Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Winfixer, E404 Helper, DNSChanger, Vundo Variant [RESOLVED]

Started by heir , Feb 20 2008 06:47 AM

This topic is locked

#1
heir

Posted 20 February 2008 - 06:47 AM

Trusted Helper

Malware Removal
5,427 posts

I´m having problem to get rid of these.

I´ve followed the steps in the guide http://www.geekstogo...-Log-t2852.html
before posting.

Here is what I've noticed so far.

I normally use automatic windows update and Norton Internet security 2008.
But to test a software that conflicted with NIS 2008 I had to remove NIS 2008 temporarily.
Unfortunatelly I got infected during this

Any way here is the result from following the guide

Preparation
I removed the temporary files.
I used IE7 and Firefox. so I ran it twice, (Main and Firefox)

Step one
I found
and it was put in quarantine BUT there were no log generated.
Here is whats quarantined ( that I can read when I check the quarantine in the program)

Origin: C:\Documents and Settings\Leif\Lokala inställningar\Temp\removeafile.bat
Infected with: Not-A-Virus.Adware.Virtumonde
Risk: Low

Here is the log from SUPERAntiSpyware

SUPERAntiSpyware Scan Log
Generated 02/20/2008 at 04:03 AM

Application Version : 3.6.1000

Core Rules Database Version : 3405
Trace Rules Database Version: 1397

Scan type	   : Complete Scan
Total Scan Time : 03:05:09

Memory items scanned	  : 788
Memory threats detected   : 1
Registry items scanned	: 8824
Registry threats detected : 34
File items scanned		: 180954
File threats detected	 : 5

Trojan.WinFixer
	C:\WINDOWS\SYSTEM32\PMNLK.DLL
	C:\WINDOWS\SYSTEM32\PMNLK.DLL
	HKLM\Software\Classes\CLSID\{A79B56E4-47DE-4069-BF75-A7773B66A05F}
	HKCR\CLSID\{A79B56E4-47DE-4069-BF75-A7773B66A05F}
	HKCR\CLSID\{A79B56E4-47DE-4069-BF75-A7773B66A05F}\InprocServer32
	HKCR\CLSID\{A79B56E4-47DE-4069-BF75-A7773B66A05F}\InprocServer32#ThreadingModel
	HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A79B56E4-47DE-4069-BF75-A7773B66A05F}

Adware.E404 Helper/Variant-A
	HKLM\Software\Classes\CLSID\{C03FD59D-9104-44B7-929A-9EAA0BA05211}
	HKCR\CLSID\{C03FD59D-9104-44B7-929A-9EAA0BA05211}
	HKCR\CLSID\{C03FD59D-9104-44B7-929A-9EAA0BA05211}
	HKCR\CLSID\{C03FD59D-9104-44B7-929A-9EAA0BA05211}\InprocServer32
	HKCR\CLSID\{C03FD59D-9104-44B7-929A-9EAA0BA05211}\InprocServer32#ThreadingModel
	HKCR\CLSID\{C03FD59D-9104-44B7-929A-9EAA0BA05211}\ProgID
	HKCR\CLSID\{C03FD59D-9104-44B7-929A-9EAA0BA05211}\Programmable
	HKCR\CLSID\{C03FD59D-9104-44B7-929A-9EAA0BA05211}\TypeLib
	HKCR\CLSID\{C03FD59D-9104-44B7-929A-9EAA0BA05211}\VersionIndependentProgID
	C:\PROGRAM\HELPER\1203150162.DLL
	HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C03FD59D-9104-44B7-929A-9EAA0BA05211}

Unclassified.Unknown Origin
	HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{CFE9E8A8-38C0-4EF8-AEC2-5035EFE81030}
	D:\DOWNLOAD\VMWARE\V5.5.4\KEYGEN.NFO

Trojan.DNSChanger-Codec
	HKCR\CLSID\E404.e404mgr
	HKCR\CLSID\E404.e404mgr#UserId

Adware.E404 Helper/Hij
	HKCR\E404.e404mgr
	HKCR\E404.e404mgr\CLSID
	HKCR\E404.e404mgr\CurVer
	HKCR\E404.e404mgr.1
	HKCR\E404.e404mgr.1\CLSID
	HKCR\TypeLib\{E63648F7-3933-440E-B4F6-A8584DD7B7EB}
	HKCR\TypeLib\{E63648F7-3933-440E-B4F6-A8584DD7B7EB}\1.0
	HKCR\TypeLib\{E63648F7-3933-440E-B4F6-A8584DD7B7EB}\1.0\0
	HKCR\TypeLib\{E63648F7-3933-440E-B4F6-A8584DD7B7EB}\1.0\0\win32
	HKCR\TypeLib\{E63648F7-3933-440E-B4F6-A8584DD7B7EB}\1.0\FLAGS
	HKCR\TypeLib\{E63648F7-3933-440E-B4F6-A8584DD7B7EB}\1.0\HELPDIR
	HKCR\Interface\{F7D09218-46D7-4D3D-9B7F-315204CD0836}
	HKCR\Interface\{F7D09218-46D7-4D3D-9B7F-315204CD0836}\ProxyStubClsid
	HKCR\Interface\{F7D09218-46D7-4D3D-9B7F-315204CD0836}\ProxyStubClsid32
	HKCR\Interface\{F7D09218-46D7-4D3D-9B7F-315204CD0836}\TypeLib
	HKCR\Interface\{F7D09218-46D7-4D3D-9B7F-315204CD0836}\TypeLib#Version

Adware.Vundo Variant/Rel
	C:\WINDOWS\SYSTEM32\KLNMP.INI
	C:\WINDOWS\SYSTEM32\KLNMP.INI2

Step two
Here is the log from Pandasoftware Activescan

Incident																		Status						Location																																																														

Virus:Generic Trojan															Disinfected				   Operating system																																																												
Virus:trj/torpig.a															  Disinfected				   Operating system																																																												
Hacktool:Rootkit/Spammer.AFN													Not disinfected			   C:\WPOHL.EXE																																																													
Potentially unwanted tool:Application/Processor								 Not disinfected			   D:\DOWNLOAD\Antispion Verktyg\SmitfraudFix\Process.exe																																																		  
Virus:Trj/Rebooter.J															Disinfected				   D:\DOWNLOAD\Antispion Verktyg\SmitfraudFix\Reboot.exe																																																		   
Potentially unwanted tool:Application/SuperFast								 Not disinfected			   D:\DOWNLOAD\Antispion Verktyg\SmitfraudFix\restart.exe																																																		  
Virus:Generic Malware														   Disinfected				   D:\DOWNLOAD\AOE\CRACK\RORCRACK10A\rorcrack10a.exe																																																			   
Potentially unwanted tool:Application/Processor								 Not disinfected			   D:\GUIDE\SmitfraudFix.zip[SmitfraudFix/Process.exe]																																																			 
Virus:Trj/Rebooter.J															Disinfected				   D:\GUIDE\SmitfraudFix.zip[SmitfraudFix/Reboot.exe]																																																			  
Potentially unwanted tool:Application/SuperFast								 Not disinfected			   D:\GUIDE\SmitfraudFix.zip[SmitfraudFix/restart.exe]																																																			 
Possible Virus.																 Not disinfected			   D:\Studier\KURSER\Examensarbete\NSR\Setup\OemExts\ANG\Setup.exe

step three
Windows update
No update needed to be done.

step four reboot

step five
Here is the log from Hijackthis 2.0.2

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:12:10, on 2008-02-20
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\Delade filer\Symantec Shared\ccSvcHst.exe
C:\Program\Delade filer\Symantec Shared\ccProxy.exe
C:\Program\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Acer\eManager\anbmServ.exe
C:\Program\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program\Delade filer\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\PGPserv.exe
C:\WINDOWS\system32\HPZipm12.exe
c:\Program\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program\Delade filer\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\Program\VMware\VMware Workstation\vmware-authd.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\TEMP\AE2309FF.exe
C:\acer\epm\epm-dm.exe
C:\Program\Synaptics\SynTP\SynTPLpr.exe
C:\Program\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program\D-Tools\daemon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program\Internet Explorer\iexplore.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program\Launch Manager\QtZgAcer.EXE
C:\Program\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program\Google\Google Talk\googletalk.exe
C:\Program\HP\HP Software Update\HPWuSchd2.exe
C:\Program\Delade filer\Symantec Shared\ccSvcHst.exe
C:\Program\VMware\VMware Workstation\vmware-tray.exe
C:\Program\VMware\VMware Workstation\hqtray.exe
C:\Program\Java\jre1.6.0_03\bin\jusched.exe
C:\Program\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\TEMP\AE2309FF.exe
C:\Program\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program\Delade filer\Teleca Shared\CapabilityManager.exe
C:\Program\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe
C:\Program\Delade filer\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program\Delade filer\Teleca Shared\Generic.exe
C:\Program\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\HPZinw12.exe
D:\DOWNLOAD\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=proxy1.telia.com:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = login1.telia.com;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {23D44BCF-AA7A-41D6-8905-E808F16322EF} - (no file)
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program\Delade filer\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program\DELADE~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: {3898f401-1162-406b-ff24-07e218c74308} - {80347c81-2e70-42ff-b604-2611104f8983} - C:\WINDOWS\system32\verfygye.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program\Delade filer\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {A79B56E4-47DE-4069-BF75-A7773B66A05F} - (no file)
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Visa Norton-verktygsfältet - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program\Delade filer\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [epm-dm] c:\acer\epm\epm-dm.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RemoteControl] C:\Program\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [Genväg till egenskapssida för High Definition Audio] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [ePowerManagement] C:\Acer\ePM\ePM.exe boot
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program\D-Tools\daemon.exe"  -lang 1033
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ATIPTA] C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LManager] C:\Program\Launch Manager\QtZgAcer.EXE
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [googletalk] C:\Program\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [HP Software Update] C:\Program\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program\Delade filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [vmware-tray] C:\Program\VMware\VMware Workstation\vmware-tray.exe
O4 - HKLM\..\Run: [VMware hqtray] "C:\Program\VMware\VMware Workstation\hqtray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [2gb4i3hn] C:\WINDOWS\TEMP\AE2309FF.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJÄNST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Snabbstarta.lnk = C:\Program\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Program\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Genväg till Bginfo.lnk = D:\DOWNLOAD\Sysinternals\BgInfo\Bginfo.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Blogga detta - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blogga detta i Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - https://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=http://www.viewpoint.com/cgi-bin/installer.v4/vet_install_popup.pl?1&6&04.00.03.21&unknown&unknown&http://vbb.timantti.com/regal20/
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1126514623906
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://e-learning.nil.si/tsweb/msrdp.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: Apache2.2 - Apache Software Foundation - C:\Program\Apache Software Foundation\Apache2.2\bin\httpd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Automatisk LiveUpdate-schemaläggare - Symantec Corporation - C:\Program\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccSvcHst.exe
O23 - Service: MySQL - Unknown owner - C:\Program\MySQL\MySQL.exe (file missing)
O23 - Service: PGPserv - PGP Corporation - C:\WINDOWS\system32\PGPserv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program\WinPcap\rpcapd.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program\DELADE~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: VMware Agent Service (ufad-ws60) - VMware, Inc. - C:\Program\VMware\VMware Workstation\vmware-ufad.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program\Delade filer\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe

--
End of file - 14165 bytes

After this I ran Vundofix

Here is th log

VundoFix V6.7.8

Checking Java version...

Sun Java not detected
Scan started at 13:35:14 2008-02-19

Listing files found while scanning....

C:\WINDOWS\system32\bnacxmui.ini
C:\windows\system32\bodxisjv.dllbox
C:\WINDOWS\system32\iumxcanb.dll
C:\WINDOWS\system32\lxylfuna.dll
C:\WINDOWS\system32\uevyxyor.dll

Beginning removal...

 Attempting to delete C:\WINDOWS\system32\bnacxmui.ini
C:\WINDOWS\system32\bnacxmui.ini Has been deleted!

 Attempting to delete C:\windows\system32\bodxisjv.dllbox
C:\windows\system32\bodxisjv.dllbox Has been deleted!

 Attempting to delete C:\WINDOWS\system32\iumxcanb.dll
C:\WINDOWS\system32\iumxcanb.dll Could not be deleted.

 Attempting to delete C:\WINDOWS\system32\lxylfuna.dll
C:\WINDOWS\system32\lxylfuna.dll Has been deleted!

 Attempting to delete C:\WINDOWS\system32\uevyxyor.dll
C:\WINDOWS\system32\uevyxyor.dll Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

 Attempting to delete C:\WINDOWS\system32\iumxcanb.dll
C:\WINDOWS\system32\iumxcanb.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.7.8

Checking Java version...

Sun Java not detected
Scan started at 14:10:32 2008-02-19

Listing files found while scanning....

No infected files were found.


VundoFix V6.7.8

Checking Java version...

Sun Java not detected
Scan started at 12:20:42 2008-02-20

Listing files found while scanning....

C:\WINDOWS\system32\htkuuyxl.dll
C:\WINDOWS\system32\lxyuukth.ini
C:\WINDOWS\system32\skaboxtd.dll
C:\WINDOWS\system32\verfygye.dll

Beginning removal...

 Attempting to delete C:\WINDOWS\system32\htkuuyxl.dll
C:\WINDOWS\system32\htkuuyxl.dll Has been deleted!

 Attempting to delete C:\WINDOWS\system32\lxyuukth.ini
C:\WINDOWS\system32\lxyuukth.ini Has been deleted!

 Attempting to delete C:\WINDOWS\system32\skaboxtd.dll
C:\WINDOWS\system32\skaboxtd.dll Has been deleted!

 Attempting to delete C:\WINDOWS\system32\verfygye.dll
C:\WINDOWS\system32\verfygye.dll Has been deleted!

Performing Repairs to the registry.
Done!

As you see I´ve run it before also.

After that I ran HiJackthis again

Here is the log

[code=auto:0]Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:54:09, on 2008-02-20
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\Delade filer\Symantec Shared\ccSvcHst.exe
C:\Program\Delade filer\Symantec Shared\ccProxy.exe
C:\Program\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Acer\eManager\anbmServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program\Delade filer\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\PGPserv.exe
C:\WINDOWS\system32\HPZipm12.exe
c:\Program\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program\Delade filer\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\acer\epm\epm-dm.exe
C:\Program\Synaptics\SynTP\SynTPLpr.exe
C:\Program\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program\D-Tools\daemon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program\Launch Manager\QtZgAcer.EXE
C:\Program\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program\Delade filer\Teleca Shared\CapabilityManager.exe
C:\Program\Google\Google Talk\googletalk.exe
C:\Program\HP\HP Software Update\HPWuSchd2.exe
C:\Program\VMware\VMware Workstation\vmware-tray.exe
C:\Program\VMware\VMware Workstation\hqtray.exe
C:\Program\Delade filer\Symantec Shared\ccSvcHst.exe
C:\Program\Java\jre1.6.0_03\bin\jusched.exe
C:\Program\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\TEMP\AE2309FF.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program\Delade filer\Teleca Shared\Generic.exe
C:\Program\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe
C:\Program\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\HPZinw12.exe
C:\Program\Internet Explorer\iexplore.exe
C:\Program\Delade filer\Microsoft Shared\Windows Live\WLLoginProxy.exe
D:\DOWNLOAD\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=proxy1.telia.com:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = login1.telia.com;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {23D44BCF-AA7A-41D6-8905-E808F16322EF} - (no file)
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program\Delade filer\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program\DELADE~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: {3898f401-1162-406b-ff24-07e218c74308} - {80347c81-2e70-42ff-b604-2611104f8983} - C:\WINDOWS\system32\verfygye.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program\Delade filer\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {A79B56E4-47DE-4069-BF75-A7773B66A05F} - (no file)
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Visa Norton-verktygsfältet - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program\Delade filer\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [epm-dm] c:\acer\epm\epm-dm.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RemoteControl] C:\Program\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [Genväg till egenskapssida för High Definition Audio] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [ePowerManagement] C:\Acer\ePM\ePM.exe boot
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ATIPTA] C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LManager] C:\Program\Launch Manager\QtZgAcer.EXE
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [googletalk] C:\Program\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [HP Software Update] C:\Program\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program\Delade filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [vmware-tray] C:\Program\VMware\VMware Workstation\vmware-tray.exe
O4 - HKLM\..\Run: [VMware hqtray] "C:\Program\VMware\VMware Workstation\hqtray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [2gb4i3hn] C:\WINDOWS\TEMP\AE2309FF.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJÄNST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Snabbstarta.lnk = C:\Program\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Program\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Genväg till Bginfo.lnk = D:\DOWNLOAD\Sysinternals\BgInfo\Bginfo.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Blogga detta - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blogga detta i Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - https://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=http://www.viewpoint.com/cgi-bin/installer.v4/vet_install_popup.pl?1&6&04.00.03.21&unknown&unknown&http://vbb.timantti.com/regal20/
O16 - DPF: {17492023-C

#2
kahdah

Posted 20 February 2008 - 06:56 AM

GeekU Teacher

Retired Staff
15,822 posts

Hello LeifG

Welcome to G2Go.

================
Please download Deckard's System Scanner (DSS) and save it to your Desktop.

Close all other windows before proceeding.
Double-click on dss.exe and follow the prompts.
When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

#3
heir

Posted 20 February 2008 - 07:42 AM

Trusted Helper

Topic Starter
Malware Removal
5,427 posts

Thanks for the fast reply!

