Malware Removal

Post by Mari49 » April 16th, 2009, 11:17 am

Can you please help me with this?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 07:03:34, on 16.04.2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Programfiler\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Programfiler\Fellesfiler\Symantec Shared\ccSvcHst.exe
C:\Programfiler\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programfiler\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Programfiler\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
C:\Programfiler\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
C:\Programfiler\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLService.exe
C:\Programfiler\Fellesfiler\LightScribe\LSSrvc.exe
C:\Programfiler\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Programfiler\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Programfiler\Acer\Acer Arcade\Kernel\TV\CLSched.exe
C:\WINDOWS\Explorer.EXE
C:\Programfiler\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Programfiler\Acer\Acer Arcade\PCMService.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\Acer\Empowering Technology\admtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\Acer\Empowering Technology\eRecovery\Monitor.exe
C:\Programfiler\Java\jre1.6.0_05\bin\jusched.exe
C:\Programfiler\QuickTime\qttask.exe
C:\Programfiler\iTunes\iTunesHelper.exe
C:\Programfiler\Lavasoft\Ad-Aware\AAWTray.exe
C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\windows\pp06.exe
C:\windows\freddy41.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programfiler\MSN Messenger\MsnMsgr.Exe
C:\Programfiler\Spybot - Search & Destroy\TeaTimer.exe
C:\Programfiler\Uniblue\RegistryBooster 2\RegistryBooster.exe
C:\WINDOWS\system32\dll32.exe
C:\Programfiler\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Acer\Empowering Technology\admServ.exe
C:\DOCUME~1\Mari\LOKALE~1\Temp\RtkBtMnt.exe
C:\Programfiler\Java\jre1.6.0_05\bin\jucheck.exe
C:\WINDOWS\System32\svchost.exe
C:\Programfiler\Internet Explorer\iexplore.exe
C:\Programfiler\Symantec\Symantec Endpoint Protection\SavUI.exe
C:\Documents and Settings\Mari\Lokale innstillinger\Temporary Internet Files\Content.IE5\4YUSXKWN\HijackThis[1].exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Programfiler\Symantec\LiveUpdate\AUPDATE.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.symantec.com/enterprise/secu ... /index.jsp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programfiler\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Programfiler\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [AzMixerSel] C:\Programfiler\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [PCMService] "C:\Programfiler\Acer\Acer Arcade\PCMService.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
O4 - HKLM\..\Run: [ADMTray.exe] "C:\Acer\Empowering Technology\admtray.exe"
O4 - HKLM\..\Run: [ntiMUI] C:\Programfiler\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
O4 - HKLM\..\Run: [Acer ePower Management] C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe boot
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programfiler\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programfiler\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Programfiler\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Programfiler\Fellesfiler\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Programfiler\Fellesfiler\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [Ad-Watch] C:\Programfiler\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [sysldtray] C:\windows\ld07.exe
O4 - HKLM\..\Run: [pp] C:\windows\pp06.exe
O4 - HKLM\..\Run: [sysfbtray] C:\windows\freddy41.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programfiler\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [updateMgr] "C:\Programfiler\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programfiler\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Programfiler\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [dll32] dll32
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETTVERKSTJENESTE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programfiler\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Programfiler\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Programfiler\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Programfiler\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Programfiler\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_05\bin\npjpi160_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_05\bin\npjpi160_05.dll
O9 - Extra button: Oppslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Programfiler\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Programfiler\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/ms ... b56986.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/Mi ... b31267.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/So ... b56986.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 7631136390
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 7632825434
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZI ... b56649.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Ba ... b57213.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b56907.cab
O16 - DPF: {EDFCB7CB-942C-4822-AF14-F0B687409848} (Image Uploader Control) - http://www.nfoto.no/upload/ImageUploader4.cab
O20 - Winlogon Notify: crypt - crypts.dll (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Programfiler\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AdminWorks Agent X6 (AWService) - Avocent Inc. - C:\Acer\Empowering Technology\admServ.exe
O23 - Service: Tjenesten Background Intelligent Transfer (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Unknown owner - C:\Programfiler\tinyproxy\tinyproxy.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccSvcHst.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Programfiler\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Programfiler\Acer\Acer Arcade\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Programfiler\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Programfiler\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service (lavasoft ad-aware service) - Lavasoft - C:\Programfiler\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Programfiler\Fellesfiler\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Logical Disk Manager (dmserver) - Unknown owner - C:\Programfiler\tintinyproxyy\tinyproxy.exe (file missing)
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Programfiler\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Programfiler\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Programfiler\Symantec\Symantec Endpoint Protection\SNAC.EXE
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Programfiler\Symantec\Symantec Endpoint Protection\Rtvscan.exe

--
End of file - 13239 bytes

Re: Malware Removal

Post by Shaba » April 22nd, 2009, 2:31 am

Hi Mari49, and sorry for the delay.

You are now running HijackThis from the temp folder, and that needs to be corrected first.

Click here to download HJTInstall.exe
  • Save HJTInstall.exe to your desktop.
  • Doubleclick on the HJTInstall.exe icon on your desktop.
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed, it will launch HijackThis.
  • Click on the Do a system scan and save a logfile button. It will scan, and the log should open in Notepad.
  • Click on "Edit > Select All", then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and paste the log in your next reply.
  • DO NOT use the AnalyseThis button; its findings are dangerous if misinterpreted.
  • DO NOT have HijackThis fix anything yet. Most of what it finds will be harmless or even required.

Re: Malware Removal

Post by Mari49 » April 23rd, 2009, 1:53 pm

Hi,

Here we go:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:50:04, on 23.04.2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Programfiler\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Programfiler\Fellesfiler\Symantec Shared\ccSvcHst.exe
C:\Programfiler\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programfiler\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Programfiler\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
C:\Programfiler\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
C:\Programfiler\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLService.exe
C:\Programfiler\Fellesfiler\LightScribe\LSSrvc.exe
C:\Programfiler\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Programfiler\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Programfiler\Acer\Acer Arcade\Kernel\TV\CLSched.exe
C:\WINDOWS\Explorer.EXE
C:\Programfiler\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Programfiler\Acer\Acer Arcade\PCMService.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\Acer\Empowering Technology\admtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\Acer\Empowering Technology\eRecovery\Monitor.exe
C:\Programfiler\Java\jre1.6.0_05\bin\jusched.exe
C:\Programfiler\QuickTime\qttask.exe
C:\Programfiler\iTunes\iTunesHelper.exe
C:\Programfiler\Lavasoft\Ad-Aware\AAWTray.exe
C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\windows\pp06.exe
C:\windows\freddy41.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programfiler\MSN Messenger\MsnMsgr.Exe
C:\Programfiler\Spybot - Search & Destroy\TeaTimer.exe
C:\Programfiler\Uniblue\RegistryBooster 2\RegistryBooster.exe
C:\WINDOWS\system32\dll32.exe
C:\Programfiler\iPod\bin\iPodService.exe
C:\Acer\Empowering Technology\admServ.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\DOCUME~1\Mari\LOKALE~1\Temp\RtkBtMnt.exe
C:\Programfiler\Java\jre1.6.0_05\bin\jucheck.exe
C:\WINDOWS\System32\svchost.exe
C:\Programfiler\Internet Explorer\iexplore.exe
C:\Programfiler\Trend Micro\HijackThis\HijackThis.exe
C:\Programfiler\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.symantec.com/enterprise/secu ... /index.jsp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programfiler\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: 219198 helper - {5B452B01-12C9-4286-81D9-2308AEB3CD94} - C:\WINDOWS\system32\219198\219198.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Programfiler\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [AzMixerSel] C:\Programfiler\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [PCMService] "C:\Programfiler\Acer\Acer Arcade\PCMService.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
O4 - HKLM\..\Run: [ADMTray.exe] "C:\Acer\Empowering Technology\admtray.exe"
O4 - HKLM\..\Run: [ntiMUI] C:\Programfiler\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
O4 - HKLM\..\Run: [Acer ePower Management] C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe boot
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programfiler\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programfiler\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Programfiler\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Programfiler\Fellesfiler\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Programfiler\Fellesfiler\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [Ad-Watch] C:\Programfiler\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [sysldtray] C:\windows\ld07.exe
O4 - HKLM\..\Run: [pp] C:\windows\pp06.exe
O4 - HKLM\..\Run: [sysfbtray] C:\windows\freddy41.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programfiler\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [updateMgr] "C:\Programfiler\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programfiler\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Programfiler\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [dll32] dll32
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETTVERKSTJENESTE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programfiler\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Programfiler\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Programfiler\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Programfiler\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Programfiler\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_05\bin\npjpi160_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_05\bin\npjpi160_05.dll
O9 - Extra button: Oppslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Programfiler\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Programfiler\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/ms ... b56986.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/Mi ... b31267.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/So ... b56986.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 7631136390
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 7632825434
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZI ... b56649.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Ba ... b57213.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b56907.cab
O16 - DPF: {EDFCB7CB-942C-4822-AF14-F0B687409848} (Image Uploader Control) - http://www.nfoto.no/upload/ImageUploader4.cab
O20 - Winlogon Notify: crypt - crypts.dll (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Programfiler\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AdminWorks Agent X6 (AWService) - Avocent Inc. - C:\Acer\Empowering Technology\admServ.exe
O23 - Service: Tjenesten Background Intelligent Transfer (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Unknown owner - C:\Programfiler\tinyproxy\tinyproxy.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccSvcHst.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Programfiler\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Programfiler\Acer\Acer Arcade\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Programfiler\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Programfiler\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service (lavasoft ad-aware service) - Lavasoft - C:\Programfiler\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Programfiler\Fellesfiler\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Logical Disk Manager (dmserver) - Unknown owner - C:\Programfiler\tintinyproxyy\tinyproxy.exe (file missing)
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Programfiler\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Programfiler\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Programfiler\Symantec\Symantec Endpoint Protection\SNAC.EXE
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Programfiler\Symantec\Symantec Endpoint Protection\Rtvscan.exe

--
End of file - 13173 bytes
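The logs above are what a helper reads by hand. As an added example (not code from this thread, and not part of Trend Micro's HijackThis), here is a small Python triage script that encodes the checks a reviewer applies to entries of exactly this shape: an autorun executable sitting directly in the Windows root rather than in system32 or a product folder, a Run value that is a bare name with no path, a Winlogon Notify DLL that is missing, a service whose image is missing or is a directory, a BHO loaded from a purely numeric directory, and a proxy that points browser traffic back at localhost. The sample lines are a constructed subset of the posted log (the Norwegian "Programfiler" is Program Files on this machine). The rule for BITS and dmserver relies only on the fact that both are svchost-hosted Windows services, so an O23 image path outside system32 means the service entry has been repointed. All of these are heuristics for a human to review, not verdicts.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed subset of the HijackThis 2.0.2 log posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programfiler\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: 219198 helper - {5B452B01-12C9-4286-81D9-2308AEB3CD94} - C:\WINDOWS\system32\219198\219198.dll
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [sysldtray] C:\windows\ld07.exe
O4 - HKLM\..\Run: [pp] C:\windows\pp06.exe
O4 - HKCU\..\Run: [dll32] dll32
O20 - Winlogon Notify: crypt - crypts.dll (file missing)
O23 - Service: Tjenesten Background Intelligent Transfer (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Unknown owner - C:\Programfiler\tinyproxy\tinyproxy.exe (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
"""


@dataclass
class Finding:
    severity: str  # "high" or "medium"
    reason: str
    line: str


# Windows services that normally run inside svchost.exe under system32.
# An O23 image path anywhere else means the service entry was repointed.
SVCHOST_SERVICES = {"BITS", "dmserver"}

# An .exe directly under C:\windows (not in a subfolder such as system32).
WINROOT_EXE = re.compile(r'^"?[a-z]:\\windows\\[^\\]+\.exe"?', re.IGNORECASE)
# A proxy that sends browser traffic back into the local machine.
LOCAL_PROXY = re.compile(r"ProxyServer\s*=.*\b(localhost|127\.0\.0\.1)\b", re.IGNORECASE)
# A DLL in a directory whose name is only digits, e.g. \219198\219198.dll.
NUMERIC_DIR = re.compile(r"\\\d+\\\d+\.dll$", re.IGNORECASE)
# "O23 - Service: Display (short) - Owner - image path". Display names that
# themselves contain " - " are not handled by this simple split.
O23_LINE = re.compile(r"^O23 - Service: (.*?) - (.*?) - (.*)$")


def _o4_target(line: str) -> str:
    # "O4 - HKLM\..\Run: [name] command" -> "command"
    return line.split("] ", 1)[1].strip() if "] " in line else ""


def triage(log_text: str) -> List[Finding]:
    """Return the HijackThis lines a reviewer should look at first."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        kind = line.split(" - ", 1)[0]  # R1, O2, O4, O20, O23, ...
        if kind == "R1" and LOCAL_PROXY.search(line):
            findings.append(Finding("medium", "browser traffic redirected through a local proxy port", line))
        elif kind == "O2" and NUMERIC_DIR.search(line):
            findings.append(Finding("medium", "BHO loaded from a purely numeric directory", line))
        elif kind == "O4":
            target = _o4_target(line)
            if WINROOT_EXE.match(target):
                findings.append(Finding("high", "autorun executable placed directly in the Windows root", line))
            elif target and "\\" not in target and "." not in target:
                findings.append(Finding("high", "autorun value is a bare name with no path or extension", line))
        elif kind == "O20" and "(file missing)" in line:
            findings.append(Finding("high", "Winlogon Notify DLL (loads into winlogon as SYSTEM) is missing", line))
        elif kind == "O23":
            m = O23_LINE.match(line)
            if not m:
                continue
            display, _owner, path = m.groups()
            short_m = re.search(r"\(([^()]+)\)\s*$", display)
            short = short_m.group(1) if short_m else display
            if short in SVCHOST_SERVICES and "\\system32\\" not in path.lower():
                findings.append(Finding("high", f"svchost-hosted service {short} repointed to {path}", line))
            elif "(file missing)" in path or path.endswith("\\"):
                findings.append(Finding("high", "service image is missing or is a directory, not an executable", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
```

On the sample, the Spybot BHO, the Intel hkcmd.exe autorun and the Symantec LiveUpdate service pass through untouched; everything else is listed, with the three C:\windows autoruns, the bare dll32 value, the missing Winlogon Notify DLL and the two broken service entries marked high.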

Re: Malware Removal

Post by Shaba » April 23rd, 2009, 2:01 pm

Download gmer.zip and save to your desktop.
alternate download site
  • Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure; Win 2000 users click here.)
  • When you have done this, disconnect from the Internet and close all running programs.
    There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  • Click on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for "Show All".
  • Click on the "Scan" and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste or Ctrl+V. Save the file as gmer.txt and copy the information in your next reply.
  • Note: If you have any problems, try running GMER in SAFE MODE.
Important! Please do not select the "Show all" checkbox during the scan.

Re: Malware Removal

Post by Mari49 » April 23rd, 2009, 2:44 pm

So far so good. :-)

GMER 1.0.15.14966 - http://www.gmer.net
Rootkit scan 2009-04-23 20:39:15
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT 86374F90 ZwAlertResumeThread
SSDT 86376FD0 ZwAlertThread
SSDT 8636C528 ZwAllocateVirtualMemory
SSDT 86368C08 ZwConnectPort
SSDT 863906D0 ZwCreateMutant
SSDT 8637E938 ZwCreateThread
SSDT 8637ED68 ZwFreeVirtualMemory
SSDT 86390A78 ZwImpersonateAnonymousToken
SSDT 86390BE0 ZwImpersonateThread
SSDT 863810C0 ZwMapViewOfSection
SSDT 8638BF90 ZwOpenEvent
SSDT 8640F9E8 ZwOpenProcessToken
SSDT 8637E2B0 ZwOpenThreadToken
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation) ZwProtectVirtualMemory [0xF6ED2840]
SSDT 8623D968 ZwResumeThread
SSDT 8637DF90 ZwSetContextThread
SSDT 8637E8B0 ZwSetInformationProcess
SSDT 8637DDD0 ZwSetInformationThread
SSDT 8638BDD0 ZwSuspendProcess
SSDT 8637B9D8 ZwSuspendThread
SSDT 8636EF68 ZwTerminateProcess
SSDT 8637D128 ZwTerminateThread
SSDT 8637E9F8 ZwUnmapViewOfSection
SSDT 8637EE88 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2C98 80504534 4 Bytes JMP E67ECB70
.text ntkrnlpa.exe!ZwCallbackReturn + 2DB0 8050464C 4 Bytes CALL 12D6874A
.text ntkrnlpa.exe!ZwCallbackReturn + 2F54 805047F0 8 Bytes CALL 5E20CE2C
.text ntkrnlpa.exe!ZwCallbackReturn + 2FF0 8050488C 4 Bytes JMP 3274CEC8
? System32\Drivers\hiber_WMILIB.SYS The system cannot find the path specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Programfiler\MSN Messenger\MsnMsgr.Exe[3696] kernel32.dll!SetUnhandledExceptionFilter 7C8449FD 5 Bytes JMP 004DE392 C:\Programfiler\MSN Messenger\MsnMsgr.Exe (Messenger/Microsoft Corporation)
.text C:\Programfiler\Internet Explorer\iexplore.exe[4112] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 4476F301 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Programfiler\Internet Explorer\iexplore.exe[4112] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 4490179F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Programfiler\Internet Explorer\iexplore.exe[4112] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 44901720 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Programfiler\Internet Explorer\iexplore.exe[4112] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 44901764 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Programfiler\Internet Explorer\iexplore.exe[4112] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 449016AC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Programfiler\Internet Explorer\iexplore.exe[4112] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 449016E6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Programfiler\Internet Explorer\iexplore.exe[4112] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 449017DA C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Programfiler\Internet Explorer\iexplore.exe[4112] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 447916B6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device Fastfat.sys (Fast FAT File System Driver/Microsoft Corporation)
Device \Driver\Tcpip \Device\Ip wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\Tcpip \Device\Tcp wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)

AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\Cdrom \Device\CdRom0 OsaFsLoc.sys (Filesystem Lock driver/OSA Technologies)
Device \Driver\Tcpip \Device\Udp wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)

AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\Tcpip \Device\RawIp wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)

AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\Tcpip \Device\IPMULTICAST wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)
Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)

---- Services - GMER 1.0.15 ----

Service system32\drivers\UACchkocenr.sys (*** hidden *** ) [SYSTEM] UACd.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACchkocenr.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACchkocenr.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACdtnmnbve.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacsr \\?\globalroot\systemroot\system32\UACbwvoqeas.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uaclog \\?\globalroot\systemroot\system32\UACdjabvnba.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacmask \\?\globalroot\systemroot\system32\UACdeadbswf.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UACmnmikovq.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACproc \\?\globalroot\systemroot\system32\UACucyddiqw.log
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacurls \\?\globalroot\systemroot\system32\UACvoebaygm.log
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacerrors \\?\globalroot\systemroot\system32\UACqfglgxje.log
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACchkocenr.sys
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACchkocenr.sys
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACdtnmnbve.dll
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacsr \\?\globalroot\systemroot\system32\UACbwvoqeas.dat
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uaclog \\?\globalroot\systemroot\system32\UACdjabvnba.dll
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacmask \\?\globalroot\systemroot\system32\UACdeadbswf.dll
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UACmnmikovq.dll
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@UACproc \\?\globalroot\systemroot\system32\UACucyddiqw.log
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacurls \\?\globalroot\systemroot\system32\UACvoebaygm.log
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacerrors \\?\globalroot\systemroot\system32\UACqfglgxje.log
Reg HKLM\SOFTWARE\Classes\CLSID\{2578FF91-F2B0-D5CA-E634-3B015D1338F1}\fHaesvnItivIZ@ wLbDbkATywBJ@wJgS{Kni|K
Reg HKLM\SOFTWARE\Classes\CLSID\{2578FF91-F2B0-D5CA-E634-3B015D1338F1}\lOjf@ STrBva_ZjaAOaa{qy@nFR
Reg HKLM\SOFTWARE\Classes\CLSID\{2578FF91-F2B0-D5CA-E634-3B015D1338F1}\TOqUkgk@ HL\OBEp

---- EOF - GMER 1.0.15 ----
Mari49
Active Member
 
Posts: 14
Joined: April 16th, 2009, 1:16 am

Re: Malware Removal

Unread postby Shaba » April 23rd, 2009, 2:54 pm

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper.

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
If you need help to disable your protection programs see here.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a fresh HijackThis log.
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: Malware Removal

Unread postby Mari49 » April 23rd, 2009, 3:17 pm

Here they are:
ComboFix 09-04-23.A3 - Mari 23.04.2009 21:04.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.47.1044.18.1014.476 [GMT 2:00]
Kjører fra: c:\documents and settings\Mari\Skrivebord\ComboFix.exe
AV: Symantec Endpoint Protection *On-access scanning disabled* (Outdated)
FW: Symantec Endpoint Protection *disabled*
* Opprettet nytt gjenopprettingspunkt

ADVARSEL -DENNE MASKINEN HAR IKKE GJENOPPRETTINGSKONSOLLEN INSTALLERT !!
.

((((((((((((((((((((((((((((((((((((((( Andre slettinger )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Mari\Lokale innstillinger\Temporary Internet Files\bestwiner.stt
c:\documents and settings\Mari\Lokale innstillinger\Temporary Internet Files\fbk.sts
c:\documents and settings\Mari\Programdata\CROSOF~1.NET
c:\documents and settings\Mari\Programdata\gadcom
c:\documents and settings\Mari\Programdata\Gool
c:\programfiler\tintinyproxyy\tinyproxy.exe
c:\programfiler\tinyproxy\tinyproxy.exe
c:\temp\1cb
c:\temp\1cb\syscheck.log
c:\windows\f49f4daa.dat
c:\windows\freddy41.exe
c:\windows\IE4 Error Log.txt
c:\windows\ld07.exe
c:\windows\pp06.exe
c:\windows\system32\219198
c:\windows\system32\219198\219198.dll
c:\windows\system32\AcIloUtv.ini
c:\windows\system32\AcIloUtv.ini2
c:\windows\system32\dll32.exe
c:\windows\system32\fgcotxfy.ini
c:\windows\system32\FiPWxyay.ini
c:\windows\system32\FiPWxyay.ini2
c:\windows\system32\fltfivvd.ini
c:\windows\system32\hmviiuei.ini
c:\windows\system32\iknXxyay.ini
c:\windows\system32\iknXxyay.ini2
c:\windows\system32\jdryulpo.ini
c:\windows\system32\jlsclvop.ini
c:\windows\system32\JPpVDcfe.ini
c:\windows\system32\JPpVDcfe.ini2
c:\windows\system32\mcrh.tmp
c:\windows\system32\meqauoul.ini
c:\windows\system32\mtdsvdbh.ini
c:\windows\system32\nfr.assembly
c:\windows\system32\nfr.gpref
c:\windows\system32\PpsBLkkj.ini
c:\windows\system32\PpsBLkkj.ini2
c:\windows\system32\scthmmxa.ini
c:\windows\system32\Ssrtttwa.ini
c:\windows\system32\Ssrtttwa.ini2
c:\windows\system32\tCdNnnnn.ini
c:\windows\system32\tCdNnnnn.ini2
c:\windows\system32\thlrgxep.ini
c:\windows\system32\UACbwvoqeas.dat
c:\windows\system32\uacinit.dll
c:\windows\system32\ucaoujec.ini
c:\windows\system32\XbeOVvut.ini
c:\windows\system32\XbeOVvut.ini2
c:\windows\system32\xbIOnnmp.ini
c:\windows\system32\xbIOnnmp.ini2
c:\windows\system32\xujysndi.ini
c:\windows\system32\ycwjhfkt.ini
c:\windows\system32\zxdnt3d.cfg
c:\windows\tmark2.dat

.
((((((((((((((((((((((((((((((((((((((( Drivere/Tjenester )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CANON_CAMERA_ACCESS_LIBRARY_8_(CCALIB8)_
-------\Legacy_LOGICAL_DISK_MANAGER_(DMSERVER)_
-------\Legacy_NTMLSVC
-------\Service_Canon Camera Access Library 8 (CCALib8)
-------\Service_Logical Disk Manager (dmserver)
-------\Service_UACd.sys


((((((((((((((((((((((((((( Filer Opprettet Fra 2009-05-23 til 2009-4-23 )))))))))))))))))))))))))))))))))
.

2009-04-21 06:01 . 2009-04-21 06:01 2 ---h--w c:\windows\t55ft3242f44.dat
2009-04-17 11:48 . 2009-04-17 11:48 2 ---h--w c:\windows\t55ft2823f44.dat
2009-04-16 14:41 . 2009-04-16 14:42 -------- d-----w c:\programfiler\Trend Micro
2009-04-16 14:41 . 2009-04-16 14:41 812344 ----a-w c:\programfiler\HJTInstall.exe
2009-04-15 15:56 . 2009-04-15 15:58 2048 ---h--w c:\windows\f5087.dat
2009-04-15 15:15 . 2009-04-17 11:50 142 ----a-w C:\pch.bat
2009-04-15 15:13 . 2009-04-15 15:13 2 ---h--w c:\windows\t55ft2772f44.dat
2009-04-14 18:39 . 2009-04-14 18:39 2 ---h--w c:\windows\t55ft2804f44.dat
2009-04-13 17:53 . 2009-04-13 17:53 1 ---h--w c:\windows\f23567.dat
2009-04-13 17:53 . 2009-04-13 17:53 1 ----a-w c:\windows\9g2234wesdf3dfgjf23
2009-04-13 17:53 . 2009-04-13 17:53 2 ---h--w c:\windows\t55ft2803f44.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-23 19:08 . 2009-03-09 16:11 11005 ----a-w C:\aaw7boot.log
2009-04-21 04:31 . 2006-06-29 04:12 62530 ----a-w c:\windows\system32\perfc014.dat
2009-04-21 04:31 . 2006-06-29 04:12 389242 ----a-w c:\windows\system32\perfh014.dat
2009-04-20 18:57 . 2006-10-22 07:34 244 ---ha-w C:\sqmnoopt10.sqm
2009-04-20 18:57 . 2006-10-22 07:34 232 ---ha-w C:\sqmdata10.sqm
2009-04-14 18:23 . 2006-10-21 16:57 268 ---ha-w C:\sqmdata09.sqm
2009-04-14 18:23 . 2006-10-21 16:57 244 ---ha-w C:\sqmnoopt09.sqm
2009-04-12 20:15 . 2006-10-21 10:04 268 ---ha-w C:\sqmdata08.sqm
2009-04-12 20:15 . 2006-10-21 10:04 244 ---ha-w C:\sqmnoopt08.sqm
2009-04-05 15:20 . 2006-10-19 18:10 244 ---ha-w C:\sqmnoopt07.sqm
2009-04-05 15:20 . 2006-10-19 18:10 232 ---ha-w C:\sqmdata07.sqm
2009-03-28 09:32 . 2006-10-14 20:19 244 ---ha-w C:\sqmnoopt06.sqm
2009-03-28 09:32 . 2006-10-14 20:19 232 ---ha-w C:\sqmdata06.sqm
2009-03-22 16:44 . 2006-10-14 19:57 268 ---ha-w C:\sqmdata05.sqm
2009-03-22 16:44 . 2006-10-14 19:57 244 ---ha-w C:\sqmnoopt05.sqm
2009-03-22 15:15 . 2006-10-14 19:57 244 ---ha-w C:\sqmnoopt04.sqm
2009-03-22 15:15 . 2006-10-14 19:57 232 ---ha-w C:\sqmdata04.sqm
2009-03-22 14:57 . 2009-03-22 14:57 -------- d-----w c:\documents and settings\Mari\Programdata\Uniblue
2009-03-22 14:57 . 2009-03-22 14:57 -------- d-----w c:\programfiler\Uniblue
2009-03-22 10:43 . 2006-10-13 18:56 244 ---ha-w C:\sqmnoopt03.sqm
2009-03-22 10:43 . 2006-10-13 18:56 232 ---ha-w C:\sqmdata03.sqm
2009-03-21 15:56 . 2009-03-21 15:56 -------- d-----w c:\programfiler\Spybot - Search & Destroy
2009-03-21 15:56 . 2009-03-21 15:56 -------- d-----w c:\documents and settings\All Users\Programdata\Spybot - Search & Destroy
2009-03-21 14:58 . 2006-10-12 19:31 244 ---ha-w C:\sqmnoopt02.sqm
2009-03-21 14:58 . 2006-10-12 19:31 232 ---ha-w C:\sqmdata02.sqm
2009-03-21 11:06 . 2006-10-12 16:07 268 ---ha-w C:\sqmdata01.sqm
2009-03-21 11:06 . 2006-10-12 16:07 244 ---ha-w C:\sqmnoopt01.sqm
2009-03-21 10:07 . 2006-10-12 05:18 244 ---ha-w C:\sqmnoopt00.sqm
2009-03-21 10:07 . 2006-10-12 05:18 232 ---ha-w C:\sqmdata00.sqm
2009-03-21 09:42 . 2009-03-09 16:10 15688 ----a-w c:\windows\system32\lsdelete.exe
2009-03-18 21:41 . 2006-10-26 17:53 244 ---ha-w C:\sqmnoopt19.sqm
2009-03-18 21:41 . 2006-10-26 17:53 232 ---ha-w C:\sqmdata19.sqm
2009-03-16 21:55 . 2009-03-16 21:55 -------- d-----w c:\programfiler\Opera
2009-03-13 16:01 . 2008-06-19 21:12 149768 ----a-w c:\windows\system32\drivers\WpsHelper.sys
2009-03-09 22:49 . 2006-10-26 17:01 268 ---ha-w C:\sqmdata18.sqm
2009-03-09 22:49 . 2006-10-26 17:01 244 ---ha-w C:\sqmnoopt18.sqm
2009-03-09 20:42 . 2009-03-09 20:42 -------- d-----w c:\documents and settings\Mari\Programdata\Auslogics
2009-03-09 20:42 . 2009-03-09 20:42 -------- d-----w c:\programfiler\Auslogics
2009-03-09 17:44 . 2009-03-09 17:41 805 ----a-w c:\windows\system32\drivers\SYMEVENT.INF
2009-03-09 17:44 . 2009-03-09 17:41 60800 ----a-w c:\windows\system32\S32EVNT1.DLL
2009-03-09 17:44 . 2009-03-09 17:41 123952 ----a-w c:\windows\system32\drivers\SYMEVENT.SYS
2009-03-09 17:44 . 2009-03-09 17:41 10563 ----a-w c:\windows\system32\drivers\SYMEVENT.CAT
2009-03-08 19:23 . 2009-02-28 16:44 32768 ----a-w c:\windows\system32\drivers\21906bd1.sys
2009-03-08 18:58 . 2006-10-24 09:07 244 ---ha-w C:\sqmnoopt17.sqm
2009-03-08 18:58 . 2006-10-24 09:07 232 ---ha-w C:\sqmdata17.sqm
2009-03-08 18:56 . 2009-03-08 18:56 -------- d--h--w c:\documents and settings\All Users\Programdata\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-03-08 18:55 . 2009-03-08 18:55 -------- d-----w c:\programfiler\Lavasoft
2009-03-08 18:55 . 2009-03-08 18:55 -------- d-----w c:\documents and settings\All Users\Programdata\Lavasoft
2009-03-01 18:31 . 2006-10-24 07:20 244 ---ha-w C:\sqmnoopt16.sqm
2009-03-01 18:31 . 2006-10-24 07:20 232 ---ha-w C:\sqmdata16.sqm
2009-02-28 22:05 . 2006-10-23 09:22 268 ---ha-w C:\sqmdata15.sqm
2009-02-28 22:05 . 2006-10-23 09:22 244 ---ha-w C:\sqmnoopt15.sqm
2009-02-28 22:04 . 2006-10-22 08:33 244 ---ha-w C:\sqmnoopt14.sqm
2009-02-28 22:04 . 2006-10-22 08:33 232 ---ha-w C:\sqmdata14.sqm
2009-02-28 21:40 . 2009-02-01 14:04 57364 ----a-w c:\windows\system32\ywozlvfefijl.dll-uninst.exe
2009-02-28 16:45 . 2009-02-28 16:44 705 ----a-w C:\mseljj.exe
2009-02-28 16:44 . 2007-10-25 13:19 2 ----a-w C:\156505820
2009-02-28 15:43 . 2009-02-28 15:43 2713 ----a-w c:\windows\system32\khfcAqQi.dll
2009-02-21 20:40 . 2006-10-22 08:05 244 ---ha-w C:\sqmnoopt13.sqm
2009-02-21 20:40 . 2006-10-22 08:05 232 ---ha-w C:\sqmdata13.sqm
2009-02-08 10:21 . 2006-10-22 07:43 268 ---ha-w C:\sqmdata12.sqm
2009-02-08 10:21 . 2006-10-22 07:43 244 ---ha-w C:\sqmnoopt12.sqm
2009-02-06 21:29 . 2006-10-22 07:38 268 ---ha-w C:\sqmdata11.sqm
2009-02-06 21:29 . 2006-10-22 07:38 244 ---ha-w C:\sqmnoopt11.sqm
2009-02-01 20:26 . 2009-02-01 20:26 357704 ----a-w c:\windows\system32\sysfer.dll
2009-02-01 20:26 . 2009-02-01 20:26 107848 ----a-w c:\windows\system32\SymVPN.dll
2009-02-01 20:26 . 2009-02-01 20:26 49480 ----a-w c:\windows\system32\FwsVpn.dll
2006-12-10 18:05 . 2006-10-11 19:30 39760 ----a-w c:\documents and settings\Robert\Lokale innstillinger\Programdata\GDIPFONTCACHEV1.DAT
2006-11-09 15:20 . 2006-10-11 19:34 39760 ----a-w c:\documents and settings\Bjørnar\Lokale innstillinger\Programdata\GDIPFONTCACHEV1.DAT
2006-11-07 17:07 . 2006-10-12 00:44 39760 ----a-w c:\documents and settings\Mari\Lokale innstillinger\Programdata\GDIPFONTCACHEV1.DAT
2006-10-12 00:44 . 2006-10-12 00:41 128 ----a-w c:\documents and settings\Mari\Lokale innstillinger\Programdata\fusioncache.dat
2006-10-11 19:33 . 2006-10-11 19:33 131 ----a-w c:\documents and settings\Bjørnar\Lokale innstillinger\Programdata\fusioncache.dat
2006-10-11 19:30 . 2006-10-11 19:29 130 ----a-w c:\documents and settings\Robert\Lokale innstillinger\Programdata\fusioncache.dat
2005-02-14 21:32 . 2009-01-19 19:25 128 ----a-w c:\documents and settings\Administrator\Lokale innstillinger\Programdata\fusioncache.dat
2008-10-31 17:23 . 2008-10-31 17:23 32768 --sha-w c:\windows\system32\config\systemprofile\Lokale innstillinger\Logg\History.IE5\MSHist012008103120081101\index.dat
.

(((((((((((((((((((((((((((((((( Oppstartspunkter I Registeret )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Merk* tomme oppføringer & gyldige standardoppføringer vises ikke
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dll32"="dll32" [X]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MsnMsgr"="c:\programfiler\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"updateMgr"="c:\programfiler\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"SpybotSD TeaTimer"="c:\programfiler\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"Uniblue RegistryBooster 2"="c:\programfiler\Uniblue\RegistryBooster 2\RegistryBooster.exe" [2007-07-24 1863960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AzMixerSel"="c:\programfiler\Realtek\InstallShield\AzMixerSel.exe" [2005-12-20 53248]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PCMService"="c:\programfiler\Acer\Acer Arcade\PCMService.exe" [2005-12-13 151552]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-28 98304]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-28 118784]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2005-12-27 69632]
"ADMTray.exe"="c:\acer\Empowering Technology\admtray.exe" [2005-10-24 2462208]
"ntiMUI"="c:\programfiler\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe" [2005-05-11 45056]
"ePower_DMC"="c:\acer\Empowering Technology\ePower\ePower_DMC.exe" [2006-01-17 344064]
"Acer ePower Management"="c:\acer\Empowering Technology\ePower\Acer ePower Management.exe" [2006-01-16 3080192]
"eRecoveryService"="c:\acer\Empowering Technology\eRecovery\Monitor.exe" [2006-01-24 397312]
"SunJavaUpdateSched"="c:\programfiler\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"QuickTime Task"="c:\programfiler\QuickTime\qttask.exe" [2006-09-24 282624]
"iTunesHelper"="c:\programfiler\iTunes\iTunesHelper.exe" [2006-09-25 229952]
"Easy-PrintToolBox"="c:\programfiler\Canon\Easy-PrintToolBox\BJPSMAIN.EXE" [2004-01-14 409600]
"Symantec PIF AlertEng"="c:\programfiler\Fellesfiler\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"Ad-Watch"="c:\programfiler\Lavasoft\Ad-Aware\AAWTray.exe" [2009-03-21 515416]
"ccApp"="c:\programfiler\Fellesfiler\Symantec Shared\ccApp.exe" [2008-12-18 115560]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-28 77824]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2006-06-27 16248320]
"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2006-05-16 2879488]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start-meny\Programmer\Oppstart\
Adobe Reader Speed Launch.lnk - c:\programfiler\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\lavasoft ad-aware service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programfiler\\Acer\\Acer Arcade\\PCMService.exe"=
"c:\\Programfiler\\LimeWire\\LimeWire.exe"=
"c:\\Programfiler\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\PCHEALTH\\HELPCTR\\BINARIES\\HelpCtr.exe"=
"c:\\Programfiler\\Messenger\\MSMSGS.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programfiler\\MSN Messenger\\MsnMsgr.Exe"=
"c:\\Programfiler\\MSN Messenger\\livecall.exe"=
"c:\\Programfiler\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=
"c:\\Programfiler\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=
"c:\\Programfiler\\Fellesfiler\\Symantec Shared\\ccApp.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9090:TCP"= 9090:TCP:TINYPROXY

R0 Xecv36;Xecv36; [x]
R1 21906bd1;21906bd1;c:\windows\System32\drivers\21906bd1.sys [2009-03-08 32768]
R3 COH_Mon;COH_Mon;c:\windows\system32\Drivers\COH_Mon.sys [2008-11-18 23888]
R3 EraserUtilDrv10633;EraserUtilDrv10633; [x]
R3 EraserUtilDrvI7;EraserUtilDrvI7; [x]
S1 OsaFsLoc;OsaFsLoc;c:\windows\system32\drivers\OsaFsLoc.sys [2005-10-15 12106]
S2 lavasoft ad-aware service;lavasoft ad-aware service;c:\programfiler\Lavasoft\Ad-Aware\AAWService.exe [2009-03-21 951632]
S2 osaio;osaio;c:\windows\system32\drivers\osaio.sys [2005-06-30 7296]
S2 osanbm;osanbm;c:\windows\system32\drivers\osanbm.sys [2005-01-14 4010]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\programfiler\Fellesfiler\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-03-18 101936]
S3 NdisFilt;OSA NdisFilter Protocol;c:\windows\system32\Drivers\NdisFilt.sys [2005-09-13 4392]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8ad27a0a-140c-11de-9a1a-0016d41b5bba}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL resycled\ntldr.com j:
\Shell\Open\command - resycled\ntldr.com j:
.
Innholdet i mappen 'Scheduled Tasks' (planlagte oppgaver)

2009-04-13 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\programfiler\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 09:41]
.
- - - - TOMME PEKERE FJERNET - - - -

BHO-{5B452B01-12C9-4286-81D9-2308AEB3CD94} - c:\windows\system32\219198\219198.dll
HKLM-Run-sysfbtray - c:\windows\freddy41.exe
SafeBoot-Symantec Antvirus


.
------- Tilleggsskanning -------
.
uStart Page = hxxp://www.symantec.com/enterprise/secu ... /index.jsp
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local;<local>
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&ksporter til Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\programfiler\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\programfiler\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\programfiler\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\programfiler\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
Trusted Zone: microsoft.com\update
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-23 21:10
Windows 5.1.2600 Service Pack 3 FAT NTAPI

skanner skjulte prosesser ...

skanner skjulte autostart-oppføringer ...

skanner skjulte filer ...

skanning vellykket
skjulte filer: 0

**************************************************************************
.
--------------------- DLL'er Lastet Av Kjørende Prosesser ---------------------

- - - - - - - > 'explorer.exe'(3972)
c:\windows\system32\MSNChatHook.dll
c:\windows\system32\sysenv.dll
c:\progra~1\FELLES~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
c:\programfiler\Fellesfiler\Microsoft Shared\Web Components\11\1044\OWCI11.DLL
c:\windows\system32\msimtf.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Andre Kjørende Prosesser ------------------------
.
c:\programfiler\SYMANTEC\SYMANTEC ENDPOINT PROTECTION\SMC.EXE
c:\programfiler\FELLESFILER\SYMANTEC SHARED\CCSVCHST.EXE
c:\programfiler\SYMANTEC\LIVEUPDATE\ALUSCHEDULERSVC.EXE
c:\programfiler\ACER\ACER ARCADE\KERNEL\TV\CLCAPSVC.EXE
c:\programfiler\ACER\ACER ARCADE\KERNEL\CLML_NTSERVICE\CLMLSERVER.EXE
c:\programfiler\ACER\ACER ARCADE\KERNEL\CLML_NTSERVICE\CLMLSERVICE.EXE
c:\programfiler\FELLESFILER\LIGHTSCRIBE\LSSRVC.EXE
c:\programfiler\CYBERLINK\SHARED FILES\RICHVIDEO.EXE
c:\programfiler\SYMANTEC\SYMANTEC ENDPOINT PROTECTION\RTVSCAN.EXE
c:\programfiler\ACER\ACER ARCADE\KERNEL\TV\CLSCHED.EXE
c:\windows\SYSTEM32\WBEM\UNSECAPP.EXE
c:\programfiler\SYMANTEC\SYMANTEC ENDPOINT PROTECTION\SMCGUI.EXE
c:\programfiler\iPod\bin\iPodService.exe
c:\acer\Empowering Technology\admServ.exe
c:\windows\SYSTEM32\WBEM\UNSECAPP.EXE
c:\docume~1\Mari\LOKALE~1\Temp\RtkBtMnt.exe
.
**************************************************************************
.
Tidspunkt ferdig: 2009-04-23 21:12 - maskinen ble startet på nytt
ComboFix-quarantined-files.txt 2009-04-23 19:12

Pre-Run: 8 236 990 464 byte ledig
Post-Run: 9 584 574 464 byte ledig

319 --- E O F --- 2008-11-04 08:12


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:17:04, on 23.04.2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Programfiler\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Programfiler\Fellesfiler\Symantec Shared\ccSvcHst.exe
C:\Programfiler\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programfiler\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Programfiler\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
C:\Programfiler\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
C:\Programfiler\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLService.exe
C:\Programfiler\Fellesfiler\LightScribe\LSSrvc.exe
C:\Programfiler\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Programfiler\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Programfiler\Acer\Acer Arcade\Kernel\TV\CLSched.exe
C:\Programfiler\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Programfiler\Acer\Acer Arcade\PCMService.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\Acer\Empowering Technology\admtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\Acer\Empowering Technology\eRecovery\Monitor.exe
C:\Programfiler\Java\jre1.6.0_05\bin\jusched.exe
C:\Programfiler\QuickTime\qttask.exe
C:\Programfiler\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\svchost.exe
C:\Programfiler\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe
C:\Programfiler\iPod\bin\iPodService.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Acer\Empowering Technology\admServ.exe
C:\Programfiler\MSN Messenger\MsnMsgr.Exe
C:\Programfiler\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\DOCUME~1\Mari\LOKALE~1\Temp\RtkBtMnt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Programfiler\Internet Explorer\iexplore.exe
C:\Programfiler\Java\jre1.6.0_05\bin\jucheck.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\All Users\Dokumenter\HTJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.symantec.com/enterprise/secu ... /index.jsp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programfiler\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Programfiler\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [AzMixerSel] C:\Programfiler\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [PCMService] "C:\Programfiler\Acer\Acer Arcade\PCMService.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
O4 - HKLM\..\Run: [ADMTray.exe] "C:\Acer\Empowering Technology\admtray.exe"
O4 - HKLM\..\Run: [ntiMUI] C:\Programfiler\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
O4 - HKLM\..\Run: [Acer ePower Management] C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe boot
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programfiler\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programfiler\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Programfiler\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Programfiler\Fellesfiler\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Programfiler\Fellesfiler\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [Ad-Watch] C:\Programfiler\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programfiler\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [updateMgr] "C:\Programfiler\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programfiler\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Programfiler\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [dll32] dll32
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programfiler\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Programfiler\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Programfiler\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Programfiler\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Programfiler\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_05\bin\npjpi160_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_05\bin\npjpi160_05.dll
O9 - Extra button: Oppslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Programfiler\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Programfiler\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/ms ... b56986.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/Mi ... b31267.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/So ... b56986.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 7631136390
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 7632825434
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZI ... b56649.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Ba ... b57213.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b56907.cab
O16 - DPF: {EDFCB7CB-942C-4822-AF14-F0B687409848} (Image Uploader Control) - http://www.nfoto.no/upload/ImageUploader4.cab
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Programfiler\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AdminWorks Agent X6 (AWService) - Avocent Inc. - C:\Acer\Empowering Technology\admServ.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccSvcHst.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Programfiler\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Programfiler\Acer\Acer Arcade\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Programfiler\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Programfiler\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service (lavasoft ad-aware service) - Lavasoft - C:\Programfiler\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Programfiler\Fellesfiler\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Programfiler\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Programfiler\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Programfiler\Symantec\Symantec Endpoint Protection\SNAC.EXE
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Programfiler\Symantec\Symantec Endpoint Protection\Rtvscan.exe

--
End of file - 12126 bytes
Mari49
Active Member
 
Posts: 14
Joined: April 16th, 2009, 1:16 am

Re: Malware Removal

Unread postby Shaba » April 23rd, 2009, 3:22 pm

Please see my link on how to install the Recovery Console manually.

After that, please rerun ComboFix and post back a fresh ComboFix log.
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: Malware Removal

Unread postby Mari49 » April 23rd, 2009, 3:41 pm

Sorry, my fault, here we go:
ComboFix 09-04-23.A3 - Mari 23.04.2009 21:34.2 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.47.1044.18.1014.502 [GMT 2:00]
Kjører fra: c:\documents and settings\Mari\Skrivebord\ComboFix.exe
Command switches brukt :: c:\documents and settings\Mari\Skrivebord\WinXP_NO_PER_BF.EXE
AV: Symantec Endpoint Protection *On-access scanning enabled* (Outdated)
FW: Symantec Endpoint Protection *disabled*
* Opprettet nytt gjenopprettingspunkt
.

((((((((((((((((((((((((((( Filer Opprettet Fra 2009-05-23 til 2009-4-23 )))))))))))))))))))))))))))))))))
.

2009-04-23 19:11 . 2009-04-23 19:11 -------- d-----w c:\windows\LastGood
2009-04-21 06:01 . 2009-04-21 06:01 2 ---h--w c:\windows\t55ft3242f44.dat
2009-04-17 11:48 . 2009-04-17 11:48 2 ---h--w c:\windows\t55ft2823f44.dat
2009-04-16 14:41 . 2009-04-16 14:42 -------- d-----w c:\programfiler\Trend Micro
2009-04-16 14:41 . 2009-04-16 14:41 812344 ----a-w c:\programfiler\HJTInstall.exe
2009-04-15 15:56 . 2009-04-15 15:58 2048 ---h--w c:\windows\f5087.dat
2009-04-15 15:15 . 2009-04-17 11:50 142 ----a-w C:\pch.bat
2009-04-15 15:13 . 2009-04-15 15:13 2 ---h--w c:\windows\t55ft2772f44.dat
2009-04-14 18:39 . 2009-04-14 18:39 2 ---h--w c:\windows\t55ft2804f44.dat
2009-04-13 17:53 . 2009-04-13 17:53 1 ---h--w c:\windows\f23567.dat
2009-04-13 17:53 . 2009-04-13 17:53 1 ----a-w c:\windows\9g2234wesdf3dfgjf23
2009-04-13 17:53 . 2009-04-13 17:53 2 ---h--w c:\windows\t55ft2803f44.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-23 19:13 . 2006-06-29 04:12 62530 ----a-w c:\windows\system32\perfc014.dat
2009-04-23 19:13 . 2006-06-29 04:12 389242 ----a-w c:\windows\system32\perfh014.dat
2009-04-23 19:08 . 2009-03-09 16:11 11005 ----a-w C:\aaw7boot.log
2009-04-20 18:57 . 2006-10-22 07:34 244 ---ha-w C:\sqmnoopt10.sqm
2009-04-20 18:57 . 2006-10-22 07:34 232 ---ha-w C:\sqmdata10.sqm
2009-04-14 18:23 . 2006-10-21 16:57 268 ---ha-w C:\sqmdata09.sqm
2009-04-14 18:23 . 2006-10-21 16:57 244 ---ha-w C:\sqmnoopt09.sqm
2009-04-12 20:15 . 2006-10-21 10:04 268 ---ha-w C:\sqmdata08.sqm
2009-04-12 20:15 . 2006-10-21 10:04 244 ---ha-w C:\sqmnoopt08.sqm
2009-04-05 15:20 . 2006-10-19 18:10 244 ---ha-w C:\sqmnoopt07.sqm
2009-04-05 15:20 . 2006-10-19 18:10 232 ---ha-w C:\sqmdata07.sqm
2009-03-28 09:32 . 2006-10-14 20:19 244 ---ha-w C:\sqmnoopt06.sqm
2009-03-28 09:32 . 2006-10-14 20:19 232 ---ha-w C:\sqmdata06.sqm
2009-03-22 16:44 . 2006-10-14 19:57 268 ---ha-w C:\sqmdata05.sqm
2009-03-22 16:44 . 2006-10-14 19:57 244 ---ha-w C:\sqmnoopt05.sqm
2009-03-22 15:15 . 2006-10-14 19:57 244 ---ha-w C:\sqmnoopt04.sqm
2009-03-22 15:15 . 2006-10-14 19:57 232 ---ha-w C:\sqmdata04.sqm
2009-03-22 14:57 . 2009-03-22 14:57 -------- d-----w c:\documents and settings\Mari\Programdata\Uniblue
2009-03-22 14:57 . 2009-03-22 14:57 -------- d-----w c:\programfiler\Uniblue
2009-03-22 10:43 . 2006-10-13 18:56 244 ---ha-w C:\sqmnoopt03.sqm
2009-03-22 10:43 . 2006-10-13 18:56 232 ---ha-w C:\sqmdata03.sqm
2009-03-21 15:56 . 2009-03-21 15:56 -------- d-----w c:\programfiler\Spybot - Search & Destroy
2009-03-21 15:56 . 2009-03-21 15:56 -------- d-----w c:\documents and settings\All Users\Programdata\Spybot - Search & Destroy
2009-03-21 14:58 . 2006-10-12 19:31 244 ---ha-w C:\sqmnoopt02.sqm
2009-03-21 14:58 . 2006-10-12 19:31 232 ---ha-w C:\sqmdata02.sqm
2009-03-21 11:06 . 2006-10-12 16:07 268 ---ha-w C:\sqmdata01.sqm
2009-03-21 11:06 . 2006-10-12 16:07 244 ---ha-w C:\sqmnoopt01.sqm
2009-03-21 10:07 . 2006-10-12 05:18 244 ---ha-w C:\sqmnoopt00.sqm
2009-03-21 10:07 . 2006-10-12 05:18 232 ---ha-w C:\sqmdata00.sqm
2009-03-21 09:42 . 2009-03-09 16:10 15688 ----a-w c:\windows\system32\lsdelete.exe
2009-03-18 21:41 . 2006-10-26 17:53 244 ---ha-w C:\sqmnoopt19.sqm
2009-03-18 21:41 . 2006-10-26 17:53 232 ---ha-w C:\sqmdata19.sqm
2009-03-16 21:55 . 2009-03-16 21:55 -------- d-----w c:\programfiler\Opera
2009-03-13 16:01 . 2008-06-19 21:12 149768 ----a-w c:\windows\system32\drivers\WpsHelper.sys
2009-03-09 22:49 . 2006-10-26 17:01 268 ---ha-w C:\sqmdata18.sqm
2009-03-09 22:49 . 2006-10-26 17:01 244 ---ha-w C:\sqmnoopt18.sqm
2009-03-09 20:42 . 2009-03-09 20:42 -------- d-----w c:\documents and settings\Mari\Programdata\Auslogics
2009-03-09 20:42 . 2009-03-09 20:42 -------- d-----w c:\programfiler\Auslogics
2009-03-09 17:44 . 2009-03-09 17:41 805 ----a-w c:\windows\system32\drivers\SYMEVENT.INF
2009-03-09 17:44 . 2009-03-09 17:41 60800 ----a-w c:\windows\system32\S32EVNT1.DLL
2009-03-09 17:44 . 2009-03-09 17:41 123952 ----a-w c:\windows\system32\drivers\SYMEVENT.SYS
2009-03-09 17:44 . 2009-03-09 17:41 10563 ----a-w c:\windows\system32\drivers\SYMEVENT.CAT
2009-03-08 19:23 . 2009-02-28 16:44 32768 ----a-w c:\windows\system32\drivers\21906bd1.sys
2009-03-08 18:58 . 2006-10-24 09:07 244 ---ha-w C:\sqmnoopt17.sqm
2009-03-08 18:58 . 2006-10-24 09:07 232 ---ha-w C:\sqmdata17.sqm
2009-03-08 18:56 . 2009-03-08 18:56 -------- d--h--w c:\documents and settings\All Users\Programdata\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-03-08 18:55 . 2009-03-08 18:55 -------- d-----w c:\programfiler\Lavasoft
2009-03-08 18:55 . 2009-03-08 18:55 -------- d-----w c:\documents and settings\All Users\Programdata\Lavasoft
2009-03-01 18:31 . 2006-10-24 07:20 244 ---ha-w C:\sqmnoopt16.sqm
2009-03-01 18:31 . 2006-10-24 07:20 232 ---ha-w C:\sqmdata16.sqm
2009-02-28 22:05 . 2006-10-23 09:22 268 ---ha-w C:\sqmdata15.sqm
2009-02-28 22:05 . 2006-10-23 09:22 244 ---ha-w C:\sqmnoopt15.sqm
2009-02-28 22:04 . 2006-10-22 08:33 244 ---ha-w C:\sqmnoopt14.sqm
2009-02-28 22:04 . 2006-10-22 08:33 232 ---ha-w C:\sqmdata14.sqm
2009-02-28 21:40 . 2009-02-01 14:04 57364 ----a-w c:\windows\system32\ywozlvfefijl.dll-uninst.exe
2009-02-28 16:45 . 2009-02-28 16:44 705 ----a-w C:\mseljj.exe
2009-02-28 16:44 . 2007-10-25 13:19 2 ----a-w C:\156505820
2009-02-28 15:43 . 2009-02-28 15:43 2713 ----a-w c:\windows\system32\khfcAqQi.dll
2009-02-21 20:40 . 2006-10-22 08:05 244 ---ha-w C:\sqmnoopt13.sqm
2009-02-21 20:40 . 2006-10-22 08:05 232 ---ha-w C:\sqmdata13.sqm
2009-02-08 10:21 . 2006-10-22 07:43 268 ---ha-w C:\sqmdata12.sqm
2009-02-08 10:21 . 2006-10-22 07:43 244 ---ha-w C:\sqmnoopt12.sqm
2009-02-06 21:29 . 2006-10-22 07:38 268 ---ha-w C:\sqmdata11.sqm
2009-02-06 21:29 . 2006-10-22 07:38 244 ---ha-w C:\sqmnoopt11.sqm
2009-02-01 20:26 . 2009-02-01 20:26 357704 ----a-w c:\windows\system32\sysfer.dll
2009-02-01 20:26 . 2009-02-01 20:26 107848 ----a-w c:\windows\system32\SymVPN.dll
2009-02-01 20:26 . 2009-02-01 20:26 49480 ----a-w c:\windows\system32\FwsVpn.dll
2006-12-10 18:05 . 2006-10-11 19:30 39760 ----a-w c:\documents and settings\Robert\Lokale innstillinger\Programdata\GDIPFONTCACHEV1.DAT
2006-11-09 15:20 . 2006-10-11 19:34 39760 ----a-w c:\documents and settings\Bjørnar\Lokale innstillinger\Programdata\GDIPFONTCACHEV1.DAT
2006-11-07 17:07 . 2006-10-12 00:44 39760 ----a-w c:\documents and settings\Mari\Lokale innstillinger\Programdata\GDIPFONTCACHEV1.DAT
2006-10-12 00:44 . 2006-10-12 00:41 128 ----a-w c:\documents and settings\Mari\Lokale innstillinger\Programdata\fusioncache.dat
2006-10-11 19:33 . 2006-10-11 19:33 131 ----a-w c:\documents and settings\Bjørnar\Lokale innstillinger\Programdata\fusioncache.dat
2006-10-11 19:30 . 2006-10-11 19:29 130 ----a-w c:\documents and settings\Robert\Lokale innstillinger\Programdata\fusioncache.dat
2005-02-14 21:32 . 2009-01-19 19:25 128 ----a-w c:\documents and settings\Administrator\Lokale innstillinger\Programdata\fusioncache.dat
2008-10-31 17:23 . 2008-10-31 17:23 32768 --sha-w c:\windows\system32\config\systemprofile\Lokale innstillinger\Logg\History.IE5\MSHist012008103120081101\index.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-04-23_19.10.30 )))))))))))))))))))))))))))))))))))))))))
.
+ 2004-08-04 18:00 . 2008-10-16 12:09 51224 c:\windows\system32\wuauclt.exe
+ 2009-04-23 19:11 . 2008-10-16 12:09 43544 c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups2.dll\7.2.6001.788\wups2.dll
+ 2009-04-23 19:11 . 2008-10-16 12:08 34328 c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.2.6001.788\wups.dll
- 2006-06-29 04:12 . 2009-04-21 04:31 54614 c:\windows\system32\perfc009.dat
+ 2006-06-29 04:12 . 2009-04-23 19:13 54614 c:\windows\system32\perfc009.dat
+ 2004-08-04 18:00 . 2008-10-16 12:09 51224 c:\windows\system32\dllcache\wuauclt.exe
+ 2004-08-04 18:00 . 2008-10-16 12:09 92696 c:\windows\system32\dllcache\cdm.dll
+ 2004-08-04 18:00 . 2008-10-16 12:09 92696 c:\windows\system32\cdm.dll
+ 2009-04-23 19:11 . 2008-07-18 20:10 45768 c:\windows\LastGood\system32\wups2.dll
+ 2009-04-23 19:11 . 2008-07-18 20:10 36552 c:\windows\LastGood\system32\wups.dll
+ 2009-04-23 19:11 . 2008-07-18 20:10 53448 c:\windows\LastGood\system32\wuauclt.exe
+ 2009-04-23 19:11 . 2008-07-18 20:10 94920 c:\windows\LastGood\system32\cdm.dll
+ 2004-08-04 18:00 . 2008-10-16 12:12 323608 c:\windows\system32\wucltui.dll
+ 2004-08-04 18:00 . 2008-10-16 12:12 561688 c:\windows\system32\wuapi.dll
+ 2006-06-29 04:12 . 2009-04-23 19:13 384930 c:\windows\system32\perfh009.dat
- 2006-06-29 04:12 . 2009-04-21 04:31 384930 c:\windows\system32\perfh009.dat
+ 2004-08-04 18:00 . 2008-10-16 12:12 323608 c:\windows\system32\dllcache\wucltui.dll
+ 2004-08-04 18:00 . 2008-10-16 12:12 561688 c:\windows\system32\dllcache\wuapi.dll
+ 2009-04-23 19:11 . 2008-07-18 20:09 325832 c:\windows\LastGood\system32\wucltui.dll
+ 2009-04-23 19:11 . 2008-07-18 20:09 563912 c:\windows\LastGood\system32\wuapi.dll
+ 2004-08-04 18:00 . 2008-10-16 12:13 1809944 c:\windows\system32\wuaueng.dll
+ 2004-08-04 18:00 . 2008-10-16 12:13 1809944 c:\windows\system32\dllcache\wuaueng.dll
+ 2009-04-23 19:11 . 2008-07-18 20:09 1811656 c:\windows\LastGood\system32\wuaueng.dll
.
(((((((((((((((((((((((((((((((( Oppstartspunkter I Registeret )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Merk* tomme oppføringer & gyldige standardoppføringer vises ikke
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dll32"="dll32" [X]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MsnMsgr"="c:\programfiler\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"updateMgr"="c:\programfiler\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"SpybotSD TeaTimer"="c:\programfiler\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"Uniblue RegistryBooster 2"="c:\programfiler\Uniblue\RegistryBooster 2\RegistryBooster.exe" [2007-07-24 1863960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AzMixerSel"="c:\programfiler\Realtek\InstallShield\AzMixerSel.exe" [2005-12-20 53248]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PCMService"="c:\programfiler\Acer\Acer Arcade\PCMService.exe" [2005-12-13 151552]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-28 98304]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-28 118784]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2005-12-27 69632]
"ADMTray.exe"="c:\acer\Empowering Technology\admtray.exe" [2005-10-24 2462208]
"ntiMUI"="c:\programfiler\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe" [2005-05-11 45056]
"ePower_DMC"="c:\acer\Empowering Technology\ePower\ePower_DMC.exe" [2006-01-17 344064]
"Acer ePower Management"="c:\acer\Empowering Technology\ePower\Acer ePower Management.exe" [2006-01-16 3080192]
"eRecoveryService"="c:\acer\Empowering Technology\eRecovery\Monitor.exe" [2006-01-24 397312]
"SunJavaUpdateSched"="c:\programfiler\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"QuickTime Task"="c:\programfiler\QuickTime\qttask.exe" [2006-09-24 282624]
"iTunesHelper"="c:\programfiler\iTunes\iTunesHelper.exe" [2006-09-25 229952]
"Easy-PrintToolBox"="c:\programfiler\Canon\Easy-PrintToolBox\BJPSMAIN.EXE" [2004-01-14 409600]
"Symantec PIF AlertEng"="c:\programfiler\Fellesfiler\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"Ad-Watch"="c:\programfiler\Lavasoft\Ad-Aware\AAWTray.exe" [2009-03-21 515416]
"ccApp"="c:\programfiler\Fellesfiler\Symantec Shared\ccApp.exe" [2008-12-18 115560]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-28 77824]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2006-06-27 16248320]
"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2006-05-16 2879488]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start-meny\Programmer\Oppstart\
Adobe Reader Speed Launch.lnk - c:\programfiler\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\lavasoft ad-aware service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programfiler\\Acer\\Acer Arcade\\PCMService.exe"=
"c:\\Programfiler\\LimeWire\\LimeWire.exe"=
"c:\\Programfiler\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\PCHEALTH\\HELPCTR\\BINARIES\\HelpCtr.exe"=
"c:\\Programfiler\\Messenger\\MSMSGS.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programfiler\\MSN Messenger\\MsnMsgr.Exe"=
"c:\\Programfiler\\MSN Messenger\\livecall.exe"=
"c:\\Programfiler\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=
"c:\\Programfiler\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=
"c:\\Programfiler\\Fellesfiler\\Symantec Shared\\ccApp.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9090:TCP"= 9090:TCP:TINYPROXY

R0 Xecv36;Xecv36; [x]
R1 21906bd1;21906bd1;c:\windows\System32\drivers\21906bd1.sys [2009-03-08 32768]
R3 COH_Mon;COH_Mon;c:\windows\system32\Drivers\COH_Mon.sys [2008-11-18 23888]
R3 EraserUtilDrv10633;EraserUtilDrv10633; [x]
R3 EraserUtilDrvI7;EraserUtilDrvI7; [x]
S1 OsaFsLoc;OsaFsLoc;c:\windows\system32\drivers\OsaFsLoc.sys [2005-10-15 12106]
S2 lavasoft ad-aware service;lavasoft ad-aware service;c:\programfiler\Lavasoft\Ad-Aware\AAWService.exe [2009-03-21 951632]
S2 osaio;osaio;c:\windows\system32\drivers\osaio.sys [2005-06-30 7296]
S2 osanbm;osanbm;c:\windows\system32\drivers\osanbm.sys [2005-01-14 4010]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\programfiler\Fellesfiler\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-03-18 101936]
S3 NdisFilt;OSA NdisFilter Protocol;c:\windows\system32\Drivers\NdisFilt.sys [2005-09-13 4392]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8ad27a0a-140c-11de-9a1a-0016d41b5bba}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL resycled\ntldr.com j:
\Shell\Open\command - resycled\ntldr.com j:
.
Innholdet i mappen 'Scheduled Tasks' (planlagte oppgaver)

2009-04-13 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\programfiler\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 09:41]
.
.
------- Tilleggsskanning -------
.
uStart Page = hxxp://www.symantec.com/enterprise/secu ... /index.jsp
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local;<local>
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&ksporter til Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\programfiler\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\programfiler\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\programfiler\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\programfiler\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
Trusted Zone: microsoft.com\update
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-23 21:37
Windows 5.1.2600 Service Pack 3 FAT NTAPI

skanner skjulte prosesser ...

skanner skjulte autostart-oppføringer ...

skanner skjulte filer ...

skanning vellykket
skjulte filer: 0

**************************************************************************
.
--------------------- DLL'er Lastet Av Kjørende Prosesser ---------------------

- - - - - - - > 'explorer.exe'(2200)
c:\windows\system32\MSNChatHook.dll
c:\windows\system32\sysenv.dll
c:\windows\system32\msimtf.dll
c:\acer\Empowering Technology\ePower\SysHook.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Tidspunkt ferdig: 2009-04-23 21:38
ComboFix-quarantined-files.txt 2009-04-23 19:38
ComboFix2.txt 2009-04-23 19:12

Pre-Run: 9 263 874 048 byte ledig
Post-Run: 9 261 547 520 byte ledig

WinXP_NO_PER_BF.EXE
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

263 --- E O F --- 2008-11-04 08:12


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:40:40, on 23.04.2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Programfiler\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Programfiler\Fellesfiler\Symantec Shared\ccSvcHst.exe
C:\Programfiler\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programfiler\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Programfiler\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
C:\Programfiler\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
C:\Programfiler\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLService.exe
C:\Programfiler\Fellesfiler\LightScribe\LSSrvc.exe
C:\Programfiler\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Programfiler\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Programfiler\Acer\Acer Arcade\Kernel\TV\CLSched.exe
C:\Programfiler\Acer\Acer Arcade\PCMService.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\Acer\Empowering Technology\admtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\Acer\Empowering Technology\eRecovery\Monitor.exe
C:\Programfiler\Java\jre1.6.0_05\bin\jusched.exe
C:\Programfiler\QuickTime\qttask.exe
C:\Programfiler\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\svchost.exe
C:\Programfiler\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe
C:\Programfiler\iPod\bin\iPodService.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Acer\Empowering Technology\admServ.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Programfiler\Java\jre1.6.0_05\bin\jucheck.exe
C:\Documents and Settings\All Users\Dokumenter\HTJT\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programfiler\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\WINDOWS\explorer.exe
C:\Programfiler\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\notepad.exe
C:\Programfiler\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.symantec.com/enterprise/secu ... /index.jsp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programfiler\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Programfiler\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [AzMixerSel] C:\Programfiler\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [PCMService] "C:\Programfiler\Acer\Acer Arcade\PCMService.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
O4 - HKLM\..\Run: [ADMTray.exe] "C:\Acer\Empowering Technology\admtray.exe"
O4 - HKLM\..\Run: [ntiMUI] C:\Programfiler\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
O4 - HKLM\..\Run: [Acer ePower Management] C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe boot
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programfiler\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programfiler\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Programfiler\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Programfiler\Fellesfiler\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Programfiler\Fellesfiler\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [Ad-Watch] C:\Programfiler\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programfiler\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [updateMgr] "C:\Programfiler\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programfiler\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Programfiler\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [dll32] dll32
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programfiler\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Programfiler\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Programfiler\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Programfiler\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Programfiler\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_05\bin\npjpi160_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_05\bin\npjpi160_05.dll
O9 - Extra button: Oppslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Programfiler\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Programfiler\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/ms ... b56986.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/Mi ... b31267.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/So ... b56986.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 7631136390
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 7632825434
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZI ... b56649.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Ba ... b57213.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b56907.cab
O16 - DPF: {EDFCB7CB-942C-4822-AF14-F0B687409848} (Image Uploader Control) - http://www.nfoto.no/upload/ImageUploader4.cab
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Programfiler\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AdminWorks Agent X6 (AWService) - Avocent Inc. - C:\Acer\Empowering Technology\admServ.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccSvcHst.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Programfiler\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Programfiler\Acer\Acer Arcade\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Programfiler\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Programfiler\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service (lavasoft ad-aware service) - Lavasoft - C:\Programfiler\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Programfiler\Fellesfiler\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Programfiler\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Programfiler\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Programfiler\Symantec\Symantec Endpoint Protection\SNAC.EXE
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Programfiler\Symantec\Symantec Endpoint Protection\Rtvscan.exe

--
End of file - 12028 bytes
Mari49
Active Member
Posts: 14
Joined: April 16th, 2009, 1:16 am

Re: Malware Removal

Unread postby Shaba » April 23rd, 2009, 11:56 pm

To access the Uninstall Manager you would do the following:

1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.

You will now be presented with a screen similar to the one below:

[Image: screenshot of the HijackThis Uninstall Manager window]

5. Click on the Save list... button and specify where you would like to save this file. When you press the Save button, a Notepad window will open with the contents of that file. Simply copy and paste the contents of that Notepad window here in your next reply.
Shaba
Admin/Teacher Emeritus
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: Malware Removal

Unread postby Mari49 » April 24th, 2009, 12:17 am

Ok :-)
Acer Arcade
Acer eDataSecurity Management 1.00.26
Acer eLock Management
Acer Empowering Technology framework
Acer ePerformance Management
Acer ePower Management
Acer ePresentation Management
Acer eSettings Management
Acer GridVista
Acer OrbiCam
Acer Screensaver
Ad-Aware
Ad-Aware
Adobe Flash Player 10 ActiveX
Adobe Reader 7.0.9
Adobe Shockwave Player
AusLogics Disk Defrag
AusLogics Registry Cleaner
AusLogics Registry Defrag
Canon Camera Window DC_DV 6 for ZoomBrowser EX
Canon Camera Window MC 6 for ZoomBrowser EX
Canon G.726 WMP-Decoder
CANON iMAGE GATEWAY Task
Canon Internet Library for ZoomBrowser EX
Canon iP5200
Canon MovieEdit Task for ZoomBrowser EX
Canon RAW Image Task for ZoomBrowser EX
Canon RemoteCapture Task for ZoomBrowser EX
Canon Setup Utility 2.0
Canon Utilities Easy-PhotoPrint
Canon Utilities Easy-PrintToolBox
Canon Utilities EOS Utility
Canon Utilities PhotoStitch
Canon Utilities ZoomBrowser EX
CD-LabelPrint
Easy-WebPrint
HDAUDIO Soft Data Fax Modem with SmartCP
High Definition Audio Driver Package - KB888111
Hotfix for Windows Media Format 11 SDK (KB929399)
Hurtigreparasjon for Windows Internet Explorer 7 (KB947864)
Hurtigreparasjon for Windows Media Player 11 (KB939683)
Hurtigreparasjon for Windows XP (KB952287)
Intel(R) Graphics Media Accelerator Driver
iTunes
J2SE Runtime Environment 5.0 Update 8
Java(TM) 6 Update 5
Java(TM) SE Runtime Environment 6 Update 1
Kritisk oppdatering for Windows Media Player 11 (KB959772)
LimeWire 4.18.8
LiveUpdate 3.3 (Symantec Corporation)
LiveUpdate Notice (Symantec Corporation)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 1.1 Norwegian Language Pack
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Standard Edition 2003
Microsoft User-Mode Driver Framework Feature Pack 1.0
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
NTI Backup NOW! 4
NTI CD & DVD-Maker
Opera 9.64
Oppdatering for Windows XP (KB951072-v2)
Oppdatering for Windows XP (KB951978)
Oppdatering for Windows XP (KB955839)
Oppdatering for Windows XP (KB967715)
PowerProducer
QuickTime
Realtek High Definition Audio Driver
Search Assistant Leftsidebuddy
Sikkerhetsoppdatering for Windows Internet Explorer 7 (KB938127)
Sikkerhetsoppdatering for Windows Internet Explorer 7 (KB950759)
Sikkerhetsoppdatering for Windows Internet Explorer 7 (KB953838)
Sikkerhetsoppdatering for Windows Internet Explorer 7 (KB956390)
Sikkerhetsoppdatering for Windows Internet Explorer 7 (KB963027)
Sikkerhetsoppdatering for Windows Media Player (KB952069)
Sikkerhetsoppdatering for Windows Media Player 11 (KB936782)
Sikkerhetsoppdatering for Windows Media Player 11 (KB954154)
Sikkerhetsoppdatering for Windows Media Player 9 (KB917734)
Sikkerhetsoppdatering for Windows XP (KB913433)
Sikkerhetsoppdatering for Windows XP (KB923561)
Sikkerhetsoppdatering for Windows XP (KB938464)
Sikkerhetsoppdatering for Windows XP (KB938464-v2)
Sikkerhetsoppdatering for Windows XP (KB941569)
Sikkerhetsoppdatering for Windows XP (KB946648)
Sikkerhetsoppdatering for Windows XP (KB950760)
Sikkerhetsoppdatering for Windows XP (KB950762)
Sikkerhetsoppdatering for Windows XP (KB950974)
Sikkerhetsoppdatering for Windows XP (KB951066)
Sikkerhetsoppdatering for Windows XP (KB951376)
Sikkerhetsoppdatering for Windows XP (KB951376-v2)
Sikkerhetsoppdatering for Windows XP (KB951698)
Sikkerhetsoppdatering for Windows XP (KB951748)
Sikkerhetsoppdatering for Windows XP (KB952004)
Sikkerhetsoppdatering for Windows XP (KB952954)
Sikkerhetsoppdatering for Windows XP (KB953839)
Sikkerhetsoppdatering for Windows XP (KB954211)
Sikkerhetsoppdatering for Windows XP (KB954459)
Sikkerhetsoppdatering for Windows XP (KB954600)
Sikkerhetsoppdatering for Windows XP (KB955069)
Sikkerhetsoppdatering for Windows XP (KB956391)
Sikkerhetsoppdatering for Windows XP (KB956572)
Sikkerhetsoppdatering for Windows XP (KB956802)
Sikkerhetsoppdatering for Windows XP (KB956803)
Sikkerhetsoppdatering for Windows XP (KB956841)
Sikkerhetsoppdatering for Windows XP (KB957095)
Sikkerhetsoppdatering for Windows XP (KB957097)
Sikkerhetsoppdatering for Windows XP (KB958644)
Sikkerhetsoppdatering for Windows XP (KB958687)
Sikkerhetsoppdatering for Windows XP (KB958690)
Sikkerhetsoppdatering for Windows XP (KB959426)
Sikkerhetsoppdatering for Windows XP (KB960225)
Sikkerhetsoppdatering for Windows XP (KB960715)
Sikkerhetsoppdatering for Windows XP (KB960803)
Sikkerhetsoppdatering for Windows XP (KB961373)
Spybot - Search & Destroy
Symantec Endpoint Protection
Uniblue RegistryBooster 2
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Service Pack 3

Re: Malware Removal

Unread postby Shaba » April 24th, 2009, 1:22 am

As per forum rules, you will need to uninstall LimeWire 4.18.8.

After that, please post back a fresh uninstall list.

Re: Malware Removal

Unread postby Mari49 » April 24th, 2009, 10:27 am

Hello,
I have uninstalled LimeWire, but I am unsure where I find a list of all uninstalled programs...
Can you help me?

Regards
Mari49

Re: Malware Removal

Unread postby Shaba » April 24th, 2009, 12:01 pm

Similar way as before: HijackThis - Config - Misc Tools - Uninstall Manager :)

Re: Malware Removal

Unread postby Mari49 » April 24th, 2009, 12:10 pm

Okidoki :lol:
Here it is:
Acer Arcade
Acer eDataSecurity Management 1.00.26
Acer eLock Management
Acer Empowering Technology framework
Acer ePerformance Management
Acer ePower Management
Acer ePresentation Management
Acer eSettings Management
Acer GridVista
Acer OrbiCam
Acer Screensaver
Ad-Aware
Ad-Aware
Adobe Flash Player 10 ActiveX
Adobe Reader 7.0.9
Adobe Shockwave Player
AusLogics Disk Defrag
AusLogics Registry Cleaner
AusLogics Registry Defrag
Canon Camera Window DC_DV 6 for ZoomBrowser EX
Canon Camera Window MC 6 for ZoomBrowser EX
Canon G.726 WMP-Decoder
CANON iMAGE GATEWAY Task
Canon Internet Library for ZoomBrowser EX
Canon iP5200
Canon MovieEdit Task for ZoomBrowser EX
Canon RAW Image Task for ZoomBrowser EX
Canon RemoteCapture Task for ZoomBrowser EX
Canon Setup Utility 2.0
Canon Utilities Easy-PhotoPrint
Canon Utilities Easy-PrintToolBox
Canon Utilities EOS Utility
Canon Utilities PhotoStitch
Canon Utilities ZoomBrowser EX
CD-LabelPrint
Easy-WebPrint
HDAUDIO Soft Data Fax Modem with SmartCP
High Definition Audio Driver Package - KB888111
Hotfix for Windows Media Format 11 SDK (KB929399)
Hurtigreparasjon for Windows Internet Explorer 7 (KB947864)
Hurtigreparasjon for Windows Media Player 11 (KB939683)
Hurtigreparasjon for Windows XP (KB952287)
Intel(R) Graphics Media Accelerator Driver
iTunes
J2SE Runtime Environment 5.0 Update 8
Java(TM) 6 Update 5
Java(TM) SE Runtime Environment 6 Update 1
Kritisk oppdatering for Windows Media Player 11 (KB959772)
LiveUpdate 3.3 (Symantec Corporation)
LiveUpdate Notice (Symantec Corporation)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 1.1 Norwegian Language Pack
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Standard Edition 2003
Microsoft User-Mode Driver Framework Feature Pack 1.0
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
NTI Backup NOW! 4
NTI CD & DVD-Maker
Opera 9.64
Oppdatering for Windows XP (KB951072-v2)
Oppdatering for Windows XP (KB951978)
Oppdatering for Windows XP (KB955839)
Oppdatering for Windows XP (KB967715)
PowerProducer
QuickTime
Realtek High Definition Audio Driver
Search Assistant Leftsidebuddy
Sikkerhetsoppdatering for Windows Internet Explorer 7 (KB938127)
Sikkerhetsoppdatering for Windows Internet Explorer 7 (KB950759)
Sikkerhetsoppdatering for Windows Internet Explorer 7 (KB953838)
Sikkerhetsoppdatering for Windows Internet Explorer 7 (KB956390)
Sikkerhetsoppdatering for Windows Internet Explorer 7 (KB963027)
Sikkerhetsoppdatering for Windows Media Player (KB952069)
Sikkerhetsoppdatering for Windows Media Player 11 (KB936782)
Sikkerhetsoppdatering for Windows Media Player 11 (KB954154)
Sikkerhetsoppdatering for Windows Media Player 9 (KB917734)
Sikkerhetsoppdatering for Windows XP (KB913433)
Sikkerhetsoppdatering for Windows XP (KB923561)
Sikkerhetsoppdatering for Windows XP (KB938464)
Sikkerhetsoppdatering for Windows XP (KB938464-v2)
Sikkerhetsoppdatering for Windows XP (KB941569)
Sikkerhetsoppdatering for Windows XP (KB946648)
Sikkerhetsoppdatering for Windows XP (KB950760)
Sikkerhetsoppdatering for Windows XP (KB950762)
Sikkerhetsoppdatering for Windows XP (KB950974)
Sikkerhetsoppdatering for Windows XP (KB951066)
Sikkerhetsoppdatering for Windows XP (KB951376)
Sikkerhetsoppdatering for Windows XP (KB951376-v2)
Sikkerhetsoppdatering for Windows XP (KB951698)
Sikkerhetsoppdatering for Windows XP (KB951748)
Sikkerhetsoppdatering for Windows XP (KB952004)
Sikkerhetsoppdatering for Windows XP (KB952954)
Sikkerhetsoppdatering for Windows XP (KB953839)
Sikkerhetsoppdatering for Windows XP (KB954211)
Sikkerhetsoppdatering for Windows XP (KB954459)
Sikkerhetsoppdatering for Windows XP (KB954600)
Sikkerhetsoppdatering for Windows XP (KB955069)
Sikkerhetsoppdatering for Windows XP (KB956391)
Sikkerhetsoppdatering for Windows XP (KB956572)
Sikkerhetsoppdatering for Windows XP (KB956802)
Sikkerhetsoppdatering for Windows XP (KB956803)
Sikkerhetsoppdatering for Windows XP (KB956841)
Sikkerhetsoppdatering for Windows XP (KB957095)
Sikkerhetsoppdatering for Windows XP (KB957097)
Sikkerhetsoppdatering for Windows XP (KB958644)
Sikkerhetsoppdatering for Windows XP (KB958687)
Sikkerhetsoppdatering for Windows XP (KB958690)
Sikkerhetsoppdatering for Windows XP (KB959426)
Sikkerhetsoppdatering for Windows XP (KB960225)
Sikkerhetsoppdatering for Windows XP (KB960715)
Sikkerhetsoppdatering for Windows XP (KB960803)
Sikkerhetsoppdatering for Windows XP (KB961373)
Spybot - Search & Destroy
Symantec Endpoint Protection
Uniblue RegistryBooster 2
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Service Pack 3
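A helper checking the "fresh" list against the first one wants to confirm that LimeWire 4.18.8 is the only entry that disappeared, and nothing new appeared, without reading 130 lines by eye. The Python below is an added example, not code from this thread or from HijackThis; its two sample lists are constructed from a few of the entries posted above, and the `parse_uninstall_list` / `diff_uninstall_lists` names are this example's own.

```python
"""Diff two HijackThis Uninstall Manager lists as pasted into a forum reply.

Added example (not from the thread or from HijackThis). The sample lists
below are constructed from a handful of the entries posted in the thread.
"""
from collections import Counter


def parse_uninstall_list(text: str) -> list[str]:
    """Split a pasted list into program entries.

    Blank lines and chatter that ends in a colon ("Here it is:") are
    dropped; everything else is taken as one installed-program name.
    """
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.endswith(":"):
            continue
        entries.append(line)
    return entries


def duplicate_entries(entries: list[str]) -> list[str]:
    """Names listed more than once (the posted list shows 'Ad-Aware' twice)."""
    counts = Counter(entries)
    return sorted(name for name, n in counts.items() if n > 1)


def diff_uninstall_lists(before: str, after: str) -> dict[str, list[str]]:
    """Report which entries were removed and which appeared between two lists.

    Counter subtraction keeps multiplicity, so a program listed twice in both
    lists is not reported as a change.
    """
    old = Counter(parse_uninstall_list(before))
    new = Counter(parse_uninstall_list(after))
    return {
        "removed": sorted((old - new).elements()),
        "added": sorted((new - old).elements()),
    }


# Constructed samples: a subset of the first list and of the fresh list.
BEFORE = """Acer Arcade
Ad-Aware
Ad-Aware
Adobe Reader 7.0.9
LimeWire 4.18.8
Opera 9.64
Spybot - Search & Destroy
"""

AFTER = """Here it is:
Acer Arcade
Ad-Aware
Ad-Aware
Adobe Reader 7.0.9
Opera 9.64
Spybot - Search & Destroy
"""

if __name__ == "__main__":
    print(diff_uninstall_lists(BEFORE, AFTER))
    print(duplicate_entries(parse_uninstall_list(AFTER)))
```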