ipconfig.exe box just appears a fraction of a second

[Peterwolfe]

when doing the "run"...C:\WINDOWS\system32\ipconfig.exe and disappears right away??!!!
all other stuff via Run goes as usual...regedit is quite ok...
system is clean according to my "defences"...
if its a rootinfection, what software would catch it?
Have Superantispyware, Spybot, AVG 9.0, Malwarebyte on my XP and they say...nothing found..

here's my HiJackThis of today:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:10:43, on 10.05.2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\D-Link\AirPlus G DWL-G510\AirGCFG.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\RapidShareManager_0_1_0_248\RapidShareManager_0_1_0_248\RapidShareManager.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sol.no/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [D-Link AirPlus G DWL-G510] C:\Program Files\D-Link\AirPlus G DWL-G510\AirGCFG.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: Oppslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Wireless Service - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Messenger Sharing Folders USN Journal Reader service (usnjsvc) - Unknown owner - C:\Program Files\Windows Live\Messenger\usnsvc.exe (file missing)
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe (file missing)

--
End of file - 6381 bytes

[Peterwolfe]

Unhack me cant find any rootprblems...

[SuperDave]

Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer. I am working under the guidance of one of the specialist of this forum so it may take a bit longer to process your logs.

1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. If you don't know or understand something, please don't hesitate to ask.
4. Please DO NOT run any other tools or scans while I am helping you.
5. It is important that you reply to this thread. Do not start a new topic.
6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
7. Absence of symptoms does not mean that everything is clear.

SUPERAntiSpyware

If you already have SUPERAntiSpyware be sure to remove it!

Download SuperAntispyware Free Edition (SAS)
* Double-click the icon on your desktop to run the installer.
* When asked to Update the program definitions, click Yes
* If you encounter any problems while downloading the updates, manually download and unzip them from here
* Next click the Preferences button.

•Under Start-Up Options uncheck Start SUPERAntiSpyware when Windows starts
* Click the Scanning Control tab.
* Under Scanner Options make sure only the following are checked:

•Close browsers before scanning
•Scan for tracking cookies
•Terminate memory threats before quarantining
•Please leave the others unchecked

•Click the Close button to leave the control center screen.

* On the main screen click Scan your computer
* On the left check the box for the drive you are scanning.
* On the right choose Perform Complete Scan
* Click Next to start the scan. Please be patient while it scans your computer.
* After the scan is complete a summary box will appear. Click OK
* Make sure everything in the white box has a check next to it, then click Next
* It will quarantine what it found and if it asks if you want to reboot, click Yes

•To retrieve the removal information please do the following:
•After reboot, double-click the SUPERAntiSpyware icon on your desktop.
•Click Preferences. Click the Statistics/Logs tab.

•Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.

•It will open in your default text editor (preferably Notepad).
•Save the notepad file to your desktop by clicking (in notepad) File > Save As...

* Save the log somewhere you can easily find it. (normally the desktop)
* Click close and close again to exit the program.
*Copy and Paste the log in your post
======================================
Please download Malwarebytes Anti-Malware from here.

Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select "Perform Full Scan", then click Scan.
  
• The scan may take some time to finish,so please be patient.
• When the scan is complete, click OK, then Show Results to view the results.
• Make sure that everything is checked, and click Remove Selected.
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
• Please save the log to a location you will remember.
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
• Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
===========================================
Download Disable/Remove Windows Messenger to the desktop to remove Windows Messenger.

Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

Unzip the file on the desktop. Open the MessengerDisable.exe and choose the bottom box - Uninstall Windows Messenger and click Apply.

Exit out of MessengerDisable then delete the two files that were put on the desktop.
==========================================

P2P - I see you have P2P software installed on your machine. (uTorrent)We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It is certainly contributing to your current situation.

Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

I would strongly recommend that you uninstall them, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.
==============================================
Please go to Jotti's malware scan
(If more than one file needs scanned they must be done separately and logs posted for each one)

* Copy the file path in the below Code box:

Code: [Select]

C:\RapidShareManager_0_1_0_248\RapidShareManager_0_1_0_248\RapidShareManager.exe
* At the upload site, click once inside the window next to Browse.
* Press Ctrl+V on the keyboard (both at the same time) to paste the file path into the window.
* Next click Submit file
* Your file will possibly be entered into a queue which normally takes less than a minute to clear.
* This will perform a scan across multiple different virus scanning engines.
* Important: Wait for all of the scanning engines to complete.
* Once the scan is finished, Copy and then Paste the link in the address bar into your next reply.
==============================================

Open HijackThis and select Do a system scan only

Place a check mark next to the following entries: (if there)

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe


Important: Close all open windows except for HijackThis and then click Fix checked.

Once completed, exit HijackThis.
===============================================

[BC_Programmer]

when doing the "run"...C:\WINDOWS\system32\ipconfig.exe and disappears right away??!!!
all other stuff via Run goes as usual...regedit is quite ok...

ipconfig is a command-line program. if you wish to see the output, run "cmd" and then run ipconfig from the prompt.

[Peterwolfe]

Thanks BC Programmer, it was just a clear "understanding" error...cool...acted too quick on something I was sure I knew...lol...

SuperDave: didn get your answer...was it a general one or was it based on my info? But than ks, my defences are up to date. I am running now as a consequence UnHackMe and it's quite reassuring with a rootkit solution too...but thanks anyway

[SuperDave]

If you don't want my help just let me know and I'll lock this thread.

[Peterwolfe]

I am not THAT cocky...lol...done your stuff and now what? Nothing found!

Have Superantispyware, Spybot, AVG 9.0, Malwarebyte on my XP  and they say...nothing found..

[BC_Programmer]

I am not THAT cocky...lol...done your stuff and now what?

Where are the logs?

[Peterwolfe]

ooops, sorry...will get back at you

[Peterwolfe]

by the way: I use windows live messenger and have never encountered any problems, so...it's ON on a daily basis...lol
Jotti says Rapidshare ok; HiJackThis suggestions executed. logs to follow...Live Messenger stays, never encountered any problems with that....

[BC_Programmer]

by the way: I use windows live messenger and have never encountered any problems, so...it's ON on a daily basis...lol

Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

you have confused them. 

[Peterwolfe]

ok, but then why to remove msn messenger if i dont have it..?

Jotti says Rapidshare ok; HiJackThis suggestions executed. logs to follow...Live Messenger stays, never encountered any problems with that....

Use utroorent only for music and movies and they are always checked, because nowadays you cant be sure of anything

[Peterwolfe]

http://virusscan.jotti.org/en/scanresult/1ba370c2e
330fa12f238958ad08d8715b8ad8174/894d1011be
c8516aa5aa617c35314b435dc0f4c7

[Peterwolfe]

hm, they are still there...?...did your thing, checked and said fix...
answer 1:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 06:35:08, on 13.05.2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\D-Link\AirPlus G DWL-G510\AirGCFG.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\UnHackMe\hackmon.exe
C:\Program Files\Opera 10 Beta\opera.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sol.no/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [D-Link AirPlus G DWL-G510] C:\Program Files\D-Link\AirPlus G DWL-G510\AirGCFG.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [UnHackMe Monitor] C:\Program Files\UnHackMe\hackmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: Oppslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Wireless Service - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Messenger Sharing Folders USN Journal Reader service (usnjsvc) - Unknown owner - C:\Program Files\Windows Live\Messenger\usnsvc.exe (file missing)
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe (file missing)

--
End of file - 6318 bytes

[Peterwolfe]