Here comes the logs

Main.txt

Deckard's System Scanner v20071014.68
Run by Leif on 2008-02-20 14:23:17
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 3 Restore Point(s) --
3: 2008-02-20 13:23:27 UTC - RP4 - Deckard's System Scanner Restore Point
2: 2008-02-19 23:50:14 UTC - RP3 - Installed SUPERAntiSpyware Free Edition
1: 2008-02-19 19:31:39 UTC - RP2 - Före Rensning 20080219


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Leif.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:31:05, on 2008-02-20
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\Delade filer\Symantec Shared\ccSvcHst.exe
C:\Program\Delade filer\Symantec Shared\ccProxy.exe
C:\Program\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Acer\eManager\anbmServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program\Delade filer\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\PGPserv.exe
c:\Program\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program\Delade filer\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\acer\epm\epm-dm.exe
C:\Program\Synaptics\SynTP\SynTPLpr.exe
C:\Program\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program\D-Tools\daemon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program\Launch Manager\QtZgAcer.EXE
C:\Program\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program\Delade filer\Teleca Shared\CapabilityManager.exe
C:\Program\Google\Google Talk\googletalk.exe
C:\Program\HP\HP Software Update\HPWuSchd2.exe
C:\Program\VMware\VMware Workstation\vmware-tray.exe
C:\Program\VMware\VMware Workstation\hqtray.exe
C:\Program\Delade filer\Symantec Shared\ccSvcHst.exe
C:\Program\Java\jre1.6.0_03\bin\jusched.exe
C:\Program\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\TEMP\AE2309FF.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program\Delade filer\Teleca Shared\Generic.exe
C:\Program\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe
C:\Program\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\Leif\Skrivbord\dss.exe
D:\DOWNLOAD\HIJACK~1\Leif.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=proxy1.telia.com:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = login1.telia.com;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {23D44BCF-AA7A-41D6-8905-E808F16322EF} - (no file)
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program\Delade filer\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program\DELADE~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: {3898f401-1162-406b-ff24-07e218c74308} - {80347c81-2e70-42ff-b604-2611104f8983} - C:\WINDOWS\system32\verfygye.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program\Delade filer\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {A79B56E4-47DE-4069-BF75-A7773B66A05F} - (no file)
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Visa Norton-verktygsfältet - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program\Delade filer\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [epm-dm] c:\acer\epm\epm-dm.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RemoteControl] C:\Program\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [Genväg till egenskapssida för High Definition Audio] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [ePowerManagement] C:\Acer\ePM\ePM.exe boot
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program\D-Tools\daemon.exe"  -lang 1033
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ATIPTA] C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LManager] C:\Program\Launch Manager\QtZgAcer.EXE
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [googletalk] C:\Program\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [HP Software Update] C:\Program\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program\Delade filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [vmware-tray] C:\Program\VMware\VMware Workstation\vmware-tray.exe
O4 - HKLM\..\Run: [VMware hqtray] "C:\Program\VMware\VMware Workstation\hqtray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [2gb4i3hn] C:\WINDOWS\TEMP\AE2309FF.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJÄNST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Snabbstarta.lnk = C:\Program\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Program\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Genväg till Bginfo.lnk = D:\DOWNLOAD\Sysinternals\BgInfo\Bginfo.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Blogga detta - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blogga detta i Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - https://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=http://www.viewpoint.com/cgi-bin/installer.v4/vet_install_popup.pl?1&6&04.00.03.21&unknown&unknown&http://vbb.timantti.com/regal20/
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1126514623906
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://e-learning.nil.si/tsweb/msrdp.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: Apache2.2 - Apache Software Foundation - C:\Program\Apache Software Foundation\Apache2.2\bin\httpd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Automatisk LiveUpdate-schemaläggare - Symantec Corporation - C:\Program\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccSvcHst.exe
O23 - Service: MySQL - Unknown owner - C:\Program\MySQL\MySQL.exe (file missing)
O23 - Service: PGPserv - PGP Corporation - C:\WINDOWS\system32\PGPserv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program\WinPcap\rpcapd.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program\DELADE~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: VMware Agent Service (ufad-ws60) - VMware, Inc. - C:\Program\VMware\VMware Workstation\vmware-ufad.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program\Delade filer\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe

--
End of file - 13954 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 SASDIFSV - c:\program\superantispyware\sasdifsv.sys
R1 SASKUTIL - c:\program\superantispyware\saskutil.sys
R1 UBHelper (MRW remapping) - c:\windows\system32\drivers\ubhelper.sys
R2 EpmPsd (Acer EPM Power Scheme Driver) - c:\windows\system32\drivers\epm-psd.sys <Not Verified; Acer Value Labs, USA; Acer EPM Power Scheme Driver>
R2 EpmShd (Acer EPM System Hardware Driver) - c:\windows\system32\drivers\epm-shd.sys <Not Verified; Acer Value Labs, USA; Acer EPM System Hardware Driver>
R2 osaio - c:\windows\system32\drivers\osaio.sys <Not Verified; Windows (R) 2000 DDK provider; OSA I/O Port Driver>
R2 osanbm - c:\windows\system32\drivers\osanbm.sys <Not Verified; Windows (R) 2000 DDK provider; OSA int15 Driver Version 2.0.2>
R2 PGPdisk - c:\windows\system32\drivers\pgpdisk.sys <Not Verified; PGP Corporation; PGP>
R2 PGPsdkDriver - c:\windows\system32\drivers\pgpsdk.sys <Not Verified; PGP Corporation; PGPsdk>
R3 NTIDrvr (Upper Class Filter Driver) - c:\windows\system32\drivers\ntidrvr.sys <Not Verified; NewTech Infosystems, Inc.; >
R3 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus(R) ASPI Shell>
R3 SASENUM - c:\program\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>

S1 vsdatant - c:\windows\system32\vsdatant.sys (file missing)
S2 HDUSB (HDUSB_XP.Sys HDUSB Bulk IO test driver) - c:\windows\system32\drivers\hdusb_xp.sys <Not Verified; Microsoft Corporation; Microsoft(R) Windows(TM) Operating System>
S3 ggsemc (Sony Ericsson USB Flash Driver) - c:\windows\system32\drivers\ggsemc.sys <Not Verified; Sony Ericsson Mobile Communications; Gordon's Gate>
S3 int15.sys - c:\program\acer\erecovery\int15.sys
S3 LHidUsbK (Logitech SetPoint USB Receiver device driver) - c:\windows\system32\drivers\lhidusbk.sys (file missing)
S3 LMouKE (Logitech SetPoint Mouse Filter Driver) - c:\windows\system32\drivers\lmouke.sys (file missing)
S3 NSNDIS5 (NSNDIS5 NDIS Protocol Driver) - c:\windows\system32\nsndis5.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); NetStumbler>
S3 PCTINDIS5 (PCTINDIS5 NDIS Protocol Driver) - c:\windows\system32\pctindis5.sys (file missing)
S3 SE26bus (Sony Ericsson Device 038 Driver driver (WDM)) - c:\windows\system32\drivers\se26bus.sys <Not Verified; MCCI; Sony Ericsson Device 038 Driver>
S3 SE26mdfl (Sony Ericsson Device 038 USB WMC Modem Filter) - c:\windows\system32\drivers\se26mdfl.sys <Not Verified; MCCI; Sony Ericsson Device 038 USB WMC Modem Filter Driver>
S3 SE26mdm (Sony Ericsson Device 038 USB WMC Modem Driver) - c:\windows\system32\drivers\se26mdm.sys <Not Verified; MCCI; Sony Ericsson Device 038 USB WMC Data Modem>
S3 SE26mgmt (Sony Ericsson Device 038 USB WMC Device Management Drivers (WDM)) - c:\windows\system32\drivers\se26mgmt.sys <Not Verified; MCCI; Sony Ericsson Device 038 USB WMC Device Management>
S3 se26nd5 (Sony Ericsson Device 038 USB Ethernet Emulation SEMC38 (NDIS)) - c:\windows\system32\drivers\se26nd5.sys <Not Verified; MCCI; Sony Ericsson Device 038 USB Ethernet Emulation>
S3 SE26obex (Sony Ericsson Device 038 USB WMC OBEX Interface) - c:\windows\system32\drivers\se26obex.sys <Not Verified; MCCI; Sony Ericsson Device 038 USB WMC OBEX Interface>
S3 se26unic (Sony Ericsson Device 038 USB Ethernet Emulation SEMC38 (WDM)) - c:\windows\system32\drivers\se26unic.sys <Not Verified; MCCI; Sony Ericsson Device 038 USB Ethernet Emulation>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 anbmService (Notebook Manager Service) - c:\acer\emanager\anbmserv.exe <Not Verified; OSA Technologies Inc.; Acer eManager for Notebook>
R2 PGPserv - c:\windows\system32\pgpserv.exe <Not Verified; PGP Corporation; PGPsdk>

S2 MySQL - "c:\program\mysql\mysql server 5.0\bin\mysqld-nt" --defaults-file="c:\program\mysql\mysql server 5.0\my.ini" mysql (file missing)
S3 Apache2.2 - "c:\program\apache software foundation\apache2.2\bin\httpd.exe" -k runservice <Not Verified; Apache Software Foundation; Apache HTTP Server>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Intel(R) PRO/Wireless 2915ABG Network Connection
Device ID: PCI\VEN_8086&DEV_4223&SUBSYS_10018086&REV_05\4&1D3F0FBB&0&18F0
Manufacturer: Intel Corporation
Name: Intel(R) PRO/Wireless 2915ABG Network Connection
PNP Device ID: PCI\VEN_8086&DEV_4223&SUBSYS_10018086&REV_05\4&1D3F0FBB&0&18F0
Service: w29n51

Class GUID: {6BDD1FC1-810F-11D0-BEC7-08002BE2092F}
Description: Texas Instruments OHCI-kompatibel IEEE 1394-värdstyrenhet
Device ID: PCI\VEN_104C&DEV_8026&SUBSYS_00701025&REV_00\4&1D3F0FBB&0&38F0
Manufacturer: Texas Instruments
Name: Texas Instruments OHCI-kompatibel IEEE 1394-värdstyrenhet
PNP Device ID: PCI\VEN_104C&DEV_8026&SUBSYS_00701025&REV_00\4&1D3F0FBB&0&38F0
Service: ohci1394


-- Scheduled Tasks -------------------------------------------------------------

2008-02-20 14:08:02	   240 --a------ C:\WINDOWS\Tasks\Kontrollera uppdateringar för Windows Live Toolbar.job
2008-02-18 20:00:22	   620 --a------ C:\WINDOWS\Tasks\Norton Internet Security - Kör fullständig systemsökning - Leif.job


-- Files created between 2008-01-20 and 2008-02-20 -----------------------------

2008-02-20 07:31:19		 0 d-------- C:\WINDOWS\system32\ActiveScan
2008-02-20 00:50:35		 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-20 00:50:18		 0 d-------- C:\Program\SUPERAntiSpyware
2008-02-20 00:50:17		 0 d-------- C:\Documents and Settings\Leif\Application Data\SUPERAntiSpyware.com
2008-02-19 20:35:11		 0 d-------- C:\Documents and Settings\Leif\Application Data\Grisoft
2008-02-19 20:34:37		 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-19 07:54:32		 0 d-------- C:\Documents and Settings\mrx\Application Data\VMware
2008-02-17 16:15:50		 0 d-------- C:\Program\Delade filer\VMware
2008-02-17 16:15:47		 0 d-------- C:\Program\VMware
2008-02-17 15:21:22		 0 d-------- C:\Program\Lavasoft
2008-02-17 15:21:20		 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-17 01:01:43		 0 d-------- C:\Program\Windows Sidebar
2008-02-17 00:58:55		 0 d-------- C:\Program\Norton Internet Security
2008-02-16 22:27:10	 92736 --a------ C:\WINDOWS\system32\koxhtnau.dll
2008-02-16 09:22:42		 0 d-------- C:\Program\Helper
2008-02-16 09:19:06		 2 --a------ C:\839718926
2008-02-16 09:19:04	 54762 --a------ C:\WINDOWS\system32\jkghje.dll
2008-02-16 09:19:02	 58368 --a------ C:\wpohl.exe
2008-01-31 20:22:20		 0 d-------- C:\Documents and Settings\Leif\Application Data\OutlookAddin
2008-01-31 20:22:02		 0 d-------- C:\Program\Sms och mms i datorn Outlook
2008-01-27 20:51:24		 0 d-------- C:\Program\MySQL
2008-01-27 10:49:08		 0 d-------- C:\Documents and Settings\Leif\workspace
2008-01-27 09:26:25		 0 d-------- C:\Program\Notepad++
2008-01-27 09:26:25		 0 d-------- C:\Documents and Settings\Leif\Application Data\Notepad++
2008-01-26 15:57:25		 0 d-------- C:\Program\PHP
2008-01-26 09:36:46		 0 d-------- C:\Program\Apache Software Foundation
2008-01-24 10:43:47		 0 d-------- C:\Documents and Settings\Leif\Application Data\pdf995
2008-01-24 10:41:23	249856 --a------ C:\WINDOWS\system32\pdfmona.dll <Not Verified; TODO: <Company name>; TODO: <Product name>>
2008-01-24 10:41:23	 51716 --a------ C:\WINDOWS\system32\pdf995mon.dll
2008-01-24 10:41:23		 0 d-------- C:\Documents and Settings\All Users\Application Data\pdf995
2008-01-24 10:41:22		 0 d-------- C:\Program\pdf995


-- Find3M Report ---------------------------------------------------------------

2008-02-20 11:55:42		12 --a------ C:\WINDOWS\bthservsdp.dat
2008-02-17 16:19:48	495868 --a------ C:\WINDOWS\system32\perfh01D.dat
2008-02-17 16:19:48	103834 --a------ C:\WINDOWS\system32\perfc01D.dat
2008-02-07 12:41:48	 64936 --a------ C:\Documents and Settings\Leif\Application Data\GDIPFONTCACHEV1.DAT
2008-01-18 23:54:12		 0 d-------- C:\Program\Microsoft Silverlight
2008-01-18 23:41:58		 0 d-------- C:\Program\Microsoft SQL Server
2008-01-18 23:35:30		 0 d-------- C:\Program\Microsoft Synchronization Services
2008-01-18 23:32:20		 0 d-------- C:\Program\Microsoft.NET
2008-01-18 23:32:20		 0 d-------- C:\Program\Microsoft Visual Studio 9.0
2008-01-18 23:30:52		 0 d-------- C:\Program\Microsoft SDKs
2008-01-16 23:40:48		 0 d-------- C:\Program\winMd5Sum
2008-01-14 21:01:20		 0 d-------- C:\Program\Windows Live Toolbar
2008-01-14 20:58:38		 0 d-------- C:\Program\Microsoft SQL Server Compact Edition
2008-01-14 20:46:12		 0 d--hs---- C:\Program\Delade filer\WindowsLiveInstaller
2008-01-14 20:45:52		 0 d-------- C:\Program\Windows Live
2008-01-11 01:21:02	 82350 --a------ C:\Documents and Settings\Leif\Application Data\PatchUpdate_HP_CounterReport_Update_HPSU.log
2008-01-10 22:31:36	195511 --a------ C:\Documents and Settings\Leif\Application Data\Update_HP_RedboxHprblog_HPSU.log
2008-01-10 14:11:08		 0 d-------- C:\Program\Symantec
2008-01-10 14:10:38		 0 d-------- C:\Program\Delade filer\Symantec Shared
2007-12-20 08:50:24		 0 d-------- C:\Documents and Settings\Leif\Application Data\Talkback
2007-12-20 08:49:28		 0 --a------ C:\WINDOWS\nsreg.dat
2007-12-20 08:49:24		 0 d-------- C:\Documents and Settings\Leif\Application Data\Mozilla


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{23D44BCF-AA7A-41D6-8905-E808F16322EF}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]
2007-08-24 20:51	316784	--a------	C:\Program\Delade filer\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
2008-02-17 09:26	116088	--a------	C:\Program\DELADE~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{80347c81-2e70-42ff-b604-2611104f8983}]
			C:\WINDOWS\system32\verfygye.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A79B56E4-47DE-4069-BF75-A7773B66A05F}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"= C:\Program\Delade filer\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll [2007-08-24 20:51 316784]

