Winfixer (trojans)


#1
Vegard

New Member

I've had problems with popups for a while now. I think it's Winfixer, because it tries to install now and then. But sure, there could be lots of stuff inside here.

Did Ad-Aware, and it found about 40 threats, removed; Spybot found several - removed; CWShredder found 1 and removed it. Trend HouseCall found 6 trojans in my "lokale innstillinger/temp" folder (local settings), but they were uncleanable, so I deleted the temp folder myself. cleanmgr couldn't delete the temp folders, at least nothing happened in about 30 minutes - I deleted them via IE and some manually.

I've done some reboots along the way; one of the spyware progs demanded it. I don't know if I was supposed to, but anyway I rebooted before the scan.

There are popups when running Maxthon and IE.

Logfile of HijackThis v1.99.1
Scan saved at 15:18:28, on 16.10.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
G:\WINDOWS\System32\smss.exe
G:\WINDOWS\system32\winlogon.exe
G:\WINDOWS\system32\services.exe
G:\WINDOWS\system32\lsass.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\System32\svchost.exe
G:\Programfiler\Fellesfiler\Symantec Shared\ccSetMgr.exe
G:\WINDOWS\Explorer.EXE
G:\Programfiler\Fellesfiler\Symantec Shared\ccEvtMgr.exe
G:\WINDOWS\system32\spoolsv.exe
G:\WINDOWS\system32\NVATray.exe
G:\WINDOWS\SOUNDMAN.EXE
G:\WINDOWS\system32\RUNDLL32.EXE
G:\WINDOWS\system32\dla\tfswctrl.exe
G:\Programfiler\D-Tools\daemon.exe
G:\Programfiler\Java\j2re1.4.2_06\bin\jusched.exe
G:\PROGRA~1\FELLES~1\PCSuite\DATALA~1\DATALA~1.EXE
G:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
G:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe
G:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0T1.EXE
G:\Programfiler\QuickTime\qttask.exe
G:\PROGRA~1\SYMANT~1\VPTray.exe
g:\progra~1\maxthon\maxthon.exe
G:\Programfiler\Spybot - Search & Destroy\TeaTimer.exe
G:\Programfiler\Maxthon\maxthon.exe
G:\PROGRA~1\FELLES~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\AWS\WeatherBug\WeatherBug.exe
G:\Programfiler\MSN Messenger\msnmsgr.exe
G:\Programfiler\Skype\Phone\Skype.exe
G:\WINDOWS\system32\ctfmon.exe
G:\Programfiler\Trend Micro\Tmas\Tmas.exe
G:\Programfiler\Symantec AntiVirus\DefWatch.exe
G:\Programfiler\ewido\security suite\ewidoctrl.exe
G:\Programfiler\ewido\security suite\ewidoguard.exe
G:\Programfiler\Fellesfiler\Microsoft Shared\VS7DEBUG\MDM.EXE
G:\WINDOWS\system32\nvsvc32.exe
G:\Programfiler\Microsoft AntiSpyware\gcasDtServ.exe
D:\Program Files\wincmd\WinCmd32.exe
G:\Programfiler\Maxthon\Maxthon.exe
G:\WINDOWS\system32\NOTEPAD.EXE
G:\HJT\HijackThis.exe
G:\Programfiler\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.jmswnazpx...Gri3sKcRJh.html
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: (no name) - {1367BE57-527E-1788-AB82-FE3E140DCEF9} - (no file)
O2 - BHO: (no name) - {5345A7A1-805A-4923-B505-86B2FEBA3FE0} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - G:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - (no file)
O2 - BHO: (no name) - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - (no file)
O4 - HKLM\..\Run: [NVIDIA nForce APU1 Utilities] NVATray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE G:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE G:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [dla] G:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "G:\Programfiler\Fellesfiler\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DAEMON Tools-1033] "G:\Programfiler\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SunJavaUpdateSched] G:\Programfiler\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [DataLayer] G:\PROGRA~1\FELLES~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [PCSuiteTrayApplication] G:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
O4 - HKLM\..\Run: [win32] winhost.exe
O4 - HKLM\..\Run: [ccApp] "G:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [EPSON Stylus C46 Series] G:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0T1.EXE /P23 "EPSON Stylus C46 Series" /O6 "USB001" /M "Stylus C46"
O4 - HKLM\..\Run: [QuickTime Task] "G:\Programfiler\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [vptray] G:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [gcasServ] "G:\Programfiler\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [iTunesHelper] "G:\Programfiler\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SETTINGSSKIPDARTMP3] G:\Documents and Settings\All Users\Programdata\Partrdrsettingsskip\View proxy.exe
O4 - HKLM\..\RunServices: [win32] winhost.exe
O4 - HKCU\..\Run: [Drive Body] G:\DOCUME~1\Vegardo\PROGRA~1\SETTIN~1\Cdrom Hide Play.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] G:\Programfiler\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [WeatherBug] C:\Program Files\AWS\WeatherBug\WeatherBug.exe
O4 - HKCU\..\Run: [msnmsgr] "G:\Programfiler\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Skype] "G:\Programfiler\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] G:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = G:\Programfiler\Trend Micro\Tmas\Tmas.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://G:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - G:\Programfiler\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - G:\Programfiler\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Expekt.com Poker - {3852AC86-965F-4abe-A75F-3DCB7E81A4B2} - G:\Programfiler\expektMPP\MPPoker.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - G:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: NordicBet Poker - {E6073F93-9541-4be4-9800-109D378EB99B} - D:\Program Files\NordicBet\MPPoker.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Programfiler\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {CAFEEFAC-0014-0002-0005-ABCDEFFEDCBA} (Java Plug-in 1.4.2_05) -
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab31267.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - G:\Programfiler\Fellesfiler\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - G:\Programfiler\Fellesfiler\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - G:\Programfiler\Fellesfiler\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - G:\Programfiler\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - G:\Programfiler\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - G:\Programfiler\ewido\security suite\ewidoguard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - G:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - G:\Programfiler\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - G:\Programfiler\Fellesfiler\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - G:\Programfiler\Symantec AntiVirus\Rtvscan.exe

#2
Buckeye_Sam

Malware Expert

Hi and welcome to GeeksToGo! My name is Sam and I will be helping you. :tazz:

I apologize for the delay getting to your log, the helpers here are very busy.
If you still need help, please post a fresh Hijack log, in this thread, so I can help you with your Malware Problems.

If you have resolved this issue please let us know.

#3
Vegard

New Member

Thanks for replying, appreciate it, it's never too late :tazz:

Now over to business. I installed Firefox, it works fine, no popups for days now - well, one, but that's probably got to do with me not blocking popups there or something. But I'd like to use Maxthon because of the mouse gestures, which I've grown dependent on. Trying Maxthon again (this instant) - popups are still there. The same goes for Internet Explorer - and they're the same popups (I guess IE and Maxthon are the same thing really, so...)


Here's the Hijack log

Logfile of HijackThis v1.99.1
Scan saved at 03:11:46, on 22.10.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
G:\WINDOWS\System32\smss.exe
G:\WINDOWS\system32\winlogon.exe
G:\WINDOWS\system32\services.exe
G:\WINDOWS\system32\lsass.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\System32\svchost.exe
G:\Programfiler\Fellesfiler\Symantec Shared\ccSetMgr.exe
G:\Programfiler\Fellesfiler\Symantec Shared\ccEvtMgr.exe
G:\WINDOWS\Explorer.EXE
G:\WINDOWS\system32\spoolsv.exe
G:\Programfiler\Symantec AntiVirus\DefWatch.exe
G:\Programfiler\ewido\security suite\ewidoctrl.exe
G:\Programfiler\Fellesfiler\Microsoft Shared\VS7DEBUG\MDM.EXE
G:\WINDOWS\system32\nvsvc32.exe
G:\WINDOWS\system32\NVATray.exe
G:\WINDOWS\SOUNDMAN.EXE
G:\WINDOWS\system32\RUNDLL32.EXE
G:\WINDOWS\system32\dla\tfswctrl.exe
G:\Programfiler\Java\j2re1.4.2_06\bin\jusched.exe
G:\PROGRA~1\FELLES~1\PCSuite\DATALA~1\DATALA~1.EXE
G:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
G:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe
G:\PROGRA~1\FELLES~1\PCSuite\Services\SERVIC~1.EXE
G:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0T1.EXE
G:\Programfiler\QuickTime\qttask.exe
G:\PROGRA~1\SYMANT~1\VPTray.exe
G:\Programfiler\MSN Messenger\msnmsgr.exe
G:\WINDOWS\system32\ctfmon.exe
G:\Programfiler\Messenger\msmsgs.exe
G:\DOCUME~1\ALLUSE~1\PROGRA~1\PARTRD~1\LITEDA~1.EXE
G:\DOCUME~1\Vegardo\PROGRA~1\SETTIN~1\CDROMH~1.EXE
G:\Programfiler\Mozilla Firefox\firefox.exe
G:\Programfiler\Internet Explorer\iexplore.exe
G:\HJT\HijackThis.exe
G:\WINDOWS\system32\NOTEPAD.EXE
D:\Program Files\wincmd\WinCmd32.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.jmswnazpx...Gri3sKcRJh.html
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: (no name) - {1367BE57-527E-1788-AB82-FE3E140DCEF9} - (no file)
O2 - BHO: (no name) - {5345A7A1-805A-4923-B505-86B2FEBA3FE0} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - G:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - (no file)
O2 - BHO: (no name) - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - (no file)
O4 - HKLM\..\Run: [NVIDIA nForce APU1 Utilities] NVATray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE G:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE G:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [dla] G:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "G:\Programfiler\Fellesfiler\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DAEMON Tools-1033] "G:\Programfiler\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SunJavaUpdateSched] G:\Programfiler\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [DataLayer] G:\PROGRA~1\FELLES~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [PCSuiteTrayApplication] G:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
O4 - HKLM\..\Run: [win32] winhost.exe
O4 - HKLM\..\Run: [ccApp] "G:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [EPSON Stylus C46 Series] G:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0T1.EXE /P23 "EPSON Stylus C46 Series" /O6 "USB001" /M "Stylus C46"
O4 - HKLM\..\Run: [QuickTime Task] "G:\Programfiler\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [vptray] G:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [gcasServ] "G:\Programfiler\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [iTunesHelper] "G:\Programfiler\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SETTINGSSKIPDARTMP3] G:\Documents and Settings\All Users\Programdata\Partrdrsettingsskip\View proxy.exe
O4 - HKLM\..\Run: [WinPatrol] G:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\RunServices: [win32] winhost.exe
O4 - HKCU\..\Run: [Drive Body] G:\DOCUME~1\Vegardo\PROGRA~1\SETTIN~1\Cdrom Hide Play.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] G:\Programfiler\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [WeatherBug] C:\Program Files\AWS\WeatherBug\WeatherBug.exe
O4 - HKCU\..\Run: [msnmsgr] "G:\Programfiler\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Skype] "G:\Programfiler\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] G:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = G:\Programfiler\Trend Micro\Tmas\Tmas.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://G:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - G:\Programfiler\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - G:\Programfiler\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Expekt.com Poker - {3852AC86-965F-4abe-A75F-3DCB7E81A4B2} - G:\Programfiler\expektMPP\MPPoker.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - G:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: NordicBet Poker - {E6073F93-9541-4be4-9800-109D378EB99B} - D:\Program Files\NordicBet\MPPoker.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Programfiler\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {CAFEEFAC-0014-0002-0005-ABCDEFFEDCBA} (Java Plug-in 1.4.2_05) -
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab31267.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - G:\Programfiler\Fellesfiler\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - G:\Programfiler\Fellesfiler\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - G:\Programfiler\Fellesfiler\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - G:\Programfiler\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - G:\Programfiler\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - G:\Programfiler\ewido\security suite\ewidoguard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - G:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - G:\Programfiler\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - G:\Programfiler\Fellesfiler\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - G:\Programfiler\Symantec AntiVirus\Rtvscan.exe

#4
Buckeye_Sam

Malware Expert

Please follow these steps:
  • Please disable Spybot's Teatimer function before you proceed with this fix.
    http://russelltexas....re/teatimer.htm

  • Please make sure that you can View Hidden Files
    • Click Start -> My Computer
    • Select Tools -> Folder options
    • Select the View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled.
    • Also make sure that 'Display the contents of system folders' is checked.
    • For more info on how to show hidden files click here.


  • Run HijackThis again, click Scan, and put a checkmark next to each of these. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.


    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.jmswnazpx...Gri3sKcRJh.html
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
    O2 - BHO: (no name) - {1367BE57-527E-1788-AB82-FE3E140DCEF9} - (no file)
    O2 - BHO: (no name) - {5345A7A1-805A-4923-B505-86B2FEBA3FE0} - (no file)
    O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - (no file)
    O2 - BHO: (no name) - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - (no file)
    O4 - HKLM\..\Run: [win32] winhost.exe
    O4 - HKLM\..\Run: [SETTINGSSKIPDARTMP3] G:\Documents and Settings\All Users\Programdata\Partrdrsettingsskip\View proxy.exe
    O4 - HKLM\..\Run: [WinPatrol] G:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
    O4 - HKLM\..\RunServices: [win32] winhost.exe
    O4 - HKCU\..\Run: [Drive Body] G:\DOCUME~1\Vegardo\PROGRA~1\SETTIN~1\Cdrom Hide Play.exe



  • Please reboot your computer in Safe Mode by doing the following:
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
    • Instead of Windows loading as normal, a menu should appear
    • Select the first option, to run Windows in Safe Mode.
    • If you have trouble getting into Safe mode go here for more info.



  • Once in Safe mode, delete these files or directories (Do not be concerned if they do not exist):


    winhost.exe
    G:\Documents and Settings\All Users\Programdata\Partrdrsettingsskip <-- delete this folder
    G:\DOCUME~1\Vegardo\PROGRA~1\SETTIN~1 <-- delete this folder
Reboot your computer to go back to normal mode.


Please run Panda Online Virus Scan
  • You must allow the active-x control to run when asked.
  • You may need to disable your antivirus program while this scan runs.
  • There may be files that this scan will not remove.
  • Please include that information in your next post.
  • Make sure to reenable your antivirus program if you disabled it.
Reboot and post a new hijackthis log and the info from your virus scan.

#5
Vegard

New Member

Thanks for answering - sorry for the delay with the follow-up. At first I couldn't get your link working - later on some very easy maneuvers fixed the link, so I managed to disable TeaTimer.

* Fixed Hijack-links - except for the WinPatrol line - which was missing - anyway I think it's a legitimate anti-spyware program (but I might have too many of those installed right now - and for no good)

* When in safe mode I did all 3 steps except I didn't find the winhost.exe-file (no hits on search)

* Panda found several anti-spyware thingys and so forth, it produced this (messy) log:


Incident Status Location

Virus:W32/Bobax.C.worm Disinfected D:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\FUXAQYV5\83.31.100[1].gif
Virus:Eicar.Mod Renamed D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\eicar.html
Hacktool:DDoS/Boxed.A No disinfected D:\System Volume Information\_restore{4616DA65-D3DD-465E-AB93-84E3E282E3CB}\RP423\A0070206.exe
Spyware:Spyware/New.net No disinfected D:\System Volume Information\_restore{4616DA65-D3DD-465E-AB93-84E3E282E3CB}\RP425\A0070718.exe
Spyware:Spyware/New.net No disinfected D:\System Volume Information\_restore{4616DA65-D3DD-465E-AB93-84E3E282E3CB}\RP425\A0073701.exe
Spyware:Spyware/New.net No disinfected D:\System Volume Information\_restore{A0BA6F37-EC3D-46D1-838A-69EB99C32DE4}\RP241\A0026174.exe
Adware:Adware/Gator No disinfected D:\System Volume Information\_restore{A0BA6F37-EC3D-46D1-838A-69EB99C32DE4}\RP241\A0026175.exe
Virus:W32/Bagle.N.worm Disinfected Personal Folders\Inbox\Notify from e-mail technical support.\TextDocument.pif
Adware:Adware/Lop No disinfected G:\Programfiler\Microsoft AntiSpyware\Quarantine\4268A317-1B1C-49A3-9FD6-8CF808\BF5A46E8-BAF6-4DD9-AE3C-B68CEB
Adware:Adware/Lop No disinfected G:\RECYCLER\S-1-5-21-746137067-308236825-725345543-1003\Dg1.exe
Adware:Adware/Lop No disinfected G:\RECYCLER\S-1-5-21-746137067-308236825-725345543-1003\Dg10.exe
Adware:Adware/Lop No disinfected G:\RECYCLER\S-1-5-21-746137067-308236825-725345543-1003\Dg12.exe
Adware:Adware/Lop No disinfected G:\RECYCLER\S-1-5-21-746137067-308236825-725345543-1003\Dg13.exe
Adware:Adware/Lop No disinfected G:\RECYCLER\S-1-5-21-746137067-308236825-725345543-1003\Dg14.exe
Adware:Adware/Lop No disinfected G:\RECYCLER\S-1-5-21-746137067-308236825-725345543-1003\Dg15.exe
Adware:Adware/Lop No disinfected G:\RECYCLER\S-1-5-21-746137067-308236825-725345543-1003\Dg16.exe
Adware:Adware/Lop No disinfected G:\RECYCLER\S-1-5-21-746137067-308236825-725345543-1003\Dg17.exe
Adware:Adware/Lop No disinfected G:\RECYCLER\S-1-5-21-746137067-308236825-725345543-1003\Dg18.exe
Adware:Adware/Lop No disinfected G:\RECYCLER\S-1-5-21-746137067-308236825-725345543-1003\Dg2.exe
Adware:Adware/Lop No disinfected G:\RECYCLER\S-1-5-21-746137067-308236825-725345543-1003\Dg21.exe
Adware:Adware/Lop No disinfected G:\RECYCLER\S-1-5-21-746137067-308236825-725345543-1003\Dg22.exe
Adware:Adware/Lop No disinfected G:\RECYCLER\S-1-5-21-746137067-308236825-725345543-1003\Dg23.exe
Adware:Adware/Lop No disinfected G:\RECYCLER\S-1-5-21-746137067-308236825-725345543-1003\Dg24.exe
Adware:Adware/Lop No disinfected G:\RECYCLER\S-1-5-21-746137067-308236825-725345543-1003\Dg25.exe
Adware:Adware/Lop No disinfected G:\RECYCLER\S-1-5-21-746137067-308236825-725345543-1003\Dg26.exe
Adware:Adware/Lop No disinfected G:\RECYCLER\S-1-5-21-746137067-308236825-725345543-1003\Dg27.exe
Adware:Adware/Lop No disinfected G:\RECYCLER\S-1-5-21-746137067-308236825-725345543-1003\Dg28.exe
Adware:Adware/Lop No disinfected G:\RECYCLER\S-1-5-21-746137067-308236825-725345543-1003\Dg29.exe
Adware:Adware/Lop No disinfected G:\RECYCLER\S-1-5-21-746137067-308236825-725345543-1003\Dg3.exe
Adware:Adware/Lop No disinfected G:\RECYCLER\S-1-5-21-746137067-308236825-725345543-1003\Dg30.exe
Adware:Adware/Lop No disinfected G:\RECYCLER\S-1-5-21-746137067-308236825-725345543-1003\Dg31.exe
Adware:Adware/Lop No disinfected G:\RECYCLER\S-1-5-21-746137067-308236825-725345543-1003\Dg33.exe
Adware:Adware/Lop No disinfected G:\RECYCLER\S-1-5-21-746137067-308236825-725345543-1003\Dg34.exe
Adware:Adware/Lop No disinfected G:\RECYCLER\S-1-5-21-746137067-308236825-725345543-1003\Dg35.exe
Adware:Adware/Lop No disinfected G:\RECYCLER\S-1-5-21-746137067-308236825-725345543-1003\Dg36.exe
Adware:Adware/Lop No disinfected G:\RECYCLER\S-1-5-21-746137067-308236825-725345543-1003\Dg38.exe
Adware:Adware/Lop No disinfected G:\RECYCLER\S-1-5-21-746137067-308236825-725345543-1003\Dg39.exe
Adware:Adware/Lop No disinfected G:\RECYCLER\S-1-5-21-746137067-308236825-725345543-1003\Dg4.exe
Adware:Adware/Lop No disinfected G:\RECYCLER\S-1-5-21-746137067-308236825-725345543-1003\Dg41.exe
Adware:Adware/Lop No disinfected G:\RECYCLER\S-1-5-21-746137067-308236825-725345543-1003\Dg5.exe
Adware:Adware/Lop No disinfected G:\RECYCLER\S-1-5-21-746137067-308236825-725345543-1003\Dg7.exe
Adware:Adware/Lop No disinfected G:\RECYCLER\S-1-5-21-746137067-308236825-725345543-1003\Dg8.exe
Adware:Adware/Lop No disinfected G:\RECYCLER\S-1-5-21-746137067-308236825-725345543-1003\Dg9.exe

****************************************************************
****************************************************************
****************************************************************

Hijack this log.

Logfile of HijackThis v1.99.1
Scan saved at 21:06:54, on 01.11.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
G:\WINDOWS\System32\smss.exe
G:\WINDOWS\system32\winlogon.exe
G:\WINDOWS\system32\services.exe
G:\WINDOWS\system32\lsass.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\System32\svchost.exe
G:\Programfiler\Fellesfiler\Symantec Shared\ccSetMgr.exe
G:\Programfiler\Fellesfiler\Symantec Shared\ccEvtMgr.exe
G:\WINDOWS\Explorer.EXE
G:\WINDOWS\system32\spoolsv.exe
G:\Programfiler\Symantec AntiVirus\DefWatch.exe
G:\Programfiler\ewido\security suite\ewidoctrl.exe
G:\Programfiler\Fellesfiler\Microsoft Shared\VS7DEBUG\MDM.EXE
G:\WINDOWS\system32\nvsvc32.exe
G:\WINDOWS\system32\NVATray.exe
G:\WINDOWS\SOUNDMAN.EXE
G:\WINDOWS\system32\RUNDLL32.EXE
G:\WINDOWS\system32\dla\tfswctrl.exe
G:\Programfiler\Fellesfiler\Sonic\Update Manager\sgtray.exe
G:\Programfiler\D-Tools\daemon.exe
G:\Programfiler\Java\j2re1.4.2_06\bin\jusched.exe
G:\PROGRA~1\FELLES~1\PCSuite\DATALA~1\DATALA~1.EXE
G:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
G:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe
G:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0T1.EXE
G:\Programfiler\QuickTime\qttask.exe
G:\PROGRA~1\FELLES~1\PCSuite\Services\SERVIC~1.EXE
G:\PROGRA~1\SYMANT~1\VPTray.exe
G:\Programfiler\Anti-Blaxx\Anti-Blaxx.exe
C:\Program Files\AWS\WeatherBug\WeatherBug.exe
G:\Programfiler\MSN Messenger\msnmsgr.exe
G:\Programfiler\Skype\Phone\Skype.exe
G:\WINDOWS\system32\ctfmon.exe
G:\Programfiler\Microsoft AntiSpyware\gcasDtServ.exe
G:\WINDOWS\system32\wuauclt.exe
G:\HJT\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - G:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NVIDIA nForce APU1 Utilities] NVATray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE G:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE G:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [dla] G:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "G:\Programfiler\Fellesfiler\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DAEMON Tools-1033] "G:\Programfiler\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SunJavaUpdateSched] G:\Programfiler\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [DataLayer] G:\PROGRA~1\FELLES~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [PCSuiteTrayApplication] G:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
O4 - HKLM\..\Run: [ccApp] "G:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [EPSON Stylus C46 Series] G:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0T1.EXE /P23 "EPSON Stylus C46 Series" /O6 "USB001" /M "Stylus C46"
O4 - HKLM\..\Run: [QuickTime Task] "G:\Programfiler\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [vptray] G:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [gcasServ] "G:\Programfiler\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [iTunesHelper] "G:\Programfiler\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SETTINGSSKIPDARTMP3] G:\Documents and Settings\All Users\Programdata\Partrdrsettingsskip\View proxy.exe
O4 - HKLM\..\Run: [Anti-Blaxx Manager] G:\Programfiler\Anti-Blaxx\Anti-Blaxx.exe
O4 - HKCU\..\Run: [WeatherBug] C:\Program Files\AWS\WeatherBug\WeatherBug.exe
O4 - HKCU\..\Run: [msnmsgr] "G:\Programfiler\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Skype] "G:\Programfiler\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] G:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Trend Micro Anti-Spyware.lnk.disabled
O8 - Extra context menu item: E&xport to Microsoft Excel - res://G:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - G:\Programfiler\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - G:\Programfiler\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Expekt.com Poker - {3852AC86-965F-4abe-A75F-3DCB7E81A4B2} - G:\Programfiler\expektMPP\MPPoker.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - G:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: NordicBet Poker - {E6073F93-9541-4be4-9800-109D378EB99B} - G:\Programfiler\nordicbetMPP\MPPoker.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Programfiler\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {CAFEEFAC-0014-0002-0005-ABCDEFFEDCBA} (Java Plug-in 1.4.2_05) -
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab31267.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - G:\Programfiler\Fellesfiler\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - G:\Programfiler\Fellesfiler\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - G:\Programfiler\Fellesfiler\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - G:\Programfiler\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - G:\Programfiler\ewido\security suite\ewidoctrl.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - G:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - G:\Programfiler\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - G:\Programfiler\Fellesfiler\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - G:\Programfiler\Symantec AntiVirus\Rtvscan.exe

#6
Buckeye_Sam

Malware Expert

Your log is looking better. Most of what Panda found isn't much to worry about. You should empty your recycle bin to get rid of the malware that's still in there.

Are you familiar with these programs?

O4 - HKLM\..\Run: [SETTINGSSKIPDARTMP3] G:\Documents and Settings\All Users\Programdata\Partrdrsettingsskip\View proxy.exe
O4 - HKLM\..\Run: [Anti-Blaxx Manager] G:\Programfiler\Anti-Blaxx\Anti-Blaxx.exe

  • 0

#7
Vegard

    New Member

  • Topic Starter
  • Member
  • 8 posts
Anti-Blaxx is okay. I'm not familiar with the other one, "View proxy.exe" - and it's disturbing that there are only 3 hits when searching for it on Google - and all of them are spyware-related. Ideas?
  • 0

#8
Buckeye_Sam

    Malware Expert

  • Member
  • 10,019 posts
Let's see if we can find a little more information.

Download FindLop. Unzip the file. It will create a folder. From the extracted files, locate findlop.bat and double-click on it. It will generate a log file - C:\findlop.txt.

Find that file and copy the content into your next post along with a new HijackThis log.
  • 0

#9
Vegard

    New Member

  • Topic Starter
  • Member
  • 8 posts
findlop.txt

[TRACE] Enumerating jobs and queues
[TRACE] Activating job '9790FF6C942B8F08.job'
[TRACE] Printing all job properties

ApplicationName: 'g:\docume~1\vegardo\progra~1\settin~1\proxy blue keep.exe'
Parameters: ''
WorkingDirectory: ''
Comment: ''
Creator: 'Vegardo'
Priority: NORMAL
MaxRunTime: 259200000 (3d 0:00:00)
IdleWait: 10
IdleDeadline: 60
MostRecentRun: 11/01/2005 18:00:00
NextRun: 11/02/2005 1:00:00
StartError: 0x80070003
ExitCode: 0
Status: SCHED_S_TASK_READY
ScheduledWorkItem Flags:
DeleteWhenDone = 0
Suspend = 0
StartOnlyIfIdle = 0
KillOnIdleEnd = 0
RestartOnIdleResume = 0
DontStartIfOnBatteries = 0
KillIfGoingOnBatteries = 0
RunOnlyIfLoggedOn = 1
SystemRequired = 0
Hidden = 1
TaskFlags: 0

1 Trigger

Trigger 0:
Type: Daily
DaysInterval: 1
StartDate: 10/06/2001
EndDate: 00/00/0000
StartTime: 00:00
MinutesDuration: 1440
MinutesInterval: 60
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0


*******************************************************************
*******************************************************************
*******************************************************************
*******************************************************************


Logfile of HijackThis v1.99.1
Scan saved at 01:00:19, on 02.11.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
G:\WINDOWS\System32\smss.exe
G:\WINDOWS\system32\winlogon.exe
G:\WINDOWS\system32\services.exe
G:\WINDOWS\system32\lsass.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\System32\svchost.exe
G:\Programfiler\Fellesfiler\Symantec Shared\ccSetMgr.exe
G:\Programfiler\Fellesfiler\Symantec Shared\ccEvtMgr.exe
G:\WINDOWS\Explorer.EXE
G:\WINDOWS\system32\spoolsv.exe
G:\Programfiler\Symantec AntiVirus\DefWatch.exe
G:\Programfiler\ewido\security suite\ewidoctrl.exe
G:\Programfiler\Fellesfiler\Microsoft Shared\VS7DEBUG\MDM.EXE
G:\WINDOWS\system32\nvsvc32.exe
G:\WINDOWS\system32\NVATray.exe
G:\WINDOWS\SOUNDMAN.EXE
G:\WINDOWS\system32\RUNDLL32.EXE
G:\WINDOWS\system32\dla\tfswctrl.exe
G:\Programfiler\Java\j2re1.4.2_06\bin\jusched.exe
G:\PROGRA~1\FELLES~1\PCSuite\DATALA~1\DATALA~1.EXE
G:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
G:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe
G:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0T1.EXE
G:\Programfiler\QuickTime\qttask.exe
G:\PROGRA~1\FELLES~1\PCSuite\Services\SERVIC~1.EXE
G:\PROGRA~1\SYMANT~1\VPTray.exe
G:\Programfiler\MSN Messenger\msnmsgr.exe
G:\WINDOWS\system32\ctfmon.exe
G:\Programfiler\Microsoft AntiSpyware\gcasDtServ.exe
G:\Programfiler\Messenger\msmsgs.exe
G:\HJT\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - G:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NVIDIA nForce APU1 Utilities] NVATray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE G:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE G:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [dla] G:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "G:\Programfiler\Fellesfiler\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DAEMON Tools-1033] "G:\Programfiler\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SunJavaUpdateSched] G:\Programfiler\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [DataLayer] G:\PROGRA~1\FELLES~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [PCSuiteTrayApplication] G:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
O4 - HKLM\..\Run: [ccApp] "G:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [EPSON Stylus C46 Series] G:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0T1.EXE /P23 "EPSON Stylus C46 Series" /O6 "USB001" /M "Stylus C46"
O4 - HKLM\..\Run: [QuickTime Task] "G:\Programfiler\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [vptray] G:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [gcasServ] "G:\Programfiler\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [iTunesHelper] "G:\Programfiler\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SETTINGSSKIPDARTMP3] G:\Documents and Settings\All Users\Programdata\Partrdrsettingsskip\View proxy.exe
O4 - HKLM\..\Run: [Anti-Blaxx Manager] G:\Programfiler\Anti-Blaxx\Anti-Blaxx.exe
O4 - HKCU\..\Run: [WeatherBug] C:\Program Files\AWS\WeatherBug\WeatherBug.exe
O4 - HKCU\..\Run: [msnmsgr] "G:\Programfiler\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Skype] "G:\Programfiler\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] G:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Trend Micro Anti-Spyware.lnk.disabled
O8 - Extra context menu item: E&xport to Microsoft Excel - res://G:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - G:\Programfiler\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - G:\Programfiler\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Expekt.com Poker - {3852AC86-965F-4abe-A75F-3DCB7E81A4B2} - G:\Programfiler\expektMPP\MPPoker.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - G:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: NordicBet Poker - {E6073F93-9541-4be4-9800-109D378EB99B} - G:\Programfiler\nordicbetMPP\MPPoker.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Programfiler\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {CAFEEFAC-0014-0002-0005-ABCDEFFEDCBA} (Java Plug-in 1.4.2_05) -
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab31267.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - G:\Programfiler\Fellesfiler\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - G:\Programfiler\Fellesfiler\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - G:\Programfiler\Fellesfiler\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - G:\Programfiler\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - G:\Programfiler\ewido\security suite\ewidoctrl.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - G:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - G:\Programfiler\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - G:\Programfiler\Fellesfiler\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - G:\Programfiler\Symantec AntiVirus\Rtvscan.exe
  • 0
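The job properties FindLop printed above can be triaged mechanically. The Python sketch below is an added example, not part of the original thread or of FindLop: the function names and the five heuristics are assumptions chosen for illustration, and the sample lines are abridged from the FindLop output in the post above.

```python
import re

# Abridged from the FindLop output posted in this thread.
FINDLOP_SAMPLE = r"""
[TRACE] Activating job '9790FF6C942B8F08.job'
ApplicationName: 'g:\docume~1\vegardo\progra~1\settin~1\proxy blue keep.exe'
Creator: 'Vegardo'
StartError: 0x80070003
Status: SCHED_S_TASK_READY
RunOnlyIfLoggedOn = 1
Hidden = 1
Trigger 0:
Type: Daily
DaysInterval: 1
MinutesDuration: 1440
MinutesInterval: 60
Disabled = 0
"""

ERROR_PATH_NOT_FOUND = 0x80070003  # HRESULT form of Win32 error 3


def parse_jobs(text):
    """Split a FindLop-style dump into one dict of properties per job.

    Assumes one trigger per job, as in the thread; later triggers would
    overwrite the trigger fields of earlier ones.
    """
    jobs, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        started = re.match(r"\[TRACE\] Activating job '(.+)'$", line)
        if started:
            current = {"JobName": started.group(1)}
            jobs.append(current)
            continue
        if current is None or not line or line.startswith("[TRACE]"):
            continue
        # "Key: value" properties and "Flag = 0/1" lines share one shape.
        field = re.match(r"([A-Za-z]+)\s*[:=]\s*(.*)$", line)
        if field:
            current[field.group(1)] = field.group(2).strip().strip("'")
    return jobs


def triage(job):
    """Return the reasons a job deserves a closer look (empty list if none)."""
    findings = []
    target = job.get("ApplicationName", "").lower()
    stem = job["JobName"].rsplit(".", 1)[0]
    if re.fullmatch(r"[0-9A-Fa-f]{16}", stem):
        findings.append("job name is a bare 16-digit hex string")
    if job.get("Hidden") == "1":
        findings.append("task is flagged Hidden")
    if re.search(r"\\(docume~1|documents and settings)\\", target):
        findings.append("target runs from a user profile folder")
    interval = int(job.get("MinutesInterval", "0") or 0)
    duration = int(job.get("MinutesDuration", "0") or 0)
    if job.get("Disabled") == "0" and interval and duration >= 1440:
        findings.append(f"repeats every {interval} min around the clock")
    if int(job.get("StartError", "0"), 16) == ERROR_PATH_NOT_FOUND:
        findings.append("last start failed with path not found; "
                        "the .job file is still registered")
    return findings


if __name__ == "__main__":
    for job in parse_jobs(FINDLOP_SAMPLE):
        print(job["JobName"], "->", job.get("ApplicationName"))
        for reason in triage(job):
            print("  *", reason)
```

A StartError of 0x80070003 means the scheduler could not find the target path, so the executable may already be gone while the job itself still fires every hour and has to be removed separately.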

#10
Buckeye_Sam

    Malware Expert

  • Member
  • 10,019 posts
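Open Notepad and copy and paste this text in it:
rem Switch to the system drive and the Windows Tasks folder (cd /d also changes drive)
%systemdrive%
cd /d %windir%\Tasks
rem Clear the read-only, system and hidden attributes so the job file can be deleted
attrib -r -s -h 9790FF6C942B8F08.job
del 9790FF6C942B8F08.job
rem Remove the folder the job pointed to, with everything in it
rd /s /q g:\docume~1\vegardo\progra~1\settin~1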

Save this as remjob.bat, choose to save it as *all files and place it on your desktop.

Double-click on remjob.bat. A DOS window will open and close again; this is normal.


Reboot and post a new FindLop log and a new HijackThis log.
  • 0

#11
Vegard

    New Member

  • Topic Starter
  • Member
  • 8 posts
[TRACE] Enumerating jobs and queues
[TRACE] Activating job '9790FF6C942B8F08.job'
[TRACE] Printing all job properties

ApplicationName: 'g:\docume~1\vegardo\progra~1\settin~1\proxy blue keep.exe'
Parameters: ''
WorkingDirectory: ''
Comment: ''
Creator: 'Vegardo'
Priority: NORMAL
MaxRunTime: 259200000 (3d 0:00:00)
IdleWait: 10
IdleDeadline: 60
MostRecentRun: 11/01/2005 18:00:00
NextRun: 11/02/2005 2:00:00
StartError: 0x80070003
ExitCode: 0
Status: SCHED_S_TASK_READY
ScheduledWorkItem Flags:
DeleteWhenDone = 0
Suspend = 0
StartOnlyIfIdle = 0
KillOnIdleEnd = 0
RestartOnIdleResume = 0
DontStartIfOnBatteries = 0
KillIfGoingOnBatteries = 0
RunOnlyIfLoggedOn = 1
SystemRequired = 0
Hidden = 1
TaskFlags: 0

1 Trigger

Trigger 0:
Type: Daily
DaysInterval: 1
StartDate: 10/06/2001
EndDate: 00/00/0000
StartTime: 00:00
MinutesDuration: 1440
MinutesInterval: 60
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0

************************************************************
************************************************************
************************************************************


Logfile of HijackThis v1.99.1
Scan saved at 01:21:31, on 02.11.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
G:\WINDOWS\System32\smss.exe
G:\WINDOWS\system32\winlogon.exe
G:\WINDOWS\system32\services.exe
G:\WINDOWS\system32\lsass.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\System32\svchost.exe
G:\Programfiler\Fellesfiler\Symantec Shared\ccSetMgr.exe
G:\Programfiler\Fellesfiler\Symantec Shared\ccEvtMgr.exe
G:\WINDOWS\Explorer.EXE
G:\WINDOWS\system32\spoolsv.exe
G:\Programfiler\Symantec AntiVirus\DefWatch.exe
G:\Programfiler\ewido\security suite\ewidoctrl.exe
G:\Programfiler\Fellesfiler\Microsoft Shared\VS7DEBUG\MDM.EXE
G:\WINDOWS\system32\nvsvc32.exe
G:\WINDOWS\system32\NVATray.exe
G:\WINDOWS\SOUNDMAN.EXE
G:\WINDOWS\system32\RUNDLL32.EXE
G:\WINDOWS\system32\dla\tfswctrl.exe
G:\Programfiler\D-Tools\daemon.exe
G:\Programfiler\Java\j2re1.4.2_06\bin\jusched.exe
G:\PROGRA~1\FELLES~1\PCSuite\DATALA~1\DATALA~1.EXE
G:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
G:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe
G:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0T1.EXE
G:\Programfiler\QuickTime\qttask.exe
G:\PROGRA~1\FELLES~1\PCSuite\Services\SERVIC~1.EXE
G:\PROGRA~1\SYMANT~1\VPTray.exe
G:\Programfiler\Anti-Blaxx\Anti-Blaxx.exe
C:\Program Files\AWS\WeatherBug\WeatherBug.exe
G:\Programfiler\MSN Messenger\msnmsgr.exe
G:\Programfiler\Skype\Phone\Skype.exe
G:\WINDOWS\system32\ctfmon.exe
G:\Programfiler\Microsoft AntiSpyware\gcasDtServ.exe
G:\Programfiler\Mozilla Firefox\firefox.exe
G:\Programfiler\Messenger\msmsgs.exe
D:\Program Files\wincmd\WinCmd32.exe
G:\HJT\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - G:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NVIDIA nForce APU1 Utilities] NVATray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE G:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE G:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [dla] G:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "G:\Programfiler\Fellesfiler\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DAEMON Tools-1033] "G:\Programfiler\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SunJavaUpdateSched] G:\Programfiler\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [DataLayer] G:\PROGRA~1\FELLES~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [PCSuiteTrayApplication] G:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
O4 - HKLM\..\Run: [ccApp] "G:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [EPSON Stylus C46 Series] G:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0T1.EXE /P23 "EPSON Stylus C46 Series" /O6 "USB001" /M "Stylus C46"
O4 - HKLM\..\Run: [QuickTime Task] "G:\Programfiler\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [vptray] G:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [gcasServ] "G:\Programfiler\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [iTunesHelper] "G:\Programfiler\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SETTINGSSKIPDARTMP3] G:\Documents and Settings\All Users\Programdata\Partrdrsettingsskip\View proxy.exe
O4 - HKLM\..\Run: [Anti-Blaxx Manager] G:\Programfiler\Anti-Blaxx\Anti-Blaxx.exe
O4 - HKCU\..\Run: [WeatherBug] C:\Program Files\AWS\WeatherBug\WeatherBug.exe
O4 - HKCU\..\Run: [msnmsgr] "G:\Programfiler\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Skype] "G:\Programfiler\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] G:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Trend Micro Anti-Spyware.lnk.disabled
O8 - Extra context menu item: E&xport to Microsoft Excel - res://G:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - G:\Programfiler\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - G:\Programfiler\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Expekt.com Poker - {3852AC86-965F-4abe-A75F-3DCB7E81A4B2} - G:\Programfiler\expektMPP\MPPoker.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - G:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: NordicBet Poker - {E6073F93-9541-4be4-9800-109D378EB99B} - G:\Programfiler\nordicbetMPP\MPPoker.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Programfiler\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {CAFEEFAC-0014-0002-0005-ABCDEFFEDCBA} (Java Plug-in 1.4.2_05) -
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab31267.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - G:\Programfiler\Fellesfiler\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - G:\Programfiler\Fellesfiler\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - G:\Programfiler\Fellesfiler\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - G:\Programfiler\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - G:\Programfiler\ewido\security suite\ewidoctrl.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - G:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - G:\Programfiler\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - G:\Programfiler\Fellesfiler\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - G:\Programfiler\Symantec AntiVirus\Rtvscan.exe
  • 0

#12
Buckeye_Sam

    Malware Expert

  • Member
  • 10,019 posts
Please delete this folder.

G:\Documents and Settings\All Users\Programdata\Partrdrsettingsskip


Fix this line with HijackThis.

O4 - HKLM\..\Run: [SETTINGSSKIPDARTMP3] G:\Documents and Settings\All Users\Programdata\Partrdrsettingsskip\View proxy.exe


Now I need to see a different log from HijackThis.

Open HijackThis, click "Open the Misc Tools section"
Next to "Generate StartupList log", place a check next to "List also minor sections" (full) and "List empty sections" (complete).
Then click "Generate StartupList log"
Click "Yes" to the box that pops up.
Then copy and paste the notepad text that appears to this topic.
  • 0

#13
Vegard

    New Member

  • Topic Starter
  • Member
  • 8 posts
The folder was gone - amazingly enough (and yes, I have show hidden files turned on, and so forth). But the line showed up in HijackThis - and I "fixed" it.

Log:


StartupList version: 1.52.2
Started from : G:\HJT\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

G:\WINDOWS\System32\smss.exe
G:\WINDOWS\system32\winlogon.exe
G:\WINDOWS\system32\services.exe
G:\WINDOWS\system32\lsass.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\System32\svchost.exe
G:\Programfiler\Fellesfiler\Symantec Shared\ccSetMgr.exe
G:\WINDOWS\Explorer.EXE
G:\Programfiler\Fellesfiler\Symantec Shared\ccEvtMgr.exe
G:\WINDOWS\system32\spoolsv.exe
G:\Programfiler\Symantec AntiVirus\DefWatch.exe
G:\Programfiler\ewido\security suite\ewidoctrl.exe
G:\Programfiler\Fellesfiler\Microsoft Shared\VS7DEBUG\MDM.EXE
G:\WINDOWS\system32\nvsvc32.exe
G:\WINDOWS\system32\NVATray.exe
G:\WINDOWS\SOUNDMAN.EXE
G:\WINDOWS\system32\RUNDLL32.EXE
G:\WINDOWS\system32\dla\tfswctrl.exe
G:\Programfiler\Fellesfiler\Sonic\Update Manager\sgtray.exe
G:\Programfiler\D-Tools\daemon.exe
G:\Programfiler\Java\j2re1.4.2_06\bin\jusched.exe
G:\PROGRA~1\FELLES~1\PCSuite\DATALA~1\DATALA~1.EXE
G:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
G:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe
G:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0T1.EXE
G:\Programfiler\QuickTime\qttask.exe
G:\PROGRA~1\FELLES~1\PCSuite\Services\SERVIC~1.EXE
G:\PROGRA~1\SYMANT~1\VPTray.exe
G:\Programfiler\Anti-Blaxx\Anti-Blaxx.exe
C:\Program Files\AWS\WeatherBug\WeatherBug.exe
G:\Programfiler\MSN Messenger\msnmsgr.exe
G:\WINDOWS\system32\ctfmon.exe
G:\Programfiler\Microsoft AntiSpyware\gcasDtServ.exe
G:\HJT\HijackThis.exe
G:\WINDOWS\system32\wuauclt.exe
G:\Programfiler\Messenger\msmsgs.exe
G:\Programfiler\Mozilla Firefox\firefox.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[G:\Documents and Settings\Vegardo\Start-meny\Programmer\Oppstart]
*No files*

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[G:\Documents and Settings\All Users\Start-meny\Programmer\Oppstart]
Trend Micro Anti-Spyware.lnk.disabled

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = G:\WINDOWS\system32\userinit.exe,

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

NVIDIA nForce APU1 Utilities = NVATray.exe
SoundMan = SOUNDMAN.EXE
NvCplDaemon = RUNDLL32.EXE G:\WINDOWS\system32\NvCpl.dll,NvStartup
NvMediaCenter = RUNDLL32.EXE G:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
dla = G:\WINDOWS\system32\dla\tfswctrl.exe
StorageGuard = "G:\Programfiler\Fellesfiler\Sonic\Update Manager\sgtray.exe" /r
DAEMON Tools-1033 = "G:\Programfiler\D-Tools\daemon.exe" -lang 1033
SunJavaUpdateSched = G:\Programfiler\Java\j2re1.4.2_06\bin\jusched.exe
DataLayer = G:\PROGRA~1\FELLES~1\PCSuite\DATALA~1\DATALA~1.EXE
PCSuiteTrayApplication = G:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
ccApp = "G:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe"
EPSON Stylus C46 Series = G:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0T1.EXE /P23 "EPSON Stylus C46 Series" /O6 "USB001" /M "Stylus C46"
QuickTime Task = "G:\Programfiler\QuickTime\qttask.exe" -atboottime
vptray = G:\PROGRA~1\SYMANT~1\VPTray.exe
gcasServ = "G:\Programfiler\Microsoft AntiSpyware\gcasServ.exe"
iTunesHelper = "G:\Programfiler\iTunes\iTunesHelper.exe"
Anti-Blaxx Manager = G:\Programfiler\Anti-Blaxx\Anti-Blaxx.exe
(Default) =

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

WeatherBug = C:\Program Files\AWS\WeatherBug\WeatherBug.exe
msnmsgr = "G:\Programfiler\MSN Messenger\msnmsgr.exe" /background
ctfmon.exe = G:\WINDOWS\system32\ctfmon.exe
Skype = "G:\Programfiler\Skype\Phone\Skype.exe" /nosplash /minimized

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]
*No values found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = G:\WINDOWS\System32\mshta.exe "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = G:\WINDOWS\inf\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection G:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection G:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection G:\WINDOWS\INF\wmp10.inf,PerUserStub

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from G:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

--------------------------------------------------

Shell & screensaver key from G:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=G:\WINDOWS\System32\MYNEIG~1.SCR
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

G:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
G:\WINDOWS\Explorer\Explorer.exe: not present
G:\WINDOWS\System\Explorer.exe: not present
G:\WINDOWS\System32\Explorer.exe: not present
G:\WINDOWS\Command\Explorer.exe: not present
G:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in G:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registerredigering'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - G:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}

--------------------------------------------------

Enumerating Task Scheduler jobs:

9790FF6C942B8F08.job

--------------------------------------------------

Enumerating Download Program Files:

[{00000055-9980-0010-8000-00AA00389B71}]
CODEBASE = http://codecs.micros...cs/i386/fhg.CAB

[{00000161-0000-0010-8000-00AA00389B71}]
CODEBASE = http://codecs.micros...386/msaudio.cab

[QuickTime Object]
InProcServer32 = G:\Programfiler\QuickTime\QTPlugin.ocx
CODEBASE = http://www.apple.com...ex/qtplugin.cab

[Windows Genuine Advantage Validation Tool]
InProcServer32 = G:\WINDOWS\system32\LegitCheckControl.DLL
CODEBASE = http://go.microsoft....k/?linkid=39204

[{33564D57-9980-0010-8000-00AA00389B71}]
CODEBASE = http://codecs.micros...386/wmv9dmo.cab

[HouseCall Control]
InProcServer32 = G:\WINDOWS\DOWNLO~1\xscan53.ocx
CODEBASE = http://a840.g.akamai...all/xscan53.cab

[Java Plug-in 1.5.0_04]
InProcServer32 = G:\Programfiler\Java\jre1.5.0_04\bin\npjpi150_04.dll
CODEBASE = http://java.sun.com/...indows-i586.cab

[MessengerStatsClient Class]
InProcServer32 = G:\WINDOWS\Downloaded Program Files\messengerstatsclient.dll
CODEBASE = http://messenger.zon...nt.cab31267.cab

[ActiveScan Installer Class]
InProcServer32 = G:\WINDOWS\Downloaded Program Files\asinst.dll
CODEBASE = http://acs.pandasoft...free/asinst.cab

[{9F1C11AA-197B-4942-BA54-47A8489BB47F}]
CODEBASE = http://v4.windowsupd...8143.3284837963

[Java Plug-in 1.4.2_05]
InProcServer32 = G:\Programfiler\Java\j2re1.4.2_05\bin\npjpi142_05.dll

[Java Plug-in 1.4.2_06]
InProcServer32 = G:\Programfiler\Java\j2re1.4.2_06\bin\npjpi142_06.dll
CODEBASE = http://java.sun.com/...indows-i586.cab

[Java Plug-in 1.5.0_02]
InProcServer32 = G:\Programfiler\Java\jre1.5.0_02\bin\npjpi150_02.dll
CODEBASE = http://java.sun.com/...indows-i586.cab

[Java Plug-in 1.5.0_04]
InProcServer32 = G:\Programfiler\Java\jre1.5.0_04\bin\npjpi150_04.dll
CODEBASE = http://java.sun.com/...indows-i586.cab

[Shockwave Flash Object]
InProcServer32 = G:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macr...ash/swflash.cab

[Solitaire Showdown Class]
InProcServer32 = G:\WINDOWS\Downloaded Program Files\solitaireshowdown.dll
CODEBASE = http://messenger.zon...wn.cab31267.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: G:\WINDOWS\System32\mswsock.dll
NameSpace #2: G:\WINDOWS\System32\winrnr.dll
NameSpace #3: G:\WINDOWS\System32\mswsock.dll
NameSpace #4: G:\WINDOWS\system32\wshbth.dll
Protocol #1: G:\WINDOWS\system32\mswsock.dll
Protocol #2: G:\WINDOWS\system32\mswsock.dll
Protocol #3: G:\WINDOWS\system32\mswsock.dll
Protocol #4: G:\WINDOWS\system32\rsvpsp.dll
Protocol #5: G:\WINDOWS\system32\rsvpsp.dll
Protocol #6: G:\WINDOWS\system32\mswsock.dll
Protocol #7: G:\WINDOWS\system32\mswsock.dll
Protocol #8: G:\WINDOWS\system32\mswsock.dll
Protocol #9: G:\WINDOWS\system32\mswsock.dll
Protocol #10: G:\WINDOWS\system32\mswsock.dll
Protocol #11: G:\WINDOWS\system32\mswsock.dll
Protocol #12: G:\WINDOWS\system32\mswsock.dll
Protocol #13: G:\WINDOWS\system32\mswsock.dll
Protocol #14: G:\WINDOWS\system32\mswsock.dll
Protocol #15: G:\WINDOWS\system32\mswsock.dll
Protocol #16: G:\WINDOWS\system32\mswsock.dll

--------------------------------------------------

Enumerating Windows NT/2000/XP services

Microsoft ACPI-driver: System32\DRIVERS\ACPI.sys (system)
Fjerning av akustisk ekko for Microsoft Kernel: system32\drivers\aec.sys (manual start)
AFD-nettverksstøttemiljø: \SystemRoot\System32\drivers\afd.sys (system)
Service for Avance AC97 Audio (WDM): system32\drivers\ALCXWDM.SYS (manual start)
Alerter: %SystemRoot%\System32\svchost.exe -k LocalService (disabled)
Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)
AMD K7-prosessordriver: System32\DRIVERS\amdk7.sys (system)
Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
1394 ARP-klientprotokoll: System32\DRIVERS\arp1394.sys (manual start)
RAS asynkron mediedriver: System32\DRIVERS\asyncmac.sys (manual start)
Standard IDE/ESDI-harddiskkontroller: System32\DRIVERS\atapi.sys (system)
ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Lydstubbedriver: System32\DRIVERS\audstub.sys (manual start)
Broadcom NetXtreme Fast Ethernet: System32\DRIVERS\b57xp32.sys (manual start)
Driver for BCM 10/100 Ethernet-nettverkskort: System32\DRIVERS\BCM4E5.SYS (manual start)
ASUSTeK/Broadcom 440x 10/100 Integrated Controller XP Driver: System32\DRIVERS\bcm4sbxp.sys (manual start)
Tjenesten Background Intelligent Transfer: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Bluetooth-enumeratortjeneste: System32\DRIVERS\BthEnum.sys (manual start)
Bluetooth Device (Personal Area Network): system32\DRIVERS\bthpan.sys (manual start)
Driver for Bluetooth-port: System32\Drivers\BTHport.sys (manual start)
Bluetooth Support Service: %SystemRoot%\system32\svchost.exe -k bthsvcs (disabled)
USB-driver for Bluetooth-radio: System32\Drivers\BTHUSB.sys (manual start)
Symantec Event Manager: "G:\Programfiler\Fellesfiler\Symantec Shared\ccEvtMgr.exe" (autostart)
Symantec Password Validation: "G:\Programfiler\Fellesfiler\Symantec Shared\ccPwdSvc.exe" (manual start)
Symantec Settings Manager: "G:\Programfiler\Fellesfiler\Symantec Shared\ccSetMgr.exe" (autostart)
CD-ROM-driver: System32\DRIVERS\cdrom.sys (system)
Indexing Service: G:\WINDOWS\System32\cisvc.exe (manual start)
ClipBook: %SystemRoot%\system32\clipsrv.exe (disabled)
COM+-systemapplikasjon: G:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
CWShredder Service: G:\Documents and Settings\Vegardo\Mine dokumenter\programmer\cwshredder.exe service (disabled)
d346bus: System32\DRIVERS\d346bus.sys (system)
d346prt: System32\Drivers\d346prt.sys (system)
DCOM Server Process Launcher: %SystemRoot%\system32\svchost -k DcomLaunch (autostart)
Symantec AntiVirus Definition Watcher: "G:\Programfiler\Symantec AntiVirus\DefWatch.exe" (autostart)
DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Diskdriver: System32\DRIVERS\disk.sys (system)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
Driver for Behandling av logiske disker: System32\drivers\dmio.sys (system)
dmload: System32\drivers\dmload.sys (system)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Microsoft Kernel DLS-synthesizer: system32\drivers\DMusic.sys (manual start)
DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
DRM-lyddekoder for Microsoft Kernel: system32\drivers\drmkaud.sys (manual start)
drvmcdb: system32\drivers\drvmcdb.sys (system)
drvnddm: system32\drivers\drvnddm.sys (autostart)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
COM+-hendelsessystem: G:\WINDOWS\System32\svchost.exe -k netsvcs (manual start)
ewido security suite control: G:\Programfiler\ewido\security suite\ewidoctrl.exe (autostart)
ewido security suite driver: \??\G:\Programfiler\ewido\security suite\guard.sys (system)
ewido security suite guard: G:\Programfiler\ewido\security suite\ewidoguard.exe (disabled)
Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
FltMgr: system32\drivers\fltmgr.sys (system)
Driver for Volumbehandling: System32\DRIVERS\ftdisk.sys (system)
Generisk pakkeklassifiserer: System32\DRIVERS\msgpc.sys (manual start)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Human Interface Device Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Microsoft HID-klassedriver: System32\DRIVERS\hidusb.sys (manual start)
HTTP: System32\Drivers\HTTP.sys (manual start)
HTTP SSL: %SystemRoot%\System32\svchost.exe -k HTTPFilter (manual start)
hwpsgt: System32\DRIVERS\hwpsgt.sys (autostart)
i8042-tastatur og PS/2-museportsdriver: System32\DRIVERS\i8042prt.sys (system)
Driver for CD-brenningsfilter: System32\DRIVERS\imapi.sys (system)
IMAPI CD-Burning COM Service: G:\WINDOWS\System32\imapi.exe (manual start)
IPv6 Windows Firewall Driver: system32\drivers\ip6fw.sys (manual start)
Driver for IP-trafikkfilter: System32\DRIVERS\ipfltdrv.sys (manual start)
Driver for IP i IP-tunnel: System32\DRIVERS\ipinip.sys (manual start)
IP-nettverksadresseoversetter: System32\DRIVERS\ipnat.sys (manual start)
IPSEC-driver: System32\DRIVERS\ipsec.sys (system)
IR-nummereringstjeneste: System32\DRIVERS\irenum.sys (manual start)
Driver for PnP ISA/EISA Bus: System32\DRIVERS\isapnp.sys (system)
Driver for tastaturklasse: System32\DRIVERS\kbdclass.sys (system)
Microsoft Kernel Wave lydmikser: system32\drivers\kmixer.sys (manual start)
Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
lemsgt: System32\DRIVERS\lemsgt.sys (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Machine Debug Manager: "G:\Programfiler\Fellesfiler\Microsoft Shared\VS7DEBUG\MDM.EXE" (autostart)
Messenger: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
NetMeeting Remote Desktop Sharing: G:\WINDOWS\System32\mnmsrvc.exe (manual start)
Driver for musklasse: System32\DRIVERS\mouclass.sys (system)
HID-driver for mus: System32\DRIVERS\mouhid.sys (manual start)
Enhetsomadresserer for WebDav-klient: System32\DRIVERS\mrxdav.sys (manual start)
MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
Distributed Transaction Coordinator: G:\WINDOWS\System32\msdtc.exe (manual start)
Windows Installer: G:\WINDOWS\system32\msiexec.exe /V (manual start)
Tjenesteproxy for Microsoft Streaming: system32\drivers\MSKSSRV.sys (manual start)
Klokkeproxy for Microsoft Streaming: system32\drivers\MSPCLOCK.sys (manual start)
Kvalitetsbehandlingsproxy for Microsoft Streaming: system32\drivers\MSPQM.sys (manual start)
BIOS-driver for Microsoft System Management: System32\DRIVERS\mssmbios.sys (manual start)
NAVENG: \??\G:\PROGRA~1\FELLES~1\SYMANT~1\VIRUSD~1\20051012.017\naveng.sys (manual start)
NAVEX15: \??\G:\PROGRA~1\FELLES~1\SYMANT~1\VIRUSD~1\20051012.017\navex15.sys (manual start)
NDIS TAPI-driver for ekstern pålogging: System32\DRIVERS\ndistapi.sys (manual start)
I/T-protokoll for NDIS-brukermodus: System32\DRIVERS\ndisuio.sys (manual start)
NDIS WAN-driver for ekstern pålogging: System32\DRIVERS\ndiswan.sys (manual start)
NetBIOS-grensesnitt: System32\DRIVERS\netbios.sys (system)
NetBios over TCP/IP: System32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (disabled)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (disabled)
Net Logon: %SystemRoot%\System32\lsass.exe (manual start)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
1394-nettverksdriver: System32\DRIVERS\nic1394.sys (manual start)
Network Location Awareness (NLA): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
NetLimiter: "G:\Programfiler\NetLimiter 2\nlsvc.exe" (disabled)
nltdi: system32\drivers\nltdi.sys (system)
Nokia USB Generic: system32\drivers\nmwcdc.sys (manual start)
Nokia USB Modem: system32\drivers\nmwcdcm.sys (manual start)
Nokia USB Phone Parent: system32\drivers\nmwcd.sys (manual start)
NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start)
Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
nv: System32\DRIVERS\nv4_mini.sys (manual start)
NVIDIA Display Driver Service: %SystemRoot%\system32\nvsvc32.exe (autostart)
Driver for IPX-trafikkfilter: System32\DRIVERS\nwlnkflt.sys (manual start)
Driver for videresending av IPX-trafikk: System32\DRIVERS\nwlnkfwd.sys (manual start)
VIA OHCI Compliant IEEE 1394-vertskontroller: System32\DRIVERS\ohci1394.sys (system)
Office Source Engine: G:\Programfiler\Fellesfiler\Microsoft Shared\Source Engine\OSE.EXE (manual start)
Driver for parallell port: System32\DRIVERS\parport.sys (manual start)
Driver for PCI-buss: System32\DRIVERS\pci.sys (system)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
WAN-miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
Prosessordriver: System32\DRIVERS\processr.sys (system)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
QoS-pakkeplanlegger: System32\DRIVERS\psched.sys (manual start)
Direkte parallell koblingsdriver: System32\DRIVERS\ptilink.sys (manual start)
PxHelp20: System32\DRIVERS\PxHelp20.sys (system)
Driver for automatisk ekstern påloggingstilkobling: System32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WAN-miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
PPPOE-driver for ekstern tilgang: System32\DRIVERS\raspppoe.sys (manual start)
Direkte parallell: System32\DRIVERS\raspti.sys (manual start)
Rdbss: System32\DRIVERS\rdbss.sys (system)
RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
Driver for enhetsomadresserer for Terminal Server: System32\DRIVERS\rdpdr.sys (manual start)
Remote Desktop Help Session Manager: G:\WINDOWS\system32\sessmgr.exe (manual start)
Filterdriver for digital CD-lydavspilling: System32\DRIVERS\redbook.sys (system)
Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Remote Registry: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
Bluetooth-enhet (TDI for RFCOMM-protokoll): system32\DRIVERS\rfcomm.sys (manual start)
Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (manual start)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
QoS RSVP: %SystemRoot%\System32\rsvp.exe (manual start)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
SAVRoam: "G:\Programfiler\Symantec AntiVirus\SavRoam.exe" (manual start)
SAVRT: \??\G:\Programfiler\Symantec AntiVirus\savrt.sys (system)
SAVRTPEL: \??\G:\Programfiler\Symantec AntiVirus\Savrtpel.sys (autostart)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secdrv: System32\DRIVERS\secdrv.sys (autostart)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Serenum-filterdriver: System32\DRIVERS\serenum.sys (manual start)
Seriellportdriver: System32\DRIVERS\serial.sys (system)
Windows Firewall / Internet Connection Sharing (ICS): %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Symantec Network Drivers Service: "G:\Programfiler\Fellesfiler\Symantec Shared\SNDSrvc.exe" (manual start)
Lydsplitter for Microsoft Kernel: system32\drivers\splitter.sys (manual start)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
Filterdriver for systemgjenoppretting: System32\DRIVERS\sr.sys (system)
System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Srv: System32\DRIVERS\srv.sys (manual start)
sscdbhk5: system32\drivers\sscdbhk5.sys (system)
SSDP Discovery Service: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
ssrtln: system32\drivers\ssrtln.sys (system)
Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (manual start)
Driver for programvarebuss: System32\DRIVERS\swenum.sys (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
MS Software Shadow Copy Provider: G:\WINDOWS\System32\dllhost.exe /Processid:{31555883-6E46-477E-B4AB-CCEFFAFEA817} (manual start)
Symantec AntiVirus: "G:\Programfiler\Symantec AntiVirus\Rtvscan.exe" (manual start)
SymEvent: \??\G:\Programfiler\Symantec\SYMEVENT.SYS (manual start)
SYMREDRV: \SystemRoot\System32\Drivers\SYMREDRV.SYS (manual start)
SYMTDI: \SystemRoot\System32\Drivers\SYMTDI.SYS (system)
Microsoft Kernel System-lydenhet: system32\drivers\sysaudio.sys (manual start)
Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Driver for TCP/IP-protokoll: System32\DRIVERS\tcpip.sys (system)
Driver for terminalenhet: System32\DRIVERS\termdd.sys (system)
Terminal Services: %SystemRoot%\System32\svchost -k DComLaunch (manual start)
tfsnboio: system32\dla\tfsnboio.sys (autostart)
tfsncofs: system32\dla\tfsncofs.sys (autostart)
tfsndrct: system32\dla\tfsndrct.sys (autostart)
tfsndres: system32\dla\tfsndres.sys (autostart)
tfsnifs: system32\dla\tfsnifs.sys (autostart)
tfsnopio: system32\dla\tfsnopio.sys (autostart)
tfsnpool: system32\dla\tfsnpool.sys (autostart)
tfsnudf: system32\dla\tfsnudf.sys (autostart)
tfsnudfa: system32\dla\tfsnudfa.sys (autostart)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Telnet: G:\WINDOWS\System32\tlntsvr.exe (manual start)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Windows User Mode Driver Framework: G:\WINDOWS\system32\wdfmgr.exe (autostart)
Oppdateringsdriver for mikrokode: System32\DRIVERS\update.sys (manual start)
Universal Plug and Play Device Host: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
USB2 aktivert hub: System32\DRIVERS\usbhub.sys (manual start)
Microsoft USB PRINTER-klasse: system32\DRIVERS\usbprint.sys (manual start)
USB-masselagringsenhet: System32\DRIVERS\USBSTOR.SYS (manual start)
Miniportdriver for Microsoft USB universell vertskontroller: System32\DRIVERS\usbuhci.sys (manual start)
VGA-skjermkort.: \SystemRoot\System32\drivers\vga.sys (system)
ViaIde: System32\DRIVERS\viaide.sys (system)
Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
IP ARP-driver for ekstern pålogging: System32\DRIVERS\wanarp.sys (manual start)
Microsoft WINMM WDM Audio Compatibility-driver: system32\drivers\wdmaud.sys (manual start)
WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Tjenesten Portable Media Serial Number: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Windows Management Instrumentation Driver Extensions: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WMI Performance Adapter: G:\WINDOWS\System32\wbem\wmiapsrv.exe (manual start)
Windows Socket 2.0-støttemiljø for ikke-IFS-tjenesteleverandør: \SystemRoot\System32\drivers\ws2ifsl.sys (disabled)
Security Center: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Automatiske oppdateringer: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Network Provisioning Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)


--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: *Registry value not found*

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: G:\WINDOWS\system32\SHELL32.dll
CDBurn: G:\WINDOWS\system32\SHELL32.dll
WebCheck: G:\WINDOWS\System32\webcheck.dll
SysTray: G:\WINDOWS\System32\stobject.dll

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

End of report, 36 843 bytes
Report generated in 0,125 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

#14
Buckeye_Sam

    Malware Expert

  • Member
  • 10,019 posts
Open Notepad and copy and paste this text into it:
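rem Windows is installed on G: on this machine, so use %windir% rather than a hard-coded C:\WINDOWS
%systemdrive%
cd /d "%windir%\Tasks"
attrib -r -s -h 9790FF6C942B8F08.job
del 9790FF6C942B8F08.job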

Save this as remjob.bat, choose to save it as *all files, and place it on your desktop.
This should replace the file you created earlier.

Double-click on remjob.bat. A DOS window will open and close again; this is normal.

Reboot and post a new HijackThis log (original log).

#15
Vegard

    New Member

  • Topic Starter
  • Member
  • 8 posts
Done

Logfile of HijackThis v1.99.1
Scan saved at 19:40:54, on 06.11.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
G:\WINDOWS\System32\smss.exe
G:\WINDOWS\system32\winlogon.exe
G:\WINDOWS\system32\services.exe
G:\WINDOWS\system32\lsass.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\System32\svchost.exe
G:\Programfiler\Fellesfiler\Symantec Shared\ccSetMgr.exe
G:\Programfiler\Fellesfiler\Symantec Shared\ccEvtMgr.exe
G:\WINDOWS\Explorer.EXE
G:\WINDOWS\system32\spoolsv.exe
G:\WINDOWS\system32\NVATray.exe
G:\WINDOWS\SOUNDMAN.EXE
G:\WINDOWS\system32\dla\tfswctrl.exe
G:\Programfiler\Fellesfiler\Sonic\Update Manager\sgtray.exe
G:\Programfiler\D-Tools\daemon.exe
G:\Programfiler\Java\j2re1.4.2_06\bin\jusched.exe
G:\PROGRA~1\FELLES~1\PCSuite\DATALA~1\DATALA~1.EXE
G:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
G:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe
G:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0T1.EXE
G:\Programfiler\QuickTime\qttask.exe
G:\PROGRA~1\SYMANT~1\VPTray.exe
G:\Programfiler\Anti-Blaxx\Anti-Blaxx.exe
G:\WINDOWS\system32\RUNDLL32.EXE
G:\Programfiler\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\AWS\WeatherBug\WeatherBug.exe
G:\Programfiler\Symantec AntiVirus\DefWatch.exe
G:\Programfiler\ewido\security suite\ewidoctrl.exe
G:\PROGRA~1\FELLES~1\PCSuite\Services\SERVIC~1.EXE
G:\Programfiler\Fellesfiler\Microsoft Shared\VS7DEBUG\MDM.EXE
G:\WINDOWS\system32\nvsvc32.exe
G:\Programfiler\MSN Messenger\msnmsgr.exe
G:\WINDOWS\system32\ctfmon.exe
G:\Programfiler\Skype\Phone\Skype.exe
G:\WINDOWS\system32\wuauclt.exe
G:\HJT\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - G:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NVIDIA nForce APU1 Utilities] NVATray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE G:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [dla] G:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "G:\Programfiler\Fellesfiler\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DAEMON Tools-1033] "G:\Programfiler\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SunJavaUpdateSched] G:\Programfiler\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [DataLayer] G:\PROGRA~1\FELLES~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [PCSuiteTrayApplication] G:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
O4 - HKLM\..\Run: [ccApp] "G:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [EPSON Stylus C46 Series] G:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0T1.EXE /P23 "EPSON Stylus C46 Series" /O6 "USB001" /M "Stylus C46"
O4 - HKLM\..\Run: [QuickTime Task] "G:\Programfiler\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [vptray] G:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [gcasServ] "G:\Programfiler\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [iTunesHelper] "G:\Programfiler\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Anti-Blaxx Manager] G:\Programfiler\Anti-Blaxx\Anti-Blaxx.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE G:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [WeatherBug] C:\Program Files\AWS\WeatherBug\WeatherBug.exe
O4 - HKCU\..\Run: [msnmsgr] "G:\Programfiler\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] G:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "G:\Programfiler\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Trend Micro Anti-Spyware.lnk.disabled
O8 - Extra context menu item: E&xport to Microsoft Excel - res://G:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - G:\Programfiler\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - G:\Programfiler\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Expekt.com Poker - {3852AC86-965F-4abe-A75F-3DCB7E81A4B2} - G:\Programfiler\expektMPP\MPPoker.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - G:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: NordicBet Poker - {E6073F93-9541-4be4-9800-109D378EB99B} - G:\Programfiler\nordicbetMPP\MPPoker.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Programfiler\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {CAFEEFAC-0014-0002-0005-ABCDEFFEDCBA} (Java Plug-in 1.4.2_05) -
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab31267.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - G:\Programfiler\Fellesfiler\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - G:\Programfiler\Fellesfiler\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - G:\Programfiler\Fellesfiler\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - G:\Programfiler\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - G:\Programfiler\ewido\security suite\ewidoctrl.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - G:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - G:\Programfiler\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - G:\Programfiler\Fellesfiler\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - G:\Programfiler\Symantec AntiVirus\Rtvscan.exe