Author Topic: C:\windows\system32\sshnas21.dll infected, Trojan Horse  (Read 12403 times)

Andrimner

    Topic Starter


    Rookie

    C:\windows\system32\sshnas21.dll infected, Trojan Horse
    « on: February 03, 2010, 01:53:05 PM »
    Hello!

    AVG is telling me that my C:\Windows\System32\sshnas21.dll is infected with Trojan horse PSW.Generic7.BGKK, and that it cannot be removed.

    Any help would be appreciated

    evilfantasy

    • Malware Removal Specialist
    • Moderator


    • Genius
    • Calm like a bomb
    • Thanked: 493
    • Experience: Experienced
    • OS: Windows 11
    Re: C:\windows\system32\sshnas21.dll infected, Trojan Horse
    « Reply #1 on: February 03, 2010, 02:17:43 PM »
    That's a malicious file and there are likely others.

    Start here and post the 3 logs when complete.

    Andrimner

      Re: C:\windows\system32\sshnas21.dll infected, Trojan Horse
      « Reply #2 on: February 04, 2010, 11:59:06 AM »
      All steps completed, here are the logs!

      SUPERAntiSpyware Scan Log
      http://www.superantispyware.com

      Generated 02/04/2010 at 10:55 AM

      Application Version : 4.33.1000

      Core Rules Database Version : 4552
      Trace Rules Database Version: 2364

      Scan type       : Complete Scan
      Total Scan Time : 11:14:47

      Memory items scanned      : 765
      Memory threats detected   : 3
      Registry items scanned    : 6288
      Registry threats detected : 1
      File items scanned        : 67848
      File threats detected     : 14

      Trojan.Agent/Gen-SSHNas[FakeAlert]
         C:\WINDOWS\SYSTEM32\SSHNAS21.DLL
         C:\WINDOWS\SYSTEM32\SSHNAS21.DLL

      Trojan.Dropper/Win-NV
         C:\WINDOWS\MSA.EXE
         C:\WINDOWS\MSA.EXE

      Trojan.Agent/Gen-CDesc[NewF]
         C:\USERS\VEGAR\APPDATA\LOCAL\TEMP\WFX.EXE
         C:\USERS\VEGAR\APPDATA\LOCAL\TEMP\WFX.EXE
         [BMIMZMHMFM] C:\USERS\VEGAR\APPDATA\LOCAL\TEMP\WFX.EXE

      Adware.Tracking Cookie
         C:\Users\Vegar\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][2].txt
         C:\Users\Vegar\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][2].txt
         C:\Users\Vegar\AppData\Roaming\Microsoft\Windows\Cookies\vegar@mediaplex[1].txt
         C:\Users\Vegar\AppData\Roaming\Microsoft\Windows\Cookies\vegar@doubleclick[1].txt
         C:\Users\Vegar\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][3].txt
         C:\Users\Vegar\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][1].txt
         C:\Users\Vegar\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][2].txt
         C:\Users\Vegar\AppData\Roaming\Microsoft\Windows\Cookies\vegar@apmebf[1].txt
         C:\Users\Vegar\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][1].txt
         C:\Users\Vegar\AppData\Roaming\Microsoft\Windows\Cookies\vegar@atdmt[2].txt
         C:\Users\Vegar\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][1].txt


      --------------------------------------------------------------------------------------------------

      Malwarebytes' Anti-Malware 1.44
      Database version: 3688
      Windows 6.1.7600
      Internet Explorer 8.0.7600.16385

      04.02.2010 15:51:30
      mbam-log-2010-02-04 (15-51-30).txt

      Scan type: Quick Scan
      Objects scanned: 100705
      Time elapsed: 16 minute(s), 38 second(s)

      Memory Processes Infected: 0
      Memory Modules Infected: 0
      Registry Keys Infected: 4
      Registry Values Infected: 1
      Registry Data Items Infected: 0
      Folders Infected: 0
      Files Infected: 2

      Memory Processes Infected:
      (No malicious items detected)

      Memory Modules Infected:
      (No malicious items detected)

      Registry Keys Infected:
      HKEY_CURRENT_USER\SOFTWARE\BMIMZMHMFM (Trojan.FakeAlert) -> Quarantined and deleted successfully.
      HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
      HKEY_CURRENT_USER\SOFTWARE\Microsoft\Handle (Malware.Trace) -> Quarantined and deleted successfully.
      HKEY_CURRENT_USER\SOFTWARE\ROUA3O12PW (Trojan.FakeAlert) -> Quarantined and deleted successfully.

