Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.


IRC trojan hijack log


Unread postby Riis » April 14th, 2006, 11:45 am

Log:
----------------
Logfile of HijackThis v1.99.1
Scan saved at 17:36:45, on 14-04-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programmer\Fælles filer\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Programmer\D-Tools\daemon.exe
C:\Programmer\Winamp\winampa.exe
C:\Programmer\ScanSoft\OmniPageSE\opware32.exe
C:\Programmer\CyberLink\PowerDVD\PDVDServ.exe
C:\Programmer\Java\jre1.5.0_06\bin\jusched.exe
C:\Programmer\iTunes\iTunesHelper.exe
C:\Programmer\QuickTime\qttask.exe
C:\Programmer\TrojanHunter 4.5\THGuard.exe
C:\Games\Steam\Steam.exe
C:\Programmer\Extensis\Portfolio 8\Portfolio Express.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\Programmer\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Programmer\Fælles filer\Symantec Shared\ccSetMgr.exe
C:\Programmer\Fælles filer\Microsoft Shared\VS7Debug\mdm.exe
C:\Programmer\Norton AntiVirus\navapsvc.exe
C:\Programmer\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\svchost.exe
C:\Programmer\Fælles filer\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\Tablet.exe
C:\Programmer\Fælles filer\Ulead Systems\DVD\ULCDRSvr.exe
C:\Programmer\Fælles filer\Symantec Shared\ccEvtMgr.exe
C:\Programmer\Fælles filer\Symantec Shared\Security Center\SymWSC.exe
C:\Programmer\iPod\bin\iPodService.exe
C:\Programmer\Norton AntiVirus\SAVScan.exe
C:\Programmer\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programmer\Giganology\Gigaget\Gigaget.exe
C:\Programmer\Internet Explorer\iexplore.exe
C:\Programmer\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Programmer\Windows Defender\MsMpEng.exe
C:\Programmer\Windows Defender\MSASCui.exe
C:\Programmer\Internet Explorer\iexplore.exe
C:\Programmer\iTunes\iTunes.exe
C:\TDDownload\Software\hjt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.dk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: GigagetIEHelper - {111CAA23-6F4F-42AC-8555-B48C1D87BBAB} - C:\WINDOWS\system32\gigagetbho_v10.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmer\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programmer\Norton AntiVirus\NavShExt.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\Programmer\FlashFXP\IEFlash.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programmer\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Programmer\Fælles filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Programmer\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [WinampAgent] C:\Programmer\Winamp\winampa.exe
O4 - HKLM\..\Run: [Phase One Media Reader] C:\PROGRA~1\PHASEO~1\CAPTUR~1\DCIMImp.exe /noscan /CheckAutoStart
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Omnipage] C:\Programmer\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [RemoteControl] C:\Programmer\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [Gigaget] "C:\Programmer\Giganology\Gigaget\GigagetShell.exe" /s
O4 - HKLM\..\Run: [Stone's TimeTool] "C:\Programmer\TimeTool\TimeTool.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmer\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmer\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [THGuard] "C:\Programmer\TrojanHunter 4.5\THGuard.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Programmer\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [Steam] C:\Games\Steam\Steam.exe -silent
O4 - HKCU\..\Run: [Free Download Manager] C:\Programmer\Free Download Manager\fdm.exe -autorun
O4 - HKCU\..\Run: [updateMgr] C:\Programmer\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmer\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Portfolio Express.lnk = C:\Programmer\Extensis\Portfolio 8\Portfolio Express.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O8 - Extra context menu item: &Download All by Gigaget - C:\Programmer\Giganology\Gigaget\getallurl.htm
O8 - Extra context menu item: &Download by Gigaget - C:\Programmer\Giganology\Gigaget\geturl.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 3277870089
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 3884029048
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmer\Fælles filer\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Programmer\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmer\Fælles filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Programmer\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Programmer\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Programmer\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Programmer\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FLLESF~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Programmer\Fælles filer\Ulead Systems\DVD\ULCDRSvr.exe

-------------

I have scanned with Norton, which keeps finding the trojan but can't remove it. TrojanHunter can't find it. Avast doesn't seem to find it either (I use Norton on this machine and Avast on my other machines; I'm pretty sure both are affected).

Hope to hear from you guys soon.
Riis
Active Member
 
Posts: 8
Joined: April 14th, 2006, 11:41 am

MR - Riis

Unread postby whisperer » April 14th, 2006, 3:17 pm

Hi Riis and welcome to the forum, my name is whisperer and I will be helping you with your problem.

Back as soon as I have researched the entries :)
whisperer
Retired Graduate
 
Posts: 615
Joined: May 28th, 2005, 6:00 am
Location: Cornwall

Unread postby Riis » April 14th, 2006, 4:57 pm

Hi again

Here is some more info:

A little copy paste from a log made by another scan:

Fri Apr 14 20:28:06 2006 => **********************************************************
Fri Apr 14 20:28:06 2006 => eScan AntiVirus Toolkit Utility.
Fri Apr 14 20:28:06 2006 => Copyright © 2003-2004, MicroWorld Technologies Inc.
Fri Apr 14 20:28:06 2006 =>
Fri Apr 14 20:28:06 2006 => Support: support@mwti.net
Fri Apr 14 20:28:06 2006 => Web: http://www.mwti.net
Fri Apr 14 20:28:06 2006 => **********************************************************
Fri Apr 14 20:28:06 2006 => Version 4.4.7
Fri Apr 14 20:28:06 2006 => Log File: C:\TDDOWN~1\Software\mwav\mwav.log
Fri Apr 14 20:28:06 2006 => Latest Date of files inside MWAV: 12 Apr 2006 00:05:18.


--------------
And the viruses it found:


File C:\PROGRA~2\mIRC\mirc.exe tagged as not-a-virus:Client-IRC.Win32.mIRC.616. No Action Taken.
File C:\Documents and Settings\Risici\Application Data\Thunderbird\Profiles\default\ox6xp1bk.slt\Mail\pop3.hotpop.com\Inbox infected by "Email-Worm.Win32.Bagle.i" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\Risici\Application Data\Thunderbird\Profiles\default\ox6xp1bk.slt\Mail\pop3.hotpop.com\Trash infected by "Email-Worm.Win32.Bagle.i" Virus. Action Taken: File Deleted.
File C:\Games\cs\hltv.exe tagged as not-a-virus:Server-Proxy.Win32.Hltv. No Action Taken.
File C:\program files\mIRC\mirc.exe tagged as not-a-virus:Client-IRC.Win32.mIRC.616. No Action Taken.
File C:\RECYCLER\NPROTECT\00049527 infected by "Email-Worm.Win32.Bagle.i" Virus. Action Taken: File Deleted.
File C:\RECYCLER\NPROTECT\00049528 infected by "Email-Worm.Win32.Bagle.i" Virus. Action Taken: File Deleted.
File N:\Manuel backups\05-08-2005\Thunderbird\Profiles\default\ox6xp1bk.slt\Mail\pop3.hotpop.com\Inbox infected by "Email-Worm.Win32.Bagle.i" Virus. Action Taken: File Deleted.
File N:\Manuel backups\05-08-2005\Thunderbird\Profiles\default\ox6xp1bk.slt\Mail\pop3.hotpop.com\Trash infected by "Email-Worm.Win32.Bagle.i" Virus. Action Taken: File Deleted.
File N:\Manuel backups\27-08-2005\ibm creative backup\fra skrivebordet\rod fra skrivebordet\sorteres dfhh\skal sorteres\girc432.exe tagged as not-a-virus:Client-IRC.Win32.mIRC.616. No Action Taken.
File N:\Manuel backups\27-08-2005\Rodeting og creative kopi\filer der skal sorteres gamle\Gamle dokumenter osv skal sorteres\Gamle filer fra skrivebordet\Downloads\ss_2.4.exe tagged as not-a-virus:Client-IRC.Win32.mIRC.603. No Action Taken.
File N:\Manuel backups\27-08-2005\Rodeting og creative kopi\filer der skal sorteres gamle\Gamle dokumenter osv skal sorteres\Gamle filer fra skrivebordet\Rod\msirc.exe tagged as not-a-virus:Client-IRC.Win32.mIRC.603. No Action Taken.
File N:\Manuel backups\27-08-2005\Thunderbird\Profiles\default\ox6xp1bk.slt\Mail\pop3.hotpop.com\Inbox infected by "Email-Worm.Win32.Bagle.i" Virus. Action Taken: File Deleted.
File N:\Manuel backups\27-08-2005\Thunderbird\Profiles\default\ox6xp1bk.slt\Mail\pop3.hotpop.com\Trash infected by "Email-Worm.Win32.Bagle.i" Virus. Action Taken: File Deleted.
File N:\RECYCLER\NPROTECT\00000008 infected by "Email-Worm.Win32.Bagle.i" Virus. Action Taken: File Deleted.
File N:\RECYCLER\NPROTECT\00000009 infected by "Email-Worm.Win32.Bagle.i" Virus. Action Taken: File Deleted.
File N:\RECYCLER\NPROTECT\00000010 infected by "Email-Worm.Win32.Bagle.i" Virus. Action Taken: File Deleted.
File N:\RECYCLER\NPROTECT\00000011 infected by "Email-Worm.Win32.Bagle.i" Virus. Action Taken: File Deleted.
File N:\System Volume Information\_restore{C94617C6-CD35-47AA-B628-1282C39B4BAE}\RP192\A0047768.exe tagged as not-a-virus:Client-IRC.Win32.mIRC.603. No Action Taken.


-----

Hope this helps

/Lasse -Riis
Riis
Active Member
 
Posts: 8
Joined: April 14th, 2006, 11:41 am
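The eScan entries above report Email-Worm.Win32.Bagle.i inside Thunderbird's Inbox and Trash files and then delete those files. Each of those files is one mbox mailbox holding a whole folder, so deleting it removes every message in the folder, not just the one carrying the worm. The script below is an added example, not code from this thread or from eScan: it hashes every attachment in an mbox so a message can be matched to a detection by hash and only that message removed. The mailbox contents, the name "invoice.exe" and the stand-in FAKE_EXE bytes are constructed for the example and are not malware.

```python
"""List attachments in an mbox folder and remove only the messages that match.

Added example for the MalwareRemoval.com thread; not code from the thread or
from eScan. Thunderbird stores each folder (Inbox, Trash, ...) as one mbox
file, so "File Deleted" on an Inbox drops every message in that folder.
"""
from __future__ import annotations

import base64
import hashlib
import mailbox
import os
import tempfile
from dataclasses import dataclass

# Constructed sample: a harmless stand-in for an attached executable (not
# malware) and two mbox messages, the second carrying it as "invoice.exe".
FAKE_EXE = b"MZ not a real program"
FAKE_EXE_SHA256 = hashlib.sha256(FAKE_EXE).hexdigest()
SAMPLE_MBOX = (
    "From alice@example.invalid Fri Apr 14 20:00:00 2006\n"
    "From: alice@example.invalid\nTo: risici@example.invalid\nSubject: Lunch\n"
    "Content-Type: text/plain\n\nSee you at noon.\n\n"
    "From bob@example.invalid Fri Apr 14 20:05:00 2006\n"
    "From: bob@example.invalid\nTo: risici@example.invalid\nSubject: Re: Document\n"
    "MIME-Version: 1.0\nContent-Type: multipart/mixed; boundary=\"b1\"\n\n"
    "--b1\nContent-Type: text/plain\n\nHere is the file.\n"
    "--b1\nContent-Type: application/octet-stream; name=\"invoice.exe\"\n"
    "Content-Disposition: attachment; filename=\"invoice.exe\"\n"
    "Content-Transfer-Encoding: base64\n\n"
    + base64.b64encode(FAKE_EXE).decode() + "\n--b1--\n"
)


@dataclass
class Attachment:
    msg_key: int      # position of the message in the mbox
    subject: str
    filename: str
    size: int
    sha256: str


def _write_temp(mbox_text: str) -> str:
    """mailbox.mbox works on files, so stage the text in a temporary file."""
    fd, path = tempfile.mkstemp(suffix=".mbox")
    with os.fdopen(fd, "w") as fh:
        fh.write(mbox_text)
    return path


def _attachments_of(key: int, msg) -> list[Attachment]:
    """Every non-container MIME part that carries a filename, with its SHA-256."""
    out = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart" or not part.get_filename():
            continue
        data = part.get_payload(decode=True) or b""   # undoes base64/quoted-printable
        out.append(Attachment(key, msg.get("Subject", ""), part.get_filename(),
                              len(data), hashlib.sha256(data).hexdigest()))
    return out


def list_attachments(mbox_text: str) -> list[Attachment]:
    path = _write_temp(mbox_text)
    box = mailbox.mbox(path)
    try:
        return [a for key in box.keys() for a in _attachments_of(key, box[key])]
    finally:
        box.close()
        os.remove(path)


def quarantine_by_hash(mbox_text: str, bad_sha256: set[str]) -> tuple[str, int]:
    """Return (mbox text with matching messages removed, number of messages removed).

    Only messages carrying an attachment whose hash is in bad_sha256 are dropped;
    everything else in the folder is kept byte for byte.
    """
    path = _write_temp(mbox_text)
    box = mailbox.mbox(path)
    removed = 0
    try:
        for key in list(box.keys()):
            if any(a.sha256 in bad_sha256 for a in _attachments_of(key, box[key])):
                box.remove(key)
                removed += 1
        box.flush()                                   # rewrites the file without them
    finally:
        box.close()
    with open(path) as fh:
        kept = fh.read()
    os.remove(path)
    return kept, removed


if __name__ == "__main__":
    for a in list_attachments(SAMPLE_MBOX):
        print(f"msg {a.msg_key} {a.subject!r}: {a.filename} {a.size} bytes sha256={a.sha256}")
    kept, n = quarantine_by_hash(SAMPLE_MBOX, {FAKE_EXE_SHA256})
    print(f"removed {n} message(s); {len(kept)} bytes kept")
```

Run it against a copy of the Inbox file, never the live one, and with Thunderbird closed; the mailbox module rewrites the whole file, and Thunderbird's folder index (.msf) will need rebuilding afterwards.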

Unread postby whisperer » April 14th, 2006, 5:21 pm

Thanks Riis for the MWAV log,

I will try to get the Danish in it; if not, I will get you to download an English version for me :D

I have just finished going through the HJT log and there is nothing on the surface, so we may well have to dig deeper. I will look at the MWAV tomorrow.

A description of your problems would be very helpful. I notice that you have had a recent 'dump report'.

GT
whisperer
Retired Graduate
 
Posts: 615
Joined: May 28th, 2005, 6:00 am
Location: Cornwall
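Going through a HijackThis log entry by entry, as whisperer is doing here, means pulling each O-line apart and deciding which ones need researching. The script below is an added example, not code from this thread, from HijackThis or from MalwareRemoval.com. It parses the O2/O3/O9/O18, O4 and O23 line shapes that appear in the posted log and flags entries by a few review heuristics: no display name, file missing, service with no publisher, and executable launched from the Windows directory or from a user-profile or temp folder. The sample log is a handful of lines copied from the posted log plus one invented service line ("Example Svc (exsvc)") to exercise the no-publisher and profile-folder checks; expanding %systemroot% to C:\WINDOWS is an assumption. A flagged entry is something to look up, not a verdict: Spybot's SDHelper.dll and Wacom's Tablet.exe trip the heuristics too.

```python
"""Triage a HijackThis 1.99 text log: split each entry and list the ones a
helper would research first.

Added example for this thread, not code from HijackThis or MalwareRemoval.com.
A hit means "look this entry up", not "malware".
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample in the posted log's format. The "exsvc" service line is
# invented to exercise the no-publisher and profile-directory checks.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
O2 - BHO: GigagetIEHelper - {111CAA23-6F4F-42AC-8555-B48C1D87BBAB} - C:\WINDOWS\system32\gigagetbho_v10.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [Steam] C:\Games\Steam\Steam.exe -silent
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
O23 - Service: Example Svc (exsvc) - Unknown owner - C:\Documents and Settings\Risici\Application Data\exsvc.exe
"""


@dataclass
class Entry:
    section: str       # "O4", "O23", ...
    name: str          # display name or Run value name
    path: str          # file path or full command line as printed
    company: str = ""  # O23 only


@dataclass
class Finding:
    entry: Entry
    reasons: list[str] = field(default_factory=list)


_LINE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<rest>.*)$")
_RUN = re.compile(r"^HK[A-Z]+\\\.\.\\Run: \[(?P<name>[^\]]*)\] ?(?P<cmd>.*)$")
_STARTUP = re.compile(r"^Global Startup: (?P<name>.*?) = (?P<cmd>.*)$")
_COM = re.compile(r"^(?:BHO|Toolbar|Extra button|Extra 'Tools' menuitem|Protocol): "
                  r"(?P<name>.*?) - \{[^}]*\} - (?P<path>.*)$")
_SVC = re.compile(r"^Service: (?P<name>.*?) - (?P<company>.*?) - (?P<path>.*)$")
_EXE = re.compile(r'^(?P<exe>[^"]*?\.(?:exe|dll|cpl|scr|com|bat|sys))\b', re.I)
_WINDOWS_DIRS = ("c:\\windows\\", "c:\\winnt\\")
_PROFILE_MARKERS = ("\\documents and settings\\", "\\temp\\", "\\recycler\\")


def exe_path(cmd: str) -> str:
    """Executable part of an O4 command line or O23 path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                 # quoted path: up to the closing quote
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = _EXE.match(cmd)                     # unquoted path ending in a known extension
    if m:
        return m.group("exe")
    return cmd.split(" ")[0]                # e.g. %systemroot%\system32\dumprep 0 -u


def parse(log_text: str) -> list[Entry]:
    """Entries for the O2/O3/O4/O9/O18/O23 line shapes; other lines are skipped."""
    entries: list[Entry] = []
    for raw in log_text.splitlines():
        m = _LINE.match(raw.strip())
        if not m:
            continue                        # header, process list, blank lines
        sec, rest = m.group("sec"), m.group("rest")
        if sec == "O4":
            r = _RUN.match(rest) or _STARTUP.match(rest)
            if r:
                entries.append(Entry(sec, r.group("name"), r.group("cmd")))
        elif sec == "O23":
            r = _SVC.match(rest)
            if r:
                entries.append(Entry(sec, r.group("name"), r.group("path"), r.group("company")))
        elif (r := _COM.match(rest)):
            entries.append(Entry(sec, r.group("name"), r.group("path")))
    return entries


def triage(log_text: str) -> list[Finding]:
    """Entries with at least one review reason, in log order."""
    findings: list[Finding] = []
    for e in parse(log_text):
        reasons: list[str] = []
        if e.name.strip().lower() == "(no name)":
            reasons.append("no display name")
        if "(file missing)" in e.path.lower():
            reasons.append("file missing")
        if e.section == "O23" and e.company.strip().lower() in ("", "unknown owner"):
            reasons.append("no publisher")
        # Assumption: %systemroot% expands to C:\WINDOWS, as on the machine in the thread.
        p = exe_path(e.path).lower().replace("%systemroot%", "c:\\windows")
        if p.startswith(_WINDOWS_DIRS):
            reasons.append("runs from Windows directory")
        if any(marker in p for marker in _PROFILE_MARKERS):
            reasons.append("runs from user-profile or temp directory")
        if reasons:
            findings.append(Finding(e, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.entry.section:<4} {f.entry.name:<22} {', '.join(f.reasons)}")
```

On the sample, Steam is the only entry that passes clean; everything the script flags still has to be looked up by file name and publisher, which is exactly the manual step whisperer describes.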

Unread postby Riis » April 14th, 2006, 5:45 pm

I don't know what you mean by a dump report.
I don't know if these issues are because of the trojan, but I have had several bugs/issues:

Photoshop is acting strange, sometimes crashing on startup. Sometimes it can't open files. Sometimes the dialog boxes are weird or type is missing from them.

My Explorer sometimes locks up, so I can't right-click. I can't close a browser window that's gone bad.

My mIRC had a problem today where it didn't open. It started connecting and then shut the whole program down. Regarding IRC, I connect through a BNC, I don't click any links I don't know, and I don't get files over IRC.

Hope this helps.
Riis
Active Member
 
Posts: 8
Joined: April 14th, 2006, 11:41 am

Unread postby Riis » April 14th, 2006, 5:47 pm

------------
Rodeting og creative kopi\filer der skal sorteres gamle\Gamle dokumenter osv skal sorteres\Gamle filer fra skrivebordet\
------------

These are just folder names, so I don't think there is any Danish in there that you need to get translated. But otherwise I just need a link to the English version and I'll try that one :)
Riis
Active Member
 
Posts: 8
Joined: April 14th, 2006, 11:41 am

Unread postby whisperer » April 15th, 2006, 11:16 am

Hi Riis,

A DumpRep is a report made to Microsoft following a recent 'crash' of the computer; we know it as a Blue Screen of Death (BSOD). Do not worry about it.

I would like you to run 2 more scans
  1. Please run an online scan from here using Internet Explorer as your browser
    1. Once you are on the Panda site click the Scan your PC button.
    2. A new window will open...click the big Check Now button.
    3. Enter your Country, State/Province and a Valid Email then click send .
    4. Choose either Home User or Company. and then click the big Scan Now button.
    5. It may want to install an ActiveX component, please allow it or the scan will not happen.
    6. When it has completed downloading the files it requires for the scan, click on Local Disks to start the scan.
    7. When the scan is complete
      • Click see report
      • Click Save report. and close the scanner
    8. The scan will not cure any entries that it finds without purchasing – please ignore that option.
  2. Please download WinpFind we will use this to find any hidden files that exist.
    1. Locate the WinPFind.zip file, right-click and extract it to your C:\ folder.
    2. This will create a folder called WinPFind in the C:\ folder.

      I suggest that you print out the following instructions or highlight the remainder and save to a WordPad file on your desktop as you will no longer have an internet connection until we have finished the clean up
    3. Physically disconnect your computer from the internet by unplugging the lead.
    4. Reboot the computer into safe mode using a clean boot sequence
      1. Select the Start button and Turn Off Computer
      2. Select the Turn Off option, when the computer has shut down switch off the power supply.
      3. After 10 seconds, restore the power supply and switch on the computer
        • Some computers have a progress bar that refers to the word BIOS. Others may not let you know what is happening.
        • As soon as the BIOS loads, or a single Beep is heard then begin tapping the F8 key on your keyboard. Do so until the Windows Advanced Options menu appears.
        • If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. If this happens, restart the computer and try again.
        • Using the arrow keys on the keyboard, select Safe mode and then press Enter.
      4. When in Safe mode you will have your desktop with the word ‘Safe’ in the 4 corners.

      To reduce the chance of AntiSpyware interfering with the fixes, please stop all antispyware on your computer. If you right-click on the icon in the systems tray you will find an option to ‘exit’. When you reboot, this will all return to normal.
    5. Navigate to the C:\WinPFind directory and click the file called WinPFind.exe to open it.
    6. Once it is open, click on the Start Scan button and wait for it to finish.
      This program will scan a large number of files on your computer for known patterns, so please be patient while it works; it can take a while, upwards of 30 minutes.
    7. When it is done, it will show the results of the scan.
      • Click on the Copy to Clipboard button
      • Paste the contents of the log in your clipboard to a Notepad file on your desktop.
  3. Please post
    • The Panda scan result
    • The WinPFind result
    • Any further comments

GT
whisperer
Retired Graduate
 
Posts: 615
Joined: May 28th, 2005, 6:00 am
Location: Cornwall

Unread postby Riis » April 15th, 2006, 4:01 pm

win log:
-------------------
WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
UPX! 12-03-2003 19:37:42 54784 C:\WINDOWS\daemon.dll

Checking %System% folder...
PEC2 25-04-2003 14:00:00 41123 C:\WINDOWS\SYSTEM32\dfrg.msc
PTech 14-02-2006 09:20:14 550120 C:\WINDOWS\SYSTEM32\LegitCheckControl.DLL
PECompact2 06-04-2006 12:48:40 5143456 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 06-04-2006 12:48:40 5143456 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 27-08-2004 02:53:24 712704 C:\WINDOWS\SYSTEM32\ntdll.dll
Umonitor 27-08-2004 02:53:42 667648 C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 25-04-2003 14:00:00 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...
PTech 04-08-2004 07:41:38 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
15-04-2006 21:46:18 S 2048 C:\WINDOWS\bootstat.dat
15-04-2006 21:50:26 H 54156 C:\WINDOWS\QTFont.qfn
23-03-2006 01:17:18 S 14054 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB908531.cat
23-03-2006 08:15:42 S 10925 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB911562.cat
13-03-2006 17:08:34 S 7898 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB911565.cat
17-03-2006 11:24:26 S 12455 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB911567.cat
30-03-2006 12:03:38 S 22339 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB912812.cat
15-04-2006 21:46:26 H 16384 C:\WINDOWS\system32\config\default.LOG
15-04-2006 21:46:40 H 1024 C:\WINDOWS\system32\config\SAM.LOG
15-04-2006 21:46:20 H 12288 C:\WINDOWS\system32\config\SECURITY.LOG
15-04-2006 21:50:26 H 106496 C:\WINDOWS\system32\config\software.LOG
15-04-2006 21:46:28 H 1036288 C:\WINDOWS\system32\config\system.LOG
15-04-2006 02:30:14 H 1024 C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
15-04-2006 02:30:44 S 558 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\A44F4E7CB3133FF765C39A53AD8FCFDD
15-04-2006 02:30:44 S 146 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\A44F4E7CB3133FF765C39A53AD8FCFDD
17-02-2006 01:13:38 HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\781e4c6e-55af-42a2-8309-d790d562f71e
17-02-2006 01:13:38 HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
15-04-2006 21:49:38 H 324 C:\WINDOWS\Tasks\MP Scheduled Scan.job
15-04-2006 21:44:40 H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 27-08-2004 02:53:54 69632 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 27-08-2004 02:53:54 551936 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 27-08-2004 02:53:54 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 27-08-2004 02:53:54 136192 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 27-08-2004 02:53:54 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 27-08-2004 02:53:54 155648 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 27-08-2004 02:53:54 358912 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 27-08-2004 02:53:54 131584 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 27-08-2004 02:53:54 380928 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 27-08-2004 02:53:54 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems, Inc. 10-11-2005 14:03:50 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 25-04-2003 14:00:00 188416 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 27-08-2004 02:53:54 620032 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 25-04-2003 14:00:00 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 27-08-2004 02:53:54 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 27-08-2004 02:53:54 258048 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 27-08-2004 02:53:54 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 27-08-2004 02:53:54 115200 C:\WINDOWS\SYSTEM32\powercfg.cpl
Microsoft Corporation 27-08-2004 02:53:56 299008 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 25-04-2003 14:00:00 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 27-08-2004 02:53:56 93696 C:\WINDOWS\SYSTEM32\timedate.cpl
Wacom Technology, Corp. 14-07-2004 11:57:52 2760704 C:\WINDOWS\SYSTEM32\WacomTablet.cpl
Microsoft Corporation 27-08-2004 02:53:56 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 26-05-2005 04:16:22 174872 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 25-04-2003 14:00:00 188416 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 25-04-2003 14:00:00 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 25-04-2003 14:00:00 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
08-08-2005 22:39:52 1893 C:\Documents and Settings\All Users\Menuen Start\Programmer\Start\Adobe Gamma Loader.lnk
26-10-2005 17:35:38 1744 C:\Documents and Settings\All Users\Menuen Start\Programmer\Start\Adobe Reader Speed Launch.lnk
05-08-2005 21:51:18 HS 84 C:\Documents and Settings\All Users\Menuen Start\Programmer\Start\desktop.ini
14-08-2005 14:59:20 1713 C:\Documents and Settings\All Users\Menuen Start\Programmer\Start\Microsoft Office.lnk
23-03-2006 00:04:34 914 C:\Documents and Settings\All Users\Menuen Start\Programmer\Start\Portfolio Express.lnk
20-09-2005 18:02:50 788 C:\Documents and Settings\All Users\Menuen Start\Programmer\Start\TabUserW.exe.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
05-08-2005 22:30:28 HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini
05-03-2006 22:59:50 1356 C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache

Checking files in %USERPROFILE%\Startup folder...
05-08-2005 21:51:18 HS 84 C:\Documents and Settings\Administrator\Menuen Start\Programmer\Start\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
05-08-2005 22:30:28 HS 62 C:\Documents and Settings\Administrator\Application Data\desktop.ini

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
SV1 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\PortfolioCtxMenu
{5AF16040-8D86-11D5-9E44-005004ABBC30} = C:\Programmer\Extensis\Portfolio 8\PortfolioCtxMenu.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\StuffIt Compress Menu
{3FBFD0B0-EB46-4797-9101-615610E87DA6} = C:\Programmer\Allume Systems\StuffIt\CompressMenu.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Programmer\Norton AntiVirus\NavShExt.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\TrojanHunter
{EBDF1F20-C829-11D1-8233-FF20AF3E97A9} = C:\PROGRA~1\TROJAN~1.5\contmenu.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programmer\WinRAR\rarext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Pinkode til menuen Start = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\PortfolioCtxMenu
{5AF16040-8D86-11D5-9E44-005004ABBC30} = C:\Programmer\Extensis\Portfolio 8\PortfolioCtxMenu.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\StuffIt Compress Menu
{3FBFD0B0-EB46-4797-9101-615610E87DA6} = C:\Programmer\Allume Systems\StuffIt\CompressMenu.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Programmer\Norton AntiVirus\NavShExt.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\TrojanHunter
{EBDF1F20-C829-11D1-8233-FF20AF3E97A9} = C:\PROGRA~1\TROJAN~1.5\contmenu.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programmer\WinRAR\rarext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\PortfolioCtxMenu
{5AF16040-8D86-11D5-9E44-005004ABBC30} = C:\Programmer\Extensis\Portfolio 8\PortfolioCtxMenu.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\TrojanHunter
{EBDF1F20-C829-11D1-8233-FF20AF3E97A9} = C:\PROGRA~1\TROJAN~1.5\contmenu.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programmer\WinRAR\rarext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
= C:\Programmer\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\Programmer\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{111CAA23-6F4F-42AC-8555-B48C1D87BBAB}
GigagetIEHelper Class = C:\WINDOWS\system32\gigagetbho_v10.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
= C:\PROGRA~1\SPYBOT~1\SDHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
SSVHelper Class = C:\Programmer\Java\jre1.5.0_06\bin\ssv.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}
CNavExtBho Class = C:\Programmer\Norton AntiVirus\NavShExt.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E5A1691B-D188-4419-AD02-90002030B8EE}
FlashFXP Helper for Internet Explorer = C:\Programmer\FlashFXP\IEFlash.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
Dagens &tip = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = Norton AntiVirus : C:\Programmer\Norton AntiVirus\NavShExt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console : C:\Programmer\Java\jre1.5.0_06\bin\npjpi150_06.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Programmer\Messenger\msmsgs.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
=

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
ccApp "C:\Programmer\Fælles filer\Symantec Shared\ccApp.exe"
Advanced Tools Check C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
Cmaudio RunDll32 cmicnfg.cpl,CMICtrlWnd
Symantec NetDriver Monitor C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
DAEMON Tools-1033 "C:\Programmer\D-Tools\daemon.exe" -lang 1033
WinampAgent C:\Programmer\Winamp\winampa.exe
Phase One Media Reader C:\PROGRA~1\PHASEO~1\CAPTUR~1\DCIMImp.exe /noscan /CheckAutoStart
NeroCheck C:\WINDOWS\system32\NeroCheck.exe
Omnipage C:\Programmer\ScanSoft\OmniPageSE\opware32.exe
RemoteControl C:\Programmer\CyberLink\PowerDVD\PDVDServ.exe
UserFaultCheck %systemroot%\system32\dumprep 0 -u
Gigaget "C:\Programmer\Giganology\Gigaget\GigagetShell.exe" /s
Stone's TimeTool "C:\Programmer\TimeTool\TimeTool.exe"
SunJavaUpdateSched C:\Programmer\Java\jre1.5.0_06\bin\jusched.exe
iTunesHelper "C:\Programmer\iTunes\iTunesHelper.exe"
QuickTime Task "C:\Programmer\QuickTime\qttask.exe" -atboottime
THGuard "C:\Programmer\TrojanHunter 4.5\THGuard.exe"
Windows Defender "C:\Programmer\Windows Defender\MSASCui.exe" -hide

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
CTFMON.EXE C:\WINDOWS\System32\CTFMON.EXE

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Attachments
ScanWithAntiVirus 2


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\FLLESF~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 15-04-2006 21:52:30

---------------
scan log:

---------------

Incident Status Location

Virus:Exploit/iFrame Disinfected C:\Documents and Settings\Risici\Application Data\Thunderbird\Profiles\default\ox6xp1bk.slt\Mail\Local Folders\Inbox[~0008282.~]
Virus:Exploit/iFrame Disinfected C:\Documents and Settings\Risici\Application Data\Thunderbird\Profiles\default\ox6xp1bk.slt\Mail\Local Folders\Trash[~0005248.~]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Risici\Cookies\risici@2o7[1].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Risici\Cookies\risici@ad.yieldmanager[1].txt
Spyware:Cookie/BannerBank Not disinfected C:\Documents and Settings\Risici\Cookies\risici@ad10.bannerbank[2].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Risici\Cookies\risici@ads.pointroll[2].txt
Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\Risici\Cookies\risici@adtech[1].txt
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Risici\Cookies\risici@apmebf[1].txt
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Risici\Cookies\risici@as-eu.falkag[1].txt
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Risici\Cookies\risici@as-us.falkag[1].txt
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Risici\Cookies\risici@as1.falkag[2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Risici\Cookies\risici@atwola[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Risici\Cookies\risici@belnk[1].txt
Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\Risici\Cookies\risici@bravenet[1].txt
Spyware:Cookie/Bs.serving-sys Not disinfected C:\Documents and Settings\Risici\Cookies\risici@bs.serving-sys[2].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Risici\Cookies\risici@burstnet[2].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Risici\Cookies\risici@c5.zedo[1].txt
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Risici\Cookies\risici@casalemedia[2].txt
Spyware:Cookie/CentrPort Not disinfected C:\Documents and Settings\Risici\Cookies\risici@centrport[2].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Risici\Cookies\risici@cgi-bin[4].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Risici\Cookies\risici@cgi-bin[6].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Risici\Cookies\risici@com[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Risici\Cookies\risici@dist.belnk[2].txt
Spyware:Cookie/Comclick Not disinfected C:\Documents and Settings\Risici\Cookies\risici@fl01.ct2.comclick[1].txt
Spyware:Cookie/FortuneCity Not disinfected C:\Documents and Settings\Risici\Cookies\risici@fortunecity[1].txt
Spyware:Cookie/go Not disinfected C:\Documents and Settings\Risici\Cookies\risici@go[2].txt
Spyware:Cookie/HotLog Not disinfected C:\Documents and Settings\Risici\Cookies\risici@hotlog[2].txt
Spyware:Cookie/DomainSponsor Not disinfected C:\Documents and Settings\Risici\Cookies\risici@landing.domainsponsor[1].txt
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\Risici\Cookies\risici@maxserving[2].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Risici\Cookies\risici@overture[2].txt
Spyware:Cookie/Paypopup Not disinfected C:\Documents and Settings\Risici\Cookies\risici@paypopup[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Risici\Cookies\risici@perf.overture[1].txt
Spyware:Cookie/QkSrv Not disinfected C:\Documents and Settings\Risici\Cookies\risici@qksrv[1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Risici\Cookies\risici@questionmarket[1].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Risici\Cookies\risici@realmedia[2].txt
Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\Risici\Cookies\risici@revenue[1].txt
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Risici\Cookies\risici@server.iad.liveperson[1].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Risici\Cookies\risici@serving-sys[2].txt
Spyware:Cookie/SpyLog Not disinfected C:\Documents and Settings\Risici\Cookies\risici@spylog[1].txt
Spyware:Cookie/onestat.com Not disinfected C:\Documents and Settings\Risici\Cookies\risici@stat.onestat[2].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Risici\Cookies\risici@statcounter[1].txt
Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\Risici\Cookies\risici@toplist[1].txt
Spyware:Cookie/Tradedoubler Not disinfected C:\Documents and Settings\Risici\Cookies\risici@tradedoubler[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Risici\Cookies\risici@tribalfusion[1].txt
Spyware:Cookie/Tucows Not disinfected C:\Documents and Settings\Risici\Cookies\risici@tucows[2].txt
Spyware:Cookie/Yadro Not disinfected C:\Documents and Settings\Risici\Cookies\risici@yadro[1].txt
Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\Risici\Cookies\risici@z1.adserver[1].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Risici\Cookies\risici@zedo[1].txt
Spyware:Cookie/Falkag Not disinfected N:\Manuel backups\05-08-2005\Mozilla\Firefox\Profiles\k06b89i9.default\cookies.txt[]
Spyware:Cookie/WebtrendsLive Not disinfected N:\Manuel backups\05-08-2005\Mozilla\Firefox\Profiles\k06b89i9.default\cookies.txt[dcsdj3yox01e5h6m65tqeuj83_8j6r]
Spyware:Cookie/YieldManager Not disinfected N:\Manuel backups\05-08-2005\Mozilla\Firefox\Profiles\k06b89i9.default\cookies.txt[]
Spyware:Cookie/WebtrendsLive Not disinfected N:\Manuel backups\05-08-2005\Mozilla\Firefox\Profiles\k06b89i9.default\cookies.txt[dcslj3u2n11e5hu0e346rajkg_6x7n]
Spyware:Cookie/2o7 Not disinfected N:\Manuel backups\05-08-2005\Mozilla\Firefox\Profiles\k06b89i9.default\cookies.txt[]
Spyware:Cookie/WebtrendsLive Not disinfected N:\Manuel backups\05-08-2005\Mozilla\Firefox\Profiles\k06b89i9.default\cookies.txt[S149247]
Spyware:Cookie/WebtrendsLive Not disinfected N:\Manuel backups\05-08-2005\Mozilla\Firefox\Profiles\k06b89i9.default\cookies.txt[S148884]
Spyware:Cookie/WebtrendsLive Not disinfected N:\Manuel backups\05-08-2005\Mozilla\Firefox\Profiles\k06b89i9.default\cookies.txt[S149247]
Spyware:Cookie/WebtrendsLive Not disinfected N:\Manuel backups\05-08-2005\Mozilla\Firefox\Profiles\k06b89i9.default\cookies.txt[S151261]
Spyware:Cookie/WebtrendsLive Not disinfected N:\Manuel backups\05-08-2005\Mozilla\Firefox\Profiles\k06b89i9.default\cookies.txt[S130376]
Spyware:Cookie/WebtrendsLive Not disinfected N:\Manuel backups\05-08-2005\Mozilla\Firefox\Profiles\k06b89i9.default\cookies.txt[S151261]
Spyware:Cookie/onestat.com Not disinfected N:\Manuel backups\05-08-2005\Mozilla\Firefox\Profiles\k06b89i9.default\cookies.txt[]
Spyware:Cookie/Server.iad.Liveperson Not disinfected N:\Manuel backups\05-08-2005\Mozilla\Firefox\Profiles\k06b89i9.default\cookies.txt[14130865]
Spyware:Cookie/Server.iad.Liveperson Not disinfected N:\Manuel backups\05-08-2005\Mozilla\Firefox\Profiles\k06b89i9.default\cookies.txt[]
Spyware:Cookie/WebtrendsLive Not disinfected N:\Manuel backups\05-08-2005\Mozilla\Firefox\Profiles\k06b89i9.default\cookies.txt[S151421]
Spyware:Cookie/WebtrendsLive Not disinfected N:\Manuel backups\05-08-2005\Mozilla\Firefox\Profiles\k06b89i9.default\cookies.txt[S151420]
Spyware:Cookie/WebtrendsLive Not disinfected N:\Manuel backups\05-08-2005\Mozilla\Firefox\Profiles\k06b89i9.default\cookies.txt[S151421]
Spyware:Cookie/WebtrendsLive Not disinfected N:\Manuel backups\05-08-2005\Mozilla\Firefox\Profiles\k06b89i9.default\cookies.txt[S151420]
Spyware:Cookie/Toplist Not disinfected N:\Manuel backups\05-08-2005\Mozilla\Firefox\Profiles\k06b89i9.default\cookies.txt[]
Spyware:Cookie/Server.iad.Liveperson Not disinfected N:\Manuel backups\05-08-2005\Mozilla\Firefox\Profiles\k06b89i9.default\cookies.txt[91338698]
Potentially unwanted tool:Application/MotherboardMonitor.A Not disinfected N:\Manuel backups\27-08-2005\Rodeting og creative kopi\filer der skal sorteres gamle\Gamle dokumenter osv skal sorteres\Gamle filer fra skrivebordet\Rod\msirc.exe[Moo.dll]
---------------------

Note that drive N is a FireWire/USB external drive. This is a drive with very important data for me.

Hope you can help here. Any comments about programs I need to keep those trojans away next time are also very appreciated.

/Lasse -Risici
Riis
Active Member
 
Posts: 8
Joined: April 14th, 2006, 11:41 am

Unread post by whisperer » April 16th, 2006, 4:20 am

Thanks Riis,

It will take me a little while to go through the logs, but I will get back as soon as practical.

With regard to protection recommendations, I will do that when we have a clean log, but I cannot see evidence of a firewall. I cannot stress too much how important this is in your protection against malware. There are many paid and free versions available for your use, but in the interim I would suggest that you install the following free program

Back soon

GT
whisperer
Retired Graduate
 
Posts: 615
Joined: May 28th, 2005, 6:00 am
Location: Cornwall

Unread post by whisperer » April 16th, 2006, 11:39 am

Hi Riis,

The good news is there appears to be nothing untoward in the logs so far, so we will do a basic clean-up and another online scan and see how things are after that.
  1. Download the Ewido security suite here; the suite is fully functional on a trial basis.
    1. When installing, under Additional Options REMOVE the checks on Install background guard and Install scan via context menu
    2. Launch ewido, there should be a big e icon on your desktop, double-click it.
    3. The program will prompt you to update; click the "OK" button. The program will now go to the main screen
    4. On the left hand side of the main screen click Update and then click Start update
    5. The update will start and a progress bar will show the updates being installed.
    6. When the update has completed click on scanner
      • Click on Settings
      • Confirm that all check boxes are ticked
      • and scan every file is selected
      • Click OK
    7. Exit ewido for now.
  2. Download CCleaner
    1. Select the Download Latest Version link (top of green column) and save to your desktop
    2. Right-click the ccsetup127.exe file on your desktop and select Open
    3. Follow the on-screen instructions through to the Install Options page. I suggest you only retain the following 2 options
      • Add Desktop Shortcut
      • Automatically check for updates etc…
    4. Click Install
      To set up CCleaner
    5. Click on the CCleaner icon on your desktop.
    6. From the menu on the left select Options
    7. Now select Advanced. On the right remove the check against Only delete files in Windows Temp folders older than 48 hours.
    8. Select Cookies. When CCleaner is run it will remove all of the cookies in the left window; if there are cookies that you wish to retain then select them and transfer them to the right window. Multiple selections can be made by holding down the Ctrl key before selecting.
    9. Select Cleaner from the left menu and the Windows tab
      • Under Internet Explorer place ticks in all but the last box
      • Under Windows Explorer tick the last two only
      • Under System tick all boxes
      • There is no need to tick anything under Advanced
    10. From the menu on the left click on Analyze
    11. When the analysis is complete, click on Run Cleaner and OK at the next screen
    12. Close CCleaner

    I suggest that you print out the following instructions, or highlight the remainder and save it to a WordPad file on your desktop, as you will no longer have an internet connection until we have finished the clean-up.
  3. Physically disconnect your computer from the internet by unplugging the lead.
  4. Reboot the computer into safe mode using a clean boot sequence
    1. Select the Start button and Turn Off Computer
    2. Select the Turn Off option, when the computer has shut down switch off the power supply.
    3. After 10 seconds, restore the power supply and switch on the computer
      • Some computers have a progress bar that refers to the word BIOS. Others may not let you know what is happening.
      • As soon as the BIOS loads, or a single Beep is heard then begin tapping the F8 key on your keyboard. Do so until the Windows Advanced Options menu appears.
      • If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. If this happens, restart the computer and try again.
      • Using the arrow keys on the keyboard, select Safe mode and then press Enter.
    4. When in Safe mode you will have your desktop with the word ‘Safe’ in the 4 corners.
  5. To reduce the chance of AntiSpyware interfering with the fixes, please stop all antispyware on your computer. If you right-click on the icon in the systems tray you will find an option to ‘exit’. When you reboot, this will all return to normal.
  6. The next tool to run is Ewido, which MUST be run in Safe mode
    1. Close all open windows/programs/folders. Have nothing else open while ewido performs its scan!
    2. Open the programme by clicking on the large e
      • Select the Update option from the left and then Start Update on the right.
    3. When the update has completed click on scanner
      • Click on Settings
      • Confirm that all check boxes are ticked
      • and scan every file is selected
      • Click OK
    4. Select Complete system scan and let the program scan the machine
    5. If Ewido finds anything, it will pop up a notification.
      • Select Remove as the action
      • Place a check against Perform action with all infections.
    6. Repeat the scan until there is no detected malware
    7. When you have the clean result from Ewido click on the Save Report button at the bottom of the screen and save the file to the desktop.
    8. Exit Ewido
  7. Reboot to Normal mode and reconnect to the Internet
  8. To assist further diagnosis, please go to Kaspersky Online Scanner from within Internet Explorer
    1. Carry out a scan by clicking the top button labelled Kaspersky Online Scanner
    2. On the next screen press the Accept option
    3. Near the bottom of the next screen there will be a need to install an ActiveX component, click and install.
    4. The program will now install together with its database
      When complete, disconnect from the internet and then switch off any Anti-Virus
    5. Click Next and select the My Computer option
    6. This will take a long time so go off and have a break from the computer.
  9. When the scan is complete please reboot the computer and reconnect to the internet and carry out a further HijackThis scan.
  10. Logs required please
    • Post the Kaspersky report back in this thread
    • Post the Ewido log
    • Post an updated HijackThis log
    • Please advise how the computer is now behaving

GT
whisperer
Retired Graduate
 
Posts: 615
Joined: May 28th, 2005, 6:00 am
Location: Cornwall

Unread post by Riis » April 16th, 2006, 12:27 pm

Are you saying that the 46 malware and the 2 viruses and the one hacker tool are all fake?
Also, what is Norton then finding and telling me is a trojan?

I will try those ones out right away :)

Also questions for later:
I was told I didn't need a firewall since I'm behind a standard router. If I need a firewall, I'm willing to pay for a good one.
Which should I prefer? And what's the difference between the pro and the free ZoneAlarm in practice?

Also, will the Norton complete security work best together, or should I get something completely different?

Lots of questions, so take your time, or if you have a link where I can find the answers myself that's also OK :)

Again, thanks for helping out here.
Riis
Active Member
 
Posts: 8
Joined: April 14th, 2006, 11:41 am

Unread post by whisperer » April 16th, 2006, 12:39 pm

Hi Riis,

CCleaner and Ewido will, between them, get rid of the 46 malware and probably the others as well.

Norton is reporting an IRC Trojan, and as such it is a general report as opposed to a specific threat. Again, Ewido might recognise and get rid of it, but Kaspersky will provide a thorough appreciation of your computer as of now.

Looking forward to the results. :)
whisperer
Retired Graduate
 
Posts: 615
Joined: May 28th, 2005, 6:00 am
Location: Cornwall

Unread post by Riis » April 20th, 2006, 1:19 pm

Hi
I thought I was clear, since Kaspersky didn't find anything. So I waited a little, but no, it's still there. Same problems.

On another forum I read about someone with similar problems which was solved with a manual update; the automatic update wasn't enough. So I tried doing that, but the update failed, with no other error message than that it couldn't be done.

Also I have blocked a couple of unknown processes with ZoneAlarm.
mpas-fe.exe
a crash tester I think it was called
dr. watch or something similar.

Now I'm about to buy Norton Ghost and Norton Internet Security. And then my plan is a full format of the internal drives. Then installing Spybot and Norton, connecting to the internet and updating those 2 and Windows. After that, making an image of the entire drive.
Then connect the external drive and scan it and hopefully get rid of the last malware and trojans.

How does this sound? Oh yeah, I'm also considering getting Trojan Hunter, even though it didn't work in this case.

Any more steps I need to do before connecting to the internet?

/Lasse -Risici
Riis
Active Member
 
Posts: 8
Joined: April 14th, 2006, 11:41 am

Unread post by whisperer » April 20th, 2006, 1:36 pm

Hi Riis,

Sorry to hear that you still have a problem. Would you please post the Kaspersky log, the Ewido log and also a new HijackThis log, in case anything else has crept in.

GT
whisperer
Retired Graduate
 
Posts: 615
Joined: May 28th, 2005, 6:00 am
Location: Cornwall

Unread post by Riis » April 20th, 2006, 11:47 pm

Hi
I uninstalled ZoneAlarm and Spybot and installed the Norton Internet Security package.
It scanned the entire system and found, and this time quarantined, the IRC trojan :)

So I hope I'm done with all this trouble :)

Anyway, I have a new fresh HijackThis log. Do you still need those other logs? As I haven't run them again. Kaspersky didn't give me any log; it just said I was clear at the time.

Well, the log:
------------------------

Logfile of HijackThis v1.99.1
Scan saved at 05:43:02, on 21-04-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmer\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\Fælles filer\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Programmer\Fælles filer\Symantec Shared\ccEvtMgr.exe
C:\Programmer\Fælles filer\Symantec Shared\ccProxy.exe
C:\Programmer\Fælles filer\Symantec Shared\SNDSrvc.exe
C:\Programmer\Fælles filer\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Programmer\Fælles filer\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmer\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Programmer\ewido anti-malware\ewidoctrl.exe
C:\Programmer\Fælles filer\Microsoft Shared\VS7Debug\mdm.exe
C:\Programmer\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Tablet.exe
C:\Programmer\Fælles filer\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Programmer\D-Tools\daemon.exe
C:\Programmer\Winamp\winampa.exe
C:\Programmer\ScanSoft\OmniPageSE\opware32.exe
C:\Programmer\CyberLink\PowerDVD\PDVDServ.exe
C:\Programmer\Java\jre1.5.0_06\bin\jusched.exe
C:\Programmer\iTunes\iTunesHelper.exe
C:\Programmer\QuickTime\qttask.exe
C:\Programmer\TrojanHunter 4.5\THGuard.exe
C:\Programmer\Windows Defender\MSASCui.exe
C:\Programmer\Fælles filer\Symantec Shared\ccApp.exe
C:\Games\Steam\Steam.exe
C:\Programmer\iPod\bin\iPodService.exe
C:\Programmer\Extensis\Portfolio 8\Portfolio Express.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\Programmer\Fælles filer\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Programmer\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\Programmer\iTunes\iTunes.exe
C:\Programmer\MSN Messenger\msnmsgr.exe
C:\Programmer\Internet Explorer\iexplore.exe
C:\Programmer\Internet Explorer\iexplore.exe
C:\Programmer\Adobe\Adobe Photoshop CS2\Photoshop.exe
C:\DOCUME~1\Risici\LOKALE~1\Temp\Adobelm_Cleanup.0001
C:\Programmer\Fælles filer\Adobe Systems Shared\Service\Adobelmsvc.exe
C:\DOCUME~1\Risici\LOKALE~1\Temp\Adobelm_Cleanup.0001
C:\Programmer\Mozilla Thunderbird\thunderbird.exe
C:\Programmer\Fælles filer\Symantec Shared\NMain.exe
C:\Programmer\Messenger\msmsgs.exe
C:\Documents and Settings\Risici\Skrivebord\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.dk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmer\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Programmer\Fælles filer\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Programmer\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\Programmer\FlashFXP\IEFlash.dll
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Programmer\Fælles filer\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Programmer\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Programmer\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [WinampAgent] C:\Programmer\Winamp\winampa.exe
O4 - HKLM\..\Run: [Phase One Media Reader] C:\PROGRA~1\PHASEO~1\CAPTUR~1\DCIMImp.exe /noscan /CheckAutoStart
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Omnipage] C:\Programmer\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [RemoteControl] C:\Programmer\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [Stone's TimeTool] "C:\Programmer\TimeTool\TimeTool.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmer\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmer\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [THGuard] "C:\Programmer\TrojanHunter 4.5\THGuard.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Programmer\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [ccApp] "C:\Programmer\Fælles filer\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [Steam] C:\Games\Steam\Steam.exe -silent
O4 - HKCU\..\Run: [updateMgr] C:\Programmer\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmer\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Portfolio Express.lnk = C:\Programmer\Extensis\Portfolio 8\Portfolio Express.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/ka ... nicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 3277870089
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 3884029048
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmer\Fælles filer\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Programmer\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Programmer\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Programmer\Norton Internet Security\comHost.exe
O23 - Service: ewido security suite control - ewido networks - C:\Programmer\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmer\Fælles filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Programmer\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Programmer\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Programmer\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Programmer\Fælles filer\Ulead Systems\DVD\ULCDRSvr.exe
--------------

Again thanks for your help :)
Riis