Pleace help with Hijack this file

[coffan]

Need help to analyze my Hijackthis log.
Lately mine computer started to be rather tough.

Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:20:23, on 2008-06-22
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\Program\Java\jre1.6.0_05\bin\jusched.exe
C:\Program\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program\ESET\ESET Smart Security\egui.exe
C:\Program\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program\Windows Live\Messenger\MsnMsgr.Exe
C:\Program\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program\Messenger\msmsgs.exe
C:\Program\Delade filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program\Bonjour\mDNSResponder.exe
C:\Program\ESET\ESET Smart Security\ekrn.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program\iPod\bin\iPodService.exe
C:\Program\Windows Live\Messenger\usnsvc.exe
C:\Program\Delade filer\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program\Internet Explorer\iexplore.exe
C:\Program\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se/ig?hl=sv
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Länkhjälp till Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Delade filer\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: UrlHelper Class - {74322BF9-DF26-493f-B0DA-6D2FC5E6429E} - C:\Program\BearShare Applications\BearShare MediaBar\BearShareIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live inloggningshjälpen - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program\Delade filer\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: BearShare MediaBar - {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - C:\Program\BearShare Applications\BearShare MediaBar\BearShareMediaBar.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [DLCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCFtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [egui] "C:\Program\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [StartCCC] C:\Program\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJÄNST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Referensinformation - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.euro.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - http://upload.facebook.com/controls/...oUploader3.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/soft...ch/alaunch.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary...o.cab56649.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/...ploader4_5.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab57176.cab
O16 - DPF: {E856B973-45FD-4559-8F82-EAB539144667} (Dell PC Checkup Installer Control) - http://pccheckup.dellfix.com/rel/41/...l/gtdownde.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program\Delade filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program\Bonjour\mDNSResponder.exe
O23 - Service: dlcf_device - - C:\WINDOWS\system32\dlcfcoms.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program\ESET\ESET Smart Security\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program\Delade filer\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program\iPod\bin\iPodService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 8943 bytes

[forhockey]

Hi coffan,

Sorry for the delay in looking into your log, as we are extremely busy in this section of the forums. If you still require assistance and are not seeking help elsewhere, then please carry out my instructions.

Please subscribe to this thread so that you are notified when you receive a reply. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Add Subscription.

--------------------------------------------------------------

P2P Software

I see you have P2P software ( BearShare) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.

--------------------------------------------------------------

Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.

1. Close all applications and windows.
2. Double-click on dss.exe to run it, and follow the prompts.
3. When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt <-this one will be minimized
4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt here.
5. Please attach extra.txt to your post.

To attach a file to a new post, simply

1. Click the[Manage Attachments] button under Additional Options > Attach Files on the post composition page, and
2. copy and paste the following into the "Upload File from your Computer" box:

   C:\Deckard\System Scanner\extra.txt
   

3. Click Upload.

What DSS will do:

• create a new System Restore point in Windows XP and Vista.
• clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
• check some important areas of your system and produce a report for your analyst to review. DSS automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.

--------------------------------------------------------------

Please include the following in your next reply:

C:\Deckard\System Scanner\main.txt
C:\Deckard\System Scanner\extra.txt - Attached please

[coffan]

Thank's for the help!

Here's main.txt:


Deckard's System Scanner v20071014.68
Run by Coffan on 2008-06-29 22:44:54
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
10: 2008-06-29 20:44:58 UTC - RP10 - Deckard's System Scanner Restore Point
9: 2008-06-29 19:16:12 UTC - RP9 - Systemkontrollpunkt
8: 2008-06-28 09:37:10 UTC - RP8 - Telenor Mobilt Bredband installerades
7: 2008-06-26 10:50:23 UTC - RP7 - Systemkontrollpunkt
6: 2008-06-25 09:56:41 UTC - RP6 - Installed Empire Earth


