Malwarebytes

YOOG infection log posting

#1
Cilieborg (New Member, Members, 5 posts)

Hi,
I have a computer infected with YOOG, I hope somebody can help me get rid of this infection. Here are the logfiles:

Malwarebytes' Anti-Malware 1.34
Database version: 1798
Windows 5.1.2600 Service Pack 3

24-02-2009 12:04:56
mbam-log-2009-02-24 (12-04-56).txt

Skan type: Fuldstændig skanning (C:\|)
Objekter skannet: 135496
Tid tilbagelagt: 49 minute(s), 40 second(s)

Inficerede Hukommelses Processer: 0
Inficerede Hukommelses Moduler: 0
Inficerede Registeringsdatabase Nøgler: 0
Inficerede Registeringsdatabase Værdier: 0
Inficerede Registeringsdatabase Filer: 0
Inficerede Mapper: 0
Inficerede Filer: 0

Inficerede Hukommelses Processer:
(Ingen mistænkelige filer fundet)

Inficerede Hukommelses Moduler:
(Ingen mistænkelige filer fundet)

Inficerede Registeringsdatabase Nøgler:
(Ingen mistænkelige filer fundet)

Inficerede Registeringsdatabase Værdier:
(Ingen mistænkelige filer fundet)

Inficerede Registeringsdatabase Filer:
(Ingen mistænkelige filer fundet)

Inficerede Mapper:
(Ingen mistænkelige filer fundet)

Inficerede Filer:
(Ingen mistænkelige filer fundet)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:40:33, on 24-02-2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Norman\Npm\bin\ELOGSVC.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Norman\Npm\Bin\Zanda.exe
C:\Norman\npm\bin\nvoy.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\msdtc.exe
C:\Programmer\WIDCOMM\Bluetooth-software\bin\btwdins.exe
C:\Programmer\Cisco Systems\VPN Client\cvpnd.exe
C:\Programmer\Java\jre6\bin\jqs.exe
C:\Programmer\Fælles filer\LightScribe\LSSrvc.exe
C:\Programmer\Fælles filer\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmer\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Norman\Npm\Bin\Njeeves.exe
C:\Norman\Npm\Bin\Nvcsched.exe
C:\Norman\nse\bin\NSESVC.EXE
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Programmer\Analog Devices\Core\smax4pnp.exe
C:\Programmer\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Programmer\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\WINDOWS\SMINST\Scheduler.exe
C:\Norman\Npm\Bin\ZLH.EXE
C:\Programmer\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Programmer\QuickTime\qttask.exe
C:\Programmer\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Programmer\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Programmer\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmer\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Programmer\OLYMPUS\OLYMPUS Master 2\MMonitor.exe
C:\Programmer\PC Connectivity Solution\ServiceLayer.exe
C:\Programmer\Fælles filer\LightScribe\LightScribeControlPanel.exe
C:\Programmer\Fælles filer\Ahead\Lib\NMBgMonitor.exe
C:\Programmer\Fælles filer\Ahead\Lib\NMIndexStoreSvr.exe
C:\Programmer\WIDCOMM\Bluetooth-software\BTTray.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Programmer\Fælles filer\Ahead\Lib\NMIndexingService.exe
C:\Programmer\PC Connectivity Solution\NclBTHandler.exe
C:\Programmer\Fælles filer\Nokia\MPAPI\MPAPI3s.exe
C:\Norman\Nvc\bin\nvcoas.exe
C:\Norman\Nvc\Bin\Nip.exe
C:\Norman\Nvc\Bin\cclaw.exe
C:\Programmer\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.toender-gym.dk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
F3 - REG:win.ini: load=C:\DOCUME~1\ADMINI~1\LOKALE~1\netdetect.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Fælles filer\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: addestination - {0b40a68f-b16f-1c00-a011-fab9bc06ba4d} - C:\WINDOWS\system32\nsbF.dll
O2 - BHO: addestination search enhancer - {1F809090-969C-29B7-CEBB-68B95CDD46D3} - C:\WINDOWS\system32\nclagdxexlhcym.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmer\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Programmer\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programmer\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Programmer\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programmer\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programmer\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Programmer\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Programmer\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Programmer\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmer\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Programmer\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\Sminst\Recguard.exe
O4 - HKLM\..\Run: [Reminder] C:\WINDOWS\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Scheduler] C:\WINDOWS\SMINST\Scheduler.exe
O4 - HKLM\..\Run: [Norman ZANDA] "C:\Norman\Npm\Bin\ZLH.EXE" /LOAD /SPLASH
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Programmer\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Component Manager] "C:\Programmer\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Programmer\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Programmer\Fælles filer\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmer\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programmer\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PcSync] C:\Programmer\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [OM2_Monitor] "C:\Programmer\OLYMPUS\OLYMPUS Master 2\MMonitor.exe"
O4 - HKCU\..\Run: [swg] C:\Programmer\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Programmer\Fælles filer\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programmer\Fælles filer\Ahead\Lib\NMBgMonitor.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETVÆRKSTJENESTE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: VPN Client.lnk = ?
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1174974160968
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD5/JSCDL/jre...ows-i586-jc.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://212.64.161.21/activex/AMC.cab
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Programmer\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Programmer\WIDCOMM\Bluetooth-software\bin\btwdins.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Programmer\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Norman eLogger service 6 (eLoggerSvc6) - Norman ASA - C:\Norman\Npm\bin\ELOGSVC.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programmer\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Programmer\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Programmer\Fælles filer\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programmer\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Programmer\Fælles filer\LightScribe\LSSrvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Programmer\Fælles filer\Ahead\Lib\NMIndexingService.exe
O23 - Service: Norman NJeeves - Norman ASA - C:\Norman\Npm\Bin\Njeeves.exe
O23 - Service: Norman ZANDA - Norman ASA - C:\Norman\Npm\Bin\Zanda.exe
O23 - Service: Norman Scanner Engine Service (nsesvc) - Norman ASA - C:\Norman\nse\bin\NSESVC.EXE
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Norman\Nvc\bin\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman ASA - C:\Norman\Npm\Bin\Nvcsched.exe
O23 - Service: Norman's Very Own supplY of resources (NVOY) - Norman ASA - C:\Norman\npm\bin\nvoy.exe
O23 - Service: PC Angel (PCA) - SoftThinks - C:\WINDOWS\SMINST\PCAngel.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programmer\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 11507 bytes

Best regards
Jonas Cilieborg

#2
AdvancedSetup (Forum Deity, Administrators, 22,575 posts, Gender: Male, Location: US)

Please visit this webpage for instructions for downloading ComboFix to your DESKTOP : how-to-use-combofix
Please ensure you read this guide carefully and install the Recovery Console first.
NOTE!!: You must save and run ComboFix.exe on your DESKTOP and not from any other folder.
Also, DO NOT click the mouse or launch any other applications while this is running or it may stall the program.

Additional links to download the tool:
ComboFix.exe
ComboFix.exe
ComboFix.exe


Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.
  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.
Ron Lewis
Manager, Online Support

If you've posted to the HJT forum and it has been over 5 days without a response please send a Private Message asking for assistance.

#3
Cilieborg (New Member, Members, 5 posts)

Please visit this webpage for instructions for downloading ComboFix to your DESKTOP : how-to-use-combofix
Please ensure you read this guide carefully and install the Recovery Console first.

This last part failed. The computer runs XP SP3, and I don't have a recovery console for this SP. But here are the logs:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:34, on 2009-02-25
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Norman\Npm\bin\ELOGSVC.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Norman\Npm\Bin\Zanda.exe
C:\Norman\npm\bin\nvoy.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\msdtc.exe
C:\Programmer\WIDCOMM\Bluetooth-software\bin\btwdins.exe
C:\Programmer\Cisco Systems\VPN Client\cvpnd.exe
C:\Programmer\Java\jre6\bin\jqs.exe
C:\Programmer\Fælles filer\LightScribe\LSSrvc.exe
C:\Programmer\Fælles filer\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Programmer\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Norman\Npm\Bin\Njeeves.exe
C:\Norman\Npm\Bin\Nvcsched.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Programmer\Analog Devices\Core\smax4pnp.exe
C:\Programmer\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Programmer\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\WINDOWS\SMINST\Scheduler.exe
C:\Norman\Npm\Bin\ZLH.EXE
C:\Programmer\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Programmer\QuickTime\qttask.exe
C:\Programmer\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Programmer\PC Connectivity Solution\ServiceLayer.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Programmer\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Programmer\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmer\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Programmer\OLYMPUS\OLYMPUS Master 2\MMonitor.exe
C:\Programmer\Fælles filer\Nokia\MPAPI\MPAPI3s.exe
C:\Programmer\Fælles filer\LightScribe\LightScribeControlPanel.exe
C:\Programmer\Fælles filer\Ahead\Lib\NMBgMonitor.exe
C:\Programmer\PC Connectivity Solution\NclBTHandler.exe
C:\Programmer\Fælles filer\Ahead\Lib\NMIndexStoreSvr.exe
C:\Programmer\Fælles filer\Ahead\Lib\NMIndexingService.exe
C:\Programmer\WIDCOMM\Bluetooth-software\BTTray.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Norman\nse\bin\NSESVC.EXE
C:\Norman\Nvc\Bin\Nip.exe
C:\Norman\Nvc\bin\nvcoas.exe
C:\Norman\Nvc\Bin\cclaw.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Programmer\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.toender-gym.dk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Fælles filer\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: addestination - {0b40a68f-b16f-1c00-a011-fab9bc06ba4d} - C:\WINDOWS\system32\nsbF.dll
O2 - BHO: addestination search enhancer - {1F809090-969C-29B7-CEBB-68B95CDD46D3} - C:\WINDOWS\system32\nclagdxexlhcym.dll (file missing)
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmer\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Programmer\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programmer\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Programmer\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programmer\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programmer\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Programmer\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Programmer\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmer\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Programmer\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\Sminst\Recguard.exe
O4 - HKLM\..\Run: [Reminder] C:\WINDOWS\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Scheduler] C:\WINDOWS\SMINST\Scheduler.exe
O4 - HKLM\..\Run: [Norman ZANDA] "C:\Norman\Npm\Bin\ZLH.EXE" /LOAD /SPLASH
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Programmer\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Component Manager] "C:\Programmer\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Programmer\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Programmer\Fælles filer\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmer\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programmer\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PcSync] C:\Programmer\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [OM2_Monitor] "C:\Programmer\OLYMPUS\OLYMPUS Master 2\MMonitor.exe"
O4 - HKCU\..\Run: [swg] C:\Programmer\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Programmer\Fælles filer\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programmer\Fælles filer\Ahead\Lib\NMBgMonitor.exe"
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [PcSync] C:\Programmer\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: VPN Client.lnk = ?
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1174974160968
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD5/JSCDL/jre...ows-i586-jc.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://212.64.161.21/activex/AMC.cab
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Programmer\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Programmer\WIDCOMM\Bluetooth-software\bin\btwdins.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Programmer\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Norman eLogger service 6 (eLoggerSvc6) - Norman ASA - C:\Norman\Npm\bin\ELOGSVC.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programmer\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Programmer\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Programmer\Fælles filer\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programmer\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Programmer\Fælles filer\LightScribe\LSSrvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Programmer\Fælles filer\Ahead\Lib\NMIndexingService.exe
O23 - Service: Norman NJeeves - Norman ASA - C:\Norman\Npm\Bin\Njeeves.exe
O23 - Service: Norman ZANDA - Norman ASA - C:\Norman\Npm\Bin\Zanda.exe
O23 - Service: Norman Scanner Engine Service (nsesvc) - Norman ASA - C:\Norman\nse\bin\NSESVC.EXE
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Norman\Nvc\bin\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman ASA - C:\Norman\Npm\Bin\Nvcsched.exe
O23 - Service: Norman's Very Own supplY of resources (NVOY) - Norman ASA - C:\Norman\npm\bin\nvoy.exe
O23 - Service: PC Angel (PCA) - SoftThinks - C:\WINDOWS\SMINST\PCAngel.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programmer\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 11091 bytes

ComboFix 09-02-24.02 - Administrator 2009-02-25 10:20:53.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1030.18.1015.512 [GMT 1:00]
Kører fra: c:\documents and settings\Administrator\Skrivebord\ComboFix.exe
AV: Norman Security Suite ver. 7.00 *On-access scanning disabled* (Updated)
* Dannede nyt systemgendannelsespunkt

advarsel -DENNE MASKINE HAR IKKE GENOPRETTELSESKONSOL INSTALLERET !!
.

((((((((((((((((((((((((((((((((((((((( Andet, der er slettet )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\programmer\INSTALL.LOG
c:\windows\system32\cont_addestination-remove.exe
c:\windows\system32\nclagdxexlhcym.dll
E:\Autorun.inf

.
((((((((((((((((((((((((((((( Filer skabt fra 2009-01-25 til 2009-02-25 )))))))))))))))))))))))))))))))))))
.

2009-02-24 12:40 . 2009-02-24 12:40 <DIR> d-------- c:\programmer\Trend Micro
2009-02-24 11:03 . 2009-02-24 11:03 <DIR> d-------- c:\programmer\Malwarebytes' Anti-Malware
2009-02-24 11:03 . 2009-02-24 11:03 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-24 11:03 . 2009-02-24 11:03 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-02-24 11:03 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-24 11:03 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-02-18 17:36 . 2009-02-19 17:27 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2009-02-09 18:21 . 2009-02-24 12:39 54,156 --ah----- c:\windows\QTFont.qfn
2009-02-09 18:21 . 2009-02-09 18:21 1,409 --a------ c:\windows\QTFont.for
2009-02-06 15:18 . 2009-02-06 15:18 85,577 --a------ c:\windows\system32\6d87527a-c600-2449-136e-83cb34a10861.exe
2009-02-05 14:42 . 2009-02-05 14:42 674,816 --a------ c:\windows\system32\nsbF.dll
2009-02-04 19:45 . 2009-02-04 19:45 <DIR> d-------- c:\documents and settings\All Users\Application Data\Office Genuine Advantage

.
(((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-22 09:35 62,015 ----a-w c:\windows\system32\nclagdxexlhcym.dll-uninst.exe
2009-02-16 18:15 48,284 ----a-w c:\windows\system32\igztgajzseqw.exe
2009-02-11 15:58 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-01-22 19:04 --------- d-----w c:\programmer\Axis Communications
2009-01-22 11:41 19,512 ----a-w c:\windows\system32\drivers\nvcw32mf.sys
2009-01-19 17:03 --------- d-----w c:\programmer\Google
2009-01-16 20:19 3,594,752 ----a-w c:\windows\system32\dllcache\mshtml.dll
2009-01-16 11:40 --------- d-----w c:\programmer\Fælles filer\Adobe
2009-01-05 11:31 410,984 ----a-w c:\windows\system32\deploytk.dll
2009-01-05 11:31 --------- d-----w c:\programmer\Java
2008-12-31 16:04 691,560 ----a-w c:\windows\system32\OGACheckControl.dll
2008-12-31 16:04 528,744 ----a-w c:\windows\system32\OGAVerify.exe
2008-12-31 16:04 502,120 ----a-w c:\windows\system32\OGAAddin.dll
2008-12-19 09:10 13,824 ------w c:\windows\system32\dllcache\ieudinit.exe
2008-12-19 09:09 70,656 ------w c:\windows\system32\dllcache\ie4uinit.exe
2008-12-19 05:25 634,024 ------w c:\windows\system32\dllcache\iexplore.exe
2008-12-19 05:23 161,792 ------w c:\windows\system32\dllcache\ieakui.dll
2008-12-11 10:57 333,952 ------w c:\windows\system32\dllcache\srv.sys
2007-04-30 17:06 3,151 ----a-w c:\programmer\fcc32.RPT
2007-01-19 22:13 1,084,315 ----a-w c:\programmer\Lang830.rez
2006-10-13 10:00 1,138 ----a-w c:\programmer\Readme.txt
2006-09-29 13:06 11,205,817 ----a-w c:\programmer\fcc32.exe
2005-08-03 09:50 393,216 ----a-w c:\programmer\fcsmapi.dll
2001-08-23 03:00 486,400 ----a-w c:\programmer\dbghelp.dll
2006-09-01 09:53 56 --sha-w c:\windows\SMINST\hpboot.sys
2008-05-20 18:51 32,768 --sha-w c:\windows\system32\config\systemprofile\Lokale indstillinger\Oversigt\History.IE5\MSHist012008052020080521\index.dat
.

((((((((((((((((((((((((((((((((((( Start steder i reg.basen ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Bemærk* tomme linier & lovlige standard linier vises ikke
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0b40a68f-b16f-1c00-a011-fab9bc06ba4d}]
2009-02-05 14:42 674816 --a------ c:\windows\system32\nsbF.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"PcSync"="c:\programmer\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-11-09 1634304]
"OM2_Monitor"="c:\programmer\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" [2007-05-28 95800]
"swg"="c:\programmer\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-03-12 68856]
"LightScribe Control Panel"="c:\programmer\Fælles filer\LightScribe\LightScribeControlPanel.exe" [2007-04-19 484904]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\programmer\Fælles filer\Ahead\Lib\NMBgMonitor.exe" [2007-05-04 149040]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\programmer\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
"SynTPEnh"="c:\programmer\Synaptics\SynTP\SynTPEnh.exe" [2006-03-03 761948]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]
"QlbCtrl"="c:\programmer\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-05-08 131072]
"Cpqset"="c:\programmer\HPQ\Default Settings\cpqset.exe" [2006-01-26 172094]
"Recguard"="c:\windows\Sminst\Recguard.exe" [2005-12-20 1187840]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2006-03-09 806912]
"Scheduler"="c:\windows\SMINST\Scheduler.exe" [2006-02-15 892928]
"Norman ZANDA"="c:\norman\Npm\Bin\ZLH.EXE" [2008-06-02 277616]
"PCSuiteTrayApplication"="c:\programmer\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2006-11-28 222720]
"QuickTime Task"="c:\programmer\QuickTime\qttask.exe" [2006-09-01 282624]
"HP Component Manager"="c:\programmer\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2004-05-06 172032]
"HP Software Update"="c:\programmer\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2004-05-06 49152]
"NeroFilterCheck"="c:\programmer\Fælles filer\Ahead\Lib\NeroCheck.exe" [2007-05-04 161328]
"SunJavaUpdateSched"="c:\programmer\Java\jre6\bin\jusched.exe" [2009-01-05 136600]
"Adobe Reader Speed Launcher"="c:\programmer\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"MsmqIntCert"="mqrt.dll" [2008-04-14 c:\windows\system32\mqrt.dll]
"AGRSMMSG"="AGRSMMSG.exe" [2006-01-30 c:\windows\AGRSMMSG.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"PcSync"="c:\programmer\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-11-09 1634304]

c:\documents and settings\All Users\Menuen Start\Programmer\Start\
BTTray.lnk - c:\programmer\WIDCOMM\Bluetooth-software\BTTray.exe [2006-01-18 581693]
VPN Client.lnk - c:\windows\Installer\{D25122BC-A60E-4663-B602-B01718F12044}\Icon3E5562ED7.ico [2007-11-30 6144]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Documents and Settings\\Administrator\\Lokale indstillinger\\netdetect.exe"=

R2 Ndiskio;Ndiskio;c:\norman\Nse\Bin\Ndiskio.sys [2006-09-06 20448]
R2 NVOY;Norman's Very Own supplY of resources;c:\norman\npm\bin\nvoy.exe [2008-10-24 121912]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2005-10-21 36352]
R3 nsesvc;Norman Scanner Engine Service;c:\norman\Nse\Bin\Nsesvc.exe [2009-01-28 183352]
R3 NvcMFlt;NvcMFlt;c:\windows\system32\drivers\nvcw32mf.sys [2007-05-04 19512]
R3 nvcoas;Norman Virus Control on-access component;c:\norman\NVC\Bin\Nvcoas.exe [2009-02-19 195640]
R3 NVCScheduler;Norman Virus Control Scheduler;c:\norman\npm\bin\nvcsched.exe [2008-10-24 154680]
S3 ElgTaDrv;elmeg USB Device Driver;c:\windows\system32\drivers\ElgTaDrv.sys [2007-05-08 73660]
S3 nvcfsr;nvcfsr;c:\norman\NVC\Bin\Nvcfsr.sys [2006-09-06 6712]
S3 nvcoafl51;nvcoafl51;c:\norman\NVC\Bin\Nvcoafl51.sys [2006-09-06 30264]
S3 nvcoaft51;nvcoaft51;c:\norman\NVC\Bin\Nvcoaft51.sys [2006-09-06 129848]
S3 nvcoarc51;nvcoarc51;c:\norman\NVC\Bin\Nvcoarc51.sys [2006-09-06 23224]
S3 TSClient;Tatara Protocol Driver;c:\windows\system32\drivers\tsclient.sys --> c:\windows\system32\drivers\tsclient.sys [?]

--- Andre Services/Drivers i Hukommelsen ---

*Deregistered* - mchInjDrv

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{26578d9c-a5d3-11dd-a1db-001560cc62e2}]
\Shell\AutoRun\command - F:\VMC_PBStarter.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{26578d9d-a5d3-11dd-a1db-001560cc62e2}]
\Shell\AutoRun\command - F:\VMC_PBStarter.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\programmer\Fælles filer\LightScribe\LSRunOnce.exe"
.
Indhold af mappen 'Planlagte Opgaver'

2009-02-11 c:\windows\Tasks\OGADaily.job
- c:\windows\system32\OGAVerify.exe [2008-12-31 17:04]

2009-02-25 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAVerify.exe [2008-12-31 17:04]
.
- - - - TOMME GENVEJE FJERNET - - - -

BHO-{1F809090-969C-29B7-CEBB-68B95CDD46D3} - c:\windows\system32\nclagdxexlhcym.dll
MSConfigStartUp-oveabscswvn - c:\windows\system32\pxvoafnodwpokqkee.dll


.
------- Yderligere scanning -------
.
uStart Page = hxxp://www.toender-gym.dk/
uInternet Connection Wizard,ShellNext = hxxp://www.hp.com/
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://212.64.161.21/activex/AMC.cab
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-25 10:24:19
Windows 5.1.2600 Service Pack 3 NTFS

scanner skjulte processer ...

c:\docume~1\ADMINI~1\LOKALE~1\NETDET~1.EXE [2520] 0x853C74B0

scanner skjulte autostarter ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\programmer\HPQ\Default Settings\cpqset.exe????????P??????P??|?????? ??4B????????? ????hB??????P?

scanner skjulte filer ...

scanning gennemført med succes
skjulte filer: 0

**************************************************************************
.
Gennemført tid: 2009-02-25 10:25:36
ComboFix-quarantined-files.txt 2009-02-25 09:25:33

Pre-Kørsel: 56.746.491.904 byte ledig
Post-Kørsel: 57,297,985,536 byte ledig

160 --- E O F --- 2009-02-11 16:00:45

#4
AdvancedSetup

    Forum Deity

  • Administrators
  • 22,575 posts
  • Gender:Male
  • Location:US
Download but do not yet run ComboFix
If you have a previous version of Combofix.exe, delete it and download a fresh copy.
Download it to your DESKTOP - it MUST run from the Desktop
download.bleepingcomputer.com/sUBs/ComboFix.exe
subs.geekstogo.com/ComboFix.exe

Using your mouse, Highlight and then Right-click | Copy the entire contents of the Code box below, including blank lines
KILLALL::

File::
c:\windows\QTFont.qfn
c:\windows\QTFont.for
c:\windows\system32\6d87527a-c600-2449-136e-83cb34a10861.exe
c:\windows\system32\nsbF.dll
c:\windows\system32\nclagdxexlhcym.dll-uninst.exe
c:\windows\system32\igztgajzseqw.exe
c:\windows\system32\nclagdxexlhcym.dll
c:\windows\system32\pxvoafnodwpokqkee.dll

Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" .

Using your mouse, drag the new file CFscript.txt and drop it on the Combo-Fix.exe icon as shown:
  • Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
  • Disconnect from the Internet.
  • Disable your Antivirus software. If it has Script Blocking features, please disable these as well.
  • A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix.
  • It may identify that Recovery Console is not installed. Please accept when asked if you wish it to be installed.
    When the scan completes, Notepad will open with your results log open. Do a File, Exit.
A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Post back the Combofix log on your next reply.



    Download and install CCleaner
  • CCleaner
  • Double-click on the downloaded file "ccsetup216.exe" and install the application.
  • Keep the default installation folder "C:\Program Files\CCleaner"
  • Uncheck "Add CCleaner Yahoo! Toolbar and use CCleaner from your browser"
  • Click finish when done and close ALL PROGRAMS
  • Start the CCleaner program.
  • Click on Registry and Uncheck Registry Integrity so that it does not run (basically the very top, uncheck it)
  • Click on Options - Advanced and Uncheck "Only delete files in Windows Temp folders older than 48 hours"
  • Click back to Cleaner and under SYSTEM uncheck the Memory Dumps and Windows Log Files
  • Click on Run Cleaner button on the bottom right side of the program.
  • Click OK to any prompts







To remove the Yoog Search issue, first scan your system with an UP TO DATE version of MBAM and fix any issues found.
    Remove Yoog Search from FireFox
  • Look in your Firefox profile folder for a file with a name like Yoog search.XML and delete it.
  • Typical path is like: C:\Documents and Settings\your name\Application Data\Mozilla\Firefox\Profiles\random name.default
  • On the address bar of Firefox you type: about:config and press the Enter key
  • Click on the "I will be careful, I promise" button.
  • Type in Yoog for the filter and a list of items that have Yoog in them should appear
  • For each entry that has been modified and now has Yoog in it you can RIGHT CLICK and choose RESET
    Unless there is some active infection replacing it, or a new method, then you should no longer have the Yoog Search
    Remove Yoog Search from Internet Explorer
  • For IE6
  • Launch IE and click on the SEARCH button
  • Click the CUSTOMIZE button
  • Click on the RESET button
  • For IE7
  • Click on Tools/Internet Options
  • In the middle under Search section click the Settings button
  • Highlight Yoog and click the Remove button.
    Unless there is some active infection replacing it, or a new method, then you should no longer have the Yoog Search

Ron Lewis
Manager, Online Support


Follow us: Twitter, Become a fan: Facebook

If you've posted to the HJT forum and it has been over 5 days without a response please send a Private Message asking for assistance.

#5
Cilieborg

    New Member

  • Members
  • 5 posts
Okay, the latest log from ComboFix is this:
ComboFix 09-02-24.02 - Administrator 2009-02-25 12:29:54.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1030.18.1015.475 [GMT 1:00]
Kører fra: c:\documents and settings\Administrator\Skrivebord\ComboFix.exe
Kommandoer benyttet :: c:\documents and settings\Administrator\Skrivebord\CFscript.txt
AV: Norman Security Suite ver. 7.00 *On-access scanning disabled* (Updated)
* Dannede nyt systemgendannelsespunkt

advarsel -DENNE MASKINE HAR IKKE GENOPRETTELSESKONSOL INSTALLERET !!

FILE ::
c:\windows\QTFont.for
c:\windows\QTFont.qfn
c:\windows\system32\6d87527a-c600-2449-136e-83cb34a10861.exe
c:\windows\system32\igztgajzseqw.exe
c:\windows\system32\nclagdxexlhcym.dll
c:\windows\system32\nclagdxexlhcym.dll-uninst.exe
c:\windows\system32\nsbF.dll
c:\windows\system32\pxvoafnodwpokqkee.dll
.

((((((((((((((((((((((((((((((((((((((( Andet, der er slettet )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\QTFont.for
c:\windows\QTFont.qfn
c:\windows\system32\6d87527a-c600-2449-136e-83cb34a10861.exe
c:\windows\system32\igztgajzseqw.exe
c:\windows\system32\nclagdxexlhcym.dll-uninst.exe
c:\windows\system32\nsbF.dll
.
---- Forrige Kørsel -------
.
c:\programmer\INSTALL.LOG
c:\windows\system32\cont_addestination-remove.exe
c:\windows\system32\nclagdxexlhcym.dll
E:\Autorun.inf

.
((((((((((((((((((((((((((((( Filer skabt fra 2009-01-25 til 2009-02-25 )))))))))))))))))))))))))))))))))))
.

2009-02-24 12:40 . 2009-02-24 12:40 <DIR> d-------- c:\programmer\Trend Micro
2009-02-24 11:03 . 2009-02-24 11:03 <DIR> d-------- c:\programmer\Malwarebytes' Anti-Malware
2009-02-24 11:03 . 2009-02-24 11:03 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-24 11:03 . 2009-02-24 11:03 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-02-24 11:03 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-24 11:03 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-02-18 17:36 . 2009-02-19 17:27 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2009-02-04 19:45 . 2009-02-04 19:45 <DIR> d-------- c:\documents and settings\All Users\Application Data\Office Genuine Advantage

.
(((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-11 15:58 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-01-22 19:04 --------- d-----w c:\programmer\Axis Communications
2009-01-22 11:41 19,512 ----a-w c:\windows\system32\drivers\nvcw32mf.sys
2009-01-19 17:03 --------- d-----w c:\programmer\Google
2009-01-16 11:40 --------- d-----w c:\programmer\Fælles filer\Adobe
2009-01-05 11:31 --------- d-----w c:\programmer\Java
2007-04-30 17:06 3,151 ----a-w c:\programmer\fcc32.RPT
2007-01-19 22:13 1,084,315 ----a-w c:\programmer\Lang830.rez
2006-10-13 10:00 1,138 ----a-w c:\programmer\Readme.txt
2006-09-29 13:06 11,205,817 ----a-w c:\programmer\fcc32.exe
2005-08-03 09:50 393,216 ----a-w c:\programmer\fcsmapi.dll
2001-08-23 03:00 486,400 ----a-w c:\programmer\dbghelp.dll
2006-09-01 09:53 56 --sha-w c:\windows\SMINST\hpboot.sys
2008-05-20 18:51 32,768 --sha-w c:\windows\system32\config\systemprofile\Lokale indstillinger\Oversigt\History.IE5\MSHist012008052020080521\index.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-02-25_10.24.45,67 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-02-25 11:32:27 16,384 ----atw c:\windows\temp\Perflib_Perfdata_468.dat
.
((((((((((((((((((((((((((((((((((( Start steder i reg.basen ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Bemærk* tomme linier & lovlige standard linier vises ikke
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1F809090-969C-29B7-CEBB-68B95CDD46D3}]
c:\windows\system32\nclagdxexlhcym.dll [BU]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"PcSync"="c:\programmer\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-11-09 1634304]
"OM2_Monitor"="c:\programmer\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" [2007-05-28 95800]
"swg"="c:\programmer\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-03-12 68856]
"LightScribe Control Panel"="c:\programmer\Fælles filer\LightScribe\LightScribeControlPanel.exe" [2007-04-19 484904]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\programmer\Fælles filer\Ahead\Lib\NMBgMonitor.exe" [2007-05-04 149040]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\programmer\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
"SynTPEnh"="c:\programmer\Synaptics\SynTP\SynTPEnh.exe" [2006-03-03 761948]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]
"QlbCtrl"="c:\programmer\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-05-08 131072]
"Cpqset"="c:\programmer\HPQ\Default Settings\cpqset.exe" [2006-01-26 172094]
"Recguard"="c:\windows\Sminst\Recguard.exe" [2005-12-20 1187840]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2006-03-09 806912]
"Scheduler"="c:\windows\SMINST\Scheduler.exe" [2006-02-15 892928]
"Norman ZANDA"="c:\norman\Npm\Bin\ZLH.EXE" [2008-06-02 277616]
"PCSuiteTrayApplication"="c:\programmer\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2006-11-28 222720]
"QuickTime Task"="c:\programmer\QuickTime\qttask.exe" [2006-09-01 282624]
"HP Component Manager"="c:\programmer\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2004-05-06 172032]
"HP Software Update"="c:\programmer\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2004-05-06 49152]
"NeroFilterCheck"="c:\programmer\Fælles filer\Ahead\Lib\NeroCheck.exe" [2007-05-04 161328]
"SunJavaUpdateSched"="c:\programmer\Java\jre6\bin\jusched.exe" [2009-01-05 136600]
"Adobe Reader Speed Launcher"="c:\programmer\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"MsmqIntCert"="mqrt.dll" [2008-04-14 c:\windows\system32\mqrt.dll]
"AGRSMMSG"="AGRSMMSG.exe" [2006-01-30 c:\windows\AGRSMMSG.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"PcSync"="c:\programmer\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-11-09 1634304]

c:\documents and settings\All Users\Menuen Start\Programmer\Start\
BTTray.lnk - c:\programmer\WIDCOMM\Bluetooth-software\BTTray.exe [2006-01-18 581693]
VPN Client.lnk - c:\windows\Installer\{D25122BC-A60E-4663-B602-B01718F12044}\Icon3E5562ED7.ico [2007-11-30 6144]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\oveabscswvn]
c:\windows\system32\pxvoafnodwpokqkee.dll [BU]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Documents and Settings\\Administrator\\Lokale indstillinger\\netdetect.exe"=

R2 Ndiskio;Ndiskio;c:\norman\Nse\Bin\Ndiskio.sys [2006-09-06 20448]
R2 NVOY;Norman's Very Own supplY of resources;c:\norman\npm\bin\nvoy.exe [2008-10-24 121912]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2005-10-21 36352]
R3 nsesvc;Norman Scanner Engine Service;c:\norman\Nse\Bin\Nsesvc.exe [2009-01-28 183352]
R3 NvcMFlt;NvcMFlt;c:\windows\system32\drivers\nvcw32mf.sys [2007-05-04 19512]
R3 nvcoas;Norman Virus Control on-access component;c:\norman\NVC\Bin\Nvcoas.exe [2009-02-19 195640]
R3 NVCScheduler;Norman Virus Control Scheduler;c:\norman\npm\bin\nvcsched.exe [2008-10-24 154680]
S3 ElgTaDrv;elmeg USB Device Driver;c:\windows\system32\drivers\ElgTaDrv.sys [2007-05-08 73660]
S3 nvcfsr;nvcfsr;c:\norman\NVC\Bin\Nvcfsr.sys [2006-09-06 6712]
S3 nvcoafl51;nvcoafl51;c:\norman\NVC\Bin\Nvcoafl51.sys [2006-09-06 30264]
S3 nvcoaft51;nvcoaft51;c:\norman\NVC\Bin\Nvcoaft51.sys [2006-09-06 129848]
S3 nvcoarc51;nvcoarc51;c:\norman\NVC\Bin\Nvcoarc51.sys [2006-09-06 23224]
S3 TSClient;Tatara Protocol Driver;c:\windows\system32\drivers\tsclient.sys --> c:\windows\system32\drivers\tsclient.sys [?]

--- Andre Services/Drivers i Hukommelsen ---

*Deregistered* - mchInjDrv

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{26578d9c-a5d3-11dd-a1db-001560cc62e2}]
\Shell\AutoRun\command - F:\VMC_PBStarter.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{26578d9d-a5d3-11dd-a1db-001560cc62e2}]
\Shell\AutoRun\command - F:\VMC_PBStarter.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\programmer\Fælles filer\LightScribe\LSRunOnce.exe"
.
Indhold af mappen 'Planlagte Opgaver'

2009-02-11 c:\windows\Tasks\OGADaily.job
- c:\windows\system32\OGAVerify.exe [2008-12-31 17:04]

2009-02-25 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAVerify.exe [2008-12-31 17:04]
.
- - - - TOMME GENVEJE FJERNET - - - -

BHO-{0b40a68f-b16f-1c00-a011-fab9bc06ba4d} - c:\windows\system32\nsbF.dll


.
------- Yderligere scanning -------
.
uStart Page = hxxp://www.toender-gym.dk/
uInternet Connection Wizard,ShellNext = hxxp://www.hp.com/
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://212.64.161.21/activex/AMC.cab
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-25 12:32:43
Windows 5.1.2600 Service Pack 3 NTFS

scanner skjulte processer ...

scanner skjulte autostarter ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\programmer\HPQ\Default Settings\cpqset.exe????????P??????P??|?????? ??4B????????? ????hB??????P?

scanner skjulte filer ...

scanning gennemført med succes
skjulte filer: 0

**************************************************************************
.
------------------------ Andre kørende processer ------------------------
.
c:\norman\npm\bin\elogsvc.exe
c:\norman\npm\bin\Zanda.exe
c:\windows\system32\msdtc.exe
c:\programmer\WIDCOMM\Bluetooth-software\bin\btwdins.exe
c:\programmer\Cisco Systems\VPN Client\cvpnd.exe
c:\programmer\Java\jre6\bin\jqs.exe
c:\programmer\Fælles filer\LightScribe\LSSrvc.exe
c:\programmer\Fælles filer\Microsoft Shared\VS7Debug\mdm.exe
c:\windows\system32\mqsvc.exe
c:\programmer\Hewlett-Packard\Shared\hpqwmiex.exe
c:\progra~1\ANALOG~1\Core\smax4pnp.exe
c:\progra~1\SYNAPT~1\SynTP\SynTPEnh.exe
c:\progra~1\HEWLET~1\HPQUIC~1\QLBCTRL.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\SMINST\SCHEDU~1.EXE
c:\progra~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
c:\progra~1\QUICKT~1\qttask.exe
c:\progra~1\HP\HPCORE~1\hpcmpmgr.exe
c:\progra~1\HEWLET~1\HPSOFT~1\HPWUSC~1.EXE
c:\progra~1\Adobe\READER~1.0\Reader\READER~1.EXE
c:\progra~1\Nokia\NOKIAP~1\PcSync2.exe
c:\progra~1\OLYMPUS\OLYMPU~1\MMonitor.exe
c:\progra~1\FLLESF~1\LIGHTS~1\LIGHTS~1.EXE
c:\programmer\Fælles filer\Ahead\Lib\NMIndexStoreSvr.exe
c:\windows\system32\mqtgsvc.exe
c:\norman\npm\bin\Njeeves.exe
c:\programmer\PC Connectivity Solution\ServiceLayer.exe
c:\programmer\Fælles filer\Ahead\Lib\NMIndexingService.exe
c:\programmer\PC Connectivity Solution\NclBTHandler.exe
c:\programmer\Fælles filer\Nokia\MPAPI\MPAPI3s.exe
c:\norman\NVC\Bin\Nip.exe
c:\norman\NVC\Bin\CClaw.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Gennemført tid: 2009-02-25 12:35:53 - maskinen blev genstartet [Administrator]
ComboFix-quarantined-files.txt 2009-02-25 11:35:49
ComboFix2.txt 2009-02-25 09:25:38

Pre-Kørsel: 57,271,320,576 byte ledig
Post-Kørsel: 57,264,869,376 byte ledig

206 --- E O F --- 2009-02-11 16:00:45

Regards
Jonas Cilieborg
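An added check for reading the log above, not part of ComboFix or the forum's procedure: it reconciles the File:: list from the CFscript in post #4 against the deletion section of this ComboFix log, so a responder can see which requested files the log reports as deleted in this run, which it attributes to the previous run, and which are unaccounted for.

```python
# Added example for this thread; not ComboFix code. Sample inputs are the
# CFscript from post #4 and the deletion section of the log in post #5.
import re
from typing import Dict, List, Set

CFSCRIPT = r"""KILLALL::

File::
c:\windows\QTFont.qfn
c:\windows\QTFont.for
c:\windows\system32\6d87527a-c600-2449-136e-83cb34a10861.exe
c:\windows\system32\nsbF.dll
c:\windows\system32\nclagdxexlhcym.dll-uninst.exe
c:\windows\system32\igztgajzseqw.exe
c:\windows\system32\nclagdxexlhcym.dll
c:\windows\system32\pxvoafnodwpokqkee.dll
"""

# Deletion section of the second ComboFix log (Danish headers left as logged).
COMBOFIX_LOG = r"""((((((((((((((((((((((((((((((((((((((( Andet, der er slettet )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\QTFont.for
c:\windows\QTFont.qfn
c:\windows\system32\6d87527a-c600-2449-136e-83cb34a10861.exe
c:\windows\system32\igztgajzseqw.exe
c:\windows\system32\nclagdxexlhcym.dll-uninst.exe
c:\windows\system32\nsbF.dll
.
---- Forrige Kørsel -------
.
c:\programmer\INSTALL.LOG
c:\windows\system32\cont_addestination-remove.exe
c:\windows\system32\nclagdxexlhcym.dll
E:\Autorun.inf

.
((((((((((((((((((((((((((((( Filer skabt fra 2009-01-25 til 2009-02-25 )))))))))))))))))))))))))))))))))))
"""

# A drive-letter path is the only line shape we treat as a deleted file.
PATH_RE = re.compile(r"^[A-Za-z]:\\")


def parse_cfscript(text: str) -> Dict[str, List[str]]:
    """Return {directive: body lines}; directives end in '::' (KILLALL:: has no body)."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("::"):
            current = line[:-2]
            sections.setdefault(current, [])
        elif line and current is not None:
            sections[current].append(line)
    return sections


def parse_deleted(text: str) -> Dict[str, Set[str]]:
    """Paths under 'Andet, der er slettet' (other things deleted); those after the
    '---- Forrige Kørsel' (previous run) marker are attributed to an earlier run.
    Keys are lower-cased because Windows paths are case-insensitive."""
    deleted: Dict[str, Set[str]] = {"this_run": set(), "previous_run": set()}
    bucket = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("(((("):  # any section banner
            bucket = "this_run" if "Andet, der er slettet" in line else None
        elif bucket and line.startswith("----") and "Forrige" in line:
            bucket = "previous_run"
        elif bucket and PATH_RE.match(line):
            deleted[bucket].add(line.lower())
    return deleted


def reconcile(cfscript: str, log: str) -> Dict[str, List[str]]:
    """Split the File:: entries by what the log says happened to them."""
    deleted = parse_deleted(log)
    result: Dict[str, List[str]] = {"deleted_this_run": [], "deleted_previous_run": [], "unaccounted": []}
    for path in parse_cfscript(cfscript).get("File", []):
        key = path.lower()
        if key in deleted["this_run"]:
            result["deleted_this_run"].append(path)
        elif key in deleted["previous_run"]:
            result["deleted_previous_run"].append(path)
        else:
            result["unaccounted"].append(path)  # needs a second look in the log
    return result


if __name__ == "__main__":
    for status, paths in reconcile(CFSCRIPT, COMBOFIX_LOG).items():
        print(f"{status}: {len(paths)}")
        for p in paths:
            print("   ", p)
```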

#6
AdvancedSetup

    Forum Deity

  • Administrators
  • 22,575 posts
  • Gender:Male
  • Location:US
Did you run the other portions of the recommendations?

What are those results?
Ron Lewis
Manager, Online Support


#7
Cilieborg

    New Member

  • Members
  • 5 posts
Did you run the other portions of the recommendations?

What are those results?

Yes I did. There weren't any logs that I could see. CCleaner removed a lot of cookies and other files, and after I removed Yoog from the search options from IE7 it hasn't come back after a restart of IE7 which it usually (but not always) did. I haven't tried doing a search, as I wanted to see what you would say to the last ComboFix log. After the infestation a search always restores Yoog to the search field. But I hope this behavior is gone now.

Should I try a search now or is there anything else that needs to be done first?

regards
Jonas Cilieborg

#8
AdvancedSetup

    Forum Deity

  • Administrators
  • 22,575 posts
  • Gender:Male
  • Location:US
Yes please, try searching and using IE to see if it's really gone or not.
These IE/FF redirects can be difficult to track down because the method they use to do it changes almost daily.

The CF log doesn't seem to show anything obvious.
Ron Lewis
Manager, Online Support


#9
Cilieborg

    New Member

  • Members
  • 5 posts
Okay, now Google behaves normally. I thank you very much. This will make my user very happy.
best regards
Jonas Cilieborg

#10
AdvancedSetup

    Forum Deity

  • Administrators
  • 22,575 posts
  • Gender:Male
  • Location:US
Please go into the Control Panel, Add/Remove and for now remove ALL versions of JAVA
When we're done you can go back and install the latest version but for now please do not install any.

Then run this tool to help cleanup any left over Java
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please download JavaRa and unzip it to your desktop.
***Please close any instances of Internet Explorer (or other web browser) before continuing!***
  • Double-click on JavaRa.exe to start the program.
  • From the drop-down menu, choose English and click on Select.
  • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
  • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
  • A logfile will pop up. Please save it to a convenient location and post it back when you reply

    Then look for the following Java folders and if found delete them.
    C:\Program Files\Java
    C:\Program Files\Common Files\Java
    C:\Documents and Settings\All Users\Application Data\Java
    C:\Documents and Settings\All Users\Application Data\Sun\Java
    C:\Documents and Settings\username\Application Data\Java
    C:\Documents and Settings\username\Application Data\Sun\Java




Download and Update Java Runtime
The most current version of Sun Java is: Java Runtime Environment (JRE) 6 Update 12.
  • Go to http://java.sun.com/...loads/index.jsp
  • Go to Java Runtime Environment (JRE) 6 Update 12 about half way down the page and click on the Download button.
  • In Platform box choose Windows.
  • Check the box to Accept License Agreement and click Continue.
  • Click on Windows Offline Installation, click on the link under it which says jre-6u12-windows-i586-p.exe and save the downloaded file to your desktop.
  • Install the new version by running the newly-downloaded file with the java icon which will be on your desktop, and follow the on-screen instructions.
  • Uncheck the Toolbar button (unless you want the toolbar)
  • Reboot your computer






Great, all looks good now.

I'll close your post soon so that others don't post into it and leave you with this information and suggestions.

So how did I get infected in the first place?


At this time your system appears to be clean. Nothing else in the logs indicates that you are still infected.
Now that you appear to be clean, please follow these simple steps in order to keep your computer clean and secure:

Disable and Enable System Restore-WINDOWS XP
This is a good time to clear your existing system restore points and establish a new clean restore point:

Turn off System Restore
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • Check Turn off System Restore.
  • Click Apply, and then click OK.
  • Reboot.
Turn ON System Restore
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • UN-Check *Turn off System Restore*.
  • Click Apply, and then click OK.
This will remove all restore points except the new one you just created.

Here are some free programs I recommend that could help you improve your computer's security.

Install SpyWare Blaster
Download it from here
Find the tutorial on how to use Spyware Blaster here

Install WinPatrol
Download it from here
Here you can find information about how WinPatrol works

Install FireTrust SiteHound
You can find information and download it from here

Install hpHosts
Download it from here
hpHosts is a community managed and maintained hosts file that allows an additional layer of protection against access to ad, tracking and malicious websites. This prevents your computer from connecting to these untrusted sites by redirecting them to 127.0.0.1 which is your own local computer.
hpHosts Support Forum
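As an added illustration of the mechanism just described (example code, not hpHosts' own; the hostnames are constructed placeholders), this parses a hosts file, reports whether a name is sinkholed to loopback or 0.0.0.0, and flags the usual caveat that an entry only covers the exact name listed, not its subdomains.

```python
# Added example, not from hpHosts or the forum: how a hosts-file block list
# sinkholes names, and the exact-match caveat that comes with it.
import ipaddress
from typing import Dict, Optional

# Constructed hpHosts-style sample; the names are placeholders, not real entries.
SAMPLE_HOSTS = """\
# block list (constructed sample)
127.0.0.1   localhost
127.0.0.1   ads.example-tracker.test          # ad network
127.0.0.1   bad-search.example.test www.bad-search.example.test
0.0.0.0     malware.example.test              # some lists use 0.0.0.0 instead of loopback
"""

# Names that legitimately map to loopback and must never be reported as blocked.
LOCAL_NAMES = {"localhost", "localhost.localdomain"}


def parse_hosts(text: str) -> Dict[str, str]:
    """Map each hostname (lower-cased) to its address; treated as first entry wins."""
    mapping: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # malformed line, ignore
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # first field is not an address, ignore
        for name in parts[1:]:
            mapping.setdefault(name.lower().rstrip("."), parts[0])
    return mapping


def is_blocked(mapping: Dict[str, str], hostname: str) -> bool:
    """True if the hosts file sends this exact name to loopback or 0.0.0.0."""
    name = hostname.lower().rstrip(".")
    if name in LOCAL_NAMES:
        return False
    addr = mapping.get(name)
    if addr is None:
        return False
    ip = ipaddress.ip_address(addr)
    return ip.is_loopback or ip.is_unspecified


def blocked_parent(mapping: Dict[str, str], hostname: str) -> Optional[str]:
    """Caveat check: hosts entries match whole names only, so a blocked parent
    domain does not cover its subdomains. Returns the blocked parent of an
    unblocked name, or None."""
    name = hostname.lower().rstrip(".")
    if is_blocked(mapping, name):
        return None
    labels = name.split(".")
    for i in range(1, len(labels) - 1):
        parent = ".".join(labels[i:])
        if is_blocked(mapping, parent):
            return parent
    return None


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    for h in ["ads.example-tracker.test", "cdn.ads.example-tracker.test", "www.example.org"]:
        state = "blocked" if is_blocked(hosts, h) else "not blocked"
        print(h, state, "blocked parent:", blocked_parent(hosts, h))
```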

Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
You can use one of these sites to check if any updates are needed for your pc.
Secunia Software Inspector
F-secure Health Check

Visit Microsoft often to get the latest updates for your computer.
http://www.update.microsoft.com
Note 1: If you are running Windows XP SP2, you should upgrade to SP3.
Note 2: Users of Norton Internet Security 2008 should uninstall the software before they install Service Pack 3.
The security suite can then be reinstalled afterwards.

The Windows firewall is not sufficient to protect your system. It doesn't monitor outgoing traffic and this is a must.
I recommend Online Armor Free

A little outdated but good reading on how to prevent Malware

Keep safe online and happy surfing.



Since this issue is resolved I will close the thread to prevent others from posting into it. If you need assistance please start your own topic and someone will be happy to assist you.

The fixes and advice in this thread are for this machine only. Do not apply to your machine unless you Fully Understand how these programs work and what you're doing. Please start a thread of your own and someone will be happy to help you, just follow the Pre-Hijackthis instructions found here before posting: Pre-HJT Post Instructions


Also don't forget that we offer FREE assistance with General PC questions and repair here PC Help
If you're pleased with the product Malwarebytes and the service provided you, please let your friends, family, and co-workers know. http://www.malwarebytes.org
Ron Lewis
Manager, Online Support