[-HKEY_CLASSES_ROOT\CLSID\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"epm-dm"="c:\acer\epm\epm-dm.exe" [2005-01-25 14:02]
"SynTPLpr"="C:\Program\Synaptics\SynTP\SynTPLpr.exe" [2004-10-07 22:44]
"SynTPEnh"="C:\Program\Synaptics\SynTP\SynTPEnh.exe" [2004-10-07 22:43]
"SoundMan"="SOUNDMAN.EXE" [2004-11-02 14:53 C:\WINDOWS\SoundMan.exe]
"RemoteControl"="C:\Program\CyberLink\PowerDVD\PDVDServ.exe" [2004-07-15 01:07]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2005-07-19 17:32]
"Genväg till egenskapssida för High Definition Audio"="HDAudPropShortcut.exe" [2004-08-12 17:45 C:\WINDOWS\system32\Hdaudpropshortcut.exe]
"ePowerManagement"="C:\Acer\ePM\ePM.exe" [2005-01-21 15:21]
"DAEMON Tools-1033"="C:\Program\D-Tools\daemon.exe" [2004-08-22 17:05]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 05:00 C:\WINDOWS\system32\bthprops.cpl]
"ATIPTA"="C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-12-07 21:10]
"AlcWzrd"="ALCWZRD.EXE" [2004-12-10 15:38 C:\WINDOWS\ALCWZRD.EXE]
"AGRSMMSG"="AGRSMMSG.exe" [2005-08-24 16:24 C:\WINDOWS\AGRSMMSG.exe]
"LManager"="C:\Program\Launch Manager\QtZgAcer.EXE" [2005-06-15 10:34]
"Sony Ericsson PC Suite"="C:\Program\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 17:17]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 05:00]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 05:00]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 05:00]
"LaunchApp"="Alaunch" []
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 05:00]
"@"="" []
"googletalk"="C:\Program\Google\Google Talk\googletalk.exe" [2007-01-01 23:22]
"HP Software Update"="C:\Program\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 23:12]
"ccApp"="C:\Program\Delade filer\Symantec Shared\ccApp.exe" [2007-08-24 22:07]
"osCheck"="C:\Program\Norton Internet Security\osCheck.exe" [2007-08-24 21:53]
"vmware-tray"="C:\Program\VMware\VMware Workstation\vmware-tray.exe" [2007-10-08 09:27]
"VMware hqtray"="C:\Program\VMware\VMware Workstation\hqtray.exe" [2007-10-08 09:26]
"SunJavaUpdateSched"="C:\Program\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"!AVG Anti-Spyware"="C:\Program\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 10:25]
"2gb4i3hn"="C:\WINDOWS\TEMP\AE2309FF.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00]
"SUPERAntiSpyware"="C:\Program\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-02-27 11:39]

C:\Documents and Settings\All Users\Start-meny\Program\Autostart\
Adobe Reader Speed Launch.lnk - C:\Program\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
HP Digital Imaging Monitor.lnk - C:\Program\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 23:23:26]
HP Image Zone Snabbstarta.lnk - C:\Program\HP\Digital Imaging\bin\hpqthb08.exe [2005-05-12 00:49:24]
Monitor Apache Servers.lnk - C:\Program\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe [2008-01-18 00:38:50]
Microsoft Office.lnk - C:\Program\Microsoft Office\Office10\OSA.EXE [2001-02-13 10:01:04]
Genv„g till Bginfo.lnk - D:\DOWNLOAD\Sysinternals\BgInfo\Bginfo.exe [2008-02-11 19:32:59]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] 
C:\Program\SUPERAntiSpyware\SASWINLO.dll 2007-02-27 11:39 282624 C:\Program\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\pmnlk.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs	BthServ


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d4350c78-7dbb-11dc-bc7e-00c09f961a04}]
AutoRun\command- F:\LaunchU3.exe -a

*Newly Created Service* - COMHOST



-- Hosts -----------------------------------------------------------------------

192.168.0.100	homeserver
10.10.10.10	LeifsHP0014388625E8 HP0014388625E8


-- End of Deckard's System Scanner: finished at 2008-02-20 14:33:50 ------------

Extra.txt

[code=auto:0]Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: Swedish

CPU 0: Intel(R) Pentium(R) M processor 2.00GHz
Percentage of Memory in Use: 58%
Physical Memory (total/avail): 1022.05 MiB / 423.19 MiB
Pagefile Memory (total/avail): 2459.44 MiB / 1844.37 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1937.63 MiB

C: is Fixed (FAT32) - 44.99 GiB total, 10.6 GiB free.
D: is Fixed (NTFS) - 45.22 GiB total, 4.43 GiB free.
E: is CDROM (No Media)
F: is CDROM (CDFS)
G: is Removable (FAT32)

\\.\PHYSICALDRIVE0 - ST9100823A - 93.16 GiB - 3 partitions
\PARTITION0 - Unknown - 2.93 GiB
\PARTITION1 (bootable) - Unknown - 45 GiB - C:
\PARTITION2 - Utökat med XInt 13 - 45.22 GiB - D:

\\.\PHYSICALDRIVE1 - SanDisk U3 Cruzer Micro USB Device - 3.81 GiB - 1 partition
\PARTITION0 - Unknown - 3.81 GiB - G:

-- Security Center -------------------------------------------------------------

AUOptions is set to notify before install.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.
AntiVirusDisableNotify is set.
FirewallDisableNotify is set.

FW: Norton Internet Security v15.0.0.60 (Symantec Corporation)
AV: Norton Internet Security v15.0.0.60 (Symantec Corporation)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program\\Windows Live\\Messenger\\livecall.exe"="C:\\Program\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Program\\Juniper\\NetScreen-Remote\\IreIKE.exe"="C:\\Program\\Juniper\\NetScreen-Remote\\IreIKE.exe:*:Enabled:IreIke"
"C:\\Program\\Juniper\\NetScreen-Remote\\ViewLog.exe"="C:\\Program\\Juniper\\NetScreen-Remote\\ViewLog.exe:127.0.0.1/255.255.255.255:Enabled:ViewLog"
"C:\\Program\\Juniper\\NetScreen-Remote\\CmonApp.exe"="C:\\Program\\Juniper\\NetScreen-Remote\\CmonApp.exe:127.0.0.1/255.255.255.255:Enabled:CMonApp"
"C:\\Program\\Juniper\\NetScreen-Remote\\Vpn.exe"="C:\\Program\\Juniper\\NetScreen-Remote\\Vpn.exe:127.0.0.1/255.255.255.255:Enabled:VPN Connection Manager"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program\\Java\\jdk1.5.0_05\\jre\\bin\\java.exe"="C:\\Program\\Java\\jdk1.5.0_05\\jre\\bin\\java.exe:*:Enabled:Java(TM) 2 Platform Standard Edition binary"
"C:\\Program\\Xfire\\Xfire.exe"="C:\\Program\\Xfire\\Xfire.exe:*:Enabled:Xfire"
"C:\\Program\\Skype\\Phone\\Skype.exe"="C:\\Program\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program\\Google\\Google Talk\\googletalk.exe"="C:\\Program\\Google\\Google Talk\\googletalk.exe:*:Enabled:Google Talk"
"C:\\Documents and Settings\\Leif\\Lokala inställningar\\Temp\\hp_webrelease_\\setup\\HPZnet01.exe"="C:\\Documents and Settings\\Leif\\Lokala inställningar\\Temp\\hp_webrelease_\\setup\\HPZnet01.exe:*:Enabled:hpznet01.exe"
"C:\\Documents and Settings\\Leif\\Lokala inställningar\\Temp\\hp_webrelease_\\setup\\hponicifs01.exe"="C:\\Documents and Settings\\Leif\\Lokala inställningar\\Temp\\hp_webrelease_\\setup\\hponicifs01.exe:*:Enabled:hponicifs01.exe"
"C:\\Documents and Settings\\Leif\\Lokala inställningar\\Temp\\hp_webrelease__\\setup\\HPZnet01.exe"="C:\\Documents and Settings\\Leif\\Lokala inställningar\\Temp\\hp_webrelease__\\setup\\HPZnet01.exe:*:Enabled:hpznet01.exe"
"C:\\Documents and Settings\\Leif\\Lokala inställningar\\Temp\\hp_webrelease__\\setup\\hponicifs01.exe"="C:\\Documents and Settings\\Leif\\Lokala inställningar\\Temp\\hp_webrelease__\\setup\\hponicifs01.exe:*:Enabled:hponicifs01.exe"
"C:\\Documents and Settings\\Leif\\Lokala inställningar\\Temp\\hp_webrelease____\\setup\\HPZnet01.exe"="C:\\Documents and Settings\\Leif\\Lokala inställningar\\Temp\\hp_webrelease____\\setup\\HPZnet01.exe:*:Enabled:hpznet01.exe"
"C:\\Documents and Settings\\Leif\\Lokala inställningar\\Temp\\hp_webrelease____\\setup\\hponicifs01.exe"="C:\\Documents and Settings\\Leif\\Lokala inställningar\\Temp\\hp_webrelease____\\setup\\hponicifs01.exe:*:Enabled:hponicifs01.exe"
"C:\\Program\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"="C:\\Program\\HP\\Digital Imaging\\bin\\hpqnrs08.exe:*:Enabled:hpqnrs08.exe"
"E:\\setup\\HPZNET01.EXE"="E:\\setup\\HPZNET01.EXE:*:Enabled:hpznet01.exe"
"E:\\setup\\HPONICIFS01.EXE"="E:\\setup\\HPONICIFS01.EXE:*:Enabled:hponicifs01.exe"
"C:\\Program\\HP\\Digital Imaging\\bin\\hpqtra08.exe"="C:\\Program\\HP\\Digital Imaging\\bin\\hpqtra08.exe:*:Enabled:hpqtra08.exe"
"C:\\Program\\HP\\Digital Imaging\\bin\\hpqste08.exe"="C:\\Program\\HP\\Digital Imaging\\bin\\hpqste08.exe:*:Enabled:hpqste08.exe"
"C:\\Program\\HP\\Digital Imaging\\bin\\hpofxm08.exe"="C:\\Program\\HP\\Digital Imaging\\bin\\hpofxm08.exe:*:Enabled:hpofxm08.exe"
"C:\\Program\\HP\\Digital Imaging\\bin\\hposfx08.exe"="C:\\Program\\HP\\Digital Imaging\\bin\\hposfx08.exe:*:Enabled:hposfx08.exe"
"C:\\Program\\HP\\Digital Imaging\\bin\\hposid01.exe"="C:\\Program\\HP\\Digital Imaging\\bin\\hposid01.exe:*:Enabled:hposid01.exe"
"C:\\Program\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"="C:\\Program\\HP\\Digital Imaging\\bin\\hpqscnvw.exe:*:Enabled:hpqscnvw.exe"
"C:\\Program\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"="C:\\Program\\HP\\Digital Imaging\\bin\\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
"C:\\Program\\HP\\Digital Imaging\\bin\\hpqCopy.exe"="C:\\Program\\HP\\Digital Imaging\\bin\\hpqCopy.exe:*:Enabled:hpqcopy.exe"
"C:\\Program\\HP\\Digital Imaging\\bin\\hpfccopy.exe"="C:\\Program\\HP\\Digital Imaging\\bin\\hpfccopy.exe:*:Enabled:hpfccopy.exe"
"C:\\Program\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"="C:\\Program\\HP\\Digital Imaging\\bin\\hpzwiz01.exe:*:Enabled:hpzwiz01.exe"
"C:\\Program\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"="C:\\Program\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe:*:Enabled:hpqphunl.exe"
"C:\\Program\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"="C:\\Program\\HP\\Digital Imaging\\Unload\\HpqDIA.exe:*:Enabled:hpqdia.exe"
"C:\\Program\\HP\\Digital Imaging\\bin\\hpoews01.exe"="C:\\Program\\HP\\Digital Imaging\\bin\\hpoews01.exe:*:Enabled:hpoews01.exe"
"C:\\Program\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program\\Windows Live\\Messenger\\livecall.exe"="C:\\Program\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Program\\Juniper\\NetScreen-Remote\\IreIKE.exe"="C:\\Program\\Juniper\\NetScreen-Remote\\IreIKE.exe:*:Enabled:IreIke"
"C:\\Program\\Juniper\\NetScreen-Remote\\ViewLog.exe"="C:\\Program\\Juniper\\NetScreen-Remote\\ViewLog.exe:127.0.0.1/255.255.255.255:Enabled:ViewLog"
"C:\\Program\\Juniper\\NetScreen-Remote\\CmonApp.exe"="C:\\Program\\Juniper\\NetScreen-Remote\\CmonApp.exe:127.0.0.1/255.255.255.255:Enabled:CMonApp"
"C:\\Program\\Juniper\\NetScreen-Remote\\Vpn.exe"="C:\\Program\\Juniper\\NetScreen-Remote\\Vpn.exe:127.0.0.1/255.255.255.255:Enabled:VPN Connection Manager"

-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Leif\Application Data
CommonProgramFiles=C:\Program\Delade filer
COMPUTERNAME=LEIFS
ComSpec=C:\WINDOWS\system32\cmd.exe
DEFAULT_CA_NR=CA6
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Leif
LANG=C
LOGONSERVER=\\LEIFS
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program\ATI Technologies\ATI Control Panel;C:\Program\Java\jdk1.5.0_07\bin;C:\Program\Delade filer\Teleca Shared;C:\Program\Delade filer\GTK\2.0\bin;C:\Program\ZipGenius 6\;c:\Program\Microsoft SQL Server\90\Tools\binn\;c:\Program\PHP;C:\Program\MySQL\MySQL Server 5.0\bin;C:\Program\SSH Communications Security\SSH Secure Shell
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 13 Stepping 8, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0d08
ProgramFiles=C:\Program
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Leif\LOKALA~1\Temp
TMP=C:\DOCUME~1\Leif\LOKALA~1\Temp
USERDOMAIN=LEIFS
USERNAME=Leif
USERPROFILE=C:\Documents and Settings\Leif
windir=C:\WINDOWS
__COMPAT_LAYER=EnableNXShowUI

-- User Profiles ---------------------------------------------------------------

Leif [I](admin)[/I]
mrx
Administratör [I](admin)[/I]

-- Add/Remove Programs ---------------------------------------------------------

--> "C:\Program\Symantec\LiveUpdate\LSETUP.EXE" /U
--> C:\WINDOWS\IsUninst.exe -f"C:\Program\Acer Inc.\Acer English Online Help Creator\Uninst.isu"
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Acer eManager for Notebook --> C:\Program\Delade filer\InstallShield\Driver\8\Intel 32\IDriver.exe /M{827289F5-B44F-4E49-9993-840741585A62}
Acer ePowerManagement --> RunDll32 C:\Program\DELADE~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program\InstallShield Installation Information\{58E5844B-7CE2-413D-83D1-99294BF6C74F}\Setup.exe" -l0x1d
Acer GridVista --> MsiExec.exe /I{18FF8DB9-922C-41C9-AA29-6DA648D6B071}
Active@ Boot Disk 3.0 Demo --> "C:\Program\LSoft Technologies\Active Boot Disk Demo\UNWISE.EXE" "C:\Program\LSoft Technologies\Active Boot Disk Demo\INSTALL.LOG"
Ad-Aware 2007 --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 7.0.9 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70900000002}
Advanced IP Address Calculator v1.1 --> C:\Program\Advanced IP Address Calculator\uninstal.exe
Agere Systems HDA Modem --> agrsmdel
Apache HTTP Server 2.2.8 --> MsiExec.exe /I{85262A06-2D8C-4BC1-B6ED-5A705D09CFFC}
AppCore --> MsiExec.exe /I{EFB5B3B5-A280-4E25-BE1C-634EEFE32C1B}
ArcSoft Camera Suite 1.3 --> RunDll32 C:\Program\DELADE~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program\InstallShield Installation Information\{AD13BFB0-FDD2-4AFA-A8AF-9F4A950D56B7}\setup.exe" -l0x9
Ashampoo Photo Illuminator 2 --> "C:\Program\ashampoo\Ashampoo Photo Illuminator 2\Uninstall\Illuminator_Uninstall.EXE"
ATI Control Panel --> RunDll32 C:\Program\DELADE~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe"
AutoStreamer --> MsiExec.exe /X{4218F0E1-CBAF-4D68-B6FE-B3504770829F}
AVG Anti-Spyware 7.5 --> C:\Program\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
Bonus --> MsiExec.exe /I{420F8FCF-8F5E-4518-A5B3-FBBD56B98FEC}
Broadcom Gigabit Integrated Controller --> C:\Program\DELADE~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{BE6890C7-31EF-478C-812E-1E2899ABFCA9}
Canon Camera Support Core Library --> C:\Program\Delade filer\InstallShield\Driver\8\Intel 32\IDriver.exe /M{91F1A0D6-23AD-49FE-8D4E-379485652214} /l1033
Canon Camera Window DS for ZoomBrowser EX --> C:\Program\Delade filer\InstallShield\Driver\8\Intel 32\IDriver.exe /M{91203BD3-6C3E-472F-ADBD-F60FDC7C4010}
Canon Camera Window DVC for ZoomBrowser EX --> C:\Program\Delade filer\InstallShield\Driver\8\Intel 32\IDriver.exe /M{4C96958A-6562-4143-B820-FF4890D3B734}
Canon Camera Window for ZoomBrowser EX --> C:\Program\Delade filer\InstallShield\Driver\8\Intel 32\IDriver.exe /M{C7281207-4AA4-425E-B57A-0E9EF8445635}
Canon Internet Library for ZoomBrowser EX --> C:\Program\Delade filer\InstallShield\Driver\8\Intel 32\IDriver.exe /M{2F81FBFC-9A37-431F-9050-14B55485DF5A}
Canon MovieE

Edited by LeifG, 20 February 2008 - 07:52 AM.

#4
heir

Posted 20 February 2008 - 07:56 AM

Trusted Helper

Topic Starter
Malware Removal
5,427 posts

Seems like my extra.text is cut when posted.

