
Several problems, one is probably Trojan Downloader MDW [RESOLVED]

This topic is locked.

#1 frick (New Member, 6 posts)
Hi,

I have several problems with the laptop, pop-ups for example.

Task Manager was also disabled. But I got that back.

I have run Ad-aware, Malwarebytes' Anti-Malware, SUPERAntiSpyware Home Edition and Panda.

I would appreciate some help, thanks...


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:38:15, on 2008-06-30
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\Delade filer\Symantec Shared\ccSetMgr.exe
C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe
C:\Program\Delade filer\Symantec Shared\ccProxy.exe
C:\Program\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
C:\Program\Delade filer\Symantec Shared\SNDSrvc.exe
C:\Program\Delade filer\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program\Delade filer\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program\Synaptics\SynTP\SynTPEnh.exe
C:\Program\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program\HP\HP Officejet Pro K550 Series\Toolbox\HPWUTBX.exe
C:\Program\Delade filer\Symantec Shared\ccApp.exe
C:\Program\SYMANT~1\SYMANT~2\VPTray.exe
C:\Program\QuickTime\qttask.exe
C:\Program\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program\Windows Live\Messenger\MsnMsgr.Exe
C:\Program\WIDCOMM\Bluetooth-programvara\BTTray.exe
C:\Program\Personal\bin\Personal.exe
C:\Program\Option\Telenor Mobilt Bredband\Telenor Mobilt Bredband.exe
C:\Program\WIDCOMM\Bluetooth-programvara\bin\btwdins.exe
C:\Program\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\Program\Delade filer\GtFlashSwitch\GtFlashSwitch.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\Analog Devices\SoundMAX\SMAgent.exe
C:\Program\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\Program\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\Program\iPod\bin\iPodService.exe
C:\Program\HPQ\SHARED\HPQWMI.exe
C:\Program\Internet Explorer\iexplore.exe
C:\Program\Delade filer\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program\Java\jre1.6.0_06\bin\javaw.exe
C:\Program\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.se/0SES...S01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.se/0SES...S01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sv.wikipedia....ortal:Huvudsida
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.se/0SES...S01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: {72e59b53-cd76-2228-f324-5f12e4077472} - {2747704e-21f5-423f-8222-67dc35b95e27} - C:\WINDOWS\system32\xdhcus.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live inloggningshjälpen - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program\Delade filer\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [SynTPLpr] C:\Program\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] "%ProgramFiles%\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe"
O4 - HKLM\..\Run: [WatchDog] C:\Program\InterVideo\DVD Check\DVDCheck.exe
O4 - HKLM\..\Run: [HPWUTOOLBOX] C:\Program\HP\HP Officejet Pro K550 Series\Toolbox\HPWUTBX.exe "-i"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [ccApp] "C:\Program\Delade filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\Program\SYMANT~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [SynTPStart] C:\Program\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [{9F-F1-1B-BE-DW}] C:\windows\system32\rwwnw64d.exe DWram1
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJÄNST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\rwwnw64d.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: DVD Check.lnk = C:\Program\InterVideo\DVD Check\DVDCheck.exe
O4 - Global Startup: Personal.lnk = C:\Program\Personal\bin\Personal.exe
O4 - Global Startup: Telenor Mobilt Bredband.lnk = C:\Program\Option\Telenor Mobilt Bredband\Telenor Mobilt Bredband.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Skicka till &Bluetooth - C:\Program\WIDCOMM\Bluetooth-programvara\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Referensinformation - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Automatisk LiveUpdate-schemaläggare - Symantec Corporation - C:\Program\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program\WIDCOMM\Bluetooth-programvara\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: GtFlashSwitch - OptionNV - C:\Program\Delade filer\GtFlashSwitch\GtFlashSwitch.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program\HPQ\SHARED\HPQWMI.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program\iPod\bin\iPodService.exe
O23 - Service: IS Service (ISSVC) - Symantec Corporation - C:\Program\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program\Delade filer\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program\Delade filer\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Plug and Play (RPC) (PlugPlayRPC) - Unknown owner - C:\WINDOWS\portsv.exe (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program\Delade filer\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program\Symantec Client Security\Symantec Client Firewall\SymSPort.exe

--
End of file - 11481 bytes


#2 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Welcome to GTG.

Please print the below instructions or copy them to Notepad. Make sure to work through the fixes in the order mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Run a scan in HijackThis. Check each of the following if they still exist and hit 'Fix Checked' after you have checked the last one:

O2 - BHO: {72e59b53-cd76-2228-f324-5f12e4077472} - {2747704e-21f5-423f-8222-67dc35b95e27} - C:\WINDOWS\system32\xdhcus.dll (file missing)
O4 - HKLM\..\Run: [{9F-F1-1B-BE-DW}] C:\windows\system32\rwwnw64d.exe DWram1
O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\rwwnw64d.exe
O23 - Service: Plug and Play (RPC) (PlugPlayRPC) - Unknown owner - C:\WINDOWS\portsv.exe (file missing)


Locate the following Files/Folders and delete them if they exist (if no location given, just do a search for them):

C:\WINDOWS\system32\rwwnw64d.exe

Go to Start->Run and type in notepad and hit OK. Then copy and paste the following into Notepad:

sc stop PlugPlayRPC
sc delete PlugPlayRPC
del delete.bat


Save the file as "delete.bat". Make sure to save it with the quotes. Double click on it.

1. Download combofix at http://download.blee...Bs/ComboFix.exe Save it to your Desktop before you run it.
2. Double-click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply.

Note:
Do not click on combofix's window while it's running. That may cause it to stall.

Edited by greyknight17, 30 June 2008 - 07:20 PM.

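The four entries greyknight17 picks out above share a small set of tells: a BHO or service whose binary is no longer on disk ("(file missing)"), a service with no vendor string ("Unknown owner"), and an autostart under %WINDIR% with a random-looking name that is registered in two places at once. The script below is an added example for this page, not part of the thread and not HijackThis code; it applies those checks to lines copied from the log in post #1 (embedded as sample input). The KNOWN_WINDIR allowlist and the heuristics themselves are assumptions fitted to this log, not a complete rule set.

```python
"""Triage a HijackThis log the way a malware helper reads it.

Added example for this page: not part of the thread and not HijackThis code.
The heuristics and the KNOWN_WINDIR allowlist are assumptions fitted to the
log posted above; treat the output as a worklist, not a verdict.
"""
import re

# Sample input: lines copied from frick's HijackThis log in post #1.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: {72e59b53-cd76-2228-f324-5f12e4077472} - {2747704e-21f5-423f-8222-67dc35b95e27} - C:\WINDOWS\system32\xdhcus.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program\Delade filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [{9F-F1-1B-BE-DW}] C:\windows\system32\rwwnw64d.exe DWram1
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\rwwnw64d.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Plug and Play (RPC) (PlugPlayRPC) - Unknown owner - C:\WINDOWS\portsv.exe (file missing)
"""

HJT_LINE = re.compile(r"^(R\d|O\d+) - (.*)$")
MISSING = re.compile(r"\((?:file missing|no file)\)\s*$", re.I)
# Either a quoted path, or an unquoted one up to the first binary-looking extension.
PATH = re.compile(r'"([^"]+?\.(?:exe|dll|sys|scr))"|([A-Za-z]:\\.+?\.(?:exe|dll|sys|scr))', re.I)
WINDIR = re.compile(r"^[A-Za-z]:\\windows\\", re.I)

# Assumed allowlist: autostarts that legitimately live under %WINDIR% on this
# XP laptop, taken from the log above. Extend it for your own fleet.
KNOWN_WINDIR = {"ctfmon.exe", "igfxtray.exe", "hkcmd.exe", "agrsmmsg.exe"}


def extract_path(line):
    """Return the first file path on an HJT result line, or None."""
    m = PATH.search(line)
    return (m.group(1) or m.group(2)) if m else None


def triage(log):
    """Map each suspicious HJT line to the list of reasons it was flagged."""
    findings = {}
    autostart_binaries = {}  # lowercased path -> O4 lines that launch it

    def flag(line, reason):
        findings.setdefault(line, []).append(reason)

    for raw in log.splitlines():
        line = raw.strip()
        m = HJT_LINE.match(line)
        if not m:
            continue
        section = m.group(1)
        if MISSING.search(line):
            flag(line, "points at a file that is no longer on disk")
        if section == "O23" and "Unknown owner" in line:
            flag(line, "service binary carries no vendor/owner string")
        path = extract_path(line)
        if path is None:
            continue
        base = path.rsplit("\\", 1)[-1].lower()
        if section == "O4":
            if WINDIR.match(path) and base not in KNOWN_WINDIR:
                flag(line, "autostart from %WINDIR% that is not on the allowlist")
            autostart_binaries.setdefault(path.lower(), []).append(line)

    # The same binary wired into more than one autostart location is a
    # persistence pattern worth a look even when each entry looks bland.
    for lines in autostart_binaries.values():
        if len(lines) > 1:
            for line in lines:
                flag(line, f"same binary registered in {len(lines)} autostart locations")
    return findings


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG).items():
        print(line)
        for r in reasons:
            print("    ->", r)
```

Run as-is it prints the flagged lines with their reasons. Besides the four entries greyknight17 named, it also flags the "(no name) ... (no file)" BHO he left alone: a CLSID with no DLL behind it loads nothing, so that one is noise, which is why a human still reads the output. For anything flagged that does exist on disk, the next step is to check the binary's hash and signature before removing it.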

#3 frick (Topic Starter, New Member, 6 posts)
Hi greyknight17,

and thanks for helping me.

Just wondering, why did "delete.bat" need to be saved with the quotes?

I followed your instructions, but C:\WINDOWS\system32\rwwnw64d.exe wasn't found.

Here is the ComboFix log:

ComboFix 08-06-20.4 - Administratör 2008-07-01 9:16:06.1 - NTFSx86
Running from: C:\Documents and Settings\Administratör\Skrivbord\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BM3f5ac28d.xml
C:\WINDOWS\mainms.vpi
C:\WINDOWS\megavid.cdt
C:\WINDOWS\muotr.so
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\deknbecn.ini
C:\WINDOWS\system32\eegprfdf.ini
C:\WINDOWS\system32\g21.exe
C:\WINDOWS\system32\hljwugsf.bin
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\phfblnpl.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MSSECURITY1.209.4


((((((((((((((((((((((((( Files Created from 2008-06-01 to 2008-07-01 )))))))))))))))))))))))))))))))
.

2008-07-01 09:20 . 2008-07-01 09:20 268 --ah----- C:\sqmdata02.sqm
2008-07-01 09:20 . 2008-07-01 09:20 244 --ah----- C:\sqmnoopt02.sqm
2008-06-30 08:37 . 2008-06-30 08:37 <KAT> d-------- C:\Program\Trend Micro
2008-06-30 08:11 . 2008-06-30 08:11 812,344 --a------ C:\Temp\HJTInstall.exe
2008-06-30 07:58 . 2008-06-30 07:58 268 --ah----- C:\sqmdata01.sqm
2008-06-30 07:58 . 2008-06-30 07:58 244 --ah----- C:\sqmnoopt01.sqm
2008-06-30 07:54 . 2008-06-30 07:54 <KAT> d-------- C:\Program\Sun
2008-06-30 07:54 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-06-30 07:43 . 2008-06-30 07:43 74,966,424 --a------ C:\Temp\jdk-6u6-windows-i586-p.exe
2008-06-29 22:16 . 2008-06-29 22:16 268 --ah----- C:\sqmdata00.sqm
2008-06-29 22:16 . 2008-06-29 22:16 244 --ah----- C:\sqmnoopt00.sqm
2008-06-29 11:13 . 2008-06-29 11:13 <KAT> d-------- C:\Program\Panda Security
2008-06-28 23:13 . 2008-06-28 23:13 <KAT> d-------- C:\Program\Windows Media Connect 2
2008-06-28 23:10 . 2008-06-28 23:11 <KAT> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-06-28 21:34 . 2008-06-28 22:41 <KAT> d-------- C:\WINDOWS\system32\sv
2008-06-28 21:34 . 2008-06-28 22:41 <KAT> d-------- C:\WINDOWS\system32\bits
2008-06-28 21:34 . 2008-06-28 22:41 <KAT> d-------- C:\WINDOWS\l2schemas
2008-06-28 21:21 . 2008-06-28 22:41 <KAT> d-------- C:\WINDOWS\ServicePackFiles
2008-06-28 21:04 . 2008-04-14 18:05 1,213,440 --a------ C:\WINDOWS\system32\ntbackup.exe
2008-06-28 21:03 . 2008-04-14 18:04 2,091,520 --a------ C:\WINDOWS\system32\cdosys.dll
2008-06-28 21:02 . 2008-04-14 17:37 1,845,632 --a------ C:\WINDOWS\system32\win32k.sys
2008-06-28 21:01 . 2008-04-14 17:44 2,189,824 --a------ C:\WINDOWS\system32\ntoskrnl.exe
2008-06-28 20:31 . 2004-08-03 22:29 25,471 --------- C:\WINDOWS\system32\drivers\watv10nt.sys
2008-06-28 20:31 . 2004-08-03 22:29 22,271 --------- C:\WINDOWS\system32\drivers\watv06nt.sys
2008-06-28 20:31 . 2004-08-03 22:29 11,935 --------- C:\WINDOWS\system32\drivers\wadv11nt.sys
2008-06-28 20:31 . 2004-08-03 22:29 11,871 --------- C:\WINDOWS\system32\drivers\wadv09nt.sys
2008-06-28 20:31 . 2004-08-03 22:29 11,807 --------- C:\WINDOWS\system32\drivers\wadv07nt.sys
2008-06-28 20:31 . 2004-08-03 22:29 11,295 --------- C:\WINDOWS\system32\drivers\wadv08nt.sys
2008-06-28 20:24 . 2004-08-04 01:07 701,440 --------- C:\WINDOWS\system32\drivers\ati2mtag.sys
2008-06-28 17:41 . 2008-06-28 17:41 0 --a------ C:\WINDOWS\system32\CMMGR32.EXE
2008-06-28 17:33 . 2008-06-28 17:33 <KAT> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-06-28 17:32 . 2008-06-29 19:40 <KAT> d-------- C:\Program\SUPERAntiSpyware
2008-06-28 15:15 . 2008-06-28 15:15 <KAT> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-28 15:15 . 2008-06-19 17:48 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-28 15:15 . 2008-06-19 17:47 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-28 15:14 . 2008-06-28 15:18 <KAT> d-------- C:\Program\Malwarebytes' Anti-Malware
2008-06-28 15:05 . 2008-06-28 15:06 834 ---hs---- C:\WINDOWS\system32\jhsvicpy.tmp
2008-06-28 14:22 . 2008-06-30 07:20 <KAT> d-------- C:\Temp\geek
2008-06-28 10:26 . 2008-06-28 10:26 104,960 --a------ C:\WINDOWS\system32\rmchlmdu.dll
2008-06-28 00:25 . 2008-06-28 00:25 0 --a------ C:\WINDOWS\vpc32.INI
2008-06-27 19:58 . 2008-06-30 07:59 40 --a------ C:\WINDOWS\system32\profile.dat
2008-06-27 19:51 . 2008-06-27 19:54 110,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-06-27 19:51 . 2008-06-27 19:54 48,768 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-06-27 19:51 . 2008-06-27 19:54 8,014 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-06-27 19:51 . 2008-06-27 19:54 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-06-27 19:48 . 2008-06-27 19:54 <KAT> d-------- C:\Program\Symantec
2008-06-27 19:47 . 2008-06-27 19:47 <KAT> d-------- C:\Program\Symantec Client Security
2008-06-27 19:47 . 2008-06-27 19:48 <KAT> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-06-27 19:35 . 2008-06-27 19:35 <KAT> d-------- C:\Temp\SCS_3.1.6_EN
2008-06-27 19:26 . 2008-06-27 19:26 <KAT> d-------- C:\Program\Lavasoft
2008-06-27 19:26 . 2008-06-27 19:29 <KAT> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-27 19:25 . 2008-06-28 17:32 <KAT> d-------- C:\Program\Delade filer\Wise Installation Wizard
2008-06-27 01:40 . 2008-06-29 19:56 <KAT> d-------- C:\WINDOWS\system32\8618
2008-06-27 01:35 . 2008-06-27 01:35 108,032 --a------ C:\WINDOWS\system32\elnuatda.dll
2008-06-27 01:34 . 2008-06-27 01:34 95,744 --a------ C:\WINDOWS\system32\uayyffhh.dll
2008-06-19 20:02 . 2008-06-19 20:02 109,056 --a------ C:\WINDOWS\system32\ydioslco.dll
2008-06-19 19:58 . 2008-06-19 19:58 109,056 --a------ C:\WINDOWS\system32\svtlklon.dll
2008-06-19 00:49 . 2008-06-19 00:49 <KAT> dr------- C:\Documents and Settings\LocalService\Favoriter
2008-06-19 00:48 . 2008-06-27 22:51 <KAT> d-------- C:\WINDOWS\system32\HRI
2008-06-19 00:48 . 2008-06-28 17:25 <KAT> d-------- C:\WINDOWS\system32\gov
2008-06-19 00:48 . 2008-06-27 22:48 <KAT> d-------- C:\WINDOWS\system32\cert
2008-06-19 00:48 . 2008-07-01 08:45 <KAT> d-------- C:\Temp
2008-06-18 02:14 . 2008-04-14 18:03 811,064 --a------ C:\WINDOWS\system32\dllcache\imjp81k.dll
2008-06-11 00:26 . 2008-06-14 19:36 272,128 --------- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-11 00:26 . 2008-05-08 16:02 203,136 --------- C:\WINDOWS\system32\dllcache\rmcast.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-30 05:58 --------- d-----w C:\Program\Delade filer\Symantec Shared
2008-06-30 05:53 --------- d-----w C:\Program\Java
2008-06-28 21:08 --------- d-----w C:\Program\Windows Media Connect
2008-06-28 09:26 --------- d-----w C:\Program\HPQ
2008-06-14 17:36 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-05-08 14:02 203,136 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-04-14 16:05 69,632 ----a-w C:\WINDOWS\SET4BD.tmp
2008-04-14 16:05 69,632 ----a-w C:\WINDOWS\notepad.exe
2008-04-14 16:05 32,866 ------w C:\WINDOWS\slrundll.exe
2008-04-14 16:05 32,866 ------w C:\WINDOWS\SET119E.tmp
2008-04-14 16:05 284,160 ----a-w C:\WINDOWS\winhlp32.exe
2008-04-14 16:05 284,160 ----a-w C:\WINDOWS\SET4BA.tmp
2008-04-14 16:05 148,480 ----a-w C:\WINDOWS\SET4BC.tmp
2008-04-14 16:05 148,480 ----a-w C:\WINDOWS\regedit.exe
2008-04-14 16:05 10,752 ----a-w C:\WINDOWS\SET4BE.tmp
2008-04-14 16:05 10,752 ----a-w C:\WINDOWS\hh.exe
2008-04-14 16:05 1,034,240 ----a-w C:\WINDOWS\SET4BF.tmp
2008-04-14 16:05 1,034,240 ----a-w C:\WINDOWS\explorer.exe
2008-04-14 16:04 50,688 ----a-w C:\WINDOWS\twain_32.dll
2008-04-14 16:04 50,688 ----a-w C:\WINDOWS\SET4BB.tmp
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 18:05 15360]
"SUPERAntiSpyware"="C:\Program\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-06-29 19:40 1506544]
"MsnMsgr"="C:\Program\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 12:35 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 09:11 1388544]
"SynTPLpr"="C:\Program\Synaptics\SynTP\SynTPLpr.exe" [2005-02-02 14:12 102492]
"SynTPEnh"="C:\Program\Synaptics\SynTP\SynTPEnh.exe" [2007-09-15 02:27 1015808]
"Cpqset"="C:\Program\HPQ\Default Settings\cpqset.exe" [2004-11-19 09:14 233534]
"hpWirelessAssistant"="C:\Program\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe" [2004-12-08 17:23 790528]
"WatchDog"="C:\Program\InterVideo\DVD Check\DVDCheck.exe" [2004-12-08 19:44 184320]
"HPWUTOOLBOX"="C:\Program\HP\HP Officejet Pro K550 Series\Toolbox\HPWUTBX.exe" [2005-09-19 11:31 352256]
"Sony Ericsson PC Suite"="C:\Program\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2007-05-28 10:14 528384]
"ccApp"="C:\Program\Delade filer\Symantec Shared\ccApp.exe" [2006-11-21 17:38 52840]
"vptray"="C:\Program\SYMANT~1\SYMANT~2\VPTray.exe" [2007-03-14 19:49 125632]
"SynTPStart"="C:\Program\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 02:29 102400]
"QuickTime Task"="C:\Program\QuickTime\qttask.exe" [2007-02-16 10:54 282624]
"iTunesHelper"="C:\Program\iTunes\iTunesHelper.exe" [2007-03-14 19:05 257088]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-12-21 14:16 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-12-21 14:11 126976]
"ANIWZCS2Service"="C:\Program\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2005-10-19 18:19 49152]
"AGRSMMSG"="AGRSMMSG.exe" [2005-04-13 12:12 88209 C:\WINDOWS\AGRSMMSG.exe]
"SunJavaUpdateSched"="C:\Program\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 18:05 15360]

C:\Documents and Settings\All Users\Start-meny\Program\Autostart\
BTTray.lnk - C:\Program\WIDCOMM\Bluetooth-programvara\BTTray.exe [2005-03-29 16:37:28 569405]
DVD Check.lnk - C:\Program\InterVideo\DVD Check\DVDCheck.exe [2006-01-04 09:43:41 184320]
Personal.lnk - C:\Program\Personal\bin\Personal.exe [2006-07-14 16:52:26 438272]
Telenor Mobilt Bredband.lnk - C:\Program\Option\Telenor Mobilt Bredband\Telenor Mobilt Bredband.exe [2007-05-18 09:57:54 724992]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program\SUPERAntiSpyware\SASSEH.DLL [2008-06-29 19:40 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program\SUPERAntiSpyware\SASWINLO.DLL 2008-06-29 19:40 294912 C:\Program\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli scecli

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MsSecurity1.209.4"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program\\iTunes\\iTunes.exe"=
"C:\\Program\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program\\Windows Live\\Messenger\\livecall.exe"=

R2 GtFlashSwitch;GtFlashSwitch;"C:\Program\Delade filer\GtFlashSwitch\GtFlashSwitch.exe" [2007-02-09 14:48]
R3 GTIPCI21;GTIPCI21;C:\WINDOWS\system32\DRIVERS\gtipci21.sys [2004-05-03 18:26]
R3 IFXTPM;IFXTPM;C:\WINDOWS\system32\DRIVERS\IFXTPM.SYS [2004-09-02 14:30]
S2 Automatisk LiveUpdate-schemaläggare;Automatisk LiveUpdate-schemaläggare;"C:\Program\Symantec\LiveUpdate\ALUSchedulerSvc.exe" [2006-09-02 16:36]
S3 GTMNDISIRPXP;GT M 3G+ IRP NDIS;C:\WINDOWS\system32\DRIVERS\Gtm51Irp.sys [2007-01-15 18:48]
S3 GTPTSER;GT PT SER;C:\WINDOWS\system32\DRIVERS\gtptser.sys [2007-01-15 18:48]
S3 GTUQBUS;GT UQ BUS;C:\WINDOWS\system32\DRIVERS\gtuqbus.sys [2007-01-15 18:48]
S3 s816bus;Sony Ericsson Device 816 driver (WDM);C:\WINDOWS\system32\DRIVERS\s816bus.sys [2007-06-19 09:51]
S3 s816mdfl;Sony Ericsson Device 816 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\s816mdfl.sys [2007-06-19 09:51]
S3 s816mdm;Sony Ericsson Device 816 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\s816mdm.sys [2007-06-19 09:51]

.
Contents of the 'Scheduled Tasks' folder
"2008-06-28 15:18:10 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program\Apple Software Update\SoftwareUpdate.exe
"2008-07-01 07:25:00 C:\WINDOWS\Tasks\Kontrollera uppdateringar för Windows Live Toolbar.job"

#4 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
You needed to use the double quotes to save that .bat file; otherwise it would be saved as delete.bat.txt, which we don't want. If you don't want to use double quotes, you can leave it as delete.bat, but you must change the file type drop-down to show All Files instead of the default Notepad text file type.

Open up your Notepad editor (Start->Run, type in notepad and click OK). Copy the text below into Notepad:

DirLook::
C:\Documents and Settings\LocalService\Favoriter
C:\WINDOWS\system32\HRI
C:\WINDOWS\system32\gov
C:\WINDOWS\system32\cert
File::
C:\WINDOWS\system32\jhsvicpy.tmp
C:\WINDOWS\system32\rmchlmdu.dll
C:\WINDOWS\system32\elnuatda.dll
C:\WINDOWS\system32\uayyffhh.dll
C:\WINDOWS\system32\ydioslco.dll
C:\WINDOWS\system32\svtlklon.dll
Folder::
C:\Temp\geek
C:\Temp\SCS_3.1.6_EN
C:\WINDOWS\system32\8618

Save this as CFScript.txt in the same location as the ComboFix.exe tool.
Drag the CFScript.txt into ComboFix.exe
Follow the prompts. When finished, it will produce a log for you. Post that log in your next reply.

Note: Do not click on combofix's window while it's running. That may cause it to stall.
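greyknight17's CFScript in post #4 targets six files from the "Files Created" section of the ComboFix log in post #3, and the "Reg Loading Points" section of that log shows the Security Center and Windows Firewall settings that had been switched off. The script below is an added example, not part of the thread and not ComboFix code, showing one way to pick those items out automatically. The file rule is: a file directly under %WINDIR% with an eight-letter random name whose modified time matches its created time (a freshly written drop, unlike ntbackup.exe or ntoskrnl.exe, which SP3 copied in on the same day but which keep their April build timestamps), or a loose file carrying hidden+system attributes. The registry rule looks for DisableMonitoring, *DisableNotify and EnableFirewall values. The sample input is taken from the log above; the one-hour tolerance and the name pattern are assumptions tuned to this log.

```python
"""Triage a ComboFix log: freshly dropped random-named files under %WINDIR%
and Security Center / firewall settings that were turned off.

Added example, not part of the original thread and not ComboFix code. The
thresholds (8-letter names, one-hour create/modify gap) are assumptions
fitted to the log above, not a general-purpose rule set.
"""
import re
from datetime import datetime, timedelta

# Constructed sample: "Files Created" lines copied from the ComboFix log in
# post #3 (created . modified size attrs path). <KAT> is this Swedish-locale
# log's directory marker; directories carry a 'd' attribute and are skipped.
SAMPLE_FILES = r"""
2008-06-30 07:54 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-06-28 21:04 . 2008-04-14 18:05 1,213,440 --a------ C:\WINDOWS\system32\ntbackup.exe
2008-06-28 21:01 . 2008-04-14 17:44 2,189,824 --a------ C:\WINDOWS\system32\ntoskrnl.exe
2008-06-28 15:15 . 2008-06-19 17:47 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-28 15:05 . 2008-06-28 15:06 834 ---hs---- C:\WINDOWS\system32\jhsvicpy.tmp
2008-06-28 10:26 . 2008-06-28 10:26 104,960 --a------ C:\WINDOWS\system32\rmchlmdu.dll
2008-06-27 01:40 . 2008-06-29 19:56 <KAT> d-------- C:\WINDOWS\system32\8618
2008-06-27 01:35 . 2008-06-27 01:35 108,032 --a------ C:\WINDOWS\system32\elnuatda.dll
2008-06-27 01:34 . 2008-06-27 01:34 95,744 --a------ C:\WINDOWS\system32\uayyffhh.dll
2008-06-19 20:02 . 2008-06-19 20:02 109,056 --a------ C:\WINDOWS\system32\ydioslco.dll
2008-06-19 19:58 . 2008-06-19 19:58 109,056 --a------ C:\WINDOWS\system32\svtlklon.dll
"""

# Constructed sample: the "Reg Loading Points" entries from the same log.
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

FILE_LINE = re.compile(r"^(\S+ \S+) \. (\S+ \S+) (<KAT>|<DIR>|[\d,]+) (\S+) (.+)$")
RANDOM_NAME = re.compile(r"^[a-z]{8}\.(?:dll|exe|tmp|ini|bin|sys)$")
FRESH = timedelta(hours=1)  # assumed tolerance between create and modify time
REG_VALUE = re.compile(r'^"([^"]+)"\s*=\s*(?:dword:([0-9a-fA-F]{8})|(\d+)\s*\(0x[0-9a-fA-F]+\))$')


def parse_files(text):
    """Yield one dict per file line; directory lines are skipped."""
    for line in text.splitlines():
        m = FILE_LINE.match(line.strip())
        if not m or m.group(4).startswith("d"):
            continue
        yield {
            "created": datetime.strptime(m.group(1), "%Y-%m-%d %H:%M"),
            "modified": datetime.strptime(m.group(2), "%Y-%m-%d %H:%M"),
            "size": int(m.group(3).replace(",", "")),
            "attrs": m.group(4),
            "path": m.group(5),
        }


def suspicious_files(text):
    """Map basename -> reasons for files under %WINDIR% that look dropped."""
    hits = {}
    for f in parse_files(text):
        if not f["path"].lower().startswith("c:\\windows\\"):
            continue
        base = f["path"].rsplit("\\", 1)[-1]
        reasons = []
        # A copied OS component keeps its old mtime; a dropped file is
        # written at creation, so create and modify times coincide.
        if RANDOM_NAME.match(base) and abs(f["modified"] - f["created"]) <= FRESH:
            reasons.append("random 8-letter name written at creation time")
        if "h" in f["attrs"] and "s" in f["attrs"]:
            reasons.append("hidden+system attributes on a loose file")
        if reasons:
            hits[base] = reasons
    return hits


def security_center_flags(text):
    """Return (key, value name, note) for settings that silence XP's Security Center."""
    flags, key = [], ""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = REG_VALUE.match(line)
        if not m:
            continue
        name = m.group(1)
        value = int(m.group(2), 16) if m.group(2) else int(m.group(3))
        leaf = key.rsplit("\\", 1)[-1]
        if name == "DisableMonitoring" and value == 1 and "security center\\monitoring\\" in key.lower():
            flags.append((key, name, "Security Center told to stop monitoring " + leaf))
        elif name.endswith("DisableNotify") and value == 1:
            flags.append((key, name, "Security Center alert suppressed: " + name))
        elif name == "EnableFirewall" and value == 0 and "firewallpolicy" in key.lower():
            flags.append((key, name, "Windows Firewall off for profile " + leaf))
    return flags


if __name__ == "__main__":
    for base, reasons in suspicious_files(SAMPLE_FILES).items():
        print(base, "->", "; ".join(reasons))
    for key, name, note in security_center_flags(SAMPLE_REG):
        print(f"{name} under {key}: {note}")
```

On the sample the file rule returns exactly the six files in the CFScript File:: list and nothing else. The registry findings are indicators, not proof: a third-party suite such as the Symantec Client Security installed here legitimately sets DisableMonitoring for its own antivirus and firewall, and may turn the Windows Firewall off in favour of its own, so each of those values has to be confirmed against what the installed products are expected to do.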

#5 frick (Topic Starter, New Member, 6 posts)
Hi,

When I dragged CFScript.txt into ComboFix.exe I received the following error:

Expired 08-06-20.4
Current date is 2008-07-02
This copy of combofix has expired. Please download an updated copy.

so I did...

Here is the latest log from ComboFix:

ComboFix 08-07-01.5 - Administratör 2008-07-02 19:11:51.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1053.18.159 [GMT 2:00]
Running from: C:\Documents and Settings\Administratör\Skrivbord\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administratör\Skrivbord\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\elnuatda.dll
C:\WINDOWS\system32\jhsvicpy.tmp
C:\WINDOWS\system32\rmchlmdu.dll
C:\WINDOWS\system32\svtlklon.dll
C:\WINDOWS\system32\uayyffhh.dll
C:\WINDOWS\system32\ydioslco.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Temp\geek
C:\Temp\geek\ActiveScan.txt
C:\Temp\geek\ATF_Cleaner.exe
C:\Temp\geek\mbam-setup.exe
C:\Temp\geek\SUPERAntiSpyware Scan Log - 06-29-2008 - 22-14-44.log
C:\Temp\geek\SUPERAntiSpyware.exe
C:\Temp\SCS_3.1.6_EN
C:\Temp\SCS_3.1.6_EN\0x0409.ini
C:\Temp\SCS_3.1.6_EN\Americas_pki_grc.exe
C:\Temp\SCS_3.1.6_EN\AP_pki_grc.exe
C:\Temp\SCS_3.1.6_EN\CPOLICY.XML
C:\Temp\SCS_3.1.6_EN\Data1.cab
C:\Temp\SCS_3.1.6_EN\EMEA_pki_grc.exe
C:\Temp\SCS_3.1.6_EN\instmsiw.exe
C:\Temp\SCS_3.1.6_EN\INSTOPTS.DAT
C:\Temp\SCS_3.1.6_EN\LUSETUP.EXE
C:\Temp\SCS_3.1.6_EN\README_FIRST.txt
C:\Temp\SCS_3.1.6_EN\Setup.exe
C:\Temp\SCS_3.1.6_EN\Setup.ini
C:\Temp\SCS_3.1.6_EN\Symantec Client Security.msi
C:\Temp\SCS_3.1.6_EN\VDefHub.zip
C:\WINDOWS\system32\8618
C:\WINDOWS\system32\8618\~!8029p.spt
C:\WINDOWS\system32\elnuatda.dll
C:\WINDOWS\system32\jhsvicpy.tmp
C:\WINDOWS\system32\rmchlmdu.dll
C:\WINDOWS\system32\svtlklon.dll
C:\WINDOWS\system32\uayyffhh.dll
C:\WINDOWS\system32\ydioslco.dll
.
---- Previous Run -------
.
C:\WINDOWS\BM3f5ac28d.xml
C:\WINDOWS\mainms.vpi
C:\WINDOWS\megavid.cdt
C:\WINDOWS\muotr.so
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\deknbecn.ini
C:\WINDOWS\system32\eegprfdf.ini
C:\WINDOWS\system32\g21.exe
C:\WINDOWS\system32\hljwugsf.bin
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\phfblnpl.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MSSECURITY1.209.4


((((((((((((((((((((((((( Files Created from 2008-06-02 to 2008-07-02 )))))))))))))))))))))))))))))))
.

2008-07-02 19:16 . 2008-07-02 19:16 268 --ah----- C:\sqmdata03.sqm
2008-07-02 19:16 . 2008-07-02 19:16 244 --ah----- C:\sqmnoopt03.sqm
2008-07-01 09:20 . 2008-07-01 09:20 268 --ah----- C:\sqmdata02.sqm
2008-07-01 09:20 . 2008-07-01 09:20 244 --ah----- C:\sqmnoopt02.sqm
2008-06-30 08:37 . 2008-06-30 08:37 <KAT> d-------- C:\Program\Trend Micro
2008-06-30 08:11 . 2008-06-30 08:11 812,344 --a------ C:\Temp\HJTInstall.exe
2008-06-30 07:58 . 2008-06-30 07:58 268 --ah----- C:\sqmdata01.sqm
2008-06-30 07:58 . 2008-06-30 07:58 244 --ah----- C:\sqmnoopt01.sqm
2008-06-30 07:54 . 2008-06-30 07:54 <KAT> d-------- C:\Program\Sun
2008-06-30 07:54 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-06-30 07:43 . 2008-06-30 07:43 74,966,424 --a------ C:\Temp\jdk-6u6-windows-i586-p.exe
2008-06-29 22:16 . 2008-06-29 22:16 268 --ah----- C:\sqmdata00.sqm
2008-06-29 22:16 . 2008-06-29 22:16 244 --ah----- C:\sqmnoopt00.sqm
2008-06-29 11:13 . 2008-06-29 11:13 <KAT> d-------- C:\Program\Panda Security
2008-06-28 23:13 . 2008-06-28 23:13 <KAT> d-------- C:\Program\Windows Media Connect 2
2008-06-28 23:10 . 2008-06-28 23:11 <KAT> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-06-28 21:34 . 2008-06-28 22:41 <KAT> d-------- C:\WINDOWS\system32\sv
2008-06-28 21:34 . 2008-06-28 22:41 <KAT> d-------- C:\WINDOWS\system32\bits
2008-06-28 21:34 . 2008-06-28 22:41 <KAT> d-------- C:\WINDOWS\l2schemas
2008-06-28 21:21 . 2008-06-28 22:41 <KAT> d-------- C:\WINDOWS\ServicePackFiles
2008-06-28 21:04 . 2008-04-14 18:05 1,213,440 --a------ C:\WINDOWS\system32\ntbackup.exe
2008-06-28 21:03 . 2008-04-14 18:04 2,091,520 --a------ C:\WINDOWS\system32\cdosys.dll
2008-06-28 21:02 . 2008-04-14 17:37 1,845,632 --a------ C:\WINDOWS\system32\win32k.sys
2008-06-28 21:01 . 2008-04-14 17:44 2,189,824 --a------ C:\WINDOWS\system32\ntoskrnl.exe
2008-06-28 20:31 . 2004-08-03 22:29 25,471 --------- C:\WINDOWS\system32\drivers\watv10nt.sys
2008-06-28 20:31 . 2004-08-03 22:29 22,271 --------- C:\WINDOWS\system32\drivers\watv06nt.sys
2008-06-28 20:31 . 2004-08-03 22:29 11,935 --------- C:\WINDOWS\system32\drivers\wadv11nt.sys
2008-06-28 20:31 . 2004-08-03 22:29 11,871 --------- C:\WINDOWS\system32\drivers\wadv09nt.sys
2008-06-28 20:31 . 2004-08-03 22:29 11,807 --------- C:\WINDOWS\system32\drivers\wadv07nt.sys
2008-06-28 20:31 . 2004-08-03 22:29 11,295 --------- C:\WINDOWS\system32\drivers\wadv08nt.sys
2008-06-28 20:24 . 2004-08-04 01:07 701,440 --------- C:\WINDOWS\system32\drivers\ati2mtag.sys
2008-06-28 17:41 . 2008-06-28 17:41 0 --a------ C:\WINDOWS\system32\CMMGR32.EXE
2008-06-28 17:33 . 2008-06-28 17:33 <KAT> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-06-28 17:32 . 2008-06-29 19:40 <KAT> d-------- C:\Program\SUPERAntiSpyware
2008-06-28 15:15 . 2008-06-28 15:15 <KAT> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-28 15:15 . 2008-06-19 17:48 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-28 15:15 . 2008-06-19 17:47 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-28 15:14 . 2008-06-28 15:18 <KAT> d-------- C:\Program\Malwarebytes' Anti-Malware
2008-06-28 00:25 . 2008-06-28 00:25 0 --a------ C:\WINDOWS\vpc32.INI
2008-06-27 19:58 . 2008-06-30 07:59 40 --a------ C:\WINDOWS\system32\profile.dat
2008-06-27 19:51 . 2008-06-27 19:54 110,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-06-27 19:51 . 2008-06-27 19:54 48,768 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-06-27 19:51 . 2008-06-27 19:54 8,014 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-06-27 19:51 . 2008-06-27 19:54 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-06-27 19:48 . 2008-06-27 19:54 <KAT> d-------- C:\Program\Symantec
2008-06-27 19:47 . 2008-06-27 19:47 <KAT> d-------- C:\Program\Symantec Client Security
2008-06-27 19:47 . 2008-06-27 19:48 <KAT> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-06-27 19:26 . 2008-06-27 19:26 <KAT> d-------- C:\Program\Lavasoft
2008-06-27 19:26 . 2008-06-27 19:29 <KAT> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-27 19:25 . 2008-06-28 17:32 <KAT> d-------- C:\Program\Delade filer\Wise Installation Wizard
2008-06-19 00:49 . 2008-06-19 00:49 <KAT> dr------- C:\Documents and Settings\LocalService\Favoriter
2008-06-19 00:48 . 2008-06-27 22:51 <KAT> d-------- C:\WINDOWS\system32\HRI
2008-06-19 00:48 . 2008-06-28 17:25 <KAT> d-------- C:\WINDOWS\system32\gov
2008-06-19 00:48 . 2008-06-27 22:48 <KAT> d-------- C:\WINDOWS\system32\cert
2008-06-19 00:48 . 2008-07-02 19:13 <KAT> d-------- C:\Temp
2008-06-18 02:14 . 2008-04-14 18:03 811,064 --a------ C:\WINDOWS\system32\dllcache\imjp81k.dll
2008-06-11 00:26 . 2008-06-14 19:36 272,128 --------- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-11 00:26 . 2008-05-08 16:02 203,136 --------- C:\WINDOWS\system32\dllcache\rmcast.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-30 05:58 --------- d-----w C:\Program\Delade filer\Symantec Shared
2008-06-30 05:53 --------- d-----w C:\Program\Java
2008-06-28 21:08 --------- d-----w C:\Program\Windows Media Connect
2008-06-28 09:26 --------- d-----w C:\Program\HPQ
2008-06-14 17:36 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-05-08 14:02 203,136 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-04-14 16:07 234,108 ----a-w C:\WINDOWS\AppPatch\SET570.tmp
2008-04-14 16:07 204,396 ----a-w C:\WINDOWS\AppPatch\SET56F.tmp
2008-04-14 16:07 1,202,774 ----a-w C:\WINDOWS\AppPatch\SET56E.tmp
2008-04-14 16:05 69,632 ----a-w C:\WINDOWS\SET4BD.tmp
2008-04-14 16:05 69,632 ----a-w C:\WINDOWS\notepad.exe
2008-04-14 16:05 32,866 ------w C:\WINDOWS\slrundll.exe
2008-04-14 16:05 32,866 ------w C:\WINDOWS\SET119E.tmp
2008-04-14 16:05 284,160 ----a-w C:\WINDOWS\winhlp32.exe
2008-04-14 16:05 284,160 ----a-w C:\WINDOWS\SET4BA.tmp
2008-04-14 16:05 148,480 ----a-w C:\WINDOWS\SET4BC.tmp
2008-04-14 16:05 148,480 ----a-w C:\WINDOWS\regedit.exe
2008-04-14 16:05 10,752 ----a-w C:\WINDOWS\SET4BE.tmp
2008-04-14 16:05 10,752 ----a-w C:\WINDOWS\hh.exe
2008-04-14 16:05 1,034,240 ----a-w C:\WINDOWS\SET4BF.tmp
2008-04-14 16:05 1,034,240 ----a-w C:\WINDOWS\explorer.exe
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\Documents and Settings\LocalService\Favoriter ----

2008-06-19 00:49 122 --ahs---- C:\Documents and Settings\LocalService\Favoriter\Desktop.ini

---- Directory of C:\WINDOWS\system32\cert ----


---- Directory of C:\WINDOWS\system32\gov ----


---- Directory of C:\WINDOWS\system32\HRI ----



((((((((((((((((((((((((((((( snapshot@2008-07-01_ 9.34.21.92 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-07-01 07:22:20 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-07-02 17:18:29 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-07-01 07:25:32 10,344 ----a-w C:\WINDOWS\TEMP\symlcbrd.sys
+ 2008-07-02 17:21:40 10,344 ----a-w C:\WINDOWS\TEMP\symlcbrd.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 18:05 15360]
"SUPERAntiSpyware"="C:\Program\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-06-29 19:40 1506544]
"MsnMsgr"="C:\Program\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 12:35 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 09:11 1388544]
"SynTPLpr"="C:\Program\Synaptics\SynTP\SynTPLpr.exe" [2005-02-02 14:12 102492]
"SynTPEnh"="C:\Program\Synaptics\SynTP\SynTPEnh.exe" [2007-09-15 02:27 1015808]
"Cpqset"="C:\Program\HPQ\Default Settings\cpqset.exe" [2004-11-19 09:14 233534]
"WatchDog"="C:\Program\InterVideo\DVD Check\DVDCheck.exe" [2004-12-08 19:44 184320]
"HPWUTOOLBOX"="C:\Program\HP\HP Officejet Pro K550 Series\Toolbox\HPWUTBX.exe" [2005-09-19 11:31 352256]
"Sony Ericsson PC Suite"="C:\Program\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2007-05-28 10:14 528384]
"ccApp"="C:\Program\Delade filer\Symantec Shared\ccApp.exe" [2006-11-21 17:38 52840]
"vptray"="C:\Program\SYMANT~1\SYMANT~2\VPTray.exe" [2007-03-14 19:49 125632]
"SynTPStart"="C:\Program\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 02:29 102400]
"QuickTime Task"="C:\Program\QuickTime\qttask.exe" [2007-02-16 10:54 282624]
"iTunesHelper"="C:\Program\iTunes\iTunesHelper.exe" [2007-03-14 19:05 257088]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-12-21 14:16 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-12-21 14:11 126976]
"ANIWZCS2Service"="C:\Program\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2005-10-19 18:19 49152]
"SunJavaUpdateSched"="C:\Program\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
"AGRSMMSG"="AGRSMMSG.exe" [2005-04-13 12:12 88209 C:\WINDOWS\AGRSMMSG.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 18:05 15360]

C:\Documents and Settings\All Users\Start-meny\Program\Autostart\
BTTray.lnk - C:\Program\WIDCOMM\Bluetooth-programvara\BTTray.exe [2005-03-29 16:37:28 569405]
DVD Check.lnk - C:\Program\InterVideo\DVD Check\DVDCheck.exe [2006-01-04 09:43:41 184320]
Personal.lnk - C:\Program\Personal\bin\Personal.exe [2006-07-14 16:52:26 438272]
Telenor Mobilt Bredband.lnk - C:\Program\Option\Telenor Mobilt Bredband\Telenor Mobilt Bredband.exe [2007-05-18 09:57:54 724992]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program\SUPERAntiSpyware\SASSEH.DLL" [2008-06-29 19:40 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-06-29 19:40 294912 C:\Program\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli scecli

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MsSecurity1.209.4"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program\\iTunes\\iTunes.exe"=
"C:\\Program\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program\\Windows Live\\Messenger\\livecall.exe"=

R2 GtFlashSwitch;GtFlashSwitch;"C:\Program\Delade filer\GtFlashSwitch\GtFlashSwitch.exe" [2007-02-09 14:48]
R3 GTIPCI21;GTIPCI21;C:\WINDOWS\system32\DRIVERS\gtipci21.sys [2004-05-03 18:26]
R3 IFXTPM;IFXTPM;C:\WINDOWS\system32\DRIVERS\IFXTPM.SYS [2004-09-02 14:30]
S2 Automatisk LiveUpdate-schemaläggare;Automatisk LiveUpdate-schemaläggare;"C:\Program\Symantec\LiveUpdate\ALUSchedulerSvc.exe" [2006-09-02 16:36]
S3 GTMNDISIRPXP;GT M 3G+ IRP NDIS;C:\WINDOWS\system32\DRIVERS\Gtm51Irp.sys [2007-01-15 18:48]
S3 GTPTSER;GT PT SER;C:\WINDOWS\system32\DRIVERS\gtptser.sys [2007-01-15 18:48]
S3 GTUQBUS;GT UQ BUS;C:\WINDOWS\system32\DRIVERS\gtuqbus.sys [2007-01-15 18:48]
S3 s816bus;Sony Ericsson Device 816 driver (WDM);C:\WINDOWS\system32\DRIVERS\s816bus.sys [2007-06-19 09:51]
S3 s816mdfl;Sony Ericsson Device 816 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\s816mdfl.sys [2007-06-19 09:51]
S3 s816mdm;Sony Ericsson Device 816 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\s816mdm.sys [2007-06-19 09:51]

.
Contents of the 'Scheduled Tasks' folder
"2008-06-28 15:18:10 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program\Apple Software Update\SoftwareUpdate.exe
"2008-07-02 17:25:00 C:\WINDOWS\Tasks\Kontrollera uppdateringar för Windows Live Toolbar.job"
  • 0

#6
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Open up your Notepad editor (Start->Run, type in notepad and click OK). Copy the text from the quotebox below into Notepad:

Driver::
MsSecurity1.209.4
Folder::
C:\Documents and Settings\LocalService\Favoriter
C:\WINDOWS\system32\HRI
C:\WINDOWS\system32\gov
C:\WINDOWS\system32\cert
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MsSecurity1.209.4"=-

Save this as CFScript.txt in the same location as the ComboFix.exe tool.
Drag the CFScript.txt into ComboFix.exe
Follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not click on ComboFix's window while it's running. That may cause it to stall.
  • 0
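As an added example (not code from this thread, from ComboFix, or from its author), the Python below pulls the "Look" and "Reg Loading Points" sections out of a ComboFix log like the one posted above, flags the Security Center and firewall settings that the log shows turned off, and emits a CFScript in the directive layout greyknight17 gave (Driver::, Folder::, Registry:: with "name"=- to delete a value). The log excerpt is a constructed cut-down copy of the thread's own log, and the choice of what becomes a Driver:: or Folder:: target mirrors the post's script for this one case rather than any general rule about what is safe to remove.

```python
import re

# Constructed sample: a cut-down excerpt of the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
(((((((((((((((((((((((((((((((((((((((((((( Look ))))))))))))))))))))))))))))))))))))))))))))))))))))))))
---- Directory of C:\Documents and Settings\LocalService\Favoriter ----
---- Directory of C:\WINDOWS\system32\cert ----
---- Directory of C:\WINDOWS\system32\gov ----
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MsSecurity1.209.4"=2 (0x2)
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

HEADER_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")            # (((( Section name ))))
REG_KEY_RE = re.compile(r"^\[(.+)\]$")                     # [HKEY_...\key]
REG_VAL_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')         # "name"=data
LOOK_DIR_RE = re.compile(r"^---- Directory of (.+?) ----$")

def split_sections(log):
    """Group log lines under the (((( Section )))) banner that precedes them."""
    sections, current = {}, "preamble"
    for line in log.splitlines():
        m = HEADER_RE.match(line)
        current = m.group(1) if m else current
        if not m:
            sections.setdefault(current, []).append(line)
    return sections

def parse_reg_points(lines):
    """Parse the REGEDIT4-style block into {key: {value name: raw data}}."""
    reg, key = {}, None
    for line in lines:
        k, v = REG_KEY_RE.match(line), REG_VAL_RE.match(line)
        if k:
            key = k.group(1)
            reg.setdefault(key, {})
        elif v and key:
            reg[key][v.group(1)] = v.group(2).strip()
    return reg

def reg_int(data):
    """Turn ComboFix's '2 (0x2)' or 'dword:00000001' into an int (None if not numeric)."""
    m = re.search(r"\(0x([0-9a-fA-F]+)\)$", data) or re.match(r"dword:([0-9a-fA-F]+)$", data)
    return int(m.group(1), 16) if m else None

def weakened_security_center(reg):
    """Flag settings that silence or disable the Windows Firewall / Security Center.
    Third-party suites sometimes set the Monitoring entries themselves, so these
    are review items for the analyst, not proof of infection on their own."""
    findings = []
    for key, values in reg.items():
        k = key.lower()
        if k.endswith("\\security center") and reg_int(values.get("FirewallDisableNotify", "")) == 1:
            findings.append("Security Center firewall notifications silenced")
        if "\\security center\\monitoring\\" in k and reg_int(values.get("DisableMonitoring", "")) == 1:
            findings.append("Security Center monitoring disabled for " + key.rsplit("\\", 1)[1])
        if k.endswith("firewallpolicy\\standardprofile") and reg_int(values.get("EnableFirewall", "")) == 0:
            findings.append("Windows Firewall (standard profile) turned off")
    return findings

def build_cfscript(drivers, folders, reg_deletions):
    """CFScript text in the layout of the post; "name"=- tells ComboFix to delete that value."""
    out = (["Driver::"] + drivers if drivers else []) + (["Folder::"] + folders if folders else [])
    if reg_deletions:
        out.append("Registry::")
        for key, names in reg_deletions.items():
            out += ["[%s]" % key] + ['"%s"=-' % n for n in names]
    return "\n".join(out) + "\n"

def script_from_log(log):
    """Mirror the choices in the post (this one case, not a general safe-to-delete rule):
    the msconfig-disabled service is the Driver:: target plus a Registry:: deletion,
    and the directories listed under 'Look' are the Folder:: targets."""
    sections = split_sections(log)
    reg = parse_reg_points(sections.get("Reg Loading Points", []))
    msconfig = {k: v for k, v in reg.items() if k.lower().endswith("\\msconfig\\services")}
    folders = [m.group(1) for m in map(LOOK_DIR_RE.match, sections.get("Look", [])) if m]
    drivers = [name for values in msconfig.values() for name in values]
    return build_cfscript(drivers, folders, {k: list(v) for k, v in msconfig.items()})

if __name__ == "__main__":
    for f in weakened_security_center(parse_reg_points(split_sections(SAMPLE_LOG)["Reg Loading Points"])):
        print("REVIEW:", f)
    print(script_from_log(SAMPLE_LOG))
```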

#7
frick

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Hi,

the new log looks like this:

ComboFix 08-07-01.5 - Administratör 2008-07-03 8:47:57.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1053.18.134 [GMT 2:00]
Running from: C:\Documents and Settings\Administratör\Skrivbord\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administratör\Skrivbord\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Documents and Settings\LocalService\Favoriter :#:
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\cert
C:\WINDOWS\system32\gov
C:\WINDOWS\system32\HRI
.
---- Previous Run -------
.
C:\Temp\geek
C:\Temp\geek\ActiveScan.txt
C:\Temp\geek\ATF_Cleaner.exe
C:\Temp\geek\mbam-setup.exe
C:\Temp\geek\SUPERAntiSpyware Scan Log - 06-29-2008 - 22-14-44.log
C:\Temp\geek\SUPERAntiSpyware.exe
C:\Temp\SCS_3.1.6_EN
C:\Temp\SCS_3.1.6_EN\0x0409.ini
C:\Temp\SCS_3.1.6_EN\Americas_pki_grc.exe
C:\Temp\SCS_3.1.6_EN\AP_pki_grc.exe
C:\Temp\SCS_3.1.6_EN\CPOLICY.XML
C:\Temp\SCS_3.1.6_EN\Data1.cab
C:\Temp\SCS_3.1.6_EN\EMEA_pki_grc.exe
C:\Temp\SCS_3.1.6_EN\instmsiw.exe
C:\Temp\SCS_3.1.6_EN\INSTOPTS.DAT
C:\Temp\SCS_3.1.6_EN\LUSETUP.EXE
C:\Temp\SCS_3.1.6_EN\README_FIRST.txt
C:\Temp\SCS_3.1.6_EN\Setup.exe
C:\Temp\SCS_3.1.6_EN\Setup.ini
C:\Temp\SCS_3.1.6_EN\Symantec Client Security.msi
C:\Temp\SCS_3.1.6_EN\VDefHub.zip
C:\WINDOWS\BM3f5ac28d.xml
C:\WINDOWS\mainms.vpi
C:\WINDOWS\megavid.cdt
C:\WINDOWS\muotr.so
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\8618
C:\WINDOWS\system32\8618\~!8029p.spt
C:\WINDOWS\system32\deknbecn.ini
C:\WINDOWS\system32\eegprfdf.ini
C:\WINDOWS\system32\elnuatda.dll
C:\WINDOWS\system32\g21.exe
C:\WINDOWS\system32\hljwugsf.bin
C:\WINDOWS\system32\jhsvicpy.tmp
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\phfblnpl.ini
C:\WINDOWS\system32\rmchlmdu.dll
C:\WINDOWS\system32\svtlklon.dll
C:\WINDOWS\system32\uayyffhh.dll
C:\WINDOWS\system32\ydioslco.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MSSECURITY1.209.4


((((((((((((((((((((((((( Files Created from 2008-06-03 to 2008-07-03 )))))))))))))))))))))))))))))))
.

2008-07-03 08:53 . 2008-07-03 08:53 268 --ah----- C:\sqmdata04.sqm
2008-07-03 08:53 . 2008-07-03 08:53 244 --ah----- C:\sqmnoopt04.sqm
2008-07-02 19:16 . 2008-07-02 19:16 268 --ah----- C:\sqmdata03.sqm
2008-07-02 19:16 . 2008-07-02 19:16 244 --ah----- C:\sqmnoopt03.sqm
2008-07-01 09:20 . 2008-07-01 09:20 268 --ah----- C:\sqmdata02.sqm
2008-07-01 09:20 . 2008-07-01 09:20 244 --ah----- C:\sqmnoopt02.sqm
2008-06-30 08:37 . 2008-06-30 08:37 <KAT> d-------- C:\Program\Trend Micro
2008-06-30 08:11 . 2008-06-30 08:11 812,344 --a------ C:\Temp\HJTInstall.exe
2008-06-30 07:58 . 2008-06-30 07:58 268 --ah----- C:\sqmdata01.sqm
2008-06-30 07:58 . 2008-06-30 07:58 244 --ah----- C:\sqmnoopt01.sqm
2008-06-30 07:54 . 2008-06-30 07:54 <KAT> d-------- C:\Program\Sun
2008-06-30 07:54 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-06-30 07:43 . 2008-06-30 07:43 74,966,424 --a------ C:\Temp\jdk-6u6-windows-i586-p.exe
2008-06-29 22:16 . 2008-06-29 22:16 268 --ah----- C:\sqmdata00.sqm
2008-06-29 22:16 . 2008-06-29 22:16 244 --ah----- C:\sqmnoopt00.sqm
2008-06-29 11:13 . 2008-06-29 11:13 <KAT> d-------- C:\Program\Panda Security
2008-06-28 23:13 . 2008-06-28 23:13 <KAT> d-------- C:\Program\Windows Media Connect 2
2008-06-28 23:10 . 2008-06-28 23:11 <KAT> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-06-28 21:34 . 2008-06-28 22:41 <KAT> d-------- C:\WINDOWS\system32\sv
2008-06-28 21:34 . 2008-06-28 22:41 <KAT> d-------- C:\WINDOWS\system32\bits
2008-06-28 21:34 . 2008-06-28 22:41 <KAT> d-------- C:\WINDOWS\l2schemas
2008-06-28 21:21 . 2008-06-28 22:41 <KAT> d-------- C:\WINDOWS\ServicePackFiles
2008-06-28 21:04 . 2008-04-14 18:05 1,213,440 --a------ C:\WINDOWS\system32\ntbackup.exe
2008-06-28 21:03 . 2008-04-14 18:04 2,091,520 --a------ C:\WINDOWS\system32\cdosys.dll
2008-06-28 21:02 . 2008-04-14 17:37 1,845,632 --a------ C:\WINDOWS\system32\win32k.sys
2008-06-28 21:01 . 2008-04-14 17:44 2,189,824 --a------ C:\WINDOWS\system32\ntoskrnl.exe
2008-06-28 20:31 . 2004-08-03 22:29 25,471 --------- C:\WINDOWS\system32\drivers\watv10nt.sys
2008-06-28 20:31 . 2004-08-03 22:29 22,271 --------- C:\WINDOWS\system32\drivers\watv06nt.sys
2008-06-28 20:31 . 2004-08-03 22:29 11,935 --------- C:\WINDOWS\system32\drivers\wadv11nt.sys
2008-06-28 20:31 . 2004-08-03 22:29 11,871 --------- C:\WINDOWS\system32\drivers\wadv09nt.sys
2008-06-28 20:31 . 2004-08-03 22:29 11,807 --------- C:\WINDOWS\system32\drivers\wadv07nt.sys
2008-06-28 20:31 . 2004-08-03 22:29 11,295 --------- C:\WINDOWS\system32\drivers\wadv08nt.sys
2008-06-28 20:24 . 2004-08-04 01:07 701,440 --------- C:\WINDOWS\system32\drivers\ati2mtag.sys
2008-06-28 17:41 . 2008-06-28 17:41 0 --a------ C:\WINDOWS\system32\CMMGR32.EXE
2008-06-28 17:33 . 2008-06-28 17:33 <KAT> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-06-28 17:32 . 2008-06-29 19:40 <KAT> d-------- C:\Program\SUPERAntiSpyware
2008-06-28 15:15 . 2008-06-28 15:15 <KAT> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-28 15:15 . 2008-06-19 17:48 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-28 15:15 . 2008-06-19 17:47 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-28 15:14 . 2008-06-28 15:18 <KAT> d-------- C:\Program\Malwarebytes' Anti-Malware
2008-06-28 00:25 . 2008-06-28 00:25 0 --a------ C:\WINDOWS\vpc32.INI
2008-06-27 19:58 . 2008-06-30 07:59 40 --a------ C:\WINDOWS\system32\profile.dat
2008-06-27 19:51 . 2008-06-27 19:54 110,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-06-27 19:51 . 2008-06-27 19:54 48,768 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-06-27 19:51 . 2008-06-27 19:54 8,014 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-06-27 19:51 . 2008-06-27 19:54 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-06-27 19:48 . 2008-06-27 19:54 <KAT> d-------- C:\Program\Symantec
2008-06-27 19:47 . 2008-06-27 19:47 <KAT> d-------- C:\Program\Symantec Client Security
2008-06-27 19:47 . 2008-06-27 19:48 <KAT> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-06-27 19:26 . 2008-06-27 19:26 <KAT> d-------- C:\Program\Lavasoft
2008-06-27 19:26 . 2008-06-27 19:29 <KAT> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-27 19:25 . 2008-06-28 17:32 <KAT> d-------- C:\Program\Delade filer\Wise Installation Wizard
2008-06-19 00:49 . 2008-06-19 00:49 <KAT> dr------- C:\Documents and Settings\LocalService\Favoriter
2008-06-19 00:48 . 2008-07-02 19:13 <KAT> d-------- C:\Temp
2008-06-18 02:14 . 2008-04-14 18:03 811,064 --a------ C:\WINDOWS\system32\dllcache\imjp81k.dll
2008-06-11 00:26 . 2008-06-14 19:36 272,128 --------- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-11 00:26 . 2008-05-08 16:02 203,136 --------- C:\WINDOWS\system32\dllcache\rmcast.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-30 05:58 --------- d-----w C:\Program\Delade filer\Symantec Shared
2008-06-30 05:53 --------- d-----w C:\Program\Java
2008-06-28 21:08 --------- d-----w C:\Program\Windows Media Connect
2008-06-28 09:26 --------- d-----w C:\Program\HPQ
2008-06-14 17:36 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-05-08 14:02 203,136 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-04-14 16:07 234,108 ----a-w C:\WINDOWS\AppPatch\SET570.tmp
2008-04-14 16:07 204,396 ----a-w C:\WINDOWS\AppPatch\SET56F.tmp
2008-04-14 16:07 1,202,774 ----a-w C:\WINDOWS\AppPatch\SET56E.tmp
2008-04-14 16:05 69,632 ----a-w C:\WINDOWS\SET4BD.tmp
2008-04-14 16:05 69,632 ----a-w C:\WINDOWS\notepad.exe
2008-04-14 16:05 32,866 ------w C:\WINDOWS\slrundll.exe
2008-04-14 16:05 32,866 ------w C:\WINDOWS\SET119E.tmp
2008-04-14 16:05 284,160 ----a-w C:\WINDOWS\winhlp32.exe
2008-04-14 16:05 284,160 ----a-w C:\WINDOWS\SET4BA.tmp
2008-04-14 16:05 148,480 ----a-w C:\WINDOWS\SET4BC.tmp
2008-04-14 16:05 148,480 ----a-w C:\WINDOWS\regedit.exe
2008-04-14 16:05 10,752 ----a-w C:\WINDOWS\SET4BE.tmp
2008-04-14 16:05 10,752 ----a-w C:\WINDOWS\hh.exe
2008-04-14 16:05 1,034,240 ----a-w C:\WINDOWS\SET4BF.tmp
2008-04-14 16:05 1,034,240 ----a-w C:\WINDOWS\explorer.exe
.

((((((((((((((((((((((((((((( snapshot@2008-07-01_ 9.34.21.92 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-07-01 07:22:20 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-07-03 06:54:40 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-07-01 07:25:32 10,344 ----a-w C:\WINDOWS\TEMP\symlcbrd.sys
+ 2008-07-03 06:57:51 10,344 ----a-w C:\WINDOWS\TEMP\symlcbrd.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 18:05 15360]
"SUPERAntiSpyware"="C:\Program\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-06-29 19:40 1506544]
"MsnMsgr"="C:\Program\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 12:35 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 09:11 1388544]
"SynTPLpr"="C:\Program\Synaptics\SynTP\SynTPLpr.exe" [2005-02-02 14:12 102492]
"SynTPEnh"="C:\Program\Synaptics\SynTP\SynTPEnh.exe" [2007-09-15 02:27 1015808]
"Cpqset"="C:\Program\HPQ\Default Settings\cpqset.exe" [2004-11-19 09:14 233534]
"WatchDog"="C:\Program\InterVideo\DVD Check\DVDCheck.exe" [2004-12-08 19:44 184320]
"HPWUTOOLBOX"="C:\Program\HP\HP Officejet Pro K550 Series\Toolbox\HPWUTBX.exe" [2005-09-19 11:31 352256]
"Sony Ericsson PC Suite"="C:\Program\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2007-05-28 10:14 528384]
"ccApp"="C:\Program\Delade filer\Symantec Shared\ccApp.exe" [2006-11-21 17:38 52840]
"vptray"="C:\Program\SYMANT~1\SYMANT~2\VPTray.exe" [2007-03-14 19:49 125632]
"SynTPStart"="C:\Program\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 02:29 102400]
"QuickTime Task"="C:\Program\QuickTime\qttask.exe" [2007-02-16 10:54 282624]
"iTunesHelper"="C:\Program\iTunes\iTunesHelper.exe" [2007-03-14 19:05 257088]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-12-21 14:16 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-12-21 14:11 126976]
"ANIWZCS2Service"="C:\Program\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2005-10-19 18:19 49152]
"SunJavaUpdateSched"="C:\Program\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
"AGRSMMSG"="AGRSMMSG.exe" [2005-04-13 12:12 88209 C:\WINDOWS\AGRSMMSG.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 18:05 15360]

C:\Documents and Settings\All Users\Start-meny\Program\Autostart\
BTTray.lnk - C:\Program\WIDCOMM\Bluetooth-programvara\BTTray.exe [2005-03-29 16:37:28 569405]
DVD Check.lnk - C:\Program\InterVideo\DVD Check\DVDCheck.exe [2006-01-04 09:43:41 184320]
Personal.lnk - C:\Program\Personal\bin\Personal.exe [2006-07-14 16:52:26 438272]
Telenor Mobilt Bredband.lnk - C:\Program\Option\Telenor Mobilt Bredband\Telenor Mobilt Bredband.exe [2007-05-18 09:57:54 724992]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program\SUPERAntiSpyware\SASSEH.DLL" [2008-06-29 19:40 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-06-29 19:40 294912 C:\Program\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli scecli

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program\\iTunes\\iTunes.exe"=
"C:\\Program\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program\\Windows Live\\Messenger\\livecall.exe"=

R2 GtFlashSwitch;GtFlashSwitch;"C:\Program\Delade filer\GtFlashSwitch\GtFlashSwitch.exe" [2007-02-09 14:48]
R3 GTIPCI21;GTIPCI21;C:\WINDOWS\system32\DRIVERS\gtipci21.sys [2004-05-03 18:26]
R3 IFXTPM;IFXTPM;C:\WINDOWS\system32\DRIVERS\IFXTPM.SYS [2004-09-02 14:30]
S2 Automatisk LiveUpdate-schemaläggare;Automatisk LiveUpdate-schemaläggare;"C:\Program\Symantec\LiveUpdate\ALUSchedulerSvc.exe" [2006-09-02 16:36]
S3 GTMNDISIRPXP;GT M 3G+ IRP NDIS;C:\WINDOWS\system32\DRIVERS\Gtm51Irp.sys [2007-01-15 18:48]
S3 GTPTSER;GT PT SER;C:\WINDOWS\system32\DRIVERS\gtptser.sys [2007-01-15 18:48]
S3 GTUQBUS;GT UQ BUS;C:\WINDOWS\system32\DRIVERS\gtuqbus.sys [2007-01-15 18:48]
S3 s816bus;Sony Ericsson Device 816 driver (WDM);C:\WINDOWS\system32\DRIVERS\s816bus.sys [2007-06-19 09:51]
S3 s816mdfl;Sony Ericsson Device 816 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\s816mdfl.sys [2007-06-19 09:51]
S3 s816mdm;Sony Ericsson Device 816 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\s816mdm.sys [2007-06-19 09:51]

.
Contents of the 'Scheduled Tasks' folder
"2008-06-28 15:18:10 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program\Apple Software Update\SoftwareUpdate.exe
"2008-07-02 18:25:00 C:\WINDOWS\Tasks\Kontrollera uppdateringar för Windows Live Toolbar.job"
  • 0

#8
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Is that the whole log? I noticed from your first post that this was happening. There should be a handful more lines after that last part you posted with the Scheduled Tasks folder.
  • 0

#9
frick

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Hi,

Yes, it's the whole log.

I took it from C:\ComboFix\ComboFix.txt

The first time I ran ComboFix.exe I thought that it would open Notepad at the end to present the log, but no. Then I assumed that C:\ComboFix\ComboFix.txt was the log. In the same directory there is also a file, temp00, that only has the last two lines that can be found in ComboFix.txt.

/frick
  • 0

#10
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Need to look into why that happened...but it looks good now.

Good job. Your log is clean.

To help prevent future spyware infections, read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If none, go to Start->Run, copy/paste in combofix /u and hit OK to remove it. You should be set to go.
  • 0

#11
frick

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Hi,

Yes, it looks like it's normal again.

Thank you very much for your help. I appreciate it a lot.

/frick
  • 0

#12
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0