05-08-2008, 06:13 AM   #1
Registered User
 
Join Date: May 2008
Posts: 7
OS: vista


Bck/VB.XB - Virus/Trojan - Problems starting up.

Hi guys,
Thanks for this marvellous service you offer. Sorry, but this is going to be a long post, as I started having boot problems a couple of days ago and fidgeted with the laptop a while before I found this forum. So please bear with me.

Monday night at start up the computer displayed a blue screen which said UNMOUNTABLE_BOOT_VOLUME. It did not restart in safe mode nor using the last working configuration. The only way I managed to restart was through the Windows XP recovery console (from CD).

In the recovery console I ran chkdsk /p and it only worked up to 75% and then found errors. I tried chkdsk /r but it did the same, then I ran fixboot. I only managed to restart the laptop when I ran fixmbr.

I searched a little more and found out that probably there was a virus/trojan that writes itself over at start up. After that I uninstalled AVG and installed Norman antivirus (I deleted one file but do not remember its name) and also ran Spybot S&D.

Then I got to this forum. As I was going through the 5 steps suggested before posting, I uninstalled Spybot S&D (as I had no idea if it would clash with Spyware Blaster), then updated XP to SP3. When required to restart, a different blue page appeared saying that some files were lost or corrupted (I am not sure anymore). I restarted the recovery console again and tried chkdsk /p... it ran to 100% but found errors. Then I tried chkdsk /r: it got up to 75%, then back to 50%, then suddenly was over.
As I thought I had nothing to lose by doing so, I also ran fixboot and fixmbr and restarted. Since then I have restarted a few times and everything seems to work fine.

Still, the Panda scan log shows the virus/trojan VB.XB. (log attached)

What do I do? Were the two things correlated? Or maybe not?