Here comes Extra.txt again

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: Swedish

CPU 0: Intel(R) Pentium(R) M processor 2.00GHz
Percentage of Memory in Use: 58%
Physical Memory (total/avail): 1022.05 MiB / 423.19 MiB
Pagefile Memory (total/avail): 2459.44 MiB / 1844.37 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1937.63 MiB

C: is Fixed (FAT32) - 44.99 GiB total, 10.6 GiB free. 
D: is Fixed (NTFS) - 45.22 GiB total, 4.43 GiB free. 
E: is CDROM (No Media)
F: is CDROM (CDFS)
G: is Removable (FAT32)

\\.\PHYSICALDRIVE0 - ST9100823A - 93.16 GiB - 3 partitions
  \PARTITION0 - Unknown - 2.93 GiB
  \PARTITION1 (bootable) - Unknown - 45 GiB - C:
  \PARTITION2 - Utökat med XInt 13 - 45.22 GiB - D:

\\.\PHYSICALDRIVE1 - SanDisk U3 Cruzer Micro USB Device - 3.81 GiB - 1 partition
  \PARTITION0 - Unknown - 3.81 GiB - G:



-- Security Center -------------------------------------------------------------

AUOptions is set to notify before install.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.
AntiVirusDisableNotify is set.
FirewallDisableNotify is set.

FW: Norton Internet Security v15.0.0.60 (Symantec Corporation)
AV: Norton Internet Security v15.0.0.60 (Symantec Corporation)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program\\Windows Live\\Messenger\\livecall.exe"="C:\\Program\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Program\\Juniper\\NetScreen-Remote\\IreIKE.exe"="C:\\Program\\Juniper\\NetScreen-Remote\\IreIKE.exe:*:Enabled:IreIke"
"C:\\Program\\Juniper\\NetScreen-Remote\\ViewLog.exe"="C:\\Program\\Juniper\\NetScreen-Remote\\ViewLog.exe:127.0.0.1/255.255.255.255:Enabled:ViewLog"
"C:\\Program\\Juniper\\NetScreen-Remote\\CmonApp.exe"="C:\\Program\\Juniper\\NetScreen-Remote\\CmonApp.exe:127.0.0.1/255.255.255.255:Enabled:CMonApp"
"C:\\Program\\Juniper\\NetScreen-Remote\\Vpn.exe"="C:\\Program\\Juniper\\NetScreen-Remote\\Vpn.exe:127.0.0.1/255.255.255.255:Enabled:VPN Connection Manager"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program\\Java\\jdk1.5.0_05\\jre\\bin\\java.exe"="C:\\Program\\Java\\jdk1.5.0_05\\jre\\bin\\java.exe:*:Enabled:Java(TM) 2 Platform Standard Edition binary"
"C:\\Program\\Xfire\\Xfire.exe"="C:\\Program\\Xfire\\Xfire.exe:*:Enabled:Xfire"
"C:\\Program\\Skype\\Phone\\Skype.exe"="C:\\Program\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program\\Google\\Google Talk\\googletalk.exe"="C:\\Program\\Google\\Google Talk\\googletalk.exe:*:Enabled:Google Talk"
"C:\\Documents and Settings\\Leif\\Lokala inställningar\\Temp\\hp_webrelease_\\setup\\HPZnet01.exe"="C:\\Documents and Settings\\Leif\\Lokala inställningar\\Temp\\hp_webrelease_\\setup\\HPZnet01.exe:*:Enabled:hpznet01.exe"
"C:\\Documents and Settings\\Leif\\Lokala inställningar\\Temp\\hp_webrelease_\\setup\\hponicifs01.exe"="C:\\Documents and Settings\\Leif\\Lokala inställningar\\Temp\\hp_webrelease_\\setup\\hponicifs01.exe:*:Enabled:hponicifs01.exe"
"C:\\Documents and Settings\\Leif\\Lokala inställningar\\Temp\\hp_webrelease__\\setup\\HPZnet01.exe"="C:\\Documents and Settings\\Leif\\Lokala inställningar\\Temp\\hp_webrelease__\\setup\\HPZnet01.exe:*:Enabled:hpznet01.exe"
"C:\\Documents and Settings\\Leif\\Lokala inställningar\\Temp\\hp_webrelease__\\setup\\hponicifs01.exe"="C:\\Documents and Settings\\Leif\\Lokala inställningar\\Temp\\hp_webrelease__\\setup\\hponicifs01.exe:*:Enabled:hponicifs01.exe"
"C:\\Documents and Settings\\Leif\\Lokala inställningar\\Temp\\hp_webrelease____\\setup\\HPZnet01.exe"="C:\\Documents and Settings\\Leif\\Lokala inställningar\\Temp\\hp_webrelease____\\setup\\HPZnet01.exe:*:Enabled:hpznet01.exe"
"C:\\Documents and Settings\\Leif\\Lokala inställningar\\Temp\\hp_webrelease____\\setup\\hponicifs01.exe"="C:\\Documents and Settings\\Leif\\Lokala inställningar\\Temp\\hp_webrelease____\\setup\\hponicifs01.exe:*:Enabled:hponicifs01.exe"
"C:\\Program\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"="C:\\Program\\HP\\Digital Imaging\\bin\\hpqnrs08.exe:*:Enabled:hpqnrs08.exe"
"E:\\setup\\HPZNET01.EXE"="E:\\setup\\HPZNET01.EXE:*:Enabled:hpznet01.exe"
"E:\\setup\\HPONICIFS01.EXE"="E:\\setup\\HPONICIFS01.EXE:*:Enabled:hponicifs01.exe"
"C:\\Program\\HP\\Digital Imaging\\bin\\hpqtra08.exe"="C:\\Program\\HP\\Digital Imaging\\bin\\hpqtra08.exe:*:Enabled:hpqtra08.exe"
"C:\\Program\\HP\\Digital Imaging\\bin\\hpqste08.exe"="C:\\Program\\HP\\Digital Imaging\\bin\\hpqste08.exe:*:Enabled:hpqste08.exe"
"C:\\Program\\HP\\Digital Imaging\\bin\\hpofxm08.exe"="C:\\Program\\HP\\Digital Imaging\\bin\\hpofxm08.exe:*:Enabled:hpofxm08.exe"
"C:\\Program\\HP\\Digital Imaging\\bin\\hposfx08.exe"="C:\\Program\\HP\\Digital Imaging\\bin\\hposfx08.exe:*:Enabled:hposfx08.exe"
"C:\\Program\\HP\\Digital Imaging\\bin\\hposid01.exe"="C:\\Program\\HP\\Digital Imaging\\bin\\hposid01.exe:*:Enabled:hposid01.exe"
"C:\\Program\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"="C:\\Program\\HP\\Digital Imaging\\bin\\hpqscnvw.exe:*:Enabled:hpqscnvw.exe"
"C:\\Program\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"="C:\\Program\\HP\\Digital Imaging\\bin\\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
"C:\\Program\\HP\\Digital Imaging\\bin\\hpqCopy.exe"="C:\\Program\\HP\\Digital Imaging\\bin\\hpqCopy.exe:*:Enabled:hpqcopy.exe"
"C:\\Program\\HP\\Digital Imaging\\bin\\hpfccopy.exe"="C:\\Program\\HP\\Digital Imaging\\bin\\hpfccopy.exe:*:Enabled:hpfccopy.exe"
"C:\\Program\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"="C:\\Program\\HP\\Digital Imaging\\bin\\hpzwiz01.exe:*:Enabled:hpzwiz01.exe"
"C:\\Program\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"="C:\\Program\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe:*:Enabled:hpqphunl.exe"
"C:\\Program\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"="C:\\Program\\HP\\Digital Imaging\\Unload\\HpqDIA.exe:*:Enabled:hpqdia.exe"
"C:\\Program\\HP\\Digital Imaging\\bin\\hpoews01.exe"="C:\\Program\\HP\\Digital Imaging\\bin\\hpoews01.exe:*:Enabled:hpoews01.exe"
"C:\\Program\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program\\Windows Live\\Messenger\\livecall.exe"="C:\\Program\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Program\\Juniper\\NetScreen-Remote\\IreIKE.exe"="C:\\Program\\Juniper\\NetScreen-Remote\\IreIKE.exe:*:Enabled:IreIke"
"C:\\Program\\Juniper\\NetScreen-Remote\\ViewLog.exe"="C:\\Program\\Juniper\\NetScreen-Remote\\ViewLog.exe:127.0.0.1/255.255.255.255:Enabled:ViewLog"
"C:\\Program\\Juniper\\NetScreen-Remote\\CmonApp.exe"="C:\\Program\\Juniper\\NetScreen-Remote\\CmonApp.exe:127.0.0.1/255.255.255.255:Enabled:CMonApp"
"C:\\Program\\Juniper\\NetScreen-Remote\\Vpn.exe"="C:\\Program\\Juniper\\NetScreen-Remote\\Vpn.exe:127.0.0.1/255.255.255.255:Enabled:VPN Connection Manager"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Leif\Application Data
CommonProgramFiles=C:\Program\Delade filer
COMPUTERNAME=LEIFS
ComSpec=C:\WINDOWS\system32\cmd.exe
DEFAULT_CA_NR=CA6
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Leif
LANG=C
LOGONSERVER=\\LEIFS
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program\ATI Technologies\ATI Control Panel;C:\Program\Java\jdk1.5.0_07\bin;C:\Program\Delade filer\Teleca Shared;C:\Program\Delade filer\GTK\2.0\bin;C:\Program\ZipGenius 6\;c:\Program\Microsoft SQL Server\90\Tools\binn\;c:\Program\PHP;C:\Program\MySQL\MySQL Server 5.0\bin;C:\Program\SSH Communications Security\SSH Secure Shell
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 13 Stepping 8, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0d08
ProgramFiles=C:\Program
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Leif\LOKALA~1\Temp
TMP=C:\DOCUME~1\Leif\LOKALA~1\Temp
USERDOMAIN=LEIFS
USERNAME=Leif
USERPROFILE=C:\Documents and Settings\Leif
windir=C:\WINDOWS
__COMPAT_LAYER=EnableNXShowUI 


-- User Profiles ---------------------------------------------------------------

Leif [I](admin)[/I]
mrx
Administratör [I](admin)[/I]