      Registry Values Infected:
      HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\losalamos (Trojan.FakeAlert) -> Quarantined and deleted successfully.

      Registry Data Items Infected:
      (No malicious items detected)

      Folders Infected:
      (No malicious items detected)

      Files Infected:
      C:\Windows\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
      C:\Windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (Trojan.Downloader) -> Quarantined and deleted successfully.

      --------------------------------------------------------------------------------------------------------

      Logfile of Trend Micro HijackThis v2.0.2
      Scan saved at 19:52:29, on 04.02.2010
      Platform: Unknown Windows (WinNT 6.01.3504)
      MSIE: Internet Explorer v8.00 (8.00.7600.16385)
      Boot mode: Normal

      Running processes:
      C:\windows\system32\taskhost.exe
      C:\windows\system32\Dwm.exe
      C:\windows\Explorer.EXE
      C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
      C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
      C:\Program Files\ASUS\Asus WebStorage\BackupService.exe
      C:\Program Files\Synaptics\SynTP\SynAsusAcpi.exe
      C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
      C:\Windows\System32\igfxtray.exe
      C:\Windows\System32\hkcmd.exe
      C:\Program Files\AVG\AVG9\avgtray.exe
      C:\Program Files\Common Files\Java\Java Update\jusched.exe
      C:\Program Files\ASUS\Eee Docking\Eee Docking.exe
      C:\Program Files\DAEMON Tools Lite\DTLite.exe
      C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
      C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel.exe
      C:\windows\system32\SearchFilterHost.exe
      C:\Program Files\Trend Micro\HijackThis\sniper.exe.exe
      C:\Program Files\Mozilla Firefox\firefox.exe

      R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://asus.msn.com
      R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://asus.msn.com
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
      R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
      R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
      R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
      R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
      O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
      O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
      O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
      O2 - BHO: Påloggingshjelp for Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
      O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
      O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
      O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
      O4 - HKLM\..\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
      O4 - HKLM\..\Run: [HotkeyService] AsusSender.exe C:\Program Files\EeePC\HotkeyService\HotkeyService.exe
      O4 - HKLM\..\Run: [SuperHybridEngine] AsusSender.exe C:\Program Files\EeePC\SHE\SuperHybridEngine.exe
      O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
      O4 - HKLM\..\Run: [EeeStorageBackup] C:\Program Files\ASUS\Asus WebStorage\BackupService.exe
      O4 - HKLM\..\Run: [liveUpdate] AsusSender.exe C:\Program Files\Asus\LiveUpdate\LiveUpdate.exe auto
      O4 - HKLM\..\Run: [SynAsusAcpi] %ProgramFiles%\Synaptics\SynTP\SynAsusAcpi.exe
      O4 - HKLM\..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
      O4 - HKLM\..\Run: [HotKeyMon] AsusSender.exe C:\Program Files\EeePC\HotkeyService\HotKeyMon.exe
      O4 - HKLM\..\Run: [IgfxTray] C:\windows\system32\igfxtray.exe
      O4 - HKLM\..\Run: [HotKeysCmds] C:\windows\system32\hkcmd.exe
      O4 - HKLM\..\Run: [IgfxExt] C:\windows\system32\IgfxExt.exe /RegServer
      O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
      O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
      O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
      O4 - HKCU\..\Run: [Eee Docking] C:\Program Files\ASUS\Eee Docking\Eee Docking.exe
      O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\DTLite.exe" -autorun
      O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOKAL TJENESTE')
      O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOKAL TJENESTE')
      O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETTVERKSTJENESTE')
      O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETTVERKSTJENESTE')
      O4 - Global Startup: HotKeyMon.lnk = C:\Program Files\EeePC\HotkeyService\HotKeyMon.exe
      O4 - Global Startup: SRS Premium Sound.lnk = ?
      O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
      O9 - Extra button: Blogg dette - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
      O9 - Extra 'Tools' menuitem: &Blogg dette i Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
      O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
      O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
      O9 - Extra button: (no name) - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
      O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
      O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
      O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
      O13 - Gopher Prefix:
      O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
      O20 - AppInit_DLLs: avgrsstx.dll
      O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
      O23 - Service: Asus Launcher Service (AsusService) - Unknown owner - C:\Windows\System32\AsusService.exe
      O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
      O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe

      --
      End of file - 7023 bytes


      evilfantasy

      Re: C:\windows\system32\sshnas21.dll infected, Trojan Horse
      « Reply #3 on: February 04, 2010, 12:09:25 PM »
      If you already have ComboFix be sure to delete it and download a new copy.

      Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.

      Link #1
      Link #2

      **Note:  It is important that it is saved directly to your Desktop

      Close any open Web browsers (Firefox, Internet Explorer, etc.) before starting ComboFix.

      Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.
       
      Double click combofix.exe & follow the prompts.
      Vista users: right-click on ComboFix.exe and select Run as administrator (you will receive a UAC prompt; please allow it).
      When finished ComboFix will produce a log for you.
      Post the ComboFix log in your next reply.

      Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

      Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

      If you have problems with ComboFix usage, see How to use ComboFix

      Andrimner

        Re: C:\windows\system32\sshnas21.dll infected, Trojan Horse
        « Reply #4 on: February 04, 2010, 03:05:25 PM »
        Here is the Combofix-log:

        ComboFix 10-02-04.01 - Vegar 04.02.2010  22:32:22.1.2 - x86
        Microsoft Windows 7 Home Premium   6.1.7600.0.1252.47.1044.18.2038.1085 [GMT 1:00]
        Kjører fra: c:\users\Vegar\Desktop\ComboFix.exe
        SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
        .

        (((((((((((((((((((((((((((((((((((((((   Andre slettinger   )))))))))))))))))))))))))))))))))))))))))))))))))
        .

        c:\program files\temp
        c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HotKeyMon.lnk
        c:\windows\system32\Thumbs.db

        Infisert kopi av c:\windows\system32\DRIVERS\atapi.sys ble funnet og desinfisert [translation: Infected copy of c:\...\atapi.sys was found and disinfected]
        Gjenopprettet kopi fra - c:\combofix\HarddiskVolumeShadowCopy2_!Windows!System32!drivers!atapi.sys [translation: restored copy  from - c:\...]
        .
        (((((((((((((((((((((((((((   Filer Opprettet Fra 2010-01-04 til 2010-02-04  )))))))))))))))))))))))))))))))))
        .

