40 replies to this topic

[yeka]

my computer catched something called Nimda, it appeard like an own administration account where i log in with my own account, so i scanned the computer adn your program found infections and told me to restart so it could remove the infections. Then when i was going to log in again my account had disappeared and there was only nimda. then i found a way to log in with my own account, i pressed ctrl+alt+del and could log in the other way. however, then i did a new scan and this time the scanner couldn't find any infections. But the nimda is obviously still in my computer.. i'm sending you anti malware and hijackthis log

this is the latest log from Malwarebytes' Anti-Malware:

Malwarebytes' Anti-Malware 1.33
Databasversion: 1674
Windows 5.1.2600 Service Pack 3

2009-01-21 19:37:14
mbam-log-2009-01-21 (19-37-14).txt

Skanningstyp: Snabb skanning
Antal skannade objekt: 60342
Förfluten tid: 8 minute(s), 7 second(s)

Infekterade minnesprocesser: 0
Infekterade minnesmoduler: 0
Infekterade registernycklar: 0
Infekterade registervärden: 0
Infekterade registerdataposter: 0
Infekterade mappar: 0
Infekterade filer: 0

Infekterade minnesprocesser:
(Inga illasinnade poster hittades)

Infekterade minnesmoduler:
(Inga illasinnade poster hittades)

Infekterade registernycklar:
(Inga illasinnade poster hittades)

Infekterade registervärden:
(Inga illasinnade poster hittades)

Infekterade registerdataposter:
(Inga illasinnade poster hittades)

Infekterade mappar:
(Inga illasinnade poster hittades)

Infekterade filer:
(Inga illasinnade poster hittades)







HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:53:07, on 2009-01-21
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Norman\Npm\bin\ELOGSVC.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Norman\Npm\Bin\Zanda.exe
C:\Norman\npm\bin\nvoy.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\msdtc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Norman\Npm\Bin\Njeeves.exe
C:\Norman\Npm\Bin\Nvcsched.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\Norman\nse\bin\NSESVC.EXE
C:\Norman\Nvc\bin\nvcoas.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Norman\Npm\Bin\ZLH.EXE
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Norman\Nvc\Bin\Nip.exe
C:\Norman\Nvc\Bin\cclaw.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Winamp\winamp.exe
C:\WINDOWS\system32\SNDVOL32.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /nodetect
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [Reminder] C:\Windows\CREATOR\Remind_XP.exe
O4 - HKLM\..\Run: [Norman ZANDA] "C:\Norman\Npm\Bin\ZLH.EXE" /LOAD /SPLASH
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJÄNST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Photosmart Premier Snabbstart.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Skicka till OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Ski&cka till OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=SV_SE&c=64&bd=pavilion&pf=laptop
O16 - DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} (Infotl Control) - http://site.ebrary.com.till.biblextern.sh....s/ebraryRdr.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - AppInit_DLLs: karna.dat
O20 - Winlogon Notify: 2f0a6d8c382 - C:\WINDOWS\system32\__c001CAA2.dat (file missing)
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Automatisk LiveUpdate-schemaläggare - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: Norman eLogger service 6 (eLoggerSvc6) - Norman ASA - C:\Norman\Npm\bin\ELOGSVC.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Norman NJeeves - Norman ASA - C:\Norman\Npm\Bin\Njeeves.exe
O23 - Service: Norman ZANDA - Norman ASA - C:\Norman\Npm\Bin\Zanda.exe
O23 - Service: Norman Scanner Engine Service (nsesvc) - Norman ASA - C:\Norman\nse\bin\NSESVC.EXE
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Norman\Nvc\bin\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman ASA - C:\Norman\Npm\Bin\Nvcsched.exe
O23 - Service: Norman's Very Own supplY of resources (NVOY) - Norman ASA - C:\Norman\npm\bin\nvoy.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 9805 bytes

[AdvancedSetup]

[indent]Please visit this webpage for instructions for downloading ComboFix to your DESKTOP : how-to-use-combofix
Please ensure you read this guide carefully and install the Recovery Console first.
NOTE!!: You must save and run ComboFix.exe on your DESKTOP and not from any other folder.
Also, DO NOT click the mouse or launch any other applications while this is running or it may stall the program

Additional links to download the tool:
ComboFix.exe
ComboFix.exe
ComboFix.exe


Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

• Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  
• Click Yes to allow ComboFix to continue scanning for malware.
  
• When the tool is finished, it will produce a report for you.
  
• Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.

[/indent]




Please download Lop S&D
Double-click on Lop S&D.exe
Choose the language, then choose Option 1 (Search)
Wait till the end of the scan
Post the log which is created: (%SystemDrive%\lopR.txt), typcially C:\lopR.txt

[yeka]

i'm going to send 3 logs to you, one is the log where MBAM found infections (after that time no infections been found), and i'm also posting the logs you asked for, the one from combofix and Lop s&d. I've been getting help from a swedish forum also, i'll post the link to the thread so you can see what i've done so far if you like. http://eforum.idg.se...triesId=1116881

Malwarebytes' Anti-Malware 1.33
Databasversion: 1674
Windows 5.1.2600 Service Pack 3

2009-01-21 16:58:27
mbam-log-2009-01-21 (16-58-27).txt

Skanningstyp: Snabb skanning
Antal skannade objekt: 60797
Förfluten tid: 9 minute(s), 36 second(s)

Infekterade minnesprocesser: 0
Infekterade minnesmoduler: 0
Infekterade registernycklar: 0
Infekterade registervärden: 0
Infekterade registerdataposter: 3
Infekterade mappar: 1
Infekterade filer: 4

Infekterade minnesprocesser:
(Inga illasinnade poster hittades)

Infekterade minnesmoduler:
(Inga illasinnade poster hittades)

Infekterade registernycklar:
(Inga illasinnade poster hittades)

Infekterade registervärden:
(Inga illasinnade poster hittades)

Infekterade registerdataposter:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\wsnpoema.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\wsnpoema.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wsnpoema.exe,) Good: (userinit.exe) -> Quarantined and deleted successfully.

Infekterade mappar:
C:\WINDOWS\system32\wsnpoema (Trojan.Agent) -> Delete on reboot.

Infekterade filer:
C:\WINDOWS\system32\wsnpoema\audio.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\wsnpoema\video.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\wsnpoema.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\~.exe (Trojan.Downloader) -> Quarantined and deleted successfully.



ComboFix 09-01-21.04 - Administrator 2009-01-22 20:37:42.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.991.503 [GMT 1:00]
Körs från: c:\documents and settings\Administrator\Skrivbord\ComboFix.exe
AV: Norman Security Suite ver. 7.00 *On-access scanning disabled* (Updated)
* Skapade en ny återställningspunkt
.

((((((((((((((((((((((((((((((((((((((( Andra raderingar ))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\Application Data\02000000db2c0edfC.manifest
c:\documents and settings\Administrator\Application Data\02000000db2c0edfO.manifest
c:\documents and settings\Administrator\Application Data\02000000db2c0edfP.manifest
c:\documents and settings\Administrator\Application Data\02000000db2c0edfR.manifest
c:\documents and settings\Administrator\Application Data\02000000db2c0edfS.manifest
c:\windows\system32\TDSSosvd.dat
C:\xcrashdump.dat
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivrutiner/Tjänster )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV
-------\Service_TDSSserv


(((((((((((((((((((((((( Filer Skapade från 2008-12-22 till 2009-01-22 ))))))))))))))))))))))))))))))
.

2009-01-22 00:36 . 2009-01-22 00:36 <DIR> d-------- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-01-21 18:59 . 2009-01-21 18:59 <DIR> d-------- c:\program files\Trend Micro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Rapport )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-22 19:35 --------- d-----w c:\program files\Google
2009-01-21 23:38 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-01-21 15:48 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-01-18 13:30 --------- d-----w c:\program files\DC++
2009-01-14 22:04 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-01-14 15:11 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-14 15:11 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-01-11 19:27 --------- d-----w c:\documents and settings\Administrator\Application Data\uTorrent
2009-01-11 16:53 --------- d-----w c:\documents and settings\Administrator\Application Data\Canon
2008-12-15 19:40 --------- d-----w c:\program files\Java
2008-12-14 03:45 --------- d-----w c:\documents and settings\Administrator\Application Data\dvdcss
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-10-20 19:21 19,108 ----a-w c:\documents and settings\Administrator\Application Data\nonesono.com
2008-10-20 19:21 18,080 ----a-w c:\program files\Common Files\sytivyp.bat
2008-10-20 19:21 17,401 ----a-w c:\program files\Common Files\byquciqo.vbs
2008-10-20 19:21 15,072 ----a-w c:\program files\Common Files\dylikiwo.com
2008-10-20 19:21 13,921 ----a-w c:\documents and settings\Administrator\Application Data\vebaxe.dat
2008-10-20 19:21 12,224 ----a-w c:\program files\Common Files\melonyp.inf
2006-11-30 22:08 0 -c--a-w c:\documents and settings\Administrator\Application Data\wklnhst.dat
2008-10-21 13:53 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008102120081022\index.dat
.