-- Add/Remove Programs ---------------------------------------------------------

 --> "C:\Program\Symantec\LiveUpdate\LSETUP.EXE" /U
 --> C:\WINDOWS\IsUninst.exe -f"C:\Program\Acer Inc.\Acer English Online Help Creator\Uninst.isu"
 --> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Acer eManager for Notebook --> C:\Program\Delade filer\InstallShield\Driver\8\Intel 32\IDriver.exe /M{827289F5-B44F-4E49-9993-840741585A62} 
Acer ePowerManagement --> RunDll32 C:\Program\DELADE~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program\InstallShield Installation Information\{58E5844B-7CE2-413D-83D1-99294BF6C74F}\Setup.exe" -l0x1d 
Acer GridVista --> MsiExec.exe /I{18FF8DB9-922C-41C9-AA29-6DA648D6B071}
Active@ Boot Disk 3.0 Demo --> "C:\Program\LSoft Technologies\Active Boot Disk Demo\UNWISE.EXE" "C:\Program\LSoft Technologies\Active Boot Disk Demo\INSTALL.LOG"
Ad-Aware 2007 --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 7.0.9 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70900000002}
Advanced IP Address Calculator v1.1 --> C:\Program\Advanced IP Address Calculator\uninstal.exe
Agere Systems HDA Modem --> agrsmdel
Apache HTTP Server 2.2.8 --> MsiExec.exe /I{85262A06-2D8C-4BC1-B6ED-5A705D09CFFC}
AppCore --> MsiExec.exe /I{EFB5B3B5-A280-4E25-BE1C-634EEFE32C1B}
ArcSoft Camera Suite 1.3 --> RunDll32 C:\Program\DELADE~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program\InstallShield Installation Information\{AD13BFB0-FDD2-4AFA-A8AF-9F4A950D56B7}\setup.exe" -l0x9 
Ashampoo Photo Illuminator 2 --> "C:\Program\ashampoo\Ashampoo Photo Illuminator 2\Uninstall\Illuminator_Uninstall.EXE"
ATI Control Panel --> RunDll32 C:\Program\DELADE~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe" 
AutoStreamer --> MsiExec.exe /X{4218F0E1-CBAF-4D68-B6FE-B3504770829F}
AVG Anti-Spyware 7.5 --> C:\Program\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
Bonus --> MsiExec.exe /I{420F8FCF-8F5E-4518-A5B3-FBBD56B98FEC}
Broadcom Gigabit Integrated Controller --> C:\Program\DELADE~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{BE6890C7-31EF-478C-812E-1E2899ABFCA9} 
Canon Camera Support Core Library --> C:\Program\Delade filer\InstallShield\Driver\8\Intel 32\IDriver.exe /M{91F1A0D6-23AD-49FE-8D4E-379485652214} /l1033 
Canon Camera Window DS for ZoomBrowser EX --> C:\Program\Delade filer\InstallShield\Driver\8\Intel 32\IDriver.exe /M{91203BD3-6C3E-472F-ADBD-F60FDC7C4010} 
Canon Camera Window DVC for ZoomBrowser EX --> C:\Program\Delade filer\InstallShield\Driver\8\Intel 32\IDriver.exe /M{4C96958A-6562-4143-B820-FF4890D3B734} 
Canon Camera Window for ZoomBrowser EX --> C:\Program\Delade filer\InstallShield\Driver\8\Intel 32\IDriver.exe /M{C7281207-4AA4-425E-B57A-0E9EF8445635} 
Canon Internet Library for ZoomBrowser EX --> C:\Program\Delade filer\InstallShield\Driver\8\Intel 32\IDriver.exe /M{2F81FBFC-9A37-431F-9050-14B55485DF5A} 
Canon MovieEdit Task for ZoomBrowser EX --> C:\Program\Delade filer\InstallShield\Driver\8\Intel 32\IDriver.exe /M{8AF1E098-1A5C-4336-BBE2-D047ABB401ED} 
Canon PhotoRecord --> MsiExec.exe /X{0878E100-C0BB-41E8-B4C6-C486B61FDA7B}
Canon RAW Image Task for ZoomBrowser EX --> C:\Program\Delade filer\InstallShield\Driver\8\Intel 32\IDriver.exe /M{45EF4EE3-F591-4B74-A477-0CAE12934CE7} 
Canon RemoteCapture Task for ZoomBrowser EX --> C:\Program\Delade filer\InstallShield\Driver\8\Intel 32\IDriver.exe /M{28291BD5-92D2-4685-82DC-CCA925C53CCA} 
Canon Utilities PhotoStitch 3.1 --> C:\Program\Delade filer\InstallShield\Driver\8\Intel 32\IDriver.exe /M{218BBBE3-FE63-4BB2-81A8-7435575A84FA} 
Canon ZoomBrowser EX --> MsiExec.exe /X{C1D76D7A-F3BB-47EA-A746-5B1E2FFC1DF2}
CC_ccProxyExt --> MsiExec.exe /I{779F426C-A8F3-414B-B7AF-B6BDC9B8E040}
ccCommon --> MsiExec.exe /I{B24E05CC-46FF-4787-BBB8-5CD516AFB118}
CCleaner (remove only) --> "C:\Program\CCleaner\uninst.exe"
ccPxyCore --> MsiExec.exe /I{AB70ABEC-771B-47CB-9E41-DF77DE4FFC5C}
CIB --> MsiExec.exe /I{E8176C35-0C2D-4142-9ED4-81861ECAB403}
Component Framework --> MsiExec.exe /I{31478BE1-CDE5-4753-A8B2-F6D4BC1FBE09}
DAEMON Tools --> MsiExec.exe /I{3DED3A72-61A8-4B87-98A5-EF0BC8038AA0}
Disc2Phone --> MsiExec.exe /I{FFAB5ABB-8AAB-42E2-847F-1743E51E01E9}
Drivrutiner till Logitech® Camera --> "C:\Program\Delade filer\Logitech\QCDRV\BIN\SETUP.EXE" UNINSTALL REMOVEPROMPT
DVD Decrypter (Remove Only) --> "C:\Program\DVD Decrypter\uninstall.exe"
DVD Shrink 3.2 --> "C:\Program\DVD Shrink\unins000.exe"
Fx Image Manger --> C:\PROGRAM\FXIMAG~1\UNWISE.EXE C:\PROGRAM\FXIMAG~1\INSTALL.LOG
GdiplusUpgrade --> MsiExec.exe /I{5421155F-B033-49DB-9B33-8F80F233D4D5}
Google Earth --> MsiExec.exe /I{1E04F83B-2AB9-4301-9EF7-E86307F79C72}
Google Talk (remove only) --> "C:\Program\Google\Google Talk\uninstall.exe"
GTK+ 2.10.6-1 runtime environment --> "C:\Program\Delade filer\GTK\2.0\setup\unins000.exe"
High Definition Audio Driver Package - KB835221 --> C:\WINDOWS\$NtUninstallKB835221WXP$\spuninst\spuninst.exe
HijackThis 2.0.2 --> "D:\DOWNLOAD\HiJackThis\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
HP Document Viewer 5.3 --> C:\Program\HP\Digital Imaging\DocumentViewer\hpzscr01.exe -datfile hpqbud04.dat
HP Extended Capabilities 5.3 --> C:\Program\HP\Digital Imaging\ExtCapUninstall\hpzscr01.exe -datfile hpqhsc01.dat
HP Image Zone 5.3 --> C:\Program\HP\Digital Imaging\uninstall\hpzscr01.exe -datfile hpqscr01.dat
HP Imaging Device Functions 5.3 --> C:\Program\HP\Digital Imaging\DigitalImagingMonitor\hpzscr01.exe -datfile hpqbud01.dat
HP PSC & OfficeJet 5.3.A --> "C:\Program\HP\Digital Imaging\{3E386744-10FA-44b2-98C9-DF7A270DECB3}\setup\hpzscr01.exe" -datfile hposcr06.dat
HP Software Update --> MsiExec.exe /X{15EE79F4-4ED1-4267-9B0F-351009325D7D}
HP Solution Center & Imaging Support Tools 5.3 --> C:\Program\HP\Digital Imaging\eSupport\hpzscr01.exe -datfile hpqbud05.dat
HTML-Kit --> C:\Program\Chami\HTML-Kit\unins000.exe
Introduction to Visual Basic 2008 Express Edition --> MsiExec.exe /I{3308288C-00DE-46D9-8E65-16AB6AD7805B}
J2SE Development Kit 5.0 Update 7 --> MsiExec.exe /I{32A3A4F4-B792-11D6-A78A-00B0D0150070}
J2SE Runtime Environment 5.0 Update 11 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150110}
Java(TM) 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Launch Manager --> C:\WINDOWS\UnInst32.exe QtZgAcer.UNI
LiveUpdate (Symantec Corporation) --> MsiExec.exe /X{E80F62FF-5D3C-4A19-8409-9721F2928206}
Macromedia Shockwave Player --> C:\WINDOWS\system32\MACROMED\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\MACROMED\SHOCKW~1\INSTALL.LOG
MAGIX Photostory on CD & DVD 4.0 (FL) --> C:\MAGIX\Photostory_on_CD_DVD_40_silver\instslct.exe
Microsoft Baseline Security Analyzer 2.0 --> MsiExec.exe /I{8A8F4EF8-160C-4E0F-B32D-92E2313E039B}
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft interaktiv träning --> C:\Program\MSPress\Träning\lunins32_s.exe
Microsoft Office XP Media Content --> MsiExec.exe /I{9030041D-6000-11D3-8CFE-0050048383C9}
Microsoft Office XP Standard --> MsiExec.exe /I{9112041D-6000-11D3-8CFE-0050048383C9}
Microsoft Silverlight --> MsiExec.exe /I{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft SQL Server 2005 --> "c:\Program\Microsoft SQL Server\90\Setup Bootstrap\ARPWrapper.exe" /Remove
Microsoft SQL Server 2005 Compact Edition [ENU] --> MsiExec.exe /I{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}
Microsoft SQL Server 2005 Express Edition (SQLEXPRESS) --> MsiExec.exe /I{2AFFFDD7-ED85-4A90-8C52-5DA9EBDC9B8F}
Microsoft SQL Server 2005 Tools Express Edition --> MsiExec.exe /I{2750B389-A2D2-4953-99CA-27C1F2A8E6FD}
Microsoft SQL Server Compact 3.5 Design Tools ENU --> MsiExec.exe /X{2E5C075E-11AB-4BDD-918C-7B9A68953FF8}
Microsoft SQL Server Compact 3.5 ENU --> MsiExec.exe /I{BCC899FE-2DAA-460C-A5FB-60291E73D9C3}
Microsoft SQL Server Native Client --> MsiExec.exe /I{F9B3DD02-B0B3-42E9-8650-030DFF0D133D}
Microsoft SQL Server Setup Support Files (English) --> MsiExec.exe /X{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}
Microsoft SQL Server VSS Writer --> MsiExec.exe /I{E9F44C98-B8B6-480F-AF7B-E42A0A46F4E3}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Windows SDK for Visual Studio 2008 Express Tools for .NET Framework --> MsiExec.exe /X{B4C0A315-07FB-39F9-85CD-8CE20C019350}
Microsoft Windows SDK for Visual Studio 2008 Express Tools for Win32 --> MsiExec.exe /X{07FCBED5-94C3-4F94-B9D3-360FA27C7B06}
Microsoft Visual Basic 2008 Express Edition - ENU --> C:\Program\Microsoft Visual Studio 9.0\Microsoft Visual Basic 2008 Express Edition - ENU\setup.exe
Microsoft Visual Basic 2008 Express Edition - ENU --> MsiExec.exe /X{9C2DC81B-8114-37D9-A922-95E460A1FAFB}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Mirage Driver 1.1 --> "C:\Program\DemoForge\Mirage Driver\uninst\unins000.exe"
Mozilla Firefox (2.0.0.12) --> C:\Program\Mozilla Firefox\uninstall\helper.exe
MSDN Library for Microsoft Visual Studio 2008 Express Editions --> C:\Program\Microsoft Visual Studio 9.0\MSDN Library for Microsoft Visual Studio 2008 Express Editions\install.exe
MSXML 6.0 Parser (KB933579) --> MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
Multimedia Conversion Library 4.5.1 --> C:\Program\MCL-4.5.1\uninstall.exe
Multimediautgåvan av Nationalencyklopedin --> C:\PROGRAM\NE\INSTALL\UNWISE.EXE C:\PROGRAM\NE\INSTALL\INSTALL.LOG
MySQL Server 5.0 --> MsiExec.exe /I{8AA037A8-E104-493A-A962-8D58535A0198}
Nero Digital --> C:\WINDOWS\UNNeroVision.exe /UNINSTALL
Nero Media Player --> C:\WINDOWS\UNNMP.exe /UNINSTALL
Nero OEM --> C:\Program\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
NetBeans IDE 5.0 --> C:\Program\netbeans-5.0\_uninst\uninstaller.exe
Network Stumbler 0.4.0 (remove only) --> "C:\Program\Network Stumbler\uninst.exe"
Norton Add-on Pack (Symantec Corporation) --> "C:\Program\Delade filer\Symantec Shared\SymSetup\{420F8FCF-8F5E-4518-A5B3-FBBD56B98FEC}_2_0_0_61\Setup.exe" /X
Norton AntiSpam --> MsiExec.exe /I{5677563D-0CB1-485F-9E18-C5025306BB3F}
Norton AntiVirus --> MsiExec.exe /X{77FFBA7E-0973-4F39-BBDB-AC2F537578D2}
Norton AntiVirus Help --> MsiExec.exe /I{D4BB907A-623E-4F07-8787-041ABAE088E4}
Norton AntiVirus Help --> MsiExec.exe /I{E3EFA461-EB83-4C3B-9C47-2C1D58A01555}
Norton Confidential Core --> MsiExec.exe /I{55A6283C-638A-4EE0-B491-51118554BDA2}
Norton Internet Security --> MsiExec.exe /I{C1C185CA-C531-49F5-A6FA-B838405A049D}
Norton Internet Security (Symantec Corporation) --> "C:\Program\Delade filer\Symantec Shared\SymSetup\{C1C185CA-C531-49F5-A6FA-B838405A049D}_15_0_0_60\Setup.exe" /X
Norton Protection Center --> MsiExec.exe /I{62120008-8E1E-4807-860D-A8B48F8552DB}
Notepad++ --> C:\Program\Notepad++\uninstall.exe
NTI Backup NOW! 3 --> C:\Program\DELADE~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{4E68EAA3-775A-4542-A08A-47DB8E8E74A6} /l1033 BUNText
NTI CD & DVD-Maker Gold --> C:\Program\DELADE~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{C438B7C4-B4F8-49C5-A4DF-FF6F1F242778} /l1033 AnyText
O2Micro MemoryCardBus & Smart Card Reader Windows Driver --> C:\Program\DELADE~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{3418EAAB-58BA-481A-A9F5-77BCCEBF9B39} /l1033 
Panda ActiveScan --> C:\WINDOWS\system32\ASUninst.exe Panda ActiveScan
Parental Control --> MsiExec.exe /I{66B9BD1F-4189-4f35-BD82-9948720A04CF}
Pdf995 --> C:\Program\pdf995\setup.exe uninstall
PdfEdit995 --> C:\Program\pdf995\res\utilities\thinsetup.exe - uninstall
PGP 8.1 --> C:\Program\PGPCOR~1\PGPFOR~1\PGPUNI~1\setup.exe PGP
PowerDVD --> RunDll32 C:\Program\DELADE~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\SETUP.EXE"  -uninstall
ProjectX 0.90.4.00 --> C:\Program\ProjectX_0.90.4.00\Uninstall.exe
Realtek High Definition Audio Driver --> RunDll32 C:\Program\DELADE~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\setup.exe" REMOVE
Registry Mechanic 6.0 --> "C:\Program\Registry Mechanic\unins000.exe"
Sökmarkeringsfönstret (Windows Live Toolbar) --> MsiExec.exe /X{D052C16B-1290-41CF-8EFB-79337027B2F7}
SecExMD5+ --> C:\Program Files\SecExMD5\bfsetup.exe /u /f "C:\Program Files\SecExMD5\setup.cfg"
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Signature995 --> C:\Program\pdf995\res\utilities\Signature995\thinsetup.exe - uninstall
Smarta menyer (Windows Live Toolbar) --> MsiExec.exe /X{2770CB13-5093-4C94-A318-F103857E18B1}
Sms och mms i datorn Outlook --> C:\Program\Sms och mms i datorn Outlook\Uninstall.exe
Snabbkorrigering för Windows XP (KB914440) --> "C:\WINDOWS\$NtUninstallKB914440$\spuninst\spuninst.exe"
Snabbkorrigering för Windows XP (KB935448) --> "C:\WINDOWS\$NtUninstallKB935448$\spuninst\spuninst.exe"
Säkerhetsuppdatering för Step by Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Säkerhetsuppdatering för Windows XP (KB890046) --> "C:\WINDOWS\$NtUninstallKB890046$\spuninst\spuninst.exe"
Säkerhetsuppdatering för Windows XP (KB893066) --> "C:\WINDOWS\$NtUninstallKB893066$\spuninst\spuninst.exe"
Säkerhetsuppdatering för Windows XP (KB893756) --> "C:\WINDOWS\$NtUninstallKB893756$\spuninst\spuninst.exe"
Säkerhetsuppdatering för Windows XP (KB896358) --> "C:\WINDOWS\$NtUninstallKB896358$\spuninst\spuninst.exe"
Säkerhetsuppdatering för Windows XP (KB896422) --> "C:\WINDOWS\$NtUninstallKB896422$\spuninst\spuninst.exe"
Säkerhetsuppdatering för Windows XP (KB896423) --> "C:\WINDOWS\$NtUninstallKB896423$\spuninst\spuninst.exe"
Säkerhetsuppdatering för Windows XP (KB896424) --> "C:\WINDOWS\$NtUninstallKB896424$\spuninst\spuninst.exe"
Säkerhetsuppdatering för Windows XP (KB896428) --> "C:\WINDOWS\$NtUninstallKB896428$\spuninst\spuninst.exe"
Säkerhetsuppdatering för Windows XP (KB896688) --> "C:\WINDOWS\$NtUninstallKB896688$\spuninst\spuninst.exe"
Säkerhetsuppdatering för Windows XP (KB899587) --> "C:\WINDOWS\$NtUninstallKB899587$\spuninst\spuninst.exe"
Säkerhetsuppdatering för Windows XP (KB899588) --> "C:\WINDOWS\$NtUninstallKB899588$\spuninst\spuninst.exe"
Säkerhetsuppdatering för Windows XP (KB899589) --> "C:\WINDOWS\$NtUninstallKB899589$\spuninst\spuninst.exe"
Säkerhetsuppdatering för Windows XP (KB899591) --> "C:\WINDOWS\$NtUninstallKB899591$\spuninst\spuninst.exe"
Säkerhetsuppdatering för Windows XP (KB900725) --> "C:\WINDOWS\$NtUninstallKB900725$\spuninst\spuninst.exe"
Säkerhetsuppdatering för Windows XP (KB901017) --> "C:\WINDOWS\$NtUninstallKB901017$\spuninst\spuninst.exe"
Säkerhetsuppdatering för Windows XP (KB901190) --> "C:\WINDOWS\$NtUninstallKB901190$\spuninst\spuninst.exe"
Säkerhetsuppdatering för Windows XP (KB901214) --> "C:\WINDOWS\$NtUninstallKB901214$\spuninst\spuninst.exe"
Säkerhetsuppdatering för Windows XP (KB902400) --> "C:\WINDOWS\$NtUninstallKB902400$\spuninst\spuninst.exe"
Säkerhetsuppdatering för Windows XP (KB904706) --> "C:\WINDOWS\$NtUninstallKB904706$\spuninst\spuninst.exe"
Säkerhetsuppdatering för Windows XP (KB905414) --> "C:\WINDOWS\$NtUninstallKB905414$\spuninst\spuninst.exe"
Säkerhetsuppdatering för Windows XP (KB905749) --> "C:\WINDOWS\$NtUninstallKB905749$\spuninst\spuninst.exe"
Säkerhetsuppdatering för Windows XP (KB905915) --> "C:\WINDOWS\$NtUninstallKB905915$\spuninst\spuninst.exe"
Säkerhetsuppdatering för Windows XP (KB908519) --> "C:\WINDOWS\$NtUninstallKB908519$\spuninst\spuninst.exe"
Säkerhetsuppdatering för Windows XP (KB908531) --> "C:\WINDOWS\$NtUninstallKB908531$\spuninst\spuninst.exe"
Säkerhetsuppdatering för Windows XP (KB911280) --> "C:\WINDOWS\$NtUninstallKB911280$\spuninst\spuninst.exe"
Säkerhetsuppdatering för Windows XP (KB911562) --> "C:\WINDOWS\$NtUninstallKB911562$\spuninst\spuninst.exe"
Säkerhetsuppdatering för Windows XP (KB911567) --> "C:\WINDOWS\$NtUninstallKB911567$\spuninst\spuninst.exe"
Säkerhetsuppdatering för Windows XP (KB911927) --> "C:\WINDOWS\$NtUninstallKB911927$\spuninst\spuninst.exe"
Säkerhetsuppdatering för Windows XP (KB912812) --> "C:\WINDOWS\$NtUninstallKB912812$\spuninst\spuninst.exe"
Säkerhetsuppdatering för Windows XP (KB912919) --> "C:\WINDOWS\$NtUninstallKB912919$\spuninst\spuninst.exe"
Säkerhetsuppdatering för Windows XP (KB913446) --> "C:\WINDOWS\$NtUninstallKB913446$\spuninst\spuninst.exe"
Säkerhetsuppdatering för Windows XP (KB913580) --> "C:\WINDOWS\$NtUninstallKB913580$\spuninst\spuninst.exe"
Säkerhetsuppdatering för Windows XP (KB914388) --> "C:\WINDOWS\$NtUninstallKB914388$\spuninst\spuninst.exe"
Säkerhetsuppdatering för Windows XP (KB914389) --> "C:\WINDOWS\$NtUninstallKB914389$\spuninst\spuninst.exe"
Säkerhetsuppdatering för Windows XP (KB916281) --> "C:\WINDOWS\$NtUninstallKB916281$\spuninst\spuninst.exe"
Säkerhetsuppdatering för Windows XP (KB917159) --> "C:\WINDOWS\$NtUninstallKB917159$\spuninst\spuninst.exe"
Säkerhetsuppdatering för Windows XP (KB917344) --> "C:\WINDOWS\$NtUninstallKB917344$\spuninst\spuninst.exe"
Säkerhetsuppdatering för Windows XP (KB917422) --> "C:\WINDOWS\$NtUninstallKB917422$\spuninst\spuninst.exe"
Säkerhetsuppdatering för Windows XP (KB917953) --> "C:\WINDOWS\$NtUninstallKB917953$\spuninst\spuninst.exe"
Säkerhetsuppdatering för Windows XP (KB918118) --> "C:\WINDOWS\$NtUninstallKB918118$\spuninst\spuninst.exe"
Säkerhetsuppdatering för Windows XP (KB918439) --> "C:\WINDOWS\$NtUninstallKB918439$\spuninst\spuninst.exe"
Säkerhetsuppdatering för Windows XP (KB918899) --> "C:\WINDOWS\$NtUninstallKB918899$\spuninst\spuninst.exe"
Säkerhetsuppdatering för Windows XP (KB919007) --> "C:\WINDOWS\$NtUninstallKB919007$\spuninst\spuninst.exe"
Säkerhetsuppdatering för Windows XP (KB920213) --> "C:\WINDOWS\$NtUninstallKB920213$\spuninst\spuninst.exe"
Säkerhetsuppdatering för Windows XP (KB920214) --> "C:\WINDOWS\$NtUninstallKB920214$\spuninst\spuninst.exe"
Säkerhetsuppdatering för Windows XP (KB920670) --> "C:\WINDOWS\$NtUninstallKB920670$\spuninst\spuninst.exe"
Säkerhetsuppdatering för Windows XP (KB920683) --> "C:\WINDOWS\$NtUninstallKB920683$\spuninst\spuninst.exe"
Säkerhetsuppdatering för Windows XP (KB920685) --> "C:\WINDOWS\$NtUninstallKB920685$\spuninst\spuninst.exe"
Säkerhetsuppdatering för Windows XP (KB921398) --> "C:\WINDOWS\$NtUninstallKB921398$\spuninst\spuninst.exe"
Säkerhetsuppdatering för Windows XP (KB921503) --> "C:\WINDOWS\$NtUninstallKB921503$\spuninst\spuninst.exe"
Säkerhetsuppdatering för Windows XP (KB921883) --> "C:\WINDOWS\$NtUninstallKB921883$\spuninst\spuninst.exe"
Säkerhetsuppdatering för Windows XP (KB922616) --> "C:\WINDOWS\$NtUninstallKB922616$\spuninst\spuninst.exe"
Säkerhetsuppdatering för Windows XP (KB922760) --> "C:\WINDOWS\$NtUninstallKB922760$\spuninst\spuninst.exe"
Säkerhetsuppdatering för Windows XP (KB922819) --> "C:\WINDOWS\$NtUninstallKB922819$\spuninst\spuninst.exe"
Säkerhetsuppdatering för Windows XP (KB923191) --> "C:\WINDOWS\$NtUninstallKB923191$\spuninst\spuninst.exe"
Säkerhetsuppdatering för Windows XP (KB923414) --> "C:\WINDOWS\$NtUninstallKB923414$\spuninst\spuninst.exe"
Säkerhetsuppdatering för Windows XP (KB923689) --> "C:\WINDOWS\$NtUninstallKB923689$\spuninst\spuninst.exe"
Säkerhetsuppdatering för Windows XP (KB923694) --> "C:\WINDOWS\$NtUninstallKB923694$\spuninst\spuninst.exe"
Säkerhetsuppdatering för Windows XP (KB923980) --> "C:\WINDOWS\$NtUninstallKB923980$\spuninst\spuninst.exe"
Säkerhetsuppdatering för Windows XP (KB924191) --> "C:\WINDOWS\$NtUninstallKB924191$\spuninst\spuninst.exe"
Säkerhetsuppdatering för Windows XP (KB924270) --> "C:\WINDOWS\$NtUninstallKB924270$\spuninst\spuninst.exe"
Säkerhetsuppdatering för Windows XP (KB924496) --> "C:\WINDOWS\$NtUninstallKB924496$\spuninst\spuninst.exe"
Säkerhetsuppdatering för Windows XP (KB924667) --> "C:\WINDOWS\$NtUninstallKB924667$\spuninst\spuninst.exe"
Säkerhetsuppdatering för Windows XP (KB925454) --> "C:\WINDOWS\$NtUninstallKB925454$\spuninst\spuninst.exe"
Säkerhetsuppdatering för Windows XP (KB925486) --> "C:\WINDOWS\$NtUninstallKB925486$\spuninst\spuninst.exe"
Säkerhetsuppdatering för Windows XP (KB925902) --> "C:\WINDOWS\$NtUninstallKB925902$\spuninst\spuninst.exe"
Säkerhetsuppdatering för Windows XP (KB926255) --> "C:\WINDOWS\$NtUninstallKB926255$\spuninst\spuninst.exe"
Säkerhetsuppdatering för Windows XP (KB926436) --> "C:\WINDOWS\$NtUninstallKB926436$\spuninst\spuninst.exe"
Säkerhetsuppdatering för Windows XP (KB927779) --> "C:\WINDOWS\$NtUninstallKB927779$\spuninst\spuninst.exe"
Säkerhetsuppdatering för Windows XP (KB927802) --> "C:\WINDOWS\$NtUninstallKB927802$\spuninst\spuninst.exe"
Säkerhetsuppdatering för Windows XP (KB928090) --> "C:\WINDOWS\$NtUninstallKB928090$\spuninst\spuninst.exe"
Säkerhetsuppdatering för Windows XP (KB928255) --> "C:\WINDOWS\$NtUninstallKB928255$\spuninst\spuninst.exe"
Säkerhetsuppdatering för Windows XP (KB928843) --> "C:\WINDOWS\$NtUninstallKB928843$\spuninst\spuninst.exe"
Säkerhetsuppdatering för Windows XP (KB929123) --> "C:\WINDOWS\$NtUninstallKB929123$\spuninst\spuninst.exe"
Säkerhetsuppdatering för Windows XP (KB930178) --> "C:\WINDOWS\$NtUninstallKB930178$\spuninst\spuninst.exe"
Säkerhetsuppdatering för Windows XP (KB931261) --> "C:\WINDOWS\$NtUninstallKB931261$\spuninst\spuninst.exe"
Säkerhetsuppdatering för Windows XP (KB931784) --> "C:\WINDOWS\$NtUninstallKB931784$\spuninst\spuninst.exe"
Säkerhetsuppdatering för Windows XP (KB932168) --> "C:\WINDOWS\$NtUninstallKB932168$\spuninst\spuninst.exe"
Säkerhetsuppdatering för Windows XP (KB933729) --> "C:\WINDOWS\$NtUninstallKB933729$\spuninst\spuninst.exe"
Säkerhetsuppdatering för Windows XP (KB935839) --> "C:\WINDOWS\$NtUninstallKB935839$\spuninst\spuninst.exe"
Säkerhetsuppdatering för Windows XP (KB935840) --> "C:\WINDOWS\$NtUninstallKB935840$\spuninst\spuninst.exe"
Säkerhetsuppdatering för Windows XP (KB936021) --> "C:\WINDOWS\$NtUninstallKB936021$\spuninst\spuninst.exe"
Säkerhetsuppdatering för Windows XP (KB937894) --> "C:\WINDOWS\$NtUninstallKB937894$\spuninst\spuninst.exe"
Säkerhetsuppdatering för Windows XP (KB938829) --> "C:\WINDOWS\$NtUninstallKB938829$\spuninst\spuninst.exe"
Säkerhetsuppdatering för Windows XP (KB941202) --> "C:\WINDOWS\$NtUninstallKB941202$\spuninst\spuninst.exe"
Säkerhetsuppdatering för Windows XP (KB941568) --> "C:\WINDOWS\$NtUninstallKB941568$\spuninst\spuninst.exe"
Säkerhetsuppdatering för Windows XP (KB941569) --> "C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Säkerhetsuppdatering för Windows XP (KB941644) --> "C:\WINDOWS\$NtUninstallKB941644$\spuninst\spuninst.exe"
Säkerhetsuppdatering för Windows XP (KB943055) --> "C:\WINDOWS\$NtUninstallKB943055$\spuninst\spuninst.exe"
Säkerhetsuppdatering för Windows XP (KB943460) --> "C:\WINDOWS\$NtUninstallKB943460$\spuninst\spuninst.exe"
Säkerhetsuppdatering för Windows XP (KB943485) --> "C:\WINDOWS\$NtUninstallKB943485$\spuninst\spuninst.exe"
Säkerhetsuppdatering för Windows XP (KB944653) --> "C:\WINDOWS\$NtUninstallKB944653$\spuninst\spuninst.exe"
Säkerhetsuppdatering för Windows XP (KB946026) --> "C:\WINDOWS\$NtUninstallKB946026$\spuninst\spuninst.exe"
Sony Ericsson PC Suite --> MsiExec.exe /I{26B5D684-75D6-44B9-BBFF-D4100F43092A}
SPBBC 32bit --> MsiExec.exe /I{77772678-817F-4401-9301-ED1D01A8DA56}
SSH Secure Shell --> RunDll32 C:\Program\DELADE~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program\InstallShield Installation Information\{74E2CD0C-D4A2-11D3-95A6-0000E86CFDE5}\Setup.exe" 
SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
Symantec Technical Support Web Controls --> MsiExec.exe /X{9743AF47-B746-4324-B4C4-512E67D04370}
SymNet --> MsiExec.exe /I{2DA85B02-13C0-4E6D-9A76-22E6B3DD0CB2}
Synaptics Pointing Device Driver --> rundll32.exe "C:\Program\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
The GIMP 2.2.13 --> "C:\Program\GIMP-2.0\unins000.exe"
Trillian --> C:\Program\Trillian\trillian.exe /uninstall
TUGZip 3.4 --> "C:\Program\TUGZip\unins000.exe"
Update Service --> C:\Program\Sony Ericsson\Update Service\uninst.exe
Uppdatering för Windows XP (KB894391) --> "C:\WINDOWS\$NtUninstallKB894391$\spuninst\spuninst.exe"
Uppdatering för Windows XP (KB896727) --> "C:\WINDOWS\$NtUninstallKB896727$\spuninst\spuninst.exe"
Uppdatering för Windows XP (KB898461) --> "C:\WINDOWS\$NtUninstallKB898461$\spuninst\spuninst.exe"
Uppdatering för Windows XP (KB900485) --> "C:\WINDOWS\$NtUninstallKB900485$\spuninst\spuninst.exe"
Uppdatering för Windows XP (KB900930) --> "C:\WINDOWS\$NtUninstallKB900930$\spuninst\spuninst.exe"
Uppdatering för Windows XP (KB904942) --> "C:\WINDOWS\$NtUninstallKB904942$\spuninst\spuninst.exe"
Uppdatering för Windows XP (KB910437) --> "C:\WINDOWS\$NtUninstallKB910437$\spuninst\spuninst.exe"
Uppdatering för Windows XP (KB916595) --> "C:\WINDOWS\$NtUninstallKB916595$\spuninst\spuninst.exe"
Uppdatering för Windows XP (KB920342) --> "C:\WINDOWS\$NtUninstallKB920342$\spuninst\spuninst.exe"
Uppdatering för Windows XP (KB920872) --> "C:\WINDOWS\$NtUninstallKB920872$\spuninst\spuninst.exe"
Uppdatering för Windows XP (KB922582) --> "C:\WINDOWS\$NtUninstallKB922582$\spuninst\spuninst.exe"
Uppdatering för Windows XP (KB925720) --> "C:\WINDOWS\$NtUninstallKB925720$\spuninst\spuninst.exe"
Uppdatering för Windows XP (KB927891) --> "C:\WINDOWS\$NtUninstallKB927891$\spuninst\spuninst.exe"
Uppdatering för Windows XP (KB929338) --> "C:\WINDOWS\$NtUninstallKB929338$\spuninst\spuninst.exe"
Uppdatering för Windows XP (KB930916) --> "C:\WINDOWS\$NtUninstallKB930916$\spuninst\spuninst.exe"
Uppdatering för Windows XP (KB931836) --> "C:\WINDOWS\$NtUninstallKB931836$\spuninst\spuninst.exe"
Uppdatering för Windows XP (KB933360) --> "C:\WINDOWS\$NtUninstallKB933360$\spuninst\spuninst.exe"
Uppdatering för Windows XP (KB936357) --> "C:\WINDOWS\$NtUninstallKB936357$\spuninst\spuninst.exe"
Uppdatering för Windows XP (KB938828) --> "C:\WINDOWS\$NtUninstallKB938828$\spuninst\spuninst.exe"
Uppdatering för Windows XP (KB942763) --> "C:\WINDOWS\$NtUninstallKB942763$\spuninst\spuninst.exe"
USB downloader --> C:\WINDOWS\IsUninst.exe -f"C:\Program\FINEPASS\USB downloader\Uninst.isu"
Windows Imaging Component --> "C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Live installer --> MsiExec.exe /X{E17F76BE-50E9-4E7C-ADF6-6D8F44A9C6F3}
Windows Live Mail --> MsiExec.exe /I{7664A2EF-34F5-42D2-8FD8-4FEF0047A929}
Windows Live Messenger --> MsiExec.exe /X{20503DFE-E5B2-491E-B2C5-8BCB5BF5B9E9}
Windows Live Photo Gallery --> MsiExec.exe /X{47B89F03-A287-4CE2-B323-30913D3523B0}
Windows Live Sign-in Assistant --> MsiExec.exe /I{0ED47137-C071-46CC-A243-E5E33271E10E}
Windows Live Toolbar --> "C:\Program\Windows Live Toolbar\UnInstall.exe" {45EA1531-5226-4FC4-9341-8D0C8CEC502F}
Windows Live Toolbar --> MsiExec.exe /X{45EA1531-5226-4FC4-9341-8D0C8CEC502F}
Windows Live Toolbar Extension (Windows Live Toolbar) --> MsiExec.exe /X{64E09E82-610D-4FB9-8722-1D2D1CD65A6B}
Windows Live Writer --> MsiExec.exe /X{8A16A4FC-B43F-46A6-8DB5-C42B145EBFBD}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Presentation Foundation --> MsiExec.exe /X{BAF78226-3200-4DB4-BE33-4D922A799840}
Windows Presentation Foundation Language Pack (SVE) --> MsiExec.exe /X{0691B876-15B2-451B-AEA4-5653E40899C4}
Windows Server 2003 Service Pack 1 Administration Tools Pack --> MsiExec.exe /I{27B3563C-561C-4924-8C0E-EA102264873F}
Windows Workflow Foundation SV Language Pack --> MsiExec.exe /I{793C456F-EB0A-4164-BE77-B6D901F2C7E3}
WinPcap 4.0 --> C:\Program\WinPcap\uninstall.exe
Wireshark 0.99.5 --> "C:\Program\Wireshark\uninstall.exe"
Visio 2000 (IE) --> C:\Program\Delade filer\Visio Shared\6.0\IE\Vim.exe
VMware Workstation --> MsiExec.exe /I{A3FF5CB2-FB35-4658-8751-9EDE1D65B3AA}
VNC Free Edition 4.1.2 --> "C:\Program\RealVNC\VNC4\unins000.exe"
XML Paper Specification Shared Components Language Pack 1.0 --> "C:\WINDOWS\$NtUninstallXPSEPSCLP$\spuninst\spuninst.exe"
XML Paper Specification Shared Components Pack 1.0 --> 