Thanks again for your help,
Karmen

This is the hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:36:20, on 08.05.2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Programfiler\Norman\Npm\Bin\Elogsvc.exe
C:\Programfiler\Norman\Ngs\bin\NPROSEC.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programfiler\Intel\Wireless\Bin\EvtEng.exe
C:\Programfiler\Intel\Wireless\Bin\S24EvMon.exe
C:\Programfiler\Norman\Npm\Bin\Zanda.exe
C:\Programfiler\Norman\npm\bin\nvoy.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Programfiler\Norman\npf\bin\npfsvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programfiler\Cisco Systems\VPN Client\cvpnd.exe
C:\Programfiler\Ahead\InCD\InCDsrv.exe
C:\Programfiler\MPICH\mpd\bin\mpd.exe
C:\Programfiler\Intel\Wireless\Bin\OProtSvc.exe
C:\Programfiler\Intel\Wireless\Bin\RegSrvc.exe
C:\Programfiler\Norman\Npm\bin\NVCSCHED.EXE
C:\Programfiler\Norman\Npm\bin\NJEEVES.EXE
C:\Programfiler\Norman\npc\bin\npcsvc32.exe
C:\Programfiler\Intel\Wireless\Bin\ZcfgSvc.exe
C:\Programfiler\Norman\Nvc\bin\nvcoas.exe
C:\WINDOWS\Explorer.EXE
C:\Programfiler\Norman\npc\bin\nuaa.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Programfiler\ltmoh\Ltmoh.exe
C:\Programfiler\Synaptics\SynTP\SynTPLpr.exe
C:\WINDOWS\System32\svchost.exe
C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Launch Manager\LaunchAp.exe
C:\Program Files\Launch Manager\HotkeyApp.exe
C:\Program Files\Launch Manager\OSD.exe
C:\Program Files\Launch Manager\Wbutton.exe
C:\Programfiler\Intel\Wireless\Bin\ifrmewrk.exe
C:\Programfiler\Wistron\AVManager\AVManager.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Programfiler\Microsoft Office\Office12\GrooveMonitor.exe
C:\Programfiler\Java\jre1.6.0_05\bin\jusched.exe
C:\Programfiler\Norman\Npm\bin\ZLH.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Programfiler\Norman\Nvc\BIN\NIP.EXE
C:\Programfiler\Norman\Nvc\bin\cclaw.exe
C:\Programfiler\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programfiler\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Fellesfiler\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Programfiler\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LtMoh] C:\Programfiler\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Programfiler\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LaunchAp] C:\Program Files\Launch Manager\LaunchAp.exe
O4 - HKLM\..\Run: [HotkeyApp] C:\Program Files\Launch Manager\HotkeyApp.exe
O4 - HKLM\..\Run: [CtrlVol] C:\Program Files\Launch Manager\CtrlVol.exe
O4 - HKLM\..\Run: [LMgrOSD] C:\Program Files\Launch Manager\OSD.exe
O4 - HKLM\..\Run: [Wbutton] "C:\Program Files\Launch Manager\Wbutton.exe"
O4 - HKLM\..\Run: [IntelWireless] C:\Programfiler\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [AVManager] "C:\Programfiler\Wistron\AVManager\AVManager.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Programfiler\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programfiler\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programfiler\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Norman ZANDA] "C:\Programfiler\Norman\Npm\bin\ZLH.EXE" /LOAD /SPLASH
O4 - HKLM\..\Run: [NPCTray] C:\Programfiler\Norman\npc\bin\npc_tray.exe /LOAD
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETTVERKSTJENESTE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Ladbrokes Poker - {C2A80015-C447-4dc4-82DD-AED83D6ED57E} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\programfiler\norman\npc\bin\nlf.dll
O10 - Unknown file in Winsock LSP: c:\programfiler\norman\npc\bin\nlf.dll
O10 - Unknown file in Winsock LSP: c:\programfiler\norman\npc\bin\nlf.dll
O10 - Unknown file in Winsock LSP: c:\programfiler\norman\npc\bin\nlf.dll
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {358DFA15-D48C-4296-8D16-7405F918333B} (Fronter OES2 release 21) - https://fronter.com/hia/links/fronter_oes2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1193752552109
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Programfiler\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FELLES~1\Skype\SKYPE4~1.DLL
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Programfiler\Fellesfiler\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Programfiler\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Norman eLogger service 6 (eLoggerSvc6) - Norman ASA - C:\Programfiler\Norman\Npm\Bin\Elogsvc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Programfiler\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - C:\Programfiler\Ahead\InCD\InCDsrv.exe
O23 - Service: MPICH Daemon (C) 2001 Argonne National Lab (mpich_mpd) - Unknown owner - C:\Programfiler\MPICH\mpd\bin\mpd.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\Programfiler\Norman\Npm\bin\NJEEVES.EXE
O23 - Service: Norman ZANDA - Norman ASA - C:\Programfiler\Norman\Npm\Bin\Zanda.exe
O23 - Service: Norman Parental Control (NPC) - Norman ASA - C:\Programfiler\Norman\npc\bin\npcsvc32.exe
O23 - Service: Norman Personal Firewall Service (NPFSvc32) - Norman ASA - C:\Programfiler\Norman\npf\bin\npfsvc32.exe
O23 - Service: Norman Security service (NPROSECSVC) - Norman ASA - C:\Programfiler\Norman\Ngs\bin\NPROSEC.EXE
O23 - Service: Norman User Activity Agent (NUAA) - Norman ASA - C:\Programfiler\Norman\npc\bin\nuaa.exe
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Programfiler\Norman\Nvc\bin\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman ASA - C:\Programfiler\Norman\Npm\bin\NVCSCHED.EXE
O23 - Service: Norman's Very Own supplY of resources (NVOY) - Norman ASA - C:\Programfiler\Norman\npm\bin\nvoy.exe
O23 - Service: OwnershipProtocol - Intel Corporation - C:\Programfiler\Intel\Wireless\Bin\OProtSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Programfiler\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Programfiler\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Programfiler\Fellesfiler\SolidWorks Shared\Service\SolidWorksLicensing.exe

--
End of file - 10070 bytes
Attached Files
File Type: txt ActiveScan.txt (3.8 KB, 1 views)
05-10-2008, 12:10 AM   #2
Registered User
 
Join Date: May 2008
Posts: 7
OS: vista


Re: Bck/VB.XB - Virus/Trojan - Problems starting up.

Hi!
I was in a bit of a rush to use my machine again, so I decided to buy a malware removal tool (Exterminate-it!). It seems to me that it worked.

