Win32 Mebroot Trojan/Virus Problem :( (In Progress)

Tubnarden
Junior Member with 4 posts.
 
Join Date: Jul 2010
Experience: Advanced
29-Jul-2010, 03:29 AM #1
Win32 Mebroot Trojan/Virus Problem :(
I believe I have the same infection as a few other posts I've been seeing around the net the last couple of days.
ESET detected a Mebroot Trojan it can't clean in the operating memory, and I am very certain that it is causing my PC's weird behavior.
My virus constantly gives me alerts about blocking the infection from doing all the weird stuff it is set up to do (popups in my browser, play weird noises in the background, etc.)

I would really appreciate any help I can get removing this.

Thank you so much in advance!

Also, here is a HijackThis log..


HiJackThis log


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:28:33, on 29-07-2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18928)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesApp32.exe
C:\Windows\system32\conime.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\HP\Digital Imaging\bin\HpqSRmon.exe
C:\Program Files\IDT\wdm\sttray.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\AVG\AVG9\avgtray.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Medion\MD 86097 W-LAN USB Remote Hub\RemoteUSBHub.exe
C:\Program Files\Rainlendar\Rainlendar.exe
C:\Users\Alvand\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Users\Alvand\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Alvand\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Alvand\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Alvand\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TY...vilion&pf=cnnb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TY...vilion&pf=cnnb
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TY...vilion&pf=cnnb
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TY...vilion&pf=cnnb
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhosts
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Hjælp til tilmelding til Windows Live ID - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [QlbCtrl.exe] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [SmartMenu] %ProgramFiles%\Hewlett-Packard\HP MediaSmart\SmartMenu.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray.exe
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [Sys32V2Contoller] C:\Windows\mw2mmgr32\mw2mmgr32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\DTLite.exe" -autorun
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Remote USB Hub] "C:\Program Files\Medion\MD 86097 W-LAN USB Remote Hub\RemoteUSBHub.exe" hide
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETVÆRKSTJENESTE')
O4 - Startup: Rainlendar.lnk = C:\Program Files\Rainlendar\Rainlendar.exe
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send billede til &Bluetooth-enhed... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send siden til &Bluetooth-enhed... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Send til OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end til OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: HP Smart markering - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - (no file)
O13 - Gopher Prefix:
O15 - Trusted IP range: http://192.168.1.1
O15 - ESC Trusted IP range: http://192.168.1.1
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Norton 2009 Reset (.norton2009Reset) - Unknown owner - C:\ProgramData\Norton\Norton2009Reset.exe
O23 - Service: Adobe Active File Monitor V8 (AdobeActiveFileMonitor8.0) - Adobe Systems Incorporated - C:\Program Files\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe
O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_e2247046\aestsrv.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Bonjour tjeneste (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Com4QLBEx - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: HP Service (hpsrv) - Hewlett-Packard Corporation - C:\Windows\system32\Hpservice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod-tjeneste (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxdx_device - - C:\Windows\system32\lxdxcoms.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: RealtekUSB - Realtek - C:\Program Files\Realtek\RTL8187 Wireless LAN Utility\RtlService.exe
O23 - Service: Recovery Service for Windows - Unknown owner - C:\Program Files\SMINST\BLService.exe
O23 - Service: Audio Service (STacSV) - IDT, Inc. - C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_e2247046\STacSV.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: TeamViewer 5 (TeamViewer5) - TeamViewer GmbH - C:\Program Files\TeamViewer\Version5\TeamViewer_Service.exe
O23 - Service: @C:\Program Files\TuneUp Utilities 2010\TuneUpDefragService.exe,-1 (TuneUp.Defrag) - TuneUp Software - C:\Program Files\TuneUp Utilities 2010\TuneUpDefragService.exe
O23 - Service: TuneUp Utilities Service (TuneUp.UtilitiesSvc) - TuneUp Software - C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe

--
End of file - 11352 bytes
dvk01
Moderator & Malware Removal Specialist with 37,223 posts.
 