(((((((((((((((((((((((((((((((((( Startpunkter i registret )))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Not* Tomma poster & legitima standardposter visas inte.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2006-11-12 157592]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-22 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-05-03 458752]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-15 136600]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-18 7585792]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-08-18 86016]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-04-01 761946]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2006-07-11 102400]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-16 49152]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-06-19 163840]
"Cpqset"="c:\program files\Hewlett-Packard\Default Settings\cpqset.exe" [2006-05-30 40960]
"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
"Reminder"="c:\windows\CREATOR\Remind_XP.exe" [2006-02-09 643072]
"Norman ZANDA"="c:\norman\Npm\Bin\ZLH.EXE" [2008-06-02 277616]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-09-30 155648]
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-03-21 69632]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-02-16 282624]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"nwiz"="nwiz.exe" [2006-08-18 c:\windows\system32\nwiz.exe]
"MsmqIntCert"="mqrt.dll" [2008-04-14 c:\windows\system32\mqrt.dll]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-06-02 c:\windows\system32\CHDAudPropShortcut.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
HP Photosmart Premier Snabbstart.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-09-24 73728]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"c:\\Program Files\\uTorrent\\utorrent.exe"=
"c:\\Program Files\\DC++\\DCPlusPlus.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6081:TCP"= 6081:TCP:RPC

R3 nsesvc;Norman Scanner Engine Service;c:\norman\Nse\Bin\Nsesvc.exe [2005-12-31 322616]
R3 NVCScheduler;Norman Virus Control Scheduler;c:\norman\npm\bin\nvcsched.exe [2008-06-04 154680]
R4 Ndiskio;Ndiskio;c:\norman\Nse\Bin\Ndiskio.sys [2007-01-30 20448]
R4 NVOY;Norman's Very Own supplY of resources;c:\norman\npm\bin\nvoy.exe [2008-06-04 121912]
S3 5U870CAP_VID_1262&PID_25FD;HP Pavilion Webcam ;c:\windows\system32\drivers\5U870CAP.sys [2006-06-06 61952]
S3 nvcfsr;nvcfsr;c:\norman\NVC\Bin\Nvcfsr.sys [2007-01-30 6712]
S3 NvcMFlt;NvcMFlt;c:\windows\system32\drivers\nvcw32mf.sys [2007-05-02 19512]
S3 nvcoafl51;nvcoafl51;c:\norman\NVC\Bin\Nvcoafl51.sys [2007-01-30 30264]
S3 nvcoaft51;nvcoaft51;c:\norman\NVC\Bin\Nvcoaft51.sys [2007-01-30 129848]
S3 nvcoarc51;nvcoarc51;c:\norman\NVC\Bin\Nvcoarc51.sys [2007-01-30 23224]
S3 nvcoas;Norman Virus Control on-access component;c:\norman\NVC\Bin\Nvcoas.exe [2008-01-14 191544]
S4 Automatisk LiveUpdate-schemaläggare;Automatisk LiveUpdate-schemaläggare;"c:\program files\Symantec\LiveUpdate\ALUSchedulerSvc.exe" --> c:\program files\Symantec\LiveUpdate\ALUSchedulerSvc.exe [?]

--- Övriga tjänster/drivrutiner i minnet ---

*NewlyCreated* - GUSVC
*Deregistered* - mchInjDrv

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{60ea1032-a731-11db-a8b6-001636a7765c}]
\Shell\AutoRun\command - F:\SETUP.EXE
\Shell\configure\command - F:\SETUP.EXE
\Shell\install\command - F:\SETUP.EXE
.
Innehållet i mappen 'Schemalagda aktiviteter':

2009-01-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-01-10 15:42]
.
- - - - FÖRÄLDRALÖSA POSTER SOM TAGITS BORT - - - -

SafeBoot-TDSSmqlt.sys


.
------- Extra genomsökning -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xportera till Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-22 20:52:37
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\Hewlett-Packard\Default Settings\cpqset.exe????????????<?@? ???H[??????Y?@?????<?@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Andra processer som körs ------------------------
.
c:\norman\npm\bin\elogsvc.exe
c:\norman\npm\bin\Zanda.exe
c:\windows\system32\msdtc.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\mqsvc.exe
c:\windows\system32\mqtgsvc.exe
c:\norman\npm\bin\Njeeves.exe
c:\windows\system32\dllhost.exe
c:\progra~1\HPQ\HPWIRE~1\HPWIRE~1.EXE
c:\progra~1\Java\jre6\bin\jusched.exe
c:\windows\system32\rundll32.exe
c:\progra~1\SYNAPT~1\SynTP\SynTPEnh.exe
c:\progra~1\HP\QUICKP~1\QPSERV~1.EXE
c:\progra~1\HP\HPSOFT~1\HPWUSC~1.EXE
c:\progra~1\HEWLET~1\HPQUIC~1\QLBCTRL.exe
c:\progra~1\ScanSoft\OMNIPA~1.0\OPWARE~1.EXE
c:\norman\NVC\Bin\Nip.exe
c:\progra~1\QUICKT~1\qttask.exe
c:\progra~1\MICROS~2\Office12\GROOVE~4.EXE
c:\windows\ehome\ehmsas.exe
c:\program files\HP\Digital Imaging\bin\hpqimzone.exe
.
**************************************************************************
.
Sluttid: 2009-01-22 20:55:44 - datorn startades om.
ComboFix-quarantined-files.txt 2009-01-22 19:55:35

Före genomsökningen: 7 859 605 504 bytes free
Efter genomsökningen: 7,858,880,512 byte ledigt

WindowsXP-KB310994-SP2-Pro-BootDisk-SVE.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

199 --- E O F --- 2009-01-14 22:04:24




--------------------\\ Lop S&D 4.2.5-0 XP/Vista

Microsoft Windows XP Professional ( v5.1.2600 ) Service Pack 3
X86-based PC ( Multiprocessor Free : AMD Turion™ 64 Mobile Technology MK-36 )
BIOS : PhoenixBIOS 4.0 Release 6.1
USER : Administrator ( Administrator )
BOOT : Normal boot
Antivirus : Norman Security Suite ver. 7.00 7.00 (Not Activated)
C:\ (Local Disk) - NTFS - Total:101 Go (Free:7 Go)
D:\ (Local Disk) - FAT32 - Total:9 Go (Free:1 Go)
E:\ (CD or DVD)
F:\ (CD or DVD) - UDF - Total:0 Go (Free:0 Go)

"C:\Lop SD" ( MAJ : 19-12-2008|23:40 )
Option : [1] ( 2009-01-22|21:00 )