Here is the new HJT log... just in case!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:00:14, on 10.05.2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Programfiler\Norman\Npm\Bin\Elogsvc.exe
C:\Programfiler\Norman\Ngs\bin\NPROSEC.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programfiler\Intel\Wireless\Bin\EvtEng.exe
C:\Programfiler\Intel\Wireless\Bin\S24EvMon.exe
C:\Programfiler\Norman\Npm\Bin\Zanda.exe
C:\Programfiler\Intel\Wireless\Bin\ZcfgSvc.exe
C:\Programfiler\Norman\npm\bin\nvoy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Programfiler\Norman\npf\bin\npfsvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Programfiler\Cisco Systems\VPN Client\cvpnd.exe
C:\Programfiler\Ahead\InCD\InCDsrv.exe
C:\Programfiler\Mil Incorporated\Mil Shield\ShieldService.exe
C:\Programfiler\Intel\Wireless\Bin\OProtSvc.exe
C:\Programfiler\Intel\Wireless\Bin\RegSrvc.exe
C:\Programfiler\Norman\Npm\bin\NVCSCHED.EXE
C:\Programfiler\Norman\npc\bin\npcsvc32.exe
C:\Programfiler\Norman\Npm\bin\NJEEVES.EXE
C:\Programfiler\Norman\Nvc\bin\nvcoas.exe
C:\Programfiler\Norman\npc\bin\nuaa.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Programfiler\ltmoh\Ltmoh.exe
C:\Programfiler\Synaptics\SynTP\SynTPLpr.exe
C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Launch Manager\LaunchAp.exe
C:\Program Files\Launch Manager\HotkeyApp.exe
C:\Program Files\Launch Manager\OSD.exe
C:\Program Files\Launch Manager\Wbutton.exe
C:\Programfiler\Intel\Wireless\Bin\ifrmewrk.exe
C:\Programfiler\Wistron\AVManager\AVManager.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Programfiler\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\System32\svchost.exe
C:\Programfiler\Java\jre1.6.0_05\bin\jusched.exe
C:\Programfiler\Norman\Npm\bin\ZLH.EXE
C:\Programfiler\Norman\Nvc\BIN\NIP.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Programfiler\Mil Incorporated\Mil Shield\ShieldWorker.exe
C:\Programfiler\Norman\Nvc\bin\cclaw.exe
C:\Programfiler\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Fellesfiler\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Programfiler\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LtMoh] C:\Programfiler\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Programfiler\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LaunchAp] C:\Program Files\Launch Manager\LaunchAp.exe
O4 - HKLM\..\Run: [HotkeyApp] C:\Program Files\Launch Manager\HotkeyApp.exe
O4 - HKLM\..\Run: [CtrlVol] C:\Program Files\Launch Manager\CtrlVol.exe
O4 - HKLM\..\Run: [LMgrOSD] C:\Program Files\Launch Manager\OSD.exe
O4 - HKLM\..\Run: [Wbutton] "C:\Program Files\Launch Manager\Wbutton.exe"
O4 - HKLM\..\Run: [IntelWireless] C:\Programfiler\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [AVManager] "C:\Programfiler\Wistron\AVManager\AVManager.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Programfiler\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programfiler\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programfiler\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Norman ZANDA] "C:\Programfiler\Norman\Npm\bin\ZLH.EXE" /LOAD /SPLASH
O4 - HKLM\..\Run: [NPCTray] C:\Programfiler\Norman\npc\bin\npc_tray.exe /LOAD
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MilShieldSlave] "C:\Programfiler\Mil Incorporated\Mil Shield\ShieldWorker.exe" -logon
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETTVERKSTJENESTE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Ladbrokes Poker - {C2A80015-C447-4dc4-82DD-AED83D6ED57E} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\programfiler\norman\npc\bin\nlf.dll
O10 - Unknown file in Winsock LSP: c:\programfiler\norman\npc\bin\nlf.dll
O10 - Unknown file in Winsock LSP: c:\programfiler\norman\npc\bin\nlf.dll
O10 - Unknown file in Winsock LSP: c:\programfiler\norman\npc\bin\nlf.dll
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {358DFA15-D48C-4296-8D16-7405F918333B} (Fronter OES2 release 21) - https://fronter.com/hia/links/fronter_oes2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1193752552109
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Programfiler\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FELLES~1\Skype\SKYPE4~1.DLL
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Programfiler\Fellesfiler\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Programfiler\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Norman eLogger service 6 (eLoggerSvc6) - Norman ASA - C:\Programfiler\Norman\Npm\Bin\Elogsvc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Programfiler\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - C:\Programfiler\Ahead\InCD\InCDsrv.exe
O23 - Service: MilShieldCleaner - Unknown owner - C:\Programfiler\Mil Incorporated\Mil Shield\ShieldService.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\Programfiler\Norman\Npm\bin\NJEEVES.EXE
O23 - Service: Norman ZANDA - Norman ASA - C:\Programfiler\Norman\Npm\Bin\Zanda.exe
O23 - Service: Norman Parental Control (NPC) - Norman ASA - C:\Programfiler\Norman\npc\bin\npcsvc32.exe
O23 - Service: Norman Personal Firewall Service (NPFSvc32) - Norman ASA - C:\Programfiler\Norman\npf\bin\npfsvc32.exe
O23 - Service: Norman Security service (NPROSECSVC) - Norman ASA - C:\Programfiler\Norman\Ngs\bin\NPROSEC.EXE
O23 - Service: Norman User Activity Agent (NUAA) - Norman ASA - C:\Programfiler\Norman\npc\bin\nuaa.exe
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Programfiler\Norman\Nvc\bin\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman ASA - C:\Programfiler\Norman\Npm\bin\NVCSCHED.EXE
O23 - Service: Norman's Very Own supplY of resources (NVOY) - Norman ASA - C:\Programfiler\Norman\npm\bin\nvoy.exe
O23 - Service: OwnershipProtocol - Intel Corporation - C:\Programfiler\Intel\Wireless\Bin\OProtSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Programfiler\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Programfiler\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Programfiler\Fellesfiler\SolidWorks Shared\Service\SolidWorksLicensing.exe