Join Date: Dec 2002
Location: Loughton, Essex, UK
29-Jul-2010, 07:16 AM #2
Before we start, this is a beta version of combofix that hopefully will cure this infection but it isn't guaranteed to do so.

Delete any existing version of ComboFix you have sitting on your desktop
Please read and follow all these instructions very carefully

Download ComboFix from Here to your Desktop.

**Note: It is important that it is saved directly to your desktop and run from the desktop and not any other folder on your computer**
--------------------------------------------------------------------
1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Very Important! Temporarily disable your anti-virus and anti-malware real-time protection and any script blocking components of them or your firewall before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results" or stop combofix running at all
  • Click on THIS LINK to see instructions on how to temporarily disable many security programs while running combofix. The list does not cover every program. If yours is not listed and you don't know how to disable it, please ask.
  • Remember to re enable the protection again after combofix has finished
--------------------------------------------------------------------
2. Close any open browsers and any other programs you might have running
Double click on combofix.exe & follow the prompts.
If you are using Windows XP, it might display a pop-up saying that "Recovery console is not installed, do you want to install?"
Please select yes & let it download the files it needs to do this
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" for further review


****Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze ****

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply. Read HERE why we disable autoruns

Please do not install any new programs or update anything (always allow your antivirus/antispyware to update) unless told to do so while we are fixing your problem. If combofix alerts to a new version and offers to update, please let it. It is essential we always use the latest version.

Please tell us if it has cured the problems or if there are any outstanding issues
__________________
Derek Microsoft MVP/Windows - Security | Thespykiller | Security & Privacy
Find out all about the European Wild Hedgehog, what you can do to save it from extinction Hedgehog Rescue
Tubnarden
Junior Member with 4 posts.
 
Join Date: Jul 2010
Experience: Advanced
29-Jul-2010, 04:36 PM #3
All right
Okay, I did exactly as you told me to, I followed the steps chronologically and I am now in possession of the ComboFix log that you requested.


Oh and btw, some of the log is in Danish (I guess ComboFix detected the language setting set to Danish) - if you want me to, I could translate it for you!


ComboFix Log


ComboFix 10-07-27.04 - Alvand 29-07-2010 21:01:38.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.45.1030.18.3038.2093 [GMT 2:00]
Kører fra: c:\users\Alvand\Desktop\wCFix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Andet, der er slettet )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\install.exe
c:\programdata\mw2mmgr.inc
c:\programdata\mw2mmgr.txt
c:\users\Alvand\AppData\Roaming\Microsoft\profile.dat
c:\windows\system32\%appdata%

.
\\.\PhysicalDrive0 - Bootkit Whistler was found and disinfected
.
((((((((((((((((((((((((((((((((((((((( Drivers/Tjenester )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_.norton2009Reset


((((((((((((((((((((((((((((( Filer skabt fra 2010-06-28 til 2010-07-29 )))))))))))))))))))))))))))))))))))
.