-- First Restore Point --
1: 2008-06-22 21:00:25 UTC - RP1 - Systemkontrollpunkt


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Coffan.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:48:11, on 2008-06-29
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\Program\Java\jre1.6.0_05\bin\jusched.exe
C:\Program\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program\iTunes\iTunesHelper.exe
C:\Program\ESET\ESET Smart Security\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program\Messenger\msmsgs.exe
C:\Program\Delade filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program\Bonjour\mDNSResponder.exe
C:\Program\ESET\ESET Smart Security\ekrn.exe
C:\Program\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program\Delade filer\GtFlashSwitch\GtFlashSwitch.exe
C:\Program\Option\Telenor Mobilt Bredband\Telenor Mobilt Bredband.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program\iPod\bin\iPodService.exe
C:\Program\Windows Live\Messenger\usnsvc.exe
C:\Program\Internet Explorer\IEXPLORE.EXE
C:\Program\Delade filer\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Documents and Settings\Coffan\Lokala inställningar\Temporary Internet Files\Content.IE5\INFEEJU3\dss[1].exe
C:\Program\TRENDM~1\HIJACK~1\Coffan.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Länkhjälp till Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Delade filer\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live inloggningshjälpen - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program\Delade filer\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [DLCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCFtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [egui] "C:\Program\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [StartCCC] C:\Program\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJÄNST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Telenor Mobilt Bredband.lnk = C:\Program\Option\Telenor Mobilt Bredband\Telenor Mobilt Bredband.exe
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Referensinformation - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.euro.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - http://upload.facebook.com/controls/...oUploader3.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} - http://launch.gamespyarcade.com/soft...ch/alaunch.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary...o.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/...ploader4_5.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab57176.cab
O16 - DPF: {E856B973-45FD-4559-8F82-EAB539144667} (Dell PC Checkup Installer Control) - http://pccheckup.dellfix.com/rel/41/...l/gtdownde.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program\Delade filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program\Bonjour\mDNSResponder.exe
O23 - Service: dlcf_device - - C:\WINDOWS\system32\dlcfcoms.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program\ESET\ESET Smart Security\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program\Delade filer\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GtFlashSwitch - OptionNV - C:\Program\Delade filer\GtFlashSwitch\GtFlashSwitch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program\iPod\bin\iPodService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 8777 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 sfdrv01 (StarForce Protection Environment Driver (version 1.x)) - c:\windows\system32\drivers\sfdrv01.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 sfhlp02 (StarForce Protection Helper Driver (version 2.x)) - c:\windows\system32\drivers\sfhlp02.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 sfsync02 (StarForce Protection Synchronization Driver (version 2.x)) - c:\windows\system32\drivers\sfsync02.sys <Not Verified; Protection Technology; StarForce Protection System>

S3 Ad-Watch Connect Filter (Ad-Watch Connect Kernel Filter) - c:\windows\system32\drivers\nsdriver.sys (file missing)
S3 Ad-Watch Real-Time Scanner (AW Real-Time Scanner) - c:\windows\system32\drivers\awrtpd.sys (file missing)
S3 Ad-Watch Registry Filter (Ad-Watch Registry Kernel Filter) - c:\windows\system32\drivers\awrtrd.sys (file missing)
S3 catchme - c:\docume~1\coffan\lokala~1\temp\catchme.sys (file missing)
S3 SE2Ebus (Sony Ericsson Device 046 Driver driver (WDM)) - c:\windows\system32\drivers\se2ebus.sys <Not Verified; MCCI; Sony Ericsson Device 046 Driver>
S3 SE2Emdfl (Sony Ericsson Device 046 USB WMC Modem Filter) - c:\windows\system32\drivers\se2emdfl.sys <Not Verified; MCCI; Sony Ericsson Device 046 USB WMC Modem Filter Driver>
S3 SE2Emdm (Sony Ericsson Device 046 USB WMC Modem Driver) - c:\windows\system32\drivers\se2emdm.sys <Not Verified; MCCI; Sony Ericsson Device 046 USB WMC Data Modem>
S3 SE2Emgmt (Sony Ericsson Device 046 USB WMC Device Management Drivers (WDM)) - c:\windows\system32\drivers\se2emgmt.sys <Not Verified; MCCI; Sony Ericsson Device 046 USB WMC Device Management>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program\delade filer\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 Bonjour Service (##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762##) - c:\program\bonjour\mdnsresponder.exe <Not Verified; Apple Computer, Inc.; Bonjour>
R2 GtFlashSwitch - "c:\program\delade filer\gtflashswitch\gtflashswitch.exe" <Not Verified; OptionNV; GtFlashSwitch>

S3 FLEXnet Licensing Service - "c:\program\delade filer\macrovision shared\flexnet publisher\fnplicensingservice.exe" <Not Verified; Macrovision Europe Ltd.; FLEXnet Publisher (32 bit)>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID:
Description: SM-busstyrenhet
Device ID: PCI\VEN_1002&DEV_4385&SUBSYS_01F51028&REV_13\3&13C0B0C5&0&A0
Manufacturer:
Name: SM-busstyrenhet
PNP Device ID: PCI\VEN_1002&DEV_4385&SUBSYS_01F51028&REV_13\3&13C0B0C5&0&A0
Service:


-- Scheduled Tasks -------------------------------------------------------------

2008-06-26 18:39:03 272 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-05-29 and 2008-06-29 -----------------------------

2008-06-28 11:37:12 0 d-------- C:\Program\Option
2008-06-28 11:37:12 0 d-------- C:\Program\Delade filer\GtFlashSwitch
2008-06-23 00:29:14 0 dr-h----- C:\Documents and Settings\Coffan\Recent
2008-06-22 2308 0 d-------- C:\VundoFix Backups
2008-06-22 22:36:43 0 d-------- C:\Program\PFConfig
2008-06-22 22:31:30 0 d-------- C:\Program\uTorrent
2008-06-22 22:31:24 0 d-------- C:\Documents and Settings\Coffan\Application Data\uTorrent
2008-06-22 22:20:11 0 d-------- C:\Program\Trend Micro
2008-06-21 14:49:07 0 d-------- C:\GameSpy Arcade Setup
2008-06-18 19:46:22 0 d-------- C:\WINDOWS\A6W_DATA
2008-06-18 19:45:05 0 d-------- C:\Program\Trafik4
2008-06-18 17:22:48 0 d-------- C:\Program\Körkortsteori B
2008-06-18 17:22:42 37136 -ra------ C:\WINDOWS\VIREG32.EXE <Not Verified; Microsoft Corporation; Microsoft(R) Windows NT(R) Operating System>
2008-06-16 13:08:53 0 d-------- C:\Program\GameSpy Arcade
2008-06-16 12:56:28 0 d-------- C:\Program\Microsoft Games
2008-06-08 22:16:43 0 d-------- C:\Documents and Settings\Coffan\Application Data\Leadertech


-- Find3M Report ---------------------------------------------------------------

2008-06-29 20:52:30 411740 --a------ C:\WINDOWS\system32\perfh01D.dat
2008-06-29 20:52:30 77020 --a------ C:\WINDOWS\system32\perfc01D.dat
2008-06-28 11:37:12 0 d-------- C:\Program\Delade filer
2008-06-25 20:03:10 0 d-------- C:\Program\LimeWire
2008-06-25 11:56:42 0 d--h----- C:\Program\InstallShield Installation Information
2008-06-24 00:23:28 0 d-------- C:\Program\Windows Live Safety Center
2008-06-21 14:42:22 0 d-------- C:\Documents and Settings\Coffan\Application Data\Hamachi
2008-06-19 01:21:55 0 d-------- C:\Documents and Settings\Coffan\Application Data\Azureus
2008-06-16 14:31:16 21840 --a-----t C:\WINDOWS\system32\SIntfNT.dll
2008-06-16 14:31:16 17212 --a-----t C:\WINDOWS\system32\SIntf32.dll
2008-06-16 14:31:16 12067 --a-----t C:\WINDOWS\system32\SIntf16.dll
2008-05-16 18:10:38 0 d-------- C:\Program\Yahoo!
2008-05-16 17:07:38 0 d-------- C:\Program\CCleaner
2008-05-14 22:18:44 0 d-------- C:\Program\NudgeMania
2008-05-09 19:53:47 0 d-------- C:\Program\Paradox Interactive
2008-05-01 15:53:20 0 d-------- C:\Documents and Settings\Coffan\Application Data\LimeWire


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\Program\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 12:48]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2007-03-16 18:10]
"SigmatelSysTrayApp"="stsystra.exe" [2006-07-27 14:19 C:\WINDOWS\stsystra.exe]
"SunJavaUpdateSched"="C:\Program\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25]
"Adobe Photo Downloader"="C:\Program\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-22 15:09]
"DLCFCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCFtime.dll" [2005-09-08 20:55]
"@"="" []
"QuickTime Task"="C:\Program\QuickTime\qttask.exe" [2008-03-28 23:37]
"iTunesHelper"="C:\Program\iTunes\iTunesHelper.exe" [2008-03-30 10:36]
"Adobe Reader Speed Launcher"="C:\Program\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16]
"egui"="C:\Program\ESET\ESET Smart Security\egui.exe" [2008-03-13 16:48]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-09-16 17:16]
"@"="" []
"StartCCC"="C:\Program\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 13:35]
"msnmsgr"="C:\Program\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 12:35]
"MSMSGS"="C:\Program\Messenger\msmsgs.exe" [2004-10-13 18:24]