--
End of file - 9937 bytes

Thanks,
Karmen
05-10-2008, 06:08 AM   #3
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Join Date: Jan 2005
Location: Ohio
Posts: 18,168
OS: WinXP and Win98se


Re: Bck/VB.XB - Virus/Trojan - Problems starting up.

Hello Karmen,

The trojan Panda found is nothing to be concerned about. When did you download ComboFix?

We prefer a more comprehensive set of logs to assist in detecting any malware that may be present. As noted in the final step (Step 5) of our sticky topic IMPORTANT - Read This Before Posting For Malware Removal Help....

Download Deckard's System Scanner (DSS) to your Desktop.

What DSS will do:
  • create a new System Restore point in Windows XP and Vista.
  • clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
  • check some important areas of your system and produce a report for your analyst to review.
  • DSS automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.

Note: You must be logged onto an account with administrator privileges.
  1. Close all applications and windows.
  2. Double-click on dss.exe to run it, and follow the prompts.
  3. When the scan is complete, two text files will open: main.txt (this one will be maximized) and extra.txt (this one will be minimized).
  4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt in your next reply.
  5. Please attach extra.txt to your post.
To attach a file to a new post, simply:
  1. Click the [Manage Attachments] button under Additional Options > Attach Files on the post composition page, and
  2. Copy and paste the following into the "Upload File from your Computer" box:
    C:\Deckard\System Scanner\extra.txt
  3. Click Upload.

Please include the following in your next reply:
  • main.txt
  • an attached extra.txt
05-11-2008, 09:19 AM   #4
Registered User
 
Join Date: May 2008
Posts: 7
OS: vista


Re: Bck/VB.XB - Virus/Trojan - Problems starting up.

Hi Ried,

Thanks! Obviously I was so eager to post that I missed a step! Sorry!
After working for two days, my laptop gave me the UNMOUNTABLE_BOOT_ERROR blue screen again today. I managed to start up in safe mode and restore to yesterday's restore point, and it seems fine again now.
I am starting to suspect that this is related to some software I used last night (e.g. Femap and/or SolidWorks, simulation programs I am using for my final project at uni).
Anyway here are the logs you asked for.
Thanks again,
Karmen

Main:

Deckard's System Scanner v20071014.68
Run by Morgan on 2008-05-11 17:55:01
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
19: 2008-05-11 15:55:07 UTC - RP170 - Deckard's System Scanner Restore Point
18: 2008-05-11 15:29:11 UTC - RP169 - Morgan
17: 2008-05-11 14:40:34 UTC - RP168 - Gjenopprettingsoperasjon
16: 2008-05-09 22:32:07 UTC - RP167 - Removed Windows Live installer
15: 2008-05-09 21:53:49 UTC - RP166 - Kontrollpunkt for system


-- First Restore Point --
1: 2008-04-25 21:05:51 UTC - RP152 - Software Distribution Service 3.0