2010-07-29 19:15 . 2010-07-29 19:15 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-07-29 19:15 . 2010-07-29 19:15 -------- d-----w- c:\users\Alvand\AppData\Local\temp
2010-07-29 04:06 . 2010-07-29 04:06 -------- d-----w- c:\users\Alvand\DoctorWeb
2010-07-28 17:57 . 2010-07-28 17:57 -------- d-----w- C:\$AVG
2010-07-28 17:55 . 2010-07-28 17:55 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-07-28 17:55 . 2010-07-28 17:55 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-07-28 17:55 . 2010-07-28 17:55 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-07-28 17:55 . 2010-07-28 17:55 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-07-28 17:55 . 2010-07-28 23:19 -------- d-----w- c:\windows\system32\drivers\Avg
2010-07-28 17:52 . 2010-07-28 17:52 -------- d-----w- c:\program files\AVG
2010-07-28 17:52 . 2010-07-28 17:52 -------- d-----w- c:\programdata\avg9
2010-07-28 15:54 . 2010-07-28 15:54 -------- d-----w- c:\programdata\WindowsSearch
2010-07-22 17:26 . 2010-07-22 17:26 -------- d-----w- c:\program files\ESET
2010-07-22 17:07 . 2010-07-22 17:07 -------- d-----w- c:\users\Alvand\Skole Filer
2010-07-16 14:51 . 2010-07-16 14:51 -------- d-----w- C:\Medion
2010-07-14 05:12 . 2010-07-14 05:12 -------- d-----w- c:\windows\OPTIONS
2010-07-14 05:12 . 2008-06-27 07:40 335872 ----a-w- c:\windows\system\rtl8187.sys
2010-07-14 05:12 . 2010-07-14 05:12 -------- d-----w- c:\windows\system32\REALTEK RTL8187 Wireless LAN Driver and Utility
2010-07-14 05:12 . 2007-04-23 08:50 25896 ----a-w- c:\windows\system32\drivers\RtlProt.sys
2010-07-14 05:03 . 2008-06-27 07:40 335872 ----a-w- c:\windows\system32\drivers\rtl8187.sys
2010-07-13 05:24 . 2007-02-02 09:26 273920 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\hpzpp4v2.dll
2010-07-13 05:23 . 2007-02-02 09:27 117760 ----a-w- c:\windows\system32\hpz3l4v2.dll
2010-07-02 00:42 . 2010-07-02 00:42 -------- d-----w- c:\users\Alvand\AppData\Local\Xenocode
2010-07-02 00:32 . 2010-07-02 00:32 -------- d-----w- c:\program files\RVG Software

