Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads (resolved spyware and popup issues)
Old 01-18-2009, 07:43 AM   #1 (permalink)
Registered User
 
Join Date: Jan 2009
Posts: 8
OS: Vista


Unknown virus/trojan

Hi there, I have had some serious issues with some sort of virus/trojan. I have searched for answers on many forums and support sites. I have tried out a couple of registry fixes and antiviruses (all done in safe mode).

My problem is: I can't run .exe files, nor use regedit or services.

[Window Title]
C:\Windows\System32\services.exe

[Content]
C:\Windows\System32\services.exe

Tjänsten kan inte startas. Anledningen är antingen att tjänsten är spärrad eller att inga aktiva enheter är associerade med den.
(translation: Service can not start. Reason is either that service is sealed/shut/closed or that no active units are associated with it.)


[OK]

I have installed Avira AntiVirus (which could be done in safe mode); it has removed 'TR/Drop.QuickBatch.U.1' [trojan] to 'TR/Drop.QuickBatch.U.5' [trojan], all 10 of them deleted.

I also have used hijackthis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:34:09, on 2008-07-16
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Live\Family Safety\fssui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Windows\System32\p2phost.exe
C:\Program Files\Windows Live\Mail\wlmail.exe
C:\Program Files\Internet Explorer\IEUser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Windows\system32\Macromed\Flash\FlashUtil9f.exe
C:\Age of Conan\ConanPatcher.exe
C:\Windows\system32\dxdiag.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\SearchFilterHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Windows Live OneCare Family Safety Browser Helper - {4f3ed5cd-0726-42a9-87f5-d13f3d2976ac} - C:\Program Files\Windows Live\Family Safety\fssbho.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live inloggningshjälpen - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [fssui] "C:\Program Files\Windows Live\Family Safety\fssui.exe" -autorun
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [Skytel] Skytel.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [CollaborationHost] C:\Windows\system32\p2phost.exe -s
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOKAL TJÄNST')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOKAL TJÄNST')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NÄTVERKSTJÄNST')
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O9 - Extra button: Blogga detta - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blogga detta i Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O13 - Gopher Prefix:
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/Driver...sysreqlab2.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...nt/swflash.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe

--
End of file - 4886 bytes

Though... there were issues like this:

---------------------------
HijackThis
---------------------------
For some reason your system denied write access to the Hosts file. If any hijacked domains are in this file, HijackThis may NOT be able to fix this.

If that happens, you need to edit the file yourself. To do this, click Start, Run and type:

notepad C:\Windows\System32\drivers\etc\hosts

and press Enter. Find the line(s) HijackThis reports and delete them. Save the file as 'hosts.' (with quotes), and reboot.

For Vista: simply, exit HijackThis, right click on the HijackThis icon, choose 'Run as administrator'.
---------------------------
OK
---------------------------


After more searching I also found these "malwares" in the device tree (non-plug-and-play, hidden): catchme, beep


Any help regarding this issue would be most welcome. Antivirus doesn't seem to handle it. Seems like a registry issue, but there must be some sort of script involved re-editing the registry every time I start in normal mode.

// Roger
quarq is offline  
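As an added example (not HijackThis code and not from this thread), here is a small Python triage pass over HijackThis-style O1/O2/O4 lines of the kind posted above. It flags the three things an analyst would look at first in such a log: a hosts entry that points a hostname anywhere other than loopback (the "hijacked domains" the HijackThis dialog warns about), a BHO whose DLL is "(no file)" like the orphaned entry in the log, and a Run entry launching from a temp directory. The flagging rules are my own heuristics, and the sample lines are constructed; the bank-lookalike hosts line and the "updater" Run entry are invented for illustration.

```python
"""Triage pass over HijackThis-style log lines.

Added example: not HijackThis code and not from the forum thread. The
flagging rules below are my own heuristics; the sample lines are
constructed, and the "suspicious" ones are invented for illustration.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample log, shaped like the O1/O2/O4 lines HijackThis emits.
# The third O1 line and the last O4 line are invented bad entries.
SAMPLE_LOG = "\n".join([
    r"O1 - Hosts: ::1 localhost",
    r"O1 - Hosts: 127.0.0.1 localhost",
    r"O1 - Hosts: 10.0.0.5 www.example-bank.test",
    r"O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll",
    r"O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)",
    r"O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide",
    r"O4 - HKCU\..\Run: [updater] C:\Users\user\AppData\Local\Temp\svc_update.exe /s",
])

# Every HijackThis item starts with a section code such as O1, O4, O23.
HJT_LINE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
TEMP_DIR = re.compile(r"\\temp\\", re.IGNORECASE)


@dataclass
class Finding:
    code: str     # HijackThis section code (O1, O2, O4, ...)
    reason: str   # why the analyst should look at this line
    line: str     # the raw log line


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for one log line, or None if nothing stands out."""
    m = HJT_LINE.match(line.strip())
    if not m:
        return None
    code, body = m.group("code"), m.group("body")

    if code == "O1" and body.startswith("Hosts: "):
        # Hosts entries: any mapping that is not loopback deserves a look,
        # since a hijacked hosts file is how a bank or AV domain gets redirected.
        parts = body[len("Hosts: "):].split()
        if len(parts) >= 2:
            addr, host = parts[0], parts[1]
            try:
                if not ipaddress.ip_address(addr).is_loopback:
                    return Finding(code, f"hosts maps {host} to non-loopback {addr}", line)
            except ValueError:
                return Finding(code, f"unparseable hosts entry: {body}", line)

    elif code == "O2" and body.endswith("(no file)"):
        # A BHO CLSID still registered but its DLL gone: a leftover from a removal,
        # harmless on its own but it belongs on the cleanup list.
        return Finding(code, "BHO registered but its DLL is missing (orphaned entry)", line)

    elif code == "O4":
        # Run-key entries: split off the "[name]" and inspect the command line.
        cmd = body.split("] ", 1)[1] if "] " in body else body
        if TEMP_DIR.search(cmd):
            return Finding(code, "autorun entry launches from a temp directory", line)

    return None


def triage(log_text: str) -> List[Finding]:
    """Run triage_line over a whole log and keep only the hits."""
    return [f for f in (triage_line(ln) for ln in log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.code}: {f.reason}\n    {f.line}")
```

Run against the constructed sample it reports exactly the three invented/orphaned entries and stays quiet on the ::1 and 127.0.0.1 localhost lines, the Adobe BHO and the Windows Defender Run entry. To use it on a real log, pass the pasted text to triage(); the rules are deliberately narrow so they produce leads for a human, not a verdict.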

Old 01-18-2009, 08:26 AM   #2 (permalink)
Analyst, Security Team
 
Join Date: Oct 2008
Posts: 240
OS: Vista


Re: Unknown virus/trojan

Hello quarq, and welcome to TSF.

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

We require a more comprehensive set of logs to determine the presence of malware. Please follow the instructions in our sticky topic Read This Before Posting for Malware Removal Help and post the requested logs in your next reply.

Once those logs are posted, I will review them and be back with a fix for your problem as soon as possible.

Regards,
Egwene.
__________________

Proud Graduate of GeekU University

Egwene is offline  
Old 01-18-2009, 09:07 AM   #3 (permalink)
Registered User
 
Join Date: Jan 2009
Posts: 8
OS: Vista


Re: Unknown virus/trojan

DDS (Ver_09-01-07.01) - NTFSx86 NETWORK
Run by Roger at 16:47:33,11 on 2009-01-18
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Home Basic 6.0.6001.1.1252.46.1053.18.2046.1601 [GMT 1:00]


============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\Roger\Downloads\dds.com
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [avgnt] "c:\program files\avira\antivir personaledition classic\avgnt.exe" /min
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
Trusted Zone: commandondemand.com\www

================= FIREFOX ===================

FF - ProfilePath - c:\users\roger\appdata\roaming\mozilla\firefox\profiles\9ovrct78.default\
FF - plugin: c:\program files\personal\bin\np_prsnl.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.visited_color", "#551A8B");
c:\program files\mozilla firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".se");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.videoFeeds.handler", "ask");

============= SERVICES / DRIVERS ===============

S3 CtUsbMs;Creative HID USB Filter Driver;c:\windows\system32\drivers\CtUsbMs.sys [2009-1-11 14848]
S3 P0250VID;Creative PC-CAM 550 (Video);c:\windows\system32\drivers\p0250v2k.sys [2008-6-15 102456]
S4 P0250BUK;Creative PC-CAM 550 (Still);c:\windows\system32\drivers\p0250buk.sys [2008-6-15 13348]

=============== Created Last 30 ================

2009-01-18 12:53 <DIR> --d----- c:\programdata\Avira
2009-01-18 12:53 <DIR> --d----- c:\program files\Avira
2009-01-18 12:53 <DIR> --d----- c:\progra~2\Avira
2009-01-18 12:32 <DIR> --d----- C:\wr
2009-01-18 12:17 <DIR> --d----- C:\SDFix
2009-01-18 12:06 <DIR> --d----- C:\VundoFix Backups
2009-01-18 10:56 161,792 a------- c:\windows\SWREG.exe
2009-01-18 10:56 98,816 a------- c:\windows\sed.exe
2009-01-18 10:56 49,152 a------- c:\windows\VFIND.exe
2009-01-18 10:56 <DIR> --d----- C:\ComboFix
2009-01-18 10:22 0 a------- c:\windows\acroread.ini
2009-01-18 10:14 <DIR> --d----- c:\program files\Innovative Solutions
2009-01-18 10:11 <DIR> --d----- c:\windows\pss
2009-01-17 18:24 <DIR> -cd-h--- c:\programdata\{B46E1EF5-0B37-4DB4-A4E2-9F2B41036185}
2009-01-17 18:24 <DIR> -cd-h--- c:\progra~2\{B46E1EF5-0B37-4DB4-A4E2-9F2B41036185}
2009-01-17 08:49 <DIR> --d----- C:\csscod
2009-01-14 17:41 288,768 a------- c:\windows\system32\drivers\srv.sys
2009-01-13 18:45 <DIR> --d----- c:\programdata\eSellerate
2009-01-13 18:45 <DIR> --d----- c:\progra~2\eSellerate
2009-01-13 18:33 <DIR> --d----- c:\programdata\TEMP
2009-01-13 18:33 <DIR> --d----- c:\program files\PC Doc Pro
2009-01-11 17:21 <DIR> --d----- c:\windows\system32\Data
2009-01-11 17:21 20,480 a------- c:\windows\INRES.DLL
2009-01-11 17:21 14,848 a------- c:\windows\system32\drivers\CtUsbMs.sys
2009-01-11 17:21 <DIR> --d----- c:\program files\Creative
2009-01-06 10:44 2,048 a------- c:\windows\system32\tzres.dll
2009-01-05 17:36 1,645,568 a------- c:\windows\system32\connect.dll
2009-01-05 17:36 241,152 a------- c:\windows\system32\PortableDeviceApi.dll
2009-01-05 17:35 4,240,384 a------- c:\windows\system32\GameUXLegacyGDFs.dll
2009-01-05 17:35 28,672 a------- c:\windows\system32\Apphlpdm.dll
2009-01-05 17:35 712,704 a------- c:\windows\system32\WindowsCodecs.dll
2009-01-05 17:35 425,472 a------- c:\windows\system32\PhotoMetadataHandler.dll
2009-01-05 17:35 347,136 a------- c:\windows\system32\WindowsCodecsExt.dll
2009-01-01 15:16 <DIR> --d----- c:\users\roger\appdata\roaming\Mount&Blade
2009-01-01 15:05 <DIR> --d----- c:\program files\Mount&Blade
2008-12-28 20:22 <DIR> --d----- c:\users\roger\appdata\roaming\SPORE
2008-12-23 18:34 0 a---h--- c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf

==================== Find3M ====================

2009-01-18 16:46 67,584 a--s---- c:\windows\bootstat.dat
2009-01-18 15:19 595,748 a------- c:\windows\system32\perfh009.dat
2009-01-18 15:19 457,324 a------- c:\windows\system32\perfh01D.dat
2009-01-18 15:19 105,078 a------- c:\windows\system32\perfc009.dat
2009-01-18 15:19 82,762 a------- c:\windows\system32\perfc01D.dat
2009-01-18 12:56 75,072 a------- c:\windows\system32\drivers\avipbb.sys
2009-01-18 12:23 181,040 a------- c:\windows\system32\FNTCACHE.DAT
2009-01-11 17:22 86,016 a------- c:\windows\inf\infstrng.dat
2009-01-11 17:22 51,200 a------- c:\windows\inf\infpub.dat
2009-01-11 17:22 86,016 a------- c:\windows\inf\infstor.dat
2009-01-09 17:35 20,853,704 a------- c:\windows\system32\mrt.exe
2008-12-17 19:02 148,888 a------- c:\windows\system32\javaws.exe
2008-12-17 19:02 144,792 a------- c:\windows\system32\javaw.exe
2008-12-17 19:02 144,792 a------- c:\windows\system32\java.exe
2008-12-17 19:02 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-12 06:52 3,578,880 a------- c:\windows\system32\mshtml.dll
2008-12-11 21:37 42,320 a------- c:\windows\system32\xfcodec.dll
2008-11-06 14:14 11,580,928 a------- c:\windows\system32\shell32.dll
2008-11-03 10:44 108,144 a------- c:\windows\system32\CmdLineExt.dll
2008-11-01 04:44 52,736 a------- c:\windows\apppatch\iebrshim.dll
2008-11-01 04:44 2,154,496 a------- c:\windows\apppatch\AcGenral.dll
2008-11-01 04:44 541,696 a------- c:\windows\apppatch\AcLayers.dll
2008-11-01 04:44 460,288 a------- c:\windows\apppatch\AcSpecfc.dll
2008-11-01 04:44 173,056 a------- c:\windows\apppatch\AcXtrnal.dll
2008-10-29 07:29 2,927,104 a------- c:\windows\explorer.exe
2008-10-21 06:25 296,960 a------- c:\windows\system32\gdi32.dll
2008-07-03 12:48 665,600 a------- c:\windows\inf\drvindex.dat
2008-04-12 08:28 290,490 a------- c:\windows\inf\perflib\041d\perfi.dat
2008-04-12 08:28 290,490 a------- c:\windows\inf\perflib\041d\perfh.dat
2008-04-12 08:28 35,978 a------- c:\windows\inf\perflib\041d\perfd.dat
2008-04-12 08:28 35,978 a------- c:\windows\inf\perflib\041d\perfc.dat
2008-01-21 03:57 174 a--sh--- c:\program files\desktop.ini
2006-11-02 13:39 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 13:39 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 13:39 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 13:39 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 10:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 10:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 10:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 10:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2008-08-05 17:42 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2008-08-05 17:42 32,768 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2008-08-05 17:42 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\cookies\index.dat

============= FINISH: 16:48:24,29 ===============



Note: This was all recorded/logged in SAFE mode


And thanks for the fast reply, I really do hope it will and can be solved.
Attached Files
File Type: zip Attach.zip (2.4 KB, 3 views)

Last edited by quarq; 01-18-2009 at 09:10 AM.
quarq is offline  
Old 01-18-2009, 09:52 AM   #4 (permalink)
Analyst, Security Team
 
Join Date: Oct 2008
Posts: 240
OS: Vista


Re: Unknown virus/trojan

Quote:
Note: This was all recorded/logged in SAFE mode
I would much rather you do this in normal mode. Could you do it, please?

I see nothing wrong in your logs for the time being.

:)

Egwene is offline  
Old 01-18-2009, 10:36 AM   #5 (permalink)
Registered User
 
Join Date: Jan 2009
Posts: 8
OS: Vista


Re: Unknown virus/trojan

But that is the problem... I can't run the program in NORMAL mode =/

When I try to start any program/.exe (without a fixed exe / no-CD) it just replies with this:
(this is how it looks when I try to start services, for example)

[Window Title]
C:\Windows\System32\services.exe

[Content]
C:\Windows\System32\services.exe

Tjänsten kan inte startas. Anledningen är antingen att tjänsten är spärrad eller att inga aktiva enheter är associerade med den.
(translation: Service can not start. Reason is either that service is sealed/shut/closed or that no active units are associated with it.)


[OK]


So the question is, what shall I do?
quarq is offline  
Old 01-19-2009, 08:52 AM   #6 (permalink)
Analyst, Security Team
 
Join Date: Oct 2008
Posts: 240
OS: Vista


Re: Unknown virus/trojan

Hello quarq,

To begin, three questions for you:

1) It appears you ran ComboFix on your own.

You shouldn't have run ComboFix: it is an extremely powerful tool which should only be used when instructed to do so by someone who has been properly trained. ComboFix is intended by its creator to be "used under the guidance and supervision of an expert", NOT for private use. Please read ComboFix's Disclaimer. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.

http://i266.photobucket.com/albums/i...er_ENU_B-1.gif


Could you please post me the contents of the report you got?

2) Could you please post me the Antivir report?

Open Antivir.
Select the "report" tab.
Double-click on the report.
Then, click on the "report file" button.
Post me the contents of the file which will open.


3) Could you open Windows in "safe mode with networking"?

If so, please do this:

Establish an internet connection & perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner

**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.
  • Click Accept when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

Regards,
Egwene.


Last edited by Egwene; 01-19-2009 at 09:05 AM.
Egwene is offline  
Old 01-19-2009, 09:15 AM   #7 (permalink)
Registered User
 
Join Date: Jan 2009
Posts: 8
OS: Vista


Re: Unknown virus/trojan

ComboFix 09-01-17.03 - Roger 2009-01-18 10:57:47.1 - NTFSx86 NETWORK
Microsoft® Windows Vista™ Home Basic 6.0.6001.1.1252.1.1053.18.2046.1645 [GMT 1:00]
: c:\users\Roger\Downloads\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Andra raderingar ))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\Roger\FAVORI~1\Translator.url
c:\users\Roger\Favorites\Translator.url

.
(((((((((((((((((((((((( Filer Skapade från 2008-12-18 till 2009-01-18 ))))))))))))))))))))))))))))))
.



.

.
2009-01-18 09:27 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-18 09:27 --------- d-----w c:\program files\Ubisoft
2009-01-18 09:20 --------- d-----w c:\program files\BitComet
2009-01-18 09:19 --------- d-----w c:\program files\Swapper
2009-01-18 09:18 --------- d-----w c:\program files\Dyyno
2009-01-18 09:14 --------- d-----w c:\program files\Innovative Solutions
2009-01-18 08:41 --------- d-----w c:\users\Roger\AppData\Roaming\Xfire
2009-01-18 00:35 --------- d-----w c:\program files\Warcraft III
2009-01-17 17:24 --------- dc-h--w c:\progra~2\{B46E1EF5-0B37-4DB4-A4E2-9F2B41036185}
2009-01-15 16:05 --------- d-----w c:\program files\Windows Mail
2009-01-15 16:00 --------- d-----w c:\progra~2\Xfire
2009-01-13 17:45 --------- d-----w c:\progra~2\eSellerate
2009-01-13 17:36 --------- d-----w c:\program files\PC Doc Pro
2009-01-13 17:33 --------- d-----w c:\progra~2\TEMP
2009-01-11 16:21 --------- d-----w c:\program files\Creative
2009-01-01 23:35 --------- d-----w c:\program files\Mount&Blade
2009-01-01 23:31 --------- d-----w c:\users\Roger\AppData\Roaming\Mount&Blade
2008-12-28 19:24 --------- d-----w c:\users\Roger\AppData\Roaming\SPORE
2008-12-28 19:11 --------- d-----w c:\program files\Electronic Arts
2008-12-23 17:34 0 ---ha-w c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2008-12-18 07:40 --------- d-----w c:\program files\Xfire
2008-12-17 18:02 410,984 ----a-w c:\windows\System32\deploytk.dll
2008-12-17 18:02 --------- d-----w c:\program files\Java
2008-12-17 17:51 --------- d-----w c:\users\Roger\AppData\Roaming\Personal
2008-12-17 17:50 --------- d-----w c:\program files\Personal
2008-12-16 02:42 288,768 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-11 20:37 42,320 ----a-w c:\windows\System32\xfcodec.dll
2008-12-08 06:18 --------- d-----w c:\users\Roger\AppData\Roaming\dvdcss
2008-11-27 19:25 --------- d-----w c:\program files\Bethesda Softworks
2008-11-25 21:01 --------- d-----w c:\program files\World of Warcraft
2008-11-25 20:10 --------- d-----w c:\progra~2\Blizzard
2008-11-18 08:35 --------- d-----w c:\program files\Firaxis Games
2008-11-18 07:31 --------- d-----w c:\program files\Common Files\InstallShield
2008-11-03 09:44 108,144 ----a-w c:\windows\System32\CmdLineExt.dll
2008-11-01 03:44 541,696 ----a-w c:\windows\AppPatch\AcLayers.dll
2008-11-01 03:44 52,736 ----a-w c:\windows\AppPatch\iebrshim.dll
2008-11-01 03:44 460,288 ----a-w c:\windows\AppPatch\AcSpecfc.dll
2008-11-01 03:44 28,672 ----a-w c:\windows\System32\Apphlpdm.dll
2008-11-01 03:44 2,154,496 ----a-w c:\windows\AppPatch\AcGenral.dll
2008-11-01 03:44 173,056 ----a-w c:\windows\AppPatch\AcXtrnal.dll
2008-11-01 01:21 4,240,384 ----a-w c:\windows\System32\GameUXLegacyGDFs.dll
2008-10-29 06:29 2,927,104 ----a-w c:\windows\explorer.exe
2008-10-22 03:57 241,152 ----a-w c:\windows\System32\PortableDeviceApi.dll
2008-10-22 01:22 2,048 ----a-w c:\windows\System32\tzres.dll
2008-10-21 05:25 296,960 ----a-w c:\windows\System32\gdi32.dll
2008-10-21 05:25 1,645,568 ----a-w c:\windows\System32\connect.dll
2008-01-21 02:57 174 --sha-w c:\program files\desktop.ini
2008-08-05 16:42 16,384 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2008-08-05 16:42 32,768 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2008-08-05 16:42 16,384 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
.

(((((((((((((((((((((((((((((((((( Startpunkter i registret )))))))))))))))))))))))))))))))))))))))))))))))
.
.

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"CollaborationHost"="c:\windows\system32\p2phost.exe" [2008-01-21 192000]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-17 13580832]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-17 92704]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-17 136600]
"RtHDVCpl"="RtHDVCpl.exe" [2007-05-10 c:\windows\RtHDVCpl.exe]
"Skytel"="Skytel.exe" [2007-05-07 c:\windows\SkyTel.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^BankID säkerhetsprogram.lnk]
backup=c:\windows\pss\BankID säkerhetsprogram.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^Roger^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Xfire.lnk]
backup=c:\windows\pss\Xfire.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-06-12 01:38 34672 c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"WindowsWelcomeCenter"=rundll32.exe oobefldr.dll,ShowWelcomeCenter
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" -autorun

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{6FC5AC6E-BA41-4CCB-A23A-60BC2F9E90A0}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"TCP Query User{A1598B47-8337-4296-85EE-6C22D7812AC3}c:\\users\\roger\\appdata\\local\\microsoft\\windows\\temporary internet files\\content.ie5\\mz2jzoo0\\wow-engb-installer-downloader[1].exe"= UDP:c:\users\roger\appdata\local\microsoft\windows\temporary internet files\content.ie5\mz2jzoo0\wow-engb-installer-downloader[1].exe:wow-engb-installer-downloader[1].exe
"UDP Query User{2AF8797B-6C6C-4C9F-B605-A9AD0282DB08}c:\\users\\roger\\appdata\\local\\microsoft\\windows\\temporary internet files\\content.ie5\\mz2jzoo0\\wow-engb-installer-downloader[1].exe"= TCP:c:\users\roger\appdata\local\microsoft\windows\temporary internet files\content.ie5\mz2jzoo0\wow-engb-installer-downloader[1].exe:wow-engb-installer-downloader[1].exe
"TCP Query User{952A94E7-C3C0-438C-B638-E95D92383EDE}c:\\program files\\swapper\\swapper.exe"= UDP:c:\program files\swapper\swapper.exe:swapper
"UDP Query User{6379015D-C6F8-4368-8AD3-39E2F73F0897}c:\\program files\\swapper\\swapper.exe"= TCP:c:\program files\swapper\swapper.exe:swapper
"TCP Query User{82890F17-B8C4-4AD4-916B-40238154B688}c:\\program files\\warcraft iii\\war3.exe"= UDP:c:\program files\warcraft iii\war3.exe:Warcraft III
"UDP Query User{63FAF907-D062-4604-9063-BC056D752CB8}c:\\program files\\warcraft iii\\war3.exe"= TCP:c:\program files\warcraft iii\war3.exe:Warcraft III
"TCP Query User{E46D5DAE-E173-4026-B09B-DBC6208CB281}c:\\program files\\bitcomet\\bitcomet.exe"= UDP:c:\program files\bitcomet\bitcomet.exe:BitComet - a BitTorrent Client
"UDP Query User{3B90712C-2CCC-4578-95EB-FCF4835E3988}c:\\program files\\bitcomet\\bitcomet.exe"= TCP:c:\program files\bitcomet\bitcomet.exe:BitComet - a BitTorrent Client
"TCP Query User{A27B8890-EC72-442A-AA23-AABFF72AB71B}c:\\program files\\ccp\\eve\\bin\\exefile.exe"= UDP:c:\program files\ccp\eve\bin\exefile.exe:CCP ExeFile
"UDP Query User{4ED46997-E740-41FA-8B0A-DA9ED359E06A}c:\\program files\\ccp\\eve\\bin\\exefile.exe"= TCP:c:\program files\ccp\eve\bin\exefile.exe:CCP ExeFile
"{2590F0DD-1050-4065-A9C3-CEC0119B5B56}"= UDP:c:\program files\2K Games\Firaxis Games\Sid Meier's Civilization IV Colonization\Colonization.exe:Sid Meier's Civilization IV Colonization
"{85DAB017-5C39-4F85-8A80-5C410827BDC1}"= TCP:c:\program files\2K Games\Firaxis Games\Sid Meier's Civilization IV Colonization\Colonization.exe:Sid Meier's Civilization IV Colonization
"{F72CF2FC-1617-45FF-A3E3-498091DB27CB}"= UDP:c:\program files\THQ\Gas Powered Games\Supreme Commander\bin\SupremeCommander.exe:Supreme Commander
"{86888286-4DAE-45AB-98DF-86766DA34521}"= TCP:c:\program files\THQ\Gas Powered Games\Supreme Commander\bin\SupremeCommander.exe:Supreme Commander
"{F351923F-D26A-4DAD-AD39-9AB051DBD357}"= UDP:c:\program files\THQ\Gas Powered Games\Supreme Commander - Forged Alliance\bin\ForgedAlliance.exe:Supreme Commander - Forged Alliance
"{EDD52C10-FD83-4CE8-ACDE-0AE9C6620BD5}"= TCP:c:\program files\THQ\Gas Powered Games\Supreme Commander - Forged Alliance\bin\ForgedAlliance.exe:Supreme Commander - Forged Alliance
"{F9AC9856-744F-456B-A01A-A4482343A60D}"= UDP:c:\program files\THQ\Gas Powered Games\GPGNet\GPG.Multiplayer.Client.exe:GPGNet - Supreme Commander - Forged Alliance
"{74D770A7-19E8-4523-97B1-737E9174D888}"= TCP:c:\program files\THQ\Gas Powered Games\GPGNet\GPG.Multiplayer.Client.exe:GPGNet - Supreme Commander - Forged Alliance
"TCP Query User{FF586426-02B9-46E2-B31D-734510ECEBE3}c:\\program files\\bitcomet\\bitcomet.exe"= UDP:c:\program files\bitcomet\bitcomet.exe:BitComet - a BitTorrent Client
"UDP Query User{21A0F825-44A5-4D57-B000-E4FE12DCE8B2}c:\\program files\\bitcomet\\bitcomet.exe"= TCP:c:\program files\bitcomet\bitcomet.exe:BitComet - a BitTorrent Client
"{9EE36831-44C6-48B8-88BD-D60156D487B0}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"TCP Query User{4A12E6D7-6038-42D3-815D-CC4C12951211}c:\\program files\\xfire\\xfire.exe"= UDP:c:\program files\xfire\xfire.exe:Xfire
"UDP Query User{D4B224CE-D6AC-4CCF-8843-5751E562304D}c:\\program files\\xfire\\xfire.exe"= TCP:c:\program files\xfire\xfire.exe:Xfire
"TCP Query User{53D32E9A-6A38-45B7-B5F6-9BEA4F6D7F1E}c:\\users\\roger\\appdata\\locallow\\dyyno receiver\\dppm.exe"= UDP:c:\users\roger\appdata\locallow\dyyno receiver\dppm.exe:dppm.exe
"UDP Query User{45998359-98CE-4C79-9BCD-477D40C805A3}c:\\users\\roger\\appdata\\locallow\\dyyno receiver\\dppm.exe"= TCP:c:\users\roger\appdata\locallow\dyyno receiver\dppm.exe:dppm.exe
"TCP Query User{E00E70CC-151E-4772-ADA6-E41F4F79A3A0}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{0FD6ABBB-6AB2-4ECA-867F-5CB4FFB8D1EC}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"{28713108-7F5A-4109-B87C-BB265FA4C1D1}"= UDP:25491:BitComet 25491 TCP
"{AF2BF61F-9E4A-4A71-8C52-AAADC9FC4180}"= TCP:25491:BitComet 25491 UDP
"TCP Query User{A0D46EA1-79EF-44BA-8798-A7E6AEB0A338}c:\\program files\\xfire\\xfire.exe"= UDP:c:\program files\xfire\xfire.exe:Xfire
"UDP Query User{345F5DA9-8C49-40BB-BF0F-4650E82C95FD}c:\\program files\\xfire\\xfire.exe"= TCP:c:\program files\xfire\xfire.exe:Xfire
"TCP Query User{8A37E3D1-C8B4-4C8D-84CC-D7F274CD3317}c:\\program files\\swapper\\swapper.exe"= UDP:c:\program files\swapper\swapper.exe:swapper
"UDP Query User{FE6454EA-5592-4CB7-B4C0-C757AF80958F}c:\\program files\\swapper\\swapper.exe"= TCP:c:\program files\swapper\swapper.exe:swapper
"{6ACDF584-DEF6-40D4-A090-4E05D59012E9}"= UDP:12571:BitComet 12571 TCP
"{E1BBD6EB-460E-4A97-A3C8-228011321C96}"= TCP:12571:BitComet 12571 UDP

S3 CtUsbMs;Creative HID USB Filter Driver;c:\windows\System32\drivers\CtUsbMs.sys [2009-01-11 14848]
S3 P0250VID;Creative PC-CAM 550 (Video);c:\windows\System32\drivers\p0250v2k.sys [2008-06-15 102456]
S4 P0250BUK;Creative PC-CAM 550 (Still);c:\windows\System32\drivers\p0250buk.sys [2008-06-15 13348]

--- Övriga tjänster/drivrutiner i minnet ---

*NewlyCreated* - ECACHE
*Deregistered* - sptd

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
WerSvcGroup REG_MULTI_SZ
.
.
------- -------
.
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
Trusted Zone: www.commandondemand.com

c:\windows\Downloaded Program Files\DyynoX.dll - O16 -: {4E218431-2F07-40BD-A9D3-035324C1F13F}
hxxp://webserver.dyyno.com/DyynoClient/DyynoCAB.CAB
c:\windows\Downloaded Program Files\DyynoCAB.inf

c:\windows\Downloaded Program Files\csswlng.dll - c:\windows\Downloaded Program Files\cssweb.dll
O16 -: {6CCE3920-3183-4B3D-808A-B12EB769DE12}
hxxp://www.commandondemand.com/eval/cod/cabs/cssweb.cab
c:\windows\Downloaded Program Files\cssweb.inf
FF - ProfilePath - c:\users\Roger\AppData\Roaming\Mozilla\Firefox\Profiles\9ovrct78.default\
FF - plugin: c:\program files\Personal\bin\np_prsnl.dll

---- FIREFOX POLICY ----
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".se");
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-18 11:01:31
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
: 2009-01-18 11:02:53
ComboFix-quarantined-files.txt 2009-01-18 10:02:51

: Det går inte att hitta meddelandetexten för meddelandenumret 0x2379 i meddelandefilen för Application.
: 72,692,727,808 byte ledigt

173 --- E O F --- 2009-01-18 08:36:02




Avira AntiVir Personal
Report file date: 2009-01-18 12:58

Scanning for 1223257 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows Vista
Windows version: (Service Pack 1) [6.0.6001]
Boot mode: Normally booted
Username: SYSTEM
Computer name: ROGER-DATOR

Version information:
BUILD.DAT : 8.2.0.337 16934 Bytes 2008-11-18 13:05:00
AVSCAN.EXE : 8.1.4.10 315649 Bytes 2009-01-18 11:56:53
AVSCAN.DLL : 8.1.4.0 40705 Bytes 2008-05-26 08:56:40
LUKE.DLL : 8.1.4.5 164097 Bytes 2008-06-12 13:44:19
LUKERES.DLL : 8.1.4.0 12033 Bytes 2008-05-26 08:58:52
ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 2008-10-27 11:56:53
ANTIVIR1.VDF : 7.1.1.113 2817536 Bytes 2009-01-14 11:56:54
ANTIVIR2.VDF : 7.1.1.114 2048 Bytes 2009-01-14 11:56:54
ANTIVIR3.VDF : 7.1.1.135 286208 Bytes 2009-01-17 11:56:54
Engineversion : 8.2.0.57
AEVDF.DLL : 8.1.0.6 102772 Bytes 2009-01-18 11:56:54
AESCRIPT.DLL : 8.1.1.26 340347 Bytes 2009-01-18 11:56:54
AESCN.DLL : 8.1.1.5 123251 Bytes 2009-01-18 11:56:54
AERDL.DLL : 8.1.1.3 438645 Bytes 2009-01-18 11:56:54
AEPACK.DLL : 8.1.3.5 393588 Bytes 2009-01-18 11:56:54
AEOFFICE.DLL : 8.1.0.33 196987 Bytes 2009-01-18 11:56:54
AEHEUR.DLL : 8.1.0.84 1540471 Bytes 2009-01-18 11:56:54
AEHELP.DLL : 8.1.2.0 119159 Bytes 2009-01-18 11:56:54
AEGEN.DLL : 8.1.1.10 323957 Bytes 2009-01-18 11:56:54
AEEMU.DLL : 8.1.0.9 393588 Bytes 2009-01-18 11:56:54
AECORE.DLL : 8.1.5.2 172405 Bytes 2009-01-18 11:56:54
AEBB.DLL : 8.1.0.3 53618 Bytes 2009-01-18 11:56:54
AVWINLL.DLL : 1.0.0.12 15105 Bytes 2008-07-09 09:40:05
AVPREF.DLL : 8.0.2.0 38657 Bytes 2008-05-16 10:28:01
AVREP.DLL : 8.0.0.2 98344 Bytes 2009-01-18 11:56:54
AVREG.DLL : 8.0.0.1 33537 Bytes 2008-05-09 12:26:40
AVARKT.DLL : 1.0.0.23 307457 Bytes 2008-02-12 09:29:23
AVEVTLOG.DLL : 8.0.0.16 119041 Bytes 2008-06-12 13:27:49
SQLITE3.DLL : 3.3.17.1 339968 Bytes 2008-01-22 18:28:02
SMTPLIB.DLL : 1.2.0.23 28929 Bytes 2008-06-12 13:49:40
NETNT.DLL : 8.0.0.1 7937 Bytes 2008-01-25 13:05:10
RCIMAGE.DLL : 8.0.0.51 2371841 Bytes 2008-06-12 14:48:07
RCTEXT.DLL : 8.0.52.0 86273 Bytes 2008-06-27 14:34:37

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: C:,
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: 2009-01-18 12:58

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'SearchIndexer.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'msiexec.exe' - '1' Module(s) have been scanned
Scan process 'msdtc.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'taskeng.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'taskeng.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'wmpnscfg.exe' - '1' Module(s) have been scanned
Scan process 'p2phost.exe' - '1' Module(s) have been scanned
Scan process 'msnmsgr.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'rundll32.exe' - '1' Module(s) have been scanned
Scan process 'RtHDVCpl.exe' - '1' Module(s) have been scanned
Scan process 'vdsldr.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'dwm.exe' - '1' Module(s) have been scanned
Scan process 'aawservice.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'rundll32.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'SLsvc.exe' - '1' Module(s) have been scanned
Scan process 'audiodg.exe' - '0' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'nvvsvc.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'lsm.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'wininit.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
44 processes with 44 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!

Starting to scan the registry.
The registry was scanned ( '39' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\hiberfil.sys
[WARNING] The file could not be opened!
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\System Volume Information\_restore{4C629B9C-7D54-49C7-8CCE-63C410077A85}\RP31\A0003581.exe
[DETECTION] Is the TR/Drop.QuickBatch.U.3 Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{4C629B9C-7D54-49C7-8CCE-63C410077A85}\RP31\A0003587.exe
[DETECTION] Is the TR/Drop.QuickBatch.U.5 Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{4C629B9C-7D54-49C7-8CCE-63C410077A85}\RP31\A0003589.exe
[DETECTION] Is the TR/Drop.QuickBatch.U.4 Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{4C629B9C-7D54-49C7-8CCE-63C410077A85}\RP31\A0003590.exe
[DETECTION] Is the TR/Drop.QuickBatch.U.1 Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{4C629B9C-7D54-49C7-8CCE-63C410077A85}\RP31\A0003594.exe
[DETECTION] Is the TR/Drop.QuickBatch.U.5 Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{4C629B9C-7D54-49C7-8CCE-63C410077A85}\RP31\A0003603.exe
[DETECTION] Is the TR/Drop.QuickBatch.U.3 Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{4C629B9C-7D54-49C7-8CCE-63C410077A85}\RP31\A0003609.exe
[DETECTION] Is the TR/Drop.QuickBatch.U.5 Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{4C629B9C-7D54-49C7-8CCE-63C410077A85}\RP31\A0003611.exe
[DETECTION] Is the TR/Drop.QuickBatch.U.4 Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{4C629B9C-7D54-49C7-8CCE-63C410077A85}\RP31\A0003612.exe
[DETECTION] Is the TR/Drop.QuickBatch.U.4 Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{4C629B9C-7D54-49C7-8CCE-63C410077A85}\RP31\A0003613.exe
[DETECTION] Is the TR/Drop.QuickBatch.U.1 Trojan
[NOTE] The file was deleted!
C:\Windows\System32\drivers\sptd.sys
[WARNING] The file could not be opened!


End of the scan: 2009-01-18 13:58
Used time: 59:38 Minute(s)

The scan has been done completely.

15192 Scanning directories
479593 Files were scanned
10 viruses and/or unwanted programs were found
0 Files were classified as suspicious:
10 files were deleted
0 files were repaired
0 files were moved to quarantine
0 files were renamed
3 Files cannot be scanned
479580 Files not concerned
4854 Archives were scanned
3 Warnings
10 Notes


Hi again Egwene,

I noticed that I will have to go into SAFE mode and run Kaspersky's, but I reply with the other info stated in 1) and 2).
Will return soon with 3)

Thanks for being there!

Edit: Just noticed I had DyynoX, but that can't be all of the problem, can it?
...and I was aware of the ComboFix; at this point (before coming here) I was thinking of formatting the whole computer. But I really needed to know what I really was infected with first.

Last edited by quarq; 01-19-2009 at 09:27 AM.
quarq is offline  
Old 01-19-2009, 01:15 PM   #8 (permalink)
Registered User
 
Join Date: Jan 2009
Posts: 8
OS: Vista


Re: Unknown virus/trojan

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Monday, January 19, 2009
Operating System: Microsoft Windows Vista Home Basic Edition, 32-bit Service Pack 1 (build 6001)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, January 19, 2009 14:58:54
Records in database: 1648341
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan statistics:
Files scanned: 173523
Threat name: 0
Infected objects: 0
Suspicious objects: 0
Duration of the scan: 03:42:47

No malware has been detected. The scan area is clean.

The selected area was scanned.
quarq is offline  
Old 01-19-2009, 01:51 PM   #9 (permalink)
Analyst, Security Team
 
Join Date: Oct 2008
Posts: 240
OS: Vista


Re: Unknown virus/trojan

Hello quarq,

All your logs look clean to me. Nothing worrying. I don't even see any active malware.

You have a lot of P2P programs; please read this:

Your logs indicate the presence of P2P file sharing programs. I would like to warn you that the nature of P2P file sharing is such that even if one is using a "clean" program, many of the files downloaded from non-documented sources have the potential of being infected. So, regardless of whether one is using a "clean" program, one may still be prone to infection by malware, because more than half of all files available for download from peer-to-peer networks have been deliberately infected with some form of malware. Also, by default, most P2P file sharing programs are configured to automatically launch at startup. They are also configured to allow other P2P users on the same network open access to a shared directory on your computer. The reason for this is simple: file sharing relies on its members giving and gaining unfettered access to computers across the P2P network. However, this practice can make you vulnerable to data and identity theft.

I would strongly urge you to remove them via Add or Remove Programs in Control Panel before we begin to clean your system, as suggested in our NEW INSTRUCTIONS - Read This Before Posting For Malware Removal Help page.

Quote:
Uninstall the following via Add or Remove Programs in Control Panel:
  • If you have more than one antivirus software installed, leave only ONE but uninstall the others.
  • p2p programs like uTorrent, Bittorrent, LimeWire, Morpheus, etc., as they are a major conduit for malware and a likely source of your current issues. See this http://www.techsupportforum.com/secu...e-sharing.html
And the Kaspersky report is clean.

Quote:
But I really needed to know what I really was infected with first
It appears to me it's not a malware issue.

You can try to repair Windows, if you have your CD. Maybe you can open a new thread in the Vista forum to ask for some help, because it's not a malware issue in my opinion.
__________________

Proud Graduate of GeekU University

Egwene is offline  
Old 01-19-2009, 02:46 PM   #10 (permalink)
Registered User
 
Join Date: Jan 2009
Posts: 8
OS: Vista


Re: Unknown virus/trojan

OK, thanks I guess. It's strange though, that all standard Windows .exe files won't work. And those with fixed/no-CD .exe work fine. That sounds like a human-made malware... either gone now, or there somewhere. Nothing inside Windows started in normal mode will work.
And in safe mode it works fine... there must be something harming/stalling Windows.

I guess I'll have to do it the old-fashioned way: format c:/

About the uninstall, I have tried to uninstall the following with the program Advanced Uninstall. But the program still can't uninstall them (not even forced):

*Magicdisc
*Java(TM) 6 Update 11
*J2SE Runtime Environment 5.0 Update 3
*and many others, but I can't use admin... as "the problem" is linked to "Run as admin" and thus it won't work =/

><
A
quarq is offline  
Old 01-20-2009, 10:56 AM   #11 (permalink)
Analyst, Security Team
 
Join Date: Oct 2008
Posts: 240
OS: Vista


Re: Unknown virus/trojan

Hello quarq,

Before formatting, you can try to reinstall Windows Vista if your CD/DVD includes SP1. A repair of Windows will not solve registry or software issues.

You're probably right, the quickest thing for you to do would be formatting.

Let me know please what you've chosen.

Regards,
Egwene.
__________________

Proud Graduate of GeekU University

Egwene is offline  
Old 01-20-2009, 11:18 AM   #12 (permalink)
Registered User
 
Join Date: Jan 2009
Posts: 8
OS: Vista


Re: Unknown virus/trojan

Hi again Egwene,

Today I'm indeed very happy. I managed to solve the problem. On a popup box saying this action won't work, there was also an error code attached: 0x80070422
I looked this up, and it seems to have something to do with the Windows Update auto management. Getting angry once again... I was damned to fix this problem (meaning I will delete anything that gets in my way). Started up in safe mode (had a problem here, Windows stalled when I tried to use Control Panel), rebooted, safe mode. Used Advanced Uninstaller, and force-uninstalled anything I had with Windows tagged to it. And most programs that didn't include game, graphics card, sound card and "considered safe".

Then I started Services and switched on Automatic for about every service there was (left maybe 10 on Manual). I did notice that the Windows Update service was put in "Automatic, Delayed" mode. Switched it to plain Automatic as well.

Then I used Advanced Uninstall, cleaned/fixed the registry (a couple of errors, links fixed), then I optimized the registry (defragged it). If something was wrong there, it is now shredded/defragged into oblivion (sure hope so).

I don't know what caused all this misbehavior of Vista in the first place. It might have been a script, trojan/virus or malware. After all, I did have one that got deleted with AntiVir.

I'm glad that I didn't have to reinstall Windows again. And maybe I didn't have to go so hard on all programs (deleting them)... with fast broadband, nothing is ever deleted ;)

Cheers and thanks for listening and being there!
quarq is offline  
Old 01-21-2009, 09:38 AM   #13 (permalink)
Analyst, Security Team
 
Join Date: Oct 2008
Posts: 240
OS: Vista


Re: Unknown virus/trojan

Hello quarq,

No problem; you did all the work, by the way.

I'm glad to hear your issue is resolved, and thanks for letting me know how you managed to fix it!

Quote:
After all, I did have one that got deleted with AntiVir.
It might be... but all viruses detected by the antivirus were in a system restore point, so "inactive".

I guess this topic can be marked as solved? Do you still need something?

Regards,
Egwene.
__________________

Proud Graduate of GeekU University

Egwene is offline  
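Added example, not code from the thread or from Avira: a small Python parser for an AntiVir report in the format posted above, which separates detections under System Volume Information restore points (the "inactive" copies Egwene refers to) from detections on live paths, and also lists files the scanner could not open. The report text is a constructed excerpt modelled on the posted one; the Downloads path is invented.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample modelled on the Avira AntiVir report posted in this thread.
# The restore-point path and detection names follow the report's own format;
# the Downloads path is invented to show a detection outside a restore point.
SAMPLE_REPORT = r"""
Begin scan in 'C:\'
C:\hiberfil.sys
[WARNING] The file could not be opened!
C:\System Volume Information\_restore{4C629B9C-7D54-49C7-8CCE-63C410077A85}\RP31\A0003581.exe
[DETECTION] Is the TR/Drop.QuickBatch.U.3 Trojan
[NOTE] The file was deleted!
C:\Users\Roger\Downloads\example_download.exe
[DETECTION] Is the TR/Drop.QuickBatch.U.5 Trojan
[NOTE] The file was moved to quarantine!
C:\Windows\System32\drivers\sptd.sys
[WARNING] The file could not be opened!
"""

# A scanned object starts with a drive-letter path; the bracketed status
# lines that follow it belong to that object.
PATH_RE = re.compile(r"^[A-Za-z]:\\")
TAG_RE = re.compile(r"^\[(DETECTION|NOTE|WARNING|INFO)\]\s*(.*)$")
DETECTION_RE = re.compile(r"^Is the (\S+) ")
# System Restore keeps copies of files under this directory; a hit there is a
# dormant snapshot, not a file that runs at boot or on demand.
RESTORE_POINT_RE = re.compile(
    r"^[A-Za-z]:\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\RP\d+\\",
    re.IGNORECASE,
)


@dataclass
class Entry:
    path: str
    detection: Optional[str] = None   # malware name from the [DETECTION] line
    action: Optional[str] = None      # what the scanner did, from the [NOTE] line
    warnings: List[str] = field(default_factory=list)

    @property
    def in_restore_point(self) -> bool:
        return bool(RESTORE_POINT_RE.match(self.path))


def parse_report(text: str) -> List[Entry]:
    """Turn the file-scan section of an Avira report into Entry objects."""
    entries: List[Entry] = []
    current: Optional[Entry] = None
    for raw in text.splitlines():
        line = raw.strip()
        if PATH_RE.match(line):
            current = Entry(path=line)
            entries.append(current)
            continue
        m = TAG_RE.match(line)
        if m is None or current is None:
            continue  # headers, blank lines, or a status line with no path
        tag, msg = m.groups()
        if tag == "DETECTION":
            d = DETECTION_RE.match(msg)
            current.detection = d.group(1) if d else msg
        elif tag == "NOTE":
            current.action = msg
        elif tag == "WARNING":
            current.warnings.append(msg)
    return entries


def triage(entries: List[Entry]) -> Dict[str, List[Entry]]:
    """Bucket entries: 'live' hits need follow-up, 'restore_point' hits are
    dormant copies, 'unscanned' files were locked and never examined."""
    buckets: Dict[str, List[Entry]] = {"live": [], "restore_point": [], "unscanned": []}
    for e in entries:
        if e.detection is not None:
            buckets["restore_point" if e.in_restore_point else "live"].append(e)
        elif any("could not be opened" in w for w in e.warnings):
            buckets["unscanned"].append(e)
    return buckets


if __name__ == "__main__":
    for bucket, items in triage(parse_report(SAMPLE_REPORT)).items():
        print(f"{bucket}: {len(items)}")
        for e in items:
            print(f"  {e.path}  {e.detection or ''} {e.action or ''}".rstrip())
```

Locked files such as hiberfil.sys and pagefile.sys are normal in the unscanned bucket; an unreadable driver like sptd.sys is worth a second look with a boot-time scan.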
Old 01-21-2009, 10:54 AM   #14 (permalink)
Registered User
 
Join Date: Jan 2009
Posts: 8
OS: Vista


Re: Unknown virus/trojan

Hi Egwene,

Oh, I didn't see that the virus was inactive and packed. Maybe I did come to the wrong thread. But you did convince me that I did all I could do (you could do) to ensure me a hazard-free environment for Windows, and thus reduced my options to search for the problem.

There are no further questions, and the thread can be marked as solved.

Thanks once again, and hopefully we won't see each other again :)

// Roger
quarq is offline  
Old 01-23-2009, 03:49 PM   #15 (permalink)
Analyst, Security Team
 
Join Date: Oct 2008
Posts: 240
OS: Vista


Re: Unknown virus/trojan

Hello quarq,

Glad to hear it !

Let me give you some final advice.

The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.
  • If you don't have a firewall on your computer, I advise you to install one of the following: Kerio / Comodo / ZoneAlarm.
  • SpywareBlaster - Great prevention tool to keep nasties from installing on your system.
  • ATF Cleaner - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
  • Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  • Google Toolbar - Free google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop up windows.
  • Trillian or Miranda-IM - These are malware-free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
  • To reduce re-infection for malware in the future, I strongly recommend installing these free programs:
  • IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
    Have a look at this tutorial for IE-Spyad here

    Make Internet Explorer more secure
    • Click Start > Run
    • Type Inetcpl.cpl & click OK
    • Click on the Security tab
    • Click Reset all zones to default level
    • Make sure the Internet Zone is selected & Click Custom level
    • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
    • Next Click OK, then Apply button and then OK to exit the Internet Properties page.
  • MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

  • Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from Here
  • You can install these two very good extensions for Firefox: Adblock and NoScript.

Take a good look at the following suggestions for malware prevention by reading Tony Klein’s article 'How Did I Get Infected In The First Place'
Here

PC Safety and Security--What Do I Need?
Think Prevention

Thank you for your patience, and performing all of the procedures requested.

Regards,
Egwene.
__________________

Proud Graduate of GeekU University

Egwene is offline  
Old 01-25-2009, 10:28 AM   #16 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,576
OS: 2000 Pro; XP Pro; XP Home


Re: Unknown virus/trojan

Since this issue appears to be resolved, this topic will now be archived. If you need continued support, please begin a new thread, and provide a link to this topic. This applies only to the original topic starter. Everyone else please begin a New Topic, after following the steps outlined here:

NEW INSTRUCTIONS - Read This Before Posting For Malware Removal Help
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Copyright 2001 - 2009, Tech Support Forum