-- Application Event Log -------------------------------------------------------

Event Record #/Type99138 / Error
Event Submitted/Written: 02/19/2008 03:25:33 PM
Event ID/Source: 1000 / Application Error
Event Description:
Felaktigt program explorer.exe, version 6.0.2900.3156, felaktig modul unknown, version 0.0.0.0, felaktig adress 0x000ccb50.
Mediespecifik händelse behandlas för [explorer.exe!ws!]

Event Record #/Type98998 / Error
Event Submitted/Written: 02/19/2008 00:57:07 PM
Event ID/Source: 1000 / Application Error
Event Description:
Felaktigt program iexplore.exe, version 7.0.6000.16608, felaktig modul unknown, version 0.0.0.0, felaktig adress 0x00211984.
Mediespecifik händelse behandlas för [iexplore.exe!ws!]

Event Record #/Type98658 / Error
Event Submitted/Written: 02/18/2008 03:02:13 PM
Event ID/Source: 100 / vmauthd
Event Description:
Cannot connect to VMX: C:\Documents and Settings\Leif\Mina dokument\My Virtual Machines\Windows 2000 Professional\Windows 2000 Professional.vmx

Event Record #/Type98657 / Error
Event Submitted/Written: 02/18/2008 03:01:52 PM
Event ID/Source: 100 / vmauthd
Event Description:
Cannot connect to VMX: C:\Documents and Settings\Leif\Mina dokument\My Virtual Machines\Windows XP Professional\Windows XP Professional.vmx

Event Record #/Type98468 / Error
Event Submitted/Written: 02/17/2008 11:38:20 PM
Event ID/Source: 1000 / Application Error
Event Description:
Felaktigt program iexplore.exe, version 7.0.6000.16608, felaktig modul lxylfuna.dll, version 0.0.0.0, felaktig adress 0x00002c1b.
Mediespecifik händelse behandlas för [iexplore.exe!ws!]



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type134440 / Error
Event Submitted/Written: 02/20/2008 00:43:30 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
Tjänsten Application Layer Gateway Service kunde inte startas på grund av följande fel: 
%%1053

Event Record #/Type134439 / Error
Event Submitted/Written: 02/20/2008 00:43:30 PM
Event ID/Source: 7009 / Service Control Manager
Event Description:
En timeout (30000 ms) inträffade vid väntan på att tjänsten Application Layer Gateway Service ska ansluta.

Event Record #/Type134430 / Error
Event Submitted/Written: 02/20/2008 00:42:33 PM
Event ID/Source: 7026 / Service Control Manager
Event Description:
Följande start- eller systemstartdrivrutin(er) avbröts på grund av fel under start: 
vsdatant

Event Record #/Type134429 / Error
Event Submitted/Written: 02/20/2008 00:42:33 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
Tjänsten VMware Authorization Service kunde inte startas på grund av följande fel: 
%%1053

Event Record #/Type134428 / Error
Event Submitted/Written: 02/20/2008 00:42:33 PM
Event ID/Source: 7009 / Service Control Manager
Event Description:
En timeout (30000 ms) inträffade vid väntan på att tjänsten VMware Authorization Service ska ansluta.



-- End of Deckard's System Scanner: finished at 2008-02-20 14:33:50 ------------

Now what?

Extra Info
Remeber that my infected computer is disconnected from Internet.
Files and information is transfered with a memorystick
It will be disconnected until this is solved

#5
kahdah

Posted 20 February 2008 - 07:58 AM

GeekU Teacher

Retired Staff
15,822 posts

Please download the OTMoveIt2 by OldTimer.

Save it to your desktop.
Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")

Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

C:\WINDOWS\system32\koxhtnau.dll
C:\Program\Helper
C:\839718926
C:\WINDOWS\system32\jkghje.dll
C:\wpohl.exe
C:\WINDOWS\TEMP\AE2309FF.exe
C:\WINDOWS\system32\pmnlk.dll

Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.
Click the red Moveit! button.
A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
Close OTMoveIt2

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
====================================
Please post the log and a new Hijackthis log plese.