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/13/2010 at 07:29 AM

Application Version : 4.31.1000

Core Rules Database Version : 4910
Trace Rules Database Version: 2722

Scan type       : Complete Scan
Total Scan Time : 00:51:03

Memory items scanned      : 415
Memory threats detected   : 0
Registry items scanned    : 6360
Registry threats detected : 0
File items scanned        : 22134
Adware.Tracking Cookies found  : 37

   C:\Documents and Settings\Peter\Cookies\[email protected][1].txt
   C:\Documents and Settings\Peter\Cookies\[email protected][5].txt
   C:\Documents and Settings\Peter\Cookies\peter@tribalfusion[2].txt
   C:\Documents and Settings\Peter\Cookies\[email protected][1].txt
   C:\Documents and Settings\Peter\Cookies\[email protected][5].txt
   C:\Documents and Settings\Peter\Cookies\[email protected][1].txt
   C:\Documents and Settings\Peter\Cookies\peter@toplist[2].txt
   C:\Documents and Settings\Peter\Cookies\peter@buyalltraffic[2].txt
   C:\Documents and Settings\Peter\Cookies\peter@atdmt[2].txt
   C:\Documents and Settings\Peter\Cookies\[email protected][1].txt
   C:\Documents and Settings\Peter\Cookies\peter@tradedoubler[1].txt
   C:\Documents and Settings\Peter\Cookies\[email protected][3].txt
   C:\Documents and Settings\Peter\Cookies\[email protected][1].txt
   C:\Documents and Settings\Peter\Cookies\peter@yadro[1].txt
   C:\Documents and Settings\Peter\Cookies\[email protected][1].txt
   C:\Documents and Settings\Peter\Cookies\peter@trafficholder[1].txt
   C:\Documents and Settings\Peter\Cookies\peter@partypoker[1].txt
   C:\Documents and Settings\Peter\Cookies\peter@revsci[1].txt
   C:\Documents and Settings\Peter\Cookies\[email protected][1].txt
   C:\Documents and Settings\Peter\Cookies\[email protected][1].txt
   C:\Documents and Settings\Peter\Cookies\[email protected][1].txt
   C:\Documents and Settings\Peter\Cookies\peter@toplist[1].txt
   C:\Documents and Settings\Peter\Cookies\[email protected][1].txt
   C:\Documents and Settings\Peter\Cookies\[email protected][1].txt
   C:\Documents and Settings\Peter\Cookies\[email protected][4].txt
   C:\Documents and Settings\Peter\Cookies\[email protected][3].txt
   C:\Documents and Settings\Peter\Cookies\peter@doubleclick[2].txt
   C:\Documents and Settings\Peter\Cookies\[email protected][3].txt
   C:\Documents and Settings\Peter\Cookies\[email protected][1].txt
   C:\Documents and Settings\Peter\Cookies\peter@revsci[2].txt
   C:\Documents and Settings\Peter\Cookies\[email protected][1].txt
   C:\Documents and Settings\Peter\Cookies\peter@atdmt[1].txt
   C:\Documents and Settings\Peter\Cookies\[email protected][3].txt
   C:\Documents and Settings\Peter\Cookies\[email protected][2].txt
   C:\Documents and Settings\Peter\Cookies\peter@statcounter[2].txt
   C:\Documents and Settings\Peter\Cookies\[email protected][1].txt
   C:\Documents and Settings\Peter\Cookies\[email protected][2].txt

[Peterwolfe]

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4052

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

13.05.2010 07:31:33
mbam-log-2010-05-13 (07-31-33).txt

Scan type: Full scan (C:\|)
Objects scanned: 174484
Time elapsed: 52 minute(s), 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

[Peterwolfe]

must be an interesting item with 149 watchers...lol..

by the way, will soon leave XP for W7 and will replace all my other necessary software from XP with freeware...lolworks great

[SuperDave]

I'd like us to scan your machine with ESET OnlineScan

•Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan
•Click the button.
•For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

• Click on to download the ESET Smart Installer. Save it to your desktop.
  
• Double click on the icon on your desktop.
  