C:\Documents and Settings\All Users\Start-meny\Program\Autostart\
Telenor Mobilt Bredband.lnk - C:\Program\Option\Telenor Mobilt Bredband\Telenor Mobilt Bredband.exe [2007-05-18 09:57:54]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\vtstt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Coffan^Start-meny^Program^Autostart^hamachi.lnk]
path=C:\Documents and Settings\Coffan\Start-meny\Program\Autostart\hamachi.lnk
backup=C:\WINDOWS\pss\hamachi.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Coffan^Start-meny^Program^Autostart^Last.fm Helper.lnk]
path=C:\Documents and Settings\Coffan\Start-meny\Program\Autostart\Last.fm Helper.lnk
backup=C:\WINDOWS\pss\Last.fm Helper.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Coffan^Start-meny^Program^Autostart^MagicDisc.lnk]
path=C:\Documents and Settings\Coffan\Start-meny\Program\Autostart\MagicDisc.lnk
backup=C:\WINDOWS\pss\MagicDisc.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcoholAutomount]
"C:\Program\Alcohol Soft\Alcohol 120\axcmd.exe" /automount

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
"C:\Program\DAEMON Tools\daemon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program\MSN Messenger\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
C:\Program\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
"C:\Program\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
"c:\program\valve\steam\steam.exe" -silent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{df765e3d-7f4a-11dc-aa3b-00197d183f8e}]
AutoRun\command- F:\SETUP.EXE




-- End of Deckard's System Scanner: finished at 2008-06-29 22:48:50 ------------

[forhockey]

Hi coffan,

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/comb...o-use-combofix


IMPORTANT: Make sure you install the Recovery Console before running ComboFix.

--------------------------------------------------------------

After running ComboFix, establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.

• The program will then begin downloading the latest definition files.
• Once the files have been downloaded click on NEXT
• Locate the Scan Settings button & configure to:
  • Scan using the following Anti-Virus database:
    • Extended
  • Scan Options:
    • Scan Archives
    • Scan Mail Bases
• Click OK & have it scan My Computer
• Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  
  
  
  
  
  
• Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

* Turn off the real time scanner of any existing antivirus program while performing the online scan

--------------------------------------------------------------

Reply back with the following:

• C:\ComboFix.txt
• kaspersky online scan results

[coffan]

Here's the log from the online scanner:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Monday, June 30, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, June 30, 2008 11:47:42
Records in database: 898476
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\

Scan statistics:
Files scanned: 101035
Threat name: 3
Infected objects: 3
Suspicious objects: 0
Duration of the scan: 0230


File name / Threat name / Threats count
C:\Deckard\System Scanner\backup\DOCUME~1\Coffan\LOKALA~1\Temp\n80_31m_en.exe Infected: Trojan-Dropper.Win32.Agent.qvx 1
C:\Documents and Settings\Coffan\Shared\criss brown forever.mp3 Infected: Trojan-Downloader.WMA.Wimad.n 1
C:\WINDOWS\system32\pmls.dll Infected: not-a-virus:AdWare.Win32.RK.z 1

The selected area was scanned.

--------------------------------

ComboFix


ComboFix 08-06-20.4 - Coffan 2008-06-30 15:38:38.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1053.18.521 [GMT 2:00]
Running from: C:\Documents and Settings\Coffan\Skrivbord\ComboFix.exe
Command switches used :: C:\Documents and Settings\Coffan\Skrivbord\WindowsXP-KB310994-SP2-Home-BootDisk-SVE.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BMcff3ae44.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\foeunqtl.ini
C:\WINDOWS\system32\fphdnvxx.ini
C:\WINDOWS\system32\mbbuuasj.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\npqfrxgw.ini
C:\WINDOWS\system32\qrqss.ini
C:\WINDOWS\system32\qrqss.ini2
C:\WINDOWS\system32\ttstv.ini
C:\WINDOWS\system32\ttstv.ini2

.
((((((((((((((((((((((((( Files Created from 2008-05-28 to 2008-06-30 )))))))))))))))))))))))))))))))
.