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Morgan.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:57:38, on 11.05.2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Programfiler\Norman\Npm\Bin\Elogsvc.exe
C:\Programfiler\Norman\Ngs\bin\NPROSEC.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programfiler\Intel\Wireless\Bin\EvtEng.exe
C:\Programfiler\Intel\Wireless\Bin\S24EvMon.exe
C:\Programfiler\Intel\Wireless\Bin\ZcfgSvc.exe
C:\Programfiler\Norman\Npm\Bin\Zanda.exe
C:\Programfiler\Norman\npm\bin\nvoy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Programfiler\Norman\npf\bin\npfsvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programfiler\Cisco Systems\VPN Client\cvpnd.exe
C:\Programfiler\Ahead\InCD\InCDsrv.exe
C:\Programfiler\Mil Incorporated\Mil Shield\ShieldService.exe
C:\Programfiler\MPICH\mpd\bin\mpd.exe
C:\Programfiler\Intel\Wireless\Bin\OProtSvc.exe
C:\Programfiler\Intel\Wireless\Bin\RegSrvc.exe
C:\Programfiler\Norman\npf\bin\npfuser.exe
C:\Programfiler\Norman\Npm\bin\NVCSCHED.EXE
C:\Programfiler\Norman\Npm\bin\NJEEVES.EXE
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Programfiler\Norman\npc\bin\npcsvc32.exe
C:\Programfiler\Norman\Nvc\bin\nvcoas.exe
C:\Programfiler\Norman\npc\bin\nuaa.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Programfiler\ltmoh\Ltmoh.exe
C:\Programfiler\Synaptics\SynTP\SynTPLpr.exe
C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Launch Manager\LaunchAp.exe
C:\Program Files\Launch Manager\HotkeyApp.exe
C:\Program Files\Launch Manager\OSD.exe
C:\Program Files\Launch Manager\Wbutton.exe
C:\Programfiler\Intel\Wireless\Bin\ifrmewrk.exe
C:\Programfiler\Wistron\AVManager\AVManager.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Programfiler\Microsoft Office\Office12\GrooveMonitor.exe
C:\Programfiler\Java\jre1.6.0_05\bin\jusched.exe
C:\Programfiler\Norman\Npm\bin\ZLH.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Programfiler\Norman\Nvc\BIN\NIP.EXE
C:\Programfiler\Mil Incorporated\Mil Shield\ShieldWorker.exe
C:\Programfiler\Norman\Nvc\bin\cclaw.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Morgan\Skrivebord\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Morgan.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Fellesfiler\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Programfiler\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LtMoh] C:\Programfiler\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Programfiler\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LaunchAp] C:\Program Files\Launch Manager\LaunchAp.exe
O4 - HKLM\..\Run: [HotkeyApp] C:\Program Files\Launch Manager\HotkeyApp.exe
O4 - HKLM\..\Run: [CtrlVol] C:\Program Files\Launch Manager\CtrlVol.exe
O4 - HKLM\..\Run: [LMgrOSD] C:\Program Files\Launch Manager\OSD.exe
O4 - HKLM\..\Run: [Wbutton] "C:\Program Files\Launch Manager\Wbutton.exe"
O4 - HKLM\..\Run: [IntelWireless] C:\Programfiler\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [AVManager] "C:\Programfiler\Wistron\AVManager\AVManager.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Programfiler\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programfiler\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programfiler\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Norman ZANDA] "C:\Programfiler\Norman\Npm\bin\ZLH.EXE" /LOAD /SPLASH
O4 - HKLM\..\Run: [NPCTray] C:\Programfiler\Norman\npc\bin\npc_tray.exe /LOAD
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MilShieldSlave] "C:\Programfiler\Mil Incorporated\Mil Shield\ShieldWorker.exe" -logon
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETTVERKSTJENESTE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Ladbrokes Poker - {C2A80015-C447-4dc4-82DD-AED83D6ED57E} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\programfiler\norman\npc\bin\nlf.dll
O10 - Unknown file in Winsock LSP: c:\programfiler\norman\npc\bin\nlf.dll
O10 - Unknown file in Winsock LSP: c:\programfiler\norman\npc\bin\nlf.dll
O10 - Unknown file in Winsock LSP: c:\programfiler\norman\npc\bin\nlf.dll
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {358DFA15-D48C-4296-8D16-7405F918333B} (Fronter OES2 release 21) - https://fronter.com/hia/links/fronter_oes2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1193752552109
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Programfiler\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FELLES~1\Skype\SKYPE4~1.DLL
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Programfiler\Fellesfiler\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Programfiler\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Norman eLogger service 6 (eLoggerSvc6) - Norman ASA - C:\Programfiler\Norman\Npm\Bin\Elogsvc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Programfiler\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - C:\Programfiler\Ahead\InCD\InCDsrv.exe
O23 - Service: MilShieldCleaner - Unknown owner - C:\Programfiler\Mil Incorporated\Mil Shield\ShieldService.exe
O23 - Service: MPICH Daemon (C) 2001 Argonne National Lab (mpich_mpd) - Unknown owner - C:\Programfiler\MPICH\mpd\bin\mpd.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\Programfiler\Norman\Npm\bin\NJEEVES.EXE
O23 - Service: Norman ZANDA - Norman ASA - C:\Programfiler\Norman\Npm\Bin\Zanda.exe
O23 - Service: Norman Parental Control (NPC) - Norman ASA - C:\Programfiler\Norman\npc\bin\npcsvc32.exe
O23 - Service: Norman Personal Firewall Service (NPFSvc32) - Norman ASA - C:\Programfiler\Norman\npf\bin\npfsvc32.exe
O23 - Service: Norman Security service (NPROSECSVC) - Norman ASA - C:\Programfiler\Norman\Ngs\bin\NPROSEC.EXE
O23 - Service: Norman User Activity Agent (NUAA) - Norman ASA - C:\Programfiler\Norman\npc\bin\nuaa.exe
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Programfiler\Norman\Nvc\bin\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman ASA - C:\Programfiler\Norman\Npm\bin\NVCSCHED.EXE
O23 - Service: Norman's Very Own supplY of resources (NVOY) - Norman ASA - C:\Programfiler\Norman\npm\bin\nvoy.exe
O23 - Service: OwnershipProtocol - Intel Corporation - C:\Programfiler\Intel\Wireless\Bin\OProtSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Programfiler\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Programfiler\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Programfiler\Fellesfiler\SolidWorks Shared\Service\SolidWorksLicensing.exe