.
(((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-29 19:21 . 2009-09-02 16:13 -------- d-----w- c:\users\Alvand\AppData\Roaming\Skype
2010-07-29 19:21 . 2009-09-02 16:14 -------- d-----w- c:\users\Alvand\AppData\Roaming\skypePM
2010-07-29 19:18 . 2009-03-30 09:54 303618 ----a-w- c:\programdata\nvModes.dat
2010-07-29 19:16 . 2009-02-23 18:00 1076 ----a-w- c:\windows\bthservsdp.dat
2010-07-29 01:24 . 2009-03-29 21:41 -------- d-----w- c:\program files\Common Files\Adobe
2010-07-29 00:34 . 2009-04-05 20:15 -------- d-----w- c:\program files\Wireless LAN Utility
2010-07-29 00:33 . 2009-02-23 18:08 -------- d-----w- c:\program files\Realtek
2010-07-29 00:33 . 2008-11-17 06:40 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-07-29 00:31 . 2010-06-13 09:36 -------- d-----w- c:\program files\Macromedia
2010-07-29 00:30 . 2009-11-27 01:32 -------- d-----w- c:\users\Alvand\AppData\Roaming\JLC's Software
2010-07-29 00:30 . 2009-11-27 01:32 -------- d-----w- c:\program files\JLC's Software
2010-07-29 00:29 . 2010-06-13 09:37 -------- d-----w- c:\program files\Common Files\Macromedia
2010-07-28 23:47 . 2009-08-22 02:19 -------- d-----w- c:\program files\BatteryCare
2010-07-28 21:11 . 2009-03-29 22:43 -------- d-----w- c:\users\Alvand\AppData\Roaming\uTorrent
2010-07-28 19:44 . 2008-11-17 07:30 592200 ----a-w- c:\windows\system32\perfh01D.dat
2010-07-28 19:44 . 2008-11-17 07:30 118140 ----a-w- c:\windows\system32\perfc01D.dat
2010-07-28 19:44 . 2008-11-17 07:23 77234 ----a-w- c:\windows\system32\perfc014.dat
2010-07-28 19:44 . 2008-11-17 07:23 446736 ----a-w- c:\windows\system32\perfh014.dat
2010-07-28 19:44 . 2008-11-17 07:17 81456 ----a-w- c:\windows\system32\perfc00B.dat
2010-07-28 19:44 . 2008-11-17 07:17 430022 ----a-w- c:\windows\system32\perfh00B.dat
2010-07-28 19:44 . 2008-11-17 07:11 78210 ----a-w- c:\windows\system32\perfc006.dat
2010-07-28 19:44 . 2008-11-17 07:11 466378 ----a-w- c:\windows\system32\perfh006.dat
2010-07-27 00:27 . 2009-04-01 18:21 -------- d-----w- c:\users\Alvand\AppData\Roaming\dvdcss
2010-07-25 05:45 . 2009-04-03 22:54 -------- d-----w- c:\users\Alvand\AppData\Roaming\FileZilla
2010-07-17 14:05 . 2009-07-02 17:41 -------- d-----w- c:\programdata\TrackMania
2010-07-17 14:00 . 2009-05-06 17:37 -------- d-----w- c:\program files\Steam
2010-07-16 23:21 . 2010-02-07 23:12 -------- d-----w- c:\program files\SopCast
2010-07-16 23:21 . 2009-05-07 20:48 -------- d-----w- c:\program files\Ventrilo
2010-07-16 23:21 . 2009-07-23 05:25 -------- d-----w- c:\program files\Mario Forever
2010-07-16 23:21 . 2010-03-07 13:15 -------- d-----w- c:\program files\Fake Webcam
2010-07-16 23:21 . 2010-01-30 06:45 -------- d-----w- c:\program files\Easy GIF Animator
2010-07-16 23:21 . 2010-05-20 15:55 -------- d-----w- c:\program files\AviSynth 2.5
2010-07-16 23:21 . 2010-03-07 13:15 -------- d-----w- c:\program files\Common Files\fwc
2010-07-16 23:21 . 2009-05-22 22:31 -------- d-----w- c:\program files\Audacity
2010-07-16 23:21 . 2009-05-07 20:46 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-07-16 23:21 . 2009-07-28 09:47 -------- d-----w- c:\program files\Popcap Game Collection
2010-07-16 23:19 . 2010-06-13 09:38 -------- d-----w- c:\program files\Common Files\Macromedia Shared
2010-07-16 13:40 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-07-16 13:36 . 2009-03-29 21:44 -------- d-----w- c:\programdata\Microsoft Help
2010-07-11 05:22 . 2009-04-05 11:48 -------- d-----w- c:\users\Alvand\AppData\Roaming\mIRC
2010-07-11 02:06 . 2009-04-05 11:48 -------- d-----w- c:\program files\mIRC