        2010-02-04 21:46 . 2010-02-04 21:46   --------   d-----w-   c:\users\Default\AppData\Local\temp
        2010-02-04 21:46 . 2010-02-04 21:48   --------   d-----w-   c:\users\Vegar\AppData\Local\temp
        2010-02-04 18:38 . 2010-02-04 18:38   --------   d-----w-   c:\program files\Trend Micro
        2010-02-04 16:21 . 2010-02-04 16:21   --------   d-----w-   C:\JavaRa
        2010-02-04 16:16 . 2010-02-04 16:16   --------   d-----w-   c:\program files\Common Files\Java
        2010-02-04 16:10 . 2010-02-04 16:09   411368   ----a-w-   c:\windows\system32\deploytk.dll
        2010-02-04 16:09 . 2010-02-04 16:09   --------   d-----w-   c:\program files\Java
        2010-02-04 14:27 . 2010-02-04 14:27   --------   d-----w-   c:\users\Vegar\AppData\Roaming\Malwarebytes
        2010-02-04 14:26 . 2010-01-07 15:07   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
        2010-02-04 14:26 . 2010-02-04 14:26   --------   d-----w-   c:\programdata\Malwarebytes
        2010-02-04 14:26 . 2010-01-07 15:07   19160   ----a-w-   c:\windows\system32\drivers\mbam.sys
        2010-02-04 14:26 . 2010-02-04 14:26   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
        2010-02-03 22:23 . 2010-02-03 22:23   52224   ----a-w-   c:\users\Vegar\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
        2010-02-03 22:22 . 2010-02-03 22:22   117760   ----a-w-   c:\users\Vegar\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
        2010-02-03 22:19 . 2010-02-03 22:19   --------   d-----w-   c:\programdata\SUPERAntiSpyware.com
        2010-02-03 22:18 . 2010-02-03 22:18   --------   d-----w-   c:\program files\SUPERAntiSpyware
        2010-02-03 22:17 . 2010-02-03 22:18   --------   d-----w-   c:\users\Vegar\AppData\Roaming\SUPERAntiSpyware.com
        2010-02-03 22:15 . 2010-02-03 22:15   --------   d-----w-   c:\program files\Common Files\Wise Installation Wizard
        2010-02-03 22:02 . 2010-02-03 22:02   --------   d-----w-   c:\program files\CCleaner
        2010-02-03 21:03 . 2010-02-03 21:03   691696   ----a-w-   c:\windows\system32\drivers\sptd.sys
        2010-02-03 21:00 . 2010-02-04 10:00   --------   d-----w-   c:\program files\DAEMON Tools Lite
        2010-02-03 21:00 . 2010-02-04 21:07   --------   d-----w-   c:\users\Vegar\AppData\Roaming\DAEMON Tools Lite
        2010-02-03 21:00 . 2010-02-03 21:00   --------   d-----w-   c:\programdata\DAEMON Tools Lite
        2010-02-03 20:31 . 2010-02-03 20:32   --------   d-----w-   C:\OFFICE
        2010-02-03 11:38 . 2010-02-03 11:38   --------   d-----w-   c:\users\Vegar\AppData\Local\Diagnostics
        2010-02-03 06:26 . 2010-01-30 21:14   --------   d-----w-   C:\Microsoft Office 2007
        2010-02-02 21:35 . 2010-02-03 06:30   --------   d-----w-   c:\users\Vegar\Nedlastinger
        2010-02-02 21:32 . 2010-02-02 21:32   175   ----a-w-   c:\users\Vegar\AppData\Roaming\Azureus\restart.bat
        2010-02-02 21:27 . 2010-02-02 21:27   --------   d-----w-   c:\programdata\Azureus
        2010-02-02 21:27 . 2010-02-03 20:30   --------   d-----w-   c:\users\Vegar\AppData\Roaming\Azureus
        2010-02-02 21:24 . 2010-02-03 20:31   --------   d-----w-   c:\program files\Vuze
        2010-02-02 21:24 . 2010-02-02 21:24   --------   d-----w-   c:\program files\Common Files\i4j_jres
        2010-02-02 21:07 . 2010-02-03 06:45   --------   d-----w-   C:\$AVG
        2010-02-02 21:07 . 2010-02-02 21:07   12464   ----a-w-   c:\windows\system32\avgrsstx.dll
        2010-02-02 21:07 . 2010-02-02 21:07   360584   ----a-w-   c:\windows\system32\drivers\avgtdix.sys
        2010-02-02 21:07 . 2010-02-02 21:07   333192   ----a-w-   c:\windows\system32\drivers\avgldx86.sys
        2010-02-02 21:07 . 2010-02-02 21:07   28424   ----a-w-   c:\windows\system32\drivers\avgmfx86.sys
        2010-02-02 21:07 . 2010-02-04 16:55   --------   d-----w-   c:\windows\system32\drivers\Avg
        2010-02-02 21:07 . 2010-02-02 21:07   --------   d-----w-   c:\program files\AVG
        2010-02-02 21:07 . 2010-02-02 21:07   --------   d-----w-   c:\programdata\avg9
        2010-02-02 20:59 . 2010-01-14 10:12   181120   ------w-   c:\windows\system32\MpSigStub.exe
        2010-01-31 12:33 . 1999-03-06 11:38   6144   ----a-w-   c:\windows\system32\drivers\ASUSHWIO.SYS
        2010-01-31 12:24 . 2009-09-10 05:52   257024   ----a-w-   c:\windows\system32\msv1_0.dll
        2010-01-31 12:07 . 2009-10-29 07:22   2048   ----a-w-   c:\windows\system32\tzres.dll
        2010-01-30 23:35 . 2010-02-01 23:20   --------   d-----w-   c:\program files\Microsoft Silverlight
        2010-01-30 23:35 . 2009-08-05 21:48   54632   ----a-w-   c:\windows\system32\drivers\fssfltr.sys
        2010-01-30 22:55 . 2010-02-03 17:08   --------   d-----w-   c:\users\Vegar\Tracing
        2010-01-30 22:55 . 2010-01-30 22:55   --------   d-----w-   c:\users\Vegar\AppData\Local\Windows Live Writer
        2010-01-30 22:55 . 2010-01-30 22:55   --------   d-----w-   c:\users\Vegar\AppData\Roaming\Windows Live Writer
        2010-01-30 20:48 . 2009-10-31 05:45   2614272   ----a-w-   c:\windows\explorer.exe
        2010-01-30 20:48 . 2009-10-28 06:17   285696   ----a-w-   c:\windows\system32\winlogon.exe
        2010-01-30 20:48 . 2009-08-29 06:57   34816   ----a-w-   c:\windows\system32\msasn1.dll
        2010-01-30 20:48 . 2009-10-02 04:06   728648   ----a-w-   c:\windows\system32\drivers\dxgkrnl.sys
        2010-01-30 20:48 . 2009-09-03 07:04   1320960   ----a-w-   c:\windows\system32\CertEnroll.dll
        2010-01-30 20:48 . 2009-08-19 07:20   507568   ----a-w-   c:\windows\system32\winload.exe
        2010-01-30 20:48 . 2009-08-19 07:20   442920   ----a-w-   c:\windows\system32\winresume.exe
        2010-01-30 20:48 . 2009-08-29 06:54   12625408   ----a-w-   c:\windows\system32\wmploc.DLL
        2010-01-30 20:47 . 2009-10-19 14:10   108544   ----a-w-   c:\windows\system32\t2embed.dll
        2010-01-30 20:47 . 2009-10-19 14:10   70656   ----a-w-   c:\windows\system32\fontsub.dll
        2010-01-30 20:47 . 2009-07-30 04:44   293888   ----a-w-   c:\windows\system32\atmfd.dll
        2010-01-30 20:45 . 2009-12-19 09:02   977920   ----a-w-   c:\windows\system32\wininet.dll
        2010-01-30 20:28 . 2010-01-30 20:28   --------   d-----w-   c:\users\Vegar\AppData\Local\Mozilla