--
End of file - 10226 bytes

-- File Associations -----------------------------------------------------------

.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.cpl - cplfile - shell\runas\command - rundll32.exe shell32.dll,Control_RunDLLAsUser "%1",%*
.scr - AutoCADScriptFile - shell\open\command - "C:\WINDOWS\system32\NOTEPAD.EXE" "%1"


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 Hotkey - c:\windows\system32\drivers\hotkey.sys
R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.1.0.1) - c:\windows\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.1.0.1>
R2 s24trans (WLAN Transport) - c:\windows\system32\drivers\s24trans.sys <Not Verified; Intel Corporation; Intel Wireless LAN Packet Driver>

S1 Wbutton - c:\windows\system32\drivers\wbutton.sys (file missing)
S3 MS1000 - c:\windows\system32\drivers\ms1000.sys


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 MilShieldCleaner - c:\programfiler\mil incorporated\mil shield\shieldservice.exe
R2 mpich_mpd (MPICH Daemon (C) 2001 Argonne National Lab) - c:\programfiler\mpich\mpd\bin\mpd.exe
R2 OwnershipProtocol - c:\programfiler\intel\wireless\bin\oprotsvc.exe <Not Verified; Intel Corporation; Intel PROSet/Wireless>
R2 RegSrvc - c:\programfiler\intel\wireless\bin\regsrvc.exe <Not Verified; Intel Corporation; RegSrvc Module>

S3 Autodesk Licensing Service - "c:\programfiler\fellesfiler\autodesk shared\service\adskscsrv.exe" <Not Verified; Autodesk; Autodesk Licensing Service>
S3 SolidWorks Licensing Service - "c:\programfiler\fellesfiler\solidworks shared\service\solidworkslicensing.exe" <Not Verified; SolidWorks; SolidWorks Licensing Service>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Cisco Systems VPN Adapter
Device ID: ROOT\NET\0000
Manufacturer: Cisco Systems
Name: Cisco Systems VPN Adapter
PNP Device ID: ROOT\NET\0000
Service: CVirtA


-- Files created between 2008-04-11 and 2008-05-11 -----------------------------

2008-05-11 16:47:51 0 d-------- C:\Programfiler\SpywareBlaster
2008-05-11 16:47:46 0 d-------- C:\Programfiler\The Cleaner Free
2008-05-11 16:47:46 0 d-------- C:\Programfiler\MPICH
2008-05-11 16:47:39 0 d-------- C:\Programfiler\ScanSoft
2008-05-11 16:47:38 0 d-------- C:\Programfiler\Google
2008-05-11 16:41:13 0 d-------- C:\Programfiler\CD-adapco
2008-05-11 16:41:13 0 d-------- C:\ie-spyad_zo
2008-05-11 16:41:12 0 d-------- C:\VundoFix Backups
2008-05-10 11:28:51 0 d-------- C:\Programfiler\SpywareBlaster(2)
2008-05-09 23:29:26 0 d-------- C:\Programfiler\Mil Incorporated
2008-05-09 23:00:46 0 d-------- C:\Programfiler\Enigma Software Group
2008-05-09 20:54:37 5376 --a------ C:\WINDOWS\system32\drivers\MS1000.sys
2008-05-09 19:59:37 0 d-------- C:\Programfiler\Exterminate It!
2008-05-08 12:21:18 0 d-------- C:\WINDOWS\Prefetch
2008-05-08 10:44:52 0 d-------- C:\WINDOWS\system32\no
2008-05-08 10:44:52 0 d-------- C:\WINDOWS\l2schemas
2008-05-08 10:44:51 0 d-------- C:\WINDOWS\system32\bits
2008-05-08 10:40:36 0 d-------- C:\WINDOWS\ServicePackFiles
2008-05-07 23:17:03 0 d-------- C:\Programfiler\Panda Security
2008-05-07 22:45:54 0 d-------- C:\Programfiler\Eusing Free Registry Cleaner
2008-05-07 19:20:18 0 d-------- C:\Programfiler\Trend Micro
2008-05-06 23:44:12 0 d-------- C:\Programfiler\Norman
2008-04-26 13:01:42 0 d-------- C:\Programfiler\EngiLab Beam.2D ML
2008-04-26 13:01:12 73216 --a------ C:\WINDOWS\ST6UNST.EXE <Not Verified; Microsoft Corporation; Microsoft® Visual Basic for Windows>
2008-04-25 23:07:04 0 d-------- C:\Programfiler\MSXML 6.0
2008-04-22 12:14:49 0 d-------- C:\Programfiler\AOEMView 2008
2008-04-22 12:14:31 0 d-------- C:\Programfiler\Microsoft WSE
2008-04-22 12:12:32 0 d-------- C:\Programfiler\DWG TrueView 2007
2008-04-22 12:11:59 0 d-------- C:\Programfiler\Fellesfiler\Autodesk Shared
2008-04-22 12:11:59 0 d-------- C:\Programfiler\Autodesk