--------------------\\ Listing folders in APPLIC~1

[2008-01-28|02:59] C:\DOCUME~1\ADMINI~1\APPLIC~1\Adobe
[2006-12-03|15:04] C:\DOCUME~1\ADMINI~1\APPLIC~1\AdobeUM
[2007-05-13|20:31] C:\DOCUME~1\ADMINI~1\APPLIC~1\Apple Computer
[2007-08-09|15:37] C:\DOCUME~1\ADMINI~1\APPLIC~1\ArcSoft
[2009-01-11|17:53] C:\DOCUME~1\ADMINI~1\APPLIC~1\Canon
[2007-08-09|15:06] C:\DOCUME~1\ADMINI~1\APPLIC~1\Creative
[2007-01-31|22:38] C:\DOCUME~1\ADMINI~1\APPLIC~1\CyberLink
[2008-12-14|04:45] C:\DOCUME~1\ADMINI~1\APPLIC~1\dvdcss
[2007-04-21|22:31] C:\DOCUME~1\ADMINI~1\APPLIC~1\Google
[2006-12-07|16:40] C:\DOCUME~1\ADMINI~1\APPLIC~1\Help
[2006-12-01|02:44] C:\DOCUME~1\ADMINI~1\APPLIC~1\HP
[2006-12-01|08:16] C:\DOCUME~1\ADMINI~1\APPLIC~1\Identities
[2007-01-18|21:33] C:\DOCUME~1\ADMINI~1\APPLIC~1\Leadertech
[2006-12-01|08:16] C:\DOCUME~1\ADMINI~1\APPLIC~1\Macromedia
[2008-09-18|13:31] C:\DOCUME~1\ADMINI~1\APPLIC~1\Malwarebytes
[2008-03-23|17:24] C:\DOCUME~1\ADMINI~1\APPLIC~1\Media Player Classic
[2008-11-21|23:02] C:\DOCUME~1\ADMINI~1\APPLIC~1\Microsoft
[2008-05-24|19:59] C:\DOCUME~1\ADMINI~1\APPLIC~1\Mozilla
[2007-02-05|17:45] C:\DOCUME~1\ADMINI~1\APPLIC~1\ScanSoft
[2007-01-18|21:34] C:\DOCUME~1\ADMINI~1\APPLIC~1\Sonic
[2006-12-01|00:15] C:\DOCUME~1\ADMINI~1\APPLIC~1\Sun
[2009-01-11|20:27] C:\DOCUME~1\ADMINI~1\APPLIC~1\uTorrent
[2006-12-03|22:08] C:\DOCUME~1\ADMINI~1\APPLIC~1\vlc
[0|fil(er)] C:\DOCUME~1\ADMINI~1\APPLIC~1\byte
[25|katalog(er)] C:\DOCUME~1\ADMINI~1\APPLIC~1\byte ledigt

[2006-12-01|08:16] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Adobe
[2007-03-07|22:06] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple Computer
[2007-02-05|17:37] C:\DOCUME~1\ALLUSE~1\APPLIC~1\CanonBJ
[2006-12-01|08:16] C:\DOCUME~1\ALLUSE~1\APPLIC~1\CyberLink
[2009-01-22|19:53] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google
[2006-12-01|08:16] C:\DOCUME~1\ALLUSE~1\APPLIC~1\HP
[2006-12-01|08:16] C:\DOCUME~1\ALLUSE~1\APPLIC~1\InstallShield
[2008-09-18|13:31] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Malwarebytes
[2008-09-28|12:38] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Microsoft
[2009-01-14|23:04] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Microsoft Help
[2009-01-22|00:36] C:\DOCUME~1\ALLUSE~1\APPLIC~1\NortonInstaller
[2008-11-07|08:38] C:\DOCUME~1\ALLUSE~1\APPLIC~1\NOS
[2006-12-01|08:16] C:\DOCUME~1\ALLUSE~1\APPLIC~1\nView_Profiles
[2007-02-05|17:45] C:\DOCUME~1\ALLUSE~1\APPLIC~1\ScanSoft
[2006-12-01|08:16] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Sonic
[2008-10-21|11:38] C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
[2007-10-25|09:41] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Winamp Toolbar
[2007-10-24|10:56] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage
[2007-11-20|20:33] C:\DOCUME~1\ALLUSE~1\APPLIC~1\WLInstaller
[0|fil(er)] C:\DOCUME~1\ALLUSE~1\APPLIC~1\byte
[21|katalog(er)] C:\DOCUME~1\ALLUSE~1\APPLIC~1\byte ledigt

[2006-12-01|08:16] C:\DOCUME~1\DEFAUL~1\APPLIC~1\Microsoft
[0|fil(er)] C:\DOCUME~1\DEFAUL~1\APPLIC~1\byte
[3|katalog(er)] C:\DOCUME~1\DEFAUL~1\APPLIC~1\byte ledigt

[2008-02-01|14:56] C:\DOCUME~1\Guest\APPLIC~1\Adobe
[2008-02-01|14:34] C:\DOCUME~1\Guest\APPLIC~1\Google
[2008-02-01|14:29] C:\DOCUME~1\Guest\APPLIC~1\Identities
[2008-02-01|14:35] C:\DOCUME~1\Guest\APPLIC~1\Macromedia
[2008-02-01|14:34] C:\DOCUME~1\Guest\APPLIC~1\Microsoft
[0|fil(er)] C:\DOCUME~1\Guest\APPLIC~1\byte
[7|katalog(er)] C:\DOCUME~1\Guest\APPLIC~1\byte ledigt

[2008-08-22|08:26] C:\DOCUME~1\LOCALS~1\APPLIC~1\Adobe
[2008-08-21|07:38] C:\DOCUME~1\LOCALS~1\APPLIC~1\Microsoft
[0|fil(er)] C:\DOCUME~1\LOCALS~1\APPLIC~1\byte
[4|katalog(er)] C:\DOCUME~1\LOCALS~1\APPLIC~1\byte ledigt

[2006-12-01|08:16] C:\DOCUME~1\NETWOR~1\APPLIC~1\Microsoft
[0|fil(er)] C:\DOCUME~1\NETWOR~1\APPLIC~1\byte
[3|katalog(er)] C:\DOCUME~1\NETWOR~1\APPLIC~1\byte ledigt

--------------------\\ Scheduled Tasks located in C:\WINDOWS\Tasks

[2009-01-18 17:48][--a------] C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2009-01-22 20:41][--ah-----] C:\WINDOWS\tasks\SA.DAT
[2006-03-16 05:00][-rah-----] C:\WINDOWS\tasks\desktop.ini

--------------------\\ Listing Folders in C:\Program Files

[2006-12-01|08:16] C:\Program Files\Adobe
[2007-03-07|22:06] C:\Program Files\Apple Software Update
[2007-08-09|14:58] C:\Program Files\ArcSoft
[2007-02-05|17:48] C:\Program Files\Canon
[2007-02-05|17:37] C:\Program Files\CanonBJ
[2009-01-22|20:38] C:\Program Files\Common Files
[2006-12-01|08:16] C:\Program Files\ComPlus Applications
[2006-12-01|08:16] C:\Program Files\CONEXANT
[2007-08-09|15:01] C:\Program Files\Creative
[2007-01-18|21:39] C:\Program Files\DAEMON Tools
[2009-01-18|14:30] C:\Program Files\DC++
[2009-01-22|20:35] C:\Program Files\Google
[2006-12-01|08:16] C:\Program Files\Hewlett-Packard
[2006-12-01|08:16] C:\Program Files\HP
[2006-11-30|23:42] C:\Program Files\HPQ
[2008-03-10|22:12] C:\Program Files\InstallShield Installation Information
[2008-12-12|15:56] C:\Program Files\Internet Explorer
[2008-12-15|20:40] C:\Program Files\Java
[2006-12-25|21:34] C:\Program Files\JoWood
[2008-06-07|18:06] C:\Program Files\K-Lite Codec Pack
[2009-01-21|16:48] C:\Program Files\Malwarebytes' Anti-Malware
[2008-03-01|00:21] C:\Program Files\Maxis
[2008-08-31|09:16] C:\Program Files\Messenger
[2007-05-11|23:46] C:\Program Files\Microsoft CAPICOM 2.1.0.2
[2006-12-01|08:16] C:\Program Files\microsoft frontpage
[2008-09-28|12:35] C:\Program Files\Microsoft Office
[2008-09-28|12:35] C:\Program Files\Microsoft Visual Studio
[2008-09-28|12:35] C:\Program Files\Microsoft Works
[2008-09-28|12:34] C:\Program Files\Microsoft.NET
[2008-08-31|09:06] C:\Program Files\Movie Maker
[2008-02-06|20:06] C:\Program Files\Mozilla Firefox
[2008-09-28|12:35] C:\Program Files\MSBuild
[2006-12-01|08:16] C:\Program Files\MSN
[2006-12-01|08:16] C:\Program Files\MSN Gaming Zone
[2006-12-02|03:15] C:\Program Files\MSXML 4.0
[2008-08-31|08:59] C:\Program Files\NetMeeting
[2006-12-01|08:16] C:\Program Files\NetWaiting
[2008-10-31|10:48] C:\Program Files\Norton Security Scan
[2008-11-07|08:38] C:\Program Files\NOS
[2008-05-26|22:22] C:\Program Files\Octoshape Streaming Services
[2006-12-01|08:16] C:\Program Files\Online Services
[2008-08-31|08:59] C:\Program Files\Outlook Express
[2008-04-09|19:13] C:\Program Files\Paprikari
[2007-03-08|10:54] C:\Program Files\QuickTime
[2007-02-05|17:44] C:\Program Files\ScanSoft
[2006-12-01|08:16] C:\Program Files\Sonic
[2006-12-01|08:16] C:\Program Files\Synaptics
[2009-01-21|18:59] C:\Program Files\Trend Micro
[2006-12-01|08:16] C:\Program Files\Uninstall Information
[2006-12-03|21:31] C:\Program Files\uTorrent
[2006-12-03|21:27] C:\Program Files\VideoLAN
[2007-10-25|19:27] C:\Program Files\Winamp
[2007-11-20|20:36] C:\Program Files\Windows Live
[2006-12-01|08:16] C:\Program Files\Windows Media Connect 2
[2006-12-16|03:01] C:\Program Files\Windows Media Player
[2008-08-31|08:59] C:\Program Files\Windows NT
[2006-12-01|08:16] C:\Program Files\Windows Plus
[2006-12-01|08:16] C:\Program Files\Windows XP MUI Pack
[2006-12-01|08:16] C:\Program Files\WindowsUpdate
[2006-12-07|16:40] C:\Program Files\WinRAR
[2006-12-01|08:16] C:\Program Files\xerox
[2008-05-25|22:27] C:\Program Files\YouTube Downloader
[0|fil(er)] C:\Program Files\byte
[64|katalog(er)] C:\Program Files\byte ledigt