        .
        ((((((((((((((((((((((((((((((((((((((((   Find3M Rapport   ))))))))))))))))))))))))))))))))))))))))))))))))))))
        .
        2010-02-02 20:32 . 2009-07-14 04:52   --------   d-----w-   c:\program files\Windows Sidebar
        2010-02-02 20:32 . 2009-07-14 02:37   --------   d-----w-   c:\program files\Windows Mail
        2010-02-02 20:32 . 2009-07-14 04:52   --------   d-----w-   c:\program files\Windows Photo Viewer
        2010-02-02 20:32 . 2009-07-14 07:49   --------   d-----w-   c:\program files\Windows Journal
        2010-02-02 20:32 . 2009-07-14 04:52   --------   d-----w-   c:\program files\Windows Defender
        2010-02-02 20:31 . 2009-07-14 04:52   --------   d-----w-   c:\program files\DVD Maker
        2010-02-02 17:37 . 2009-06-20 18:55   74124   ----a-w-   c:\windows\system32\perfc014.dat
        2010-02-02 17:37 . 2009-06-20 18:55   448210   ----a-w-   c:\windows\system32\perfh014.dat
        2010-02-02 06:12 . 2009-12-25 10:03   79136   ----a-w-   c:\users\Vegar\AppData\Local\GDIPFONTCACHEV1.DAT
        2010-02-01 16:32 . 2009-08-31 14:13   --------   d-----w-   c:\programdata\Microsoft Help
        2010-01-31 12:22 . 2009-08-31 14:15   --------   d-----w-   c:\program files\Microsoft Works
        2010-01-30 23:34 . 2009-12-25 10:10   --------   d-----w-   c:\program files\Windows Live
        2009-12-25 10:14 . 2009-12-25 10:10   --------   d-----w-   c:\program files\Microsoft
        2009-12-25 10:13 . 2009-12-25 10:13   --------   d-----w-   c:\program files\Microsoft Sync Framework
        2009-12-25 10:12 . 2009-12-25 10:12   --------   d-----w-   c:\program files\Microsoft SQL Server Compact Edition
        2009-12-25 10:10 . 2009-12-25 10:10   --------   d-----w-   c:\program files\Windows Live SkyDrive
        2009-12-25 10:07 . 2009-12-25 10:07   --------   d-----w-   c:\program files\Common Files\Windows Live
        2009-06-10 21:26 . 2009-07-14 02:04   9633792   --sha-r-   c:\windows\Fonts\StaticCache.dat
        2009-07-14 01:14 . 2009-07-13 23:42   396800   --sha-w-   c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
        .