2010-07-10 23:24 . 2010-04-22 22:53 -------- d-----w- c:\program files\DOSBox-0.73
2010-07-03 02:03 . 2009-04-14 03:01 -------- d-----w- c:\users\Alvand\AppData\Roaming\LimeWire
2010-07-02 02:10 . 2010-06-29 00:52 -------- d-----w- c:\program files\WebWriter4
2010-07-02 02:10 . 2010-06-13 10:30 -------- d-----w- c:\program files\iMapBuilder
2010-06-29 21:19 . 2009-03-29 21:54 112896 ----a-w- c:\users\Alvand\AppData\Local\GDIPFONTCACHEV1.DAT
2010-06-29 12:55 . 2010-06-28 21:10 -------- d-----w- c:\program files\PokerStars
2010-06-27 22:14 . 2010-02-25 23:32 -------- d-----w- c:\program files\TeamViewer
2010-06-21 21:40 . 2010-06-21 21:40 -------- d-----w- c:\program files\Medion
2010-06-21 21:38 . 2010-06-21 21:38 -------- d-----w- c:\programdata\Medion
2010-06-21 21:37 . 2010-06-21 21:37 -------- d-----w- c:\programdata\MD 86097 W-LAN USB Remote Hub
2010-06-19 20:58 . 2009-08-22 02:19 -------- d-----w- c:\users\Alvand\AppData\Roaming\BatteryCare
2010-06-14 02:03 . 2010-06-14 02:03 -------- d-----w- c:\users\Alvand\AppData\Roaming\StreamTorrent
2010-06-13 10:30 . 2010-06-13 10:30 -------- d-----w- c:\users\Alvand\AppData\Roaming\iMapBuilder
2010-06-13 09:40 . 2010-06-13 09:40 -------- d-----w- c:\programdata\Macrovision
2010-06-13 09:36 . 2008-11-17 06:40 -------- d-----w- c:\program files\Common Files\InstallShield
2010-06-12 18:48 . 2010-06-12 18:48 -------- d-----w- c:\users\Alvand\AppData\Roaming\PPMate
2010-06-12 18:48 . 2010-06-12 18:48 -------- d-----w- c:\program files\Common Files\Synacast
2010-06-12 03:56 . 2009-05-06 17:37 -------- d-----w- c:\program files\Common Files\Steam
2010-06-04 18:41 . 2009-07-29 07:03 -------- d-----w- c:\program files\Microsoft Silverlight
2010-05-26 17:06 . 2010-06-10 14:59 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-05-26 14:47 . 2010-06-10 14:59 289792 ----a-w- c:\windows\system32\atmfd.dll
2010-05-21 12:14 . 2009-10-03 05:07 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-04 05:59 . 2010-06-10 14:59 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 05:55 . 2010-06-10 14:59 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-05-04 05:55 . 2010-06-10 14:59 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-05-04 04:31 . 2010-06-10 14:59 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-05-01 14:13 . 2010-06-10 14:59 2037248 ----a-w- c:\windows\system32\win32k.sys
2009-05-20 07:43 . 2009-05-20 07:38 355517557 ----a-w- c:\program files\Steam.rar
2008-11-17 08:01 . 2008-11-17 07:32 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((( Start steder i reg.basen ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Bemærk* tomme linier & lovlige standard linier vises ikke
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-03-09 26100520]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2010-04-01 357696]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
"Remote USB Hub"="c:\program files\Medion\MD 86097 W-LAN USB Remote Hub\RemoteUSBHub.exe" [2010-02-22 409600]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-06-20 1316136]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2008-08-02 202032]
"SmartMenu"="c:\program files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe" [2008-09-23 912688]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-06-02 80896]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-07-23 13797920]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2009-07-22 458844]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-09-29 2054360]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-07-28 2065760]