--------------------\\ Listing Folders in C:\Program Files\Common Files

[2006-12-01|08:16] C:\Program Files\Common Files\Adobe
[2008-01-20|12:53] C:\Program Files\Common Files\DESIGNER
[2006-12-01|08:16] C:\Program Files\Common Files\HP
[2006-12-01|08:16] C:\Program Files\Common Files\InstallShield
[2006-12-01|08:16] C:\Program Files\Common Files\Java
[2006-12-01|08:16] C:\Program Files\Common Files\LightScribe
[2008-09-28|12:35] C:\Program Files\Common Files\Microsoft Shared
[2006-12-01|08:16] C:\Program Files\Common Files\MSSoap
[2006-12-01|08:16] C:\Program Files\Common Files\ODBC
[2007-02-05|17:45] C:\Program Files\Common Files\ScanSoft Shared
[2006-12-01|08:16] C:\Program Files\Common Files\Services
[2006-12-01|08:16] C:\Program Files\Common Files\Sonic Shared
[2006-12-01|08:16] C:\Program Files\Common Files\SpeechEngines
[2006-12-01|08:16] C:\Program Files\Common Files\SureThing Shared
[2009-01-22|00:38] C:\Program Files\Common Files\Symantec Shared
[2008-09-28|12:31] C:\Program Files\Common Files\System
[2006-12-01|08:16] C:\Program Files\Common Files\TiVo Shared
[2007-11-20|20:36] C:\Program Files\Common Files\WindowsLiveInstaller
[0|fil(er)] C:\Program Files\Common Files\byte
[20|katalog(er)] C:\Program Files\Common Files\byte ledigt

--------------------\\ Process

( 60 Processes )

iexplore.exe ~ [PID:488]

--------------------\\ Searching with S_Lop

No Lop folder found !

--------------------\\ Searching for Lop Files - Folders

C:\DOCUME~1\ADMINI~1\Cookies\administrator@advertising[1].txt

--------------------\\ Searching within the Registry

..... OK !

--------------------\\ Checking the Hosts file

Hosts file CLEAN


--------------------\\ Searching for hidden files with Catchme

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-22 21:01:54
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden files: 0

--------------------\\ Searching for other infections

--------------------\\ Cracks & Keygens ..

C:\DOCUME~1\ADMINI~1\Mina dokument\Mina mottagna filer\ddd pool\ddd pool\crack
C:\DOCUME~1\ADMINI~1\Mina dokument\Mina mottagna filer\ddd pool\ddd pool\crack\DDDPool.exe


[F:1][D:1]-> C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
[F:77][D:0]-> C:\DOCUME~1\ADMINI~1\Cookies
[F:173][D:4]-> C:\DOCUME~1\ADMINI~1\TEMPOR~1\content.IE5

1 - "C:\Lop SD\LopR_1.txt" - 2009-01-22|21:02 - Option : [1]

--------------------\\ Scan completed at 21:02:54

[AdvancedSetup]

Hi Yeka,

We're sorry but since you have evidence of cracked or pirated software you're using on the system we have to close this thread now.
If you feel this is inaccurate information please send any Moderator a private message explaining in detail and they will review your information in private.
HiJack This! Forum Policy
[indent]

Quote

We will not be party to obvious use of key gens, cracks, warez or other illegal means of downloading software, music, videos ect. This means no P2P evidence will be supported. Logs that show these in them, will given the option to remove the P2P items. Keygens, cracks, warez and similar will have the thread closed period. It's theft and against the law.

[/indent]


This file is from a Torrernt download of a pirated game
C:\DOCUME~1\ADMINI~1\Mina dokument\Mina mottagna filer\ddd pool\ddd pool\crack
C:\DOCUME~1\ADMINI~1\Mina dokument\Mina mottagna filer\ddd pool\ddd pool\crack\DDDPool.exe

For future reference you should also only post and seek assistance form one forum at a time as it wastes the helpers time and causes issues by duplicating work

[AdvancedSetup]

I have opened this post again at the request of a Helper at another forum to assist you.

You must delete this folder and any and all other similar illegal files C:\DOCUME~1\ADMINI~1\Mina dokument\Mina mottagna filer\ddd pool\

If ANY other illegal files are found during this scanning and cleaning then the post will be permanently closed.
You must also remove ALL Peer 2 Peer sharing software while I'm assisting you with cleaning the system.

Thank you.

[yeka]

Thak you for giving me another try. I think the log should be ok now, i hope so.. i did my best, i'm not an expert in this area ..


--------------------\\ Lop S&D 4.2.5-0 XP/Vista

Microsoft Windows XP Professional ( v5.1.2600 ) Service Pack 3
X86-based PC ( Multiprocessor Free : AMD Turion™ 64 Mobile Technology MK-36 )
BIOS : PhoenixBIOS 4.0 Release 6.1
USER : Administrator ( Administrator )
BOOT : Normal boot
Antivirus : Norman Security Suite ver. 7.00 7.00 (Activated)
C:\ (Local Disk) - NTFS - Total:101 Go (Free:9 Go)
D:\ (Local Disk) - FAT32 - Total:9 Go (Free:1 Go)
E:\ (CD or DVD)
F:\ (CD or DVD) - UDF - Total:0 Go (Free:0 Go)

"C:\Lop SD" ( MAJ : 19-12-2008|23:40 )
Option : [1] ( 2009-01-23|19:50 )

--------------------\\ Listing folders in APPLIC~1

[2008-01-28|02:59] C:\DOCUME~1\ADMINI~1\APPLIC~1\Adobe
[2006-12-03|15:04] C:\DOCUME~1\ADMINI~1\APPLIC~1\AdobeUM
[2007-05-13|20:31] C:\DOCUME~1\ADMINI~1\APPLIC~1\Apple Computer
[2007-08-09|15:37] C:\DOCUME~1\ADMINI~1\APPLIC~1\ArcSoft
[2009-01-11|17:53] C:\DOCUME~1\ADMINI~1\APPLIC~1\Canon
[2007-08-09|15:06] C:\DOCUME~1\ADMINI~1\APPLIC~1\Creative
[2007-01-31|22:38] C:\DOCUME~1\ADMINI~1\APPLIC~1\CyberLink
[2008-12-14|04:45] C:\DOCUME~1\ADMINI~1\APPLIC~1\dvdcss
[2007-04-21|22:31] C:\DOCUME~1\ADMINI~1\APPLIC~1\Google
[2006-12-07|16:40] C:\DOCUME~1\ADMINI~1\APPLIC~1\Help
[2006-12-01|02:44] C:\DOCUME~1\ADMINI~1\APPLIC~1\HP
[2006-12-01|08:16] C:\DOCUME~1\ADMINI~1\APPLIC~1\Identities
[2007-01-18|21:33] C:\DOCUME~1\ADMINI~1\APPLIC~1\Leadertech
[2006-12-01|08:16] C:\DOCUME~1\ADMINI~1\APPLIC~1\Macromedia
[2008-09-18|13:31] C:\DOCUME~1\ADMINI~1\APPLIC~1\Malwarebytes
[2008-03-23|17:24] C:\DOCUME~1\ADMINI~1\APPLIC~1\Media Player Classic
[2008-11-21|23:02] C:\DOCUME~1\ADMINI~1\APPLIC~1\Microsoft
[2008-05-24|19:59] C:\DOCUME~1\ADMINI~1\APPLIC~1\Mozilla
[2007-02-05|17:45] C:\DOCUME~1\ADMINI~1\APPLIC~1\ScanSoft
[2007-01-18|21:34] C:\DOCUME~1\ADMINI~1\APPLIC~1\Sonic
[2006-12-01|00:15] C:\DOCUME~1\ADMINI~1\APPLIC~1\Sun
[2006-12-03|22:08] C:\DOCUME~1\ADMINI~1\APPLIC~1\vlc
[0|fil(er)] C:\DOCUME~1\ADMINI~1\APPLIC~1\byte
[24|katalog(er)] C:\DOCUME~1\ADMINI~1\APPLIC~1\byte ledigt