        ((((((((((((((((((((((((((((((((   Oppstartspunkter I Registeret   )))))))))))))))))))))))))))))))))))))))))))))
        .
        .
        *Merk* tomme oppføringer & gyldige standardoppføringer vises ikke 
        REGEDIT4

        [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayIconExtension1]
        @="{fe25455d-b4c2-4e32-97d2-92632ec1c224}"
        [HKEY_CLASSES_ROOT\CLSID\{fe25455d-b4c2-4e32-97d2-92632ec1c224}]
        2009-06-10 21:23   278864   ----a-w-   c:\windows\System32\mscoree.dll

        [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayIconExtension2]
        @="{1fae2d88-a78e-4f03-909f-be818a3c1ce6}"
        [HKEY_CLASSES_ROOT\CLSID\{1fae2d88-a78e-4f03-909f-be818a3c1ce6}]
        2009-06-10 21:23   278864   ----a-w-   c:\windows\System32\mscoree.dll

        [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
        "Eee Docking"="c:\program files\ASUS\Eee Docking\Eee Docking.exe" [2009-08-25 402608]
        "DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2009-10-30 369200]

        [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
        "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-07-20 1545512]
        "HotkeyService"="AsusSender.exe" [2009-09-11 33768]
        "SuperHybridEngine"="AsusSender.exe" [2009-09-11 33768]
        "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]
        "EeeStorageBackup"="c:\program files\ASUS\Asus WebStorage\BackupService.exe" [2009-07-31 947472]
        "LiveUpdate"="AsusSender.exe" [2009-09-11 33768]
        "SynAsusAcpi"="c:\program files\Synaptics\SynTP\SynAsusAcpi.exe" [2009-07-20 83240]
        "RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-07-20 7625248]
        "HotKeyMon"="AsusSender.exe" [2009-09-11 33768]
        "IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-10-15 137752]
        "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-10-15 354840]
        "Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-01-07 1394000]
        "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]

        c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
        SRS Premium Sound.lnk - c:\windows\Installer\{D42F84B6-3709-4A50-8502-6719D16AE6C8}\NewShortcut4_E9C83B3EDF9141A39DA5EC05C79BBB91.exe [2009-8-31 156880]

        [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
        "ConsentPromptBehaviorAdmin"= 5 (0x5)
        "ConsentPromptBehaviorUser"= 3 (0x3)
        "EnableUIADesktopToggle"= 0 (0x0)

        [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
        "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

        [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
        2009-09-03 13:21   548352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.dll

        [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
        "AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

        [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
        "aux"=wdmaud.drv

        [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sr.sys]
        @="FSFilter System Recovery"