-- Find3M Report ---------------------------------------------------------------

2008-05-10 23:07:21 0 d-------- C:\Documents and Settings\Morgan\Programdata\SolidWorks
2008-05-10 00:32:41 0 d-------- C:\Documents and Settings\Morgan\Programdata\Macromedia
2008-05-09 23:59:15 405228 --a------ C:\WINDOWS\system32\perfh014.dat
2008-05-09 23:59:15 69306 --a------ C:\WINDOWS\system32\perfc014.dat
2008-05-08 18:47:35 0 d-------- C:\Documents and Settings\Morgan\Programdata\Smart PC Solutions
2008-05-08 18:23:50 0 d-------- C:\Documents and Settings\Morgan\Programdata\Uniblue
2008-05-08 10:45:29 0 d-------- C:\Programfiler\Messenger
2008-05-08 10:44:50 0 d-------- C:\Programfiler\Movie Maker
2008-05-08 10:39:57 0 d-------- C:\Programfiler\Windows NT
2008-05-06 10:53:23 0 d-------- C:\Programfiler\Skype
2008-05-04 21:52:53 0 d-------- C:\Documents and Settings\Morgan\Programdata\Microgaming
2008-05-02 21:14:52 0 d-------- C:\Documents and Settings\Morgan\Programdata\Skype
2008-05-02 20:24:39 0 d-------- C:\Documents and Settings\Morgan\Programdata\skypePM
2008-04-22 13:02:17 0 d-------- C:\Documents and Settings\Morgan\Programdata\Autodesk
2008-04-22 12:11:59 0 d-------- C:\Programfiler\Fellesfiler
2008-04-20 23:35:58 6553 --a------ C:\Documents and Settings\Morgan\Programdata\PrimoPDFSet.xml
2008-04-20 23:01:06 310 --a------ C:\Documents and Settings\Morgan\Programdata\APUSet.xml
2008-04-04 11:57:21 0 d-------- C:\Programfiler\activePDF
2008-04-03 08:20:00 0 d-------- C:\Documents and Settings\Morgan\Programdata\Help
2008-04-03 08:10:28 0 d--h----- C:\Programfiler\InstallShield Installation Information
2008-03-27 16:02:09 0 d-------- C:\Documents and Settings\Morgan\Programdata\uTorrent
2008-03-25 16:35:27 0 d-------- C:\Programfiler\uTorrent
2008-03-24 10:44:57 0 d-------- C:\Documents and Settings\Morgan\Programdata\DassaultSystemes
2008-03-20 21:00:09 0 d-------- C:\Programfiler\Java
2008-03-20 20:56:17 0 d-------- C:\Programfiler\Fellesfiler\Skype


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AGRSMMSG"="AGRSMMSG.exe" [13.04.2004 06:49 C:\WINDOWS\AGRSMMSG.exe]
"LtMoh"="C:\Programfiler\ltmoh\Ltmoh.exe" [04.09.2003 18:00]
"SynTPLpr"="C:\Programfiler\Synaptics\SynTP\SynTPLpr.exe" [07.05.2004 04:49]
"SynTPEnh"="C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe" [07.05.2004 04:49]
"LaunchAp"="C:\Program Files\Launch Manager\LaunchAp.exe" [06.08.2004 15:04]
"HotkeyApp"="C:\Program Files\Launch Manager\HotkeyApp.exe" [11.11.2004 16:13]
"CtrlVol"="C:\Program Files\Launch Manager\CtrlVol.exe" [16.09.2003 15:28]
"LMgrOSD"="C:\Program Files\Launch Manager\OSD.exe" [26.07.2004 15:52]
"Wbutton"="C:\Program Files\Launch Manager\Wbutton.exe" [06.09.2004 15:11]
"IntelWireless"="C:\Programfiler\Intel\Wireless\Bin\ifrmewrk.exe" [06.08.2004 17:48]
"AVManager"="C:\Programfiler\Wistron\AVManager\AVManager.exe" [08.06.2004 19:32]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [02.11.2004 03:03]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [02.11.2004 02:59]
"GrooveMonitor"="C:\Programfiler\Microsoft Office\Office12\GrooveMonitor.exe" [24.08.2007 08:00]
"SunJavaUpdateSched"="C:\Programfiler\Java\jre1.6.0_05\bin\jusched.exe" [22.02.2008 05:25]
"Adobe Reader Speed Launcher"="C:\Programfiler\Adobe\Reader 8.0\Reader\Reader_sl.exe" [11.01.2008 23:16]
"Norman ZANDA"="C:\Programfiler\Norman\Npm\bin\ZLH.exe" [17.12.2007 14:37]
"NPCTray"="C:\Programfiler\Norman\npc\bin\npc_tray.exe" [17.09.2007 14:29]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [14.04.2008 18:22]
"MilShieldSlave"="C:\Programfiler\Mil Incorporated\Mil Shield\ShieldWorker.exe" [09.05.2008 23:29]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
C:\WINDOWS\System32\dimsntfy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Programfiler\Intel\Wireless\Bin\LgNotify.dll 06.08.2004 17:48 110592 C:\Programfiler\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
eapsvcs eaphost
dot3svc dot3svc