[2006-12-01|08:16] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Adobe
[2007-03-07|22:06] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple Computer
[2007-02-05|17:37] C:\DOCUME~1\ALLUSE~1\APPLIC~1\CanonBJ
[2006-12-01|08:16] C:\DOCUME~1\ALLUSE~1\APPLIC~1\CyberLink
[2009-01-22|19:53] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google
[2006-12-01|08:16] C:\DOCUME~1\ALLUSE~1\APPLIC~1\HP
[2006-12-01|08:16] C:\DOCUME~1\ALLUSE~1\APPLIC~1\InstallShield
[2008-09-18|13:31] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Malwarebytes
[2008-09-28|12:38] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Microsoft
[2009-01-23|12:58] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Microsoft Help
[2009-01-22|00:36] C:\DOCUME~1\ALLUSE~1\APPLIC~1\NortonInstaller
[2008-11-07|08:38] C:\DOCUME~1\ALLUSE~1\APPLIC~1\NOS
[2006-12-01|08:16] C:\DOCUME~1\ALLUSE~1\APPLIC~1\nView_Profiles
[2007-02-05|17:45] C:\DOCUME~1\ALLUSE~1\APPLIC~1\ScanSoft
[2006-12-01|08:16] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Sonic
[2008-10-21|11:38] C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
[2007-10-25|09:41] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Winamp Toolbar
[2007-10-24|10:56] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage
[2007-11-20|20:33] C:\DOCUME~1\ALLUSE~1\APPLIC~1\WLInstaller
[0|fil(er)] C:\DOCUME~1\ALLUSE~1\APPLIC~1\byte
[21|katalog(er)] C:\DOCUME~1\ALLUSE~1\APPLIC~1\byte ledigt

[2006-12-01|08:16] C:\DOCUME~1\DEFAUL~1\APPLIC~1\Microsoft
[0|fil(er)] C:\DOCUME~1\DEFAUL~1\APPLIC~1\byte
[3|katalog(er)] C:\DOCUME~1\DEFAUL~1\APPLIC~1\byte ledigt

[2008-02-01|14:56] C:\DOCUME~1\Guest\APPLIC~1\Adobe
[2008-02-01|14:34] C:\DOCUME~1\Guest\APPLIC~1\Google
[2008-02-01|14:29] C:\DOCUME~1\Guest\APPLIC~1\Identities
[2008-02-01|14:35] C:\DOCUME~1\Guest\APPLIC~1\Macromedia
[2008-02-01|14:34] C:\DOCUME~1\Guest\APPLIC~1\Microsoft
[0|fil(er)] C:\DOCUME~1\Guest\APPLIC~1\byte
[7|katalog(er)] C:\DOCUME~1\Guest\APPLIC~1\byte ledigt

[2008-08-22|08:26] C:\DOCUME~1\LOCALS~1\APPLIC~1\Adobe
[2008-08-21|07:38] C:\DOCUME~1\LOCALS~1\APPLIC~1\Microsoft
[0|fil(er)] C:\DOCUME~1\LOCALS~1\APPLIC~1\byte
[4|katalog(er)] C:\DOCUME~1\LOCALS~1\APPLIC~1\byte ledigt

[2006-12-01|08:16] C:\DOCUME~1\NETWOR~1\APPLIC~1\Microsoft
[0|fil(er)] C:\DOCUME~1\NETWOR~1\APPLIC~1\byte
[3|katalog(er)] C:\DOCUME~1\NETWOR~1\APPLIC~1\byte ledigt

--------------------\\ Scheduled Tasks located in C:\WINDOWS\Tasks

[2009-01-18 17:48][--a------] C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2009-01-23 13:15][--ah-----] C:\WINDOWS\tasks\SA.DAT
[2006-03-16 05:00][-rah-----] C:\WINDOWS\tasks\desktop.ini

--------------------\\ Listing Folders in C:\Program Files

[2006-12-01|08:16] C:\Program Files\Adobe
[2007-03-07|22:06] C:\Program Files\Apple Software Update
[2007-08-09|14:58] C:\Program Files\ArcSoft
[2007-02-05|17:48] C:\Program Files\Canon
[2007-02-05|17:37] C:\Program Files\CanonBJ
[2009-01-22|20:38] C:\Program Files\Common Files
[2006-12-01|08:16] C:\Program Files\ComPlus Applications
[2006-12-01|08:16] C:\Program Files\CONEXANT
[2007-08-09|15:01] C:\Program Files\Creative
[2007-01-18|21:39] C:\Program Files\DAEMON Tools
[2009-01-22|20:35] C:\Program Files\Google
[2006-12-01|08:16] C:\Program Files\Hewlett-Packard
[2006-12-01|08:16] C:\Program Files\HP
[2006-11-30|23:42] C:\Program Files\HPQ
[2008-03-10|22:12] C:\Program Files\InstallShield Installation Information
[2008-12-12|15:56] C:\Program Files\Internet Explorer
[2008-12-15|20:40] C:\Program Files\Java
[2006-12-25|21:34] C:\Program Files\JoWood
[2008-06-07|18:06] C:\Program Files\K-Lite Codec Pack
[2009-01-21|16:48] C:\Program Files\Malwarebytes' Anti-Malware
[2008-03-01|00:21] C:\Program Files\Maxis
[2008-08-31|09:16] C:\Program Files\Messenger
[2007-05-11|23:46] C:\Program Files\Microsoft CAPICOM 2.1.0.2
[2006-12-01|08:16] C:\Program Files\microsoft frontpage
[2009-01-23|12:59] C:\Program Files\Microsoft Office
[2009-01-23|12:59] C:\Program Files\Microsoft Works
[2008-08-31|09:06] C:\Program Files\Movie Maker
[2008-02-06|20:06] C:\Program Files\Mozilla Firefox
[2006-12-01|08:16] C:\Program Files\MSN
[2006-12-01|08:16] C:\Program Files\MSN Gaming Zone
[2006-12-02|03:15] C:\Program Files\MSXML 4.0
[2008-08-31|08:59] C:\Program Files\NetMeeting
[2006-12-01|08:16] C:\Program Files\NetWaiting
[2008-10-31|10:48] C:\Program Files\Norton Security Scan
[2008-11-07|08:38] C:\Program Files\NOS
[2008-05-26|22:22] C:\Program Files\Octoshape Streaming Services
[2006-12-01|08:16] C:\Program Files\Online Services
[2008-08-31|08:59] C:\Program Files\Outlook Express
[2007-03-08|10:54] C:\Program Files\QuickTime
[2007-02-05|17:44] C:\Program Files\ScanSoft
[2006-12-01|08:16] C:\Program Files\Sonic
[2006-12-01|08:16] C:\Program Files\Synaptics
[2009-01-21|18:59] C:\Program Files\Trend Micro
[2006-12-01|08:16] C:\Program Files\Uninstall Information
[2006-12-03|21:27] C:\Program Files\VideoLAN
[2007-10-25|19:27] C:\Program Files\Winamp
[2007-11-20|20:36] C:\Program Files\Windows Live
[2006-12-01|08:16] C:\Program Files\Windows Media Connect 2
[2006-12-16|03:01] C:\Program Files\Windows Media Player
[2008-08-31|08:59] C:\Program Files\Windows NT
[2006-12-01|08:16] C:\Program Files\Windows Plus
[2006-12-01|08:16] C:\Program Files\Windows XP MUI Pack
[2006-12-01|08:16] C:\Program Files\WindowsUpdate
[2006-12-01|08:16] C:\Program Files\xerox
[0|fil(er)] C:\Program Files\byte
[56|katalog(er)] C:\Program Files\byte ledigt