        R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\drivers\avgldx86.sys [02.02.2010 22:07 333192]
        R1 AvgTdiX;AVG Free Network Redirector;c:\windows\System32\drivers\avgtdix.sys [02.02.2010 22:07 360584]
        R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [05.01.2010 07:56 9968]
        R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [05.01.2010 07:56 74480]
        R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\System32\drivers\vwififlt.sys [14.07.2009 00:52 48128]
        R2 AsusService;Asus Launcher Service;c:\windows\System32\AsusService.exe [31.08.2009 15:09 219136]
        R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [02.02.2010 22:07 906520]
        R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [02.02.2010 22:07 285392]
        R3 igd;igd;c:\windows\System32\drivers\igdkmd32.sys [10.10.2009 09:04 635552]
        R3 L1C;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller (NDIS 6.20);c:\windows\System32\drivers\L1C62x86.sys [18.08.2009 14:24 51712]
        S3 fssfltr;fssfltr;c:\windows\System32\drivers\fssfltr.sys [31.01.2010 00:35 54632]
        S3 fsssvc;Windows Live Tryggere for familien-tjenesten;c:\program files\Windows Live\Family Safety\fsssvc.exe [05.08.2009 22:48 704864]
        S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [05.01.2010 07:56 7408]
        S4 sptd;sptd;c:\windows\System32\drivers\sptd.sys [03.02.2010 22:03 691696]
        .
        .
        ------- Tilleggsskanning -------
        .
        uStart Page = hxxp://asus.msn.com
        IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
        FF - ProfilePath - c:\users\Vegar\AppData\Roaming\Mozilla\Firefox\Profiles\9qgas2eo.default\
        FF - prefs.js: browser.startup.homepage - hxxp://www.startsiden.no/
        FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
        FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
        FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll

        ---- FIREFOX POLICIES ----
        c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
        c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
        c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
        c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
        c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
        c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency",   1600);
        c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
        c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
        c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
        c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug",            false);
        c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight",       2);
        c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize",       1);
        c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
        c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
        c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight",   25);
        c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight",     5);
        c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
        c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
        c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
        c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
        c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".no");
        c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
        c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
        c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
        c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
        c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
        c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
        c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
        c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
        c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
        c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
        c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
        c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
        .
        - - - - TOMME PEKERE FJERNET - - - -

        Toolbar-Locked - (no file)
        SafeBoot-dmboot.sys
        SafeBoot-dmio.sys
        SafeBoot-dmload.sys
        SafeBoot-dmadmin
        SafeBoot-dmserver
        SafeBoot-SRService
        AddRemove-HijackThis - c:\program files\Trend Micro\HijackThis\HijackThis.exe


        .
        --------------------- LÅSTE REGISTERNØKLER ---------------------

        [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
        @Denied: (Full) (Everyone)
        .
        --------------------- DLL'er Lastet Av Kjørende Prosesser ---------------------

        - - - - - - - > 'Explorer.exe'(5348)
        c:\program files\ASUS\Asus WebStorage\LogicNP.EZShellExtensions.dll
        c:\windows\assembly\GAC_32\System.Data.SQLite\1.0.60.0__db937bc2d44ff139\System.Data.SQLite.dll
        .
        ------------------------ Andre Kjørende Prosesser ------------------------
        .
        c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
        c:\program files\AVG\AVG9\avgnsx.exe
        c:\program files\AVG\AVG9\avgcsrvx.exe
        c:\program files\AVG\AVG9\avgchsvx.exe
        c:\program files\AVG\AVG9\avgrsx.exe
        c:\program files\AVG\AVG9\avgcsrvx.exe
        c:\windows\system32\taskhost.exe
        c:\windows\servicing\TrustedInstaller.exe
        c:\windows\system32\conhost.exe
        c:\windows\system32\conhost.exe
        c:\program files\Asus\LiveUpdate\LiveUpdate.exe
        c:\program files\EeePC\HotkeyService\HotkeyService.exe
        c:\program files\EeePC\SHE\SuperHybridEngine.exe
        c:\program files\EeePC\HotkeyService\HotKeyMon.exe
        c:\program files\Synaptics\SynTP\SynTPHelper.exe
        c:\program files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel.exe
        c:\program files\Windows Media Player\wmpnetwk.exe
        c:\windows\system32\sppsvc.exe
        .
        **************************************************************************
        .
        Tidspunkt ferdig: 2010-02-04  22:53:38 - maskinen ble startet på nytt
        ComboFix-quarantined-files.txt  2010-02-04 21:53

        Pre-Run: 82 390 867 968 byte ledig
        Post-Run: 82 298 265 600 byte ledig

        - - End Of File - - CE42D1426E38CAF7B033CA8EDCAC9AE0

        evilfantasy

        Re: C:\windows\system32\sshnas21.dll infected, Trojan Horse
        « Reply #5 on: February 04, 2010, 03:14:26 PM »
        Download Security Check by screen317 from one of the following links and save it to your desktop.