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
napagent
hkmsvc




-- End of Deckard's System Scanner: finished at 2008-05-11 18:00:42 ------------
Attached Files
File Type: txt extra.txt (17.7 KB, 1 views)
Old 05-11-2008, 10:01 AM   #5 (permalink)
Registered User
 
Join Date: May 2008
Posts: 7
OS: vista


Re: Bck/VB.XB - Virus/Trojan - Problems starting up.

Hi Ried,

About ComboFix, I honestly do not remember when I downloaded it. Probably during my quest to find out what happened to my machine, at some point. I must have deleted it too, at some point, as it does not appear in my programs.

Karmen
Old 05-11-2008, 08:33 PM   #6 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Join Date: Jan 2005
Location: Ohio
Posts: 18,168
OS: WinXP and Win98se


Re: Bck/VB.XB - Virus/Trojan - Problems starting up.

I'm not seeing anything in these logs. The title of this thread is "Bck/VB.XB - Virus/Trojan", where did you get that name from?
__________________

Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Keep this site free for all. Please consider, donating

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Old 05-12-2008, 12:06 AM   #7 (permalink)
Registered User
 
Join Date: May 2008
Posts: 7
OS: vista


Re: Bck/VB.XB - Virus/Trojan - Problems starting up.

Hi Ried,
I removed the trojan with Exterminate It, as I say in my second post.
I was just wondering if there is anything which neither antivirus nor spyware will find... but if you say that you cannot see anything, the problem must originate elsewhere then (I suspect from Femap).

Thanks a lot for your help anyway,
karmen
Old 05-12-2008, 08:42 AM   #8 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Join Date: Jan 2005
Location: Ohio
Posts: 18,168
OS: WinXP and Win98se


Re: Bck/VB.XB - Virus/Trojan - Problems starting up.

Let's double check anyway. It's important to run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run its full course:

Using Internet Explorer, visit http://www.kaspersky.com/kos/eng/par...avwebscan.html

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
Old 05-12-2008, 02:58 PM   #9 (permalink)
Registered User
 
Join Date: May 2008
Posts: 7
OS: vista


Re: Bck/VB.XB - Virus/Trojan - Problems starting up.

Hi Ried,

here is the log you asked for. I am keeping my fingers crossed!

Thanks,
Karmen


-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, May 12, 2008 11:51:17 PM
Operating System: Microsoft Windows XP Professional, Service Pack 3 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 12/05/2008
Kaspersky Anti-Virus database records: 765113
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 89557
Number of viruses found: 0
Number of infected objects: 0
Number of suspicious objects: 0
Duration of the scan process: 01:32:41

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Programdata\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Programdata\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Lokale innstillinger\Logg\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Lokale innstillinger\Programdata\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Lokale innstillinger\Programdata\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Lokale innstillinger\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Morgan\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Morgan\Lokale innstillinger\Logg\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Morgan\Lokale innstillinger\Programdata\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Morgan\Lokale innstillinger\Programdata\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Morgan\Lokale innstillinger\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Morgan\Lokale innstillinger\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Morgan\ntuser.dat Object is locked skipped
C:\Documents and Settings\Morgan\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Lokale innstillinger\Logg\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Lokale innstillinger\Programdata\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Lokale innstillinger\Programdata\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Lokale innstillinger\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Programfiler\Norman\Npf\data\npfldata.bin Object is locked skipped
C:\Programfiler\Norman\Resources\store.nts Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{5678E8B4-8472-46FD-BD7F-4E0A52E4CF5F}\RP171\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
C:\WINDOWS\system32\config\OSession.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.