•Check
•Click the button.
•Accept any security warnings from your browser.
•Check
•Push the Start button.
•ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
•When the scan completes, push
•Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
•Push the button.
•Push
A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt

[Peterwolfe]

well, WHEN the ESET finalizes its findings in a couple of hours (it's have been running for the last 3 hours), I will send the reportlog. I started with C:\ and at the same time had AVG, MBAM, spybot and SuperAS running and only ESET caught 2 sob's within 30 seconds....HTML/lframe.B.Gen Virus og WIN32/Bagle.gen.zip.virus but after that its a quiet run without any sobs....lol...and I have 3 internal HD's, so....

See I have the same type of PC as you have...AMD Athlon 3200+, 2.4Ghz, 3 Gb RAM. It seems the XP Firewall is not good enough, but I had Sygate until it was sold to Symantec and in the end it started to slow down my PC so, with tears in my eyes, I had to uninstall it...so W7, there I have the same W7 firewall and the same defences as in XP, so 100% safe I do not feel...any suggestions?

Hope this little problem will learn the up to now 210 "watchers" something. Guess the name SuperDave is well know in the universe now..hahahahaha....and it shows nobody knows it all or is invulnerable...

[Peterwolfe]

6 hour mark passed....caught 4 which my other defences didnt!!!! WIN32/stuff again....almost ready with my 2d HD, then the 3d coming up, this might take some more hours, but well, we will get rid of ALL sh...I hope

Interest up in 225 "peeping toms...lol"...lol

Screening last HD; found 7(after all was checked by my usual/regular defences), mostly the HTML/lframe.B.Gen Virus stuff and 1 worm...

checkingtime: close to 6 hours and 30 minutes

[BC_Programmer]

6 hour mark passed....caught 4 which my other defences didnt!!!! WIN32/stuff again....almost ready with my 2d HD, then the 3d coming up, this might take some more hours, but well, we will get rid of ALL sh...I hope

Interest up in 215 "watchers"...lol

Views != watchers.

[Peterwolfe]

here is the eset-log....found some of the real "buggers" my above mentioned defences didnt report!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
***********************************************************************************************
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=d7c9fc2dfb25154ab02c44cda6fe90e6
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-05-14 02:25:56
# local_time=2010-05-14 04:25:56 (+0100, W. Europe Daylight Time)
# country="Norway"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 18873029 18873029 0 0
# compatibility_mode=1024 16777175 100 0 16580740 16580740 0 0
# compatibility_mode=8192 67108863 100 0 145 145 0 0
# scanned=152373
# found=8
# cleaned=0
# scan_time=33441
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DNSFlushcws1.zip   Win32/Bagle.gen.zip worm   00000000000000000000000000000000   I
C:\Documents and Settings\Peter\Favorites\Sex and the Single Man\Action36 free mature women sex movies and older women sex pictures!.url:favicon   HTML/Iframe.B.Gen virus   00000000000000000000000000000000   I
E:\Downloads\Warez from 090310\unlocker1.8.8.rar   Win32/Adware.ADON application   00000000000000000000000000000000   I
E:\Downloads\Warez from 090310\Nero 9 AIO Pack (2010MULTI)\Nero BackItUp And Burn 1.2.17b.exe   Win32/Toolbar.AskSBar application   00000000000000000000000000000000   I
E:\FavoritesIE\Sex and the Single Man\Action36 free mature women sex movies and older women sex pictures!.url:favicon   HTML/Iframe.B.Gen virus   00000000000000000000000000000000   I
F:\Favorites\Sex and the Single Man\Action36 free mature women sex movies and older women sex pictures!.url:favicon   HTML/Iframe.B.Gen virus   00000000000000000000000000000000   I
F:\Favorites\specials\Action36 free mature women sex movies and older women sex pictures!.url:favicon   HTML/Iframe.B.Gen virus   00000000000000000000000000000000   I
G:\Users\Peter\FavoritesIE\Sex and the Single Man\Action36 free mature women sex movies and older women sex pictures!.url:favicon   HTML/Iframe.B.Gen virus   00000000000000000000000000000000   I