--------------------\\ Listing Folders in C:\Program Files\Common Files

[2006-12-01|08:16] C:\Program Files\Common Files\Adobe
[2006-12-01|08:16] C:\Program Files\Common Files\HP
[2006-12-01|08:16] C:\Program Files\Common Files\InstallShield
[2006-12-01|08:16] C:\Program Files\Common Files\Java
[2006-12-01|08:16] C:\Program Files\Common Files\LightScribe
[2009-01-23|12:59] C:\Program Files\Common Files\Microsoft Shared
[2006-12-01|08:16] C:\Program Files\Common Files\MSSoap
[2006-12-01|08:16] C:\Program Files\Common Files\ODBC
[2007-02-05|17:45] C:\Program Files\Common Files\ScanSoft Shared
[2006-12-01|08:16] C:\Program Files\Common Files\Services
[2006-12-01|08:16] C:\Program Files\Common Files\Sonic Shared
[2006-12-01|08:16] C:\Program Files\Common Files\SpeechEngines
[2006-12-01|08:16] C:\Program Files\Common Files\SureThing Shared
[2009-01-22|00:38] C:\Program Files\Common Files\Symantec Shared
[2009-01-23|12:55] C:\Program Files\Common Files\System
[2006-12-01|08:16] C:\Program Files\Common Files\TiVo Shared
[2007-11-20|20:36] C:\Program Files\Common Files\WindowsLiveInstaller
[0|fil(er)] C:\Program Files\Common Files\byte
[19|katalog(er)] C:\Program Files\Common Files\byte ledigt

--------------------\\ Process

( 62 Processes )

iexplore.exe ~ [PID:860]

--------------------\\ Searching with S_Lop

No Lop folder found !

--------------------\\ Searching for Lop Files - Folders

C:\DOCUME~1\ADMINI~1\Cookies\administrator@advertising[2].txt
C:\DOCUME~1\ADMINI~1\Cookies\administrator@adopt.euroclick[1].txt

--------------------\\ Searching within the Registry

..... OK !

--------------------\\ Checking the Hosts file

Hosts file CLEAN


--------------------\\ Searching for hidden files with Catchme

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-23 19:52:12
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden files: 0

--------------------\\ Searching for other infections


No other infections found !

[F:10][D:2]-> C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
[F:67][D:0]-> C:\DOCUME~1\ADMINI~1\Cookies
[F:1479][D:6]-> C:\DOCUME~1\ADMINI~1\TEMPOR~1\content.IE5

1 - "C:\Lop SD\LopR_1.txt" - 2009-01-22|21:02 - Option : [1]
2 - "C:\Lop SD\LopR_2.txt" - 2009-01-23|13:46 - Option : [1]
3 - "C:\Lop SD\LopR_3.txt" - 2009-01-23|19:53 - Option : [1]

--------------------\\ Scan completed at 19:53:25

[AdvancedSetup]

Update and Scan with Malwarebytes' Anti-Malware

• Start MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)
  
• Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.
  
  • Update Malwarebytes' Anti-Malware
    
  • Select the Update tab
    
  • Click Update
• When the update is complete, select the Scanner tab
  
• Select Perform quick scan, then click Scan.
  
• When the scan is complete, click OK, then Show Results to view the results.
  
• Be sure that everything is checked, and click Remove Selected.
  
• When completed, a log will open in Notepad. please copy and paste the log into your next reply
  • If you accidently close it, the log file is saved here and will be named like this:
    
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then RESTART the computer

AFTER the reboot run HJT Do a system scan and save a logfile
The post back NEW MBAM and HJT logs in that order please.


Please download the following scanning tool. GMER
[indent]

• Open the zip file and copy the file gmer.exe to your Desktop.
  
• Double click on gmer.exe and run it.
  
• It may take a minute to load and become available.
  
• Do not make any changes. As soon as it's done and the COPY button is available click on the COPY button.
  
• DO NOT Click on the SCAN button.
  
• This will place the scan in your clipboard. Paste that into notepad or into your next reply post please.
  
• Click OK and quit the GMER program.

[/indent]

[yeka]

I'm not sure how to send the logs, do you want me to put them in a codebox or something else..?

MBAM didn't find anything..
Malwarebytes' Anti-Malware 1.33
Databasversion: 1688
Windows 5.1.2600 Service Pack 3

2009-01-24 13:38:51
mbam-log-2009-01-24 (13-38-51).txt

Skanningstyp: Snabb skanning
Antal skannade objekt: 53795
Förfluten tid: 4 minute(s), 58 second(s)

Infekterade minnesprocesser: 0
Infekterade minnesmoduler: 0
Infekterade registernycklar: 0
Infekterade registervärden: 0
Infekterade registerdataposter: 0
Infekterade mappar: 0
Infekterade filer: 0

Infekterade minnesprocesser:
(Inga illasinnade poster hittades)

Infekterade minnesmoduler:
(Inga illasinnade poster hittades)

Infekterade registernycklar:
(Inga illasinnade poster hittades)

Infekterade registervärden:
(Inga illasinnade poster hittades)

Infekterade registerdataposter:
(Inga illasinnade poster hittades)

Infekterade mappar:
(Inga illasinnade poster hittades)

Infekterade filer:
(Inga illasinnade poster hittades)






Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:45:01, on 2009-01-24
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Norman\Npm\bin\ELOGSVC.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Norman\Npm\Bin\Zanda.exe
C:\Norman\npm\bin\nvoy.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\msdtc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Norman\Npm\Bin\ZLH.EXE
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Norman\Npm\Bin\Nvcsched.exe
C:\Norman\Npm\Bin\Njeeves.exe
C:\WINDOWS\system32\dllhost.exe
C:\Norman\nse\bin\NSESVC.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\Norman\Nvc\bin\nvcoas.exe
C:\Norman\Nvc\Bin\Nip.exe
C:\Norman\Nvc\Bin\cclaw.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /nodetect
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [Reminder] C:\Windows\CREATOR\Remind_XP.exe
O4 - HKLM\..\Run: [Norman ZANDA] "C:\Norman\Npm\Bin\ZLH.EXE" /LOAD /SPLASH
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Photosmart Premier Snabbstart.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=SV_SE&c=64&bd=pavilion&pf=laptop
O16 - DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} (Infotl Control) - http://site.ebrary.com.till.biblextern.sh....s/ebraryRdr.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Automatisk LiveUpdate-schemaläggare - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: Norman eLogger service 6 (eLoggerSvc6) - Norman ASA - C:\Norman\Npm\bin\ELOGSVC.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Norman NJeeves - Norman ASA - C:\Norman\Npm\Bin\Njeeves.exe
O23 - Service: Norman ZANDA - Norman ASA - C:\Norman\Npm\Bin\Zanda.exe
O23 - Service: Norman Scanner Engine Service (nsesvc) - Norman ASA - C:\Norman\nse\bin\NSESVC.EXE
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Norman\Nvc\bin\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman ASA - C:\Norman\Npm\Bin\Nvcsched.exe
O23 - Service: Norman's Very Own supplY of resources (NVOY) - Norman ASA - C:\Norman\npm\bin\nvoy.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 9521 bytes






GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-01-24 13:47:37
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.14 ----

SSDT sptd.sys ZwEnumerateKey [0xF72B2A92]
SSDT sptd.sys ZwEnumerateValueKey [0xF72B2E20]

---- Devices - GMER 1.0.14 ----

Device \FileSystem\Ntfs \Ntfs 868F11E8
Device \FileSystem\Fastfat \Fat 859FD980

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 eabfiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Development Company, L.P.)

---- EOF - GMER 1.0.14 ----

[yeka]

any further help?

[AdvancedSetup]

Sorry for the delay but I've been quite busy at work.

