------ C:\WINDOWS\ewtrefe.exe
2007-09-06 23:25 15,984 --ahs---- C:\WINDOWS\system32\mssrv32.exe
2007-09-05 14:40 <KAT> d-------- C:\Program\WC3Banlist
2007-09-05 13:39 23,616 --a------ C:\WINDOWS\system32\O1dh23k6.exe
2007-09-02 12:09 679,936 --a------ C:\WINDOWS\system32\D3DX81ab.dll
2007-09-01 20:13 <KAT> d-------- C:\DOCUME~1\Robin\APPLIC~1\Talkback
2007-08-31 12:41 26,176 --a------ C:\WINDOWS\system32\1gC3KmUj.exe
2007-08-30 18:32 <KAT> d-------- C:\Program\TPTEST5
2007-08-26 14:06 <KAT> d-------- C:\DOCUME~1\Mia\APPLIC~1\Talkback
2007-08-25 05:36 1,132 --a------ C:\WINDOWS\mozver.dat
2007-08-25 05:05 0 --a------ C:\WINDOWS\nsreg.dat
2007-08-22 21:49 <KAT> d-------- C:\Program\id Software

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-09 22:34 --------- d-------- C:\DOCUME~1\Jocke\APPLIC~1\Lavasoft
2007-09-08 21:36 --------- d-------- C:\DOCUME~1\Mia\APPLIC~1\Skype
2007-09-07 21:12 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SecTaskMan
2007-09-02 15:03 163644 --a------ C:\WINDOWS\system32\drivers\secdrv.sys
2007-09-02 14:56 --------- d--h----- C:\Program\InstallShield Installation Information
2007-08-19 22:45 --------- d-------- C:\DOCUME~1\Mia\APPLIC~1\Apple Computer
2007-08-19 21:40 --------- d-------- C:\Program\QuickTime
2007-08-19 21:40 --------- d-------- C:\Program\iTunes
2007-08-19 21:40 --------- d-------- C:\Program\iPod
2007-08-19 21:40 --------- d-------- C:\Program\Apple Software Update
2007-08-19 21:40 --------- d-------- C:\DOCUME~1\Jocke\APPLIC~1\Apple Computer
2007-08-19 21:40 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple Computer
2007-08-19 21:39 --------- d-------- C:\Program\Delade filer\Apple
2007-08-19 21:39 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
2007-08-17 15:28 --------- d-------- C:\Program\CAPCOM
2006-01-24 16:46 765952 --a------ C:\WINDOWS\system32\config\system~1\CRLDS3D.DLL
2006-01-24 16:46 765952 --a------ C:\DOCUME~1\Robin\CRLDS3D.DLL
2006-01-24 16:46 765952 --a------ C:\DOCUME~1\Mia\CRLDS3D.DLL
2006-01-24 16:46 765952 --a------ C:\DOCUME~1\Jocke\CRLDS3D.DLL
2006-01-24 16:46 765952 --a------ C:\DOCUME~1\DEFAUL~1\CRLDS3D.DLL
2006-08-06 13:36:58 2 --shatr C:\WINDOWS\winstart.bat
2004-08-04 12:00:00 45,102 --sh--r C:\WINDOWS\system32\advfvdds.exe
2004-08-04 12:00:00 88,898 --sh--r C:\WINDOWS\system32\advminev.exe
2004-08-04 12:00:00 45,102 --sh--r C:\WINDOWS\system32\dlltsnll.exe
2004-08-04 12:00:00 54,991 --sh--r C:\WINDOWS\system32\drvdniix.exe
2004-08-04 12:00:00 71,401 --sh--r C:\WINDOWS\system32\eddesp.exe
2004-08-04 12:00:00 70,965 --sh--r C:\WINDOWS\system32\filsemd.exe
2004-08-04 12:00:00 45,102 --sh--r C:\WINDOWS\system32\igffyccv.exe
2004-08-04 12:00:00 90,540 --sh--r C:\WINDOWS\system32\netoxzzr.exe
2004-08-04 12:00:00 72,954 --sh--r C:\WINDOWS\system32\psncc32.exe
2004-08-04 12:00:00 72,438 --sh--r C:\WINDOWS\system32\sdvlibswr.exe
2004-08-04 12:00:00 71,352 --sh--r C:\WINDOWS\system32\vmddnst.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AudioDrvEmulator"="C:\Program\Creative\Shared Files\Module Loader\DLLML.exe" [2005-06-16 19:25]
"Norman ZANDA"="C:\Norman\bin\ZLH.exe" [2006-05-31 11:22]
"DAEMON Tools-1033"="D:\Program\DaemonTools\daemon.exe" [2004-08-22 17:05]
"QuickTime Task"="C:\Program\QuickTime\QTTask.exe" [2007-06-29 06:24]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-12-01 14:02]
"nwiz"="nwiz.exe" [2005-12-01 14:02 C:\WINDOWS\system32\nwiz.exe]
"CTHelper"="CTHELPER.EXE" [2005-08-08 07:10 C:\WINDOWS\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2005-08-08 07:10 C:\WINDOWS\system32\CTXFIHLP.EXE]
"SoundMan"="SOUNDMAN.EXE" [2005-08-17 19:39 C:\WINDOWS\SOUNDMAN.EXE]
"iTunesHelper"="C:\Program\iTunes\iTunesHelper.exe" [2007-08-15 20:15]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 14:00]
"!AVG Anti-Spyware"="D:\Program\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 11:25]
"Futuremark"="C:\WINDOWS\twain_32.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 14:00]
"msnmsgr"="C:\Program\MSN Messenger\msnmsgr.exe" [2007-01-19 12:55]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"SetDefaultMIDI"=MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy'
"tscuninstall"=%systemroot%\system32\tscupgrd.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"SetDefaultMIDI"=MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy'
"tscuninstall"=%systemroot%\system32\tscupgrd.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{0B5F7FDF-0717-45BF-B49D-695F3168C7FE}"= blank [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"kAlkSAu"= {8041F3DF-2AEB-5975-35AB-CAEE89B6FCC1} - C:\WINDOWS\system32\shkpd.dll [2004-08-04 14:00 32768]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Eqxorqm]
Eqxorqm.dll 2004-08-04 14:00 60416 C:\WINDOWS\system32\Eqxorqm.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\partnershipreg]
C:\Documents and Settings\All Users\Dokument\Settings\partnership.dll 2007-09-06 20:33 14341 C:\Documents and Settings\All Users\Dokument\Settings\partnership.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start-meny^Program^Autostart^.protected]
path=C:\Documents and Settings\All Users\Start-meny\Program\Autostart\.protected
backup=C:\WINDOWS\pss\.protectedCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Jocke^Start-meny^Program^Autostart^Registration Brothers In Arms.LNK]
path=C:\Documents and Settings\Jocke\Start-meny\Program\Autostart\Registration Brothers In Arms.LNK
backup=C:\WINDOWS\pss\Registration Brothers In Arms.LNKStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Robin^Start-meny^Program^Autostart^.protected]
path=C:\Documents and Settings\Robin\Start-meny\Program\Autostart\.protected
backup=C:\WINDOWS\pss\.protectedStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\5f3773d6.exe]
C:\Documents and Settings\Jocke\Lokala inställningar\Application Data\5f3773d6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\9fbd639d.exe]
C:\Documents and Settings\Jocke\Lokala inställningar\Application Data\9fbd639d.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
CTHELPER.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTxfiHlp]
CTXFIHLP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]
"D:\Program\DaemonTools\daemon.exe" -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mnec]
"C:\WINDOWS\FNTS~1\javaw.exe" -vt yazb

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
"C:\Program\MSN Messenger\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
C:\Program\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PcSync]
C:\Program\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RCSystem]
"C:\Program\Creative\Shared Files\Module Loader\DLLML.exe" RCSystem * -Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
"C:\Program\Steam\Steam.exe" -silent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tqnhs]
C:\WINDOWS\F?nts\r?ndll32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
C:\WINDOWS\UpdReg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VolPanel]
"C:\Program\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
D:\Program\Winamp\winampa.exe

R0 mmntupqk;mmntupqk;C:\WINDOWS\system32\drivers\ompjiili.sys
R3 PRISM_A00;CREATIX 802.11g Driver;C:\WINDOWS\system32\DRIVERS\PRISMA00.sys
S2 DP1112;DP1112;\??\C:\WINDOWS\system32\Drivers\DP.sys
S2 Ndiskio;Ndiskio;\??\C:\Norman\Nse\bin\NDISKIO.SYS
S2 nvcap;nVidia WDM Video Capture (universal);C:\WINDOWS\system32\DRIVERS\nvcap.sys
S2 NVXBAR;nVidia WDM A/V Crossbar;C:\WINDOWS\system32\DRIVERS\NVxbar.sys
S3 ha20x2k;Creative 20X HAL Driver;C:\WINDOWS\system32\drivers\ha20x2k.sys
S3 nvcfsr;nvcfsr;\??\C:\Norman\Nvc\bin\nvcfsr.sys
S3 nvcoafl51;nvcoafl51;\??\C:\Norman\Nvc\bin\nvcoafl51.sys
S3 nvcoaft51;nvcoaft51;\??\C:\Norman\Nvc\bin\nvcoaft51.sys
S3 nvcoarc51;nvcoarc51;\??\C:\Norman\Nvc\bin\nvcoarc51.sys
S3 nvcoas;Norman Virus Control on-access component;C:\Norman\Nvc\bin\nvcoas.exe
S3 NVCScheduler;Norman Virus Control Scheduler;C:\Norman\Nvc\BIN\NVCSCHED.EXE
S3 RegGuard;RegGuard;\??\C:\WINDOWS\system32\Drivers\regguard.sys


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\L]
AutoRun\command- L:\Setup\rsrc\Autorun.exe
dinstall\command- L:\Directx\dxsetup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\N]
AutoRun\command- N:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\O]
AutoRun\command- O:\launcher.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-09-08 23:00:00 C:\WINDOWS\Tasks\At26.job"
- C:\WINDOWS\system32\1gC3KmUj.exe
"2007-09-09 00:00:00 C:\WINDOWS\Tasks\At27.job"
- C:\WINDOWS\system32\1gC3KmUj.exe
"2007-09-09 01:00:00 C:\WINDOWS\Tasks\At28.job"
- C:\WINDOWS\system32\1gC3KmUj.exe
"2007-09-08 02:03:00 C:\WINDOWS\Tasks\At29.job"
- C:\WINDOWS\system32\1gC3KmUj.exe
"2007-09-08 03:03:00 C:\WINDOWS\Tasks\At30.job"
- C:\WINDOWS\system32\1gC3KmUj.exe
"2007-09-12 04:00:00 C:\WINDOWS\Tasks\At31.job"
- C:\WINDOWS\system32\1gC3KmUj.exe
"2007-09-12 05:00:00 C:\WINDOWS\Tasks\At32.job"
- C:\WINDOWS\system32\1gC3KmUj.exe
"2007-09-07 06:01:00 C:\WINDOWS\Tasks\At33.job"
- C:\WINDOWS\system32\1gC3KmUj.exe
"2007-09-07 07:01:00 C:\WINDOWS\Tasks\At34.job"
- C:\WINDOWS\system32\1gC3KmUj.exe
"2007-09-07 08:01:38 C:\WINDOWS\Tasks\At35.job"
"2007-09-07 09:01:00 C:\WINDOWS\Tasks\At36.job"
- C:\WINDOWS\system32\1gC3KmUj.exe
"2007-09-07 10:01:00 C:\WINDOWS\Tasks\At37.job"
- C:\WINDOWS\system32\1gC3KmUj.exe
"2007-09-17 11:00:00 C:\WINDOWS\Tasks\At38.job"
- C:\WINDOWS\system32\1gC3KmUj.exe
"2007-09-17 12:00:00 C:\WINDOWS\Tasks\At39.job"
"2007-09-17 13:00:00 C:\WINDOWS\Tasks\At40.job"
- C:\WINDOWS\system32\1gC3KmUj.exe
"2007-09-17 14:00:00 C:\WINDOWS\Tasks\At41.job"
- C:\WINDOWS\system32\1gC3KmUj.exe
"2007-09-17 15:00:00 C:\WINDOWS\Tasks\At42.job"
- C:\WINDOWS\system32\1gC3KmUj.exe
"2007-09-09 16:00:00 C:\WINDOWS\Tasks\At43.job"
- C:\WINDOWS\system32\1gC3KmUj.exe
"2007-09-09 17:00:00 C:\WINDOWS\Tasks\At44.job"
- C:\WINDOWS\system32\1gC3KmUj.exe
"2007-09-10 18:00:00 C:\WINDOWS\Tasks\At45.job"
- C:\WINDOWS\system32\1gC3KmUj.exe
"2007-09-09 19:00:00 C:\WINDOWS\Tasks\At46.job"
- C:\WINDOWS\system32\1gC3KmUj.exe
"2007-09-09 20:00:00 C:\WINDOWS\Tasks\At47.job"
- C:\WINDOWS\system32\1gC3KmUj.exe
"2007-09-08 21:00:00 C:\WINDOWS\Tasks\At48.job"
- C:\WINDOWS\system32\1gC3KmUj.exe
"2007-09-06 22:01:57 C:\WINDOWS\Tasks\At49.job"
- C:\WINDOWS\system32\O1dh23k6.exe
"2007-09-08 23:00:00 C:\WINDOWS\Tasks\At50.job"
"2007-09-09 00:00:00 C:\WINDOWS\Tasks\At51.job"
- C:\WINDOWS\system32\O1dh23k6.exe
"2007-09-09 01:00:00 C:\WINDOWS\Tasks\At52.job"
- C:\WINDOWS\system32\O1dh23k6.exe
"2007-09-08 02:03:00 C:\WINDOWS\Tasks\At53.job"
- C:\WINDOWS\system32\O1dh23k6.exe
"2007-09-08 03:03:00 C:\WINDOWS\Tasks\At54.job"
"2007-09-12 04:00:00 C:\WINDOWS\Tasks\At55.job"
- C:\WINDOWS\system32\O1dh23k6.exe
"2007-09-12 05:00:00 C:\WINDOWS\Tasks\At56.job"
- C:\WINDOWS\system32\O1dh23k6.exe
"2007-09-07 06:01:00 C:\WINDOWS\Tasks\At57.job"
- C:\WINDOWS\system32\O1dh23k6.exe
"2007-09-07 07:01:00 C:\WINDOWS\Tasks\At58.job"
- C:\WINDOWS\system32\O1dh23k6.exe
"2007-09-07 08:01:38 C:\WINDOWS\Tasks\At59.job"
"2007-09-07 09:01:00 C:\WINDOWS\Tasks\At60.job"
- C:\WINDOWS\system32\O1dh23k6.exe
"2007-09-07 10:01:00 C:\WINDOWS\Tasks\At61.job"
"2007-09-17 11:00:00 C:\WINDOWS\Tasks\At62.job"
- C:\WINDOWS\system32\O1dh23k6.exe
"2007-09-17 12:00:00 C:\WINDOWS\Tasks\At63.job"
- C:\WINDOWS\system32\O1dh23k6.exe
"2007-09-17 13:00:00 C:\WINDOWS\Tasks\At64.job"
- C:\WINDOWS\system32\O1dh23k6.exe
"2007-09-17 14:00:00 C:\WINDOWS\Tasks\At65.job"
"2007-09-17 15:00:00 C:\WINDOWS\Tasks\At66.job"
- C:\WINDOWS\system32\O1dh23k6.exe
"2007-09-09 16:00:00 C:\WINDOWS\Tasks\At67.job"
- C:\WINDOWS\system32\O1dh23k6.exe
"2007-09-09 17:00:00 C:\WINDOWS\Tasks\At68.job"
- C:\WINDOWS\system32\O1dh23k6.exe
"2007-09-10 18:00:00 C:\WINDOWS\Tasks\At69.job"
"2007-09-09 19:00:00 C:\WINDOWS\Tasks\At70.job"
- C:\WINDOWS\system32\O1dh23k6.exe
"2007-09-09 20:00:00 C:\WINDOWS\Tasks\At71.job"
- C:\WINDOWS\system32\O1dh23k6.exe
"2007-09-08 21:00:00 C:\WINDOWS\Tasks\At72.job"
- C:\WINDOWS\system32\O1dh23k6.exe
"2007-09-17 15:23:00 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-20 18:43:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
SetDefaultMIDI = MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy'?

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-20 18:45:23 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-20 18:45
.
--- E O F ---



...and the HJT log



Logfile of HijackThis v1.99.1
Scan saved at 00:16:07, on 2007-10-03
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program\Delade filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
D:\Program\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\Program\Creative\Shared Files\Module Loader\DLLML.exe
C:\Norman\bin\ZLH.EXE
D:\Program\DaemonTools\daemon.exe
C:\Program\QuickTime\qttask.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program\iTunes\iTunesHelper.exe
D:\Program\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\dlltsnll.exe
C:\WINDOWS\system32\drvdniix.exe
C:\WINDOWS\system32\filsemd.exe
C:\WINDOWS\system32\vmddnst.exe
C:\WINDOWS\system32\psncc32.exe
C:\WINDOWS\system32\sdvlibswr.exe
C:\WINDOWS\system32\eddesp.exe
D:\Program\Winamp\winampa.exe
C:\Program\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe
C:\Program\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\Program\Delade filer\PCSuite\Services\ServiceLayer.exe
C:\Program\Creative\ShareDLL\CADI\NotiMan.exe
C:\Program\iPod\bin\iPodService.exe
C:\Program\MSN Messenger\msnmsgr.exe
C:\Program\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program\DELADE~1\Nokia\MPAPI\MPAPI3s.exe
C:\Program\Mozilla Firefox\firefox.exe
D:\HijackThis\Scanner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.helgon.net/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [Norman ZANDA] C:\Norman\bin\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [DAEMON Tools-1033] "D:\Program\DaemonTools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Program\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Futuremark] C:\WINDOWS\twain_32.exe
O4 - HKLM\..\Run: [rtksw32] C:\WINDOWS\system32\dlltsnll.exe
O4 - HKLM\..\Run: [hdcoplt] C:\WINDOWS\system32\drvdniix.exe
O4 - HKLM\..\Run: [nbkarts] C:\WINDOWS\system32\filsemd.exe
O4 - HKLM\..\Run: [vtdlpse] C:\WINDOWS\system32\vmddnst.exe
O4 - HKLM\..\Run: [adlhidp] C:\WINDOWS\system32\psncc32.exe
O4 - HKLM\..\Run: [trivisls] C:\WINDOWS\system32\sdvlibswr.exe
O4 - HKLM\..\Run: [lcuise] C:\WINDOWS\system32\eddesp.exe
O4 - HKLM\..\Run: [WinampAgent] D:\Program\Winamp\winampa.exe
O4 - HKLM\..\Run: [VolPanel] "C:\Program\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [RCSystem] "C:\Program\Creative\Shared Files\Module Loader\DLLML.exe" RCSystem * -Startup
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [rtksw32] C:\WINDOWS\system32\dlltsnll.exe
O4 - HKCU\..\Run: [vtdlpse] C:\WINDOWS\system32\vmddnst.exe
O4 - HKCU\..\Run: [trivisls] C:\WINDOWS\system32\sdvlibswr.exe
O4 - HKCU\..\Run: [adlhidp] C:\WINDOWS\system32\psncc32.exe
O4 - HKCU\..\Run: [isrdmcc] KB04080293.exe
O4 - HKCU\..\Run: [lcuise] C:\WINDOWS\system32\eddesp.exe
O4 - HKCU\..\Run: [trbetil] fxsabyij.exe
O4 - HKCU\..\Run: [nbkarts] C:\WINDOWS\system32\filsemd.exe
O4 - HKCU\..\Run: [ocdkram] dllffpdb.exe
O4 - HKCU\..\Run: [hdcoplt] C:\WINDOWS\system32\drvdniix.exe
O4 - HKCU\..\Run: [Tqnhs] C:\WINDOWS\F?nts\r?ndll32.exe
O4 - HKCU\..\Run: [swg] C:\Program\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Steam] "C:\Program\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [PcSync] C:\Program\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [Mnec] "C:\WINDOWS\FNTS~1\javaw.exe" -vt yazb
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [9fbd639d.exe] C:\Documents and Settings\Jocke\Lokala inställningar\Application Data\9fbd639d.exe
O4 - HKCU\..\Run: [5f3773d6.exe] C:\Documents and Settings\Jocke\Lokala inställningar\Application Data\5f3773d6.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program\DELADE~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: Eqxorqm - Eqxorqm.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O21 - SSODL: kAlkSAu - {8041F3DF-2AEB-5975-35AB-CAEE89B6FCC1} - C:\WINDOWS\system32\shkpd.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program\Delade filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\Program\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program\Canon\CAL\CALMAIN.exe
O23 - Service: Creative Service for CDROM Access - Unknown owner - C:\WINDOWS\system32\CTsvcCDA.EXE (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program\iPod\bin\iPodService.exe
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\Norman\Nvc\BIN\nipsvc.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\Norman\bin\NJEEVES.EXE
O23 - Service: Norman ZANDA - Unknown owner - C:\Norman\Bin\Zanda.exe
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Norman\Nvc\bin\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman Data Defense Systems - C:\Norman\Nvc\BIN\NVCSCHED.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program\Delade filer\PCSuite\Services\ServiceLayer.exe
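
Reading logs like the two above by hand is error-prone. As an added example (not from this thread, HijackThis or ComboFix), the Python script below parses O4 and O20 lines and the ComboFix 'Scheduled Tasks' section and flags the triage signals visible in this log: the same command registered under both HKLM and HKCU Run, a '?' standing in for an unprintable character in a path, a bare filename with no directory, a Winlogon Notify DLL missing on disk, and many At*.job tasks launching one executable. The sample lines are constructed from the posted log, and the flags are signals for a closer look, not verdicts.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the logs posted in this thread (not the full logs).
HJT_SAMPLE = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [rtksw32] C:\WINDOWS\system32\dlltsnll.exe
O4 - HKCU\..\Run: [rtksw32] C:\WINDOWS\system32\dlltsnll.exe
O4 - HKCU\..\Run: [Tqnhs] C:\WINDOWS\F?nts\r?ndll32.exe
O4 - HKCU\..\Run: [isrdmcc] KB04080293.exe
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O20 - Winlogon Notify: Eqxorqm - Eqxorqm.dll (file missing)
""".strip().splitlines()

TASKS_SAMPLE = r"""
"2007-09-08 23:00:00 C:\WINDOWS\Tasks\At26.job"
- C:\WINDOWS\system32\1gC3KmUj.exe
"2007-09-09 00:00:00 C:\WINDOWS\Tasks\At27.job"
- C:\WINDOWS\system32\1gC3KmUj.exe
"2007-09-07 08:01:38 C:\WINDOWS\Tasks\At35.job"
"2007-09-06 22:01:57 C:\WINDOWS\Tasks\At49.job"
- C:\WINDOWS\system32\O1dh23k6.exe
"2007-09-17 15:23:00 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program\Windows Live Toolbar\MSNTBUP.EXE
""".strip().splitlines()

O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[([^\]]+)\] (.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.+)$")
AT_RE = re.compile(r'^"\S+ \S+ .*\\(At\d+)\.job"$')

def triage_hjt(lines):
    """Return {'<hive> <name>': [reasons]} for autostart entries worth a closer look."""
    entries, hives, findings = [], defaultdict(set), defaultdict(list)
    for line in lines:
        m = O4_RE.match(line)
        if m:
            hive, name, cmd = m.groups()
            entries.append((hive, name, cmd))
            hives[cmd].add(hive)          # which Run keys launch this exact command
        elif (m := O20_RE.match(line)) and "(file missing)" in m.group(2):
            findings[f"O20 {m.group(1)}"].append("Winlogon Notify DLL missing on disk")
    for hive, name, cmd in entries:
        key = f"{hive} {name}"
        # HijackThis prints '?' for characters it cannot render, so F?nts\r?ndll32.exe is a look-alike name
        if "?" in cmd or any(ord(c) > 127 for c in cmd):
            findings[key].append("non-ASCII or '?' in path (look-alike name)")
        if "\\" not in cmd:               # no directory at all: resolved via the search path
            findings[key].append("bare filename, resolved via the search path")
        if len(hives[cmd]) > 1:
            findings[key].append("same command registered under both HKLM and HKCU Run")
    return dict(findings)

def at_job_targets(lines):
    """Count At*.job tasks per target executable; jobs with no target line in the log are skipped."""
    counts, pending = defaultdict(int), None
    for line in lines:
        m = AT_RE.match(line)
        if line.startswith("- ") and pending:   # target line belongs to the At job just seen
            counts[line[2:].strip()] += 1
        pending = m.group(1) if m else None
    return dict(counts)
```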

#14 ken545

ken545

    Forum God

  • Retired Classroom Teacher
  • 23,225 posts
  • Interests:Fighting Malware and cooking some great Italian and TexMex food
  • MVP

Posted 02 October 2007 - 05:16 PM

Robin,

It looks like we are taking 2 steps forward and 3 back. You're picking up bad files as fast as we remove them. I would suggest that until you're clean, outside of posting here, you stay off the internet.

It looks like you are booting into normal Windows. So do this.

You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Download SmitfraudFix
Extract the content (a folder named SmitfraudFix) to your Desktop.


Download AVG Anti-Spyware Free to your desktop.
  • Once you have downloaded AVG Anti-Spyware Free, locate the icon on the desktop and double-click it to launch the set up program.
  • Once the setup is complete you will need to run Ewido and update the definition files.
  • On the main screen select the icon Update then select the Update now link.
  • Next select the Start Update button, the update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the Scanner icon at the top of the screen, then select the Settings tab.
  • Once in the Settings screen click on Recommended actions and then select Quarantine <-- Don't forget this
  • Under Reports
  • Select Automatically generate report after every scan
  • Un-Select Only if threats were found
  • Close AVG Anti-Spyware Free <-- Do not run the scan yet.


Boot your computer into Safe Mode
  • Go to Start> Shut Off your Computer> Restart
  • As the computer starts to boot-up, Tap the F8 KEY somewhat rapidly.
  • This will bring up a menu.
  • Use the Up and Down Arrow Keys to scroll up to SAFE MODE
  • Then press Enter on your keyboard
Tutorial if you need it: How to boot into Safe Mode



  • Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
  • Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.
  • You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.
  • The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".
  • The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart into normal Windows.
  • A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply along with a new HijackThis log.
The report can also be found at the root of the system drive, usually at C:\rapport.txt







  • Launch AVG Anti-Spyware Free by double-clicking the icon on your desktop.
  • Select the Scanner icon at the top and then the Scan tab then click on Complete System Scan.
  • AVG will now begin the scanning process, be patient this may take a little time.
  • Once the scan is complete do the following:
  • If you have any infections you will be prompted, then select Apply all actions
  • Next select the Reports icon at the top.
  • Select the Save report as button in the lower left hand of the screen and save it to a text file on your system
  • Make sure to remember where you saved that file, this is important
  • Close AVG Anti-Spyware Free
IMPORTANT: Do not open any other windows or programs while AVG is scanning, as it may interfere with the scanning process.


Reboot normally.

  • Open the SmitfraudFix folder and double-click smitfraudfix.cmd
  • Select option #3 - Delete Trusted zone by typing 3 and press Enter
  • Answer Yes to the question "Restore Trusted Zone ?" by typing Y and hit Enter.
Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.



Please download ATF Cleaner by Atribune to your desktop.
  • This program is for XP and Windows 2000 only
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
Your system may start up slower after running ATF Cleaner; this is expected and it will be back to normal after the first or second boot-up.


Post the log from SmitfraudFix, the AVG Anti-Spyware log and a new HJT log, please.

The forum is staffed by volunteers who donate their time and expertise.
If you feel you have been helped, please consider a donation.
Just a reminder that threads will be closed if no reply in 3 days.

#15 ken545

ken545

    Forum God

  • Retired Classroom Teacher
  • 23,225 posts
  • Interests:Fighting Malware and cooking some great Italian and TexMex food
  • MVP

Posted 11 October 2007 - 10:17 AM

Due to inactivity, this topic will be closed. If you need help, please start a new thread and post a new HJT log.