Its most stuff from my man-hobby...lol...and some from downloaded software I wanted to test and will remove that right away. Almost any pirate-software with keygenes is infected in the keygen...
But......look!!!!!!!!!! Spybot contains bad stuff too....maybe I need to remove Spybot S&D!!!!! and thats unexpected

[SuperDave]

I'll have to admit the that I know nothing about the Windows 7 firewall. I don't know if it protects out-going traffic which is very important.

Firewalls protect against hackers and malicious intruders. You need to download a free firewall from one of these reliable vendors.

Remember only install ONE firewall

1) Comodo Personal Firewall (Uncheck during installation "Install Comodo SafeSurf..", Make Comodo my default search provider" and "Make Comodo Search my homepage" and uncheck any HopSurf and/or Ask.com options if you choose this one)
2) Online Armor
3) Agnitum Outpost
4) PC Tools Firewall Plus

If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution. Remember to use only one firewall at the same time.

====================================================

* Go to Start > Run and type mrt.exe then press Enter on the keyboard).
* (Vista and Windows 7 users go to Start and type mrt.exe in the search box then press Enter on the keyboard.
* Click Next.
* Choose Full Scan and click Next.
* Once the scan is finished click View detailed results of the scan.

Look through the list and let me know if anything was found infected.

This tool will take at least 2 hrs. to run. If anything is found, it should produce a report. I'v never seen a report from this tool. If it is txt format, just copy and paste it. If in another format, copy and paste it in Notepad and send it to me. BTW, those 200 plus watchers may be a lot of hackers looking for ways to devise new infections.

[Peterwolfe]

wow, I learn more and more....will certainly do the mrt stuff.... ...I really want W7 the only MS-stuff on my PC until I have learned Linux...my next phase...lol

any comments on the ESET result? 9 hours of scanning was a real thorough effort...lol. My concern is that the 2 real bugs werent discovered by my defences(part of them are also yours in your system...)...

Hope the 286 viewers have learned a thing or 2...lol

[Peterwolfe]

and of course...THANK YOU SuperDave...you're my heroe

[SuperDave]

The ESET scan did what it's supposed to do but 9 hrs. is a bit too long.

Download Security Check by screen317 from one of the following links and save it to your desktop.

Link 1
Link 2

* Unzip SecurityCheck.zip and a folder named Security Check should appear.
* Open the Security Check folder and double-click Security Check.bat
* Follow the on-screen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt
* Post the contents of that document in your next reply.

Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.
=========================================
Please download ComboFix from BleepingComputer.com

Alternate link: GeeksToGo.com

Rename ComboFix.exe to commy.exe before you save it to your Desktop
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools A guide to do this can be found here
Click Start>Run then copy paste the following command into the Run box & click OK "%userprofile%\desktop\commy.exe" /stepdel
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console[/list]

Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you.  Please include the contents of C:\ComboFix.txt in your next reply.

If you have problems with ComboFix usage, see How to use ComboFix

[Peterwolfe]

well, it had to plow through 1HD 250gigs and 2 others of 500gigs...lol

any reason why you advise to use the Securitycheck and the Combofix? Just a question on behalf of the 340 viewers traveling  "along"...lol ...and me of course

[SuperDave]

The Security Check is to look at what you have on your computer for security. You said that you were concerned how the malware was getting in. This will give me a better idea and the ComboFix is to make sure everything is clean.

[Peterwolfe]

ok, boss..lololol...will perform...