#6
heir

Posted 20 February 2008 - 08:23 AM

Trusted Helper

Topic Starter
Malware Removal
5,427 posts

Here are the results

From OTMoveIt2
DllUnregisterServer procedure not found in C:\WINDOWS\system32\koxhtnau.dll
C:\WINDOWS\system32\koxhtnau.dll NOT unregistered.
C:\WINDOWS\system32\koxhtnau.dll moved successfully.
C:\Program\Helper moved successfully.
C:\839718926 moved successfully.
File/Folder C:\WINDOWS\system32\jkghje.dll not found.
C:\wpohl.exe moved successfully.
File/Folder C:\WINDOWS\TEMP\AE2309FF.exe not found.
File/Folder C:\WINDOWS\system32\pmnlk.dll not found.

OTMoveIt2 v1.0.20 log created on 02202008_151350

From HiJackThis
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:18:43, on 2008-02-20
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\Delade filer\Symantec Shared\ccSvcHst.exe
C:\Program\Delade filer\Symantec Shared\ccProxy.exe
C:\Program\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Acer\eManager\anbmServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program\Delade filer\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\PGPserv.exe
c:\Program\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program\Delade filer\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\acer\epm\epm-dm.exe
C:\Program\Synaptics\SynTP\SynTPLpr.exe
C:\Program\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program\D-Tools\daemon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program\Launch Manager\QtZgAcer.EXE
C:\Program\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program\Delade filer\Teleca Shared\CapabilityManager.exe
C:\Program\Google\Google Talk\googletalk.exe
C:\Program\HP\HP Software Update\HPWuSchd2.exe
C:\Program\VMware\VMware Workstation\vmware-tray.exe
C:\Program\VMware\VMware Workstation\hqtray.exe
C:\Program\Delade filer\Symantec Shared\ccSvcHst.exe
C:\Program\Java\jre1.6.0_03\bin\jusched.exe
C:\Program\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\TEMP\AE2309FF.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program\Delade filer\Teleca Shared\Generic.exe
C:\Program\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe
C:\Program\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\system32\msiexec.exe
D:\DOWNLOAD\HiJackThis\Leif.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=proxy1.telia.com:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = login1.telia.com;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {23D44BCF-AA7A-41D6-8905-E808F16322EF} - (no file)
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program\Delade filer\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program\DELADE~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: {3898f401-1162-406b-ff24-07e218c74308} - {80347c81-2e70-42ff-b604-2611104f8983} - C:\WINDOWS\system32\verfygye.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program\Delade filer\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {A79B56E4-47DE-4069-BF75-A7773B66A05F} - (no file)
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Visa Norton-verktygsfältet - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program\Delade filer\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [epm-dm] c:\acer\epm\epm-dm.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RemoteControl] C:\Program\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [Genväg till egenskapssida för High Definition Audio] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [ePowerManagement] C:\Acer\ePM\ePM.exe boot
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ATIPTA] C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LManager] C:\Program\Launch Manager\QtZgAcer.EXE
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [googletalk] C:\Program\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [HP Software Update] C:\Program\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program\Delade filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [vmware-tray] C:\Program\VMware\VMware Workstation\vmware-tray.exe
O4 - HKLM\..\Run: [VMware hqtray] "C:\Program\VMware\VMware Workstation\hqtray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [2gb4i3hn] C:\WINDOWS\TEMP\AE2309FF.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJÄNST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Snabbstarta.lnk = C:\Program\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Program\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Genväg till Bginfo.lnk = D:\DOWNLOAD\Sysinternals\BgInfo\Bginfo.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Blogga detta - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blogga detta i Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - https://components.v...ti.com/regal20/
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1126514623906
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://e-learning.ni...tsweb/msrdp.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: Apache2.2 - Apache Software Foundation - C:\Program\Apache Software Foundation\Apache2.2\bin\httpd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Automatisk LiveUpdate-schemaläggare - Symantec Corporation - C:\Program\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccSvcHst.exe
O23 - Service: MySQL - Unknown owner - C:\Program\MySQL\MySQL.exe (file missing)
O23 - Service: PGPserv - PGP Corporation - C:\WINDOWS\system32\PGPserv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program\WinPcap\rpcapd.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program\DELADE~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: VMware Agent Service (ufad-ws60) - VMware, Inc. - C:\Program\VMware\VMware Workstation\vmware-ufad.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program\Delade filer\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe

--
End of file - 13906 bytes

Now what?

Edited by kahdah, 20 February 2008 - 08:28 AM.

#7
kahdah

Posted 20 February 2008 - 08:32 AM

GeekU Teacher

Retired Staff
15,822 posts

Please re-open Hijackthis and click on "Do a system scan only"
Then place a check mark next to these entries below:

O2 - BHO: (no name) - {23D44BCF-AA7A-41D6-8905-E808F16322EF} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: {3898f401-1162-406b-ff24-07e218c74308} - {80347c81-2e70-42ff-b604-2611104f8983} - C:\WINDOWS\system32\verfygye.dll (file missing)
O4 - HKLM\..\Run: [2gb4i3hn] C:\WINDOWS\TEMP\AE2309FF.exe
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - https://components.v...ti.com/regal20/

Now click on Fix Checked and then close Hijackthis.

====================================
Please open up Notepad and copy all of the items in the code box below.
Change the "Save As Type" to "All Files". Save it as fixthis.reg on your Desktop.

REGEDIT4

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00

Now double-click fixthis.reg.
A window will come up asking if you want to let it merge with the registry.
Click yes.
================================================
Please do an online scan with Kaspersky WebScanner
(This scanner is for use with internet explorer only)
Click on "Accept"

You will be promted to install an ActiveX component from Kaspersky, Click Yes.

The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make that the following are selected:
- Scan using the following Anti-Virus database:
Extended (if available otherwise Standard)
- Scan Options:
Scan Archives
Scan Mail Bases
Click OK
Now under select a target to scan:Select My Computer
This will program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
- Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information in your next post.

#8
heir

Posted 20 February 2008 - 02:19 PM

Trusted Helper

Topic Starter
Malware Removal
5,427 posts

Well then I'll connect the computer to Internat again and scan it.

Still infected

Here is the log from Kaspersky webscanner scan

-------------------------------------------------------------------------------
 KASPERSKY ONLINE SCANNER REPORT
 Wednesday, February 20, 2008 9:15:01 PM
 Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
 Kaspersky Online Scanner version: 5.0.98.0
 Kaspersky Anti-Virus database last update: 20/02/2008
 Kaspersky Anti-Virus database records: 573587
-------------------------------------------------------------------------------

Scan Settings:
	Scan using the following antivirus database: extended
	Scan Archives: true
	Scan Mail Bases: true

Scan Target - My Computer:
	C:\
	D:\
	E:\
	F:\
	G:\
	Z:\

Scan Statistics:
	Total number of scanned objects: 186078
	Number of viruses found: 5
	Number of infected objects: 44
	Number of suspicious objects: 0
	Duration of the scan process: 04:56:49

Infected Object Name / Virus Name / Last Action
C:\WINDOWS\system32\config\system.LOG	Object is locked	skipped
C:\WINDOWS\system32\config\software.LOG	Object is locked	skipped
C:\WINDOWS\system32\config\default.LOG	Object is locked	skipped
C:\WINDOWS\system32\config\SAM.LOG	Object is locked	skipped
C:\WINDOWS\system32\config\SECURITY.LOG	Object is locked	skipped
C:\WINDOWS\system32\config\SysEvent.Evt	Object is locked	skipped
C:\WINDOWS\system32\config\AppEvent.Evt	Object is locked	skipped
C:\WINDOWS\system32\config\SecEvent.Evt	Object is locked	skipped
C:\WINDOWS\system32\config\DEFAULT	Object is locked	skipped
C:\WINDOWS\system32\config\SECURITY	Object is locked	skipped
C:\WINDOWS\system32\config\SOFTWARE	Object is locked	skipped
C:\WINDOWS\system32\config\SYSTEM	Object is locked	skipped
C:\WINDOWS\system32\config\SAM	Object is locked	skipped
C:\WINDOWS\system32\config\Internet.evt	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR	Object is locked	skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb	Object is locked	skipped
C:\WINDOWS\system32\CatRoot2\edb.log	Object is locked	skipped
C:\WINDOWS\system32\h323log.txt	Object is locked	skipped
C:\WINDOWS\Temp\JETB0E1.tmp	Object is locked	skipped
C:\WINDOWS\Temp\vmware-vmount.log	Object is locked	skipped
C:\WINDOWS\Debug\PASSWD.LOG	Object is locked	skipped
C:\WINDOWS\Sti_Trace.log	Object is locked	skipped
C:\WINDOWS\wiaservc.log	Object is locked	skipped
C:\WINDOWS\wiadebug.log	Object is locked	skipped
C:\WINDOWS\WindowsUpdate.log	Object is locked	skipped
C:\WINDOWS\SchedLgU.Txt	Object is locked	skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\VMware\vmnetdhcp.leases	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2008-02-20_Log.ALUSchedulerSvc.LiveUpdate	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\ccSubSDK\submissions.idx	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.DAT	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Confid.log	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Content.log	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\WebHist.log	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Privacy.log	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Restrict.log	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\volatile.DAT	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\{77611E6A-BB28-435B-96F9-99E9624AF4EA}.DAT	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\{6E018D72-1C51-41FF-BBB8-8156D030996D}.DAT	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\{C5519F69-83F3-48DA-937F-D79B2A9E82B6}.DAT	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtViEvt.log	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtNvEvt.log	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtMoEvt.log	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtScEvt.log	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtErEvt.log	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtTxFEvt.log	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\77E74BBC.TMP	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\BA27DD43.TMP	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPPolicy.log	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStart.log	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStop.log	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBValid.log	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBConfig.log	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBRefr.log	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBNotify.log	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg.log	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg2.log	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetUsr.log	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBStHash.log	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetLoc.log	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetDev.log	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDetect.log	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDebug.log	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\Shl_{E4B53E67-997B-4443-A971-0FBFE5854511}.sds	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\Shl_{E4B53E67-997B-4443-A971-0FBFE5854511}.ldb	Object is locked	skipped
C:\Documents and Settings\NetworkService\Lokala inställningar\Tidigare\History.IE5\index.dat	Object is locked	skipped
C:\Documents and Settings\NetworkService\Lokala inställningar\Temporary Internet Files\Content.IE5\index.dat	Object is locked	skipped
C:\Documents and Settings\NetworkService\Lokala inställningar\Application Data\Microsoft\Windows\UsrClass.dat.LOG	Object is locked	skipped
C:\Documents and Settings\NetworkService\Lokala inställningar\Application Data\Microsoft\Windows\UsrClass.dat	Object is locked	skipped
C:\Documents and Settings\NetworkService\Lokala inställningar\Temp\Perflib_Perfdata_c1c.dat	Object is locked	skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat	Object is locked	skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG	Object is locked	skipped
C:\Documents and Settings\NetworkService\ntuser.dat	Object is locked	skipped
C:\Documents and Settings\LocalService\Lokala inställningar\Tidigare\History.IE5\index.dat	Object is locked	skipped
C:\Documents and Settings\LocalService\Lokala inställningar\Temporary Internet Files\Content.IE5\index.dat	Object is locked	skipped
C:\Documents and Settings\LocalService\Lokala inställningar\Application Data\Microsoft\Windows\UsrClass.dat.LOG	Object is locked	skipped
C:\Documents and Settings\LocalService\Lokala inställningar\Application Data\Microsoft\Windows\UsrClass.dat	Object is locked	skipped
C:\Documents and Settings\LocalService\Cookies\index.dat	Object is locked	skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG	Object is locked	skipped
C:\Documents and Settings\LocalService\ntuser.dat	Object is locked	skipped
C:\Documents and Settings\Leif\ntuser.dat.LOG	Object is locked	skipped
C:\Documents and Settings\Leif\Lokala inställningar\Temp\Perflib_Perfdata_c78.dat	Object is locked	skipped
C:\Documents and Settings\Leif\Lokala inställningar\Temp\~DF695B.tmp	Object is locked	skipped
C:\Documents and Settings\Leif\Lokala inställningar\Temp\vmware-Leif\vmware-vix-Leif-3760.log	Object is locked	skipped
C:\Documents and Settings\Leif\Lokala inställningar\Tidigare\History.IE5\index.dat	Object is locked	skipped
C:\Documents and Settings\Leif\Lokala inställningar\Tidigare\History.IE5\MSHist012008022020080221\index.dat	Object is locked	skipped
C:\Documents and Settings\Leif\Lokala inställningar\Temporary Internet Files\Content.IE5\index.dat	Object is locked	skipped
C:\Documents and Settings\Leif\Lokala inställningar\Temporary Internet Files\Content.IE5\RC44RY9D\ptch[1]	Infected: not-a-virus:AdWare.Win32.Virtumonde.gen	skipped
C:\Documents and Settings\Leif\Lokala inställningar\Temporary Internet Files\Content.IE5\H61I2QDS\hctp[1]	Infected: not-a-virus:AdWare.Win32.Virtumonde.gen	skipped
C:\Documents and Settings\Leif\Lokala inställningar\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat	Object is locked	skipped
C:\Documents and Settings\Leif\Lokala inställningar\Application Data\Microsoft\Windows\UsrClass.dat.LOG	Object is locked	skipped
C:\Documents and Settings\Leif\Lokala inställningar\Application Data\Microsoft\Windows\UsrClass.dat	Object is locked	skipped
C:\Documents and Settings\Leif\Lokala inställningar\Application Data\ApplicationHistory\hpqimzone.exe.75ff6225.ini.inuse	Object is locked	skipped
C:\Documents and Settings\Leif\Lokala inställningar\Application Data\HP\Digital Imaging\db\CB_Server_Errors.txt	Object is locked	skipped
C:\Documents and Settings\Leif\Lokala inställningar\Application Data\HP\Digital Imaging\db\administrativeInfo.dbf	Object is locked	skipped
C:\Documents and Settings\Leif\Lokala inställningar\Application Data\HP\Digital Imaging\db\pathnameTable.dbf	Object is locked	skipped
C:\Documents and Settings\Leif\Lokala inställningar\Application Data\HP\Digital Imaging\db\pathnameTable.cdx	Object is locked	skipped
C:\Documents and Settings\Leif\Lokala inställningar\Application Data\HP\Digital Imaging\db\imageTable.dbf	Object is locked	skipped
C:\Documents and Settings\Leif\Lokala inställningar\Application Data\HP\Digital Imaging\db\imageTable.cdx	Object is locked	skipped
C:\Documents and Settings\Leif\Lokala inställningar\Application Data\HP\Digital Imaging\db\albumTable.dbf	Object is locked	skipped
C:\Documents and Settings\Leif\Lokala inställningar\Application Data\HP\Digital Imaging\db\albumTable.cdx	Object is locked	skipped
C:\Documents and Settings\Leif\Lokala inställningar\Application Data\HP\Digital Imaging\db\albumImagesTable.dbf	Object is locked	skipped
C:\Documents and Settings\Leif\Lokala inställningar\Application Data\HP\Digital Imaging\db\albumImagesTable.cdx	Object is locked	skipped
C:\Documents and Settings\Leif\Lokala inställningar\Application Data\HP\Digital Imaging\db\keywordTable.dbf	Object is locked	skipped
C:\Documents and Settings\Leif\Lokala inställningar\Application Data\HP\Digital Imaging\db\keywordTable.cdx	Object is locked	skipped
C:\Documents and Settings\Leif\Lokala inställningar\Application Data\HP\Digital Imaging\db\keywordImagesTable.dbf	Object is locked	skipped
C:\Documents and Settings\Leif\Lokala inställningar\Application Data\HP\Digital Imaging\db\keywordImagesTable.cdx	Object is locked	skipped
C:\Documents and Settings\Leif\Lokala inställningar\Application Data\HP\Digital Imaging\db\managedFolderTable.dbf	Object is locked	skipped
C:\Documents and Settings\Leif\Lokala inställningar\Application Data\HP\Digital Imaging\db\EXIFTable.dbf	Object is locked	skipped
C:\Documents and Settings\Leif\Lokala inställningar\Application Data\HP\Digital Imaging\db\EXIFTable.cdx	Object is locked	skipped
C:\Documents and Settings\Leif\Lokala inställningar\Application Data\HP\Digital Imaging\db\ROFTable.dbf	Object is locked	skipped
C:\Documents and Settings\Leif\Lokala inställningar\Application Data\HP\Digital Imaging\db\ROFTable.cdx	Object is locked	skipped
C:\Documents and Settings\Leif\Lokala inställningar\Application Data\HP\Digital Imaging\db\ROFImagesTable.dbf	Object is locked	skipped
C:\Documents and Settings\Leif\Lokala inställningar\Application Data\HP\Digital Imaging\db\ROFImagesTable.cdx	Object is locked	skipped
C:\Documents and Settings\Leif\Lokala inställningar\Application Data\HP\Digital Imaging\db\propertiesTable.dbf	Object is locked	skipped
C:\Documents and Settings\Leif\Lokala inställningar\Application Data\HP\Digital Imaging\db\propertiesTable.cdx	Object is locked	skipped
C:\Documents and Settings\Leif\Lokala inställningar\Application Data\HP\Digital Imaging\db\imageTable.fpt	Object is locked	skipped
C:\Documents and Settings\Leif\Cookies\index.dat	Object is locked	skipped
C:\Documents and Settings\Leif\Application Data\Symantec\NPMDataStore\CIMStore.xml	Object is locked	skipped
C:\Documents and Settings\Leif\Application Data\Teleca\Telecalib\Logging\Application logs\SpecificUSB_log.txt	Object is locked	skipped
C:\Documents and Settings\Leif\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SUPERANTISPYWARE.LOG	Object is locked	skipped
C:\Documents and Settings\Leif\ntuser.dat	Object is locked	skipped
C:\Program\Delade filer\Symantec Shared\VirusDefs\lulock.dat	Object is locked	skipped
C:\Program\Delade filer\Symantec Shared\EENGINE\EPERSIST.DAT	Object is locked	skipped
C:\Program\Delade filer\Symantec Shared\CCPD-LC\symlcrst.dll	Object is locked	skipped
C:\Program\Delade filer\Symantec Shared\NFWEVT.LOG	Object is locked	skipped
C:\Program\Delade filer\Symantec Shared\SNDSYS.log	Object is locked	skipped
C:\Program\Delade filer\Symantec Shared\SNDFW.log	Object is locked	skipped
C:\Program\Delade filer\Symantec Shared\SNDCON.log	Object is locked	skipped
C:\Program\Delade filer\Symantec Shared\SNDALRT.log	Object is locked	skipped
C:\Program\Delade filer\Symantec Shared\SNDIDS.log	Object is locked	skipped
C:\Program\Delade filer\Symantec Shared\SNDDBG.log	Object is locked	skipped
C:\Program\Delade filer\Symantec Shared\AntiSpam\Log\Spam.log	Object is locked	skipped
C:\Program\Norton Internet Security\Norton AntiVirus\AVVirus.log	Object is locked	skipped
C:\Program\Norton Internet Security\Norton AntiVirus\AVApp.log	Object is locked	skipped
C:\Program\Norton Internet Security\Norton AntiVirus\AVError.log	Object is locked	skipped
C:\Program\RealVNC\VNC4\winvnc4.exe	Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4	skipped
C:\Program\RealVNC\VNC4\vncconfig.exe	Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4	skipped
C:\Program\RealVNC\VNC4\wm_hooks.dll	Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4	skipped
C:\Program\RealVNC\VNC4\vncviewer.exe	Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4	skipped
C:\Program\Microsoft SQL Server\MSSQL.1\MSSQL\LOG\ERRORLOG	Object is locked	skipped
C:\Program\Microsoft SQL Server\MSSQL.1\MSSQL\LOG\log_73.trc	Object is locked	skipped
C:\Program\Microsoft SQL Server\MSSQL.1\MSSQL\Data\master.mdf	Object is locked	skipped
C:\Program\Microsoft SQL Server\MSSQL.1\MSSQL\Data\mastlog.ldf	Object is locked	skipped
C:\Program\Microsoft SQL Server\MSSQL.1\MSSQL\Data\msdbdata.mdf	Object is locked	skipped
C:\Program\Microsoft SQL Server\MSSQL.1\MSSQL\Data\msdblog.ldf	Object is locked	skipped
C:\Program\Microsoft SQL Server\MSSQL.1\MSSQL\Data\model.mdf	Object is locked	skipped
C:\Program\Microsoft SQL Server\MSSQL.1\MSSQL\Data\modellog.ldf	Object is locked	skipped
C:\Program\Microsoft SQL Server\MSSQL.1\MSSQL\Data\tempdb.mdf	Object is locked	skipped
C:\Program\Microsoft SQL Server\MSSQL.1\MSSQL\Data\templog.ldf	Object is locked	skipped
C:\System Volume Information\_restore{A763B439-B4AF-4608-B441-E9D5A087246F}\RP3\A0000058.dll	Infected: not-a-virus:AdWare.Win32.E404.f	skipped
C:\System Volume Information\_restore{A763B439-B4AF-4608-B441-E9D5A087246F}\RP3\A0000062.DLL	Infected: not-a-virus:AdWare.Win32.Virtumonde.gen	skipped
C:\System Volume Information\_restore{A763B439-B4AF-4608-B441-E9D5A087246F}\RP3\A0000064.dll	Infected: not-a-virus:AdWare.Win32.Virtumonde.gen	skipped
C:\System Volume Information\_restore{A763B439-B4AF-4608-B441-E9D5A087246F}\RP3\A0000119.dll	Infected: not-a-virus:AdWare.Win32.Virtumonde.gen	skipped
C:\System Volume Information\_restore{A763B439-B4AF-4608-B441-E9D5A087246F}\RP3\A0000121.dll	Infected: not-a-virus:AdWare.Win32.Virtumonde.gen	skipped
C:\System Volume Information\_restore{A763B439-B4AF-4608-B441-E9D5A087246F}\RP3\A0000122.dll	Infected: not-a-virus:AdWare.Win32.Virtumonde.gen	skipped
C:\System Volume Information\_restore{A763B439-B4AF-4608-B441-E9D5A087246F}\RP4\change.log	Object is locked	skipped
C:\VundoFix Backups\iumxcanb.dll.bad	Infected: not-a-virus:AdWare.Win32.Virtumonde.gen	skipped
C:\VundoFix Backups\lxylfuna.dll.bad	Infected: not-a-virus:AdWare.Win32.Virtumonde.gen	skipped
C:\VundoFix Backups\uevyxyor.dll.bad	Infected: not-a-virus:AdWare.Win32.Virtumonde.gen	skipped
C:\VundoFix Backups\htkuuyxl.dll.bad	Infected: not-a-virus:AdWare.Win32.Virtumonde.gen	skipped
C:\VundoFix Backups\skaboxtd.dll.bad	Infected: not-a-virus:AdWare.Win32.Virtumonde.gen	skipped
C:\VundoFix Backups\verfygye.dll.bad	Infected: not-a-virus:AdWare.Win32.Virtumonde.gen	skipped
C:\_OTMoveIt\MovedFiles\02202008_151350\WINDOWS\system32\koxhtnau.dll	Infected: not-a-virus:AdWare.Win32.Virtumonde.gen	skipped
C:\_OTMoveIt\MovedFiles\02202008_151350\wpohl.exe	Infected: Trojan.Win32.Inject.wc	skipped
D:\DOWNLOAD\DMZ\2006-12\networking_all.zip/networking/vnc412x86win32.exe/file1	Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4	skipped
D:\DOWNLOAD\DMZ\2006-12\networking_all.zip/networking/vnc412x86win32.exe/file2	Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4	skipped
D:\DOWNLOAD\DMZ\2006-12\networking_all.zip/networking/vnc412x86win32.exe/file3	Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4	skipped
D:\DOWNLOAD\DMZ\2006-12\networking_all.zip/networking/vnc412x86win32.exe/file5	Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4	skipped
D:\DOWNLOAD\DMZ\2006-12\networking_all.zip/networking/vnc412x86win32.exe	Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4	skipped
D:\DOWNLOAD\DMZ\2006-12\networking_all.zip	ZIP: infected - 5	skipped
D:\DOWNLOAD\VNC\vnc-4_1_2-x86_win32.exe/file1	Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4	skipped
D:\DOWNLOAD\VNC\vnc-4_1_2-x86_win32.exe/file2	Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4	skipped
D:\DOWNLOAD\VNC\vnc-4_1_2-x86_win32.exe/file3	Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4	skipped
D:\DOWNLOAD\VNC\vnc-4_1_2-x86_win32.exe/file5	Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4	skipped
D:\DOWNLOAD\VNC\vnc-4_1_2-x86_win32.exe	Inno: infected - 4	skipped
D:\DOWNLOAD\VNC\vnc-4_1_2-x86_win32_viewer.exe	Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4	skipped
D:\System Volume Information\MountPointManagerRemoteDatabase	Object is locked	skipped
D:\System Volume Information\_restore{A763B439-B4AF-4608-B441-E9D5A087246F}\RP3\A0000087.exe	Infected: not-a-virus:RiskTool.Win32.Reboot.f	skipped
D:\System Volume Information\_restore{A763B439-B4AF-4608-B441-E9D5A087246F}\RP4\change.log	Object is locked	skipped
G:\VNC\vnc-4_1_2-x86_win32.exe/file1	Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4	skipped
G:\VNC\vnc-4_1_2-x86_win32.exe/file2	Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4	skipped
G:\VNC\vnc-4_1_2-x86_win32.exe/file3	Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4	skipped
G:\VNC\vnc-4_1_2-x86_win32.exe/file5	Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4	skipped
G:\VNC\vnc-4_1_2-x86_win32.exe	Inno: infected - 4	skipped
G:\VNC\vnc-4_1_2-x86_win32_viewer.exe	Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4	skipped
G:\vnc-4_1_2-x86_win32.exe/file1	Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4	skipped
G:\vnc-4_1_2-x86_win32.exe/file2	Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4	skipped
G:\vnc-4_1_2-x86_win32.exe/file3	Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4	skipped
G:\vnc-4_1_2-x86_win32.exe/file5	Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4	skipped
G:\vnc-4_1_2-x86_win32.exe	Inno: infected - 4	skipped