2008-06-29 22:44 . 2008-06-29 22:44 <KAT> d-------- C:\Deckard
2008-06-28 11:37 . 2008-06-28 11:37 <KAT> d-------- C:\Program\Option
2008-06-28 11:37 . 2008-06-28 11:37 <KAT> d-------- C:\Program\Delade filer\GtFlashSwitch
2008-06-22 23:06 . 2008-06-22 23:06 <KAT> d-------- C:\VundoFix Backups
2008-06-22 22:36 . 2008-06-22 23:00 <KAT> d-------- C:\Program\PFConfig
2008-06-22 22:31 . 2008-06-22 22:31 <KAT> d-------- C:\Program\uTorrent
2008-06-22 22:31 . 2008-06-26 23:04 <KAT> d-------- C:\Documents and Settings\Coffan\Application Data\uTorrent
2008-06-22 22:20 . 2008-06-22 22:20 <KAT> d-------- C:\Program\Trend Micro
2008-06-21 14:49 . 2008-06-21 14:49 <KAT> d-------- C:\GameSpy Arcade Setup
2008-06-18 19:47 . 2008-06-18 19:47 99,835 --a------ C:\WINDOWS\Run32A60.mch
2008-06-18 19:46 . 2008-06-18 19:46 <KAT> d-------- C:\WINDOWS\A6W_DATA
2008-06-18 19:46 . 2008-06-18 19:46 35 --a------ C:\WINDOWS\A6W.INI
2008-06-18 19:45 . 2008-06-18 19:45 <KAT> d-------- C:\Program\Trafik4
2008-06-18 19:45 . 2008-06-18 19:45 37 --a------ C:\WINDOWS\trafik.ini
2008-06-18 17:22 . 2008-06-18 17:23 <KAT> d-------- C:\Program\K”rkortsteori B
2008-06-18 17:22 . 1997-09-14 04:00 37,136 -ra------ C:\WINDOWS\VIREG32.EXE
2008-06-16 13:08 . 2008-06-22 21:39 <KAT> d-------- C:\Program\GameSpy Arcade
2008-06-16 12:56 . 2008-06-16 12:56 <KAT> d-------- C:\Program\Microsoft Games
2008-06-11 12:13 . 2008-06-14 20:01 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 12:13 . 2008-06-14 20:01 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-08 22:19 . 2004-05-14 16:53 462,848 --a------ C:\WINDOWS\system32\ltkrn13n.dll
2008-06-08 22:19 . 2004-05-14 16:53 450,560 --a------ C:\WINDOWS\system32\ltimg13n.dll
2008-06-08 22:19 . 2004-05-14 16:53 401,408 --a------ C:\WINDOWS\system32\lfcmp13n.dll
2008-06-08 22:19 . 2004-05-14 16:53 299,008 --a------ C:\WINDOWS\system32\ltdis13n.dll
2008-06-08 22:19 . 2004-01-12 02:09 206,336 --a------ C:\WINDOWS\system32\ltefx13n.dll
2008-06-08 22:19 . 2004-05-14 16:53 163,840 --a------ C:\WINDOWS\system32\ltfil13n.dll
2008-06-08 22:19 . 2003-11-04 15:10 69,632 --a------ C:\WINDOWS\system32\lfgif13n.dll
2008-06-08 22:19 . 2004-05-14 16:53 57,344 --a------ C:\WINDOWS\system32\lfbmp13n.dll
2008-06-08 22:16 . 2008-06-08 22:16 <KAT> d-------- C:\Documents and Settings\Coffan\Application Data\Leadertech
2008-05-16 17:07 . 2008-05-16 18:10 <KAT> d-------- C:\Program\Yahoo!
2008-05-16 17:06 . 2008-05-16 17:07 <KAT> d-------- C:\Program\CCleaner
2008-05-14 22:21 . 2007-10-13 19:33 352,256 --a------ C:\WINDOWS\system32\pmls.dll
2008-05-14 22:18 . 2008-05-14 22:18 <KAT> d-------- C:\Program\NudgeMania
2008-05-09 18:04 . 2008-05-09 19:53 <KAT> d-------- C:\Program\Paradox Interactive
2008-05-05 20:54 . 2008-06-24 00:23 <KAT> d-------- C:\Program\Windows Live Safety Center

