Windows Update - spontaneous reboots/bluescreens "lzx32.sys" - "Exploit/ByteVerify"

This is a discussion on Windows Update - spontaneous reboots/bluescreens "lzx32.sys" - "Exploit/ByteVerify" within the Resolved HJT Threads forums, part of the Tech Support Forum category.


 
 
Old 03-19-2007, 03:23 PM   #1
When trying to update with Windows Update, I get a spontaneous reboot or a bluescreen crash.
The filename "lzx32.sys" is mentioned.

The updates I'm trying to install are the following (roughly translated from Norwegian):
"Update for Windows Media Format 11 SDK for Windows XP (KB939399)"
"Windows Tool for removal of dangerous software - March 2007 (KB890830)"
Other than that, I believe I have all other Windows updates.

I do however recall there being a third update on the list when I started the installation for the first time.
After the third or fourth spontaneous restart/bluescreen, when I figured something was wrong, it had disappeared from the list.
I do not know if it actually got installed or not.

I've been following the 5-steps-before-posting as well as possible.
From my normal startup programs, MSN Messenger and Daemon Tools were shut down before the DSS scan.
Here are the three logs (Panda ActiveScan, DSS main, and DSS extra attached):
PS: note that the "extra.txt" is from the first scan, which was done a bit earlier than my last scan, which the pasted "main.txt" is from.
This is because I was unable to get a fresh "extra.txt" from the last scan (no minimized window at all).
OK, here we go now:

Incident Status Location

Adware:adware/abox Not disinfected Windows Registry
Dialer:dialer.asl Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0D62A517-E7C6-4E1F-A577-07D4AC549A48}
Adware:adware/azesearch Not disinfected Windows Registry
Adware:adware/adshooter Not disinfected Windows Registry
Adware:adware/fastvideoplayer Not disinfected Windows Registry
Adware:adware/wupd Not disinfected Windows Registry
Adware:adware/ist.sidefind Not disinfected Windows Registry
Dialer:dialer.dk Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{91433D86-9F27-402C-B5E3-DEBDD122C339}
Adware:adware/ist.istbar Not disinfected Windows Registry
Adware:adware/dyfuca Not disinfected Windows Registry
Potentially unwanted tool:Application/ServUBased.A Not disinfected C:\Burn-Backup 14.11.2004 kl05-30\Burn\Stuff\Progz - Inet\Serv-U\fo-su317.zip[fo-su317.exe][SERVUDAEMON.EXE]
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Claw_\Programdata\Mozilla\Firefox\Profiles\hfevyay7.default\cookies.txt[.burstnet.com/]
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Claw_\Programdata\Mozilla\Firefox\Profiles\hfevyay7.default\cookies.txt[.xiti.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Claw_\Programdata\Mozilla\Firefox\Profiles\hfevyay7.default\cookies.txt[ad.yieldmanager.com/]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Claw_\Programdata\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-4f011c4-3ee7e2f4.zip[NewSecurityClassLoader.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Claw_\Programdata\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-4f011c4-3ee7e2f4.zip[NewURLClassLoader.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Claw_\Programdata\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv449.jar-1514521b-448efe26.zip[Matrix.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Claw_\Programdata\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv449.jar-1514521b-448efe26.zip[Dummy.class]
Adware:Adware/Give4free Not disinfected C:\Programfiler\Give4Free Plugin\ibho.dll

Deckard's System Scanner v20070318.32
Run by Claw_ on 2007-03-19 at 23:01:25
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Claw_.exe) -----------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 23:02:50, on 19.03.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Programfiler\Fellesfiler\Symantec Shared\ccProxy.exe
C:\Programfiler\Fellesfiler\Symantec Shared\ccSetMgr.exe
C:\Programfiler\Norton Internet Security\ISSVC.exe
C:\Programfiler\Fellesfiler\Symantec Shared\SNDSrvc.exe
C:\Programfiler\Fellesfiler\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Programfiler\Fellesfiler\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Programfiler\Fellesfiler\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programfiler\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\Programfiler\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\System32\svchost.exe
C:\Programfiler\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Programfiler\CyberLink\Shared Files\RichVideo.exe
C:\Programfiler\WZCBDL Service\WZCBDLS.exe
C:\WINDOWS\Explorer.EXE
C:\Programfiler\BillP Studios\WinPatrol\winpatrol.exe
C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe
C:\Programfiler\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programfiler\Spybot - Search & Destroy\TeaTimer.exe
C:\Programfiler\PeerGuardian2\pg2.exe
C:\Programfiler\Windows Media Player\WMPNSCFG.exe
C:\Programfiler\MSN Messenger\usnsvc.exe
C:\Programfiler\SpywareGuard\sgmain.exe
C:\Programfiler\SpywareGuard\sgbhp.exe
C:\Documents and Settings\Claw_\Skrivebord\dss.exe
C:\PROGRA~1\HIJACK~1\Claw_.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.no/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Fellesfiler\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1A0AADCD-3A72-4b5f-900F-E3BB5A838E2A} - (no file)
O2 - BHO: (no name) - {208E7E77-507A-4649-B0C9-D39E9049C7A2} - (no file)
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Programfiler\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programfiler\Fellesfiler\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Programfiler\Fellesfiler\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programfiler\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programfiler\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WinPatrol] C:\Programfiler\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Programfiler\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [ccApp] "C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Programfiler\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] ~"C:\Programfiler\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programfiler\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [PeerGuardian] C:\Programfiler\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Programfiler\Windows Media Player\WMPNSCFG.exe
O4 - Startup: Snarvei til Plans.txt.lnk = C:\Documents and Settings\Claw_\Skrivebord\Plans.txt
O4 - Startup: SpywareGuard.lnk = C:\Programfiler\SpywareGuard\sgmain.exe
O4 - Startup: Windows Live Messenger.lnk = ?
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Oppslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - https://javadl-esd.sun.com/update/1.5...ndows-i586.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - https://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} -
O16 - DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} (Java Plug-in 1.5.0_02) -
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WB - C:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - WgaLogon.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Programfiler\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Programfiler\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Programfiler\Norton Internet Security\ISSVC.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Programfiler\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Programfiler\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Programfiler\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FELLES~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WZCBDL Service (WZCBDLService) - D-Link - C:\Programfiler\WZCBDL Service\WZCBDLS.exe


-- Files created between 2007-02-19 and 2007-03-19 -----------------------------

2007-03-19 22:16:31 21312 --a------ C:\WINDOWS\choice.exe
2007-03-19 22:05:42 0 d-------- C:\Programfiler\SpywareGuard<SPYWAR~2>
2007-03-19 21:22:56 0 d-------- C:\WINDOWS\system32\ActiveScan<ACTIVE~1>
2007-03-19 21:22:54 0 d-------- C:\WINDOWS\LastGood
2007-03-19 20:22:26 0 d-------- C:\Avenger
2007-03-19 20:22:25 16 --a------ C:\chdir.bat
2007-03-19 20:22:24 0 d-------- C:\Rustbfix
2007-03-19 20:01:40 76560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-03-03 16:48:06 0 d-------- C:\Programfiler\Messenger Plus! Live<MESSEN~2>
2007-02-24 10:02:30 1164 --a------ C:\WINDOWS\mozver.dat
2007-02-24 05:05:36 0 d-------- C:\Programfiler\Lavasoft
2007-02-24 04:39:46 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2007-02-24 04:39:32 75512 --a------ C:\WINDOWS\zllsputility.exe<ZLLSPU~1.EXE>
2007-02-24 04:39:31 11264 --a------ C:\WINDOWS\system32\SpOrder.dll
2007-02-24 04:39:20 1087216 --a------ C:\WINDOWS\system32\zpeng24.dll
2007-02-24 04:39:20 0 d-------- C:\WINDOWS\system32\ZoneLabs
2007-02-24 04:37:56 0 --a------ C:\WINDOWS\nsreg.dat
2007-02-24 04:32:21 0 d-------- C:\Programfiler\SpywareBlaster<SPYWAR~1>
2007-02-20 16:31:33 34308 --a------ C:\WINDOWS\system32\Chip.dll
2007-02-19 21:49:07 72192 --a------ C:\WINDOWS\cadkasdeinst01e.exe<CADKAS~1.EXE>
2007-02-19 21:49:07 0 d-------- C:\Programfiler\PDF Reader 2<PDFREA~1>
2007-02-19 03:20:31 0 d-------- C:\Programfiler\uTorrent


-- Find3M Report ---------------------------------------------------------------

2007-03-19 22:33:45 0 d-------- C:\Programfiler\Fellesfiler\Symantec Shared<SYMANT~1>
2007-03-19 21:51:31 0 d-------- C:\Programfiler\WZCBDL Service<WZCBDL~1>
2007-03-19 21:49:40 0 d-------- C:\Programfiler\PeerGuardian2<PEERGU~1>
2007-03-19 21:49:37 0 d-------- C:\Programfiler\Norton Internet Security<NORTON~1>
2007-03-19 21:49:29 0 d-------- C:\Programfiler\MSN Messenger<MSNMES~1>
2007-03-19 21:43:53 0 d-------- C:\Programfiler\DAEMON Tools<DAEMON~1>
2007-03-19 21:16:03 0 d-------- C:\Programfiler\Fellesfiler<FELLES~1>
2007-03-12 12:32:57 0 d-------- C:\Documents and Settings\Claw_\Programdata\uTorrent
2007-03-11 04:25:12 0 d-------- C:\Programfiler\Warcraft III<WARCRA~1>
2007-03-09 02:55:14 0 d-------- C:\Programfiler\IrfanView<IRFANV~1>
2007-03-06 19:30:10 0 d-------- C:\Programfiler\WC3Banlist<WC3BAN~1>
2007-03-04 15:38:55 0 d-------- C:\Programfiler\World of Warcraft<WORLDO~1>
2007-03-03 16:49:36 0 d-------- C:\Documents and Settings\Claw_\Programdata\Screenshot Sender<SCREEN~1>
2007-03-03 16:30:48 0 d-------- C:\Programfiler\DC++<DC__~1>
2007-02-27 00:29:10 385084 --a------ C:\WINDOWS\system32\perfh014.dat
2007-02-27 00:29:10 60442 --a------ C:\WINDOWS\system32\perfc014.dat
2007-02-24 19:42:05 0 d-------- C:\Documents and Settings\Claw_\Programdata\vlc
2007-02-24 10:01:20 0 d-------- C:\Programfiler\VideoLAN
2007-02-24 05:16:49 0 d-------- C:\Documents and Settings\Claw_\Programdata\Lavasoft
2007-02-24 05:05:29 0 d-------- C:\Programfiler\Fellesfiler\Wise Installation Wizard<WISEIN~1>
2007-02-24 04:37:45 0 d-------- C:\Documents and Settings\Claw_\Programdata\Mozilla
2007-02-23 01:23:15 0 d-------- C:\Programfiler\Symantec
2007-02-21 19:16:19 0 d--h----- C:\Programfiler\InstallShield Installation Information<INSTAL~1>
2007-02-19 21:43:48 0 d-------- C:\Documents and Settings\Claw_\Programdata\Adobe
2007-02-19 07:38:18 0 d-------- C:\Programfiler\Mv2Player<MV2PLA~1>
2007-02-19 07:37:36 0 d-------- C:\Programfiler\Azureus
2007-02-11 16:29:47 0 d-------- C:\Programfiler\Eidos
2007-02-07 12:39:08 517840 --a------ C:\WINDOWS\system32\SymNeti.dll
2007-02-07 12:39:04 132816 --a------ C:\WINDOWS\system32\SymRedir.dll
2007-01-27 23:42:10 0 d-------- C:\Programfiler\WinPcap
2007-01-23 14:01:58 90099 --a------ C:\WINDOWS\War3Unin.dat
2007-01-19 12:53:04 51056 --a------ C:\WINDOWS\system32\sirenacm.dll
2007-01-18 11:44:45 453788 ---hs---- C:\WINDOWS\system32\rstwa.bak1<RSTWA~1.BAK>
2007-01-18 11:08:29 1443495 --a------ C:\Documents and Settings\Claw_\Programdata\Install.dat
2007-01-18 11:08:18 2 --a------ C:\1691783176<169178~1>
2007-01-08 19:01:14 17408 --a------ C:\WINDOWS\system32\corpol.dll


-- Registry Dump ---------------------------------------------------------------


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
"MsnMsgr"="~\"C:\\Programfiler\\MSN Messenger\\MsnMsgr.Exe\" /background"
"SpybotSD TeaTimer"="C:\\Programfiler\\Spybot - Search & Destroy\\TeaTimer.exe"
"PeerGuardian"="C:\\Programfiler\\PeerGuardian2\\pg2.exe"
"WMPNSCFG"="C:\\Programfiler\\Windows Media Player\\WMPNSCFG.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"WinPatrol"="C:\\Programfiler\\BillP Studios\\WinPatrol\\winpatrol.exe"
"DAEMON Tools"="\"C:\\Programfiler\\DAEMON Tools\\daemon.exe\" -lang 1033"
"ccApp"="\"C:\\Programfiler\\Fellesfiler\\Symantec Shared\\ccApp.exe\""
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer"
"ZoneAlarm Client"="\"C:\\Programfiler\\Zone Labs\\ZoneAlarm\\zlclient.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57A62825-840C-4FFE-8717-80A308558154}"=""
"{81559C35-8464-49F7-BB0E-07A383BEF910}"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}"
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0

*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_PGFILTER


-- End of Deckard's System Scanner: finished at 2007-03-19 at 23:03:08 ---------
Attached Files
File Type: txt extra.txt (10.5 KB, 29 views)
Posted by shimba
Old 03-22-2007, 06:24 AM   #2
BUMP

In addition I've done some work myself (Rustbfix.exe, SpywareGuard, SuperAntiSpyware Free Edition, AVG Anti-Spyware), and it seems to be cleaner than it was (i.e. Windows Update works).

It would be nice anyway to get the facts straight, so here's a fresh log from Deckard's System Scanner:

Deckard's System Scanner v20070318.32
Run by Claw_ on 2007-03-22 at 14:16:44
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Claw_.exe) -----------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 14:17:16, on 22.03.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programfiler\Fellesfiler\Symantec Shared\ccProxy.exe
C:\Programfiler\Fellesfiler\Symantec Shared\ccSetMgr.exe
C:\Programfiler\Norton Internet Security\ISSVC.exe
C:\Programfiler\Fellesfiler\Symantec Shared\SNDSrvc.exe
C:\Programfiler\Fellesfiler\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Programfiler\Fellesfiler\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Programfiler\Fellesfiler\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programfiler\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Programfiler\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Programfiler\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\System32\svchost.exe
C:\Programfiler\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Programfiler\CyberLink\Shared Files\RichVideo.exe
C:\Programfiler\WZCBDL Service\WZCBDLS.exe
C:\WINDOWS\Explorer.EXE
C:\Programfiler\BillP Studios\WinPatrol\winpatrol.exe
C:\Programfiler\DAEMON Tools\daemon.exe
C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe
C:\Programfiler\Zone Labs\ZoneAlarm\zlclient.exe
C:\Programfiler\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programfiler\Spybot - Search & Destroy\TeaTimer.exe
C:\Programfiler\PeerGuardian2\pg2.exe
C:\Programfiler\Windows Media Player\WMPNSCFG.exe
C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Programfiler\SpywareGuard\sgmain.exe
C:\Programfiler\SpywareGuard\sgbhp.exe
C:\Programfiler\MSN Messenger\msnmsgr.exe
C:\Programfiler\MSN Messenger\usnsvc.exe
C:\Programfiler\Winamp\winamp.exe
C:\Programfiler\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Documents and Settings\Claw_\Skrivebord\Security-stuff\dss.exe
C:\PROGRA~1\HIJACK~1\Claw_.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.no/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Fellesfiler\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1A0AADCD-3A72-4b5f-900F-E3BB5A838E2A} - (no file)
O2 - BHO: (no name) - {208E7E77-507A-4649-B0C9-D39E9049C7A2} - (no file)
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Programfiler\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programfiler\Fellesfiler\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Programfiler\Fellesfiler\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programfiler\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programfiler\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WinPatrol] C:\Programfiler\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Programfiler\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [ccApp] "C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Programfiler\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programfiler\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] ~"C:\Programfiler\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programfiler\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [PeerGuardian] C:\Programfiler\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Programfiler\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: Snarvei til Plans.txt.lnk = C:\Documents and Settings\Claw_\Skrivebord\Plans.txt
O4 - Startup: SpywareGuard.lnk = C:\Programfiler\SpywareGuard\sgmain.exe
O4 - Startup: Windows Live Messenger.lnk = ?
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Oppslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - https://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - https://javadl-esd.sun.com/update/1.5...ndows-i586.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - https://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} -
O16 - DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} (Java Plug-in 1.5.0_02) -
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WB - C:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - WgaLogon.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Programfiler\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Programfiler\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Programfiler\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Programfiler\Norton Internet Security\ISSVC.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Programfiler\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Programfiler\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Programfiler\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FELLES~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WZCBDL Service (WZCBDLService) - D-Link - C:\Programfiler\WZCBDL Service\WZCBDLS.exe


-- Files created between 2007-02-22 and 2007-03-22 -----------------------------

2007-03-20 19:38:26 0 d-------- C:\WINDOWS\system32\Kaspersky Lab<KASPER~1>
2007-03-20 19:17:52 0 d-------- C:\avenger
2007-03-20 19:10:46 0 d-------- C:\Rustbfix
2007-03-20 16:09:00 3968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-03-20 15:53:36 0 d-------- C:\Programfiler\SUPERAntiSpyware<SUPERA~1>
2007-03-19 22:16:31 21312 --a------ C:\WINDOWS\choice.exe
2007-03-19 22:05:42 0 d-------- C:\Programfiler\SpywareGuard<SPYWAR~2>
2007-03-19 21:22:56 0 d-------- C:\WINDOWS\system32\ActiveScan<ACTIVE~1>
2007-03-19 20:01:40 76560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-03-03 16:48:06 0 d-------- C:\Programfiler\Messenger Plus! Live<MESSEN~2>
2007-02-24 10:02:30 1164 --a------ C:\WINDOWS\mozver.dat
2007-02-24 05:05:36 0 d-------- C:\Programfiler\Lavasoft
2007-02-24 04:39:46 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2007-02-24 04:39:32 75512 --a------ C:\WINDOWS\zllsputility.exe<ZLLSPU~1.EXE>
2007-02-24 04:39:31 11264 --a------ C:\WINDOWS\system32\SpOrder.dll
2007-02-24 04:39:20 1087216 --a------ C:\WINDOWS\system32\zpeng24.dll
2007-02-24 04:39:20 0 d-------- C:\WINDOWS\system32\ZoneLabs
2007-02-24 04:37:56 0 --a------ C:\WINDOWS\nsreg.dat
2007-02-24 04:32:21 0 d-------- C:\Programfiler\SpywareBlaster<SPYWAR~1>


-- Find3M Report ---------------------------------------------------------------

2007-03-22 14:08:46 0 d-------- C:\Programfiler\PeerGuardian2<PEERGU~1>
2007-03-22 14:08:32 0 d-------- C:\Documents and Settings\Claw_\Programdata\uTorrent
2007-03-22 03:49:14 0 d-------- C:\Programfiler\Warcraft III<WARCRA~1>
2007-03-20 23:16:24 0 d-------- C:\Programfiler\World of Warcraft<WORLDO~1>
2007-03-20 21:31:58 0 d-------- C:\Programfiler\Fellesfiler<FELLES~1>
2007-03-20 16:10:40 0 d-------- C:\Programfiler\Fellesfiler\Symantec Shared<SYMANT~1>
2007-03-20 16:01:07 0 d---s---- C:\Documents and Settings\Claw_\Programdata\Microsoft<MICROS~1>
2007-03-20 15:53:36 0 d-------- C:\Documents and Settings\Claw_\Programdata\SUPERAntiSpyware.com<SUPERA~1.COM>
2007-03-20 15:53:21 0 d-------- C:\Programfiler\Fellesfiler\Wise Installation Wizard<WISEIN~1>
2007-03-20 13:22:24 0 d-------- C:\Programfiler\Norton Internet Security<NORTON~1>
2007-03-19 21:51:31 0 d-------- C:\Programfiler\WZCBDL Service<WZCBDL~1>
2007-03-19 21:49:29 0 d-------- C:\Programfiler\MSN Messenger<MSNMES~1>
2007-03-19 21:43:53 0 d-------- C:\Programfiler\DAEMON Tools<DAEMON~1>
2007-03-09 02:55:51 0 d-------- C:\Programfiler\PDF Reader 2<PDFREA~1>
2007-03-09 02:55:14 0 d-------- C:\Programfiler\IrfanView<IRFANV~1>
2007-03-06 19:30:10 0 d-------- C:\Programfiler\WC3Banlist<WC3BAN~1>
2007-03-03 16:49:36 0 d-------- C:\Documents and Settings\Claw_\Programdata\Screenshot Sender<SCREEN~1>
2007-03-03 16:30:48 0 d-------- C:\Programfiler\DC++<DC__~1>
2007-02-27 00:29:10 385084 --a------ C:\WINDOWS\system32\perfh014.dat
2007-02-27 00:29:10 60442 --a------ C:\WINDOWS\system32\perfc014.dat
2007-02-24 19:42:05 0 d-------- C:\Documents and Settings\Claw_\Programdata\vlc
2007-02-24 10:01:20 0 d-------- C:\Programfiler\VideoLAN
2007-02-24 05:16:49 0 d-------- C:\Documents and Settings\Claw_\Programdata\Lavasoft
2007-02-24 04:37:45 0 d-------- C:\Documents and Settings\Claw_\Programdata\Mozilla
2007-02-23 01:23:15 0 d-------- C:\Programfiler\Symantec
2007-02-21 19:16:19 0 d--h----- C:\Programfiler\InstallShield Installation Information<INSTAL~1>
2007-02-20 16:31:33 34308 --a------ C:\WINDOWS\system32\Chip.dll
2007-02-19 21:49:07 72192 --a------ C:\WINDOWS\cadkasdeinst01e.exe<CADKAS~1.EXE>
2007-02-19 21:43:48 0 d-------- C:\Documents and Settings\Claw_\Programdata\Adobe
2007-02-19 07:38:18 0 d-------- C:\Programfiler\Mv2Player<MV2PLA~1>
2007-02-19 07:37:36 0 d-------- C:\Programfiler\Azureus
2007-02-19 03:20:33 0 d-------- C:\Programfiler\uTorrent
2007-02-11 16:29:47 0 d-------- C:\Programfiler\Eidos
2007-02-07 12:39:08 517840 --a------ C:\WINDOWS\system32\SymNeti.dll
2007-02-07 12:39:04 132816 --a------ C:\WINDOWS\system32\SymRedir.dll
2007-01-27 23:42:10 0 d-------- C:\Programfiler\WinPcap
2007-01-23 14:01:58 90099 --a------ C:\WINDOWS\War3Unin.dat
2007-01-19 12:53:04 51056 --a------ C:\WINDOWS\system32\sirenacm.dll
2007-01-18 11:44:45 453788 ---hs---- C:\WINDOWS\system32\rstwa.bak1<RSTWA~1.BAK>
2007-01-18 11:08:29 1443495 --a------ C:\Documents and Settings\Claw_\Programdata\Install.dat
2007-01-18 11:08:18 2 --a------ C:\1691783176<169178~1>
2007-01-08 19:01:14 17408 --a------ C:\WINDOWS\system32\corpol.dll


-- Registry Dump ---------------------------------------------------------------


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
"MsnMsgr"="~\"C:\\Programfiler\\MSN Messenger\\MsnMsgr.Exe\" /background"
"SpybotSD TeaTimer"="C:\\Programfiler\\Spybot - Search & Destroy\\TeaTimer.exe"
"PeerGuardian"="C:\\Programfiler\\PeerGuardian2\\pg2.exe"
"WMPNSCFG"="C:\\Programfiler\\Windows Media Player\\WMPNSCFG.exe"
"SUPERAntiSpyware"="C:\\Programfiler\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"WinPatrol"="C:\\Programfiler\\BillP Studios\\WinPatrol\\winpatrol.exe"
"DAEMON Tools"="\"C:\\Programfiler\\DAEMON Tools\\daemon.exe\" -lang 1033"
"ccApp"="\"C:\\Programfiler\\Fellesfiler\\Symantec Shared\\ccApp.exe\""
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer"
"ZoneAlarm Client"="\"C:\\Programfiler\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"!AVG Anti-Spyware"="\"C:\\Programfiler\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{81559C35-8464-49F7-BB0E-07A383BEF910}"=""
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}"
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0

*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_ALERTER
*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_PGFILTER


-- End of Deckard's System Scanner: finished at 2007-03-22 at 14:17:38 ---------
shimba is offline  
Old 03-22-2007, 10:56 PM   #3
TSF Team, Emeritus
 
 
Join Date: Sep 2006
Posts: 1,302
OS: Windows XP SP2



Hi shimba,

Welcome to Tech Support Forum!

I apologize for the delay getting to your log. The helpers here are all volunteers and we have been very busy here lately. If you are still having malware problems, I will be glad to help.

OK, let's do this first.

I notice that you have Spybot's TeaTimer running. While this is normally a wonderful tool to protect against hijackers, it can also interfere with HijackThis fixes. So please disable TeaTimer by doing the following:

To disable Spybot's TeaTimer function:
  • Run Spybot-S&D.
  • Go to the Mode menu, and make sure "Advanced Mode" is selected.
  • On the left hand side, choose Tools -> Resident.
  • Uncheck "Resident TeaTimer" and OK any prompts.
  • Please download ResetTeaTimer.bat and save it to your desktop.
  • Double-click ResetTeaTimer.bat to remove all entries set by TeaTimer.


NEXT:

Please run HijackThis and click "Scan". Place a check (tick) next to the following entries (if present):

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {1A0AADCD-3A72-4b5f-900F-E3BB5A838E2A} - (no file)
O2 - BHO: (no name) - {208E7E77-507A-4649-B0C9-D39E9049C7A2} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} -
O16 - DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} (Java Plug-in 1.5.0_02) -



Close ALL programs and browsers (including this one), leaving ONLY HijackThis open, then click "Fix checked".

Then please exit HijackThis.


NEXT:

Using Windows Explorer (right-click your Start button and select Explore), please navigate to and delete the following FILES (if they exist):

C:\Programfiler\Give4Free Plugin\ibho.dll
C:\WINDOWS\system32\rstwa.bak1


Please let me know if you encountered any problems finding or deleting the files/folders.


NEXT:

Please go to: VirusTotal
  • At the top of the page you'll find a "Browse" button. Click the "Browse" button and browse to next file:

    C:\WINDOWS\system32\perfh014.dat

  • Click "Open".
  • Then click the "Send" button at the top of the VirusTotal page.
  • This will scan the file. Please be patient.
  • Once scanned, copy and paste the results in your next reply together with a new HijackThis log.


Then please do the same as above for the following files:


C:\WINDOWS\system32\perfc014.dat
C:\WINDOWS\cadkasdeinst01e.exe


NEXT:

Let's run some cleanup and diagnostic scans to make sure we're not leaving anything behind.

Please download CCleaner (freeware) and save it to your desktop:
  1. Run the CCleaner installer.
  2. During installation process, please UNCHECK "Add CCleaner Yahoo! Toolbar".
  3. Once installed, run CCleaner and click the Windows tab.
  4. Select the following:
    • Check everything under the Internet Explorer section.
    • Check everything under the Windows Explorer section.
    • Check everything under the System section.
    • Check ONLY Old Prefetch data under the Advanced section.
  5. Then, click the Applications tab:
    • UNCHECK everything there.
  6. Next, click the Options button, then click the Advanced button:
    • UNCHECK : "Only delete files in Windows Temp folders older than 48 hours".
  7. Next, click the Cleaner button, then click the Run Cleaner button (bottom right), then Exit.

CAUTION: Please do NOT use the Issues button. This is a built-in registry cleaner. If you don't know how to use it, you may cause irreparable damage to your system.


NEXT:

Please download ComboFix by sUBs:

NOTE: In the event you already have ComboFix, this is a new version that I need you to download.
  • Save it to your desktop.
  • Double-click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


NEXT:

Please do an online scan with Kaspersky Online Scanner:
  1. Click on Kaspersky Online Scanner.
  2. You will be prompted to install an ActiveX component from Kaspersky, click Yes.
  3. The program will launch and then begin downloading the latest definition files.
  4. Once the files have been downloaded click on Next.
  5. Now click on Scan Settings.
  6. In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      Extended
    • Scan Options:
      Scan Archives
      Scan Mail Bases
  7. Click OK.
  8. Now under select a target to scan:
    • Select My Computer.
  9. This program will start and scan your system.
  10. The scan will take a while so be patient and let it run.
  11. Once the scan is complete it will display if your system has been infected.
    • Now click on the Save Report As button.
    • In the File name: field, type kavscan.
    • In the Save as type: field, select Text file (*.txt).
  12. Save the file to your desktop.
  13. Copy and paste that information in your next post.

Note for Internet Explorer 7 users: If at any time you have trouble with the Accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.


NEXT:

Please REBOOT your computer normally into Windows and post these logs in your next reply:
  1. The reports from VirusTotal.
  2. The log from the ComboFix scan.
  3. The log from the Kaspersky scan.
  4. A new HijackThis log.

(You might have to paste the logs in multiple posts in the event they are too long and breach the post length of the forum software).

Also, please let me know how things are running now and if you encountered any problems while you were following the directions I posted.
Sempurna is offline  
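A triage pass over the report that the Kaspersky Online Scanner step above produces, as an added example that is not part of this thread or of any of the tools named in it. It assumes only the line layout such reports use ("object", "verdict", "last action") and sorts each line into a bucket a helper would treat differently: in-use files the scanner could not open (not a finding), archive-level roll-ups (already counted by the inner lines), detections inside another product's Quarantine folder (leftovers, not live threats), "not-a-virus" adware/riskware (needs a decision) and everything else. The sample lines, paths and detection names below are constructed for the example.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample in the line layout of a Kaspersky Online Scanner report:
# "<object> <verdict> <last action>". Every path and detection name here is
# made up for this example.
SAMPLE_REPORT = """\
Infected Object Name / Virus Name / Last Action
C:\\Backup\\tools\\setup.exe/data0002 Infected: Email-Flooder.Win32.MailBomber.89 skipped
C:\\Backup\\tools\\setup.exe Inno: infected - 1 skipped
C:\\Backup\\dl\\installer.exe/data0081/Sync.exe Infected: not-a-virus:AdWare.Win32.SaveNow.v skipped
C:\\Documents and Settings\\All Users\\Programdata\\Symantec\\Common Client\\Confid.log Object is locked skipped
C:\\Documents and Settings\\All Users\\Programdata\\Symantec\\Norton AntiVirus\\Quarantine\\0E4B46BA.exe Infected: Trojan-PSW.Win32.Delf.ik skipped
C:\\WINDOWS\\system32\\sample.dll Infected: Trojan-Downloader.Win32.Small.dgk skipped
"""

# Verdict forms handled:
#   "Infected: <name>"           detection on a file, or on an object inside an archive
#   "Object is locked"           file was in use and could not be opened; not a detection
#   "<Container>: infected - N"  archive-level roll-up of the N detections inside it
LINE_RE = re.compile(
    r"^(?P<obj>.+?) "
    r"(?:Infected: (?P<name>\S+)"
    r"|(?P<locked>Object is locked)"
    r"|(?P<container>[\w-]+): infected - (?P<count>\d+))"
    r" (?P<action>\S+)$"
)


def on_disk_path(obj: str) -> str:
    """Strip the in-archive part ("setup.exe/data0002") to get the file on disk."""
    return obj.split("/")[0]


def classify(obj: str, name: Optional[str], locked: bool, container: Optional[str]) -> str:
    """Map one parsed report line to a triage bucket."""
    if locked:
        return "locked"        # nothing was found; the scanner just could not read it
    if container:
        return "rollup"        # archive summary; its inner "Infected:" lines already count
    if "\\quarantine\\" in on_disk_path(obj).lower():
        return "quarantined"   # already isolated by another product; a leftover, not a live threat
    if name is not None and name.startswith("not-a-virus:"):
        return "pua"           # adware/riskware class; needs a decision, not automatic removal
    return "malware"


def triage(report: str) -> List[Dict[str, Optional[str]]]:
    """Parse a report and tag each finding line; headers and statistics are skipped."""
    findings = []
    for line in report.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header, blank line or the statistics block
        findings.append({
            "object": m["obj"],
            "file": on_disk_path(m["obj"]),
            "detection": m["name"],
            "bucket": classify(m["obj"], m["name"], bool(m["locked"]), m["container"]),
        })
    return findings


def summarize(findings) -> Counter:
    """Count findings per bucket."""
    return Counter(f["bucket"] for f in findings)


def needs_attention(findings) -> List[str]:
    """Unique on-disk files that still need a removal decision."""
    return sorted({f["file"] for f in findings if f["bucket"] in ("malware", "pua")})


if __name__ == "__main__":
    found = triage(SAMPLE_REPORT)
    print(dict(summarize(found)))
    for path in needs_attention(found):
        print("review:", path)
```

To run it on a real scan, read the saved kavscan.txt into a string and pass it to triage() in place of SAMPLE_REPORT; the "quarantined" and "locked" buckets are the ones that most often inflate the "Number of infected objects" figure without pointing at anything active on the machine.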
 
Old 03-23-2007, 10:17 AM   #4
Guest
 
Join Date: Mar 2007
Posts: 4
OS:



Hi Sempurna,

Thank you for welcoming me!
As for the wait, it was no problem really :P
Furthermore I had no problems whatsoever while following your directions, and things seem to be running fine.
PS: I've deleted some stuff Kaspersky dug up for me: the Norton-AV Quarantine-folder and the "Give4Free Plugin"-folder as well as mIRC, mailbomber and netpumper (those last were nasty programs I didn't even know were still on my hard drive.)
Logs coming up:


Complete scanning result of "perfh014.dat", received in VirusTotal at 03.23.2007, 10:12:50 (CET).

Antivirus Version Update Result
AhnLab-V3 2007.3.23.0 03.22.2007 no virus found
AntiVir 7.3.1.44 03.23.2007 no virus found
Authentium 4.93.8 03.22.2007 no virus found
Avast 4.7.936.0 03.22.2007 no virus found
AVG 7.5.0.447 03.22.2007 no virus found
BitDefender 7.2 03.23.2007 no virus found
CAT-QuickHeal 9.00 03.22.2007 no virus found
ClamAV devel-20070312 03.23.2007 no virus found
DrWeb 4.33 03.23.2007 no virus found
eSafe 7.0.14.0 03.22.2007 no virus found
eTrust-Vet 30.6.3504 03.23.2007 no virus found
Ewido 4.0 03.22.2007 no virus found
FileAdvisor 1 03.23.2007 no virus found
Fortinet 2.85.0.0 03.23.2007 no virus found
F-Prot 4.3.1.45 03.23.2007 no virus found
F-Secure 6.70.13030.0 03.23.2007 no virus found
Ikarus T3.1.1.3 03.23.2007 no virus found
Kaspersky 4.0.2.24 03.23.2007 no virus found
McAfee 4990 03.22.2007 no virus found
Microsoft 1.2306 03.23.2007 no virus found
NOD32v2 2138 03.23.2007 no virus found
Norman 5.80.02 03.23.2007 no virus found
Panda 9.0.0.4 03.22.2007 no virus found
Prevx1 V2 03.23.2007 no virus found
Sophos 4.15.0 03.23.2007 no virus found
Sunbelt 2.2.907.0 03.22.2007 no virus found
Symantec 10 03.23.2007 no virus found
TheHacker 6.1.6.080 03.23.2007 no virus found
UNA 1.83 03.16.2007 no virus found
VBA32 3.11.2 03.22.2007 no virus found
VirusBuster 4.3.7:9 03.22.2007 no virus found
Webwasher-Gateway 6.0.1 03.23.2007 no virus found

Aditional Information
File size: 385084 bytes
MD5: 86592c7daf028c287b5a1081866b430f
SHA1: 61a24ee4295988b3fe37a1518cf9bcc9d9d1f9b8


Complete scanning result of "perfc014.dat", received in VirusTotal at 03.23.2007, 10:20:04 (CET).

Antivirus Version Update Result
AhnLab-V3 2007.3.23.0 03.22.2007 no virus found
AntiVir 7.3.1.44 03.23.2007 no virus found
Authentium 4.93.8 03.22.2007 no virus found
Avast 4.7.936.0 03.22.2007 no virus found
AVG 7.5.0.447 03.22.2007 no virus found
BitDefender 7.2 03.23.2007 no virus found
CAT-QuickHeal 9.00 03.22.2007 no virus found
ClamAV devel-20070312 03.23.2007 no virus found
DrWeb 4.33 03.23.2007 no virus found
eSafe 7.0.14.0 03.22.2007 no virus found
eTrust-Vet 30.6.3504 03.23.2007 no virus found
Ewido 4.0 03.22.2007 no virus found
FileAdvisor 1 03.23.2007 no virus found
Fortinet 2.85.0.0 03.23.2007 no virus found
F-Prot 4.3.1.45 03.23.2007 no virus found
F-Secure 6.70.13030.0 03.23.2007 no virus found
Ikarus T3.1.1.3 03.23.2007 no virus found
Kaspersky 4.0.2.24 03.23.2007 no virus found
McAfee 4990 03.22.2007 no virus found
Microsoft 1.2306 03.23.2007 no virus found
NOD32v2 2138 03.23.2007 no virus found
Norman 5.80.02 03.23.2007 no virus found
Panda 9.0.0.4 03.22.2007 no virus found
Prevx1 V2 03.23.2007 no virus found
Sophos 4.15.0 03.23.2007 no virus found
Sunbelt 2.2.907.0 03.22.2007 no virus found
Symantec 10 03.23.2007 no virus found
TheHacker 6.1.6.080 03.23.2007 no virus found
UNA 1.83 03.16.2007 no virus found
VBA32 3.11.2 03.22.2007 no virus found
VirusBuster 4.3.7:9 03.22.2007 no virus found
Webwasher-Gateway 6.0.1 03.23.2007 no virus found

Aditional Information
File size: 60442 bytes
MD5: e1f450e9b132da4dc33b9a6dbc8d1f39
SHA1: 46def02dd2b18ea023227682f5128f245349f0ca


Complete scanning result of "cadkasdeinst01e.exe", received in VirusTotal at 03.23.2007, 10:26:20 (CET).

Antivirus Version Update Result
AhnLab-V3 2007.3.23.0 03.22.2007 no virus found
AntiVir 7.3.1.44 03.23.2007 no virus found
Authentium 4.93.8 03.22.2007 no virus found
Avast 4.7.936.0 03.22.2007 no virus found
AVG 7.5.0.447 03.22.2007 no virus found
BitDefender 7.2 03.23.2007 no virus found
CAT-QuickHeal 9.00 03.22.2007 no virus found
ClamAV devel-20070312 03.23.2007 no virus found
DrWeb 4.33 03.23.2007 no virus found
eSafe 7.0.14.0 03.22.2007 no virus found
eTrust-Vet 30.6.3504 03.23.2007 no virus found
Ewido 4.0 03.22.2007 no virus found
FileAdvisor 1 03.23.2007 No threat detected
Fortinet 2.85.0.0 03.23.2007 no virus found
F-Prot 4.3.1.45 03.23.2007 no virus found
F-Secure 6.70.13030.0 03.23.2007 no virus found
Ikarus T3.1.1.3 03.23.2007 no virus found
Kaspersky 4.0.2.24 03.23.2007 no virus found
McAfee 4990 03.22.2007 no virus found
Microsoft 1.2306 03.23.2007 no virus found
NOD32v2 2138 03.23.2007 no virus found
Norman 5.80.02 03.23.2007 no virus found
Panda 9.0.0.4 03.22.2007 no virus found
Prevx1 V2 03.23.2007 no virus found
Sophos 4.15.0 03.23.2007 no virus found
Sunbelt 2.2.907.0 03.22.2007 no virus found
Symantec 10 03.23.2007 no virus found
TheHacker 6.1.6.080 03.23.2007 no virus found
UNA 1.83 03.16.2007 no virus found
VBA32 3.11.2 03.22.2007 no virus found
VirusBuster 4.3.7:9 03.22.2007 no virus found
Webwasher-Gateway 6.0.1 03.23.2007 no virus found

Aditional Information
File size: 72192 bytes
MD5: daac4576382f4d95170f00dda0cac355
SHA1: 35138fc090f8aa3ec5433e8e56bd49b3ac574a1b
Bit9 info: https://fileadvisor.bit9.com/services...0f00dda0cac355


"Claw_" - 07-03-23 10:48:09 Service Pack 2
ComboFix 07-03-22 - Running from: "C:\Documents and Settings\Claw_\Skrivebord"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\Claw_\PROGRA~1.\install.dat


((((((((((((((((((((((((((((((( Files Created from 2007-02-23 to 2007-03-23 ))))))))))))))))))))))))))))))))))


2007-03-23 10:31 <DIR> dr-h----- C:\DOCUME~1\Claw_\Siste
2007-03-22 14:16 <DIR> d-------- C:\Deckard
2007-03-20 19:38 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-03-20 19:17 <DIR> d-------- C:\avenger
2007-03-20 19:10 <DIR> d-------- C:\Rustbfix
2007-03-20 16:09 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-03-20 15:53 <DIR> d-------- C:\Programfiler\SUPERAntiSpyware
2007-03-20 15:53 <DIR> d-------- C:\DOCUME~1\Claw_\PROGRA~1\SUPERAntiSpyware.com
2007-03-20 15:53 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\PROGRA~1\SUPERAntiSpyware.com
2007-03-19 22:16 21,312 --a------ C:\WINDOWS\choice.exe
2007-03-19 22:05 <DIR> d-------- C:\Programfiler\SpywareGuard
2007-03-19 21:22 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-03-19 20:52 <DIR> d-------- C:\DOCUME~1\ADMINI~1\PROGRA~1\Lavasoft
2007-03-19 20:01 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-03-19 19:59 <DIR> d-------- C:\DOCUME~1\Claw_\.housecall6.6
2007-03-03 16:49 <DIR> d-------- C:\DOCUME~1\Claw_\PROGRA~1\Screenshot Sender
2007-03-03 16:48 <DIR> d-------- C:\Programfiler\Messenger Plus! Live
2007-03-03 16:48 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\PROGRA~1\Messenger Plus!
2007-02-24 19:42 <DIR> d-------- C:\DOCUME~1\Claw_\PROGRA~1\vlc
2007-02-24 10:02 1,164 --a------ C:\WINDOWS\mozver.dat
2007-02-24 05:16 <DIR> d-------- C:\DOCUME~1\Claw_\PROGRA~1\Lavasoft
2007-02-24 05:05 <DIR> d-------- C:\Programfiler\Lavasoft
2007-02-24 04:39 75,512 --a------ C:\WINDOWS\zllsputility.exe
2007-02-24 04:39 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2007-02-24 04:39 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2007-02-24 04:39 1,087,216 --a------ C:\WINDOWS\system32\zpeng24.dll
2007-02-24 04:39 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2007-02-24 04:37 0 --a------ C:\WINDOWS\nsreg.dat
2007-02-24 04:32 <DIR> d-------- C:\Programfiler\SpywareBlaster


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-03-23 10:04 -------- d--h----- C:\Programfiler\give4free plugin
2007-03-22 21:01 -------- d-------- C:\Programfiler\peerguardian2
2007-03-22 17:55 -------- d-------- C:\Programfiler\warcraft iii
2007-03-22 14:46 -------- d-------- C:\DOCUME~1\Claw_\PROGRA~1\utorrent
2007-03-20 23:16 -------- d-------- C:\Programfiler\world of warcraft
2007-03-20 15:53 -------- d-------- C:\Programfiler\Fellesfiler\wise installation wizard
2007-03-20 13:22 -------- d-------- C:\Programfiler\norton internet security
2007-03-19 21:51 -------- d-------- C:\Programfiler\wzcbdl service
2007-03-19 21:49 -------- d-------- C:\Programfiler\msn messenger
2007-03-19 21:43 -------- d-------- C:\Programfiler\daemon tools
2007-03-09 02:55 -------- d-------- C:\Programfiler\pdf reader 2
2007-03-09 02:55 -------- d-------- C:\Programfiler\irfanview
2007-03-06 19:30 -------- d-------- C:\Programfiler\wc3banlist
2007-03-03 16:30 -------- d-------- C:\Programfiler\dc++
2007-02-28 09:09 359808 --a------ C:\WINDOWS\system32\drivers\TCPIP.SYS
2007-02-27 00:29 60442 --a------ C:\WINDOWS\system32\perfc014.dat
2007-02-27 00:29 385084 --a------ C:\WINDOWS\system32\perfh014.dat
2007-02-24 10:01 -------- d-------- C:\Programfiler\videolan
2007-02-23 01:23 -------- d-------- C:\Programfiler\symantec
2007-02-21 19:16 -------- d--h----- C:\Programfiler\installshield installation information
2007-02-20 16:31 34308 --a------ C:\WINDOWS\system32\chip.dll
2007-02-19 21:49 72192 --a------ C:\WINDOWS\cadkasdeinst01e.exe
2007-02-19 07:38 -------- d-------- C:\Programfiler\mv2player
2007-02-19 03:20 -------- d-------- C:\Programfiler\utorrent
2007-02-11 16:29 -------- d-------- C:\Programfiler\eidos
2007-02-07 12:39 517840 --a------ C:\WINDOWS\system32\symneti.dll
2007-02-07 12:39 269616 --a------ C:\WINDOWS\system32\drivers\symtdi.sys
2007-02-07 12:39 132816 --a------ C:\WINDOWS\system32\symredir.dll
2007-02-07 12:38 47184 --a------ C:\WINDOWS\system32\drivers\symndis.sys
2007-02-07 12:38 36976 --a------ C:\WINDOWS\system32\drivers\symids.sys
2007-02-07 12:38 17968 --a------ C:\WINDOWS\system32\drivers\symredrv.sys
2007-02-07 12:38 173392 --a------ C:\WINDOWS\system32\drivers\symfw.sys
2007-02-07 12:38 11536 --a------ C:\WINDOWS\system32\drivers\symdns.sys
2007-01-27 23:42 -------- d-------- C:\Programfiler\winpcap
2007-01-23 14:01 90099 --a------ C:\WINDOWS\war3unin.dat
2007-01-19 12:53 51056 --a------ C:\WINDOWS\system32\sirenacm.dll
2007-01-08 19:01 17408 --a------ C:\WINDOWS\system32\corpol.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
"MsnMsgr"="~\"C:\\Programfiler\\MSN Messenger\\MsnMsgr.Exe\" /background"
"PeerGuardian"="C:\\Programfiler\\PeerGuardian2\\pg2.exe"
"WMPNSCFG"="C:\\Programfiler\\Windows Media Player\\WMPNSCFG.exe"
"SUPERAntiSpyware"="C:\\Programfiler\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"WinPatrol"="C:\\Programfiler\\BillP Studios\\WinPatrol\\winpatrol.exe"
"DAEMON Tools"="\"C:\\Programfiler\\DAEMON Tools\\daemon.exe\" -lang 1033"
"ccApp"="\"C:\\Programfiler\\Fellesfiler\\Symantec Shared\\ccApp.exe\""
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer"
"ZoneAlarm Client"="\"C:\\Programfiler\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"!AVG Anti-Spyware"="\"C:\\Programfiler\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{81559C35-8464-49F7-BB0E-07A383BEF910}"=""
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}"
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0




~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

backup-20070323-100138-834
O16 - DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} (Java Plug-in 1.5.0_02) -
backup-20070323-100138-570
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} -
backup-20070323-100138-748
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
backup-20070323-100138-996
O2 - BHO: (no name) - {208E7E77-507A-4649-B0C9-D39E9049C7A2} - (no file)
backup-20070323-100138-821
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
backup-20070323-100138-601
O2 - BHO: (no name) - {1A0AADCD-3A72-4b5f-900F-E3BB5A838E2A} - (no file)
backup-20070323-100138-467
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

********************************************************************

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
https://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-03-23 10:50:25


-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, March 23, 2007 5:48:10 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 23/03/2007
Kaspersky Anti-Virus database records: 284837
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
H:\

Scan Statistics:
Total number of scanned objects: 94814
Number of viruses found: 15
Number of infected objects: 41 / 0
Number of suspicious objects: 0
Duration of the scan process: 01:41:59

Infected Object Name / Virus Name / Last Action
C:\Burn-Backup 14.11.2004 kl05-30\Burn\Stuff\Progz - Div\mail.bomber.&.loca.smtp.server[keygens.included]\setup.exe/data0002 Infected: Email-Flooder.Win32.MailBomber.89 skipped
C:\Burn-Backup 14.11.2004 kl05-30\Burn\Stuff\Progz - Div\mail.bomber.&.loca.smtp.server[keygens.included]\setup.exe Inno: infected - 1 skipped
C:\Burn-Backup 14.11.2004 kl05-30\Burn\Stuff\Progz - DL\Netpumper\netpumper-1[1].20.1-setup.exe/data0081/Sync.exe Infected: not-a-virus:AdWare.Win32.SaveNow.v skipped
C:\Burn-Backup 14.11.2004 kl05-30\Burn\Stuff\Progz - DL\Netpumper\netpumper-1[1].20.1-setup.exe/data0081/Uninst.exe Infected: not-a-virus:AdWare.Win32.SaveNow.v skipped
C:\Burn-Backup 14.11.2004 kl05-30\Burn\Stuff\Progz - DL\Netpumper\netpumper-1[1].20.1-setup.exe/data0081 Infected: not-a-virus:AdWare.Win32.SaveNow.v skipped
C:\Burn-Backup 14.11.2004 kl05-30\Burn\Stuff\Progz - DL\Netpumper\netpumper-1[1].20.1-setup.exe Inno: infected - 3 skipped
C:\Burn-Backup 14.11.2004 kl05-30\Burn\Stuff\Progz - Inet\Mirc 6.16\MiRC.v6.16.WinALL.Incl.Keygen-NGEN\mirc616.exe/data0001.bin Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped
C:\Burn-Backup 14.11.2004 kl05-30\Burn\Stuff\Progz - Inet\Mirc 6.16\MiRC.v6.16.WinALL.Incl.Keygen-NGEN\mirc616.exe mIRC: infected - 1 skipped
C:\Burn-Backup 14.11.2004 kl05-30\Burn\Stuff\Progz - Inet\Mirc 6.16\MiRC.v6.16.WinALL.Incl.Keygen-NGEN.tar/MiRC.v6.16.WinALL.Incl.Keygen-NGEN/ngnm616a.zip/ngnm616.rar/mirc616.exe/data0001.bin Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped
C:\Burn-Backup 14.11.2004 kl05-30\Burn\Stuff\Progz - Inet\Mirc 6.16\MiRC.v6.16.WinALL.Incl.Keygen-NGEN.tar/MiRC.v6.16.WinALL.Incl.Keygen-NGEN/ngnm616a.zip/ngnm616.rar/mirc616.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped
C:\Burn-Backup 14.11.2004 kl05-30\Burn\Stuff\Progz - Inet\Mirc 6.16\MiRC.v6.16.WinALL.Incl.Keygen-NGEN.tar/MiRC.v6.16.WinALL.Incl.Keygen-NGEN/ngnm616a.zip/ngnm616.rar Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped
C:\Burn-Backup 14.11.2004 kl05-30\Burn\Stuff\Progz - Inet\Mirc 6.16\MiRC.v6.16.WinALL.Incl.Keygen-NGEN.tar/MiRC.v6.16.WinALL.Incl.Keygen-NGEN/ngnm616a.zip Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped
C:\Burn-Backup 14.11.2004 kl05-30\Burn\Stuff\Progz - Inet\Mirc 6.16\MiRC.v6.16.WinALL.Incl.Keygen-NGEN.tar Tar: infected - 4 skipped
C:\Burn-Backup 14.11.2004 kl05-30\Burn\Stuff\Progz - Inet\Serv-U\fo-su317.zip/fo-su317.exe/SERVUDAEMON.EXE Infected: not-a-virus:Server-FTP.Win32.Serv-U.3017 skipped
C:\Burn-Backup 14.11.2004 kl05-30\Burn\Stuff\Progz - Inet\Serv-U\fo-su317.zip/fo-su317.exe Infected: not-a-virus:Server-FTP.Win32.Serv-U.3017 skipped
C:\Burn-Backup 14.11.2004 kl05-30\Burn\Stuff\Progz - Inet\Serv-U\fo-su317.zip ZIP: infected - 2 skipped
C:\Documents and Settings\All Users\Programdata\Symantec\Common Client\Confid.log Object is locked skipped
C:\Documents and Settings\All Users\Programdata\Symantec\Common Client\Content.log Object is locked skipped
C:\Documents and Settings\All Users\Programdata\Symantec\Common Client\Privacy.log Object is locked skipped
C:\Documents and Settings\All Users\Programdata\Symantec\Common Client\Restrict.log Object is locked skipped
C:\Documents and Settings\All Users\Programdata\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\All Users\Programdata\Symantec\Common Client\WebHist.log Object is locked skipped
C:\Documents and Settings\All Users\Programdata\Symantec\LiveUpdate\2007-03-23_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped
C:\Documents and Settings\All Users\Programdata\Symantec\Norton AntiVirus\Quarantine\0E4B46BA.exe Infected: Trojan-PSW.Win32.Delf.ik skipped
C:\Documents and Settings\All Users\Programdata\Symantec\Norton AntiVirus\Quarantine\0E5444AF.EXE Infected: Trojan-PSW.Win32.Delf.ik skipped
C:\Documents and Settings\All Users\Programdata\Symantec\Norton AntiVirus\Quarantine\23C87DA5.dll Infected: Trojan-Downloader.Win32.Busky.s skipped
C:\Documents and Settings\All Users\Programdata\Symantec\Norton AntiVirus\Quarantine\23E57784.dll Infected: Trojan.Win32.Obfuscated.ev skipped
C:\Documents and Settings\All Users\Programdata\Symantec\Norton AntiVirus\Quarantine\247104EA.exe Infected: Trojan-Downloader.Win32.Small.dgk skipped
C:\Documents and Settings\All Users\Programdata\Symantec\Norton AntiVirus\Quarantine\24882AD1.exe Infected: not-a-virus:AdWare.Win32.Agent.at skipped
C:\Documents and Settings\All Users\Programdata\Symantec\Norton AntiVirus\Quarantine\29DA0EF6.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ft skipped
C:\Documents and Settings\All Users\Programdata\Symantec\Norton AntiVirus\Quarantine\2B860B1F.htm Infected: Exploit.HTML.IESlice.c skipped
C:\Documents and Settings\All Users\Programdata\Symantec\Norton AntiVirus\Quarantine\2B89351C.htm Infected: Trojan-Downloader.Win32.Small.dgk skipped
C:\Documents and Settings\All Users\Programdata\Symantec\Norton AntiVirus\Quarantine\2B99070A.htm Infected: Trojan-Downloader.JS.Psyme.dy skipped
C:\Documents and Settings\All Users\Programdata\Symantec\Norton AntiVirus\Quarantine\2BA304FF.htm Infected: Trojan-Proxy.Win32.Wopla.ac skipped
C:\Documents and Settings\All Users\Programdata\Symantec\Norton AntiVirus\Quarantine\43DB3400.tmp Infected: Trojan-PSW.Win32.Delf.ik skipped
C:\Documents and Settings\All Users\Programdata\Symantec\Norton AntiVirus\Quarantine\701E4F4A.dll Infected: Trojan-PSW.Win32.Delf.ik skipped
C:\Documents and Settings\All Users\Programdata\Symantec\Norton AntiVirus\Quarantine\7BDE5C5C.tmp/Stream/data0005 Infected: not-a-virus:Monitor.Win32.ActivityMonitor.b skipped
C:\Documents and Settings\All Users\Programdata\Symantec\Norton AntiVirus\Quarantine\7BDE5C5C.tmp/Stream Infected: not-a-virus:Monitor.Win32.ActivityMonitor.b skipped
C:\Documents and Settings\All Users\Programdata\Symantec\Norton AntiVirus\Quarantine\7BDE5C5C.tmp Inno: infected - 2 skipped
C:\Documents and Settings\All Users\Programdata\Symantec\Norton AntiVirus\Quarantine\7BDE5C5C.tmp CryptFF: infected - 2 skipped
C:\Documents and Settings\All Users\Programdata\Symantec\Norton AntiVirus\Quarantine\7BE10659.tmp/Stream/data0019/Stream/data0005 Infected: not-a-virus:Monitor.Win32.ActivityMonitor.b skipped
C:\Documents and Settings\All Users\Programdata\Symantec\Norton AntiVirus\Quarantine\7BE10659.tmp/Stream/data0019/Stream Infected: not-a-virus:Monitor.Win32.ActivityMonitor.b skipped
C:\Documents and Settings\All Users\Programdata\Symantec\Norton AntiVirus\Quarantine\7BE10659.tmp/Stream/data0019 Infected: not-a-virus:Monitor.Win32.ActivityMonitor.b skipped
C:\Documents and Settings\All Users\Programdata\Symantec\Norton AntiVirus\Quarantine\7BE10659.tmp/Stream Infected: not-a-virus:Monitor.Win32.ActivityMonitor.b skipped
C:\Documents and Settings\All Users\Programdata\Symantec\Norton AntiVirus\Quarantine\7BE10659.tmp Inno: infected - 4 skipped
C:\Documents and Settings\All Users\Programdata\Symantec\Norton AntiVirus\Quarantine\7BE10659.tmp CryptFF: infected - 4 skipped
C:\Documents and Settings\Claw_\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Claw_\Lokale innstillinger\Logg\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Claw_\Lokale innstillinger\Programdata\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Claw_\Lokale innstillinger\Programdata\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Claw_\Lokale innstillinger\Programdata\Mozilla\Firefox\Profiles\hfevyay7.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Claw_\Lokale innstillinger\Programdata\Mozilla\Firefox\Profiles\hfevyay7.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Claw_\Lokale innstillinger\Programdata\Mozilla\Firefox\Profiles\hfevyay7.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Claw_\Lokale innstillinger\Programdata\Mozilla\Firefox\Profiles\hfevyay7.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Claw_\Lokale innstillinger\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Claw_\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Claw_\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\Claw_\Programdata\Mozilla\Firefox\Profiles\hfevyay7.default\cert8.db Object is locked skipped
C:\Documents and Settings\Claw_\Programdata\Mozilla\Firefox\Profiles\hfevyay7.default\history.dat Object is locked skipped
C:\Documents and Settings\Claw_\Programdata\Mozilla\Firefox\Profiles\hfevyay7.default\key3.db Object is locked skipped
C:\Documents and Settings\Claw_\Programdata\Mozilla\Firefox\Profiles\hfevyay7.default\parent.lock Object is locked skipped
C:\Documents and Settings\Claw_\Programdata\Mozilla\Firefox\Profiles\hfevyay7.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Claw_\Programdata\Mozilla\Firefox\Profiles\hfevyay7.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Lokale innstillinger\Logg\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Lokale innstillinger\Programdata\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Lokale innstillinger\Programdata\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Lokale innstillinger\Temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Lokale innstillinger\Temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Lokale innstillinger\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Lokale innstillinger\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Lokale innstillinger\Logg\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Lokale innstillinger\Programdata\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Lokale innstillinger\Programdata\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Lokale innstillinger\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped
C:\Programfiler\Fellesfiler\Symantec Shared\AntiSpam\Log\Spam.log Object is locked skipped
C:\Programfiler\Fellesfiler\Symantec Shared\CCPD-LC\symlcrst.dll Object is locked skipped
C:\Programfiler\Fellesfiler\Symantec Shared\SNDALRT.log Object is locked skipped
C:\Programfiler\Fellesfiler\Symantec Shared\SNDCON.log Object is locked skipped
C:\Programfiler\Fellesfiler\Symantec Shared\SNDDBG.log Object is locked skipped
C:\Programfiler\Fellesfiler\Symantec Shared\SNDFW.log Object is locked skipped
C:\Programfiler\Fellesfiler\Symantec Shared\SNDIDS.log Object is locked skipped
C:\Programfiler\Fellesfiler\Symantec Shared\SNDSYS.log Object is locked skipped
C:\Programfiler\Fellesfiler\Symantec Shared\SPPolicy.log Object is locked skipped
C:\Programfiler\Fellesfiler\Symantec Shared\SPStart.log Object is locked skipped
C:\Programfiler\Fellesfiler\Symantec Shared\SPStop.log Object is locked skipped
C:\Programfiler\Give4Free Plugin\uninstall.exe Infected: not-a-virus:AdWare.Win32.Chiem.c skipped
C:\Programfiler\Norton Internet Security\Norton AntiVirus\AVApp.log Object is locked skipped
C:\Programfiler\Norton Internet Security\Norton AntiVirus\AVError.log Object is locked skipped
C:\Programfiler\Norton Internet Security\Norton AntiVirus\AVVirus.log Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.


Logfile of HijackThis v1.99.1
Scan saved at 18:14:51, on 23.03.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Programfiler\Fellesfiler\Symantec Shared\ccProxy.exe
C:\Programfiler\Fellesfiler\Symantec Shared\ccSetMgr.exe
C:\Programfiler\Norton Internet Security\ISSVC.exe
C:\Programfiler\Fellesfiler\Symantec Shared\SNDSrvc.exe
C:\Programfiler\Fellesfiler\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Programfiler\Fellesfiler\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Programfiler\Fellesfiler\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programfiler\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Programfiler\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Programfiler\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\System32\svchost.exe
C:\Programfiler\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Programfiler\CyberLink\Shared Files\RichVideo.exe
C:\Programfiler\WZCBDL Service\WZCBDLS.exe
C:\WINDOWS\Explorer.EXE
C:\Programfiler\BillP Studios\WinPatrol\winpatrol.exe
C:\Programfiler\DAEMON Tools\daemon.exe
C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe
C:\Programfiler\Zone Labs\ZoneAlarm\zlclient.exe
C:\Programfiler\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programfiler\PeerGuardian2\pg2.exe
C:\Programfiler\Windows Media Player\WMPNSCFG.exe
C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Programfiler\SpywareGuard\sgmain.exe
C:\Programfiler\SpywareGuard\sgbhp.exe
C:\Programfiler\MSN Messenger\msnmsgr.exe
C:\Programfiler\MSN Messenger\usnsvc.exe
C:\Programfiler\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.no/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Fellesfiler\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Programfiler\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programfiler\Fellesfiler\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Programfiler\Fellesfiler\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programfiler\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programfiler\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WinPatrol] C:\Programfiler\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Programfiler\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [ccApp] "C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Programfiler\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programfiler\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] ~"C:\Programfiler\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PeerGuardian] C:\Programfiler\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Programfiler\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: SpywareGuard.lnk = C:\Programfiler\SpywareGuard\sgmain.exe
O4 - Startup: Windows Live Messenger.lnk = ?
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_09\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_09\bin\ssv.dll (file missing)
O9 - Extra button: Oppslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - https://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - https://javadl-esd.sun.com/update/1.5...ndows-i586.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - https://acs.pandasoftware.com/actives...ree/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WB - C:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - WgaLogon.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Programfiler\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Programfiler\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Programfiler\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Programfiler\Norton Internet Security\ISSVC.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Programfiler\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Programfiler\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Programfiler\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FELLES~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WZCBDL Service (WZCBDLService) - D-Link - C:\Programfiler\WZCBDL Service\WZCBDLS.exe
Old 03-23-2007, 06:49 PM   #5
Sempurna
TSF Team, Emeritus
Join Date: Sep 2006
Posts: 1,302
OS: Windows XP SP2

Hi shimba,

You're most welcome, shimba. You've done a great job! The logs appear to be clean.

Any persistent problems or suspicious behaviour I should know about?
Old 03-24-2007, 04:24 AM   #6
Guest
Join Date: Mar 2007
Posts: 4
OS:

Hello again Sempurna,

I'm glad to hear that, and I really cannot see any persistent problems or suspicious behaviour at this moment.

Thank you very much for your help; I really appreciate it.

Sincerely,
shimba