
System progressive protection/Spyhunter



I've been blessed with this one at my work desktop. Running Win XP Pro. Tried RKill + Malwarebytes + HitmanPro + RogueKiller, but it gets installed again, because of some search hijack still left on the computer. Now my tech support wants me to register Spyhunter 4, but I read in a thread here, that it might be part of this whole malware infection, so I'm holding back for a while before hearing from you guys, especially SuperDave :)

IObit Malware Fighter Free found nothing on a full scan?!

Below are logs from DDS


Thanks in advance!


DDS.txt


DDS (Ver_2012-11-05.02) - NTFS_x86

Internet Explorer: 8.0.6001.18702

Run by TJ at 12:39:02 on 2012-11-07

Microsoft Windows XP Professional 5.1.2600.3.1252.45.1030.18.1993.1319 [GMT 1:00]

.

AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}

.

============== Running Processes ================

.

C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE

C:\Programmer\Microsoft Security Client\MsMpEng.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Programmer\Symantec\pcAnywhere\awhost32.exe

C:\Programmer\Java\jre6\bin\jqs.exe

C:\Programmer\Intel\AMT\LMS.exe

C:\Programmer\Fælles filer\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Programmer\Sentinel Klient\UpdateClientService.exe

C:\Programmer\Google\Update\GoogleUpdate.exe

C:\WINDOWS\Explorer.EXE

C:\Programmer\Fælles filer\Intel\Privacy Icon\UNS\UNS.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Programmer\Sentinel Klient\Client.exe

C:\WINDOWS\system32\SearchIndexer.exe

C:\WINDOWS\System32\alg.exe

C:\Programmer\Fælles filer\Java\Java Update\jusched.exe

C:\Programmer\Microsoft Security Client\msseces.exe

C:\Programmer\Browny02\Brother\BrStMonW.exe

C:\Programmer\Enigma Software Group\SpyHunter\SpyHunter4.exe

C:\Programmer\Browny02\BrYNSvc.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Programmer\Hardcopy\hardcopy.exe

C:\Programmer\IObit\IObit Malware Fighter\IMFsrv.exe

C:\Programmer\IObit\IObit Malware Fighter\IMF.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\WINDOWS\system32\SearchProtocolHost.exe

C:\WINDOWS\system32\SearchFilterHost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k NetworkService

C:\WINDOWS\system32\svchost.exe -k LocalService

C:\WINDOWS\system32\svchost.exe -k LocalService

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com/

BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\programmer\fælles filer\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmer\google\google toolbar\GoogleToolbar_32.dll

BHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\programmer\google\googletoolbarnotifier\5.7.7529.1424\swg.dll

BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\programmer\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - c:\programmer\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\programmer\google\google toolbar\GoogleToolbar_32.dll

TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmer\google\google toolbar\GoogleToolbar_32.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [picon] "c:\programmer\fælles filer\intel\privacy icon\PrivacyIconClient.exe" -startup

mRun: [Windows Defender] "c:\programmer\windows defender\MSASCui.exe" -hide

mRun: [sentinelKlient] c:\programmer\sentinel klient\Client.exe

mRun: [sunJavaUpdateSched] "c:\programmer\fælles filer\java\java update\jusched.exe"

mRun: [Adobe ARM] "c:\programmer\fælles filer\adobe\arm\1.0\AdobeARM.exe"

mRun: [MSC] "c:\programmer\microsoft security client\msseces.exe" -hide -runkey

mRun: [brStsMon00] c:\programmer\browny02\brother\BrStMonW.exe /AUTORUN

mRun: [spyHunter Security Suite] c:\programmer\enigma software group\spyhunter\SpyHunter4.exe

mRun: [iObit Malware Fighter] "c:\programmer\iobit\iobit malware fighter\IMF.exe" /autostart

StartupFolder: c:\docume~1\alluse~1\menuen~1\progra~1\start\hardcopy.lnk - c:\programmer\hardcopy\hardcopy.exe

uPolicies-Explorer: NoDriveTypeAutoRun = dword:145

mPolicies-Explorer: NoDriveTypeAutoRun = dword:145

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\programmer\messenger\msmsgs.exe

Trusted Zone: danid.dk

Trusted Zone: danid.dk

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1263405789250

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1263455791875

DPF: {82E5DF24-51E8-47CD-864A-F4BD5005AA73} - hxxps://www.icloud.com/system/iCloud.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab

DPF: {9DF01F00-08E7-4DBE-9070-94841463B3FE} - hxxps://danid.dk/csp/authenticode/csp.exe

DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

TCP: Interfaces\{29081F36-388C-4802-A6EF-EE72E74DD688} : NameServer = 8.8.8.8,8.8.8.4,4.2.2.1,4.2.2.2,208.67.222.222,208.67.220.220,8.26.56.26,8.20.247.20,156.154.70.1,156.154.71.1

Notify: igfxcui - igfxdev.dll

Notify: PCANotify - PCANotify.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Windows Desktop Search Namespace Manager - {56F9679E-7826-4C84-81F3-532071A8BCC5} - c:\programmer\windows desktop search\MSNLNamespaceMgr.dll

SEH: Microsoft AntiMalware ShellExecuteHook - {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - c:\programmer\windows defender\MpShHook.dll

.

============= SERVICES / DRIVERS ===============

.

R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 193552]

R1 AW_HOST;AW_HOST;c:\windows\system32\drivers\AW_HOST5.sys [2007-3-30 18232]

R1 awlegacy;awlegacy;c:\windows\system32\drivers\AWLEGACY.sys [2007-3-30 17848]

R1 MpKslb8cae9ae;MpKslb8cae9ae;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{ffa4ff11-87e2-48e0-881c-d5434f45f492}\MpKslb8cae9ae.sys [2012-11-7 29904]

R2 awhost32;Symantec pcAnywhere Host Service;c:\programmer\symantec\pcanywhere\awhost32.exe [2007-5-11 132728]

R2 IMFservice;IMF Service;c:\programmer\iobit\iobit malware fighter\IMFsrv.exe [2012-11-7 821592]

R2 Sentinel_Update;Sentinel Updater;c:\programmer\sentinel klient\UpdateClientService.exe [2011-2-3 12800]

R2 SpyHunter 4 Service;SpyHunter 4 Service;c:\progra~1\enigma~1\spyhun~1\SH4SER~1.EXE [2012-10-8 766400]

R2 UNS;Intel® Management and Security Application User Notification Service;c:\programmer\fælles filer\intel\privacy icon\uns\UNS.exe [2010-1-13 2066968]

R3 BrYNSvc;BrYNSvc;c:\programmer\browny02\BrYNSvc.exe [2012-11-5 249856]

R3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k5132.sys [2009-10-1 160424]

R3 esgiguard;esgiguard;c:\programmer\enigma software group\spyhunter\esgiguard.sys [2011-5-6 13904]

R3 FileMonitor;FileMonitor;c:\programmer\iobit\iobit malware fighter\drivers\wxp_x86\FileMonitor.sys [2012-11-7 246816]

R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2008-7-23 44800]

R3 RegFilter;RegFilter;c:\programmer\iobit\iobit malware fighter\drivers\wxp_x86\RegFilter.sys [2012-11-7 30408]

R3 UrlFilter;UrlFilter;c:\programmer\iobit\iobit malware fighter\drivers\wxp_x86\UrlFilter.sys [2012-11-7 16248]

RUnknown MpKsle18fb0ad;MpKsle18fb0ad; [x]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 WinDefend;Windows Defender;c:\programmer\windows defender\MsMpEng.exe [2006-11-3 13592]

S3 EsgScanner;EsgScanner;c:\windows\system32\drivers\EsgScanner.sys [2012-6-22 19984]

S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2008-4-15 14336]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

.

=============== Created Last 30 ================

.

2012-11-07 11:22:36 -------- d-----w- c:\documents and settings\all users\application data\IObit

2012-11-07 11:22:35 -------- d-----w- c:\documents and settings\tj\application data\IObit

2012-11-07 11:22:30 -------- d-----w- c:\programmer\IObit

2012-11-07 11:21:31 29904 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{ffa4ff11-87e2-48e0-881c-d5434f45f492}\MpKslb8cae9ae.sys

2012-11-07 11:19:22 56200 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{ffa4ff11-87e2-48e0-881c-d5434f45f492}\offreg.dll

2012-11-07 11:18:38 29904 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{ffa4ff11-87e2-48e0-881c-d5434f45f492}\MpKsle18fb0ad.sys

2012-11-07 10:01:39 110080 ----a-r- c:\documents and settings\tj\application data\microsoft\installer\{ddabc667-56b3-4122-82b0-2f5782ea2f9a}\IconF7A21AF7.exe

2012-11-07 10:01:39 110080 ----a-r- c:\documents and settings\tj\application data\microsoft\installer\{ddabc667-56b3-4122-82b0-2f5782ea2f9a}\IconD7F16134.exe

2012-11-07 10:01:39 110080 ----a-r- c:\documents and settings\tj\application data\microsoft\installer\{ddabc667-56b3-4122-82b0-2f5782ea2f9a}\IconCF33A0CE.exe

2012-11-07 10:01:37 -------- d-----w- C:\sh4ldr

2012-11-07 10:01:37 -------- d-----w- c:\programmer\Enigma Software Group

2012-11-07 08:09:13 -------- d-----w- c:\windows\ERUNT

2012-11-07 08:06:16 0 ----a-w- C:\SDFix.exe

2012-11-07 08:04:06 -------- d-----w- C:\SDFix

2012-11-07 07:53:52 -------- d-----w- c:\documents and settings\tj\application data\Windows Search

2012-11-06 14:06:11 6918632 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{ffa4ff11-87e2-48e0-881c-d5434f45f492}\mpengine.dll

2012-11-06 13:34:28 -------- d-----w- c:\documents and settings\all users\application data\HitmanPro

2012-11-06 12:28:11 -------- d-----w- c:\documents and settings\all users\application data\88B8B9ACFFC33652000088B830FF40C4

2012-11-06 12:27:24 61952 ---ha-w- c:\windows\system32\atnsta.dll

2012-11-05 14:25:36 77824 ----a-w- c:\windows\system32\BRLMW03A.DLL

2012-11-05 14:25:36 45056 ----a-w- c:\windows\system32\BRTCPCON.DLL

2012-11-05 14:25:36 25299 ----a-w- c:\windows\system32\BRLM03A.DLL

2012-11-05 14:25:36 180224 ----a-w- c:\windows\system32\BROSNMP.DLL

2012-11-05 14:25:36 175104 ----a-w- c:\windows\system32\BRCOM11A.DLL

2012-11-05 14:25:36 107888 ----a-w- c:\windows\system32\BRRBTOOL.EXE

2012-11-05 14:25:35 -------- d-----w- C:\Brother

2012-11-05 14:25:32 -------- d-----w- c:\programmer\Browny02

2012-11-05 14:25:18 -------- d-----w- c:\programmer\Brother

2012-11-05 14:24:39 -------- d-----w- c:\documents and settings\all users\application data\Brother

2012-11-05 14:07:33 6918632 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll

.

==================== Find3M ====================

.

2012-09-29 18:54:26 22856 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-09-21 05:48:41 73136 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-09-21 05:48:41 696240 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-08-30 20:03:50 193552 ----a-w- c:\windows\system32\drivers\MpFilter.sys

2012-08-28 15:17:30 916992 ----a-w- c:\windows\system32\wininet.dll

2012-08-28 15:17:19 43520 ----a-w- c:\windows\system32\licmgr10.dll

2012-08-28 15:17:18 1469440 ------w- c:\windows\system32\inetcpl.cpl

2012-08-28 12:07:32 385024 ----a-w- c:\windows\system32\html.iec

2012-08-24 13:53:16 177664 ----a-w- c:\windows\system32\wintrust.dll

2012-08-23 06:27:18 2151424 ----a-w- c:\windows\system32\ntoskrnl.exe

2012-08-23 06:27:18 2030080 ----a-w- c:\windows\system32\ntkrnlpa.exe

.

============= FINISH: 12:42:22,98 ===============


Attach.txt


.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2012-11-05.02)

.

Microsoft Windows XP Professional

Boot Device: \Device\HarddiskVolume1

Install Date: 13-01-2010 18:50:31

System Uptime: 07-11-2012 12:20:22 (0 hours ago)

.

Motherboard: Hewlett-Packard | | 3646h

Processor: Intel Pentium III Xeon-processor | XU1 PROCESSOR | 2992/1333mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 80 GiB total, 67,723 GiB free.

D: is FIXED (NTFS) - 218 GiB total, 217,983 GiB free.

F: is NetworkDisk (NTFS) - 126 GiB total, 40,216 GiB free.

S: is CDROM ()

.

==== Disabled Device Manager Items =============

.

==== System Restore Points ===================

.

RP1: 07-11-2012 11:06:40 - Systemkontrolpunkt

RP2: 07-11-2012 12:00:14 - Software Distribution Service 3.0

.

==== Installed Programs ======================

.

Adobe Flash Player 11 ActiveX

Adobe Reader X (10.1.0) - Dansk

Digital Signatur

Elektronisk Indberetning

Embedded Security for HP ProtectTools Driver

Google Chrome

Google Toolbar for Internet Explorer

Google Update Helper

HL-5450DN

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)

Hotfix for Windows Media Format 11 SDK (KB929399)

Hotfix for Windows XP (KB915800-v4)

Hotfix for Windows XP (KB954550-v5)

Hotfix for Windows XP (KB976002-v5)

Hotfix til Windows Media Player 11 (KB939683)

Hotfix til Windows XP (KB2443685)

Hotfix til Windows XP (KB2570791)

Hotfix til Windows XP (KB2633952)

Hotfix til Windows XP (KB2756822)

Hotfix til Windows XP (KB952287)

Hotfix til Windows XP (KB961118)

Hotfix til Windows XP (KB969084)

Hotfix til Windows XP (KB976098-v2)

Hotfix til Windows XP (KB979306)

Hotfix til Windows XP (KB981793)

HP Softpaq SP45367

HP Softpaq SP45411

Intel® Graphics Media Accelerator Driver

Intel® Management Engine Interface

Intel® Network Connections Drivers

Intel® Active Management Technology

IObit Malware Fighter

Java Auto Updater

Java 6 Update 29

Kompatibilitetspakke til Office 2007-systemet

LiveReg (Symantec Corporation)

LiveUpdate 3.2 (Symantec Corporation)

Malwarebytes Anti-Malware version 1.65.1.1000

Microsoft .NET Framework 1.1

Microsoft .NET Framework 1.1 Danish Language Pack

Microsoft .NET Framework 1.1 Security Update (KB2656353)

Microsoft .NET Framework 1.1 Security Update (KB2656370)

Microsoft .NET Framework 1.1 Security Update (KB979906)

Microsoft .NET Framework 2.0 Service Pack 2

Microsoft .NET Framework 2.0 Service Pack 2 Language Pack - DAN

Microsoft .NET Framework 3.0 Service Pack 2

Microsoft .NET Framework 3.0 Service Pack 2 Language Pack - DAN

Microsoft .NET Framework 3.5 Language Pack SP1 - dan

Microsoft .NET Framework 3.5 SP1

Microsoft .NET Framework 4 Client Profile

Microsoft .NET Framework 4 Client Profile DAN Language Pack

Microsoft .NET Framework 4 Client Profile DAN sprogpakke

Microsoft Antimalware Service DA-DK Language Pack

Microsoft Application Error Reporting

Microsoft Base Smart Card Crypto-udbyder

Microsoft Compression Client Pack 1.0 for Windows XP

Microsoft Office File Validation Add-In

Microsoft Office Word 2003

Microsoft Security Client

Microsoft Security Client DA-DK Language Pack

Microsoft Security Essentials

Microsoft Silverlight

Microsoft User-Mode Driver Framework Feature Pack 1.0

MSXML 6.0 Parser

OGA Notifier 2.0.0048.0

Opdatering til Microsoft Windows (KB971513)

Opdatering til Windows Internet Explorer 8 (KB2447568)

Opdatering til Windows Internet Explorer 8 (KB2598845)

Opdatering til Windows Internet Explorer 8 (KB2632503)

Opdatering til Windows Internet Explorer 8 (KB975364)

Opdatering til Windows Internet Explorer 8 (KB976662)

Opdatering til Windows Internet Explorer 8 (KB978506)

Opdatering til Windows Internet Explorer 8 (KB980182)

Opdatering til Windows Internet Explorer 8 (KB980302)

Opdatering til Windows Internet Explorer 8 (KB982632)

Opdatering til Windows Internet Explorer 8 (KB982664)

Opdatering til Windows XP (KB2141007)

Opdatering til Windows XP (KB2345886)

Opdatering til Windows XP (KB2467659)

Opdatering til Windows XP (KB2492386)

Opdatering til Windows XP (KB2541763)

Opdatering til Windows XP (KB2607712)

Opdatering til Windows XP (KB2616676)

Opdatering til Windows XP (KB2641690)

Opdatering til Windows XP (KB2661254-v2)

Opdatering til Windows XP (KB2718704)

Opdatering til Windows XP (KB2736233)

Opdatering til Windows XP (KB2749655)

Opdatering til Windows XP (KB898461)

Opdatering til Windows XP (KB943729)

Opdatering til Windows XP (KB951978)

Opdatering til Windows XP (KB955759)

Opdatering til Windows XP (KB967715)

Opdatering til Windows XP (KB968389)

Opdatering til Windows XP (KB971029)

Opdatering til Windows XP (KB971737)

Opdatering til Windows XP (KB973687)

Opdatering til Windows XP (KB973815)

Realtek High Definition Audio Driver

Security Update for CAPICOM (KB931906)

Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)

Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)

Security Update for Windows Search 4 - KB963093

Sentinel Klient Installation

Sikkerhedsopdatering til Microsoft Windows (KB2564958)

Sikkerhedsopdatering til Windows Internet Explorer 8 (KB2183461)

Sikkerhedsopdatering til Windows Internet Explorer 8 (KB2416400)

Sikkerhedsopdatering til Windows Internet Explorer 8 (KB2482017)

Sikkerhedsopdatering til Windows Internet Explorer 8 (KB2497640)

Sikkerhedsopdatering til Windows Internet Explorer 8 (KB2510531)

Sikkerhedsopdatering til Windows Internet Explorer 8 (KB2530548)

Sikkerhedsopdatering til Windows Internet Explorer 8 (KB2544521)

Sikkerhedsopdatering til Windows Internet Explorer 8 (KB2559049)

Sikkerhedsopdatering til Windows Internet Explorer 8 (KB2586448)

Sikkerhedsopdatering til Windows Internet Explorer 8 (KB2618444)

Sikkerhedsopdatering til Windows Internet Explorer 8 (KB2647516)

Sikkerhedsopdatering til Windows Internet Explorer 8 (KB2675157)

Sikkerhedsopdatering til Windows Internet Explorer 8 (KB2699988)

Sikkerhedsopdatering til Windows Internet Explorer 8 (KB2722913)

Sikkerhedsopdatering til Windows Internet Explorer 8 (KB2744842)

Sikkerhedsopdatering til Windows Internet Explorer 8 (KB971961)

Sikkerhedsopdatering til Windows Internet Explorer 8 (KB976325)

Sikkerhedsopdatering til Windows Internet Explorer 8 (KB978207)

Sikkerhedsopdatering til Windows Internet Explorer 8 (KB981332)

Sikkerhedsopdatering til Windows Media Player (KB2378111)

Sikkerhedsopdatering til Windows Media Player (KB952069)

Sikkerhedsopdatering til Windows Media Player (KB954155)

Sikkerhedsopdatering til Windows Media Player (KB968816)

Sikkerhedsopdatering til Windows Media Player (KB973540)

Sikkerhedsopdatering til Windows Media Player (KB975558)

Sikkerhedsopdatering til Windows Media Player (KB978695)

Sikkerhedsopdatering til Windows Media Player 11 (KB954154)

Sikkerhedsopdatering til Windows XP (KB2079403)

Sikkerhedsopdatering til Windows XP (KB2115168)

Sikkerhedsopdatering til Windows XP (KB2121546)

Sikkerhedsopdatering til Windows XP (KB2160329)

Sikkerhedsopdatering til Windows XP (KB2229593)

Sikkerhedsopdatering til Windows XP (KB2259922)

Sikkerhedsopdatering til Windows XP (KB2286198)

Sikkerhedsopdatering til Windows XP (KB2296011)

Sikkerhedsopdatering til Windows XP (KB2296199)

Sikkerhedsopdatering til Windows XP (KB2347290)

Sikkerhedsopdatering til Windows XP (KB2360937)

Sikkerhedsopdatering til Windows XP (KB2387149)

Sikkerhedsopdatering til Windows XP (KB2393802)

Sikkerhedsopdatering til Windows XP (KB2412687)

Sikkerhedsopdatering til Windows XP (KB2419632)

Sikkerhedsopdatering til Windows XP (KB2423089)

Sikkerhedsopdatering til Windows XP (KB2436673)

Sikkerhedsopdatering til Windows XP (KB2440591)

Sikkerhedsopdatering til Windows XP (KB2443105)

Sikkerhedsopdatering til Windows XP (KB2476490)

Sikkerhedsopdatering til Windows XP (KB2476687)

Sikkerhedsopdatering til Windows XP (KB2478960)

Sikkerhedsopdatering til Windows XP (KB2478971)

Sikkerhedsopdatering til Windows XP (KB2479628)

Sikkerhedsopdatering til Windows XP (KB2479943)

Sikkerhedsopdatering til Windows XP (KB2483185)

Sikkerhedsopdatering til Windows XP (KB2483614)

Sikkerhedsopdatering til Windows XP (KB2485376)

Sikkerhedsopdatering til Windows XP (KB2485663)

Sikkerhedsopdatering til Windows XP (KB2503658)

Sikkerhedsopdatering til Windows XP (KB2503665)

Sikkerhedsopdatering til Windows XP (KB2506212)

Sikkerhedsopdatering til Windows XP (KB2506223)

Sikkerhedsopdatering til Windows XP (KB2507618)

Sikkerhedsopdatering til Windows XP (KB2507938)

Sikkerhedsopdatering til Windows XP (KB2508272)

Sikkerhedsopdatering til Windows XP (KB2508429)

Sikkerhedsopdatering til Windows XP (KB2509553)

Sikkerhedsopdatering til Windows XP (KB2511455)

Sikkerhedsopdatering til Windows XP (KB2524375)

Sikkerhedsopdatering til Windows XP (KB2535512)

Sikkerhedsopdatering til Windows XP (KB2536276-v2)

Sikkerhedsopdatering til Windows XP (KB2536276)

Sikkerhedsopdatering til Windows XP (KB2544893-v2)

Sikkerhedsopdatering til Windows XP (KB2544893)

Sikkerhedsopdatering til Windows XP (KB2555917)

Sikkerhedsopdatering til Windows XP (KB2562937)

Sikkerhedsopdatering til Windows XP (KB2566454)

Sikkerhedsopdatering til Windows XP (KB2567053)

Sikkerhedsopdatering til Windows XP (KB2567680)

Sikkerhedsopdatering til Windows XP (KB2570222)

Sikkerhedsopdatering til Windows XP (KB2570947)

Sikkerhedsopdatering til Windows XP (KB2584146)

Sikkerhedsopdatering til Windows XP (KB2585542)

Sikkerhedsopdatering til Windows XP (KB2592799)

Sikkerhedsopdatering til Windows XP (KB2598479)

Sikkerhedsopdatering til Windows XP (KB2603381)

Sikkerhedsopdatering til Windows XP (KB2618451)

Sikkerhedsopdatering til Windows XP (KB2619339)

Sikkerhedsopdatering til Windows XP (KB2620712)

Sikkerhedsopdatering til Windows XP (KB2621440)

Sikkerhedsopdatering til Windows XP (KB2624667)

Sikkerhedsopdatering til Windows XP (KB2631813)

Sikkerhedsopdatering til Windows XP (KB2633171)

Sikkerhedsopdatering til Windows XP (KB2639417)

Sikkerhedsopdatering til Windows XP (KB2641653)

Sikkerhedsopdatering til Windows XP (KB2646524)

Sikkerhedsopdatering til Windows XP (KB2647518)

Sikkerhedsopdatering til Windows XP (KB2653956)

Sikkerhedsopdatering til Windows XP (KB2655992)

Sikkerhedsopdatering til Windows XP (KB2659262)

Sikkerhedsopdatering til Windows XP (KB2660465)

Sikkerhedsopdatering til Windows XP (KB2661637)

Sikkerhedsopdatering til Windows XP (KB2676562)

Sikkerhedsopdatering til Windows XP (KB2685939)

Sikkerhedsopdatering til Windows XP (KB2686509)

Sikkerhedsopdatering til Windows XP (KB2691442)

Sikkerhedsopdatering til Windows XP (KB2695962)

Sikkerhedsopdatering til Windows XP (KB2698365)

Sikkerhedsopdatering til Windows XP (KB2705219)

Sikkerhedsopdatering til Windows XP (KB2707511)

Sikkerhedsopdatering til Windows XP (KB2709162)

Sikkerhedsopdatering til Windows XP (KB2712808)

Sikkerhedsopdatering til Windows XP (KB2718523)

Sikkerhedsopdatering til Windows XP (KB2719985)

Sikkerhedsopdatering til Windows XP (KB2723135)

Sikkerhedsopdatering til Windows XP (KB2724197)

Sikkerhedsopdatering til Windows XP (KB2731847)

Sikkerhedsopdatering til Windows XP (KB923561)

Sikkerhedsopdatering til Windows XP (KB923789)

Sikkerhedsopdatering til Windows XP (KB941569)

Sikkerhedsopdatering til Windows XP (KB946648)

Sikkerhedsopdatering til Windows XP (KB950762)

Sikkerhedsopdatering til Windows XP (KB950974)

Sikkerhedsopdatering til Windows XP (KB951066)

Sikkerhedsopdatering til Windows XP (KB951376-v2)

Sikkerhedsopdatering til Windows XP (KB951748)

Sikkerhedsopdatering til Windows XP (KB952004)

Sikkerhedsopdatering til Windows XP (KB952954)

Sikkerhedsopdatering til Windows XP (KB954459)

Sikkerhedsopdatering til Windows XP (KB955069)

Sikkerhedsopdatering til Windows XP (KB956572)

Sikkerhedsopdatering til Windows XP (KB956744)

Sikkerhedsopdatering til Windows XP (KB956802)

Sikkerhedsopdatering til Windows XP (KB956803)

Sikkerhedsopdatering til Windows XP (KB956844)

Sikkerhedsopdatering til Windows XP (KB957097)

Sikkerhedsopdatering til Windows XP (KB958644)

Sikkerhedsopdatering til Windows XP (KB958687)

Sikkerhedsopdatering til Windows XP (KB958869)

Sikkerhedsopdatering til Windows XP (KB959426)

Sikkerhedsopdatering til Windows XP (KB960225)

Sikkerhedsopdatering til Windows XP (KB960803)

Sikkerhedsopdatering til Windows XP (KB960859)

Sikkerhedsopdatering til Windows XP (KB961501)

Sikkerhedsopdatering til Windows XP (KB969059)

Sikkerhedsopdatering til Windows XP (KB969947)

Sikkerhedsopdatering til Windows XP (KB970238)

Sikkerhedsopdatering til Windows XP (KB970430)

Sikkerhedsopdatering til Windows XP (KB971468)

Sikkerhedsopdatering til Windows XP (KB971486)

Sikkerhedsopdatering til Windows XP (KB971557)

Sikkerhedsopdatering til Windows XP (KB971633)

Sikkerhedsopdatering til Windows XP (KB971657)

Sikkerhedsopdatering til Windows XP (KB971961)

Sikkerhedsopdatering til Windows XP (KB972270)

Sikkerhedsopdatering til Windows XP (KB973354)

Sikkerhedsopdatering til Windows XP (KB973507)

Sikkerhedsopdatering til Windows XP (KB973525)

Sikkerhedsopdatering til Windows XP (KB973869)

Sikkerhedsopdatering til Windows XP (KB973904)

Sikkerhedsopdatering til Windows XP (KB974112)

Sikkerhedsopdatering til Windows XP (KB974318)

Sikkerhedsopdatering til Windows XP (KB974392)

Sikkerhedsopdatering til Windows XP (KB974571)

Sikkerhedsopdatering til Windows XP (KB975025)

Sikkerhedsopdatering til Windows XP (KB975467)

Sikkerhedsopdatering til Windows XP (KB975560)

Sikkerhedsopdatering til Windows XP (KB975561)

Sikkerhedsopdatering til Windows XP (KB975562)

Sikkerhedsopdatering til Windows XP (KB975713)

Sikkerhedsopdatering til Windows XP (KB976325)

Sikkerhedsopdatering til Windows XP (KB977165-v2)

Sikkerhedsopdatering til Windows XP (KB977816)

Sikkerhedsopdatering til Windows XP (KB977914)

Sikkerhedsopdatering til Windows XP (KB978037)

Sikkerhedsopdatering til Windows XP (KB978251)

Sikkerhedsopdatering til Windows XP (KB978262)

Sikkerhedsopdatering til Windows XP (KB978338)

Sikkerhedsopdatering til Windows XP (KB978542)

Sikkerhedsopdatering til Windows XP (KB978601)

Sikkerhedsopdatering til Windows XP (KB978706)

Sikkerhedsopdatering til Windows XP (KB979309)

Sikkerhedsopdatering til Windows XP (KB979482)

Sikkerhedsopdatering til Windows XP (KB979683)

Sikkerhedsopdatering til Windows XP (KB979687)

Sikkerhedsopdatering til Windows XP (KB980195)

Sikkerhedsopdatering til Windows XP (KB980218)

Sikkerhedsopdatering til Windows XP (KB980232)

Sikkerhedsopdatering til Windows XP (KB980436)

Sikkerhedsopdatering til Windows XP (KB981322)

Sikkerhedsopdatering til Windows XP (KB981852)

Sikkerhedsopdatering til Windows XP (KB981997)

Sikkerhedsopdatering til Windows XP (KB982132)

Sikkerhedsopdatering til Windows XP (KB982214)

Sikkerhedsopdatering til Windows XP (KB982665)

Spelling Dictionaries Support For Adobe Reader 9

Sprogpakke til Microsoft .NET Framework 3.5 SP1 - dansk

SpyHunter

Symantec pcAnywhere

Uninstall Hardcopy

Update for Microsoft .NET Framework 3.5 SP1 (KB963707)

WebFldrs XP

Windows Defender

Windows Genuine Advantage Notifications (KB905474)

Windows Genuine Advantage Validation Tool (KB892130)

Windows Internet Explorer 8

Windows Management Framework Core

Windows Media Format 11 runtime

Windows Media Player 11

Windows Search 4.0

XML Paper Specification Shared Components Language Pack 1.0

.

==== End Of File ===========================

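As an added example that is not part of this thread and not a feature of DDS, the Python script below parses two of the sections from the DDS.txt above ("Created Last 30" and "SERVICES / DRIVERS") and flags the kinds of entries a helper typically looks at first: a hidden file dropped into system32 (the atnsta.dll line), a directory whose name is a long random hex string (the 88B8B9AC... folder under Application Data), and a service DDS could not resolve to a file on disk (the RUnknown entry). The sample lines are excerpted from the log above; the line-format regex, the 24-hex-digit threshold and all function names are assumptions made for this example, not DDS documentation.

```python
"""Triage helper for two DDS log sections: "Created Last 30" and "SERVICES / DRIVERS".

This is an added example, not part of the forum thread and not a DDS feature.
The line formats are inferred from the log posted above; the flag rules are
illustrative starting points a helper might use, not a detection standard.
"""
import re
from dataclasses import dataclass

# Sample lines excerpted from the DDS.txt posted above (the BRLMW03A line is a
# Brother printer DLL kept as a benign control that must not be flagged).
SAMPLE_CREATED = r"""
2012-11-07 11:22:36 -------- d-----w- c:\documents and settings\all users\application data\IObit
2012-11-06 12:28:11 -------- d-----w- c:\documents and settings\all users\application data\88B8B9ACFFC33652000088B830FF40C4
2012-11-06 12:27:24 61952 ---ha-w- c:\windows\system32\atnsta.dll
2012-11-05 14:25:36 77824 ----a-w- c:\windows\system32\BRLMW03A.DLL
"""

SAMPLE_SERVICES = r"""
R3 esgiguard;esgiguard;c:\programmer\enigma software group\spyhunter\esgiguard.sys [2011-5-6 13904]
RUnknown MpKsle18fb0ad;MpKsle18fb0ad; [x]
S3 EsgScanner;EsgScanner;c:\windows\system32\drivers\EsgScanner.sys [2012-6-22 19984]
"""


@dataclass
class CreatedEntry:
    date: str
    time: str
    size: str    # "--------" for directories
    attrs: str   # e.g. "---ha-w-": leading 'd' = directory, 'h' = hidden attribute
    path: str


@dataclass
class ServiceEntry:
    state: str   # R0-R3 running, S0-S3 stopped, "RUnknown" = DDS could not classify it
    name: str
    display: str
    image: str   # empty when DDS printed "[x]" instead of a file path


# Assumed layout: "<state> <name>;<display>;<image> [<date> <size>]", bracket part optional
SERVICE_RE = re.compile(r"^(\S+) ([^;]*);([^;]*);(.*?)(?: \[[^\]]*\])?$")
# Directory names that are nothing but a long hex string (assumed threshold: 24+ digits)
HEX_DIR_RE = re.compile(r"^[0-9a-f]{24,}$", re.IGNORECASE)


def parse_created(text):
    """Parse 'Created Last 30' lines: date time size attrs path (path may contain spaces)."""
    entries = []
    for line in text.splitlines():
        parts = line.split(None, 4)
        if len(parts) == 5:
            entries.append(CreatedEntry(*parts))
    return entries


def parse_services(text):
    """Parse 'SERVICES / DRIVERS' lines into ServiceEntry records."""
    entries = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m:
            entries.append(ServiceEntry(*m.groups()))
    return entries


def triage_created(entries):
    """Return (path, reason) pairs for created entries worth a closer look."""
    findings = []
    for e in entries:
        is_dir = e.attrs.startswith("d")
        hidden = "h" in e.attrs
        basename = e.path.rsplit("\\", 1)[-1]
        if hidden and not is_dir and "\\windows\\system32\\" in e.path.lower():
            findings.append((e.path, "hidden file created in system32"))
        if is_dir and HEX_DIR_RE.match(basename):
            findings.append((e.path, "directory with random hex name"))
    return findings


def triage_services(entries):
    """Return (name, reason) pairs for services DDS could not resolve to a file."""
    return [(s.name, "service state unknown or image path missing")
            for s in entries if s.state == "RUnknown" or not s.image]


def run_triage(created_text=SAMPLE_CREATED, services_text=SAMPLE_SERVICES):
    """Run both checks and return all findings in log order."""
    return (triage_created(parse_created(created_text))
            + triage_services(parse_services(services_text)))


if __name__ == "__main__":
    for item, reason in run_triage():
        print(f"{reason}: {item}")
```

Run against the two samples it reports three findings and stays silent on the IObit folder and the Brother DLL; a finding is only a prompt to look closer (file hash, signer, creation context), not a verdict, which is why the checks stay simple and explainable rather than trying to decide maliciousness on their own.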

Hi tdlarsen

What is the problem?

I noticed that you use pcanywhere

There was a problem with that program at the beginning of this year

On the 11th of April 2012, a patch was released: About the pcAnywhere 12.5 SP4 and pcAnywhere Solution 12.6.7 releases

Does your problem have anything to do with that?

Cheers

solbjerg


No, I highly doubt that. Our service provider uses PC Anywhere to remotely access our PC in case of trouble, and for remote education when new functions in our system are introduced.

Except today, when they installed Spyhunter 4 in an attempt to get rid of this incredibly resistant infection.


Hmm, no edit function, so I'll post more here:

PC Anywhere is used through a VPN tunnel between Medigate 5 Firewalls. That's why I doubt the problem lies there.

I think the computer got infected via a hit-and-run download from some homepage. The problem is we have absolutely no idea how, when and where. We first got the infection some 6 months ago, and thought everything got cleaned back then, but yesterday it showed up again, even more aggressive than last time.


Hello and welcome to IOBit Forums. My name is Dave. I will be helping you out with your particular problem on your computer.


1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.

2. The fixes are specific to your problem and should only be used for this issue on this machine.

3. If you don't know or understand something, please don't hesitate to ask.

4. Please DO NOT run any other tools or scans while I am helping you.

5. It is important that you reply to this thread. Do not start a new topic.

6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.

7. Absence of symptoms does not mean that everything is clear.


If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.

*************************************************************

Please download AdwCleaner by Xplode onto your Desktop.

  • Double click on AdwCleaner.exe to run the tool.
  • Click on Search.
  • A logfile will automatically open after the scan has finished.
  • Please post the content of that logfile in your reply.
  • You can find the logfile at C:\AdwCleaner[Rn].txt as well - n is the order number.

****************************************************

 

Please download Malwarebytes Anti-Malware from here.

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • Please save the log to a location you will remember.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note:

 

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


Hi again

 

Will do as requested first thing in the morning. There's some time difference between Canada and Denmark, please bear with me.

Actually the computer is behaving frightfully 'normal' since I wrote the first post. Could be either victory or a sneaky hideout. Damnedest thing I've seen yet, this one.


Adwcleaner report

 

# AdwCleaner v2.007 - Log file created on 08/11/2012 at 07:37:56

# Updated on 06/11/2012 by Xplode

# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)

# User : TJ - PC03

# Boot Mode : Normal

# Running from : C:\Documents and Settings\TJ\Skrivebord\adwcleaner.exe

# Option [search]

***** [Services] *****

***** [Files / Folders] *****

***** [Registry] *****

Key Found : HKLM\SOFTWARE\Classes\S

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

[OK] Registry is clean.

*************************

AdwCleaner[R1].txt - [571 bytes] - [08/11/2012 07:37:56]

########## EOF - C:\AdwCleaner[R1].txt - [630 bytes] ##########


MBAM report

 

Malwarebytes Anti-Malware 1.65.1.1000

http://www.malwarebytes.org

 

Database version: v2012.11.08.01

 

Windows XP Service Pack 3 x86 NTFS

Internet Explorer 8.0.6001.18702

TJ :: PC03 [administrator]

 

08-11-2012 07:42:12

mbam-log-2012-11-08 (07-42-12).txt

 

Scan type: Full scan (C:\|D:\|)

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 254820

Time elapsed: 16 minute(s), 40 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)


Download Combofix from any of the links below, and save it to your DESKTOP.

 

Link 1

Link 2

Link 3

 

To prevent your anti-virus application interfering with ComboFix we need to disable it. See here for a tutorial regarding how to do so if you are unsure.

  • Close any open windows and double click ComboFix.exe to run it.
     
    You will see the following image:

http://i424.photobucket.com/albums/pp322/digistar/NSIS_disclaimer_ENG.png

 

Click I Agree to start the program.

 

ComboFix will then extract the necessary files and you will see this:

 

http://i424.photobucket.com/albums/pp322/digistar/NSIS_extraction.png

 

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. This will not occur in Windows Vista and 7.

 

It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

 

If you did not have it installed, you will see the prompt below. Choose YES.

 

http://i424.photobucket.com/albums/pp322/digistar/RcAuto1.gif

 

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

 

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

 

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

 

http://i424.photobucket.com/albums/pp322/digistar/whatnext.png

 

Click on Yes, to continue scanning for malware.

 

When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

 

Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

 

Note: Please Do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.


Hmm, no edit function, so I'll post more here,
This is a highly restricted section of the forum to augment clarity; the edit button is disabled to enhance purity of information. You did right to add an additional post. The only people that can respond to your posts are the forum leaders. :wink:

 

Sincerely,

-Mel

Live long and prosper!


ComboFix log

 

ComboFix 12-11-08.01 - TJ 09-11-2012 7:52.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.45.1030.18.1993.1506 [GMT 1:00]

Running from: c:\documents and settings\TJ\Skrivebord\ComboFix.exe

AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}

.

WARNING - THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

C:\SDFix.exe

c:\windows\system32\URTTemp

c:\windows\system32\URTTemp\fusion.dll

c:\windows\system32\URTTemp\mscoree.dll

c:\windows\system32\URTTemp\mscoree.dll.local

c:\windows\system32\URTTemp\mscorsn.dll

c:\windows\system32\URTTemp\mscorwks.dll

c:\windows\system32\URTTemp\msvcr71.dll

c:\windows\system32\URTTemp\regtlib.exe

.

.

((((((((((((((((((((((((((((( Files Created from 2012-10-09 to 2012-11-09 )))))))))))))))))))))))))))))))))))

.

.

2012-11-08 14:13 . 2012-10-12 05:56 6918632 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{1EE847AE-FAA9-4695-A684-95A280687C0E}\mpengine.dll

2012-11-08 06:41 . 2012-11-08 06:41 -------- d-----w- c:\programmer\Malwarebytes' Anti-Malware

2012-11-08 06:41 . 2012-09-29 18:54 22856 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-11-07 16:35 . 2012-11-07 16:35 -------- d-----w- c:\windows\DDABC66756B3412282B02F5782EA2F9A.TMP

2012-11-07 13:33 . 2012-10-12 05:56 6918632 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll

2012-11-07 11:22 . 2012-11-07 11:22 -------- d-----w- c:\documents and settings\All Users\Application Data\IObit

2012-11-07 11:22 . 2012-11-07 11:22 -------- d-----w- c:\documents and settings\TJ\Application Data\IObit

2012-11-07 11:22 . 2012-11-07 11:22 -------- d-----w- c:\programmer\IObit

2012-11-07 10:01 . 2012-11-07 10:01 -------- d-----w- c:\programmer\Enigma Software Group

2012-11-07 10:01 . 2012-11-07 10:01 -------- d-----w- c:\programmer\Fælles filer\Wise Installation Wizard

2012-11-07 08:09 . 2012-11-07 08:09 -------- d-----w- c:\windows\ERUNT

2012-11-07 08:04 . 2012-11-07 08:43 -------- d-----w- C:\SDFix

2012-11-07 07:53 . 2012-11-07 07:53 -------- d-----w- c:\documents and settings\TJ\Application Data\Windows Search

2012-11-06 13:34 . 2012-11-06 13:35 -------- d-----w- c:\documents and settings\All Users\Application Data\HitmanPro

2012-11-06 12:28 . 2012-11-06 12:30 -------- d-----w- c:\documents and settings\All Users\Application Data\88B8B9ACFFC33652000088B830FF40C4

2012-11-05 14:25 . 2011-10-23 16:01 175104 ----a-w- c:\windows\system32\BRCOM11A.DLL

2012-11-05 14:25 . 2010-11-17 08:28 107888 ----a-w- c:\windows\system32\BRRBTOOL.EXE

2012-11-05 14:25 . 2010-04-02 05:33 25299 ----a-w- c:\windows\system32\BRLM03A.DLL

2012-11-05 14:25 . 2010-02-05 02:42 180224 ----a-w- c:\windows\system32\BROSNMP.DLL

2012-11-05 14:25 . 2005-01-17 07:10 45056 ----a-w- c:\windows\system32\BRTCPCON.DLL

2012-11-05 14:25 . 2004-08-09 06:42 77824 ----a-w- c:\windows\system32\BRLMW03A.DLL

2012-11-05 14:25 . 2012-11-05 14:25 -------- d-----w- C:\Brother

2012-11-05 14:25 . 2012-11-05 14:25 -------- d-----w- c:\programmer\Browny02

2012-11-05 14:25 . 2012-11-05 14:25 -------- d-----w- c:\programmer\Brother

2012-11-05 14:24 . 2012-11-05 14:24 -------- d-----w- c:\documents and settings\TJ\Application Data\InstallShield

2012-11-05 14:24 . 2012-11-05 14:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Brother

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-09-21 05:48 . 2012-04-11 06:29 696240 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-09-21 05:48 . 2011-05-17 06:16 73136 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-08-30 20:03 . 2010-10-24 19:25 193552 ----a-w- c:\windows\system32\drivers\MpFilter.sys

2012-08-28 15:17 . 2008-04-15 12:00 916992 ----a-w- c:\windows\system32\wininet.dll

2012-08-28 15:17 . 2008-04-15 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll

2012-08-28 15:17 . 2008-04-15 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl

2012-08-28 12:07 . 2008-04-15 12:00 385024 ----a-w- c:\windows\system32\html.iec

2012-08-24 13:53 . 2008-04-15 12:00 177664 ----a-w- c:\windows\system32\wintrust.dll

2012-08-23 06:27 . 2008-04-15 12:00 2151424 ----a-w- c:\windows\system32\ntoskrnl.exe

2012-08-23 06:27 . 2008-04-14 08:45 2030080 ----a-w- c:\windows\system32\ntkrnlpa.exe

.

.

((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-08-26 141336]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-08-26 173592]

"Persistence"="c:\windows\system32\igfxpers.exe" [2009-08-26 142872]

"RTHDCPL"="RTHDCPL.EXE" [2009-07-02 18665472]

"picon"="c:\programmer\Fælles filer\Intel\Privacy Icon\PrivacyIconClient.exe" [2009-07-24 796696]

"SentinelKlient"="c:\programmer\Sentinel Klient\Client.exe" [2012-09-19 143360]

"SunJavaUpdateSched"="c:\programmer\Fælles filer\Java\Java Update\jusched.exe" [2011-06-09 254696]

"Adobe ARM"="c:\programmer\Fælles filer\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]

"MSC"="c:\programmer\Microsoft Security Client\msseces.exe" [2012-09-12 947176]

"BrStsMon00"="c:\programmer\Browny02\Brother\BrStMonW.exe" [2011-10-18 2678784]

.

c:\documents and settings\All Users\Menuen Start\Programmer\Start\

Hardcopy.LNK - c:\programmer\Hardcopy\hardcopy.exe [2010-1-14 815104]

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\programmer\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]

2007-04-27 11:10 18744 ----a-w- c:\windows\system32\PCANotify.dll

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36.sys]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

@="Service"

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

"5985:TCP"= 5985:TCP:*:Disabled:Windows Fjernadministration

.

R2 MBAMScheduler;MBAMScheduler;c:\programmer\Malwarebytes' Anti-Malware\mbamscheduler.exe [08-11-2012 07:41 399432]

R2 Sentinel_Update;Sentinel Updater;c:\programmer\Sentinel Klient\UpdateClientService.exe [03-02-2011 11:12 12800]

R2 UNS;Intel® Management and Security Application User Notification Service;c:\programmer\Fælles filer\Intel\Privacy Icon\UNS\UNS.exe [13-01-2010 19:20 2066968]

R3 BrYNSvc;BrYNSvc;c:\programmer\Browny02\BrYNSvc.exe [05-11-2012 15:25 249856]

R3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k5132.sys [01-10-2009 15:11 160424]

R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [23-07-2008 11:31 44800]

S2 MBAMService;MBAMService;c:\programmer\Malwarebytes' Anti-Malware\mbamservice.exe [08-11-2012 07:41 676936]

S2 WinDefend;Windows Defender;c:\programmer\Windows Defender\MsMpEng.exe [03-11-2006 19:19 13592]

S3 esgiguard;esgiguard;\??\c:\programmer\Enigma Software Group\SpyHunter\esgiguard.sys --> c:\programmer\Enigma Software Group\SpyHunter\esgiguard.sys [?]

S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [08-11-2012 07:41 22856]

.

Contents of the 'Scheduled Tasks' folder

.

2012-11-08 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-11 05:48]

.

2012-11-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\programmer\Google\Update\GoogleUpdate.exe [2012-09-21 05:48]

.

2012-11-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\programmer\Google\Update\GoogleUpdate.exe [2012-09-21 05:48]

.

2012-11-09 c:\windows\Tasks\MpIdleTask.job

- c:\programmer\Microsoft Security Client\MpCmdRun.exe [2012-09-12 15:25]

.

2012-11-09 c:\windows\Tasks\OGALogon.job

- c:\windows\system32\OGAEXEC.exe [2009-08-03 14:07]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

Trusted Zone: danid.dk

Trusted Zone: webreq.dk\www

Trusted Zone: webreq.dk\www2

TCP: Interfaces\{29081F36-388C-4802-A6EF-EE72E74DD688}: NameServer = 8.8.8.8,8.8.8.4,4.2.2.1,4.2.2.2,208.67.222.222,208.67.220.220,8.26.56.26,8.20.247.20,156.154.70.1,156.154.71.1

DPF: {82E5DF24-51E8-47CD-864A-F4BD5005AA73} - hxxps://www.icloud.com/system/iCloud.cab

DPF: {9DF01F00-08E7-4DBE-9070-94841463B3FE} - hxxps://danid.dk/csp/authenticode/csp.exe

.

- - - - ORPHANS REMOVED - - - -

.

Toolbar-Locked - (no file)

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2012-11-09 07:55

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_278_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_278_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="IFlashBroker5"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(632)

c:\windows\system32\PCANotify.dll

.

Completion time: 2012-11-09 07:56:33

ComboFix-quarantined-files.txt 2012-11-09 06:56

.

Pre-Run: 73,157,087,232 bytes free

Post-Run: 73,317,675,008 bytes free

.

- - End Of File - - 15A7884C2219D59B1FEE1089A841E36C


Re-running ComboFix to remove infections:

 

  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the quotebox below into it:

    KillAll::
     
    File::
    c:\windows\DDABC66756B3412282B02F5782EA2F9A.TMP
     
    Firefox::
    Trusted Zone: danid.dk
    Trusted Zone: webreq.dk\www
    Trusted Zone: webreq.dk\www2
     
    DDS::
     
    Trusted Zone: danid.dk
    Trusted Zone: webreq.dk\www
    Trusted Zone: webreq.dk\www2
     
  • Save this as CFScript.txt, in the same location as ComboFix.exe
     
    http://i424.photobucket.com/albums/pp322/digistar/cfscriptb4.gif
     
  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at C:\ComboFix.txt
  • I don't need to see the log from this script.

************************************************************

  • Download RogueKiller on the desktop
  • Close all the running programs
  • Windows Vista/7 users: right click on RogueKiller.exe, click Run as Administrator
  • Otherwise just double-click on RogueKiller.exe
  • Pre-scan will start. Let it finish.
  • Click on SCAN button.
  • A report (RKreport.txt) should open. Post its content in your next reply. (RKreport could also be found on your desktop)
  • If RogueKiller has been blocked, do not hesitate to try a few times more. If it really won't run, rename it to winlogon.exe (or winlogon.com) and try again.

**************************************************

SysProt Antirootkit

 

Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors).

 

http://sites.google.com/site/sysprotantirootkit/

 

Unzip it into a folder on your desktop.

  • Double click Sysprot.exe to start the program.
  • Click on the Log tab.
  • In the Write to log box select the following items.
    • Process << Selected
    • Kernel Modules << Selected
    • SSDT << Selected
    • Kernel Hooks << Selected
    • IRP Hooks << NOT Selected
    • Ports << NOT Selected
    • Hidden Files << Selected

  • At the bottom of the page:
    • Hidden Objects Only << Selected
  • Click on the Create Log button on the bottom right.
  • After a few seconds a new window should appear.
  • Select Scan Root Drive. Click on the Start button.
  • When it is complete a new window will appear to indicate that the scan is finished.
  • The log will be saved automatically in the same folder Sysprot.exe was extracted to. Open the text file and copy/paste the log here.


RogueKiller report

 

RogueKiller V8.2.3 [11/07/2012] by Tigzy

mail: tigzyRK<at>gmail<dot>com

Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/

Website: http://tigzy.geekstogo.com/roguekiller.php

Blog: http://tigzyrk.blogspot.com

 

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version

Started in : Normal mode

User : TJ [Admin rights]

Mode : Scan -- Date : 11/16/2012 14:41:15

 

¤¤¤ Bad processes : 0 ¤¤¤

 

¤¤¤ Registry Entries : 3 ¤¤¤

[DNS] HKLM\[...]\ControlSet001\Services\Interfaces\{29081F36-388C-4802-A6EF-EE72E74DD688} : NameServer (8.8.8.8,8.8.8.4,4.2.2.1,4.2.2.2,208.67.222.222,208.67.220.220,8.26.56.26,8.20.247.20,156.154.70.1,156.154.71.1) -> FOUND

[DNS] HKLM\[...]\ControlSet002\Services\Interfaces\{29081F36-388C-4802-A6EF-EE72E74DD688} : NameServer (8.8.8.8,8.8.8.4,4.2.2.1,4.2.2.2,208.67.222.222,208.67.220.220,8.26.56.26,8.20.247.20,156.154.70.1,156.154.71.1) -> FOUND

[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND

 

¤¤¤ Particular Files / Folders: ¤¤¤

 

¤¤¤ Driver : [LOADED] ¤¤¤

 

¤¤¤ HOSTS File: ¤¤¤

--> C:\WINDOWS\system32\drivers\etc\hosts

 

127.0.0.1 localhost

 

 

¤¤¤ MBR Check: ¤¤¤

 

+++++ PhysicalDrive0: WDC WD3200AAJS-60M0A1 +++++

--- User ---

[MBR] 9abe99cc7d1205b06582d87921defcf6

[bSP] 6e1cb52fccfcbb8258f46cbd049ea3c4 : Windows XP MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 81956 Mo

1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 167847120 | Size: 223286 Mo

User = LL1 ... OK!

User = LL2 ... OK!

 

Finished : << RKreport[1]_S_11162012_02d1441.txt >>

RKreport[1]_S_11162012_02d1441.txt

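Added example (editor's code, not part of any post in this thread and not RogueKiller's code): a small audit of the [DNS] and [HJPOL] lines from the report above. RogueKiller flags a static NameServer value as a possible hijack but does not say which addresses are trustworthy, so the script checks each one against a table of published public resolvers and reports the ones it cannot vouch for. The sample report is constructed from the lines posted above; the resolver table is an assumption and should be replaced by the resolvers the machine is actually supposed to use (for a desktop that reaches its provider over a VPN, that is usually an internal address, not a public one).

```python
"""Audit the [DNS] and [HJPOL] findings from a RogueKiller report.

Added example for this thread (not RogueKiller code). SAMPLE_REPORT is
constructed from the lines posted in the thread; KNOWN_RESOLVERS is an
assumption and should hold the resolvers your own network expects.
"""
import ipaddress
import re

# Published addresses of well-known public resolvers (assumption: replace
# with the organization's own resolvers for a real audit).
KNOWN_RESOLVERS = {
    "8.8.8.8": "Google Public DNS",
    "8.8.4.4": "Google Public DNS",
    "4.2.2.1": "Level 3",
    "4.2.2.2": "Level 3",
    "208.67.222.222": "OpenDNS",
    "208.67.220.220": "OpenDNS",
    "8.26.56.26": "Comodo Secure DNS",
    "8.20.247.20": "Comodo Secure DNS",
    "156.154.70.1": "Neustar DNS Advantage",
    "156.154.71.1": "Neustar DNS Advantage",
}

DNS_LINE = re.compile(
    r"^\[DNS\]\s+(?P<key>\S+)\s*:\s*NameServer\s*\((?P<servers>[^)]*)\)")
POLICY_LINE = re.compile(
    r"^\[HJPOL\]\s+(?P<key>\S+)\s*:\s*(?P<value>\w+)\s*\((?P<data>[^)]*)\)")

# Constructed from the RogueKiller output posted in this thread.
SAMPLE_REPORT = r"""
[DNS] HKLM\[...]\ControlSet001\Services\Interfaces\{29081F36-388C-4802-A6EF-EE72E74DD688} : NameServer (8.8.8.8,8.8.8.4,4.2.2.1,4.2.2.2,208.67.222.222,208.67.220.220,8.26.56.26,8.20.247.20,156.154.70.1,156.154.71.1) -> FOUND
[DNS] HKLM\[...]\ControlSet002\Services\Interfaces\{29081F36-388C-4802-A6EF-EE72E74DD688} : NameServer (8.8.8.8,8.8.8.4,4.2.2.1,4.2.2.2,208.67.222.222,208.67.220.220,8.26.56.26,8.20.247.20,156.154.70.1,156.154.71.1) -> FOUND
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
"""


def classify_resolver(addr):
    """Return a verdict string for one NameServer address."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "unparseable"
    if ip.is_private or ip.is_loopback:
        return "internal resolver"
    if addr in KNOWN_RESOLVERS:
        return "known public resolver (%s)" % KNOWN_RESOLVERS[addr]
    # Not a published resolver address: a typo by whoever set it, or a
    # server someone else controls. Either way it must be checked.
    return "UNKNOWN"


def audit_report(text):
    """Parse a RogueKiller report and return one finding dict per flagged line."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = DNS_LINE.match(line)
        if m:
            # A static NameServer value overrides what DHCP hands out, so a
            # long hard-coded list on a managed desktop is unusual by itself.
            servers = [s.strip() for s in m.group("servers").split(",") if s.strip()]
            verdicts = {s: classify_resolver(s) for s in servers}
            findings.append({
                "type": "dns",
                "key": m.group("key"),
                "servers": verdicts,
                "unknown": [s for s, v in verdicts.items() if v == "UNKNOWN"],
            })
            continue
        m = POLICY_LINE.match(line)
        if m:
            data = m.group("data").strip()
            findings.append({
                "type": "policy",
                "key": m.group("key"),
                "value": m.group("value"),
                "data": data,
                # DisableRegistryTools=1 blocks regedit; 0 means the restriction
                # is off, so only the presence of the value was reported.
                "restrictive": data not in ("0", "0x0"),
            })
    return findings


if __name__ == "__main__":
    for f in audit_report(SAMPLE_REPORT):
        if f["type"] == "dns":
            print(f["key"], "-> unknown resolvers:", f["unknown"])
        else:
            print(f["key"], f["value"], "=", f["data"], "restrictive:", f["restrictive"])
```

Run against the report above, nine of the ten addresses resolve to well-known public services and one, 8.8.8.4, does not (Google's published addresses are 8.8.8.8 and 8.8.4.4), and the DisableRegistryTools value is present but set to 0, so regedit is not actually blocked. Whether the hard-coded list belongs there is a question for whoever administers the network, which is why the allow-list is meant to be edited rather than trusted as shipped.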

SysProt log

 

SysProt AntiRootkit v1.0.1.0

by swatkat

 

******************************************************************************************

******************************************************************************************

 

No Hidden Processes found

 

******************************************************************************************

******************************************************************************************

Kernel Modules:

Module Name: Combo-Fix.sys

Service Name: ---

Module Base: BA0F8000

Module End: BA107000

Hidden: Yes

 

Module Name: \SystemRoot\System32\Drivers\dump_iaStor.sys

Service Name: ---

Module Base: 9685A000

Module End: 96934000

Hidden: Yes

 

Module Name: \??\C:\ComboFix\catchme.sys

Service Name: catchme

Module Base: BA358000

Module End: BA360000

Hidden: Yes

 

Module Name: \??\C:\WINDOWS\system32\Drivers\PROCEXP113.SYS

Service Name: ---

Module Base: 985CC000

Module End: 985CE000

Hidden: Yes

 

******************************************************************************************

******************************************************************************************

No SSDT Hooks found

 

******************************************************************************************

******************************************************************************************

No Kernel Hooks found

 

******************************************************************************************

******************************************************************************************

No hidden files/folders found


How's your computer running now?

 

ESET Online Scan

 

Scan your computer with the ESET FREE Online Virus Scan

 

* Click the ESET Online Scanner button.

 

* For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

* Click on the esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop

* Double click on the esetsmartinstaller_enu.exe icon on your desktop.

* Place a check mark next to YES, I accept the Terms of Use.

 

* Click the Start button.

* Accept any security warnings from your browser.

* Leave the check mark next to Remove found threats and place a check next to Scan archives.

* Click the Start button.

* ESET will then download updates, install, and begin scanning your computer. Please be patient as this can take some time.

* When the scan completes, click List of found threats.

* Next click Export to text file and save the file to your desktop using a name such as ESETScan. Include the contents of this report in your next reply.

* Click the Back button then click Finish.

 

In your next reply please include the ESET Online Scan Log


ESET log

 

C:\System Volume Information\_restore{F77CD312-713D-455D-8EE7-094F01EFC669}\RP1\A0000002.exe a variant of Win32/Kryptik.AOLJ trojan cleaned by deleting - quarantined

C:\TDSSKiller_Quarantine\25.04.2012_10.45.06\mbr0000\tdlfs0000\tsk0011.dta Win32/Olmasco.Q trojan cleaned by deleting - quarantined

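Added example (editor's code, not part of any post in this thread and not ESET's code): a triage of the ESET export above by detection location. Both hits sit in places where a file cannot execute on its own, a System Restore snapshot (the _restore{...}\RP1 folder) and TDSSKiller's quarantine from April, so they are leftovers of the earlier cleanup rather than evidence that the machine is still infected; the script makes that distinction explicit instead of leaving it to a reader of raw paths. The two sample lines are constructed from the log above; the location rules are an assumption that covers the tools used in this thread and should be extended with the quarantine folder of whatever AV is in use.

```python
"""Triage an ESET Online Scanner export by detection location.

Added example for this thread (not ESET code). SAMPLE_LOG is constructed
from the log posted in the thread; INERT_LOCATIONS is an assumption that
covers the quarantine layouts of the tools used in the thread.
"""
import re

# <path> <threat name> <action>, as ESET's "Export to text file" writes it.
ESET_LINE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?P<threat>(?:a variant of )?[A-Za-z0-9]+/\S+ "
    r"(?:trojan|worm|virus|backdoor|adware|application))\s+"
    r"(?P<action>(?:cleaned|deleted|quarantined|unable|error).*)$")

# Locations where a detection is an inert copy rather than a live file.
# Patterns run against the lower-cased path. (Assumption: these are the
# layouts of the tools in this thread; add your own AV's quarantine folder.)
INERT_LOCATIONS = [
    (r"\\system volume information\\_restore\{", "System Restore snapshot"),
    # tdlfs* folders under TDSSKiller's quarantine hold the contents of the
    # hidden file system it pulled from the MBR, not files on C:.
    (r"^[a-z]:\\tdsskiller_quarantine\\", "TDSSKiller quarantine"),
    (r"^[a-z]:\\qoobox\\quarantine\\", "ComboFix quarantine"),
    (r"\\quarantine\\", "other quarantine folder"),
]

# Constructed from the ESET output posted in this thread.
SAMPLE_LOG = r"""
C:\System Volume Information\_restore{F77CD312-713D-455D-8EE7-094F01EFC669}\RP1\A0000002.exe a variant of Win32/Kryptik.AOLJ trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\25.04.2012_10.45.06\mbr0000\tdlfs0000\tsk0011.dta Win32/Olmasco.Q trojan cleaned by deleting - quarantined
"""


def locate(path):
    """Return the inert-location label for path, or None if it is a live location."""
    low = path.lower()
    for pattern, label in INERT_LOCATIONS:
        if re.search(pattern, low):
            return label
    return None


def triage(text):
    """Parse ESET log lines and mark each detection active or inert."""
    results = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ESET_LINE.match(line)
        if not m:
            # Unparsed lines are treated as active so they are never ignored.
            results.append({"path": line, "threat": None, "action": None,
                            "location": "unparsed", "active": True})
            continue
        location = locate(m.group("path"))
        results.append({
            "path": m.group("path"),
            "threat": m.group("threat"),
            "action": m.group("action"),
            "location": location or "live file system",
            "active": location is None,
        })
    return results


def summarize(results):
    """Count active vs. inert detections so 'is it still infected?' gets a plain answer."""
    active = sum(1 for r in results if r["active"])
    return {"total": len(results), "active": active, "inert": len(results) - active}


if __name__ == "__main__":
    rows = triage(SAMPLE_LOG)
    for r in rows:
        print("ACTIVE" if r["active"] else "inert ", r["location"], "|", r["threat"], "|", r["path"])
    print(summarize(rows))
```

The cleanup steps that follow in the thread (uninstalling ComboFix, which resets System Restore, and Disk Cleanup) remove exactly these inert copies; old quarantine folders left behind by earlier tools should be deleted by hand once the machine has stayed clean, otherwise every later scanner will keep rediscovering them.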

Ok. Let's do some cleanup.

 

To uninstall ComboFix

 

  • Click the Start button. Click Run. For Vista: type in Run in the Start search, and click on Run in the results pane.
  • In the field, type in ComboFix /uninstall

 

http://i424.photobucket.com/albums/pp322/digistar/Combofix_uninstall_image.jpg

 

(Note: Make sure there's a space between the word ComboFix and the forward-slash.)

 

  • Then, press Enter, or click OK.
  • This will uninstall ComboFix, delete its folders and files, hides System files and folders, and resets System Restore.

*****************************************************

Click Start> Computer> right click the C Drive and choose Properties> enter

Click Disk Cleanup from there.

 

http://i424.photobucket.com/albums/pp322/digistar/diskcleanup2.jpg

 

Click OK on the Disk Cleanup Screen.

Click Yes on the Confirmation screen.

 

http://i424.photobucket.com/albums/pp322/digistar/diskcleanup.jpg

 

This runs the Disk Cleanup utility along with other selections if you have chosen any. (If you had a lot of System Restore points, you will see a significant change in the free space on the C drive.)

************************************************

Go to Microsoft Windows Update and get all critical updates.

 

----------

 

I suggest using WOT - Web of Trust. WOT is a free Internet security add-on for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

 

SpywareBlaster- Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.

* Using SpywareBlaster to protect your computer from Spyware and Malware

* If you don't know what ActiveX controls are, see here

 

Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ

 

Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

 

Also see Slow Computer? It may not be Malware for free cleaning/maintenance tools to help keep your computer running smoothly.

Safe Surfing!


Archived

This topic is now archived and is closed to further replies.