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-25 18:03 --------- d-----w C:\Program\LimeWire
2008-06-25 09:56 --------- d--h--w C:\Program\InstallShield Installation Information
2008-06-23 11:16 --------- d-----w C:\Program\ESET
2008-06-21 12:42 --------- d-----w C:\Documents and Settings\Coffan\Application Data\Hamachi
2008-06-18 23:21 --------- d-----w C:\Documents and Settings\Coffan\Application Data\Azureus
2008-06-18 15:23 --------- d-----w C:\Program\Körkortsteori B
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-01 13:53 --------- d-----w C:\Documents and Settings\Coffan\Application Data\LimeWire
2008-02-03 14:05 226,938 --sha-w C:\WINDOWS\system32\aycdd.ini.vir
2008-02-03 14:03 226,938 --sha-w C:\WINDOWS\system32\aycdd.ini2.vir
2008-01-29 20:54 12,063 --sha-w C:\WINDOWS\system32\fhkmp.ini.vir
2008-01-29 20:54 12,063 --sha-w C:\WINDOWS\system32\fhkmp.ini2.vir
2008-02-02 21:08 235,272 --sha-w C:\WINDOWS\system32\gjkkj.ini.vir
2008-02-02 21:08 235,272 --sha-w C:\WINDOWS\system32\gjkkj.ini2.vir
2008-01-27 15:26 391 --sha-w C:\WINDOWS\system32\hjkmp.ini.vir
2008-01-27 15:26 391 --sha-w C:\WINDOWS\system32\hjkmp.ini2.vir
2008-01-28 16:06 228,193 --sha-w C:\WINDOWS\system32\hjllm.ini.vir
2008-01-28 16:04 228,193 --sha-w C:\WINDOWS\system32\hjllm.ini2.vir
2008-02-02 16:21 231,986 --sha-w C:\WINDOWS\system32\jjkkj.ini.vir
2008-02-02 16:19 231,850 --sha-w C:\WINDOWS\system32\jjkkj.ini2.vir
2008-01-30 22:04 6,784 --sha-w C:\WINDOWS\system32\kjkkj.ini.vir
2008-01-30 22:02 6,784 --sha-w C:\WINDOWS\system32\kjkkj.ini2.vir
2008-02-01 17:41 226,877 --sha-w C:\WINDOWS\system32\kmllm.ini.vir
2008-01-26 14:36 310,596 --sha-w C:\WINDOWS\system32\mlkkj.ini.vir
2008-01-26 14:34 310,596 --sha-w C:\WINDOWS\system32\mlkkj.ini2.vir
2008-02-01 21:22 261,553 --sha-w C:\WINDOWS\system32\qrqss.ini.vir
2008-02-01 21:22 261,553 --sha-w C:\WINDOWS\system32\qrqss.ini2.vir
2008-02-01 21:57 231,962 --sha-w C:\WINDOWS\system32\uvvwa.ini.vir
2008-02-01 21:57 231,962 --sha-w C:\WINDOWS\system32\uvvwa.ini2.vir
2008-02-01 16:30 1,184,512 --sha-w C:\WINDOWS\system32\vvnaccxv.ini.vir
2008-01-29 12:38 229,846 --sha-w C:\WINDOWS\system32\yybeg.ini.vir
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-09-16 17:16 15360]
"StartCCC"="C:\Program\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 13:35 90112]
"msnmsgr"="C:\Program\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 12:35 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\Program\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 12:48 761947]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2007-03-16 18:10 1392640]
"SigmatelSysTrayApp"="stsystra.exe" [2006-07-27 14:19 282624 C:\WINDOWS\stsystra.exe]
"SunJavaUpdateSched"="C:\Program\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"Adobe Photo Downloader"="C:\Program\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-22 15:09 63712]
"DLCFCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCFtime.dll" [2005-09-08 20:55 73728]
"QuickTime Task"="C:\Program\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"Adobe Reader Speed Launcher"="C:\Program\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"egui"="C:\Program\ESET\ESET Smart Security\egui.exe" [2008-03-13 16:48 1443072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-09-16 17:16 15360]

C:\Documents and Settings\All Users\Start-meny\Program\Autostart\
Telenor Mobilt Bredband.lnk - C:\Program\Option\Telenor Mobilt Bredband\Telenor Mobilt Bredband.exe [2007-05-18 09:57:54 724992]

