Nimda
Malwarebytes Forum > Computer Help > Malware Removal - HijackThis Logs
yeka
My computer caught something called Nimda. It appeared as its own administration account where I log in with my own account, so I scanned the computer and your program found infections and told me to restart so it could remove the infections. Then when I was going to log in again my account had disappeared and there was only Nimda. Then I found a way to log in with my own account: I pressed Ctrl+Alt+Del and could log in the other way. However, then I did a new scan and this time the scanner couldn't find any infections. But the Nimda is obviously still in my computer. I'm sending you the Anti-Malware and HijackThis logs.

This is the latest log from Malwarebytes' Anti-Malware:

Malwarebytes' Anti-Malware 1.33
Database version: 1674
Windows 5.1.2600 Service Pack 3

2009-01-21 19:37:14
mbam-log-2009-01-21 (19-37-14).txt

Scan type: Quick Scan
Objects scanned: 60342
Time elapsed: 8 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:53:07, on 2009-01-21
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Norman\Npm\bin\ELOGSVC.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Norman\Npm\Bin\Zanda.exe
C:\Norman\npm\bin\nvoy.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\msdtc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Norman\Npm\Bin\Njeeves.exe
C:\Norman\Npm\Bin\Nvcsched.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\Norman\nse\bin\NSESVC.EXE
C:\Norman\Nvc\bin\nvcoas.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Norman\Npm\Bin\ZLH.EXE
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Norman\Nvc\Bin\Nip.exe
C:\Norman\Nvc\Bin\cclaw.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Winamp\winamp.exe
C:\WINDOWS\system32\SNDVOL32.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /nodetect
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [Reminder] C:\Windows\CREATOR\Remind_XP.exe
O4 - HKLM\..\Run: [Norman ZANDA] "C:\Norman\Npm\Bin\ZLH.EXE" /LOAD /SPLASH
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Photosmart Premier Snabbstart.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=SV_SE&c=64&bd=pavilion&pf=laptop
O16 - DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} (Infotl Control) - http://site.ebrary.com.till.biblextern.sh....s/ebraryRdr.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - AppInit_DLLs: karna.dat
O20 - Winlogon Notify: 2f0a6d8c382 - C:\WINDOWS\system32\__c001CAA2.dat (file missing)
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Automatisk LiveUpdate-schemaläggare - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: Norman eLogger service 6 (eLoggerSvc6) - Norman ASA - C:\Norman\Npm\bin\ELOGSVC.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Norman NJeeves - Norman ASA - C:\Norman\Npm\Bin\Njeeves.exe
O23 - Service: Norman ZANDA - Norman ASA - C:\Norman\Npm\Bin\Zanda.exe
O23 - Service: Norman Scanner Engine Service (nsesvc) - Norman ASA - C:\Norman\nse\bin\NSESVC.EXE
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Norman\Nvc\bin\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman ASA - C:\Norman\Npm\Bin\Nvcsched.exe
O23 - Service: Norman's Very Own supplY of resources (NVOY) - Norman ASA - C:\Norman\npm\bin\nvoy.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 9805 bytes
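The HijackThis log above carries two O20 entries (AppInit_DLLs set to karna.dat, and a Winlogon Notify subkey with a hex-looking name pointing at a missing .dat file in system32) and one O23 service whose binary is gone. Those are the lines a reviewer pulls out first: a DLL named in AppInit_DLLs is loaded into every process that links user32.dll, and a Winlogon Notify DLL is loaded by winlogon.exe itself at logon, so both run before any per-user Run key. The Python below is an added example written for this page, not HijackThis or Malwarebytes code. It parses a handful of lines copied from the log (embedded as constructed sample input, with one benign NVSvc line for contrast) and returns the entries worth a look. The "random-looking name" test for Notify subkeys is a heuristic assumed here, not a rule from any tool.

```python
import re

# Constructed sample: lines copied from the HijackThis log above, plus one
# benign O23 line (NVSvc) so the triage has something to leave alone.
SAMPLE_HJT_LINES = [
    r"O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll",
    r"O20 - AppInit_DLLs: karna.dat",
    r"O20 - Winlogon Notify: 2f0a6d8c382 - C:\WINDOWS\system32\__c001CAA2.dat (file missing)",
    r"O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)",
    r"O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe",
]

# HijackThis entry lines start with a section tag (R1, O4, O20, O23, ...) followed by " - ".
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")


def parse_hjt_line(line):
    """Return (section, body) for a HijackThis entry line, or None for any other line."""
    m = ENTRY_RE.match(line.strip())
    return (m.group(1), m.group(2)) if m else None


def looks_random(name):
    """Heuristic (assumed here): a subkey name made only of 8+ hex digits is not one Windows creates."""
    return re.fullmatch(r"[0-9a-f]{8,}", name.lower()) is not None


def triage(lines):
    """Walk the lines and return (section, reason, line) for the logon-time entries worth a look."""
    findings = []
    for line in lines:
        parsed = parse_hjt_line(line)
        if parsed is None:
            continue
        section, body = parsed
        if section == "O20" and body.startswith("AppInit_DLLs:"):
            value = body.partition(":")[2].strip()
            if value:
                # Normally empty on XP; anything listed is mapped into every user32-linked process.
                findings.append((section, "AppInit_DLLs is set to %r" % value, line))
        elif section == "O20" and body.startswith("Winlogon Notify:"):
            rest = body.partition(":")[2].strip()
            subkey, _, target = rest.partition(" - ")
            # A missing DLL means a partially removed infection; a hex-only subkey name is a red flag on its own.
            if "(file missing)" in target or looks_random(subkey):
                findings.append((section, "Winlogon Notify subkey %r -> %s" % (subkey, target), line))
        elif section == "O23" and "(file missing)" in body:
            # A registered service whose binary is gone: either a leftover from an uninstall or from a removal.
            findings.append((section, "service binary missing: " + body, line))
    return findings


if __name__ == "__main__":
    for section, reason, _ in triage(SAMPLE_HJT_LINES):
        print(section, reason)
```

Feeding a whole saved log in (`triage(open("hijackthis.log").read().splitlines())`) gives the same three findings for this machine; the O4 line is deliberately not flagged, since a bare `regsvr32 /s mqrt.dll` is the stock MSMQ entry on XP.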
AdvancedSetup
Please visit this webpage for instructions for downloading ComboFix to your DESKTOP : how-to-use-combofix
Please ensure you read this guide carefully and install the Recovery Console first.
NOTE!!: You must save and run ComboFix.exe on your DESKTOP and not from any other folder.
Also, DO NOT click the mouse or launch any other applications while this is running, or it may stall the program.

Additional links to download the tool:
ComboFix.exe
ComboFix.exe
ComboFix.exe


Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.
  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.

Please download Lop S&D
Double-click on Lop S&D.exe
Choose the language, then choose Option 1 (Search)
Wait till the end of the scan
Post the log which is created (%SystemDrive%\lopR.txt), typically C:\lopR.txt
yeka
I'm going to send 3 logs to you: one is the log where MBAM found infections (after that time no infections have been found), and I'm also posting the logs you asked for, the ones from ComboFix and Lop S&D. I've been getting help from a Swedish forum also; I'll post the link to the thread so you can see what I've done so far if you like. http://eforum.idg.se/viewmsg.asp?EntriesId=1116881

Malwarebytes' Anti-Malware 1.33
Database version: 1674
Windows 5.1.2600 Service Pack 3

2009-01-21 16:58:27
mbam-log-2009-01-21 (16-58-27).txt

Scan type: Quick Scan
Objects scanned: 60797
Time elapsed: 9 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 1
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\wsnpoema.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\wsnpoema.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wsnpoema.exe,) Good: (userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\system32\wsnpoema (Trojan.Agent) -> Delete on reboot.

Files Infected:
C:\WINDOWS\system32\wsnpoema\audio.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\wsnpoema\video.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\wsnpoema.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\~.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

ComboFix 09-01-21.04 - Administrator 2009-01-22 20:37:42.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.991.503 [GMT 1:00]
Running from: c:\documents and settings\Administrator\Skrivbord\ComboFix.exe
AV: Norman Security Suite ver. 7.00 *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\Application Data\02000000db2c0edfC.manifest
c:\documents and settings\Administrator\Application Data\02000000db2c0edfO.manifest
c:\documents and settings\Administrator\Application Data\02000000db2c0edfP.manifest
c:\documents and settings\Administrator\Application Data\02000000db2c0edfR.manifest
c:\documents and settings\Administrator\Application Data\02000000db2c0edfS.manifest
c:\windows\system32\TDSSosvd.dat
C:\xcrashdump.dat
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV
-------\Service_TDSSserv


(((((((((((((((((((((((( Files Created from 2008-12-22 to 2009-01-22 ))))))))))))))))))))))))))))))
.

2009-01-22 00:36 . 2009-01-22 00:36 <DIR> d-------- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-01-21 18:59 . 2009-01-21 18:59 <DIR> d-------- c:\program files\Trend Micro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-22 19:35 --------- d-----w c:\program files\Google
2009-01-21 23:38 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-01-21 15:48 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-01-18 13:30 --------- d-----w c:\program files\DC++
2009-01-14 22:04 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-01-14 15:11 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-14 15:11 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-01-11 19:27 --------- d-----w c:\documents and settings\Administrator\Application Data\uTorrent
2009-01-11 16:53 --------- d-----w c:\documents and settings\Administrator\Application Data\Canon
2008-12-15 19:40 --------- d-----w c:\program files\Java
2008-12-14 03:45 --------- d-----w c:\documents and settings\Administrator\Application Data\dvdcss
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-10-20 19:21 19,108 ----a-w c:\documents and settings\Administrator\Application Data\nonesono.com
2008-10-20 19:21 18,080 ----a-w c:\program files\Common Files\sytivyp.bat
2008-10-20 19:21 17,401 ----a-w c:\program files\Common Files\byquciqo.vbs
2008-10-20 19:21 15,072 ----a-w c:\program files\Common Files\dylikiwo.com
2008-10-20 19:21 13,921 ----a-w c:\documents and settings\Administrator\Application Data\vebaxe.dat
2008-10-20 19:21 12,224 ----a-w c:\program files\Common Files\melonyp.inf
2006-11-30 22:08 0 -c--a-w c:\documents and settings\Administrator\Application Data\wklnhst.dat
2008-10-21 13:53 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008102120081022\index.dat
.

(((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2006-11-12 157592]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-22 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-05-03 458752]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-15 136600]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-18 7585792]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-08-18 86016]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-04-01 761946]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2006-07-11 102400]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-16 49152]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-06-19 163840]
"Cpqset"="c:\program files\Hewlett-Packard\Default Settings\cpqset.exe" [2006-05-30 40960]
"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
"Reminder"="c:\windows\CREATOR\Remind_XP.exe" [2006-02-09 643072]
"Norman ZANDA"="c:\norman\Npm\Bin\ZLH.EXE" [2008-06-02 277616]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-09-30 155648]
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-03-21 69632]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-02-16 282624]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"nwiz"="nwiz.exe" [2006-08-18 c:\windows\system32\nwiz.exe]
"MsmqIntCert"="mqrt.dll" [2008-04-14 c:\windows\system32\mqrt.dll]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-06-02 c:\windows\system32\CHDAudPropShortcut.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
HP Photosmart Premier Snabbstart.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-09-24 73728]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"c:\\Program Files\\uTorrent\\utorrent.exe"=
"c:\\Program Files\\DC++\\DCPlusPlus.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6081:TCP"= 6081:TCP:RPC

R3 nsesvc;Norman Scanner Engine Service;c:\norman\Nse\Bin\Nsesvc.exe [2005-12-31 322616]
R3 NVCScheduler;Norman Virus Control Scheduler;c:\norman\npm\bin\nvcsched.exe [2008-06-04 154680]
R4 Ndiskio;Ndiskio;c:\norman\Nse\Bin\Ndiskio.sys [2007-01-30 20448]
R4 NVOY;Norman's Very Own supplY of resources;c:\norman\npm\bin\nvoy.exe [2008-06-04 121912]
S3 5U870CAP_VID_1262&PID_25FD;HP Pavilion Webcam ;c:\windows\system32\drivers\5U870CAP.sys [2006-06-06 61952]
S3 nvcfsr;nvcfsr;c:\norman\NVC\Bin\Nvcfsr.sys [2007-01-30 6712]
S3 NvcMFlt;NvcMFlt;c:\windows\system32\drivers\nvcw32mf.sys [2007-05-02 19512]
S3 nvcoafl51;nvcoafl51;c:\norman\NVC\Bin\Nvcoafl51.sys [2007-01-30 30264]
S3 nvcoaft51;nvcoaft51;c:\norman\NVC\Bin\Nvcoaft51.sys [2007-01-30 129848]
S3 nvcoarc51;nvcoarc51;c:\norman\NVC\Bin\Nvcoarc51.sys [2007-01-30 23224]
S3 nvcoas;Norman Virus Control on-access component;c:\norman\NVC\Bin\Nvcoas.exe [2008-01-14 191544]
S4 Automatisk LiveUpdate-schemaläggare;Automatisk LiveUpdate-schemaläggare;"c:\program files\Symantec\LiveUpdate\ALUSchedulerSvc.exe" --> c:\program files\Symantec\LiveUpdate\ALUSchedulerSvc.exe [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - GUSVC
*Deregistered* - mchInjDrv

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{60ea1032-a731-11db-a8b6-001636a7765c}]
\Shell\AutoRun\command - F:\SETUP.EXE
\Shell\configure\command - F:\SETUP.EXE
\Shell\install\command - F:\SETUP.EXE
.
Contents of the 'Scheduled Tasks' folder:

2009-01-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-01-10 15:42]
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-TDSSmqlt.sys


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-22 20:52:37
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\Hewlett-Packard\Default Settings\cpqset.exe????????????<?@? ???H[??????Y?@?????<?@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\norman\npm\bin\elogsvc.exe
c:\norman\npm\bin\Zanda.exe
c:\windows\system32\msdtc.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\mqsvc.exe
c:\windows\system32\mqtgsvc.exe
c:\norman\npm\bin\Njeeves.exe
c:\windows\system32\dllhost.exe
c:\progra~1\HPQ\HPWIRE~1\HPWIRE~1.EXE
c:\progra~1\Java\jre6\bin\jusched.exe
c:\windows\system32\rundll32.exe
c:\progra~1\SYNAPT~1\SynTP\SynTPEnh.exe
c:\progra~1\HP\QUICKP~1\QPSERV~1.EXE
c:\progra~1\HP\HPSOFT~1\HPWUSC~1.EXE
c:\progra~1\HEWLET~1\HPQUIC~1\QLBCTRL.exe
c:\progra~1\ScanSoft\OMNIPA~1.0\OPWARE~1.EXE
c:\norman\NVC\Bin\Nip.exe
c:\progra~1\QUICKT~1\qttask.exe
c:\progra~1\MICROS~2\Office12\GROOVE~4.EXE
c:\windows\ehome\ehmsas.exe
c:\program files\HP\Digital Imaging\bin\hpqimzone.exe
.
**************************************************************************
.
Completion time: 2009-01-22 20:55:44 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-22 19:55:35

Pre-Run: 7,859,605,504 bytes free
Post-Run: 7,858,880,512 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-SVE.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

199 --- E O F --- 2009-01-14 22:04:24

--------------------\\ Lop S&D 4.2.5-0 XP/Vista

Microsoft Windows XP Professional ( v5.1.2600 ) Service Pack 3
X86-based PC ( Multiprocessor Free : AMD Turion™ 64 Mobile Technology MK-36 )
BIOS : PhoenixBIOS 4.0 Release 6.1
USER : Administrator ( Administrator )
BOOT : Normal boot
Antivirus : Norman Security Suite ver. 7.00 7.00 (Not Activated)
C:\ (Local Disk) - NTFS - Total:101 GB (Free:7 GB)
D:\ (Local Disk) - FAT32 - Total:9 GB (Free:1 GB)
E:\ (CD or DVD)
F:\ (CD or DVD) - UDF - Total:0 GB (Free:0 GB)

"C:\Lop SD" ( MAJ : 19-12-2008|23:40 )
Option : [1] ( 2009-01-22|21:00 )

--------------------\\ Listing folders in APPLIC~1

[2008-01-28|02:59] C:\DOCUME~1\ADMINI~1\APPLIC~1\Adobe
[2006-12-03|15:04] C:\DOCUME~1\ADMINI~1\APPLIC~1\AdobeUM
[2007-05-13|20:31] C:\DOCUME~1\ADMINI~1\APPLIC~1\Apple Computer
[2007-08-09|15:37] C:\DOCUME~1\ADMINI~1\APPLIC~1\ArcSoft
[2009-01-11|17:53] C:\DOCUME~1\ADMINI~1\APPLIC~1\Canon
[2007-08-09|15:06] C:\DOCUME~1\ADMINI~1\APPLIC~1\Creative
[2007-01-31|22:38] C:\DOCUME~1\ADMINI~1\APPLIC~1\CyberLink
[2008-12-14|04:45] C:\DOCUME~1\ADMINI~1\APPLIC~1\dvdcss
[2007-04-21|22:31] C:\DOCUME~1\ADMINI~1\APPLIC~1\Google
[2006-12-07|16:40] C:\DOCUME~1\ADMINI~1\APPLIC~1\Help
[2006-12-01|02:44] C:\DOCUME~1\ADMINI~1\APPLIC~1\HP
[2006-12-01|08:16] C:\DOCUME~1\ADMINI~1\APPLIC~1\Identities
[2007-01-18|21:33] C:\DOCUME~1\ADMINI~1\APPLIC~1\Leadertech
[2006-12-01|08:16] C:\DOCUME~1\ADMINI~1\APPLIC~1\Macromedia
[2008-09-18|13:31] C:\DOCUME~1\ADMINI~1\APPLIC~1\Malwarebytes
[2008-03-23|17:24] C:\DOCUME~1\ADMINI~1\APPLIC~1\Media Player Classic
[2008-11-21|23:02] C:\DOCUME~1\ADMINI~1\APPLIC~1\Microsoft
[2008-05-24|19:59] C:\DOCUME~1\ADMINI~1\APPLIC~1\Mozilla
[2007-02-05|17:45] C:\DOCUME~1\ADMINI~1\APPLIC~1\ScanSoft
[2007-01-18|21:34] C:\DOCUME~1\ADMINI~1\APPLIC~1\Sonic
[2006-12-01|00:15] C:\DOCUME~1\ADMINI~1\APPLIC~1\Sun
[2009-01-11|20:27] C:\DOCUME~1\ADMINI~1\APPLIC~1\uTorrent
[2006-12-03|22:08] C:\DOCUME~1\ADMINI~1\APPLIC~1\vlc
[0|file(s)] C:\DOCUME~1\ADMINI~1\APPLIC~1\bytes
[25|dir(s)] C:\DOCUME~1\ADMINI~1\APPLIC~1\bytes free

[2006-12-01|08:16] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Adobe
[2007-03-07|22:06] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple Computer
[2007-02-05|17:37] C:\DOCUME~1\ALLUSE~1\APPLIC~1\CanonBJ
[2006-12-01|08:16] C:\DOCUME~1\ALLUSE~1\APPLIC~1\CyberLink
[2009-01-22|19:53] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google
[2006-12-01|08:16] C:\DOCUME~1\ALLUSE~1\APPLIC~1\HP
[2006-12-01|08:16] C:\DOCUME~1\ALLUSE~1\APPLIC~1\InstallShield
[2008-09-18|13:31] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Malwarebytes
[2008-09-28|12:38] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Microsoft
[2009-01-14|23:04] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Microsoft Help
[2009-01-22|00:36] C:\DOCUME~1\ALLUSE~1\APPLIC~1\NortonInstaller
[2008-11-07|08:38] C:\DOCUME~1\ALLUSE~1\APPLIC~1\NOS
[2006-12-01|08:16] C:\DOCUME~1\ALLUSE~1\APPLIC~1\nView_Profiles
[2007-02-05|17:45] C:\DOCUME~1\ALLUSE~1\APPLIC~1\ScanSoft
[2006-12-01|08:16] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Sonic
[2008-10-21|11:38] C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
[2007-10-25|09:41] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Winamp Toolbar
[2007-10-24|10:56] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage
[2007-11-20|20:33] C:\DOCUME~1\ALLUSE~1\APPLIC~1\WLInstaller
[0|file(s)] C:\DOCUME~1\ALLUSE~1\APPLIC~1\bytes
[21|dir(s)] C:\DOCUME~1\ALLUSE~1\APPLIC~1\bytes free

[2006-12-01|08:16] C:\DOCUME~1\DEFAUL~1\APPLIC~1\Microsoft
[0|file(s)] C:\DOCUME~1\DEFAUL~1\APPLIC~1\bytes
[3|dir(s)] C:\DOCUME~1\DEFAUL~1\APPLIC~1\bytes free

[2008-02-01|14:56] C:\DOCUME~1\Guest\APPLIC~1\Adobe
[2008-02-01|14:34] C:\DOCUME~1\Guest\APPLIC~1\Google
[2008-02-01|14:29] C:\DOCUME~1\Guest\APPLIC~1\Identities
[2008-02-01|14:35] C:\DOCUME~1\Guest\APPLIC~1\Macromedia
[2008-02-01|14:34] C:\DOCUME~1\Guest\APPLIC~1\Microsoft
[0|file(s)] C:\DOCUME~1\Guest\APPLIC~1\bytes
[7|dir(s)] C:\DOCUME~1\Guest\APPLIC~1\bytes free

[2008-08-22|08:26] C:\DOCUME~1\LOCALS~1\APPLIC~1\Adobe
[2008-08-21|07:38] C:\DOCUME~1\LOCALS~1\APPLIC~1\Microsoft
[0|file(s)] C:\DOCUME~1\LOCALS~1\APPLIC~1\bytes
[4|dir(s)] C:\DOCUME~1\LOCALS~1\APPLIC~1\bytes free

[2006-12-01|08:16] C:\DOCUME~1\NETWOR~1\APPLIC~1\Microsoft
[0|file(s)] C:\DOCUME~1\NETWOR~1\APPLIC~1\bytes
[3|dir(s)] C:\DOCUME~1\NETWOR~1\APPLIC~1\bytes free

--------------------\\ Scheduled Tasks located in C:\WINDOWS\Tasks

[2009-01-18 17:48][--a------] C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2009-01-22 20:41][--ah-----] C:\WINDOWS\tasks\SA.DAT
[2006-03-16 05:00][-rah-----] C:\WINDOWS\tasks\desktop.ini

--------------------\\ Listing Folders in C:\Program Files

[2006-12-01|08:16] C:\Program Files\Adobe
[2007-03-07|22:06] C:\Program Files\Apple Software Update
[2007-08-09|14:58] C:\Program Files\ArcSoft
[2007-02-05|17:48] C:\Program Files\Canon
[2007-02-05|17:37] C:\Program Files\CanonBJ
[2009-01-22|20:38] C:\Program Files\Common Files
[2006-12-01|08:16] C:\Program Files\ComPlus Applications
[2006-12-01|08:16] C:\Program Files\CONEXANT
[2007-08-09|15:01] C:\Program Files\Creative
[2007-01-18|21:39] C:\Program Files\DAEMON Tools
[2009-01-18|14:30] C:\Program Files\DC++
[2009-01-22|20:35] C:\Program Files\Google
[2006-12-01|08:16] C:\Program Files\Hewlett-Packard
[2006-12-01|08:16] C:\Program Files\HP
[2006-11-30|23:42] C:\Program Files\HPQ
[2008-03-10|22:12] C:\Program Files\InstallShield Installation Information
[2008-12-12|15:56] C:\Program Files\Internet Explorer
[2008-12-15|20:40] C:\Program Files\Java
[2006-12-25|21:34] C:\Program Files\JoWood
[2008-06-07|18:06] C:\Program Files\K-Lite Codec Pack
[2009-01-21|16:48] C:\Program Files\Malwarebytes' Anti-Malware
[2008-03-01|00:21] C:\Program Files\Maxis
[2008-08-31|09:16] C:\Program Files\Messenger
[2007-05-11|23:46] C:\Program Files\Microsoft CAPICOM 2.1.0.2
[2006-12-01|08:16] C:\Program Files\microsoft frontpage
[2008-09-28|12:35] C:\Program Files\Microsoft Office
[2008-09-28|12:35] C:\Program Files\Microsoft Visual Studio
[2008-09-28|12:35] C:\Program Files\Microsoft Works
[2008-09-28|12:34] C:\Program Files\Microsoft.NET
[2008-08-31|09:06] C:\Program Files\Movie Maker
[2008-02-06|20:06] C:\Program Files\Mozilla Firefox
[2008-09-28|12:35] C:\Program Files\MSBuild
[2006-12-01|08:16] C:\Program Files\MSN
[2006-12-01|08:16] C:\Program Files\MSN Gaming Zone
[2006-12-02|03:15] C:\Program Files\MSXML 4.0
[2008-08-31|08:59] C:\Program Files\NetMeeting
[2006-12-01|08:16] C:\Program Files\NetWaiting
[2008-10-31|10:48] C:\Program Files\Norton Security Scan
[2008-11-07|08:38] C:\Program Files\NOS
[2008-05-26|22:22] C:\Program Files\Octoshape Streaming Services
[2006-12-01|08:16] C:\Program Files\Online Services
[2008-08-31|08:59] C:\Program Files\Outlook Express
[2008-04-09|19:13] C:\Program Files\Paprikari
[2007-03-08|10:54] C:\Program Files\QuickTime
[2007-02-05|17:44] C:\Program Files\ScanSoft
[2006-12-01|08:16] C:\Program Files\Sonic
[2006-12-01|08:16] C:\Program Files\Synaptics
[2009-01-21|18:59] C:\Program Files\Trend Micro
[2006-12-01|08:16] C:\Program Files\Uninstall Information
[2006-12-03|21:31] C:\Program Files\uTorrent
[2006-12-03|21:27] C:\Program Files\VideoLAN
[2007-10-25|19:27] C:\Program Files\Winamp
[2007-11-20|20:36] C:\Program Files\Windows Live
[2006-12-01|08:16] C:\Program Files\Windows Media Connect 2
[2006-12-16|03:01] C:\Program Files\Windows Media Player
[2008-08-31|08:59] C:\Program Files\Windows NT
[2006-12-01|08:16] C:\Program Files\Windows Plus
[2006-12-01|08:16] C:\Program Files\Windows XP MUI Pack
[2006-12-01|08:16] C:\Program Files\WindowsUpdate
[2006-12-07|16:40] C:\Program Files\WinRAR
[2006-12-01|08:16] C:\Program Files\xerox
[2008-05-25|22:27] C:\Program Files\YouTube Downloader
[0|file(s)] C:\Program Files\bytes
[64|dir(s)] C:\Program Files\bytes free

--------------------\\ Listing Folders in C:\Program Files\Common Files

[2006-12-01|08:16] C:\Program Files\Common Files\Adobe
[2008-01-20|12:53] C:\Program Files\Common Files\DESIGNER
[2006-12-01|08:16] C:\Program Files\Common Files\HP
[2006-12-01|08:16] C:\Program Files\Common Files\InstallShield
[2006-12-01|08:16] C:\Program Files\Common Files\Java
[2006-12-01|08:16] C:\Program Files\Common Files\LightScribe
[2008-09-28|12:35] C:\Program Files\Common Files\Microsoft Shared
[2006-12-01|08:16] C:\Program Files\Common Files\MSSoap
[2006-12-01|08:16] C:\Program Files\Common Files\ODBC
[2007-02-05|17:45] C:\Program Files\Common Files\ScanSoft Shared
[2006-12-01|08:16] C:\Program Files\Common Files\Services
[2006-12-01|08:16] C:\Program Files\Common Files\Sonic Shared
[2006-12-01|08:16] C:\Program Files\Common Files\SpeechEngines
[2006-12-01|08:16] C:\Program Files\Common Files\SureThing Shared
[2009-01-22|00:38] C:\Program Files\Common Files\Symantec Shared
[2008-09-28|12:31] C:\Program Files\Common Files\System
[2006-12-01|08:16] C:\Program Files\Common Files\TiVo Shared
[2007-11-20|20:36] C:\Program Files\Common Files\WindowsLiveInstaller
[0|file(s)] C:\Program Files\Common Files\bytes
[20|dir(s)] C:\Program Files\Common Files\bytes free

--------------------\\ Process

( 60 Processes )

iexplore.exe ~ [PID:488]

--------------------\\ Searching with S_Lop

No Lop folder found !

--------------------\\ Searching for Lop Files - Folders

C:\DOCUME~1\ADMINI~1\Cookies\administrator@advertising[1].txt

--------------------\\ Searching within the Registry

..... OK !

--------------------\\ Checking the Hosts file

Hosts file CLEAN


--------------------\\ Searching for hidden files with Catchme

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-22 21:01:54
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden files: 0

--------------------\\ Searching for other infections

--------------------\\ Cracks & Keygens ..

C:\DOCUME~1\ADMINI~1\Mina dokument\Mina mottagna filer\ddd pool\ddd pool\crack
C:\DOCUME~1\ADMINI~1\Mina dokument\Mina mottagna filer\ddd pool\ddd pool\crack\DDDPool.exe


[F:1][D:1]-> C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
[F:77][D:0]-> C:\DOCUME~1\ADMINI~1\Cookies
[F:173][D:4]-> C:\DOCUME~1\ADMINI~1\TEMPOR~1\content.IE5

1 - "C:\Lop SD\LopR_1.txt" - 2009-01-22|21:02 - Option : [1]

--------------------\\ Scan completed at 21:02:54
AdvancedSetup
Hi Yeka,

We're sorry, but since there is evidence of cracked or pirated software in use on the system, we have to close this thread now.
If you feel this is inaccurate information, please send any Moderator a private message explaining in detail and they will review your information in private.
HiJack This! Forum Policy:
"We will not be party to obvious use of keygens, cracks, warez or other illegal means of downloading software, music, videos etc. This means no P2P evidence will be supported. Logs that show these in them will be given the option to remove the P2P items. Keygens, cracks, warez and similar will have the thread closed, period. It's theft and against the law."



This file is from a Torrent download of a pirated game:
C:\DOCUME~1\ADMINI~1\Mina dokument\Mina mottagna filer\ddd pool\ddd pool\crack
C:\DOCUME~1\ADMINI~1\Mina dokument\Mina mottagna filer\ddd pool\ddd pool\crack\DDDPool.exe


For future reference, you should also only post and seek assistance from one forum at a time, as it wastes the helpers' time and causes issues by duplicating work.
AdvancedSetup
I have opened this post again at the request of a Helper at another forum to assist you.

You must delete this folder and any and all other similar illegal files C:\DOCUME~1\ADMINI~1\Mina dokument\Mina mottagna filer\ddd pool\

If ANY other illegal files are found during this scanning and cleaning then the post will be permanently closed.
You must also remove ALL Peer 2 Peer sharing software while I'm assisting you with cleaning the system.

Thank you.
yeka
Thank you for giving me another try. I think the log should be OK now, I hope so... I did my best, I'm not an expert in this area.


--------------------\\ Lop S&D 4.2.5-0 XP/Vista

Microsoft Windows XP Professional ( v5.1.2600 ) Service Pack 3
X86-based PC ( Multiprocessor Free : AMD Turion™ 64 Mobile Technology MK-36 )
BIOS : PhoenixBIOS 4.0 Release 6.1
USER : Administrator ( Administrator )
BOOT : Normal boot
Antivirus : Norman Security Suite ver. 7.00 7.00 (Activated)
C:\ (Local Disk) - NTFS - Total:101 Go (Free:9 Go)
D:\ (Local Disk) - FAT32 - Total:9 Go (Free:1 Go)
E:\ (CD or DVD)
F:\ (CD or DVD) - UDF - Total:0 Go (Free:0 Go)

"C:\Lop SD" ( MAJ : 19-12-2008|23:40 )
Option : [1] ( 2009-01-23|19:50 )

--------------------\\ Listing folders in APPLIC~1

[2008-01-28|02:59] C:\DOCUME~1\ADMINI~1\APPLIC~1\Adobe
[2006-12-03|15:04] C:\DOCUME~1\ADMINI~1\APPLIC~1\AdobeUM
[2007-05-13|20:31] C:\DOCUME~1\ADMINI~1\APPLIC~1\Apple Computer
[2007-08-09|15:37] C:\DOCUME~1\ADMINI~1\APPLIC~1\ArcSoft
[2009-01-11|17:53] C:\DOCUME~1\ADMINI~1\APPLIC~1\Canon
[2007-08-09|15:06] C:\DOCUME~1\ADMINI~1\APPLIC~1\Creative
[2007-01-31|22:38] C:\DOCUME~1\ADMINI~1\APPLIC~1\CyberLink
[2008-12-14|04:45] C:\DOCUME~1\ADMINI~1\APPLIC~1\dvdcss
[2007-04-21|22:31] C:\DOCUME~1\ADMINI~1\APPLIC~1\Google
[2006-12-07|16:40] C:\DOCUME~1\ADMINI~1\APPLIC~1\Help
[2006-12-01|02:44] C:\DOCUME~1\ADMINI~1\APPLIC~1\HP
[2006-12-01|08:16] C:\DOCUME~1\ADMINI~1\APPLIC~1\Identities
[2007-01-18|21:33] C:\DOCUME~1\ADMINI~1\APPLIC~1\Leadertech
[2006-12-01|08:16] C:\DOCUME~1\ADMINI~1\APPLIC~1\Macromedia
[2008-09-18|13:31] C:\DOCUME~1\ADMINI~1\APPLIC~1\Malwarebytes
[2008-03-23|17:24] C:\DOCUME~1\ADMINI~1\APPLIC~1\Media Player Classic
[2008-11-21|23:02] C:\DOCUME~1\ADMINI~1\APPLIC~1\Microsoft
[2008-05-24|19:59] C:\DOCUME~1\ADMINI~1\APPLIC~1\Mozilla
[2007-02-05|17:45] C:\DOCUME~1\ADMINI~1\APPLIC~1\ScanSoft
[2007-01-18|21:34] C:\DOCUME~1\ADMINI~1\APPLIC~1\Sonic
[2006-12-01|00:15] C:\DOCUME~1\ADMINI~1\APPLIC~1\Sun
[2006-12-03|22:08] C:\DOCUME~1\ADMINI~1\APPLIC~1\vlc
[0|file(s)] C:\DOCUME~1\ADMINI~1\APPLIC~1\bytes
[24|dir(s)] C:\DOCUME~1\ADMINI~1\APPLIC~1\bytes free

[2006-12-01|08:16] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Adobe
[2007-03-07|22:06] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple Computer
[2007-02-05|17:37] C:\DOCUME~1\ALLUSE~1\APPLIC~1\CanonBJ
[2006-12-01|08:16] C:\DOCUME~1\ALLUSE~1\APPLIC~1\CyberLink
[2009-01-22|19:53] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google
[2006-12-01|08:16] C:\DOCUME~1\ALLUSE~1\APPLIC~1\HP
[2006-12-01|08:16] C:\DOCUME~1\ALLUSE~1\APPLIC~1\InstallShield
[2008-09-18|13:31] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Malwarebytes
[2008-09-28|12:38] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Microsoft
[2009-01-23|12:58] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Microsoft Help
[2009-01-22|00:36] C:\DOCUME~1\ALLUSE~1\APPLIC~1\NortonInstaller
[2008-11-07|08:38] C:\DOCUME~1\ALLUSE~1\APPLIC~1\NOS
[2006-12-01|08:16] C:\DOCUME~1\ALLUSE~1\APPLIC~1\nView_Profiles
[2007-02-05|17:45] C:\DOCUME~1\ALLUSE~1\APPLIC~1\ScanSoft
[2006-12-01|08:16] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Sonic
[2008-10-21|11:38] C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
[2007-10-25|09:41] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Winamp Toolbar
[2007-10-24|10:56] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage
[2007-11-20|20:33] C:\DOCUME~1\ALLUSE~1\APPLIC~1\WLInstaller
[0|file(s)] C:\DOCUME~1\ALLUSE~1\APPLIC~1\bytes
[21|dir(s)] C:\DOCUME~1\ALLUSE~1\APPLIC~1\bytes free

[2006-12-01|08:16] C:\DOCUME~1\DEFAUL~1\APPLIC~1\Microsoft
[0|file(s)] C:\DOCUME~1\DEFAUL~1\APPLIC~1\bytes
[3|dir(s)] C:\DOCUME~1\DEFAUL~1\APPLIC~1\bytes free

[2008-02-01|14:56] C:\DOCUME~1\Guest\APPLIC~1\Adobe
[2008-02-01|14:34] C:\DOCUME~1\Guest\APPLIC~1\Google
[2008-02-01|14:29] C:\DOCUME~1\Guest\APPLIC~1\Identities
[2008-02-01|14:35] C:\DOCUME~1\Guest\APPLIC~1\Macromedia
[2008-02-01|14:34] C:\DOCUME~1\Guest\APPLIC~1\Microsoft
[0|file(s)] C:\DOCUME~1\Guest\APPLIC~1\bytes
[7|dir(s)] C:\DOCUME~1\Guest\APPLIC~1\bytes free

[2008-08-22|08:26] C:\DOCUME~1\LOCALS~1\APPLIC~1\Adobe
[2008-08-21|07:38] C:\DOCUME~1\LOCALS~1\APPLIC~1\Microsoft
[0|file(s)] C:\DOCUME~1\LOCALS~1\APPLIC~1\bytes
[4|dir(s)] C:\DOCUME~1\LOCALS~1\APPLIC~1\bytes free

[2006-12-01|08:16] C:\DOCUME~1\NETWOR~1\APPLIC~1\Microsoft
[0|file(s)] C:\DOCUME~1\NETWOR~1\APPLIC~1\bytes
[3|dir(s)] C:\DOCUME~1\NETWOR~1\APPLIC~1\bytes free

--------------------\\ Scheduled Tasks located in C:\WINDOWS\Tasks

[2009-01-18 17:48][--a------] C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2009-01-23 13:15][--ah-----] C:\WINDOWS\tasks\SA.DAT
[2006-03-16 05:00][-rah-----] C:\WINDOWS\tasks\desktop.ini

--------------------\\ Listing Folders in C:\Program Files

[2006-12-01|08:16] C:\Program Files\Adobe
[2007-03-07|22:06] C:\Program Files\Apple Software Update
[2007-08-09|14:58] C:\Program Files\ArcSoft
[2007-02-05|17:48] C:\Program Files\Canon
[2007-02-05|17:37] C:\Program Files\CanonBJ
[2009-01-22|20:38] C:\Program Files\Common Files
[2006-12-01|08:16] C:\Program Files\ComPlus Applications
[2006-12-01|08:16] C:\Program Files\CONEXANT
[2007-08-09|15:01] C:\Program Files\Creative
[2007-01-18|21:39] C:\Program Files\DAEMON Tools
[2009-01-22|20:35] C:\Program Files\Google
[2006-12-01|08:16] C:\Program Files\Hewlett-Packard
[2006-12-01|08:16] C:\Program Files\HP
[2006-11-30|23:42] C:\Program Files\HPQ
[2008-03-10|22:12] C:\Program Files\InstallShield Installation Information
[2008-12-12|15:56] C:\Program Files\Internet Explorer
[2008-12-15|20:40] C:\Program Files\Java
[2006-12-25|21:34] C:\Program Files\JoWood
[2008-06-07|18:06] C:\Program Files\K-Lite Codec Pack
[2009-01-21|16:48] C:\Program Files\Malwarebytes' Anti-Malware
[2008-03-01|00:21] C:\Program Files\Maxis
[2008-08-31|09:16] C:\Program Files\Messenger
[2007-05-11|23:46] C:\Program Files\Microsoft CAPICOM 2.1.0.2
[2006-12-01|08:16] C:\Program Files\microsoft frontpage
[2009-01-23|12:59] C:\Program Files\Microsoft Office
[2009-01-23|12:59] C:\Program Files\Microsoft Works
[2008-08-31|09:06] C:\Program Files\Movie Maker
[2008-02-06|20:06] C:\Program Files\Mozilla Firefox
[2006-12-01|08:16] C:\Program Files\MSN
[2006-12-01|08:16] C:\Program Files\MSN Gaming Zone
[2006-12-02|03:15] C:\Program Files\MSXML 4.0
[2008-08-31|08:59] C:\Program Files\NetMeeting
[2006-12-01|08:16] C:\Program Files\NetWaiting
[2008-10-31|10:48] C:\Program Files\Norton Security Scan
[2008-11-07|08:38] C:\Program Files\NOS
[2008-05-26|22:22] C:\Program Files\Octoshape Streaming Services
[2006-12-01|08:16] C:\Program Files\Online Services
[2008-08-31|08:59] C:\Program Files\Outlook Express
[2007-03-08|10:54] C:\Program Files\QuickTime
[2007-02-05|17:44] C:\Program Files\ScanSoft
[2006-12-01|08:16] C:\Program Files\Sonic
[2006-12-01|08:16] C:\Program Files\Synaptics
[2009-01-21|18:59] C:\Program Files\Trend Micro
[2006-12-01|08:16] C:\Program Files\Uninstall Information
[2006-12-03|21:27] C:\Program Files\VideoLAN
[2007-10-25|19:27] C:\Program Files\Winamp
[2007-11-20|20:36] C:\Program Files\Windows Live
[2006-12-01|08:16] C:\Program Files\Windows Media Connect 2
[2006-12-16|03:01] C:\Program Files\Windows Media Player
[2008-08-31|08:59] C:\Program Files\Windows NT
[2006-12-01|08:16] C:\Program Files\Windows Plus
[2006-12-01|08:16] C:\Program Files\Windows XP MUI Pack
[2006-12-01|08:16] C:\Program Files\WindowsUpdate
[2006-12-01|08:16] C:\Program Files\xerox
[0|file(s)] C:\Program Files\bytes
[56|dir(s)] C:\Program Files\bytes free

--------------------\\ Listing Folders in C:\Program Files\Common Files

[2006-12-01|08:16] C:\Program Files\Common Files\Adobe
[2006-12-01|08:16] C:\Program Files\Common Files\HP
[2006-12-01|08:16] C:\Program Files\Common Files\InstallShield
[2006-12-01|08:16] C:\Program Files\Common Files\Java
[2006-12-01|08:16] C:\Program Files\Common Files\LightScribe
[2009-01-23|12:59] C:\Program Files\Common Files\Microsoft Shared
[2006-12-01|08:16] C:\Program Files\Common Files\MSSoap
[2006-12-01|08:16] C:\Program Files\Common Files\ODBC
[2007-02-05|17:45] C:\Program Files\Common Files\ScanSoft Shared
[2006-12-01|08:16] C:\Program Files\Common Files\Services
[2006-12-01|08:16] C:\Program Files\Common Files\Sonic Shared
[2006-12-01|08:16] C:\Program Files\Common Files\SpeechEngines
[2006-12-01|08:16] C:\Program Files\Common Files\SureThing Shared
[2009-01-22|00:38] C:\Program Files\Common Files\Symantec Shared
[2009-01-23|12:55] C:\Program Files\Common Files\System
[2006-12-01|08:16] C:\Program Files\Common Files\TiVo Shared
[2007-11-20|20:36] C:\Program Files\Common Files\WindowsLiveInstaller
[0|file(s)] C:\Program Files\Common Files\bytes
[19|dir(s)] C:\Program Files\Common Files\bytes free

--------------------\\ Process

( 62 Processes )

iexplore.exe ~ [PID:860]

--------------------\\ Searching with S_Lop

No Lop folder found !

--------------------\\ Searching for Lop Files - Folders

C:\DOCUME~1\ADMINI~1\Cookies\administrator@advertising[2].txt
C:\DOCUME~1\ADMINI~1\Cookies\administrator@adopt.euroclick[1].txt

--------------------\\ Searching within the Registry

..... OK !

--------------------\\ Checking the Hosts file

Hosts file CLEAN


--------------------\\ Searching for hidden files with Catchme

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-23 19:52:12
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden files: 0

--------------------\\ Searching for other infections


No other infections found !

[F:10][D:2]-> C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
[F:67][D:0]-> C:\DOCUME~1\ADMINI~1\Cookies
[F:1479][D:6]-> C:\DOCUME~1\ADMINI~1\TEMPOR~1\content.IE5

1 - "C:\Lop SD\LopR_1.txt" - 2009-01-22|21:02 - Option : [1]
2 - "C:\Lop SD\LopR_2.txt" - 2009-01-23|13:46 - Option : [1]
3 - "C:\Lop SD\LopR_3.txt" - 2009-01-23|19:53 - Option : [1]

--------------------\\ Scan completed at 19:53:25
AdvancedSetup
Update and Scan with Malwarebytes' Anti-Malware
  • Start Malwarebytes' Anti-Malware (Vista users must right-click and choose Run as Administrator)
  • Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.
    • Update Malwarebytes' Anti-Malware
    • Select the Update tab
    • Click Update
  • When the update is complete, select the Scanner tab
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then RESTART the computer

AFTER the reboot run HJT Do a system scan and save a logfile
Then post back NEW MBAM and HJT logs, in that order, please.


Please download the following scanning tool. GMER
  • Open the zip file and copy the file gmer.exe to your Desktop.
  • Double click on gmer.exe and run it.
  • It may take a minute to load and become available.
  • Do not make any changes. As soon as it's done and the COPY button is available click on the COPY button.
  • DO NOT Click on the SCAN button.
  • This will place the scan in your clipboard. Paste that into notepad or into your next reply post please.
  • Click OK and quit the GMER program.
yeka
I'm not sure how to send the logs; do you want me to put them in a codebox or something else?

MBAM didn't find anything.
Malwarebytes' Anti-Malware 1.33
Database version: 1688
Windows 5.1.2600 Service Pack 3

2009-01-24 13:38:51
mbam-log-2009-01-24 (13-38-51).txt

Scan type: Quick scan
Objects scanned: 53795
Time elapsed: 4 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)






Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:45:01, on 2009-01-24
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Norman\Npm\bin\ELOGSVC.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Norman\Npm\Bin\Zanda.exe
C:\Norman\npm\bin\nvoy.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\msdtc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Norman\Npm\Bin\ZLH.EXE
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Norman\Npm\Bin\Nvcsched.exe
C:\Norman\Npm\Bin\Njeeves.exe
C:\WINDOWS\system32\dllhost.exe
C:\Norman\nse\bin\NSESVC.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\Norman\Nvc\bin\nvcoas.exe
C:\Norman\Nvc\Bin\Nip.exe
C:\Norman\Nvc\Bin\cclaw.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /nodetect
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [Reminder] C:\Windows\CREATOR\Remind_XP.exe
O4 - HKLM\..\Run: [Norman ZANDA] "C:\Norman\Npm\Bin\ZLH.EXE" /LOAD /SPLASH
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Photosmart Premier Snabbstart.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=SV_SE&c=64&bd=pavilion&pf=laptop
O16 - DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} (Infotl Control) - http://site.ebrary.com.till.biblextern.sh....s/ebraryRdr.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Automatisk LiveUpdate-schemaläggare - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: Norman eLogger service 6 (eLoggerSvc6) - Norman ASA - C:\Norman\Npm\bin\ELOGSVC.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Norman NJeeves - Norman ASA - C:\Norman\Npm\Bin\Njeeves.exe
O23 - Service: Norman ZANDA - Norman ASA - C:\Norman\Npm\Bin\Zanda.exe
O23 - Service: Norman Scanner Engine Service (nsesvc) - Norman ASA - C:\Norman\nse\bin\NSESVC.EXE
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Norman\Nvc\bin\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman ASA - C:\Norman\Npm\Bin\Nvcsched.exe
O23 - Service: Norman's Very Own supplY of resources (NVOY) - Norman ASA - C:\Norman\npm\bin\nvoy.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 9521 bytes






GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-01-24 13:47:37
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.14 ----

SSDT sptd.sys ZwEnumerateKey [0xF72B2A92]
SSDT sptd.sys ZwEnumerateValueKey [0xF72B2E20]

---- Devices - GMER 1.0.14 ----

Device \FileSystem\Ntfs \Ntfs 868F11E8
Device \FileSystem\Fastfat \Fat 859FD980

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 eabfiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Development Company, L.P.)

---- EOF - GMER 1.0.14 ----
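A small triage script for the HijackThis and GMER logs posted above, added here as an example; it is not part of the thread and not code from HijackThis, GMER or Malwarebytes. It parses a handful of lines copied from those logs and flags what a helper reads first: the O23 service whose binary is reported missing, O4 Run entries that launch a bare executable name (which Windows locates by searching the application, system and PATH directories instead of a fixed location), and the SSDT hooks grouped by the driver that owns them. The KNOWN_SSDT_HOOKERS table is an assumption supplied for the example: it records that sptd.sys is the SPTD driver installed with DAEMON Tools, which the HJT log shows on this machine, so its two registry-enumeration hooks are reported as explained rather than as unknown.

```python
"""Triage helper for HijackThis (HJT) and GMER text logs.

Added example for this thread; not code from HJT, GMER or Malwarebytes.
"""
import re
from collections import defaultdict

# Sample input: a subset of lines copied from the HJT log posted above.
HJT_SAMPLE = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /nodetect
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O23 - Service: Automatisk LiveUpdate-schemaläggare - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: Norman ZANDA - Norman ASA - C:\Norman\Npm\Bin\Zanda.exe
"""

# Sample input: the two SSDT lines from the GMER log posted above.
GMER_SAMPLE = """
SSDT sptd.sys ZwEnumerateKey [0xF72B2A92]
SSDT sptd.sys ZwEnumerateValueKey [0xF72B2E20]
"""

# Analyst-maintained table of drivers whose SSDT hooks are expected on this box.
# Assumption for the example: sptd.sys is the SPTD layer shipped with DAEMON Tools,
# which the HJT log shows installed. Any driver not listed is reported as unexplained.
KNOWN_SSDT_HOOKERS = {"sptd.sys": "SPTD (DAEMON Tools)"}

RUN_RE = re.compile(r"^O4 - (?P<hive>\S+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
SVC_RE = re.compile(r"^O23 - Service: (?P<display>.*?) - (?P<owner>.*?) - (?P<path>.*)$")
SSDT_RE = re.compile(r"^SSDT\s+(?P<driver>\S+)\s+(?P<func>Zw\w+)\s+\[(?P<addr>0x[0-9A-Fa-f]+)\]")


def first_executable(cmd: str) -> str:
    """Return the program a Run command launches: the quoted path if the command
    starts with a quote, otherwise its first whitespace-delimited token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def is_bare_name(exe: str) -> bool:
    """True when the executable has no directory component at all, so it is
    resolved through the search path rather than loaded from a fixed location."""
    return "\\" not in exe and "/" not in exe and ":" not in exe


def parse_hjt(text: str) -> dict:
    """Extract O4 Run autoruns and O23 services from HijackThis log lines."""
    autoruns, services = [], []
    for line in text.splitlines():
        line = line.strip()
        m = RUN_RE.match(line)
        if m:
            exe = first_executable(m["cmd"])
            autoruns.append({"hive": m["hive"], "name": m["name"], "cmd": m["cmd"],
                             "exe": exe, "bare": is_bare_name(exe)})
            continue
        m = SVC_RE.match(line)
        if m:
            path = m["path"]
            missing = path.endswith("(file missing)")
            services.append({"display": m["display"], "owner": m["owner"],
                             "path": path.replace("(file missing)", "").strip(),
                             "missing": missing})
    return {"autoruns": autoruns, "services": services}


def parse_gmer_ssdt(text: str) -> dict:
    """Group GMER 'SSDT <driver> <ZwFunction> [addr]' lines by hooking driver."""
    hooks = defaultdict(list)
    for line in text.splitlines():
        m = SSDT_RE.match(line.strip())
        if m:
            hooks[m["driver"]].append((m["func"], m["addr"]))
    return dict(hooks)


def triage(hjt_text: str, gmer_text: str) -> dict:
    """Findings a log reader wants first: bare-name autoruns, services whose
    binary is gone, and SSDT hooks split into explained and unexplained."""
    hjt = parse_hjt(hjt_text)
    hooks = parse_gmer_ssdt(gmer_text)
    return {
        "bare_autoruns": [a["name"] for a in hjt["autoruns"] if a["bare"]],
        "missing_services": [s["display"] for s in hjt["services"] if s["missing"]],
        "known_hooks": {d: f for d, f in hooks.items() if d in KNOWN_SSDT_HOOKERS},
        "unexplained_hooks": {d: f for d, f in hooks.items() if d not in KNOWN_SSDT_HOOKERS},
    }


if __name__ == "__main__":
    for key, value in triage(HJT_SAMPLE, GMER_SAMPLE).items():
        print(f"{key}: {value}")
```

On the sample above the script reports NvCplDaemon, nwiz and MsmqIntCert as bare-name autoruns, the Symantec LiveUpdate scheduler as a service whose file is missing, and both sptd.sys hooks as explained. A bare-name entry is not malicious by itself (all three here are vendor entries), but it is the kind of line worth confirming against the actual file on disk, because a same-named file placed earlier in the search path would run in its place.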
yeka
any further help?
AdvancedSetup
Sorry for the delay but I've been quite busy at work.

Please delete your current copy of Combofix and download a new version and run it. You still show something on the box.
Also, remove ALL versions of JAVA from Control Panel, Add/Remove until we're done cleaning the system.



Please visit this webpage for instructions for downloading ComboFix to your DESKTOP : how-to-use-combofix
Please ensure you read this guide carefully and install the Recovery Console first.
NOTE!!: You must save and run ComboFix.exe on your DESKTOP and not from any other folder.
Also, DO NOT click the mouse or launch any other applications while this is running or it may stall the program

Additional links to download the tool:
ComboFix.exe


Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.
  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.
yeka
ComboFix 09-01-21.04 - Administrator 2009-01-27 16:55:53.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.991.489 [GMT 1:00]
Running from: c:\documents and settings\Administrator\Skrivbord\ComboFix.exe
AV: Norman Security Suite ver. 7.00 *On-access scanning disabled* (Updated)
.

(((((((((((((((((((((((( Files Created from 2008-12-27 to 2009-01-27 ))))))))))))))))))))))))))))))
.

2009-01-26 14:58 . 2009-01-26 14:58 <DIR> d-------- c:\documents and settings\Administrator\Application Data\OpenOffice.org
2009-01-26 14:54 . 2009-01-26 14:54 <DIR> d-------- c:\program files\OpenOffice.org 3
2009-01-26 14:54 . 2009-01-26 14:54 <DIR> d-------- c:\program files\JRE
2009-01-24 13:47 . 2009-01-24 13:47 250 --a------ c:\windows\gmer.ini
2009-01-22 20:59 . 2009-01-23 19:53 <DIR> d-------- C:\Lop SD
2009-01-22 00:36 . 2009-01-22 00:36 <DIR> d-------- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-01-21 18:59 . 2009-01-21 18:59 <DIR> d-------- c:\program files\Trend Micro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-27 15:49 --------- d-----w c:\program files\Java
2009-01-23 11:59 --------- d-----w c:\program files\Microsoft Works
2009-01-23 11:58 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-01-22 19:35 --------- d-----w c:\program files\Google
2009-01-21 23:38 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-01-21 15:48 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-01-14 15:11 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-14 15:11 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-01-11 16:53 --------- d-----w c:\documents and settings\Administrator\Application Data\Canon
2008-12-15 19:40 410,984 ----a-w c:\windows\system32\deploytk.dll
2008-12-14 03:45 --------- d-----w c:\documents and settings\Administrator\Application Data\dvdcss
2008-12-13 06:40 3,593,216 ------w c:\windows\system32\dllcache\mshtml.dll
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-11 10:57 333,952 ------w c:\windows\system32\dllcache\srv.sys
2008-10-20 19:21 19,108 ----a-w c:\documents and settings\Administrator\Application Data\nonesono.com
2008-10-20 19:21 18,080 ----a-w c:\program files\Common Files\sytivyp.bat
2008-10-20 19:21 17,401 ----a-w c:\program files\Common Files\byquciqo.vbs
2008-10-20 19:21 15,072 ----a-w c:\program files\Common Files\dylikiwo.com
2008-10-20 19:21 13,921 ----a-w c:\documents and settings\Administrator\Application Data\vebaxe.dat
2008-10-20 19:21 12,224 ----a-w c:\program files\Common Files\melonyp.inf
2006-11-30 22:08 0 -c--a-w c:\documents and settings\Administrator\Application Data\wklnhst.dat
2008-10-21 13:53 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008102120081022\index.dat
.

((((((((((((((((((((((((((((( snapshot@2009-01-22_20.54.43.92 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-01-24 12:47:10 884,736 ----a-w c:\windows\gmer.dll
+ 2008-04-17 20:13:02 811,008 ----a-r c:\windows\gmer.exe
+ 2009-01-26 13:56:03 7,424,000 ----a-r c:\windows\Installer\{161B3AC6-593F-4AC7-BBBF-88B72012A94E}\soffice.exe
+ 2009-01-24 12:47:10 85,969 ----a-w c:\windows\system32\drivers\gmer.sys
- 2008-10-15 18:08:05 305,216 ----a-w c:\windows\system32\FNTCACHE.DAT
+ 2009-01-27 11:46:24 319,544 ----a-w c:\windows\system32\FNTCACHE.DAT
+ 2008-09-30 17:43:36 224,768 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_d08d0375\msvcm90.dll
+ 2008-09-30 17:43:36 568,832 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_d08d0375\msvcp90.dll
+ 2008-09-30 17:43:36 655,872 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_d08d0375\msvcr90.dll
.
(((((((((((((((((((((((((((((((((( Startpunkter i registret )))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Not* Tomma poster & legitima standardposter visas inte.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2006-11-12 157592]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-22 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-05-03 458752]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-18 7585792]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-08-18 86016]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-04-01 761946]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2006-07-11 102400]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-16 49152]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-06-19 163840]
"Cpqset"="c:\program files\Hewlett-Packard\Default Settings\cpqset.exe" [2006-05-30 40960]
"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
"Reminder"="c:\windows\CREATOR\Remind_XP.exe" [2006-02-09 643072]
"Norman ZANDA"="c:\norman\Npm\Bin\ZLH.EXE" [2008-06-02 277616]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-09-30 155648]
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-03-21 69632]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-02-16 282624]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"nwiz"="nwiz.exe" [2006-08-18 c:\windows\system32\nwiz.exe]
"MsmqIntCert"="mqrt.dll" [2008-04-14 c:\windows\system32\mqrt.dll]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-06-02 c:\windows\system32\CHDAudPropShortcut.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-09-12 384000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
HP Photosmart Premier Snabbstart.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-09-24 73728]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6081:TCP"= 6081:TCP:RPC

R3 nsesvc;Norman Scanner Engine Service;c:\norman\Nse\Bin\Nsesvc.exe [2005-12-31 322616]
R3 NVCScheduler;Norman Virus Control Scheduler;c:\norman\npm\bin\nvcsched.exe [2008-06-04 154680]
R4 Ndiskio;Ndiskio;c:\norman\Nse\Bin\Ndiskio.sys [2007-01-30 20448]
R4 NVOY;Norman's Very Own supplY of resources;c:\norman\npm\bin\nvoy.exe [2008-06-04 121912]
S3 5U870CAP_VID_1262&PID_25FD;HP Pavilion Webcam ;c:\windows\system32\drivers\5U870CAP.sys [2006-06-06 61952]
S3 nvcfsr;nvcfsr;c:\norman\NVC\Bin\Nvcfsr.sys [2007-01-30 6712]
S3 NvcMFlt;NvcMFlt;c:\windows\system32\drivers\nvcw32mf.sys [2007-05-02 19512]
S3 nvcoafl51;nvcoafl51;c:\norman\NVC\Bin\Nvcoafl51.sys [2007-01-30 30264]
S3 nvcoaft51;nvcoaft51;c:\norman\NVC\Bin\Nvcoaft51.sys [2007-01-30 129848]
S3 nvcoarc51;nvcoarc51;c:\norman\NVC\Bin\Nvcoarc51.sys [2007-01-30 23224]
S3 nvcoas;Norman Virus Control on-access component;c:\norman\NVC\Bin\Nvcoas.exe [2008-01-14 191544]
S4 Automatisk LiveUpdate-schemaläggare;Automatisk LiveUpdate-schemaläggare;"c:\program files\Symantec\LiveUpdate\ALUSchedulerSvc.exe" --> c:\program files\Symantec\LiveUpdate\ALUSchedulerSvc.exe [?]

--- Övriga tjänster/drivrutiner i minnet ---

*Deregistered* - mchInjDrv
.
Innehållet i mappen 'Schemalagda aktiviteter':

2009-01-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-01-10 15:42]
.
.
------- Extra genomsökning -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xportera till Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-27 16:58:42
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\Hewlett-Packard\Default Settings\cpqset.exe????????????<?@? ???H[??????Y?@?????<?@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Sluttid: 2009-01-27 17:00:26
ComboFix-quarantined-files.txt 2009-01-27 16:00:02
ComboFix2.txt 2009-01-22 19:55:46

Före genomsökningen: 9 311 895 552 bytes free
Efter genomsökningen: 9,325,510,656 byte ledigt

151 --- E O F --- 2009-01-14 22:04:24

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:03:08, on 2009-01-27
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Norman\Npm\bin\ELOGSVC.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Norman\Npm\Bin\Zanda.exe
C:\Norman\npm\bin\nvoy.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\msdtc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Norman\Npm\Bin\Nvcsched.exe
C:\Norman\Npm\Bin\Njeeves.exe
C:\WINDOWS\system32\dllhost.exe
C:\Norman\nse\bin\NSESVC.EXE
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Norman\Npm\Bin\ZLH.EXE
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\Norman\Nvc\Bin\Nip.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /nodetect
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [Reminder] C:\Windows\CREATOR\Remind_XP.exe
O4 - HKLM\..\Run: [Norman ZANDA] "C:\Norman\Npm\Bin\ZLH.EXE" /LOAD /SPLASH
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Photosmart Premier Snabbstart.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=SV_SE&c=64&bd=pavilion&pf=laptop
O16 - DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} (Infotl Control) - http://site.ebrary.com.till.biblextern.sh....s/ebraryRdr.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Automatisk LiveUpdate-schemaläggare - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: Norman eLogger service 6 (eLoggerSvc6) - Norman ASA - C:\Norman\Npm\bin\ELOGSVC.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Norman NJeeves - Norman ASA - C:\Norman\Npm\Bin\Njeeves.exe
O23 - Service: Norman ZANDA - Norman ASA - C:\Norman\Npm\Bin\Zanda.exe
O23 - Service: Norman Scanner Engine Service (nsesvc) - Norman ASA - C:\Norman\nse\bin\NSESVC.EXE
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Norman\Nvc\bin\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman ASA - C:\Norman\Npm\Bin\Nvcsched.exe
O23 - Service: Norman's Very Own supplY of resources (NVOY) - Norman ASA - C:\Norman\npm\bin\nvoy.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 9054 bytes
AdvancedSetup
I'll be out of town tonight and will look at this for you tomorrow.

Thanks
AdvancedSetup
You need to uninstall Adobe Acrobat Reader 7 and upgrade to version 9 if you want the Reader.

Update available for vulnerability in versions 8.1 and earlier of Adobe Reader and Acrobat


Please download the following scanning tool. GMER
  • Open the zip file and copy the file gmer.exe to your Desktop.
  • Double click on gmer.exe and run it.
  • It may take a minute to load and become available.
  • Do not make any changes. Click on the SCAN button and DO NOT use the computer while it's scanning.
  • Once the scan is done click on the SAVE button and browse to your Desktop and save the file as GMER.LOG
  • Zip up the GMER.LOG file and save it as gmerlog.zip and attach it to your reply post.
  • DO NOT directly post this log into a reply. You MUST attach it as a .ZIP file.
  • Click OK and quit the GMER program.


How To Use Compressed (Zipped) Folders in Windows XP
Compress and uncompress files (zip files) in Vista
yeka
I'm not sure what I'm doing... Hope it's right...
AdvancedSetup
Okay, that looks okay. That hidden driver appears to be from the copy of Daemon Tools you have running on the system.

Please run the following one more time.

Update and Scan with Malwarebytes' Anti-Malware
  • Start MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)
  • Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.
    • Update Malwarebytes' Anti-Malware
    • Select the Update tab
    • Click Update
  • When the update is complete, select the Scanner tab
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then RESTART the computer

AFTER the reboot run HJT Do a system scan and save a logfile
Then post back NEW MBAM and HJT logs in that order please.

Then let me know if you're still having any signs of an infection or not.
yeka
The problem is still there, there's only "nimda" as a user account on the welcome screen. And about a day ago Norman caught A0066131.sys W32/Agent.HHSF and put it in quarantine, but I think MBAM couldn't see it. Here are the logs:

Malwarebytes' Anti-Malware 1.33
Databasversion: 1705
Windows 5.1.2600 Service Pack 3

2009-01-29 15:57:00
mbam-log-2009-01-29 (15-57-00).txt

Skanningstyp: Snabb skanning
Antal skannade objekt: 54592
Förfluten tid: 6 minute(s), 39 second(s)

Infekterade minnesprocesser: 0
Infekterade minnesmoduler: 0
Infekterade registernycklar: 0
Infekterade registervärden: 0
Infekterade registerdataposter: 0
Infekterade mappar: 0
Infekterade filer: 0

Infekterade minnesprocesser:
(Inga illasinnade poster hittades)

Infekterade minnesmoduler:
(Inga illasinnade poster hittades)

Infekterade registernycklar:
(Inga illasinnade poster hittades)

Infekterade registervärden:
(Inga illasinnade poster hittades)

Infekterade registerdataposter:
(Inga illasinnade poster hittades)

Infekterade mappar:
(Inga illasinnade poster hittades)

Infekterade filer:
(Inga illasinnade poster hittades)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:02:52, on 2009-01-29
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Norman\Npm\bin\ELOGSVC.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Norman\Npm\Bin\Zanda.exe
C:\Norman\npm\bin\nvoy.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\msdtc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Norman\Npm\Bin\ZLH.EXE
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Norman\Npm\Bin\Nvcsched.exe
C:\Norman\Npm\Bin\Njeeves.exe
C:\WINDOWS\system32\dllhost.exe
C:\Norman\nse\bin\NSESVC.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe
C:\Norman\Nvc\bin\nvcoas.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Norman\Nvc\Bin\Nip.exe
C:\Norman\Nvc\Bin\cclaw.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /nodetect
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [Reminder] C:\Windows\CREATOR\Remind_XP.exe
O4 - HKLM\..\Run: [Norman ZANDA] "C:\Norman\Npm\Bin\ZLH.EXE" /LOAD /SPLASH
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O4 - Global Startup: HP Photosmart Premier Snabbstart.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=SV_SE&c=64&bd=pavilion&pf=laptop
O16 - DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} (Infotl Control) - http://site.ebrary.com.till.biblextern.sh....s/ebraryRdr.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Automatisk LiveUpdate-schemaläggare - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: Norman eLogger service 6 (eLoggerSvc6) - Norman ASA - C:\Norman\Npm\bin\ELOGSVC.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Norman NJeeves - Norman ASA - C:\Norman\Npm\Bin\Njeeves.exe
O23 - Service: Norman ZANDA - Norman ASA - C:\Norman\Npm\Bin\Zanda.exe
O23 - Service: Norman Scanner Engine Service (nsesvc) - Norman ASA - C:\Norman\nse\bin\NSESVC.EXE
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Norman\Nvc\bin\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman ASA - C:\Norman\Npm\Bin\Nvcsched.exe
O23 - Service: Norman's Very Own supplY of resources (NVOY) - Norman ASA - C:\Norman\npm\bin\nvoy.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 9190 bytes
AdvancedSetup
Please do not use the Quote or CODE tags when posting. Just post directly, thank you.


Please try the following. Download it, double-click on it with a blank CD-R in the CD Burner and it will automatically burn a bootable CD for you to boot with and run and scan.

Requires access to a working computer with a CD/DVD burner to create a bootable CD.
Avira AntiVir Rescue System - download
    Avira AntiVir Rescue System
    Avira AntiVir Rescue System is a Linux-based application that allows accessing computers that cannot be booted anymore. Thus it is possible to:
  • repair a damaged system,
  • rescue data,
  • scan the system for virus infections.

  • Just double-click on the rescue system package to burn it to a CD/DVD. You can then use this CD/DVD to boot your computer.
    The Avira AntiVir Rescue System is updated several times a day so that the most recent security updates are always available.
yeka
I have to get a CD-R, I'll be back when I have one.
AdvancedSetup
Okay, let me know when you're ready please.
AdvancedSetup
Please post a status update on this
yeka
Hi, I did burn a CD and I started the scan with Avira, but in the middle of the scanning process the computer shut down. Is that supposed to happen? I don't understand if I did anything wrong, if the process was completed or not, or what to do after the scanning. When the computer shut down I started it with the scan again and the same thing happened, then I took out the CD and started without it and everything is the same as before as far as I can see..

The situation is still the same, the nimda account is still there.. I did a MBAM scan but it couldn't find anything. I'm sending you a HijackThis log..

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:59:16, on 2009-02-06
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Norman\Npm\bin\ELOGSVC.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Norman\Npm\Bin\Zanda.exe
C:\Norman\npm\bin\nvoy.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Norman\Npm\Bin\ZLH.EXE
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\WINDOWS\system32\msdtc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Norman\Npm\Bin\Nvcsched.exe
C:\Norman\Npm\Bin\Njeeves.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Norman\nse\bin\NSESVC.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe
C:\Norman\Nvc\bin\nvcoas.exe
C:\Norman\Nvc\Bin\Nip.exe
C:\Norman\Nvc\Bin\cclaw.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /nodetect
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [Reminder] C:\Windows\CREATOR\Remind_XP.exe
O4 - HKLM\..\Run: [Norman ZANDA] "C:\Norman\Npm\Bin\ZLH.EXE" /LOAD /SPLASH
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O4 - Global Startup: HP Photosmart Premier Snabbstart.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=SV_SE&c=64&bd=pavilion&pf=laptop
O16 - DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} (Infotl Control) - http://site.ebrary.com.till.biblextern.sh....s/ebraryRdr.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Automatisk LiveUpdate-schemaläggare - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: Norman eLogger service 6 (eLoggerSvc6) - Norman ASA - C:\Norman\Npm\bin\ELOGSVC.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Norman NJeeves - Norman ASA - C:\Norman\Npm\Bin\Njeeves.exe
O23 - Service: Norman ZANDA - Norman ASA - C:\Norman\Npm\Bin\Zanda.exe
O23 - Service: Norman Scanner Engine Service (nsesvc) - Norman ASA - C:\Norman\nse\bin\NSESVC.EXE
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Norman\Nvc\bin\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman ASA - C:\Norman\Npm\Bin\Nvcsched.exe
O23 - Service: Norman's Very Own supplY of resources (NVOY) - Norman ASA - C:\Norman\npm\bin\nvoy.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 9187 bytes
AdvancedSetup
Hi yeka,

Well that isn't too good. I really try to help users get back control of their system, but yours is not looking good.
Do you have the Windows XP CD that came with the system? We might have to just backup the system and re-install Windows.

Do you have any other accessories attached to the computer like printers or cameras, etc.? You could try removing ALL external devices and try to run the CD again. I've never heard of anyone complaining of the computer shutting down before while using that CD.
yeka
Hi, I don't have any Windows XP CD, I think I have to create recovery discs? If re-installing is the only solution left I would like to return to the Swedish forum so I can be guided in Swedish. I'll be waiting for an answer from you before I do anything else. Thank you for your help.
AdvancedSetup
Okay let's make one more try first with Combofix again.

Please delete your current copy of Combofix.exe and download a NEW fresh copy and run that and post back that log.

Additional links to download the tool:
ComboFix.exe
ComboFix.exe
ComboFix.exe
yeka
ComboFix 09-02-07.01 - Administrator 2009-02-08 20:52:25.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.991.519 [GMT 1:00]
Körs från: c:\documents and settings\Administrator\Skrivbord\ComboFix.exe
AV: Norman Security Suite ver. 7.00 *On-access scanning disabled* (Updated)
* Skapade en ny återställningspunkt
.

(((((((((((((((((((((((( Filer Skapade från 2009-01-08 till 2009-02-08 ))))))))))))))))))))))))))))))
.

2009-01-28 18:20 . 2009-01-28 18:20 <DIR> d-------- c:\program files\Common Files\Adobe
2009-01-26 14:58 . 2009-01-26 14:58 <DIR> d-------- c:\documents and settings\Administrator\Application Data\OpenOffice.org
2009-01-26 14:54 . 2009-01-26 14:54 <DIR> d-------- c:\program files\OpenOffice.org 3
2009-01-26 14:54 . 2009-01-26 14:54 <DIR> d-------- c:\program files\JRE
2009-01-24 13:47 . 2009-01-28 18:26 250 --a------ c:\windows\gmer.ini
2009-01-22 20:59 . 2009-01-23 19:53 <DIR> d-------- C:\Lop SD
2009-01-22 00:36 . 2009-01-22 00:36 <DIR> d-------- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-01-21 18:59 . 2009-01-21 18:59 <DIR> d-------- c:\program files\Trend Micro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Rapport )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-31 14:38 --------- d-----w c:\documents and settings\Administrator\Application Data\Canon
2009-01-27 15:49 --------- d-----w c:\program files\Java
2009-01-23 11:59 --------- d-----w c:\program files\Microsoft Works
2009-01-23 11:58 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-01-22 19:35 --------- d-----w c:\program files\Google
2009-01-21 23:38 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-01-21 15:48 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-01-14 15:11 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-14 15:11 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2008-12-15 19:40 410,984 ----a-w c:\windows\system32\deploytk.dll
2008-12-14 03:45 --------- d-----w c:\documents and settings\Administrator\Application Data\dvdcss
2008-12-13 06:40 3,593,216 ------w c:\windows\system32\dllcache\mshtml.dll
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-11 10:57 333,952 ------w c:\windows\system32\dllcache\srv.sys
2008-10-20 19:21 19,108 ----a-w c:\documents and settings\Administrator\Application Data\nonesono.com
2008-10-20 19:21 18,080 ----a-w c:\program files\Common Files\sytivyp.bat
2008-10-20 19:21 17,401 ----a-w c:\program files\Common Files\byquciqo.vbs
2008-10-20 19:21 15,072 ----a-w c:\program files\Common Files\dylikiwo.com
2008-10-20 19:21 13,921 ----a-w c:\documents and settings\Administrator\Application Data\vebaxe.dat
2008-10-20 19:21 12,224 ----a-w c:\program files\Common Files\melonyp.inf
2006-11-30 22:08 0 -c--a-w c:\documents and settings\Administrator\Application Data\wklnhst.dat
2008-10-21 13:53 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008102120081022\index.dat
.

((((((((((((((((((((((((((((( snapshot@2009-01-22_20.54.43.92 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-01-24 12:47:10 884,736 ----a-w c:\windows\gmer.dll
+ 2008-04-17 20:13:02 811,008 ----a-r c:\windows\gmer.exe
+ 2009-01-26 13:56:03 7,424,000 ----a-r c:\windows\Installer\{161B3AC6-593F-4AC7-BBBF-88B72012A94E}\soffice.exe
+ 2007-12-12 14:06:42 295,606 ----a-r c:\windows\Installer\{AC76BA86-7AD7-1053-7B44-A90000000001}\SC_Reader.exe
+ 2009-01-24 12:47:10 85,969 ----a-w c:\windows\system32\drivers\gmer.sys
- 2008-10-15 18:08:05 305,216 ----a-w c:\windows\system32\FNTCACHE.DAT
+ 2009-01-27 11:46:24 319,544 ----a-w c:\windows\system32\FNTCACHE.DAT
- 2007-08-22 22:18:08 479,232 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcm80.dll
+ 2006-12-01 21:54:32 479,232 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcm80.dll
- 2007-08-22 22:18:08 548,864 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcp80.dll
+ 2006-12-01 21:54:34 548,864 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcp80.dll
- 2007-08-22 22:18:08 626,688 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcr80.dll
+ 2006-12-01 21:54:32 626,688 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcr80.dll
+ 2008-09-30 17:43:36 224,768 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_d08d0375\msvcm90.dll
+ 2008-09-30 17:43:36 568,832 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_d08d0375\msvcp90.dll
+ 2008-09-30 17:43:36 655,872 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_d08d0375\msvcr90.dll
.
(((((((((((((((((((((((((((((((((( Startpunkter i registret )))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Not* Tomma poster & legitima standardposter visas inte.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2006-11-12 157592]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-22 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-05-03 458752]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-18 7585792]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-08-18 86016]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-04-01 761946]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2006-07-11 102400]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-16 49152]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-06-19 163840]
"Cpqset"="c:\program files\Hewlett-Packard\Default Settings\cpqset.exe" [2006-05-30 40960]
"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
"Reminder"="c:\windows\CREATOR\Remind_XP.exe" [2006-02-09 643072]
"Norman ZANDA"="c:\norman\Npm\Bin\ZLH.EXE" [2008-06-02 277616]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-09-30 155648]
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-03-21 69632]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-02-16 282624]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"nwiz"="nwiz.exe" [2006-08-18 c:\windows\system32\nwiz.exe]
"MsmqIntCert"="mqrt.dll" [2008-04-14 c:\windows\system32\mqrt.dll]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-06-02 c:\windows\system32\CHDAudPropShortcut.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-09-12 384000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Photosmart Premier Snabbstart.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-09-24 73728]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6081:TCP"= 6081:TCP:RPC

R2 Ndiskio;Ndiskio;c:\norman\Nse\Bin\Ndiskio.sys [2007-01-30 20448]
R2 NVOY;Norman's Very Own supplY of resources;c:\norman\npm\bin\nvoy.exe [2008-06-04 121912]
R3 nsesvc;Norman Scanner Engine Service;c:\norman\Nse\Bin\Nsesvc.exe [2009-01-28 183352]
R3 NVCScheduler;Norman Virus Control Scheduler;c:\norman\npm\bin\nvcsched.exe [2008-06-04 154680]
S2 Automatisk LiveUpdate-schemaläggare;Automatisk LiveUpdate-schemaläggare;"c:\program files\Symantec\LiveUpdate\ALUSchedulerSvc.exe" --> c:\program files\Symantec\LiveUpdate\ALUSchedulerSvc.exe [?]
S3 5U870CAP_VID_1262&PID_25FD;HP Pavilion Webcam ;c:\windows\system32\drivers\5U870CAP.sys [2006-06-06 61952]
S3 nvcfsr;nvcfsr;c:\norman\NVC\Bin\Nvcfsr.sys [2007-01-30 6712]
S3 NvcMFlt;NvcMFlt;c:\windows\system32\drivers\nvcw32mf.sys [2007-05-02 19512]
S3 nvcoafl51;nvcoafl51;c:\norman\NVC\Bin\Nvcoafl51.sys [2007-01-30 30264]
S3 nvcoaft51;nvcoaft51;c:\norman\NVC\Bin\Nvcoaft51.sys [2007-01-30 129848]
S3 nvcoarc51;nvcoarc51;c:\norman\NVC\Bin\Nvcoarc51.sys [2007-01-30 23224]
S3 nvcoas;Norman Virus Control on-access component;c:\norman\NVC\Bin\Nvcoas.exe [2008-01-14 191544]

--- Övriga tjänster/drivrutiner i minnet ---

*Deregistered* - mchInjDrv
.
Innehållet i mappen 'Schemalagda aktiviteter':

2009-02-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-01-10 15:42]
.
.
------- Extra genomsökning -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xportera till Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-08 20:54:53
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\Hewlett-Packard\Default Settings\cpqset.exe????????????<?@? ???H[??????Y?@?????<?@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Sluttid: 2009-02-08 20:56:37
ComboFix-quarantined-files.txt 2009-02-08 19:56:11
ComboFix2.txt 2009-01-27 16:00:28
ComboFix3.txt 2009-01-22 19:55:46

Före genomsökningen: 9 741 856 768 bytes free
Efter genomsökningen: 9,726,623,744 byte ledigt

161 --- E O F --- 2009-01-14 22:04:24
AdvancedSetup
Please download Avenger 2.0 from here
Open and copy the program file avenger.exe to your Desktop then double click to start it.

Copy and paste the following text from the code box below into the main window of Avenger.
CODE
Files to delete:
c:\documents and settings\Administrator\Application Data\nonesono.com
c:\program files\Common Files\sytivyp.bat
c:\program files\Common Files\byquciqo.vbs
c:\program files\Common Files\dylikiwo.com
c:\documents and settings\Administrator\Application Data\vebaxe.dat
c:\program files\Common Files\melonyp.inf

  • Do not check any other boxes, uncheck Scan for Rootkits if it's checked
  • Close all other running applications
  • After pasting the text into the main window, click on Execute


Once Avenger is done, run MBAM, go to the UPDATE tab and update the program again and do a Quick Scan.
Fix anything found and reboot the computer. Then run a new HJT log and post back all logs.



Disable and Enable System Restore - Windows XP
This is a good time to clear your existing system restore points and establish a new clean restore point:

Turn off System Restore
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • Check Turn off System Restore.
  • Click Apply, and then click OK.
  • Reboot.

Turn ON System Restore
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • UN-Check *Turn off System Restore*.
  • Click Apply, and then click OK.

This will remove all restore points except the new one you just created.

Since the Avira CD did not work out well, please try this one.

Download to the desktop: Dr.Web CureIt
  • Double-click the drweb-cureit.exe file and allow it to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, Click Options > Change settings
  • Choose the "Scan"-tab, remove the mark at "Heuristic analysis".
  • Back at the main window, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can click next icon next to the files found:

    If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:

    This will move it to the %userprofile%\DoctorWeb quarantine folder if it can't be cured. (This is in case we need samples.)
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer! Files that are in use may only be moved/deleted during the reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply with a new hijackthis log.
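As an added example (not part of this thread, and not Avenger or ComboFix code), the following Python parses the Find3M lines from the ComboFix log above and surfaces what the six paths in the Avenger script have in common: several executable or script files written in the same minute directly into Application Data or Common Files instead of into a vendor subfolder. The clustering rule, the extension list and the directory list are my assumptions, and the sample lines are copied from the log above.

```python
"""Flag same-minute file drops in a ComboFix "Find3M" report.

Heuristic (an assumption of this example, not ComboFix or Avenger logic):
a group of executable/script files with the same write minute that sit
directly in a shared, user-writable directory is worth a closer look.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Subset of the Find3M lines copied from the ComboFix log posted above.
FIND3M_SAMPLE = r"""
2009-01-27 15:49 --------- d-----w c:\program files\Java
2009-01-21 15:48 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-01-14 15:11 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-14 15:11 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2008-12-15 19:40 410,984 ----a-w c:\windows\system32\deploytk.dll
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-11 10:57 333,952 ------w c:\windows\system32\dllcache\srv.sys
2008-10-20 19:21 19,108 ----a-w c:\documents and settings\Administrator\Application Data\nonesono.com
2008-10-20 19:21 18,080 ----a-w c:\program files\Common Files\sytivyp.bat
2008-10-20 19:21 17,401 ----a-w c:\program files\Common Files\byquciqo.vbs
2008-10-20 19:21 15,072 ----a-w c:\program files\Common Files\dylikiwo.com
2008-10-20 19:21 13,921 ----a-w c:\documents and settings\Administrator\Application Data\vebaxe.dat
2008-10-20 19:21 12,224 ----a-w c:\program files\Common Files\melonyp.inf
2006-11-30 22:08 0 -c--a-w c:\documents and settings\Administrator\Application Data\wklnhst.dat
"""

# "<date> <time> <size or dashes> <attrs> <path>" as ComboFix prints it.
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+([\d,]+|-+)\s+(\S+)\s+(.+)$")

# Extensions that can carry code or droppers (list is an assumption).
EXEC_EXTS = {".exe", ".dll", ".com", ".bat", ".vbs", ".inf", ".dat", ".scr", ".pif"}
# Shared directories where legitimate installers normally create a vendor
# subfolder rather than dropping loose files (list is an assumption).
DROP_PARENTS = ("\\application data", "\\common files", "\\local settings\\temp")


@dataclass(frozen=True)
class Find3MEntry:
    stamp: str            # "YYYY-MM-DD HH:MM" exactly as printed
    size: Optional[int]   # None for directory rows ("---------")
    attrs: str            # e.g. "----a-w"
    path: str


def parse_find3m(text: str) -> List[Find3MEntry]:
    """Parse Find3M rows; banners, dots and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        stamp, size, attrs, path = m.groups()
        size_val = None if size.startswith("-") else int(size.replace(",", ""))
        entries.append(Find3MEntry(stamp, size_val, attrs, path))
    return entries


def _parent_and_ext(path: str):
    parent, _, name = path.lower().rpartition("\\")
    ext = name[name.rfind("."):] if "." in name else ""
    return parent, ext


def find_drop_clusters(entries: List[Find3MEntry], min_files: int = 3) -> Dict[str, List[Find3MEntry]]:
    """Group candidate files by write minute; keep groups of min_files or more."""
    by_minute: Dict[str, List[Find3MEntry]] = defaultdict(list)
    for e in entries:
        if e.size is None:  # directory rows carry no payload
            continue
        parent, ext = _parent_and_ext(e.path)
        # Loose file directly in a shared directory, with a code-capable extension.
        if ext in EXEC_EXTS and parent.endswith(DROP_PARENTS):
            by_minute[e.stamp].append(e)
    return {stamp: group for stamp, group in by_minute.items() if len(group) >= min_files}


def avenger_script(entries: List[Find3MEntry]) -> str:
    """Render paths in the 'Files to delete:' form used in the Avenger post above."""
    return "Files to delete:\n" + "\n".join(e.path for e in entries) + "\n"


if __name__ == "__main__":
    for stamp, group in find_drop_clusters(parse_find3m(FIND3M_SAMPLE)).items():
        print(f"{len(group)} loose files written at {stamp} into shared directories:")
        print(avenger_script(group))
```

The two mbam.sys drivers and the two srv.sys copies share a minute too, but they live in system32 under vendor-controlled paths, so the rule leaves them alone; only the 2008-10-20 19:21 group is reported.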
yeka
avenger + MBAM

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File "c:\documents and settings\Administrator\Application Data\nonesono.com" deleted successfully.
File "c:\program files\Common Files\sytivyp.bat" deleted successfully.
File "c:\program files\Common Files\byquciqo.vbs" deleted successfully.
File "c:\program files\Common Files\dylikiwo.com" deleted successfully.
File "c:\documents and settings\Administrator\Application Data\vebaxe.dat" deleted successfully.
File "c:\program files\Common Files\melonyp.inf" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.
Malwarebytes' Anti-Malware 1.33
Databasversion: 1740
Windows 5.1.2600 Service Pack 3

2009-02-09 14:25:38
mbam-log-2009-02-09 (14-25-38).txt

Skanningstyp: Snabb skanning
Antal skannade objekt: 55030
Förfluten tid: 5 minute(s), 34 second(s)

Infekterade minnesprocesser: 0
Infekterade minnesmoduler: 0
Infekterade registernycklar: 0
Infekterade registervärden: 0
Infekterade registerdataposter: 0
Infekterade mappar: 0
Infekterade filer: 0

Infekterade minnesprocesser:
(Inga illasinnade poster hittades)

Infekterade minnesmoduler:
(Inga illasinnade poster hittades)

Infekterade registernycklar:
(Inga illasinnade poster hittades)

Infekterade registervärden:
(Inga illasinnade poster hittades)

Infekterade registerdataposter:
(Inga illasinnade poster hittades)

Infekterade mappar:
(Inga illasinnade poster hittades)

Infekterade filer:
(Inga illasinnade poster hittades)
yeka
HijackThis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:32:05, on 2009-02-09
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Norman\Npm\bin\ELOGSVC.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Norman\Npm\Bin\Zanda.exe
C:\Norman\npm\bin\nvoy.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\msdtc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Norman\Npm\Bin\ZLH.EXE
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Norman\Npm\Bin\Nvcsched.exe
C:\Norman\Npm\Bin\Njeeves.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Norman\nse\bin\NSESVC.EXE
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\Norman\Nvc\bin\nvcoas.exe
C:\Norman\Nvc\Bin\Nip.exe
C:\Norman\Nvc\Bin\cclaw.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /nodetect
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [Reminder] C:\Windows\CREATOR\Remind_XP.exe
O4 - HKLM\..\Run: [Norman ZANDA] "C:\Norman\Npm\Bin\ZLH.EXE" /LOAD /SPLASH
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O4 - Global Startup: HP Photosmart Premier Snabbstart.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=SV_SE&c=64&bd=pavilion&pf=laptop
O16 - DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} (Infotl Control) - http://site.ebrary.com.till.biblextern.sh....s/ebraryRdr.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Automatisk LiveUpdate-schemaläggare - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: Norman eLogger service 6 (eLoggerSvc6) - Norman ASA - C:\Norman\Npm\bin\ELOGSVC.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Norman NJeeves - Norman ASA - C:\Norman\Npm\Bin\Njeeves.exe
O23 - Service: Norman ZANDA - Norman ASA - C:\Norman\Npm\Bin\Zanda.exe
O23 - Service: Norman Scanner Engine Service (nsesvc) - Norman ASA - C:\Norman\nse\bin\NSESVC.EXE
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Norman\Nvc\bin\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman ASA - C:\Norman\Npm\Bin\Nvcsched.exe
O23 - Service: Norman's Very Own supplY of resources (NVOY) - Norman ASA - C:\Norman\npm\bin\nvoy.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 9138 bytes
yeka
Everything is still the same. Another thing I noticed is that the little icons (that are shown where you type the www-address) for specific pages are not correct, e.g. YouTube - sometimes there is no icon and sometimes there is another icon that belongs to another site instead of its own logo. I don't know if I managed to explain it, ask again if you didn't understand and if it is relevant.

DrWeb+Hijackthis

A0000001.exe/data002\32788R22FWJFW\psexec.cfexe;C:\System Volume Information\_restore{15CB993F-554A-4EB6-86A2-9337A03CDEC3}\RP1\A0000001.exe/data002;Program.PsExec.171;;
data002;C:\System Volume Information\_restore{15CB993F-554A-4EB6-86A2-9337A03CDEC3}\RP1;Archive contains infected objects;;
A0000001.exe;C:\System Volume Information\_restore{15CB993F-554A-4EB6-86A2-9337A03CDEC3}\RP1;Container contains infected objects;Moved.;
ComboFix.exe/data002\32788R22FWJFW\psexec.cfexe;C:\Documents and Settings\Administrator\Skrivbord\ComboFix.exe/data002;Program.PsExec.171;;
data002;C:\Documents and Settings\Administrator\Skrivbord;Archive contains infected objects;;
ComboFix.exe;C:\Documents and Settings\Administrator\Skrivbord;Container contains infected objects;Moved.;




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:21:56, on 2009-02-09
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Norman\Npm\bin\ELOGSVC.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Norman\Npm\Bin\Zanda.exe
C:\Norman\npm\bin\nvoy.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\msdtc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Norman\Npm\Bin\Nvcsched.exe
C:\Norman\Npm\Bin\Njeeves.exe
C:\WINDOWS\system32\dllhost.exe
C:\Norman\nse\bin\NSESVC.EXE
C:\WINDOWS\System32\alg.exe
C:\Norman\Nvc\bin\nvcoas.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Norman\Npm\Bin\ZLH.EXE
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\Program Files\QuickTime\qttask.exe
C:\Norman\Nvc\Bin\Nip.exe
C:\Norman\Nvc\Bin\cclaw.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /nodetect
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [Reminder] C:\Windows\CREATOR\Remind_XP.exe
O4 - HKLM\..\Run: [Norman ZANDA] "C:\Norman\Npm\Bin\ZLH.EXE" /LOAD /SPLASH
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O4 - Global Startup: HP Photosmart Premier Snabbstart.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=SV_SE&c=64&bd=pavilion&pf=laptop
O16 - DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} (Infotl Control) - http://site.ebrary.com.till.biblextern.sh....s/ebraryRdr.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Automatisk LiveUpdate-schemaläggare - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: Norman eLogger service 6 (eLoggerSvc6) - Norman ASA - C:\Norman\Npm\bin\ELOGSVC.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Norman NJeeves - Norman ASA - C:\Norman\Npm\Bin\Njeeves.exe
O23 - Service: Norman ZANDA - Norman ASA - C:\Norman\Npm\Bin\Zanda.exe
O23 - Service: Norman Scanner Engine Service (nsesvc) - Norman ASA - C:\Norman\nse\bin\NSESVC.EXE
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Norman\Nvc\bin\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman ASA - C:\Norman\Npm\Bin\Nvcsched.exe
O23 - Service: Norman's Very Own supplY of resources (NVOY) - Norman ASA - C:\Norman\npm\bin\nvoy.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 9138 bytes
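An added example, not part of this thread and not code from HijackThis or Malwarebytes: a small Python triage script for the HijackThis log format posted above. It applies the checks a helper applies by eye when reading such a log (O23 services whose binary is missing or has no vendor name, O4 Run entries that use a bare program name or run from a user-writable directory). The sample lines are constructed: six are copied from the logs above and the [updater] entry is invented so the user-writable-path rule has something to match.

```python
import re
from dataclasses import dataclass

@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "O4" or "O23"
    subject: str   # autostart name or service name
    reason: str    # why an analyst should look at the entry

# Constructed sample in the HijackThis v2 layout of the logs above: six lines copied
# from those logs plus one invented [updater] entry for the user-writable-path rule.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /nodetect
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O23 - Service: Automatisk LiveUpdate-schemaläggare - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\Administrator\Local Settings\Temp\updater.exe
"""

# Directories an ordinary user can write to; vendor autostarts normally live elsewhere.
USER_WRITABLE = ("\\documents and settings\\", "\\temp\\", "\\application data\\")

def command_path(cmd: str) -> str:
    """Program path of an O4 command: quoted paths verbatim, unquoted ones cut at
    the first executable-looking extension (so 'RUNDLL32.EXE C:\\..\\NvCpl.dll,..'
    yields RUNDLL32.EXE and an unquoted 'C:\\Program Files\\..\\x.exe' survives)."""
    quoted = re.match(r'^"([^"]+)"', cmd)
    if quoted:
        return quoted.group(1)
    unquoted = re.match(r"^(.*?\.(?:exe|dll|cpl|scr|bat|cmd))(?=\s|$)", cmd, re.I)
    return unquoted.group(1) if unquoted else cmd.split()[0]

def check_o4(detail: str) -> list:
    """Rules for O4 (Run key) entries; 'Startup: x.lnk = ...' lines are skipped."""
    m = re.match(r"^(.*?): \[(.*?)\] (.*)$", detail)
    if not m:
        return []
    _hive, name, cmd = m.groups()
    path = command_path(cmd)
    out = []
    if "\\" not in path:   # no directory given: Windows searches the path for it
        out.append(Finding("O4", name, f"bare program name {path!r} is resolved "
                                       "through the search path; confirm it is the system32 copy"))
    if any(marker in path.lower() for marker in USER_WRITABLE):
        out.append(Finding("O4", name, "autostart runs from a user-writable directory: " + path))
    return out

def check_o23(detail: str) -> list:
    """Rules for O23 (service) entries."""
    m = re.match(r"^Service: (.*?) - (.*?) - (.*)$", detail)
    if not m:
        return []
    name, owner, path = m.groups()
    out = []
    if path.endswith("(file missing)"):
        out.append(Finding("O23", name, "service binary is missing on disk: stale entry or removed payload"))
    if owner == "Unknown owner":
        out.append(Finding("O23", name, "no vendor name on the service binary"))
    return out

def triage(log_text: str) -> list:
    """Run every rule over a HijackThis log and return the findings in log order."""
    findings = []
    for line in log_text.splitlines():
        m = re.match(r"^(O\d+) - (.*)$", line.strip())
        if not m:
            continue
        section, detail = m.groups()
        if section == "O4":
            findings.extend(check_o4(detail))
        elif section == "O23":
            findings.extend(check_o23(detail))
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.section, f.subject, "-", f.reason)
```

A finding is a prompt to verify the entry (vendor, on-disk location, signature), not a verdict; the real logs above produce only the two O23 findings for the stale Symantec scheduler entry plus the two bare-name Run entries.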
AdvancedSetup
Please explain in more detail the current issues you're seeing or having.
In general now you have MBAM and Dr Web both saying that nothing was found that should be an issue.

As a side note this entry RecGuard.exe indicates that you probably have a Recovery Partition on another drive, probably D:
So a recovery back to the way the box was when you got it might be quite simple. You would want to backup all of your data first (as you should have done by now already) before running it, but that should be a good option and easy if you have to. So please let me know with more detail the current issues you see.

QUOTE
RecGuard.exe
On HP computers, Recguard prevents the deletion or corruption of the WinXP Recovery Partition
yeka
I don't know how to explain it in another way.. I'm not so good at "computer-words" hehe.. but I'll try again.

The main issue is that my own user account doesn't show up on the welcome screen. When I start the computer and the welcome screen comes up there is only nimda as the user account and it wants a password. I tried to log in once with my own password to nimda to see if it works, but it didn't. Then the Swedish forum said that the password is probably "nimda" but I never tried it since I found another way to log in with my own account and because I don't feel comfortable logging in with the nimda account. When I'm on the welcome screen and press ctrl+alt+delete twice, a "classic" log in version shows up and there is my own user account already typed so I just have to type my password and log in.

And the other issue is the one I told you about yesterday, I've been having this issue for a couple of days now as far as I have noticed it: the little icons that are the websites' own logos that are shown beside the www-address are not right.
e.g. Instead of Google's logotype my school's logotype takes its place, instead of YouTube there is a logotype that I'm not familiar with, same thing for this site MBAM and so on... And sometimes there's no logo at all, when I know there should be.

Another issue that I had after this nimda thing (but it seems to be gone now) is that when I didn't touch the computer for a couple of minutes the account logged out and the welcome screen appeared. This time both nimda and my own account were there, so I could log in with my own account directly from the welcome screen. There were two strange things about this: one was that usually it takes longer for the account to log out by itself and the other thing was that when the account logs out usually MSN also logs out, but when the account logs out in this way everything is like I never had logged out, MSN is still on when it should have logged out, for example.

I was thinking of maybe trying to log in to the nimda account and trying to remove it myself but I don't know if I dare and if it is safe to do it? Or if it even is an actual account...? Maybe it is better to just restore or something..

As I said before, if I'm going to do some re-installing actions I would like to return to the Swedish forum and get the guidance in Swedish if it is ok.
AdvancedSetup
Yes you certainly may go back to a Swedish forum for that, but from what you describe I don't think you need to re-install.
Let me research some fixes for this first and I'll get back to you on it. For the most part unless it's something really hidden or deeply rooted I don't think you're currently infected with Malware anymore. Now we just need to see if we can restore some of the broken functionality of Windows for you.
AdvancedSetup
Try this. Click on START - RUN and type in control userpasswords2 and change your password, or look
on the Advanced tab and make sure that "Require users to press CTRL+ALT+Delete" is not checked.
Try creating a new account and giving it a password.


Take a look here and see if one of these fixes apply to your issue.
http://www.kellys-korner-xp.com/xp_wel_screen.htm


The Default Windows Logon Interface May Not Appear After Installing Third-Party Program
http://support.microsoft.com/kb/302346/EN-US/


A discussion about the availability of the Fast User Switching feature
http://support.microsoft.com/kb/294739


How to recover the damaged user profile in Windows XP
http://support.microsoft.com/kb/555473
AdvancedSetup
You can also try this program. I would select ALL check boxes and run it by clicking on the GO button.

Please download and run this program: Dial-a-fix


yeka
I had no time to try these things today, I'll try tomorrow! Thank you!
AdvancedSetup
Okay, let me know how it goes. Thanks.
yeka
Hi, I didn't manage to do all the things you told me.

I tried to give this a try: http://www.kellys-korner-xp.com/xp_wel_screen.htm "Show Administrator on the Welcome Screen" but I didn't understand how to do it.

I also wanted to try this http://support.microsoft.com/kb/302346/, am I supposed to remove this --> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GinaDLL ? I couldn't find this, maybe I searched wrong. And I also do not have any backup so I was afraid of doing it wrong.

What I did was the dial-a-fix thing.

And this: "Try this. Click on START - RUN and type in control userpasswords2 and change your password, or look
on the Advanced tab and make sure that is not checked.
Try creating a new account and giving it a password.
"

I couldn't find where to change my password doing it your way so I did it through control panel --> user account (I don't know the English words..?) And the "Require users to press CTRL+ALT+Delete" was not checked. I did create a new account with password and then rebooted. Now there is nimda and that new account but not my own account. While I was changing my password in my own account I saw this: The administrator account is visible only on the welcome screen when no other user account is created (except the guest account), or when you start the computer in safe mode. (I translated this from Swedish). Is this interesting? The nimda account is also an administrator account.. it says so anyway..
AdvancedSetup
Hold on - you hit it right on the nail (so to speak)

Is YOUR account name ADMINISTRATOR ?

If so that is the issue. The Windows XP Welcome screen does not show that account sort of on purpose unless as you say it is the ONLY account on the box. (not a good thing, always better to have another account in case something happens to your account).
AdvancedSetup
Just went and looked at one of your first posts with CF and it shows that ADMINISTRATOR is your account.

c:\documents and settings\Administrator

So, that is why it does not show (and as said, should not show now). Since you did not create the Nimda account yourself I would remove that account and profile and the NEW one you just created and you should now see the Administrator account on the screen. BUT I don't recommend that. You should have another account with Admin rights as well in case of trouble and where you might need that account. I would put a password on both accounts, even if they're simple it's better than being blank.
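As an added example (not code from this thread or from Windows), the Python below models the Welcome screen rule quoted in the two posts above and replays the account states the thread describes, so the "disappearing" account can be seen as hiding rather than deletion. Account names other than Administrator, Guest and nimda are made up, and the model keys on the account name "Administrator" as the thread does rather than on the built-in account's identifier.

```python
from dataclasses import dataclass

BUILTIN_ADMIN = "Administrator"
BUILTIN_GUEST = "Guest"

@dataclass(frozen=True)
class Account:
    name: str
    enabled: bool = True
    is_admin: bool = False   # member of the Administrators group

def welcome_screen_accounts(accounts, safe_mode=False):
    """Names the Welcome screen lists, per the rule quoted in this thread:
    the built-in Administrator only when no other user account exists (Guest
    does not count) or in Safe Mode; every other enabled account always."""
    enabled = [a for a in accounts if a.enabled]
    others = [a for a in enabled if a.name not in (BUILTIN_ADMIN, BUILTIN_GUEST)]
    shown = [a.name for a in others]
    if any(a.name == BUILTIN_ADMIN for a in enabled) and (safe_mode or not others):
        shown.insert(0, BUILTIN_ADMIN)
    if any(a.name == BUILTIN_GUEST for a in enabled):
        shown.append(BUILTIN_GUEST)   # an enabled Guest gets its own tile
    return shown

def unexpected_admins(accounts, known):
    """Defender check: enabled administrator accounts the owner did not create."""
    return [a.name for a in accounts if a.enabled and a.is_admin and a.name not in known]

def thread_timeline():
    """The states described in this thread, in order, as the model sees them."""
    admin = Account(BUILTIN_ADMIN, is_admin=True)    # the poster's own account
    guest = Account(BUILTIN_GUEST, enabled=False)
    nimda = Account("nimda", is_admin=True)          # appeared without the owner creating it
    extra = Account("new account")                   # created while troubleshooting (name made up)
    backup = Account("backup admin", is_admin=True)  # the second admin the helper recommends
    return {
        "only Administrator": welcome_screen_accounts([admin, guest]),
        "nimda appears": welcome_screen_accounts([admin, guest, nimda]),
        "new account added": welcome_screen_accounts([admin, guest, nimda, extra]),
        "safe mode": welcome_screen_accounts([admin, guest, nimda, extra], safe_mode=True),
        "nimda and new account removed": welcome_screen_accounts([admin, guest]),
        "second admin kept": welcome_screen_accounts([admin, guest, backup]),
    }

if __name__ == "__main__":
    for state, shown in thread_timeline().items():
        print(f"{state:32} -> {shown}")
    owner_accounts = {BUILTIN_ADMIN}
    print("unexpected admins:", unexpected_admins(
        [Account(BUILTIN_ADMIN, is_admin=True), Account("nimda", is_admin=True)], owner_accounts))
```

The last state shows why the helper's recommendation (keep a second administrator) also keeps the built-in Administrator off the Welcome screen; the classic logon dialog reached with Ctrl+Alt+Del twice lets you type that name regardless.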
yeka
YES!!!!!! It's gone! Thank you for your help! Everything is back to the way it was as far as I can see. Thank you!
AdvancedSetup
If you need it: Download and Update Java Runtime
The most current version of Sun Java is: Java Runtime Environment (JRE) 6 Update 12.
  • Go to http://java.sun.com/javase/downloads/index.jsp
  • Go to Java Runtime Environment (JRE) 6 Update 12 about half way down the page and click on the Download button.
  • In Platform box choose Windows.
  • Check the box to Accept License Agreement and click Continue.
  • Click on Windows Offline Installation, click on the link under it which says jre-6u12-windows-i586-p.exe and save the downloaded file to your desktop.
  • Install the new version by running the newly-downloaded file with the java icon which will be on your desktop, and follow the on-screen instructions.
  • Uncheck the Toolbar button (unless you want the toolbar)
  • Reboot your computer





Great, all looks good now.

I'll close your post soon so that others don't post into it and leave you with this information and suggestions.

So how did I get infected in the first place?


At this time your system appears to be clean. Nothing else in the logs indicates that you are still infected.
Now that you appear to be clean, please follow these simple steps in order to keep your computer clean and secure:

Disable and Enable System Restore-WINDOWS XP
This is a good time to clear your existing system restore points and establish a new clean restore point:

Turn off System Restore
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • Check Turn off System Restore.
  • Click Apply, and then click OK.
  • Reboot.

Turn ON System Restore
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • UN-Check *Turn off System Restore*.
  • Click Apply, and then click OK.

This will remove all restore points except the new one you just created.

Here are some free programs I recommend that could help you improve your computer's security.

Install SpyWare Blaster
Download it from here
Find the tutorial on how to use Spyware Blaster here

Install WinPatrol
Download it from here
You can find information about how WinPatrol works here

Install FireTrust SiteHound
You can find information and download it from here

Install hpHosts
Download it from here
hpHosts is a community managed and maintained hosts file that allows an additional layer of protection against access to ad, tracking and malicious websites. This prevents your computer from connecting to these untrusted sites by redirecting them to 127.0.0.1, which is your own local computer.
hpHosts Support Forum

Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
You can use one of these sites to check if any updates are needed for your pc.
Secunia Software Inspector
F-secure Health Check

Visit Microsoft often to get the latest updates for your computer.
http://www.update.microsoft.com
Note 1: If you are running Windows XP SP2, you should upgrade to SP3.
Note 2: Users of Norton Internet Security 2008 should uninstall the software before they install Service Pack 3.
The security suite can then be reinstalled afterwards.

The Windows firewall is not sufficient to protect your system. It doesn't monitor outgoing traffic and this is a must.
I recommend Online Armor Free

A little outdated but good reading on how to prevent Malware

Keep safe online and happy surfing.



Since this issue is resolved I will close the thread to prevent others from posting into it. If you need assistance please start your own topic and someone will be happy to assist you.

The fixes and advice in this thread are for this machine only. Do not apply to your machine unless you Fully Understand how these programs work and what you're doing. Please start a thread of your own and someone will be happy to help you, just follow the Pre-Hijackthis instructions found here before posting Pre- HJT Post Instructions


Also don't forget that we offer FREE assistance with General PC questions and repair here PC Help
If you're pleased with the product Malwarebytes and the service provided you, please let your friends, family, and co-workers know. http://www.malwarebytes.org