
Bloodhound.W32.Ep [resolved]


  • This topic is locked

#1
Erik0726

    New Member

  • Member
  • 8 posts
Hi, I am from Sweden and found your forum when I searched for help in order to cure my computer from the above-mentioned virus. First let me say that I am a total beginner when it comes to viruses and fixing computers infected by one. I have done all the virus scans you suggest and the results are the following logs. They are from HijackThis, ewido and Ad-Aware. If any of you have a suggestion on how I can fix my computer, or if you need further info in order to help, please bear with me and the fact that I don't know the meaning of all the words and instructions surrounding virus hunting. So please try to keep it simple.

The virus that I have caught has installed a new background on my desktop telling me to click on an icon in order to upgrade my security. Furthermore, Norton (I had Norton 2003 when I got the virus but have now upgraded it to Norton 2005) tells me that it has detected the virus in my title but is unable to place it in quarantine.

Many thanks/ Erik :tazz:

Logfile of HijackThis v1.99.1
Scan saved at 20:48:30, on 2005-07-26
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program\Delade filer\Symantec Shared\ccSetMgr.exe
C:\Program\Delade filer\Symantec Shared\SNDSrvc.exe
C:\Program\Delade filer\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program\Real\RealPlayer\RealPlay.exe
C:\Program\Delade filer\Symantec Shared\ccApp.exe
C:\Program\Messenger\msmsgs.exe
C:\Program\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\alg.exe
C:\Program\Delade filer\Microsoft Shared\VS7Debug\mdm.exe
C:\Program\Norton AntiVirus\navapsvc.exe
C:\Program\SECRETMAKER\secretmaker.exe
C:\Program\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program\Delade filer\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program\Internet Explorer\iexplore.exe
C:\Program\ewido\security suite\ewidoctrl.exe
C:\Program\ewido\security suite\ewidoguard.exe
C:\Documents and Settings\Ägaren\Skrivbord\Virus\hijackthis1991.exe
C:\Program\Norton AntiVirus\OPScan.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://10.0.0.6/sd/init
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://10.0.0.6/sd/init
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: IeHelper Class - {A491D208-B353-490F-B81A-A8A3DC97042D} - C:\WINDOWS\System32\smiehlp.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [WCOLOREAL] C:\Program\COMPAQ\Coloreal\coloreal.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [USB] C:\WINDOWS\system32\usb.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RealTray] C:\Program\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [ccApp] "C:\Program\Delade filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program\Delade filer\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\Program\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Disk Keeper] C:\WINDOWS\System32\Services\{CFF7BFD6-8361-49D1-A786-ACFB146908C9}\SECURITY.EXE
O4 - HKLM\..\Run: [THGuard] "C:\Program\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MSMSGS] "C:\Program\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpySweeper] "C:\Program\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SECRETMAKER.lnk = C:\Program\SECRETMAKER\secretmaker.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abac...es/abasetup.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O21 - SSODL: Internet Explorer - {F28A40D7-AD0E-034A-C651-5F0ED76232E6} - C:\WINDOWS\System32\Goolahpg.dll (file missing)
O21 - SSODL: SysTray.Exsh - {1768ECFC-4F5C-4f5b-B134-D67294FC78E9} - C:\WINDOWS\System32\hkqmopjn.dll (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto Protect-tjänst (navapsvc) - Symantec Corporation - C:\Program\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\Program\DELADE~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\CCPD-LC\symlcsvc.exe


---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 19:40:21, 2005-07-26
+ Report-Checksum: E0F5C09E

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{357A87ED-3E5D-437d-B334-DEB7EB4982A3} -> Trojan.Agent.eo : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Update\{357A87ED-3E5D-437d-B334-DEB7EB4982A3} -> Trojan.Agent.eo : Cleaned with backup
C:\System Volume Information\_restore{2F5B585F-B03B-4384-8459-902B331677EC}\RP76\A0003991.exe -> Trojan.Agent.eo : Cleaned with backup
C:\System Volume Information\_restore{2F5B585F-B03B-4384-8459-902B331677EC}\RP76\A0003998.DLL -> Trojan.WebSearch.i : Cleaned with backup
C:\System Volume Information\_restore{2F5B585F-B03B-4384-8459-902B331677EC}\RP76\A0004013.exe -> Trojan.Small.ev : Cleaned with backup
C:\System Volume Information\_restore{2F5B585F-B03B-4384-8459-902B331677EC}\RP76\A0004396.exe -> Trojan.Agent.eo : Cleaned with backup
C:\System Volume Information\_restore{2F5B585F-B03B-4384-8459-902B331677EC}\RP76\A0004404.DLL -> Trojan.WebSearch.i : Cleaned with backup
C:\System Volume Information\_restore{2F5B585F-B03B-4384-8459-902B331677EC}\RP76\A0004407.exe -> Trojan.Agent.eo : Cleaned with backup
C:\System Volume Information\_restore{2F5B585F-B03B-4384-8459-902B331677EC}\RP76\A0004415.DLL -> Trojan.WebSearch.i : Cleaned with backup
C:\System Volume Information\_restore{2F5B585F-B03B-4384-8459-902B331677EC}\RP76\A0005414.DLL -> Trojan.WebSearch.i : Cleaned with backup
C:\System Volume Information\_restore{2F5B585F-B03B-4384-8459-902B331677EC}\RP76\A0005416.exe -> Trojan.Agent.eo : Cleaned with backup
C:\System Volume Information\_restore{2F5B585F-B03B-4384-8459-902B331677EC}\RP76\A0005422.exe -> Trojan.Agent.eo : Cleaned with backup
C:\System Volume Information\_restore{2F5B585F-B03B-4384-8459-902B331677EC}\RP76\A0005427.DLL -> Trojan.WebSearch.i : Cleaned with backup
C:\System Volume Information\_restore{2F5B585F-B03B-4384-8459-902B331677EC}\RP76\A0006425.DLL -> Trojan.WebSearch.i : Cleaned with backup
C:\System Volume Information\_restore{2F5B585F-B03B-4384-8459-902B331677EC}\RP76\A0006428.exe -> Trojan.Agent.eo : Cleaned with backup
C:\System Volume Information\_restore{2F5B585F-B03B-4384-8459-902B331677EC}\RP76\A0006495.exe -> Trojan.Agent.eo : Cleaned with backup
C:\System Volume Information\_restore{2F5B585F-B03B-4384-8459-902B331677EC}\RP76\A0006500.DLL -> Trojan.WebSearch.i : Cleaned with backup
C:\System Volume Information\_restore{2F5B585F-B03B-4384-8459-902B331677EC}\RP76\A0006739.exe -> Trojan.Agent.eo : Cleaned with backup
C:\System Volume Information\_restore{2F5B585F-B03B-4384-8459-902B331677EC}\RP76\A0006747.DLL -> Trojan.WebSearch.i : Cleaned with backup
C:\System Volume Information\_restore{2F5B585F-B03B-4384-8459-902B331677EC}\RP76\A0006963.exe -> Trojan.Agent.eo : Cleaned with backup
C:\System Volume Information\_restore{2F5B585F-B03B-4384-8459-902B331677EC}\RP76\A0006993.DLL -> Trojan.WebSearch.i : Cleaned with backup
C:\System Volume Information\_restore{2F5B585F-B03B-4384-8459-902B331677EC}\RP76\A0007006.exe -> Trojan.Agent.eo : Cleaned with backup
C:\System Volume Information\_restore{2F5B585F-B03B-4384-8459-902B331677EC}\RP76\A0007012.DLL -> Trojan.WebSearch.i : Cleaned with backup
C:\System Volume Information\_restore{2F5B585F-B03B-4384-8459-902B331677EC}\RP76\A0007034.exe -> Backdoor.Padodor.ax : Cleaned with backup
C:\System Volume Information\_restore{2F5B585F-B03B-4384-8459-902B331677EC}\RP76\A0007053.exe -> Trojan.Agent.eo : Cleaned with backup
C:\System Volume Information\_restore{2F5B585F-B03B-4384-8459-902B331677EC}\RP76\A0007055.DLL -> Trojan.WebSearch.i : Cleaned with backup
C:\System Volume Information\_restore{2F5B585F-B03B-4384-8459-902B331677EC}\RP76\A0007059.dll -> Worm.Prox.c : Cleaned with backup
C:\System Volume Information\_restore{2F5B585F-B03B-4384-8459-902B331677EC}\RP76\A0007062.exe -> TrojanDownloader.Agent.lv : Cleaned with backup
C:\System Volume Information\_restore{2F5B585F-B03B-4384-8459-902B331677EC}\RP76\A0007063.dll -> Backdoor.Thunk.e : Cleaned with backup
C:\System Volume Information\_restore{2F5B585F-B03B-4384-8459-902B331677EC}\RP76\A0007064.exe -> Trojan.Small.ev : Cleaned with backup
C:\System Volume Information\_restore{2F5B585F-B03B-4384-8459-902B331677EC}\RP76\A0007065.exe -> Trojan.Small.ev : Cleaned with backup
C:\System Volume Information\_restore{2F5B585F-B03B-4384-8459-902B331677EC}\RP76\A0007066.dll -> TrojanDownloader.Small.asy : Cleaned with backup
C:\System Volume Information\_restore{2F5B585F-B03B-4384-8459-902B331677EC}\RP76\A0007067.DLL -> Trojan.WebSearch.j : Cleaned with backup
C:\System Volume Information\_restore{2F5B585F-B03B-4384-8459-902B331677EC}\RP76\A0007068.EXE -> Trojan.WebSearch.j : Cleaned with backup
C:\System Volume Information\_restore{2F5B585F-B03B-4384-8459-902B331677EC}\RP76\A0007069.DLL -> Trojan.WebSearch.j : Cleaned with backup
C:\System Volume Information\_restore{2F5B585F-B03B-4384-8459-902B331677EC}\RP76\A0007070.exe -> Trojan.WebSearch.j : Cleaned with backup
C:\System Volume Information\_restore{2F5B585F-B03B-4384-8459-902B331677EC}\RP76\A0007071.exe -> TrojanDropper.Agent.ii : Cleaned with backup
C:\System Volume Information\_restore{2F5B585F-B03B-4384-8459-902B331677EC}\RP76\A0007072.dll -> TrojanDownloader.Adload.g : Cleaned with backup
C:\System Volume Information\_restore{2F5B585F-B03B-4384-8459-902B331677EC}\RP76\A0007074.exe -> Trojan.Agent.eo : Cleaned with backup
C:\System Volume Information\_restore{2F5B585F-B03B-4384-8459-902B331677EC}\RP76\A0007079.DLL -> Trojan.WebSearch.i : Cleaned with backup
C:\System Volume Information\_restore{2F5B585F-B03B-4384-8459-902B331677EC}\RP76\A0007083.exe -> Trojan.Agent.eo : Cleaned with backup
C:\System Volume Information\_restore{2F5B585F-B03B-4384-8459-902B331677EC}\RP76\A0007087.DLL -> Trojan.WebSearch.i : Cleaned with backup
C:\System Volume Information\_restore{2F5B585F-B03B-4384-8459-902B331677EC}\RP76\A0007092.exe -> Trojan.Agent.eo : Cleaned with backup
C:\System Volume Information\_restore{2F5B585F-B03B-4384-8459-902B331677EC}\RP76\A0007098.DLL -> Trojan.WebSearch.i : Cleaned with backup
C:\System Volume Information\_restore{2F5B585F-B03B-4384-8459-902B331677EC}\RP76\A0007101.exe -> Trojan.Agent.eo : Cleaned with backup
C:\System Volume Information\_restore{2F5B585F-B03B-4384-8459-902B331677EC}\RP76\A0007107.DLL -> Trojan.WebSearch.i : Cleaned with backup
C:\System Volume Information\_restore{2F5B585F-B03B-4384-8459-902B331677EC}\RP77\A0007116.exe -> Trojan.Agent.eo : Cleaned with backup
C:\System Volume Information\_restore{2F5B585F-B03B-4384-8459-902B331677EC}\RP77\A0007325.exe -> Trojan.Agent.eo : Cleaned with backup
C:\System Volume Information\_restore{2F5B585F-B03B-4384-8459-902B331677EC}\RP77\A0007334.DLL -> Trojan.WebSearch.i : Cleaned with backup
C:\System Volume Information\_restore{2F5B585F-B03B-4384-8459-902B331677EC}\RP77\A0007339.DLL -> Trojan.WebSearch.i : Cleaned with backup
C:\System Volume Information\_restore{2F5B585F-B03B-4384-8459-902B331677EC}\RP77\A0007349.DLL -> Trojan.WebSearch.i : Cleaned with backup
C:\System Volume Information\_restore{2F5B585F-B03B-4384-8459-902B331677EC}\RP77\A0007357.DLL -> Trojan.WebSearch.i : Cleaned with backup
C:\WINDOWS\system32\Services\{CFF7BFD6-8361-49D1-A786-ACFB146908C9}\SECURITY.DLL -> Trojan.WebSearch.i : Cleaned with backup
C:\WINDOWS\system32\Services\{CFF7BFD6-8361-49D1-A786-ACFB146908C9}\SECURITY.EXE -> Trojan.WebSearch.j : Cleaned with backup
C:\WINDOWS\system32\spoolsrv32.exe -> Spyware.FindSpy : Cleaned with backup
C:\WINDOWS\system32\srpcsrv32.dll -> TrojanDownloader.Adload.g : Cleaned with backup
C:\WINDOWS\system32\__delete_on_reboot__OLEEXT.dll -> TrojanDownloader.Agent.ns : Cleaned with backup


::Report End



Ad-Aware SE Build 1.06r1
Logfile Created on:den 26 juli 2005 17:32:21
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R56 21.07.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
MRU List(TAC index:0):27 total references
Tracking Cookie(TAC index:3):4 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Definition File:
=========================
Definitions File Loaded:
Reference Number : SE1R56 21.07.2005
Internal build : 65
File location : C:\Program\Lavasoft\Ad-Aware SE Personal\defs.ref
File size : 501264 Bytes
Total size : 1511688 Bytes
Signature data size : 1479157 Bytes
Reference data size : 32019 Bytes
Signatures total : 42142
CSI Fingerprints total : 979
CSI data size : 34474 Bytes
Target categories : 15
Target families : 718


Memory + processor status:
==========================
Number of processors : 1
Processor architecture : Intel Pentium III
Memory available:24 %
Total physical memory:261612 kb
Available physical memory:62616 kb
Total page file size:633456 kb
Available on page file:383288 kb
Total virtual memory:2097024 kb
Available virtual memory:2040320 kb
OS:Microsoft Windows XP Home Edition Service Pack 1 (Build 2600)

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Obtain command line of scanned processes
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Write-protect system files after repair (Hosts file, etc.)
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


2005-07-26 17:32:21 - Scan started. (Custom mode)

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
ModuleName : \SystemRoot\System32\smss.exe
Command Line : n/a
ProcessID : 452
ThreadCreationTime : 2005-07-26 15:16:57
BasePriority : Normal


#:2 [csrss.exe]
ModuleName : \??\C:\WINDOWS\system32\csrss.exe
Command Line : C:\WINDOWS\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestTh
ProcessID : 512
ThreadCreationTime : 2005-07-26 15:16:59
BasePriority : Normal


#:3 [winlogon.exe]
ModuleName : \??\C:\WINDOWS\system32\winlogon.exe
Command Line : winlogon.exe
ProcessID : 536
ThreadCreationTime : 2005-07-26 15:16:59
BasePriority : High


#:4 [services.exe]
ModuleName : C:\WINDOWS\system32\services.exe
Command Line : C:\WINDOWS\system32\services.exe
ProcessID : 580
ThreadCreationTime : 2005-07-26 15:16:59
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Operativsystemet Microsoft® Windows®
CompanyName : Microsoft Corporation
FileDescription : Tjänst- och styrenhetsprogram
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. Med ensamrätt.
OriginalFilename : services.exe

#:5 [lsass.exe]
ModuleName : C:\WINDOWS\system32\lsass.exe
Command Line : C:\WINDOWS\system32\lsass.exe
ProcessID : 592
ThreadCreationTime : 2005-07-26 15:16:59
BasePriority : Normal
FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
ProductVersion : 5.1.2600.1106
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe

#:6 [svchost.exe]
ModuleName : C:\WINDOWS\system32\svchost.exe
Command Line : C:\WINDOWS\system32\svchost -k rpcss
ProcessID : 760
ThreadCreationTime : 2005-07-26 15:17:00
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:7 [svchost.exe]
ModuleName : C:\WINDOWS\System32\svchost.exe
Command Line : C:\WINDOWS\System32\svchost.exe -k netsvcs
ProcessID : 812
ThreadCreationTime : 2005-07-26 15:17:00
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:8 [svchost.exe]
ModuleName : C:\WINDOWS\System32\svchost.exe
Command Line : C:\WINDOWS\System32\svchost.exe -k NetworkService
ProcessID : 996
ThreadCreationTime : 2005-07-26 15:17:01
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:9 [svchost.exe]
ModuleName : C:\WINDOWS\System32\svchost.exe
Command Line : C:\WINDOWS\System32\svchost.exe -k LocalService
ProcessID : 1056
ThreadCreationTime : 2005-07-26 15:17:01
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:10 [explorer.exe]
ModuleName : C:\WINDOWS\Explorer.EXE
Command Line : C:\WINDOWS\Explorer.EXE
ProcessID : 1140
ThreadCreationTime : 2005-07-26 15:17:02
BasePriority : Normal
FileVersion : 6.00.2800.1106 (xpsp1.020828-1920)
ProductVersion : 6.00.2800.1106
ProductName : Operativsystemet Microsoft® Windows®
CompanyName : Microsoft Corporation
FileDescription : Utforskaren
InternalName : explorer
LegalCopyright : © Microsoft Corporation. Med ensamrätt.
OriginalFilename : EXPLORER.EXE

#:11 [ccsetmgr.exe]
ModuleName : C:\Program\Delade filer\Symantec Shared\ccSetMgr.exe
Command Line : n/a
ProcessID : 1240
ThreadCreationTime : 2005-07-26 15:17:02
BasePriority : Normal
FileVersion : 103.0.3.8
ProductVersion : 103.0.3.8
ProductName : Client and Host Security Platform
CompanyName : Symantec Corporation
FileDescription : Symantec Settings Manager Service
InternalName : ccSetMgr
LegalCopyright : Copyright © 2000-2004 Symantec Corporation. All rights reserved.
OriginalFilename : ccSetMgr.exe

#:12 [sndsrvc.exe]
ModuleName : C:\Program\Delade filer\Symantec Shared\SNDSrvc.exe
Command Line : n/a
ProcessID : 1256
ThreadCreationTime : 2005-07-26 15:17:02
BasePriority : Normal
FileVersion : 5.5.1.6
ProductVersion : 5.5
ProductName : Symantec Security Drivers
CompanyName : Symantec Corporation
FileDescription : Network Driver Service
InternalName : SndSrvc
LegalCopyright : Copyright 2002, 2003, 2004 Symantec Corporation
OriginalFilename : SndSrvc.exe

#:13 [spbbcsvc.exe]
ModuleName : C:\Program\Delade filer\Symantec Shared\SPBBC\SPBBCSvc.exe
Command Line : n/a
ProcessID : 1272
ThreadCreationTime : 2005-07-26 15:17:03
BasePriority : Normal
FileVersion : 1,0,1,47
ProductVersion : 1,0,1,47
ProductName : SPBBC
CompanyName : Symantec Corporation
FileDescription : SPBBC Service
InternalName : SPBBCSvc
LegalCopyright : Copyright © 2004 Symantec Corporation. All rights reserved.
OriginalFilename : SPBBCSvc.exe

#:14 [ccevtmgr.exe]
ModuleName : C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe
Command Line : n/a
ProcessID : 1328
ThreadCreationTime : 2005-07-26 15:17:03
BasePriority : Normal
FileVersion : 103.0.3.8
ProductVersion : 103.0.3.8
ProductName : Client and Host Security Platform
CompanyName : Symantec Corporation
FileDescription : Symantec Event Manager Service
InternalName : ccEvtMgr
LegalCopyright : Copyright © 2000-2004 Symantec Corporation. All rights reserved.
OriginalFilename : ccEvtMgr.exe

#:15 [hpsysdrv.exe]
ModuleName : C:\windows\system\hpsysdrv.exe
Command Line : "c:\windows\system\hpsysdrv.exe"
ProcessID : 1488
ThreadCreationTime : 2005-07-26 15:17:04
BasePriority : Normal
FileVersion : 1, 7, 0, 0
ProductVersion : 1, 7, 0, 0
ProductName : hpsysdrv
CompanyName : Hewlett-Packard Company
FileDescription : hpsysdrv
InternalName : hpsysdrv
LegalCopyright : Copyright © 1998
OriginalFilename : hpsysdrv.exe

#:16 [kbd.exe]
ModuleName : C:\HP\KBD\KBD.EXE
Command Line : "C:\HP\KBD\KBD.EXE"
ProcessID : 1524
ThreadCreationTime : 2005-07-26 15:17:04
BasePriority : High


#:17 [spoolsv.exe]
ModuleName : C:\WINDOWS\system32\spoolsv.exe
Command Line : C:\WINDOWS\system32\spoolsv.exe
ProcessID : 1708
ThreadCreationTime : 2005-07-26 15:17:06
BasePriority : Normal
FileVersion : 5.1.2600.0 (XPClient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : spoolsv.exe

#:18 [realplay.exe]
ModuleName : C:\Program\Real\RealPlayer\RealPlay.exe
Command Line : "C:\Program\Real\RealPlayer\RealPlay.exe" SYSTEMBOOTHIDEPLAYER
ProcessID : 1728
ThreadCreationTime : 2005-07-26 15:17:06
BasePriority : Normal
FileVersion : 6.0.9.584
ProductVersion : 6.0.9.584
ProductName : RealPlayer (32-bit)
CompanyName : RealNetworks, Inc.
FileDescription : RealPlayer
InternalName : REALPLAY
LegalCopyright : Copyright © RealNetworks, Inc. 1995-2000
LegalTrademarks : RealAudio™ is a trademark of RealNetworks, Inc.
OriginalFilename : REALPLAY.EXE

#:19 [ccapp.exe]
ModuleName : C:\Program\Delade filer\Symantec Shared\ccApp.exe
Command Line : n/a
ProcessID : 1740
ThreadCreationTime : 2005-07-26 15:17:06
BasePriority : Normal
FileVersion : 103.0.3.8
ProductVersion : 103.0.3.8
ProductName : Client and Host Security Platform
CompanyName : Symantec Corporation
FileDescription : Symantec User Session
InternalName : ccApp
LegalCopyright : Copyright © 2000-2004 Symantec Corporation. All rights reserved.
OriginalFilename : ccApp.exe

#:20 [msmsgs.exe]
ModuleName : C:\Program\Messenger\msmsgs.exe
Command Line : "C:\Program\Messenger\msmsgs.exe" /background
ProcessID : 1900
ThreadCreationTime : 2005-07-26 15:17:07
BasePriority : Normal
FileVersion : 4.7.0041
ProductVersion : Version 4.7
ProductName : Messenger
CompanyName : Microsoft Corporation
FileDescription : Messenger
InternalName : msmsgs
LegalCopyright : Copyright © Microsoft Corporation 1997-2001
LegalTrademarks : Microsoft® is a registered trademark of Microsoft Corporation in the U.S. and/or other countries.
OriginalFilename : msmsgs.exe

#:21 [spysweeper.exe]
ModuleName : C:\Program\Webroot\Spy Sweeper\SpySweeper.exe
Command Line : "C:\Program\Webroot\Spy Sweeper\SpySweeper.exe" /0
ProcessID : 1908
ThreadCreationTime : 2005-07-26 15:17:07
BasePriority : Normal
FileVersion : 3.0.0.118
ProductVersion : 3.0i
ProductName : Spy Sweeper
CompanyName : Webroot Software, Inc.
FileDescription : Spy Sweeper
LegalCopyright : Copyright © 2001-2004 Webroot Software, Inc.
LegalTrademarks : Spy Sweeper is a trademark of Webroot Software, Inc.

#:22 [rundll32.exe]
ModuleName : C:\WINDOWS\System32\rundll32.exe
Command Line : rundll32 nView.dll,nViewInitialize
ProcessID : 2020
ThreadCreationTime : 2005-07-26 15:17:09
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Operativsystemet Microsoft® Windows®
CompanyName : Microsoft Corporation
FileDescription : Kör en DLL-fil som ett program
InternalName : rundll
LegalCopyright : © Microsoft Corporation. Med ensamrätt.
OriginalFilename : RUNDLL.EXE

#:23 [alg.exe]
ModuleName : C:\WINDOWS\System32\alg.exe
Command Line : C:\WINDOWS\System32\alg.exe
ProcessID : 124
ThreadCreationTime : 2005-07-26 15:17:09
BasePriority : Normal
FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
ProductVersion : 5.1.2600.1106
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Application Layer Gateway Service
InternalName : ALG.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : ALG.exe

#:24 [mdm.exe]
ModuleName : C:\Program\Delade filer\Microsoft Shared\VS7Debug\mdm.exe
Command Line : "C:\Program\Delade filer\Microsoft Shared\VS7Debug\mdm.exe"
ProcessID : 196
ThreadCreationTime : 2005-07-26 15:17:09
BasePriority : Normal
FileVersion : 7.00.9064.9150
ProductVersion : 7.00.9064.9150
ProductName : Microsoft Development Environment
CompanyName : Microsoft Corporation
FileDescription : Machine Debug Manager
InternalName : mdm.exe
LegalCopyright : Copyright © Microsoft Corp. 1997-2000
OriginalFilename : mdm.exe

#:25 [navapsvc.exe]
ModuleName : C:\Program\Norton AntiVirus\navapsvc.exe
Command Line : n/a
ProcessID : 232
ThreadCreationTime : 2005-07-26 15:17:10
BasePriority : Normal
FileVersion : 11.0.9.16
ProductVersion : 11.0.9
ProductName : Norton AntiVirus
CompanyName : Symantec Corporation
FileDescription : Norton AntiVirus Auto-Protect Service
InternalName : NAVAPSVC
LegalCopyright : Norton AntiVirus 2005 for Windows 98/ME/2000/XP Copyright © 2004 Symantec Corporation. All rights reserved.
OriginalFilename : NAVAPSVC.EXE

#:26 [secretmaker.exe]
ModuleName : C:\Program\SECRETMAKER\secretmaker.exe
Command Line : "C:\Program\SECRETMAKER\secretmaker.exe" /Logon
ProcessID : 384
ThreadCreationTime : 2005-07-26 15:17:11
BasePriority : Normal
FileVersion : 3, 9, 8, 5
ProductVersion : 3, 9, 8, 5
ProductName : All-in-One secretmaker
CompanyName : secretmaker team
FileDescription : secretmaker
InternalName : secretmaker
LegalCopyright : Copyright © 2000-2004
LegalTrademarks : secretmaker
OriginalFilename : secretmaker.exe

#:27 [npfmntor.exe]
ModuleName : C:\Program\Norton AntiVirus\IWP\NPFMntor.exe
Command Line : n/a
ProcessID : 360
ThreadCreationTime : 2005-07-26 15:17:11
BasePriority : Normal
FileVersion : 11.0.9.16
ProductVersion : 11.0.9
ProductName : Norton AntiVirus
CompanyName : Symantec Corporation
FileDescription : Norton AntiVirus Firewall Install Monitor
InternalName : NPFMonitor
LegalCopyright : Norton AntiVirus 2005 for Windows 98/ME/2000/XP Copyright © 2004 Symantec Corporation. All rights reserved.
OriginalFilename : NPFMonitor.EXE

#:28 [nvsvc32.exe]
ModuleName : C:\WINDOWS\System32\nvsvc32.exe
Command Line : C:\WINDOWS\System32\nvsvc32.exe
ProcessID : 476
ThreadCreationTime : 2005-07-26 15:17:12
BasePriority : Normal
FileVersion : 6.13.10.3190
ProductVersion : 6.13.10.3190
ProductName : NVIDIA Driver Helper Service, Version 31.90
CompanyName : NVIDIA Corporation
FileDescription : NVIDIA Driver Helper Service, Version 31.90
InternalName : NVSVC
LegalCopyright : © NVIDIA Corporation. All rights reserved.
OriginalFilename : nvsvc32.exe

#:29 [symlcsvc.exe]
ModuleName : C:\Program\Delade filer\Symantec Shared\CCPD-LC\symlcsvc.exe
Command Line : n/a
ProcessID : 796
ThreadCreationTime : 2005-07-26 15:17:13
BasePriority : Normal
FileVersion : 1, 8, 54, 534
ProductVersion : 1, 8, 54, 534
ProductName : Symantec Core Component
CompanyName : Symantec Corporation
FileDescription : Symantec Core Component
InternalName : symlcsvc
LegalCopyright : Copyright © 2003
OriginalFilename : symlcsvc.exe

#:30 [wuauclt.exe]
ModuleName : C:\WINDOWS\System32\wuauclt.exe
Command Line : "C:\WINDOWS\System32\wuauclt.exe"
ProcessID : 3692
ThreadCreationTime : 2005-07-26 15:19:14
BasePriority : Normal
FileVersion : 5.8.0.2469 built by: lab01_n(wmbla)
ProductVersion : 5.8.0.2469
ProductName : Operativsystemet Microsoft® Windows®
CompanyName : Microsoft Corporation
FileDescription : Automatiska uppdateringar
InternalName : wuauclt.exe
LegalCopyright : © Microsoft Corporation. Med ensamrätt.
OriginalFilename : wuauclt.exe

#:31 [iexplore.exe]
ModuleName : C:\Program\Internet Explorer\iexplore.exe
Command Line : "C:\Program\Internet Explorer\iexplore.exe"
ProcessID : 2456
ThreadCreationTime : 2005-07-26 15:20:55
BasePriority : Normal
FileVersion : 6.00.2800.1106 (xpsp1.020828-1920)
ProductVersion : 6.00.2800.1106
ProductName : Operativsystemet Microsoft® Windows®
CompanyName : Microsoft Corporation
FileDescription : Internet Explorer
InternalName : iexplore
LegalCopyright : © Microsoft Corporation. Med ensamrätt.
OriginalFilename : IEXPLORE.EXE

#:32 [ad-aware.exe]
ModuleName : C:\Program\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
Command Line : "C:\Program\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe"
ProcessID : 320
ThreadCreationTime : 2005-07-26 15:31:16
BasePriority : Normal
FileVersion : 6.2.0.236
ProductVersion : SE 106
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft AB Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0

MRU List Object Recognized!
Location: : C:\Documents and Settings\Ägaren\Application Data\microsoft\office\recent
Description : list of recently opened documents using microsoft office


MRU List Object Recognized!
Location: : C:\Documents and Settings\Ägaren\recent
Description : list of recently opened documents


MRU List Object Recognized!
Location: : S-1-5-21-3081108657-1743859184-4230999402-1003\software\adobe\acrobat reader\5.0\avgeneral\crecentfiles
Description : list of recently used files in adobe reader


MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct3d


MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct X


MRU List Object Recognized!
Location: : software\microsoft\directdraw\mostrecentapplication
Description : most recent application to use microsoft directdraw


MRU List Object Recognized!
Location: : S-1-5-21-3081108657-1743859184-4230999402-1003\software\microsoft\directinput\mostrecentapplication
Description : most recent application to use microsoft directinput


MRU List Object Recognized!
Location: : S-1-5-21-3081108657-1743859184-4230999402-1003\software\microsoft\directinput\mostrecentapplication
Description : most recent application to use microsoft directinput


MRU List Object Recognized!
Location: : S-1-5-21-3081108657-1743859184-4230999402-1003\software\microsoft\internet explorer
Description : last download directory used in microsoft internet explorer


MRU List Object Recognized!
Location: : S-1-5-21-3081108657-1743859184-4230999402-1003\software\microsoft\internet explorer\main
Description : last save directory used in microsoft internet explorer


MRU List Object Recognized!
Location: : S-1-5-21-3081108657-1743859184-4230999402-1003\software\microsoft\mediaplayer\player\recentfilelist
Description : list of recently used files in microsoft windows media player


MRU List Object Recognized!
Location: : S-1-5-21-3081108657-1743859184-4230999402-1003\software\microsoft\mediaplayer\player\settings
Description : last open directory used in jasc paint shop pro


MRU List Object Recognized!
Location: : S-1-5-21-3081108657-1743859184-4230999402-1003\software\microsoft\mediaplayer\preferences
Description : last cd record path used in microsoft windows media player


MRU List Object Recognized!
Location: : S-1-5-21-3081108657-1743859184-4230999402-1003\software\microsoft\mediaplayer\preferences
Description : last playlist index loaded in microsoft windows media player


MRU List Object Recognized!
Location: : S-1-5-21-3081108657-1743859184-4230999402-1003\software\microsoft\mediaplayer\preferences
Description : last playlist loaded in microsoft windows media player


MRU List Object Recognized!
Location: : S-1-5-21-3081108657-1743859184-4230999402-1003\software\microsoft\microsoft management console\recent file list
Description : list of recent snap-ins used in the microsoft management console


MRU List Object Recognized!
Location: : S-1-5-21-3081108657-1743859184-4230999402-1003\software\microsoft\office\10.0\clip organizer\search\last query
Description : last query in microsoft clip organizer


MRU List Object Recognized!
Location: : S-1-5-21-3081108657-1743859184-4230999402-1003\software\microsoft\office\10.0\common\general
Description : list of recently used symbols in microsoft office


MRU List Object Recognized!
Location: : S-1-5-21-3081108657-1743859184-4230999402-1003\software\microsoft\office\10.0\common\search\last query
Description : last query in microsoft office


MRU List Object Recognized!
Location: : S-1-5-21-3081108657-1743859184-4230999402-1003\software\microsoft\search assistant\acmru
Description : list of recent search terms used with the search assistant


MRU List Object Recognized!
Location: : S-1-5-21-3081108657-1743859184-4230999402-1003\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru
Description : list of recent programs opened


MRU List Object Recognized!
Location: : S-1-5-21-3081108657-1743859184-4230999402-1003\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru
Description : list of recently saved files, stored according to file extension


MRU List Object Recognized!
Location: : S-1-5-21-3081108657-1743859184-4230999402-1003\software\microsoft\windows\currentversion\explorer\recentdocs
Description : list of recent documents opened


MRU List Object Recognized!
Location: : S-1-5-21-3081108657-1743859184-4230999402-1003\software\nvidia corporation\global\nview\windowmanagement
Description : nvidia nview cached application window positions


MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\windows media\wmsdk\general
Description : windows media sdk


MRU List Object Recognized!
Location: : S-1-5-18\software\microsoft\windows media\wmsdk\general
Description : windows media sdk


MRU List Object Recognized!
Location: : S-1-5-21-3081108657-1743859184-4230999402-1003\software\microsoft\windows media\wmsdk\general
Description : windows media sdk



Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking Cookie Object Recognized!
Type : IECache Entry
Data : ägaren@doubleclick[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:3
Value : Cookie:ä[email protected]/
Expires : 2008-07-25 17:28:36
LastSync : Hits:3
UseCount : 0
Hits : 3

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : ägaren@cgi-bin[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:1
Value : Cookie:ä[email protected]/cgi-bin
Expires : 2009-01-19 01:00:00
LastSync : Hits:1
UseCount : 0
Hits : 1

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : ägaren@tradedoubler[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:5
Value : Cookie:ä[email protected]/
Expires : 2005-08-25 17:24:26
LastSync : Hits:5
UseCount : 0
Hits : 5

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : ägaren@mediaplex[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:1
Value : Cookie:ä[email protected]/
Expires : 2009-06-22 02:00:00
LastSync : Hits:1
UseCount : 0
Hits : 1

Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 4
Objects found so far: 31



Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 31


Deep scanning and examining files (D:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for D:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 31


Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
11 entries scanned.
New critical objects:0
Objects found so far: 31




Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 31

17:49:29 Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:17:08.281
Objects scanned:117564
Objects identified:4
Objects ignored:0
New critical objects:4


#2
g2i2r4

g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
Welcome Erik0726 to Geeks to Go!


Please read these instructions carefully. You may want to print them. Copy the text to a Notepad file and save it to your desktop! We will need the file later.
Be sure to follow ALL instructions!



Download SmitRem to your desktop.
Right click on the file and extract it to its own folder on the desktop.

***

Place a shortcut to Panda ActiveScan on your desktop.

***

Please download the trial version of ewido security suite. Install ewido security suite.
When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".

Launch ewido, there should be an icon on your desktop double-click it.
The program will prompt you to update; click the OK button.

The program will now go to the main screen
You will need to update ewido to the latest definition files. On the left-hand side of the main screen click Update.
Click on Start
The update will start and a progress bar will show the updates being installed.
Once the updates are installed, close Ewido for now.

***

If you have not already installed Ad-Aware SE 1.06, please download and install Ad-Aware SE 1.06.
Check Here on how to set up and use it - please make sure you update it first.

***

Download the Killbox.
Unzip it to the desktop

Double-click on Killbox.exe to run it. Place the following lines (complete paths) in bold in the "Full Path of File to Delete" box in Killbox, and click the red button with the white X on it after each

C:\WINDOWS\System32\hkqmopjn.dll
C:\WINDOWS\System32\Goolahpg.dll

For these files, put a mark next to "Delete on Reboot". Copy and paste each file into the file name box, then click the red button with the X after each. It will ask you if you want to reboot each time you click it; answer NO until after you've pasted the last file name, at which time you should answer Yes.

If your computer does not restart automatically, please restart it manually.

***

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.co.../safemode.shtml

***

Use Windows Explorer to remove this folder:
C:\WINDOWS\System32\Services\
Close Windows Explorer when you are done.

***

Open HijackThis
Place a check against each of the following, making sure you get them all and not any others by mistake:

O4 - HKLM\..\Run: [Disk Keeper] C:\WINDOWS\System32\Services\{CFF7BFD6-8361-49D1-A786-ACFB146908C9}\SECURITY.EXE

O21 - SSODL: Internet Explorer - {F28A40D7-AD0E-034A-C651-5F0ED76232E6} - C:\WINDOWS\System32\Goolahpg.dll (file missing)

O21 - SSODL: SysTray.Exsh - {1768ECFC-4F5C-4f5b-B134-D67294FC78E9} - C:\WINDOWS\System32\hkqmopjn.dll (file missing)

Close all programs leaving only HijackThis running.
Click on Fix Checked when finished and exit HijackThis.

***

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.
The tool will create a log named smitfiles.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed.
Post me the contents of the smitfiles.txt log as you post back.

***

Open Ad-aware and do a full scan. Remove all it finds.

***

Now open Ewido Security Suite:
* Click on scanner
* Click Complete System Scan and the scan will begin.
* During the scan it will prompt you to clean files, click OK
* When the scan is finished, look at the bottom of the screen and click the Save report button.
* Save the report to your desktop
Reboot your computer.

***

Next go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present.

***

Reboot back into Windows and click the Panda ActiveScan shortcut, then do a full system scan. Make sure the autoclean box is checked!
Save the scan log and post it along with a new HijackThis Log, the contents of the smitfiles.txt log and the Ewido Log by using Add Reply.
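The HijackThis entries the helper singled out above follow two recognisable patterns: a Run key launching from a GUID-named folder under System32\Services, and SSODL entries whose DLL is already gone. The following triage script is an added example for this thread, not HijackThis code and not part of the helper's post; its sample lines are copied from the logs in this thread, and the two rules encode only what was flagged here.

```python
"""Triage of HijackThis v1.99 log lines, following the entries the helper
told the poster to fix.  Added example: not HijackThis code and not part of
the original post.  Sample lines are taken from the logs in this thread."""
import re
from dataclasses import dataclass, field

# Constructed sample: a handful of lines from the logs posted in this thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program\Delade filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Disk Keeper] C:\WINDOWS\System32\Services\{CFF7BFD6-8361-49D1-A786-ACFB146908C9}\SECURITY.EXE
O21 - SSODL: Internet Explorer - {F28A40D7-AD0E-034A-C651-5F0ED76232E6} - C:\WINDOWS\System32\Goolahpg.dll (file missing)
O21 - SSODL: SysTray.Exsh - {1768ECFC-4F5C-4f5b-B134-D67294FC78E9} - C:\WINDOWS\System32\hkqmopjn.dll (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""


@dataclass
class Entry:
    section: str                 # "R0", "O4", "O21", ...
    body: str                    # text after "O4 - "
    reasons: list = field(default_factory=list)

    def line(self):
        """The entry as HijackThis prints it, i.e. the form quoted in a fix list."""
        return f"{self.section} - {self.body}"


# A HijackThis entry starts with its section code followed by " - ".
LINE_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.+)$")

# Rules for the two kinds of entries fixed in this thread: a Run key whose
# target lives in a GUID-named folder under System32\Services, and an SSODL
# entry whose DLL HijackThis reports as missing.
RULES = [
    ("O4", re.compile(r"\\System32\\Services\\\{[0-9A-Fa-f-]{36}\}\\", re.I),
     "Run key launches from a GUID-named folder under System32\\Services"),
    ("O21", re.compile(r"\(file missing\)$", re.I),
     "ShellServiceObjectDelayLoad entry points at a DLL that no longer exists"),
]


def parse(log_text):
    """Parse the entry lines of a log; headers and the process list are skipped."""
    entries = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(Entry(m["section"], m["body"]))
    return entries


def triage(log_text):
    """Return the entries matching at least one rule, with the reasons attached."""
    flagged = []
    for entry in parse(log_text):
        for section, pattern, why in RULES:
            if entry.section == section and pattern.search(entry.body):
                entry.reasons.append(why)
        if entry.reasons:
            flagged.append(entry)
    return flagged


def fix_list(log_text):
    """The lines to tick in HijackThis, in the form the helper quoted them."""
    return [e.line() for e in triage(log_text)]


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(e.line())
        for why in e.reasons:
            print("   ->", why)
```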

#3
Erik0726

Erik0726

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Hi g2i2r4,

Unfortunately I was taken ill before I managed to read your instructions. But now I am fit and well. I have begun to install the different links in your instructions. But I am unable to write the lines C:\WINDOWS\etc.
in bold letters in Killbox. Is this important and if so, how do I get the letters to be bold? I have tried to cut and paste from Word as well as CTRL+F but nothing seems to work.

Thanks/ Erik

#4
g2i2r4

g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
You don't have to use the bold in Killbox. Just put in the full filenames.

#5
Erik0726

Erik0726

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Hi,

I now think that I have done everything in a correct way. Below you will find the four logs you asked for.

Logfile of HijackThis v1.99.1
Scan saved at 12:26:14, on 2005-08-01
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Ägaren\Skrivbord\Virus\hijackthis1991.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://10.0.0.6/sd/init
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://10.0.0.6/sd/init
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: IeHelper Class - {A491D208-B353-490F-B81A-A8A3DC97042D} - C:\WINDOWS\System32\smiehlp.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [WCOLOREAL] C:\Program\COMPAQ\Coloreal\coloreal.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [USB] C:\WINDOWS\system32\usb.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RealTray] C:\Program\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [ccApp] "C:\Program\Delade filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program\Delade filer\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\Program\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Disk Keeper] C:\WINDOWS\System32\Services\{CFF7BFD6-8361-49D1-A786-ACFB146908C9}\SECURITY.EXE
O4 - HKLM\..\Run: [THGuard] "C:\Program\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MSMSGS] "C:\Program\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpySweeper] "C:\Program\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SECRETMAKER.lnk = C:\Program\SECRETMAKER\secretmaker.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abac...es/abasetup.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto Protect-tjänst (navapsvc) - Symantec Corporation - C:\Program\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\Program\DELADE~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\CCPD-LC\symlcsvc.exe


----------------------------------

ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 13:25:25, 2005-08-01
+ Report-Checksum: E8206AA

+ Scan result:

C:\WINDOWS\system32\pginpahp.exe -> TrojanDropper.Small.acz : Cleaned with backup


::Report End

----------------------------------------------

Incident Status Location

Adware:adware/psguard No disinfected C:\DOCUMENTS AND SETTINGS\ALL USERS\SKRIVBORD\PSGuard spyware remover.lnk
Virus:Trj/Qhost.gen Disinfected C:\WINDOWS\system32\drivers\etc\1.hosts
Virus:Trj/Qhost.gen Disinfected C:\WINDOWS\system32\drivers\etc\2.hosts

------------------------------------- smitRem log file
version 2.2

by noahdfear


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

ShudderLTD key present! Running LTDFix!

ShudderLTD key was successfully removed! ;)


Pre-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~

quick launch PSGuard spyware remover.lnk


~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Post-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Wininet.dll ~~~

wininet.dll INFECTED!! :tazz: Starting replacement procedure.


~~~~ Looking for C:\WINDOWS\system32\dllcache\wininet.dll ~~~~


~~~~ C:\WINDOWS\system32\dllcache\wininet.dll Present! ~~~~


~~~~ Checking dllcache\wininet.dll for infection ~~~~


~~~~ dllcache\wininet.dll Clean! ~~~~

~~~ Replaced wininet.dll from dllcache ~~~



~~~ Upon reboot ~~~

wininet.old present!
oleadm.dll not present!
oleext.dll not present!


~~~ Upon completion ~~~

wininet.old not present!
oleadm.dll not present!
oleext.dll not present!


~~~~ Rechecking C:\WINDOWS\system32\wininet.dll for infection ~~~~


~~~~ C:\WINDOWS\system32\wininet.dll Clean! :) ~~~~

#6
g2i2r4

g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
Download the Hoster Here.
Please do not use the program yet.

Unzip Hoster to your desktop

Open up the Hoster program.
  • Make sure that the "make hosts writable?" button in the upper right corner is enabled.
  • Click back up Host files
  • then click Restore original host files
  • close program
***

Open HijackThis
Place a check against each of the following, making sure you get them all and not any others by mistake:

O4 - HKLM\..\Run: [Disk Keeper] C:\WINDOWS\System32\Services\{CFF7BFD6-8361-49D1-A786-ACFB146908C9}\SECURITY.EXE

Close all programs leaving only HijackThis running.
Click on Fix Checked when finished and exit HijackThis.

You did remove this folder?
C:\WINDOWS\System32\Services

Please reboot and show me a HijackThis log made in normal mode.
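The Hoster steps above (make the hosts file writable, back it up, restore the original) deal with the Trj/Qhost.gen hits Panda reported in the poster's hosts files. The script below is an added example for this thread, not Hoster's code: it lists every hosts mapping that is not the plain localhost entry, explains why each one matters, and restores a default file after taking a backup. The sample hosts content and the domain names in it are constructed.

```python
"""Hosts-file check and restore, the defender-side equivalent of the Hoster
steps in this thread.  Added example, not Hoster's code.  The sample content
is constructed; the two lines after the localhost entry imitate the kind of
hosts hijack Panda reported as Trj/Qhost.gen."""
import ipaddress
import os
import shutil
import stat
import tempfile

LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

DEFAULT_HOSTS = "# Default hosts file (constructed)\n127.0.0.1\tlocalhost\n"

SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.  (constructed sample)
127.0.0.1       localhost
127.0.0.1       update.example-antivirus.test   # update server silently blocked
198.51.100.23   www.example-bank.test           # name sent to another address
"""


def _read(path):
    with open(path, encoding="ascii") as fh:
        return fh.read()


def parse_hosts(text):
    """Yield (address, names) for each active mapping; comments are dropped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = line.split()
            yield parts[0], parts[1:]


def suspicious_entries(text):
    """Report every mapping that is not the plain loopback entry, with a reason.
    A name pinned to loopback blocks that site (update servers are the usual
    target); a name mapped to a routable address is a redirection."""
    found = []
    for addr, names in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            found.append((addr, names, "address is not a valid IP"))
            continue
        others = [n for n in names if n.lower() not in LOOPBACK_NAMES]
        if not others:
            continue
        why = ("name pinned to loopback (site blocked)" if ip.is_loopback
               else "name redirected to a non-loopback address")
        found.append((addr, others, why))
    return found


def restore_default(path):
    """Back up the current file, clear the read-only attribute (Hoster's
    'make hosts writable'), then write the default.  Returns the backup path."""
    backup = path + ".bak"
    shutil.copy2(path, backup)
    os.chmod(path, stat.S_IREAD | stat.S_IWRITE)
    with open(path, "w", encoding="ascii") as fh:
        fh.write(DEFAULT_HOSTS)
    return backup


def run_demo():
    """Run the check and the restore on a temporary copy of the sample file."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "hosts")
        with open(path, "w", encoding="ascii") as fh:
            fh.write(SAMPLE_HOSTS)
        os.chmod(path, stat.S_IREAD)          # hosts files are often read-only
        before = suspicious_entries(_read(path))
        backup = restore_default(path)
        after = suspicious_entries(_read(path))
        backup_ok = _read(backup) == SAMPLE_HOSTS
        return before, after, backup_ok


if __name__ == "__main__":
    before, after, backup_ok = run_demo()
    for addr, names, why in before:
        print(addr, names, "->", why)
    print("entries left after restore:", len(after), "| backup intact:", backup_ok)
```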

#7
Erik0726

Erik0726

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Hi,
I have done as you said about host. However, I don't have the file
O4 - HKLM\..\Run: [Disk Keeper] C:\WINDOWS\System32\Services\{CFF7BFD6-8361-49D1-A786-ACFB146908C9}\SECURITY.EXE when I open HijackThis. I have looked all over the place but can not find it.

As you instructed earlier, I have removed C:\WINDOWS\System32\Services

Erik

#8
g2i2r4

g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
Can you please post me a fresh HijackThis log to check?

#9
Erik0726

Erik0726

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Hi,

Certainly. Here it is. Overall the computer is running as before I got the "virus". It is a bit slower but I no longer have pop-ups from Norton telling me I have a virus.

Logfile of HijackThis v1.99.1
Scan saved at 10:39:53, on 2005-08-03
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\Delade filer\Symantec Shared\ccSetMgr.exe
C:\Program\Delade filer\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program\Delade filer\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program\Real\RealPlayer\RealPlay.exe
C:\Program\Delade filer\Symantec Shared\ccApp.exe
C:\Program\Messenger\msmsgs.exe
C:\Program\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\alg.exe
C:\Program\ewido\security suite\ewidoctrl.exe
C:\Program\ewido\security suite\ewidoguard.exe
C:\Program\Delade filer\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program\Norton AntiVirus\navapsvc.exe
C:\Program\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program\Delade filer\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program\SECRETMAKER\secretmaker.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program\Internet Explorer\iexplore.exe
C:\Documents and Settings\Ägaren\Skrivbord\Virus\hijackthis1991.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://10.0.0.6/sd/init
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://10.0.0.6/sd/init
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: IeHelper Class - {A491D208-B353-490F-B81A-A8A3DC97042D} - C:\WINDOWS\System32\smiehlp.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [WCOLOREAL] C:\Program\COMPAQ\Coloreal\coloreal.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [USB] C:\WINDOWS\system32\usb.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RealTray] C:\Program\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [ccApp] "C:\Program\Delade filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program\Delade filer\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\Program\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [THGuard] "C:\Program\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MSMSGS] "C:\Program\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpySweeper] "C:\Program\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SECRETMAKER.lnk = C:\Program\SECRETMAKER\secretmaker.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abac...es/abasetup.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto Protect-tjänst (navapsvc) - Symantec Corporation - C:\Program\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\Program\DELADE~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\CCPD-LC\symlcsvc.exe

#10
g2i2r4

g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
You are running both Spysweeper and Norton.
I'd choose one to run actively and have the other one scan let's say once a week or so.
Now they are not only slowing down the machine, but they are also fighting each other instead of the outside world.

Can you rerun panda to see if nothing got left behind?
Post me that log again.

Edited by g2i2r4, 03 August 2005 - 05:20 AM.


#11
Erik0726

Erik0726

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Hi, this is the new Panda log.

Incident Status Location

Adware:adware/psguard No disinfected C:\DOCUMENTS AND SETTINGS\ALL USERS\SKRIVBORD\PSGuard spyware remover.lnk
Possible Virus. No disinfected C:\Program\TrojanHunter 4.2\Tools\Process Viewer\ProcessViewer.exe
Virus:W32/Smitfraud.D Disinfected C:\System Volume Information\_restore{2F5B585F-B03B-4384-8459-902B331677EC}\RP4\A0000099.old

#12
g2i2r4

g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
I'm definitely not happy yet.

The smitrem has been updated to version 2.3

Please remove the one you have now.

Download smitRem.exe and save the file to your desktop.
Double click on the file to extract it to its own folder on the desktop.

Reboot to Safe Mode.

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.
The tool will create a log named smitfiles.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed.
Post me the contents of the smitfiles.txt log as you post back.

Also rerun AdAware in safe mode

Reboot to normal mode and rerun Panda.

The tool should have removed that item. Let me see the smitfiles and the Panda.

#13
Erik0726

Erik0726

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Hi,

Here are the logfiles from smitRem, Panda and Ad-Aware.

Ad-Aware SE Build 1.06r1
Logfile Created on:den 4 augusti 2005 10:00:39
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R56 21.07.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
MRU List(TAC index:0):28 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Definition File:
=========================
Definitions File Loaded:
Reference Number : SE1R56 21.07.2005
Internal build : 65
File location : C:\Program\Lavasoft\Ad-Aware SE Personal\defs.ref
File size : 501264 Bytes
Total size : 1511688 Bytes
Signature data size : 1479157 Bytes
Reference data size : 32019 Bytes
Signatures total : 42142
CSI Fingerprints total : 979
CSI data size : 34474 Bytes
Target categories : 15
Target families : 718


Memory + processor status:
==========================
Number of processors : 1
Processor architecture : Intel Pentium III
Memory available:54 %
Total physical memory:261612 kb
Available physical memory:141096 kb
Total page file size:633456 kb
Available on page file:569376 kb
Total virtual memory:2097024 kb
Available virtual memory:2044844 kb
OS:Microsoft Windows XP Home Edition Service Pack 1 (Build 2600)

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Obtain command line of scanned processes
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Write-protect system files after repair (Hosts file, etc.)
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


2005-08-04 10:00:39 - Scan started. (Custom mode)

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
ModuleName : \SystemRoot\System32\smss.exe
Command Line : n/a
ProcessID : 132
ThreadCreationTime : 2005-08-04 07:53:30
BasePriority : Normal


#:2 [csrss.exe]
ModuleName : \??\C:\WINDOWS\system32\csrss.exe
Command Line : C:\WINDOWS\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestTh
ProcessID : 184
ThreadCreationTime : 2005-08-04 07:53:41
BasePriority : Normal


#:3 [winlogon.exe]
ModuleName : \??\C:\WINDOWS\system32\winlogon.exe
Command Line : winlogon.exe
ProcessID : 208
ThreadCreationTime : 2005-08-04 07:53:43
BasePriority : High


#:4 [services.exe]
ModuleName : C:\WINDOWS\system32\services.exe
Command Line : C:\WINDOWS\system32\services.exe
ProcessID : 252
ThreadCreationTime : 2005-08-04 07:53:48
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Operativsystemet Microsoft® Windows®
CompanyName : Microsoft Corporation
FileDescription : Tjänst- och styrenhetsprogram
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. Med ensamrätt.
OriginalFilename : services.exe

#:5 [lsass.exe]
ModuleName : C:\WINDOWS\system32\lsass.exe
Command Line : C:\WINDOWS\system32\lsass.exe
ProcessID : 264
ThreadCreationTime : 2005-08-04 07:53:48
BasePriority : Normal
FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
ProductVersion : 5.1.2600.1106
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe

#:6 [svchost.exe]
ModuleName : C:\WINDOWS\system32\svchost.exe
Command Line : C:\WINDOWS\system32\svchost -k rpcss
ProcessID : 428
ThreadCreationTime : 2005-08-04 07:53:52
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:7 [svchost.exe]
ModuleName : C:\WINDOWS\system32\svchost.exe
Command Line : C:\WINDOWS\system32\svchost.exe -k netsvcs
ProcessID : 452
ThreadCreationTime : 2005-08-04 07:53:52
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:8 [explorer.exe]
ModuleName : C:\WINDOWS\explorer.exe
Command Line : explorer.exe
ProcessID : 996
ThreadCreationTime : 2005-08-04 07:56:17
BasePriority : Normal
FileVersion : 6.00.2800.1106 (xpsp1.020828-1920)
ProductVersion : 6.00.2800.1106
ProductName : Operativsystemet Microsoft® Windows®
CompanyName : Microsoft Corporation
FileDescription : Utforskaren
InternalName : explorer
LegalCopyright : © Microsoft Corporation. Med ensamrätt.
OriginalFilename : EXPLORER.EXE

#:9 [ad-aware.exe]
ModuleName : C:\Program\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
Command Line : "C:\Program\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe"
ProcessID : 1200
ThreadCreationTime : 2005-08-04 07:59:57
BasePriority : Normal
FileVersion : 6.2.0.236
ProductVersion : SE 106
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft AB Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0

MRU List Object Recognized!
Location: : C:\Documents and Settings\Ägaren\Application Data\microsoft\office\recent
Description : list of recently opened documents using microsoft office


MRU List Object Recognized!
Location: : C:\Documents and Settings\Ägaren\recent
Description : list of recently opened documents


MRU List Object Recognized!
Location: : S-1-5-21-3081108657-1743859184-4230999402-1003\software\adobe\acrobat reader\5.0\avgeneral\crecentfiles
Description : list of recently used files in adobe reader


MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct3d


MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct X


MRU List Object Recognized!
Location: : software\microsoft\directdraw\mostrecentapplication
Description : most recent application to use microsoft directdraw


MRU List Object Recognized!
Location: : S-1-5-21-3081108657-1743859184-4230999402-1003\software\microsoft\directinput\mostrecentapplication
Description : most recent application to use microsoft directinput


MRU List Object Recognized!
Location: : S-1-5-21-3081108657-1743859184-4230999402-1003\software\microsoft\directinput\mostrecentapplication
Description : most recent application to use microsoft directinput


MRU List Object Recognized!
Location: : S-1-5-21-3081108657-1743859184-4230999402-1003\software\microsoft\internet explorer
Description : last download directory used in microsoft internet explorer


MRU List Object Recognized!
Location: : S-1-5-21-3081108657-1743859184-4230999402-1003\software\microsoft\internet explorer\main
Description : last save directory used in microsoft internet explorer


MRU List Object Recognized!
Location: : S-1-5-21-3081108657-1743859184-4230999402-1003\software\microsoft\internet explorer\typedurls
Description : list of recently entered addresses in microsoft internet explorer


MRU List Object Recognized!
Location: : S-1-5-21-3081108657-1743859184-4230999402-1003\software\microsoft\mediaplayer\player\recentfilelist
Description : list of recently used files in microsoft windows media player


MRU List Object Recognized!
Location: : S-1-5-21-3081108657-1743859184-4230999402-1003\software\microsoft\mediaplayer\player\settings
Description : last open directory used in jasc paint shop pro


MRU List Object Recognized!
Location: : S-1-5-21-3081108657-1743859184-4230999402-1003\software\microsoft\mediaplayer\preferences
Description : last cd record path used in microsoft windows media player


MRU List Object Recognized!
Location: : S-1-5-21-3081108657-1743859184-4230999402-1003\software\microsoft\mediaplayer\preferences
Description : last playlist index loaded in microsoft windows media player


MRU List Object Recognized!
Location: : S-1-5-21-3081108657-1743859184-4230999402-1003\software\microsoft\mediaplayer\preferences
Description : last playlist loaded in microsoft windows media player


MRU List Object Recognized!
Location: : S-1-5-21-3081108657-1743859184-4230999402-1003\software\microsoft\microsoft management console\recent file list
Description : list of recent snap-ins used in the microsoft management console


MRU List Object Recognized!
Location: : S-1-5-21-3081108657-1743859184-4230999402-1003\software\microsoft\office\10.0\clip organizer\search\last query
Description : last query in microsoft clip organizer


MRU List Object Recognized!
Location: : S-1-5-21-3081108657-1743859184-4230999402-1003\software\microsoft\office\10.0\common\general
Description : list of recently used symbols in microsoft office


MRU List Object Recognized!
Location: : S-1-5-21-3081108657-1743859184-4230999402-1003\software\microsoft\office\10.0\common\search\last query
Description : last query in microsoft office


MRU List Object Recognized!
Location: : S-1-5-21-3081108657-1743859184-4230999402-1003\software\microsoft\search assistant\acmru
Description : list of recent search terms used with the search assistant


MRU List Object Recognized!
Location: : S-1-5-21-3081108657-1743859184-4230999402-1003\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru
Description : list of recent programs opened


MRU List Object Recognized!
Location: : S-1-5-21-3081108657-1743859184-4230999402-1003\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru
Description : list of recently saved files, stored according to file extension


MRU List Object Recognized!
Location: : S-1-5-21-3081108657-1743859184-4230999402-1003\software\microsoft\windows\currentversion\explorer\recentdocs
Description : list of recent documents opened


MRU List Object Recognized!
Location: : S-1-5-21-3081108657-1743859184-4230999402-1003\software\nvidia corporation\global\nview\windowmanagement
Description : nvidia nview cached application window positions


MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\windows media\wmsdk\general
Description : windows media sdk


MRU List Object Recognized!
Location: : S-1-5-18\software\microsoft\windows media\wmsdk\general
Description : windows media sdk


MRU List Object Recognized!
Location: : S-1-5-21-3081108657-1743859184-4230999402-1003\software\microsoft\windows media\wmsdk\general
Description : windows media sdk



Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 28



Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 28


Deep scanning and examining files (D:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for D:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 28


Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
1 entries scanned.
New critical objects:0
Objects found so far: 28




Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 28

10:08:36 Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:07:57.562
Objects scanned:97256
Objects identified:0
Objects ignored:0
New critical objects:0

Incident               Status          Location
Adware:adware/psguard  No disinfected  C:\DOCUMENTS AND SETTINGS\ALL USERS\SKRIVBORD\PSGuard spyware remover.lnk
Possible Virus.        No disinfected  C:\Program\TrojanHunter 4.2\Tools\Process Viewer\ProcessViewer.exe

smitRem log file
version 2.3

by noahdfear


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Post-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Wininet.dll ~~~

CLEAN! :tazz:
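As an added example (not code from the thread or from the tools it names), here is a small Python triage of the two logs quoted above: it confirms that every Ad-Aware SE section reports zero new critical objects, and splits the Panda incidents that were not disinfected into items still to delete versus hits on a tool the helper chose to keep. The sample strings and the KNOWN_GOOD_PREFIXES allowlist are assumptions constructed from the post.

```python
import re
from dataclasses import dataclass

# Constructed excerpts of the Ad-Aware SE and Panda logs quoted in the post above.
ADAWARE_SAMPLE = """\
Memory scan result:
New critical objects: 0
Tracking cookie scan result:
New critical objects: 0
Objects found so far: 28
Summary Of This Scan
New critical objects:0
"""
PANDA_SAMPLE = """\
Incident Status Location

Adware:adware/psguard No disinfected C:\\DOCUMENTS AND SETTINGS\\ALL USERS\\SKRIVBORD\\PSGuard spyware remover.lnk
Possible Virus. No disinfected C:\\Program\\TrojanHunter 4.2\\Tools\\Process Viewer\\ProcessViewer.exe
"""

CRITICAL_RE = re.compile(r"^New critical objects:\s*(\d+)", re.M)
# Panda prints "<incident> <status> <path>"; incidents may contain spaces, so the status word and the drive letter split the columns.
PANDA_RE = re.compile(
    r"^(?P<incident>.+?) (?P<status>Disinfected|No disinfected) (?P<path>[A-Za-z]:\\.+)$", re.M)
# Assumed allowlist for the demo: a legitimate tool the helper chose to keep (compared case-insensitively).
KNOWN_GOOD_PREFIXES = (r"c:\program\trojanhunter",)

@dataclass
class Incident:
    incident: str
    status: str
    path: str

def adaware_is_clean(log: str) -> bool:
    """True only if every scan section reports zero new critical objects (MRU lists count as found, not critical)."""
    counts = [int(n) for n in CRITICAL_RE.findall(log)]
    return bool(counts) and all(n == 0 for n in counts)

def parse_panda(log: str) -> list[Incident]:
    return [Incident(m["incident"], m["status"], m["path"]) for m in PANDA_RE.finditer(log)]

def triage(incidents: list[Incident]) -> dict[str, list[str]]:
    """Split hits Panda could not disinfect into items still to delete and likely false positives."""
    result: dict[str, list[str]] = {"remove": [], "false_positive": []}
    for inc in incidents:
        if inc.status == "Disinfected":
            continue
        known = inc.path.lower().startswith(KNOWN_GOOD_PREFIXES)
        result["false_positive" if known else "remove"].append(inc.path)
    return result
```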

#14
g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
Must be because of the language setting then. Let's kill it.

Double-click Killbox.exe to run it.

Select "Delete on Reboot".
Place the following line (complete path) in the "Full Path of File to Delete" box in Killbox:
C:\DOCUMENTS AND SETTINGS\ALL USERS\SKRIVBORD\PSGuard spyware remover.lnk
Put a mark next to "Delete on Reboot"
Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.
If your computer does not restart automatically, please restart it manually.

Now it's gone. Panda will only find Trojan Hunter and we want to keep that.


Is the computer running ok now?
Shall I post you some tips for the future and close this topic?

#15
Erik0726

    New Member

  • Topic Starter
  • Member
  • 8 posts
Hi,

I have done as you instructed and as far as I can tell the computer is functioning ok. It's a bit slow but I am going to kill spysweeper in favor of Norton. Is it safe for me to download Microsoft servicepack 2 now?

And please, all tips on how to operate my computer more safely and efficiently are welcome.

I am going away on business for a few days but will come back and read your reply. Many thanks, and I have noticed that I am able to make a donation to this web-site, which I am going to do.

Have a nice weekend/ Erik