[HKLM\~\startupfolder\C:^Documents and Settings^Coffan^Start-meny^Program^Autostart^hamachi.lnk]
path=C:\Documents and Settings\Coffan\Start-meny\Program\Autostart\hamachi.lnk
backup=C:\WINDOWS\pss\hamachi.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Coffan^Start-meny^Program^Autostart^Last.fm Helper.lnk]
path=C:\Documents and Settings\Coffan\Start-meny\Program\Autostart\Last.fm Helper.lnk
backup=C:\WINDOWS\pss\Last.fm Helper.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Coffan^Start-meny^Program^Autostart^MagicDisc.lnk]
path=C:\Documents and Settings\Coffan\Start-meny\Program\Autostart\MagicDisc.lnk
backup=C:\WINDOWS\pss\MagicDisc.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcoholAutomount]
C:\Program\Alcohol Soft\Alcohol 120\axcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
--a------ 2007-12-06 14:06 167368 C:\Program\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-03-30 10:36 267048 C:\Program\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 18:24 1694208 C:\Program\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
C:\Program\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
C:\Program\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 C:\Program\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
-ra------ 2005-10-26 18:17 159744 C:\Program\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
c:\program\valve\steam\steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Sierra\\Empire Earth\\EMPIRE_EARTH.EXE"=
"C:\\Program\\LimeWire\\LimeWire.exe"=
"C:\\Program\\Firefly Studios\\Stronghold 2\\Stronghold2.exe"=
"C:\\Program\\DNA\\btdna.exe"=
"C:\\WINDOWS\\system32\\dplaysvr.exe"=
"C:\\Program\\Bonjour\\mDNSResponder.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\Program\\Internet Explorer\\iexplore.exe"=
"C:\\Program\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program\\iTunes\\iTunes.exe"=
"C:\\Program\\uTorrent\\uTorrent.exe"=

R2 GtFlashSwitch;GtFlashSwitch;"C:\Program\Delade filer\GtFlashSwitch\GtFlashSwitch.exe" [2007-02-09 14:48]
R3 GTMNDISIRPXP;GT M 3G+ IRP NDIS;C:\WINDOWS\system32\DRIVERS\Gtm51Irp.sys [2007-01-15 18:48]
R3 GTPTSER;GT PT SER;C:\WINDOWS\system32\DRIVERS\gtptser.sys [2007-01-15 18:48]
R3 GTUQBUS;GT UQ BUS;C:\WINDOWS\system32\DRIVERS\gtuqbus.sys [2007-01-15 18:48]
S3 SE2Ebus;Sony Ericsson Device 046 Driver driver (WDM);C:\WINDOWS\system32\DRIVERS\SE2Ebus.sys [2006-05-01 13:16]
S3 SE2Emdfl;Sony Ericsson Device 046 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\SE2Emdfl.sys [2006-05-01 13:17]
S3 SE2Emdm;Sony Ericsson Device 046 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\SE2Emdm.sys [2006-05-01 13:17]
S3 SE2Emgmt;Sony Ericsson Device 046 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\SE2Emgmt.sys [2006-05-01 13:18]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{df765e3d-7f4a-11dc-aa3b-00197d183f8e}]
\Shell\AutoRun\command - F:\SETUP.EXE

.
Contents of the 'Scheduled Tasks' folder
"2008-06-26 16:39:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-30 15:45:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> ?:\WINDOWS\System32\CSCDLL.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\WLTRYSVC.EXE
C:\WINDOWS\system32\BCMWLTRY.EXE
C:\WINDOWS\system32\ati2evxx.exe
C:\Program\Delade filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program\Bonjour\mDNSResponder.exe
C:\Program\ESET\ESET Smart Security\ekrn.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-06-30 15:51:16 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-30 13:50:59

Pre-Run: 47,035,777,024 byte ledigt
Post-Run: 47,319,666,688 byte ledigt

WindowsXP-KB310994-SP2-Home-BootDisk-SVE.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect /usepmtimer
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

222 --- E O F --- 2008-06-20 1437

[forhockey]

Hello,


P2P Software

I see you have P2P software ( uTorrent, Azureus, and LimeWire) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.