Please delete your current copy of Combofix and download a new version and run it. You still show something on the box.
Also, remove ALL versions of JAVA from Control Panel, Add/Remove until we're done cleaning the system.



[indent]Please visit this webpage for instructions for downloading ComboFix to your DESKTOP : how-to-use-combofix
Please ensure you read this guide carefully and install the Recovery Console first.
NOTE!!: You must save and run ComboFix.exe on your DESKTOP and not from any other folder.
Also, DO NOT click the mouse or launch any other applications while this is running or it may stall the program

Additional links to download the tool:
ComboFix.exe
ComboFix.exe
ComboFix.exe


Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

• Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  
• Click Yes to allow ComboFix to continue scanning for malware.
  
• When the tool is finished, it will produce a report for you.
  
• Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.

[/indent]

[yeka]

ComboFix 09-01-21.04 - Administrator 2009-01-27 16:55:53.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.991.489 [GMT 1:00]
Körs från: c:\documents and settings\Administrator\Skrivbord\ComboFix.exe
AV: Norman Security Suite ver. 7.00 *On-access scanning disabled* (Updated)
.

(((((((((((((((((((((((( Filer Skapade från 2008-12-27 till 2009-01-27 ))))))))))))))))))))))))))))))
.

2009-01-26 14:58 . 2009-01-26 14:58 <DIR> d-------- c:\documents and settings\Administrator\Application Data\OpenOffice.org
2009-01-26 14:54 . 2009-01-26 14:54 <DIR> d-------- c:\program files\OpenOffice.org 3
2009-01-26 14:54 . 2009-01-26 14:54 <DIR> d-------- c:\program files\JRE
2009-01-24 13:47 . 2009-01-24 13:47 250 --a------ c:\windows\gmer.ini
2009-01-22 20:59 . 2009-01-23 19:53 <DIR> d-------- C:\Lop SD
2009-01-22 00:36 . 2009-01-22 00:36 <DIR> d-------- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-01-21 18:59 . 2009-01-21 18:59 <DIR> d-------- c:\program files\Trend Micro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Rapport )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-27 15:49 --------- d-----w c:\program files\Java
2009-01-23 11:59 --------- d-----w c:\program files\Microsoft Works
2009-01-23 11:58 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-01-22 19:35 --------- d-----w c:\program files\Google
2009-01-21 23:38 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-01-21 15:48 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-01-14 15:11 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-14 15:11 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-01-11 16:53 --------- d-----w c:\documents and settings\Administrator\Application Data\Canon
2008-12-15 19:40 410,984 ----a-w c:\windows\system32\deploytk.dll
2008-12-14 03:45 --------- d-----w c:\documents and settings\Administrator\Application Data\dvdcss
2008-12-13 06:40 3,593,216 ------w c:\windows\system32\dllcache\mshtml.dll
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-11 10:57 333,952 ------w c:\windows\system32\dllcache\srv.sys
2008-10-20 19:21 19,108 ----a-w c:\documents and settings\Administrator\Application Data\nonesono.com
2008-10-20 19:21 18,080 ----a-w c:\program files\Common Files\sytivyp.bat
2008-10-20 19:21 17,401 ----a-w c:\program files\Common Files\byquciqo.vbs
2008-10-20 19:21 15,072 ----a-w c:\program files\Common Files\dylikiwo.com
2008-10-20 19:21 13,921 ----a-w c:\documents and settings\Administrator\Application Data\vebaxe.dat
2008-10-20 19:21 12,224 ----a-w c:\program files\Common Files\melonyp.inf
2006-11-30 22:08 0 -c--a-w c:\documents and settings\Administrator\Application Data\wklnhst.dat
2008-10-21 13:53 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008102120081022\index.dat
.

((((((((((((((((((((((((((((( snapshot@2009-01-22_20.54.43.92 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-01-24 12:47:10 884,736 ----a-w c:\windows\gmer.dll
+ 2008-04-17 20:13:02 811,008 ----a-r c:\windows\gmer.exe
+ 2009-01-26 13:56:03 7,424,000 ----a-r c:\windows\Installer\{161B3AC6-593F-4AC7-BBBF-88B72012A94E}\soffice.exe
+ 2009-01-24 12:47:10 85,969 ----a-w c:\windows\system32\drivers\gmer.sys
- 2008-10-15 18:08:05 305,216 ----a-w c:\windows\system32\FNTCACHE.DAT
+ 2009-01-27 11:46:24 319,544 ----a-w c:\windows\system32\FNTCACHE.DAT
+ 2008-09-30 17:43:36 224,768 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_d08d0375\msvcm90.dll
+ 2008-09-30 17:43:36 568,832 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_d08d0375\msvcp90.dll
+ 2008-09-30 17:43:36 655,872 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_d08d0375\msvcr90.dll
.
(((((((((((((((((((((((((((((((((( Startpunkter i registret )))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Not* Tomma poster & legitima standardposter visas inte.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2006-11-12 157592]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-22 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-05-03 458752]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-18 7585792]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-08-18 86016]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-04-01 761946]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2006-07-11 102400]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-16 49152]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-06-19 163840]
"Cpqset"="c:\program files\Hewlett-Packard\Default Settings\cpqset.exe" [2006-05-30 40960]
"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
"Reminder"="c:\windows\CREATOR\Remind_XP.exe" [2006-02-09 643072]
"Norman ZANDA"="c:\norman\Npm\Bin\ZLH.EXE" [2008-06-02 277616]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-09-30 155648]
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-03-21 69632]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-02-16 282624]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"nwiz"="nwiz.exe" [2006-08-18 c:\windows\system32\nwiz.exe]
"MsmqIntCert"="mqrt.dll" [2008-04-14 c:\windows\system32\mqrt.dll]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-06-02 c:\windows\system32\CHDAudPropShortcut.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-09-12 384000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
HP Photosmart Premier Snabbstart.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-09-24 73728]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6081:TCP"= 6081:TCP:RPC

R3 nsesvc;Norman Scanner Engine Service;c:\norman\Nse\Bin\Nsesvc.exe [2005-12-31 322616]
R3 NVCScheduler;Norman Virus Control Scheduler;c:\norman\npm\bin\nvcsched.exe [2008-06-04 154680]
R4 Ndiskio;Ndiskio;c:\norman\Nse\Bin\Ndiskio.sys [2007-01-30 20448]
R4 NVOY;Norman's Very Own supplY of resources;c:\norman\npm\bin\nvoy.exe [2008-06-04 121912]
S3 5U870CAP_VID_1262&PID_25FD;HP Pavilion Webcam ;c:\windows\system32\drivers\5U870CAP.sys [2006-06-06 61952]
S3 nvcfsr;nvcfsr;c:\norman\NVC\Bin\Nvcfsr.sys [2007-01-30 6712]
S3 NvcMFlt;NvcMFlt;c:\windows\system32\drivers\nvcw32mf.sys [2007-05-02 19512]
S3 nvcoafl51;nvcoafl51;c:\norman\NVC\Bin\Nvcoafl51.sys [2007-01-30 30264]
S3 nvcoaft51;nvcoaft51;c:\norman\NVC\Bin\Nvcoaft51.sys [2007-01-30 129848]
S3 nvcoarc51;nvcoarc51;c:\norman\NVC\Bin\Nvcoarc51.sys [2007-01-30 23224]
S3 nvcoas;Norman Virus Control on-access component;c:\norman\NVC\Bin\Nvcoas.exe [2008-01-14 191544]
S4 Automatisk LiveUpdate-schemaläggare;Automatisk LiveUpdate-schemaläggare;"c:\program files\Symantec\LiveUpdate\ALUSchedulerSvc.exe" --> c:\program files\Symantec\LiveUpdate\ALUSchedulerSvc.exe [?]