c:\users\Alvand\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Rainlendar.lnk - c:\program files\Rainlendar\Rainlendar.exe [2006-1-21 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Google Update"="c:\users\Alvand\AppData\Local\Google\Update\GoogleUpdate.exe" /c

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
"HP Health Check Scheduler"=c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"HP Software Update"=c:\program files\HP\HP Software Update\HPWuSchd2.exe
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):a0,bf,5c,30,3e,78,ca,01

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1706451100-832719151-246968079-1000]
"EnableNotifications"=dword:00000001
"EnableNotificationsRef"=dword:00000001

R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2009-07-13 133104]
R3 EMebDrv;EMebDrv;c:\users\Alvand\AppData\Local\Temp\EMebDrv.sys [x]
R3 PEEK4;PEEK4 Protocol Driver;c:\users\Alvand\Chrome Downloads\aircrack-ng-0.9.3-win\bin\PEEK4.SYS [x]
R3 RTL8187;Realtek RTL8187 Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8187.sys [2008-06-27 335872]
R3 SIS163u;SiS163 usb Wireless LAN Adapter Driver;c:\windows\system32\DRIVERS\sis163u.sys [2005-06-20 215040]
R3 USBAAPL;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl.sys [2010-04-16 41472]
R3 VMMDriver;VMM Driver;c:\users\Alvand\Downloads\Portable Microsoft Virtual Pc 2007\Portable Microsoft Virtual Pc 2007\Appdata\bin\VMM\VMM.sys [x]
R3 WSDPrintDevice;Support til WSD-udskrivning via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [2008-01-21 16896]
R4 sptd;sptd;c:\windows\system32\Drivers\sptd.sys [2010-03-26 691696]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2010-07-28 216400]
S1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2010-07-28 243024]
S1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys [2009-09-29 108792]
S1 RtlProt;Realtke RtlProt WLAN Utility Protocol Driver;c:\windows\system32\DRIVERS\rtlprot.sys [2007-04-23 25896]
S2 AdobeActiveFileMonitor8.0;Adobe Active File Monitor V8;c:\program files\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe [2009-09-06 169312]
S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_e2247046\aestsrv.exe [2009-03-03 81920]
S2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [2010-07-28 308136]
S2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2009-09-29 735960]
S2 epfwwfpr;epfwwfpr;c:\windows\system32\DRIVERS\epfwwfpr.sys [2009-09-29 95896]
S2 ezSharedSvc;Easybits Shared Services for Windows;c:\windows\system32\svchost.exe [2008-01-21 21504]
S2 hpsrv;HP Service;c:\windows\system32\Hpservice.exe [2008-03-19 19456]
S2 lxdx_device;lxdx_device;c:\windows\system32\lxdxcoms.exe [2009-10-17 589824]
S2 RealtekUSB;RealtekUSB;c:\program files\Realtek\RTL8187 Wireless LAN Utility\RtlService.exe [2007-07-27 36864]
S2 Recovery Service for Windows;Recovery Service for Windows;c:\program files\SMINST\BLService.exe [2008-10-06 365952]
S2 TeamViewer5;TeamViewer 5;c:\program files\TeamViewer\Version5\TeamViewer_Service.exe [2010-06-21 173352]
S2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe [2009-10-30 1021256]
S3 azvusb;Virtual USB Hub;c:\windows\system32\DRIVERS\azvusb.sys [2009-08-13 44544]
S3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2008-04-03 193840]
S3 enecir;ENE CIR Receiver;c:\windows\system32\DRIVERS\enecir.sys [2008-09-04 54784]
S3 JMCR;JMCR;c:\windows\system32\DRIVERS\jmcr.sys [2008-08-07 97536]
S3 NETw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\NETw5v32.sys [2008-11-17 3668480]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2009-06-26 66080]
S3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesDriver32.sys [2009-10-14 10064]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
ezSharedSvc
.
Indhold af mappen 'Planlagte Opgaver'

2010-07-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-13 23:29]

2010-07-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-13 23:29]

2010-07-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1706451100-832719151-246968079-1000Core.job
- c:\users\Alvand\AppData\Local\Google\Update\GoogleUpdate.exe [2009-03-29 22:17]

2010-07-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1706451100-832719151-246968079-1000UA.job
- c:\users\Alvand\AppData\Local\Google\Update\GoogleUpdate.exe [2009-03-29 22:17]
.
.
------- Yderligere scanning -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=da_dk&c=91&bd=Pavilion&pf=cnnb
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=da_dk&c=91&bd=Pavilion&pf=cnnb
uInternet Settings,ProxyOverride = local
IE: Download ALL with IDA
IE: Download with IDA
IE: E&ksporter til Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Send billede til &Bluetooth-enhed... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send siden til &Bluetooth-enhed... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
.
.
------- Fil Associationer -------
.
.txt=
.
- - - - TOMME GENVEJE FJERNET - - - -

HKLM-Run-Sys32V2Contoller - c:\windows\mw2mmgr32\mw2mmgr32.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-29 21:22
Windows 6.0.6002 Service Pack 2 NTFS

scanner skjulte processer ...

scanner skjulte autostarter ...

scanner skjulte filer ...

scanning gennemført med succes
skjulte filer: 0

**************************************************************************
.
--------------------- LÅSTE REGISTRERINGS NØGLER ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,06,ec,b3,c4,9a,31,a3,45,93,7c,c0,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,06,ec,b3,c4,9a,31,a3,45,93,7c,c0,\

[HKEY_USERS\S-1-5-21-1706451100-832719151-246968079-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{67BBBFAE-FB58-12DF-B22B-EA4BD4E5DC78}*]
"falfaokjklel"=hex:66,61,6d,70,65,66,63,6c,67,6c,62,6d,00,ff
.
--------------------- DLLs startet under kørende Processer ---------------------

- - - - - - - > 'Explorer.exe'(3824)
c:\windows\system32\btncopy.dll
.
------------------------ Andre kørende processer ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\windows\System32\DriverStore\FileRepository\stwrt.inf_e2247046\STacSV.exe
c:\windows\system32\nvvsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Realtek\RTL8187 Wireless LAN Utility\RtWlan.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesApp32.exe
c:\program files\AVG\AVG9\avgtray.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Synaptics\SynTP\SynTPHelper.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
c:\program files\Hewlett-Packard\HP Health Check\hphc_service.exe
c:\windows\system32\conime.exe
.
**************************************************************************
.
Gennemført tid: 2010-07-29 21:30:19 - maskinen blev genstartet
ComboFix-quarantined-files.txt 2010-07-29 19:30

Pre-Kørsel: 31.300.919.296 byte ledig
Post-Kørsel: 34.352.504.832 byte ledig

- - End Of File - - 727932CF89421832687AE4C41C2C3EE3
Tubnarden's Avatar
Computer Specs
Junior Member with 4 posts.
 
Join Date: Jul 2010
Experience: Advanced
29-Jul-2010, 04:40 PM #4
Yo
Whoops, double post

Last edited by Tubnarden; 29-Jul-2010 at 04:54 PM..
dvk01's Avatar
Moderator & Malware Removal Specialist with 37,223 posts.
 
Join Date: Dec 2002
Location: Loughton, Essex, UK
29-Jul-2010, 06:08 PM #5
How is it now?

Have the problems stopped?
Tubnarden's Avatar
Computer Specs
Junior Member with 4 posts.
 
Join Date: Jul 2010
Experience: Advanced
29-Jul-2010, 08:21 PM #6
I happen to think so. Before this I would receive a notice all the time. However, that is not the case now; I have used my computer for a couple of hours now, and I have not gotten any of the symptoms so far...

Do you recommend that I change all my passwords? Email, forums, Facebook, net-banking, Skype, ... you know, everything /:

Btw, thank you very much! I cannot even begin to express my gratitude for your help! Thank you once again for taking time off and helping me.
dvk01's Avatar
Moderator & Malware Removal Specialist with 37,223 posts.
 
Join Date: Dec 2002
Location: Loughton, Essex, UK
30-Jul-2010, 04:42 AM #7
*Follow these steps to uninstall Combofix and the other tools it downloaded to remove the malware*
* Click START then RUN
* Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the /U, it needs to be there.


This will also purge the restore folder and clear any malware that has been put in there. Now empty the Recycle Bin on the desktop, then reboot.

Go here http://www.thespykiller.co.uk/index.php?page=3 for info on how to tighten your security settings and how to help prevent future attacks.

And scan here http://secunia.com/software_inspector/ for out-of-date & vulnerable common applications on your computer, and update whatever it suggests.

Then pay an urgent visit to Windows Update & make sure you are fully updated; that will help to plug the security holes that let these pests on in the first place.

You definitely need to change passwords etc.
__________________
Derek Microsoft MVP/Windows - Security | Thespykiller | Security & Privacy
Find out all about the European Wild Hedgehog, what you can do to save it from extinction Hedgehog Rescue