Open notepad and copy/paste the text in the quotebox below into it:

Quote:

KILLALL::

File::
C:\WINDOWS\Run32A60.mch
C:\WINDOWS\A6W.INI
C:\WINDOWS\trafik.ini
C:\WINDOWS\system32\pmls.dll
C:\Documents and Settings\Coffan\Shared\criss brown forever.mp3
C:\WINDOWS\system32\aycdd.ini.vir
C:\WINDOWS\system32\aycdd.ini2.vir
C:\WINDOWS\system32\fhkmp.ini.vir
C:\WINDOWS\system32\fhkmp.ini2.vir
C:\WINDOWS\system32\gjkkj.ini.vir
C:\WINDOWS\system32\gjkkj.ini2.vir
C:\WINDOWS\system32\hjkmp.ini.vir
C:\WINDOWS\system32\hjkmp.ini2.vir
C:\WINDOWS\system32\hjllm.ini.vir
C:\WINDOWS\system32\hjllm.ini2.vir
C:\WINDOWS\system32\jjkkj.ini.vir
C:\WINDOWS\system32\jjkkj.ini2.vir
C:\WINDOWS\system32\kjkkj.ini.vir
C:\WINDOWS\system32\kjkkj.ini2.vir
C:\WINDOWS\system32\kmllm.ini.vir
C:\WINDOWS\system32\mlkkj.ini.vir
C:\WINDOWS\system32\mlkkj.ini2.vir
C:\WINDOWS\system32\qrqss.ini.vir
C:\WINDOWS\system32\qrqss.ini2.vir
C:\WINDOWS\system32\uvvwa.ini.vir
C:\WINDOWS\system32\uvvwa.ini2.vir
C:\WINDOWS\system32\vvnaccxv.ini.vir
C:\WINDOWS\system32\yybeg.ini.vir
Folder::
C:\WINDOWS\A6W_DATA
C:\Program\Trafik4

Save this as CFScript




Referring to the picture above, drag CFScript into ComboFix.exe

Follow the prompts, and post the resulting log, C:\ComboFix.txt

Warning:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

--------------------------------------------------------------

Go here to run an online scannner from ESET.

• Note: You will need to use Internet explorer for this scan
• Tick the box next to YES, I accept the Terms of Use.
• Click Start
• When asked, allow the activex control to install
• Click Start
• Make sure that the option Remove found threats is unticked, and the option Scan unwanted applications is checked
• Click Scan
• Wait for the scan to finish
• Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
• Copy and paste that log as a reply to this topic, along with a new HijackThis log and a description of any remaining problems

--------------------------------------------------------------

Please reply back with the following:

C:\ComboFix.txt
ESET online scan results
Update on how your system is behaving

[coffan]

ESET didn't find any problems, do you need the log file anyway?

The system seems to work fine, but when I start the computer I can choose to start it from the restorepoint. Can I make this disappear, as the computer seems to work fine?
I would also appreciate if you could recommend a good antivirus/firewall software (right now I'm using a limited edition of ESET)

Thanks!

[forhockey]

You're talking about the two options you get at post-boot?

1) Windows Recovery Console
2) Your Operating System


Windows Recovery Console

Selecting the "Recovery Console" from the Boot Menu will take you to a logon menu where only an Administrator can login to conduct a REPAIR not Destroy, of the Operating System.

Also, there is an advantage to keeping this option. If your computer ever does become unbootable in the future, then you will be able to repair your windows through the recovery console.

Finally, you shouldn't have to select anything when your computer is booting up. After a few seconds your computer will boot into Windows normally, so just leave the keyboard alone at startup.

Please let me know after reading the above if you still wish to keep the recovery console.

-------------------------------------

Quote:

ESET didn't find any problems, do you need the log file anyway?

No, I do not need the log.

-------------------------------------

Quote:

I would also appreciate if you could recommend a good antivirus/firewall software (right now I'm using a limited edition of ESET)

Usually depends on the users preference, and whether they are will to spend money on a decent product.


Free software:

• Avira Personal Edition Classic
• Avast!
• AVG

Paid software:

• Bitdefender
• Kaspersky
• ESET NOD32

---------------------------------------------------

Well done, your logs are clean! There are just a few more things I would like you to do.


The following procedure will clear out ComboFix.exe, as well as the backups and quarantines created by the fix. It will also reset your System Restore by flushing out previous restore points (which contain the infections) and create a new restore point.

Click Start > Run and copy/paste, or type the following bolded text into the Run box and click OK:

ComboFix /u

----------------------------------------------------------------

Microsoft Updates

It is very important that you get all of the critical updates for your Operating System and Internet Explorer. Keeping your OS and browser up to date will help make you less susceptible to attacks by Trojans and viruses. Please go to Microsoft and download all the critical updates to help prevent possible re-infection.

Malware Prevention Tools

These programs configure your computer to prevent known malware-related changes. You can have more than one of these at a time and they take up minimal resources.

• SpywareBlaster - Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected it