Strange behavior [RESOLVED]


#1 Viper Jr. (Member, 30 posts)

Hello.

Recently, I got some help cleaning up my system from some naughty files, but now a friend has some problems with her computer. Sometimes it fails to boot, it's running slow, etc., but I don't have any specific name of a virus/malware. So here's the log, and I hope someone can help me clean her system. After the log is clean, I'm installing Ad-aware, Spybot and NOD32, but I'm not sure if I should install them before or after the cleaning with your help has been done. Any ideas?

Thanks!

The Hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:29:14, on 2008-04-13
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\Delade filer\Symantec Shared\ccProxy.exe
C:\Program\Delade filer\Symantec Shared\ccSetMgr.exe
C:\Program\Norton Internet Security\ISSVC.exe
C:\Program\Delade filer\Symantec Shared\SNDSrvc.exe
C:\Program\Delade filer\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program\Delade filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program\Delade filer\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program\iPod\bin\iPodService.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDLL32.exe
C:\Program\Delade filer\Symantec Shared\ccApp.exe
C:\Program\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Program\Java\jre1.6.0_05\bin\jusched.exe
C:\Program\Macrogaming\SweetIM\SweetIM.exe
C:\Program\HP\HP Software Update\HPWuSchd2.exe
C:\Program\Delade filer\Real\Update_OB\realsched.exe
C:\Program\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program\QuickTime\QTTask.exe
C:\Program\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program\Delade filer\Ahead\Lib\NMBgMonitor.exe
C:\Program\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program\Windows Live\Messenger\usnsvc.exe
C:\Program\Internet Explorer\iexplore.exe
C:\Program\Delade filer\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program\HijackThis\HijackThis.exe
C:\Program\Messenger\msmsgs.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.slizone.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
R3 - URLSearchHook: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program\Macrogaming\SweetIMBarForIE\toolbar.dll
O1 - Hosts: 213.21.215.181 gg.muchina.com
O1 - Hosts: 213.21.215.181 ogg.muchina.com
O1 - Hosts: 213.21.215.181 update.nprotect.net
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Delade filer\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SWEETIE - {1A0AADCD-3A72-4b5f-900F-E3BB5A838E2A} - C:\Program\MACROG~1\SWEETI~1\toolbar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live inloggningshjälpen - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program\Delade filer\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program\Delade filer\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program\Delade filer\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program\Macrogaming\SweetIMBarForIE\toolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ccApp] "C:\Program\Delade filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\Program\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program\Delade filer\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [SweetIM] C:\Program\Macrogaming\SweetIM\SweetIM.exe
O4 - HKLM\..\Run: [NI.UERSL_0001_N91M2407] "C:\Documents and Settings\Simon\Skrivbord\ErrorSafeFreeInstall_se.exe" -nag
O4 - HKLM\..\Run: [NI.UWA6PL_0001_N91M2107] "C:\documents and settings\simon\application data\winantiviruspro2006freeinstall_se[1].exe" -nag
O4 - HKLM\..\Run: [HP Software Update] C:\Program\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program\Delade filer\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TrayServer] C:\Program\MAGIX\Movie_Edit_Pro_12_e-version\TrayServer.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program\Delade filer\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program\Delade filer\Adobe\Updater5\AdobeUpdater.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJÄNST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-1390067357-1060284298-839522115-1004\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Alf')
O4 - HKUS\S-1-5-21-1390067357-1060284298-839522115-1004\..\Run: [updateMgr] "C:\Program\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1 (User 'Alf')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - S-1-5-21-1390067357-1060284298-839522115-1004 Startup: Adobe Gamma.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe (User 'Alf')
O4 - S-1-5-21-1390067357-1060284298-839522115-1004 Startup: Picture Motion Browser verktyg för mediekontroll.lnk = C:\Program\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe (User 'Alf')
O4 - S-1-5-21-1390067357-1060284298-839522115-1004 User Startup: Adobe Gamma.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe (User 'Alf')
O4 - S-1-5-21-1390067357-1060284298-839522115-1004 User Startup: Picture Motion Browser verktyg för mediekontroll.lnk = C:\Program\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe (User 'Alf')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Snabbstarta.lnk = C:\Program\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Referensinformation - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnote...ad/mnviewer.cab
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.c.../acclaim_v5.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius....tiveXPlugin.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{EBD8B655-7D72-4B28-B265-C3E44F4C2DB0}: NameServer = 83.219.207.25,213.79.168.2
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program\Delade filer\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program\Delade filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatisk LiveUpdate-schemaläggare - Symantec Corporation - C:\Program\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccSetMgr.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - C:\Program\MAGIX\Common\Database\bin\fbserver.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program\Norton Internet Security\ISSVC.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto Protect-tjänst (navapsvc) - Symantec Corporation - C:\Program\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NBService - Nero AG - C:\Program\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\Program\DELADE~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 12077 bytes

#2 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)

Please print the below instructions or copy them to Notepad. Make sure to work through the fixes in the order mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Download ATF Cleaner at http://www.atribune..../click.php?id=1
Double-click ATF-Cleaner.exe to run the program. Under Main choose Select All
Click the Empty Selected button.

If you use the Firefox browser click Firefox at the top and choose Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use the Opera browser click 'Opera' at the top and choose 'Select All'
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.


Run a scan in HijackThis. Check each of the following if they still exist and hit 'Fix Checked' after you checked the last one:

O4 - HKLM\..\Run: [NI.UERSL_0001_N91M2407] "C:\Documents and Settings\Simon\Skrivbord\ErrorSafeFreeInstall_se.exe" -nag
O4 - HKLM\..\Run: [NI.UWA6PL_0001_N91M2107] "C:\documents and settings\simon\application data\winantiviruspro2006freeinstall_se[1].exe" -nag


Locate the following Files/Folders and delete them if they exist (if no location given, just do a search for them):

C:\Documents and Settings\Simon\Skrivbord\ErrorSafeFreeInstall_se.exe
C:\documents and settings\simon\application data\winantiviruspro2006freeinstall_se[1].exe


Go to http://www.bleepingc...to-use-combofix and follow the instructions on how to install the Recovery Console and run ComboFix. Go through all the steps until posting the log part. Post the combofix log here.

#3 Viper Jr. (Topic Starter, Member, 30 posts)

Thanks for the reply!

I could not find the Files/Folders, either by search or by looking manually. They did not exist in the HijackThis scan either, so I guess they got deleted.
Here is the ComboFix log:

ComboFix 08-04-16.5 - Elin 2008-04-17 15:41:40.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1053.18.583 [GMT 2:00]
Running from: C:\Documents and Settings\Elin\Skrivbord\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-03-17 to 2008-04-17 )))))))))))))))))))))))))))))))
.

2008-04-13 15:02 . 2008-04-13 15:02 <KAT> d-------- C:\Program\CCleaner
2008-04-06 18:01 . 2008-04-06 18:01 <KAT> d-------- C:\Program\Microsoft CAPICOM 2.1.0.2
2008-04-06 11:33 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-04-06 11:33 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-04-06 11:33 . 2007-07-30 19:18 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-04-05 08:54 . 2008-04-05 08:54 <KAT> d-------- C:\Program\Windows Live
2008-04-05 08:54 . 2008-04-05 08:54 <KAT> d--hsc--- C:\Program\Delade filer\WindowsLiveInstaller
2008-04-05 08:53 . 2008-04-05 08:53 <KAT> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-03-26 13:41 . 2008-03-26 13:41 <KAT> d-------- C:\Logs
2008-03-25 19:52 . 2008-03-25 19:52 <KAT> d-------- C:\Documents and Settings\Alf\Application Data\Xfire

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-16 20:56 --------- d-----w C:\Program\Delade filer\Symantec Shared
2008-04-16 09:27 --------- d-----w C:\Documents and Settings\Simon\Application Data\Xfire
2008-04-10 20:26 --------- d-----w C:\Program\DC++
2008-04-04 11:56 --------- d-----w C:\Program\Norton Internet Security
2008-04-03 20:31 --------- d-----w C:\Program\Java
2008-04-02 15:25 --------- d-----w C:\Program\World of Warcraft
2008-03-20 08:10 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-05 21:39 --------- d-----w C:\Documents and Settings\Elin\Application Data\Apple Computer
2008-03-01 13:02 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-28 15:55 --------- d-----w C:\Program\Playlogic
2008-02-23 12:00 --------- d-----w C:\Program\Delade filer\Adobe
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:38 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-01-28 13:53 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll
2008-01-21 15:17 98,304 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2005-05-11 22:36 12,288 ----a-w C:\WINDOWS\Fonts\RandFont.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 14:00 15360]
"MsnMsgr"="C:\Program\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 11:35 5724184]
"AdobeUpdater"="C:\Program\Delade filer\Adobe\Updater5\AdobeUpdater.exe" [2007-03-01 10:37 2321600]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-06-01 17:22 7618560]
"nwiz"="nwiz.exe" [2006-06-01 17:22 1519616 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="NvMCTray.dll" [2006-06-01 17:22 86016 C:\WINDOWS\system32\nvmctray.dll]
"ccApp"="C:\Program\Delade filer\Symantec Shared\ccApp.exe" [2008-01-31 14:06 58728]
"Symantec NetDriver Monitor"="C:\Program\SYMNET~1\SNDMon.exe" [2007-05-27 23:01 100056]
"NVMixerTray"="C:\Program\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-12-20 17:12 131072]
"NeroFilterCheck"="C:\Program\Delade filer\Ahead\Lib\NeroCheck.exe" [2006-01-12 16:40 155648]
"SunJavaUpdateSched"="C:\Program\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"SweetIM"="C:\Program\Macrogaming\SweetIM\SweetIM.exe" [2006-06-06 10:07 40960]
"HP Software Update"="C:\Program\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 00:12 49152]
"TkBellExe"="C:\Program\Delade filer\Real\Update_OB\realsched.exe" [2007-04-05 16:33 185896]
"Adobe Photo Downloader"="C:\Program\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09 63712]
"QuickTime Task"="C:\Program\QuickTime\QTTask.exe" [2007-12-11 11:56 286720]
"iTunesHelper"="C:\Program\iTunes\iTunesHelper.exe" [2007-12-11 13:10 267048]
"TrayServer"="C:\Program\MAGIX\Movie_Edit_Pro_12_e-version\TrayServer.exe" [2006-10-04 17:41 86016]
"Adobe Reader Speed Launcher"="C:\Program\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 14:00 15360]

C:\Documents and Settings\Alf\Start-meny\Program\Autostart\
Adobe Gamma.lnk - C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50 113664]
Picture Motion Browser verktyg för mediekontroll.lnk - C:\Program\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2007-04-22 17:17:19 344064]

C:\Documents and Settings\Simon\Start-meny\Program\Autostart\
Registration Heroes of Might & Magic 5 - Hammers of Fate.LNK - C:\Program\Ubisoft\Heroes of Might and Magic V\registrationa1\RegistrationReminder.exe [2008-01-21 17:15:08 868352]
Xfire.lnk - C:\Program\Xfire\Xfire.exe [2008-01-17 00:37:12 2872144]

C:\Documents and Settings\All Users\Start-meny\Program\Autostart\
HP Digital Imaging Monitor.lnk - C:\Program\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-12 00:23:26 282624]
HP Image Zone Snabbstarta.lnk - C:\Program\HP\Digital Imaging\bin\hpqthb08.exe [2005-05-12 01:49:24 73728]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program\\iTunes\\iTunes.exe"=
"C:\\Program\\DC++\\DCPlusPlus.exe"=
"C:\\Program\\Valve\\Steam\\SteamApps\\simand\\condition zero\\hl.exe"=
"C:\\Program\\THQ\\Company of Heroes - Opposing Fronts Demo\\RelicCOH.exe"=
"C:\\Program\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program\\Windows Live\\Messenger\\livecall.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R2 Automatisk LiveUpdate-schemaläggare;Automatisk LiveUpdate-schemaläggare;"C:\Program\Symantec\LiveUpdate\ALUSchedulerSvc.exe" [2006-08-03 18:08]
S3 asbp2poa;asbp2poa;C:\DOCUME~1\Simon\LOKALA~1\Temp\asbp2poa.sys []
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;C:\Program\MAGIX\Common\Database\bin\fbserver.exe [2005-11-17 16:18]
S3 sonypvs1;Sony Digital Imaging Video2;C:\WINDOWS\system32\DRIVERS\sonypvs1.sys [2006-10-30 13:46]

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-04-01 16:01:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program\Apple Software Update\SoftwareUpdate.exe
"2008-04-17 10:00:07 C:\WINDOWS\Tasks\HPpromotions journeysoftware.job"
- C:\Program\hp\digital imaging\bin\hp promotions\journeysoftware\HPpromo.exe
"2008-04-11 18:00:00 C:\WINDOWS\Tasks\Norton AntiVirus - Sök igenom datorn - Alf.job"
- C:\Program\NORTON~1\NORTON~1\Navw32.exeh/task:
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-17 15:42:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-17 15:42:53
ComboFix-quarantined-files.txt 2008-04-17 13:42:49
ComboFix2.txt 2008-04-17 13:40:11

Pre-Run: 59,253,096,448 byte ledigt
Post-Run: 59,244,294,144 byte ledigt
.
2008-04-11 16:04:38 --- E O F ---

#4 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)

Go to Start->Run and type in notepad and hit OK. Then copy and paste the following into Notepad:

sc stop asbp2poa
sc delete asbp2poa
del delete.bat


Save the file as "delete.bat". Make sure to save it with the quotes. Double click on it.


Good job. Your log is clean.

To help prevent future spyware infections, read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If none, go to Start->Run and type in Combofix /u to remove Combofix. You should be set to go.
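The checks greyknight17 applied by eye in posts #2 and #4 (an autostart launched from inside a user profile, a hosts file pointing a vendor's update domain at a public IP, a driver registered from a Temp folder with no file timestamp) can be run mechanically over the log text. The script below is an added example, not code from the thread or from HijackThis/ComboFix; its sample lines are copied from the two logs posted above, and the rule names and thresholds are my own assumptions.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: lines copied from the HijackThis and ComboFix logs in this
# thread, mixed with benign entries so the rules have something to leave alone.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se/
O1 - Hosts: 213.21.215.181 update.nprotect.net
O4 - HKLM\..\Run: [ccApp] "C:\Program\Delade filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NI.UERSL_0001_N91M2407] "C:\Documents and Settings\Simon\Skrivbord\ErrorSafeFreeInstall_se.exe" -nag
O4 - HKLM\..\Run: [NI.UWA6PL_0001_N91M2107] "C:\documents and settings\simon\application data\winantiviruspro2006freeinstall_se[1].exe" -nag
R2 Automatisk LiveUpdate-schemaläggare;Automatisk LiveUpdate-schemaläggare;"C:\Program\Symantec\LiveUpdate\ALUSchedulerSvc.exe" [2006-08-03 18:08]
S3 asbp2poa;asbp2poa;C:\DOCUME~1\Simon\LOKALA~1\Temp\asbp2poa.sys []
"""

# Folders a legitimate autostart entry or kernel driver rarely lives in: user
# profiles, per-user application data, temp folders and the desktop
# ("Skrivbord" on this Swedish XP install). Assumed list, extend as needed.
USER_WRITABLE = ("documents and settings", "application data", "\\temp\\",
                 "\\skrivbord\\", "\\desktop\\")
LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}

O1_HOSTS = re.compile(r"^O1 - Hosts:\s+(?P<ip>\S+)\s+(?P<host>\S+)")
O4_RUN = re.compile(
    r'^O4 - (?P<hive>[^:\[]+): \[(?P<name>[^\]]+)\]\s+"?(?P<path>[^"]+?\.exe)"?(?P<args>.*)$',
    re.IGNORECASE)
# ComboFix driver/service line: "<start-type> <name>;<display name>;<path> [<file timestamp>]"
CF_SERVICE = re.compile(
    r"^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?) \[(?P<stamp>[^\]]*)\]$")


@dataclass(frozen=True)
class Finding:
    line: str
    reason: str


def in_user_writable(path: str) -> bool:
    lowered = path.lower()
    return any(marker in lowered for marker in USER_WRITABLE)


def triage(log_text: str) -> list[Finding]:
    """Return one Finding per suspicious line; lines that trip no rule are skipped."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        reasons: list[str] = []
        if m := O1_HOSTS.match(line):
            # A hosts entry that points a security vendor's update domain at a
            # public IP silently breaks that product's updates.
            if m["ip"] not in LOOPBACK:
                reasons.append(f"hosts file redirects {m['host']} to {m['ip']}")
        elif m := O4_RUN.match(line):
            if in_user_writable(m["path"]):
                reasons.append("autostart runs from a user-writable profile location")
            if re.search(r"\[\d+\]\.exe$", m["path"], re.IGNORECASE):
                reasons.append("autostart keeps a browser-cache download name ([n].exe)")
        elif m := CF_SERVICE.match(line):
            if in_user_writable(m["path"]):
                reasons.append("driver/service binary lives in a temp or profile folder")
            if not m["stamp"]:
                reasons.append("no file timestamp: binary missing or unreadable")
        if reasons:
            findings.append(Finding(line, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```

Run it against a full HijackThis or ComboFix log to get a shortlist; entries it does not flag still need a human look, since the rules only cover the three patterns seen in this thread.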

#5 Viper Jr. (Topic Starter, Member, 30 posts)

Thanks a lot for the help!!

It seems that the system is running smoother now, but there is a thing that worries me. I ran a Spybot - Search and Destroy scan and found some entries, including one called "virtumonde". I believe that is a malware that sometimes can be hard to get rid of... So I'm just a little curious: should I worry, or did Spybot/your instructions get rid of it?

#6 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)

Where is Spybot finding virtumundo? Give me the exact location and name of the file infected. If it's from the system restore, we can ignore it and use Combofix /u to clear the restore points and remove Combofix and its related files/folders.

Otherwise, if it actually gives you a path to the infected file like c:\windows\system32\....some file, do the below:

Print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should NOT have any open browsers when you are following the procedures below.

Download VundoFix at http://www.atribune..../click.php?id=4 and save it to your desktop.
- Double-click VundoFix.exe to run it.
- Click the Scan for Vundo button.
- Once it's done scanning, click the Remove Vundo button.
- You will receive a prompt asking if you want to remove the files. Click Yes.
- Once you click yes, your desktop will go blank as it starts removing Vundo.
- When completed, it will prompt that it will reboot your computer. Click OK.
- Post the contents of C:\vundofix.txt here.

NOTE: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot. Simply follow the above instructions starting from Click the Scan for Vundo button when VundoFix appears upon rebooting.

Also run Combofix again and post the log here.

#7 Viper Jr. (Topic Starter, Member, 30 posts)

I ran Spybot again to locate Vundo, but it did not find anything. Should I install VundoFix anyway or not? Sorry if I'm asking a lot of questions, I just want to be sure.

Thanks again for the help!

#8 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)

Where was it located when Spybot found it? If it was in the System Volume folder, you can probably ignore it. Uninstalling Combofix will clear out all your restore points. If it found Vundo in some system32 folder or elsewhere, then run the VundoFix tool.

#9 Viper Jr. (Topic Starter, Member, 30 posts)

I do not remember where Spybot found it, but it appears that ComboFix got it, so the problem is solved. Thanks a lot for all the help!! I really appreciate it!

#10 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.