        Link 1
        Link 2

        * Unzip SecurityCheck.zip and a folder named Security Check should appear.
        * Open the Security Check folder and double-click Security Check.bat
        * Follow the onscreen instructions inside of the black box.
        * A Notepad document should open automatically called checkup.txt
        * Post the contents of that document in your next reply.

        Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.

        Andrimner

          Re: C:\windows\system32\sshnas21.dll infected, Trojan Horse
          « Reply #6 on: February 04, 2010, 03:25:45 PM »
          This is the resulting log:

           Results of screen317's Security Check version 0.99.1    
           Windows 7  (UAC is enabled)
          ``````````````````````````````
          Antivirus/Firewall Check:

           AVG Free 9.0   
           WMIC entry does not exist for antivirus; attempting automatic update.
          ``````````````````````````````
          Anti-malware/Other Utilities Check:

           SUPERAntiSpyware Free Edition   
           CCleaner     
           Java(TM) 6 Update 18 
           Java Auto Updater   
           Out of date Java installed!
           Adobe Flash Player 10 
          Adobe Reader 9.1 MUI
          ``````````````````````````````
          Process Check: 
          objlist.exe by Laurent

           AVG avgwdsvc.exe
           AVG avgrsx.exe
           AVG avgnsx.exe
           AVG avgemc.exe
           AVG avgemc.exe
          ``````````````````````````````
          DNS Vulnerability Check:

           GREAT! (Not vulnerable to DNS cache poisoning)

          `````````End of Log```````````

          evilfantasy

          Re: C:\windows\system32\sshnas21.dll infected, Trojan Horse
          « Reply #7 on: February 04, 2010, 03:28:33 PM »
          Looks good.

          If there are no more malware issues we can finish up now.

          Let's clear out the programs we've been using to clean up your computer. They are not suitable for general malware removal and could cause damage if launched accidentally. These steps will also help secure the work you have done.

          * Click START then RUN
          * Now type Combofix /Uninstall in the runbox
          * Make sure there's a space between Combofix and /Uninstall
          * Then hit Enter.

          The above procedure will:
          * Delete: ComboFix and its associated files and folders.
          * Reset the clock settings.
          * Hide file extensions, if required.
          * Hide System/Hidden files, if required.
          * Set a new, clean Restore Point.

          ----------

          Clean out your temporary internet files and temp files.

          Download TFC by OldTimer to your desktop.

          Double-click TFC.exe to run it.

          Note: If you are running on Vista, right-click on the file and choose Run As Administrator

          TFC will close all programs when run, so make sure you have saved all your work before you begin.

          * Click the Start button to begin the cleaning process.
          * Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. 
          * Please let TFC run uninterrupted until it is finished.

          Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.

          ----------

          Use the Secunia Software Inspector to check for out of date software.

          * Click Start Now
          * Check the box next to Enable thorough system inspection.
          * Click Start
          * Allow the scan to finish and scroll down to see if any updates are needed.
          * Update anything listed.

          ----------

          Go to Microsoft Windows Update and get all critical updates.

          ----------

          If you are using or have installed IE6, you are using an outdated and soon-to-be unsupported version of Internet Explorer, and I strongly suggest you update to the latest version directly from Microsoft Internet Explorer 8: Home page.

          ----------

          I recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no realtime protection so will not interfere with each other. They do not use any significant amount of resources (except a little disk space) until you run a scan.

          I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

          SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
          * Using SpywareBlaster to protect your computer from Spyware and Malware
          * If you don't know what ActiveX controls are, see here

          Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ

          Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

          Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smoothly.

          Andrimner

            Re: C:\windows\system32\sshnas21.dll infected, Trojan Horse
            « Reply #8 on: February 04, 2010, 04:01:54 PM »
            Thank you very much :)

            evilfantasy

            Re: C:\windows\system32\sshnas21.dll infected, Trojan Horse
            « Reply #9 on: February 04, 2010, 04:02:37 PM »
            You're welcome.

            Safe surfing...