--- Övriga tjänster/drivrutiner i minnet ---

*Deregistered* - mchInjDrv
.
Innehållet i mappen 'Schemalagda aktiviteter':

2009-01-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-01-10 15:42]
.
.
------- Extra genomsökning -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xportera till Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-27 16:58:42
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\Hewlett-Packard\Default Settings\cpqset.exe????????????<?@? ???H[??????Y?@?????<?@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Sluttid: 2009-01-27 17:00:26
ComboFix-quarantined-files.txt 2009-01-27 16:00:02
ComboFix2.txt 2009-01-22 19:55:46

Före genomsökningen: 9 311 895 552 bytes free
Efter genomsökningen: 9,325,510,656 byte ledigt

151 --- E O F --- 2009-01-14 22:04:24







Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:03:08, on 2009-01-27
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Norman\Npm\bin\ELOGSVC.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Norman\Npm\Bin\Zanda.exe
C:\Norman\npm\bin\nvoy.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\msdtc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Norman\Npm\Bin\Nvcsched.exe
C:\Norman\Npm\Bin\Njeeves.exe
C:\WINDOWS\system32\dllhost.exe
C:\Norman\nse\bin\NSESVC.EXE
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Norman\Npm\Bin\ZLH.EXE
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\Norman\Nvc\Bin\Nip.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /nodetect
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [Reminder] C:\Windows\CREATOR\Remind_XP.exe
O4 - HKLM\..\Run: [Norman ZANDA] "C:\Norman\Npm\Bin\ZLH.EXE" /LOAD /SPLASH
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Photosmart Premier Snabbstart.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=SV_SE&c=64&bd=pavilion&pf=laptop
O16 - DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} (Infotl Control) - http://site.ebrary.com.till.biblextern.sh....s/ebraryRdr.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Automatisk LiveUpdate-schemaläggare - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: Norman eLogger service 6 (eLoggerSvc6) - Norman ASA - C:\Norman\Npm\bin\ELOGSVC.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Norman NJeeves - Norman ASA - C:\Norman\Npm\Bin\Njeeves.exe
O23 - Service: Norman ZANDA - Norman ASA - C:\Norman\Npm\Bin\Zanda.exe
O23 - Service: Norman Scanner Engine Service (nsesvc) - Norman ASA - C:\Norman\nse\bin\NSESVC.EXE
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Norman\Nvc\bin\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman ASA - C:\Norman\Npm\Bin\Nvcsched.exe
O23 - Service: Norman's Very Own supplY of resources (NVOY) - Norman ASA - C:\Norman\npm\bin\nvoy.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 9054 bytes

[AdvancedSetup]

I'll be out of town tonight and will look at this for you tomorrow.

Thanks

[AdvancedSetup]

You need to uninstall Adobe Acrobat Reader 7 and upgrade to version 9 if you want the Reader.

Update available for vulnerability in versions 8.1 and earlier of Adobe Reader and Acrobat


Please download the following scanning tool. GMER
[indent]

• Open the zip file and copy the file gmer.exe to your Desktop.
  
• Double click on gmer.exe and run it.
  
• It may take a minute to load and become available.
  
• Do not make any changes. Click on the SCAN button and DO NOT use the computer while it's scanning.
  
• Once the scan is done click on the SAVE button and browse to your Desktop and save the file as GMER.LOG
  
• Zip up the GMER.LOG file and save it as gmerlog.zip and attach it to your reply post.
  
• DO NOT directly post this log into a reply. You MUST attach it as a .ZIP file.
  
• Click OK and quit the GMER program.

How To Use Compressed (Zipped) Folders in Windows XP
Compress and uncompress files (zip files) in Vista
[/indent]

[yeka]

i'm not sure what i'm doing.. hope it's right..

Attached Files

•  gmerlog.zip.zip   3.25K   118 downloads

[AdvancedSetup]

Okay that looks okay. That hidden driver appears to be from the copy of Daemon Tools you have running on the system.

Please run the following one more time.

Update and Scan with Malwarebytes' Anti-Malware

• Start MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)
  
• Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.
  
  • Update Malwarebytes' Anti-Malware
    
  • Select the Update tab
    
  • Click Update
• When the update is complete, select the Scanner tab
  
• Select Perform quick scan, then click Scan.
  
• When the scan is complete, click OK, then Show Results to view the results.
  
• Be sure that everything is checked, and click Remove Selected.
  
• When completed, a log will open in Notepad. please copy and paste the log into your next reply
  • If you accidently close it, the log file is saved here and will be named like this:
    
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then RESTART the computer

AFTER the reboot run HJT Do a system scan and save a logfile
The post back NEW MBAM and HJT logs in that order please.

Then let me know if you're still having any signs of an infection or not.

[yeka]

The problem is still there, there's only "nimda" as a user account on the welcome-screen.. And about a day ago Norman catched A0066131.sys W32/Agent.HHSF and put it in quarantine, but i think MBAM couldn't see it. Here is the logs:

Malwarebytes' Anti-Malware 1.33
Databasversion: 1705
Windows 5.1.2600 Service Pack 3

2009-01-29 15:57:00
mbam-log-2009-01-29 (15-57-00).txt

Skanningstyp: Snabb skanning
Antal skannade objekt: 54592
Förfluten tid: 6 minute(s), 39 second(s)

Infekterade minnesprocesser: 0
Infekterade minnesmoduler: 0
Infekterade registernycklar: 0
Infekterade registervärden: 0
Infekterade registerdataposter: 0
Infekterade mappar: 0
Infekterade filer: 0

Infekterade minnesprocesser:
(Inga illasinnade poster hittades)

Infekterade minnesmoduler:
(Inga illasinnade poster hittades)

Infekterade registernycklar:
(Inga illasinnade poster hittades)

Infekterade registervärden:
(Inga illasinnade poster hittades)

Infekterade registerdataposter:
(Inga illasinnade poster hittades)

Infekterade mappar:
(Inga illasinnade poster hittades)

Infekterade filer:
(Inga illasinnade poster hittades)



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:02:52, on 2009-01-29
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Norman\Npm\bin\ELOGSVC.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Norman\Npm\Bin\Zanda.exe
C:\Norman\npm\bin\nvoy.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\msdtc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Norman\Npm\Bin\ZLH.EXE
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Norman\Npm\Bin\Nvcsched.exe
C:\Norman\Npm\Bin\Njeeves.exe
C:\WINDOWS\system32\dllhost.exe
C:\Norman\nse\bin\NSESVC.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe
C:\Norman\Nvc\bin\nvcoas.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Norman\Nvc\Bin\Nip.exe
C:\Norman\Nvc\Bin\cclaw.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /nodetect
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [Reminder] C:\Windows\CREATOR\Remind_XP.exe
O4 - HKLM\..\Run: [Norman ZANDA] "C:\Norman\Npm\Bin\ZLH.EXE" /LOAD /SPLASH
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O4 - Global Startup: HP Photosmart Premier Snabbstart.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=SV_SE&c=64&bd=pavilion&pf=laptop
O16 - DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} (Infotl Control) - http://site.ebrary.com.till.biblextern.sh....s/ebraryRdr.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Automatisk LiveUpdate-schemaläggare - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: Norman eLogger service 6 (eLoggerSvc6) - Norman ASA - C:\Norman\Npm\bin\ELOGSVC.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Norman NJeeves - Norman ASA - C:\Norman\Npm\Bin\Njeeves.exe
O23 - Service: Norman ZANDA - Norman ASA - C:\Norman\Npm\Bin\Zanda.exe
O23 - Service: Norman Scanner Engine Service (nsesvc) - Norman ASA - C:\Norman\nse\bin\NSESVC.EXE
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Norman\Nvc\bin\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman ASA - C:\Norman\Npm\Bin\Nvcsched.exe
O23 - Service: Norman's Very Own supplY of resources (NVOY) - Norman ASA - C:\Norman\npm\bin\nvoy.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 9190 bytes

[AdvancedSetup]

Please do not use the Quote or CODE tags when posting. Just post directly, thank you.


Please try the following. Download it, double-click on it with a blank CD-R in the CD Burner and it will automatically burn a bootable CD for you to boot with and run and scan.

Requires access to a working computer with a CD/DVD burner to create a bootable CD.
[indent]Avira AntiVir Rescue System - download[/indent]

Avira AntiVir Rescue System
Avira AntiVir Rescue System is a Linux-based application that allows accessing computers that cannot be booted anymore. Thus it is possible to:
[indent]

• repair a damaged system,
  
  
• rescue data,
  
  
• scan the system for virus infections.[/indent]
  Just double-click on the rescue system package to burn it to a CD/DVD. You can then use this CD/DVD to boot your computer.
  The Avira AntiVir Rescue System is updated several times a day so that the most recent security updates are always available.

[yeka]

i have to get a cd-r, i'll be back when i have one.

[AdvancedSetup]

Okay, let me know when you're ready please.

[AdvancedSetup]

Please post a status update on this