Scan process completed.

Now what?

#9
kahdah

Posted 20 February 2008 - 05:23 PM

GeekU Teacher

Retired Staff
15,822 posts

All of these entries are not malware>C:\Program\RealVNC\VNC4\winvnc4.exe Infected:
ANything having to do with VNC is not malware.
These are false positives.

THe rest is in your system restore points that we will clean in a bit.
ANd some in your temporary files.
=========================
Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 onlyDouble-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.
================================================================
After that delete this folder >D:\GUIDE\SmitfraudFix.zip

==========================
Cleanup::

Make sure you have an Internet Connection.
Double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
Click on the CleanUp! button
A list of tool components used in the Cleanup of malware will be downloaded.
If your Firewall or Real Time protection attempts to block OtMoveit2 to rech the Internet, please allow the application to do so.
Click Yes to begin the Cleanup process and remove these components, including this application.
You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.

=============================
Then I will need you to reset your System Restore points, please note that you will need to log into your computer with an account which has full administrator access.
You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(Windows XP)
1. Turn off System Restore.
Click on *Start
Right-click *My Computer
Click *Properties
Click the *System Restore tab
Check *Turn off System Restore
Click *Apply, and then click *OK.

2. Reboot.

3. Turn ON System Restore.
Click on *Start
Right-click *My Computer
Click *Properties
*UN-Check *Turn off System Restore*
Check *Turn on System Restore
Click *Apply, and then click *OK.

How to Turn On and Turn Off System Restore in Windows XP
http://support.micro...kb;en-us;310405
=========================================
After that Your log is clean.

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein ->Here

#10
heir

Posted 21 February 2008 - 01:57 AM

Trusted Helper

Topic Starter
Malware Removal
5,427 posts

Thanks!

So my computer is clean now?

I almost understood every step but could you give me a short explanation to these steps.

Why was the following enries from HiJackThis fixed?

O2 - BHO: (no name) - {23D44BCF-AA7A-41D6-8905-E808F16322EF} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: {3898f401-1162-406b-ff24-07e218c74308} - {80347c81-2e70-42ff-b604-2611104f8983} - C:\WINDOWS\system32\verfygye.dll (file missing)
O4 - HKLM\..\Run: [2gb4i3hn] C:\WINDOWS\TEMP\AE2309FF.exe
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - https://components.v...ti.com/regal20/

And why for example not this one

O2 - BHO: (no name) - {A79B56E4-47DE-4069-BF75-A7773B66A05F} - (no file)

Why the following change in the registry?

REGEDIT4

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00

Here comes a new log from HiJackThis.
Can you check it and verify that my computer is clean now?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:45:35, on 2008-02-21
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\Delade filer\Symantec Shared\ccSvcHst.exe
C:\Program\Delade filer\Symantec Shared\ccProxy.exe
C:\Program\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Acer\eManager\anbmServ.exe
C:\Program\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program\Delade filer\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\PGPserv.exe
C:\WINDOWS\system32\HPZipm12.exe
c:\Program\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program\Delade filer\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\Program\VMware\VMware Workstation\vmware-authd.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\acer\epm\epm-dm.exe
C:\Program\Synaptics\SynTP\SynTPLpr.exe
C:\Program\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program\D-Tools\daemon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program\Launch Manager\QtZgAcer.EXE
C:\Program\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program\Google\Google Talk\googletalk.exe
C:\Program\HP\HP Software Update\HPWuSchd2.exe
C:\Program\VMware\VMware Workstation\vmware-tray.exe
C:\Program\Delade filer\Symantec Shared\ccSvcHst.exe
C:\Program\VMware\VMware Workstation\hqtray.exe
C:\Program\Java\jre1.6.0_03\bin\jusched.exe
C:\Program\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe
C:\Program\Delade filer\Teleca Shared\CapabilityManager.exe
C:\Program\Delade filer\Teleca Shared\Generic.exe
C:\Program\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\WINDOWS\system32\HPZinw12.exe
C:\Program\Internet Explorer\iexplore.exe
C:\Program\Delade filer\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program\Symantec\LiveUpdate\ALuNotify.exe
D:\DOWNLOAD\HiJackThis\Leif.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=proxy1.telia.com:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = login1.telia.com;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program\Delade filer\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program\DELADE~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program\Delade filer\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {A79B56E4-47DE-4069-BF75-A7773B66A05F} - (no file)
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Visa Norton-verktygsfältet - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program\Delade filer\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [epm-dm] c:\acer\epm\epm-dm.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RemoteControl] C:\Program\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [Genväg till egenskapssida för High Definition Audio] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [ePowerManagement] C:\Acer\ePM\ePM.exe boot
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program\D-Tools\daemon.exe"  -lang 1033
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ATIPTA] C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LManager] C:\Program\Launch Manager\QtZgAcer.EXE
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [googletalk] C:\Program\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [HP Software Update] C:\Program\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program\Delade filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [vmware-tray] C:\Program\VMware\VMware Workstation\vmware-tray.exe
O4 - HKLM\..\Run: [VMware hqtray] "C:\Program\VMware\VMware Workstation\hqtray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [ALUAlert] C:\Program\Symantec\LiveUpdate\ALuNotify.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJÄNST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Snabbstarta.lnk = C:\Program\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Program\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Genväg till Bginfo.lnk = D:\DOWNLOAD\Sysinternals\BgInfo\Bginfo.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Blogga detta - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blogga detta i Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1126514623906
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://e-learning.nil.si/tsweb/msrdp.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: Apache2.2 - Apache Software Foundation - C:\Program\Apache Software Foundation\Apache2.2\bin\httpd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Automatisk LiveUpdate-schemaläggare - Symantec Corporation - C:\Program\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccSvcHst.exe
O23 - Service: MySQL - Unknown owner - C:\Program\MySQL\MySQL.exe (file missing)
O23 - Service: PGPserv - PGP Corporation - C:\WINDOWS\system32\PGPserv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program\WinPcap\rpcapd.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program\DELADE~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: VMware Agent Service (ufad-ws60) - VMware, Inc. - C:\Program\VMware\VMware Workstation\vmware-ufad.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program\Delade filer\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe

--
End of file - 13748 bytes

Even though it might not show I konw a lot about computers and networks.
It's just that when it comes to cleaning an infected computer i'm not so confident that I dare to do it without help from some one like you.
But I always tries to learn.

With that knowledge can you please give me some answers that I hopefuly can understand?

And many thanhs again

Leif

#11
kahdah

Posted 21 February 2008 - 03:25 AM

GeekU Teacher

Retired Staff
15,822 posts

Why was the following enries from HiJackThis fixed?

O2 - BHO: (no name) - {23D44BCF-AA7A-41D6-8905-E808F16322EF} - (no file)

Empty entry

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

Empty entry

O2 - BHO: {3898f401-1162-406b-ff24-07e218c74308} - {80347c81-2e70-42ff-b604-2611104f8983} - C:\WINDOWS\system32\verfygye.dll (file missing)

Empty malware strtup registry key

O4 - HKLM\..\Run: [2gb4i3hn] C:\WINDOWS\TEMP\AE2309FF.exe

Empty malware strtup registry key

O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - https://components.viewpoint.com/MTSInstall...ti.com/regal20/

Viewpoint is adware

And why for example not this one

O2 - BHO: (no name) - {A79B56E4-47DE-4069-BF75-A7773B66A05F} - (no file)

this one I missed and can be fixed

Why the following change in the registry?
REGEDIT4

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00

This is a common Hijacking point used by Vundo.
It overwrites a legit value there fore it needs to be set to defualt in the registry.
Improper setting of this value can cause the computer to ask for a password even though there is none set.

Hope that helps and yes you are still clean.

#12
heir

Posted 22 February 2008 - 01:45 AM

Trusted Helper

Topic Starter
Malware Removal
5,427 posts

Thanks for the answers. Perfectly understandable

What a relief that my comp is clean.

I don't like to give out my credit card information on the Internet not even Paypal.
So I'm sorry there won't be any donation from me.

I will instead warmly recommend my friends to use your service and maybe they will donate to the fight.

In fact I´ve already given a recommendation to my neighbor, and he has a lot of unwanted stuff in his computer.
I´ve promised to help him get started with the pre-post guide.

He will be known as AndersB here.

Many thanks again

PS
In my oppinion this topic is RESOLVED and can be CLOSED but I don't know how to mark my topic.
DS

Edited by LeifG, 22 February 2008 - 01:48 AM.

#13
kahdah

Posted 22 February 2008 - 03:38 AM

GeekU Teacher

Retired Staff
15,822 posts

You are welcome

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If your the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.

#14
kahdah

Posted 22 February 2008 - 03:39 AM

GeekU Teacher

Retired Staff
15,822 posts

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.