[Peterwolfe]

 Results of screen317's Security Check version 0.99.4 
 Windows XP Service Pack 3 
 Internet Explorer 8 
``````````````````````````````
Antivirus/Firewall Check:
 Windows Firewall Enabled! 
 AVG Free 9.0   
 ESET Online Scanner v3   
 Antivirus up to date! 
```````````````````````````````
Anti-malware/Other Utilities Check:
 Malwarebytes' Anti-Malware   
 HijackThis 2.0.2   
 CCleaner     
 Wise Registry Cleaner Professional V5.12
 Java(TM) 6 Update 20 
 Java(TM) 6 Update 18 
 Out of date Java installed!
 Adobe Flash Player 10.0.45.2 
Adobe Reader 8.2.2
Out of date Adobe Reader installed!
````````````````````````````````
Process Check: 
objlist.exe by Laurent
 AVG avgwdsvc.exe
 AVG avgtray.exe
 AVG avgrsx.exe
 AVG avgnsx.exe
 AVG avgemc.exe
````````````````````````````````
DNS Vulnerability Check:
 GREAT! (Not vulnerable to DNS cache poisoning)

``````````End of Log````````````
****************
and now I own a Recovery Console...lol?? and yes it showed at the next restart!!!!!!
Old Java removed and new Adobe installed...

[Peterwolfe]

OOOP, see it is in Norwegian??? There wasnt a question for the language!!!! Sorry

ComboFix 10-05-15.03 - Peter 16.05.2010  16:54:50.1.1 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.47.1033.18.3071.2483 [GMT 2:00]
Kjører fra: c:\documents and settings\Peter\Desktop\commy.exe
.

(((((((((((((((((((((((((((((((((((((((   Andre slettinger   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Peter\Application Data\Desktopicon
c:\documents and settings\Peter\Application Data\inst.exe
c:\program files\eMule\lang\ar_AE.dll
c:\program files\eMule\lang\ba_BA.dll
c:\program files\eMule\lang\bg_BG.dll
c:\program files\eMule\lang\ca_ES.dll
c:\program files\eMule\lang\cz_CZ.dll
c:\program files\eMule\lang\da_DK.dll
c:\program files\eMule\lang\de_DE.dll
c:\program files\eMule\lang\el_GR.dll
c:\program files\eMule\lang\es_AS.dll
c:\program files\eMule\lang\es_ES_T.dll
c:\program files\eMule\lang\et_EE.dll
c:\program files\eMule\lang\fa_IR.dll
c:\program files\eMule\lang\fi_FI.dll
c:\program files\eMule\lang\fr_BR.dll
c:\program files\eMule\lang\fr_FR.dll
c:\program files\eMule\lang\gl_ES.dll
c:\program files\eMule\lang\he_IL.dll
c:\program files\eMule\lang\hu_HU.dll
c:\program files\eMule\lang\it_IT.dll
c:\program files\eMule\lang\jp_JP.dll
c:\program files\eMule\lang\ko_KR.dll
c:\program files\eMule\lang\lt_LT.dll
c:\program files\eMule\lang\lv_LV.dll
c:\program files\eMule\lang\mt_MT.dll
c:\program files\eMule\lang\nb_NO.dll
c:\program files\eMule\lang\nl_NL.dll
c:\program files\eMule\lang\nn_NO.dll
c:\program files\eMule\lang\pl_PL.dll
c:\program files\eMule\lang\pt_BR.dll
c:\program files\eMule\lang\pt_PT.dll
c:\program files\eMule\lang\ro_RO.dll
c:\program files\eMule\lang\ru_RU.dll
c:\program files\eMule\lang\sl_SI.dll
c:\program files\eMule\lang\sq_AL.dll
c:\program files\eMule\lang\sv_SE.dll
c:\program files\eMule\lang\tr_TR.dll
c:\program files\eMule\lang\ua_UA.dll
c:\program files\eMule\lang\ug_CN.dll
c:\program files\eMule\lang\va_ES.dll
c:\program files\eMule\lang\va_ES_RACV.dll
c:\program files\eMule\lang\vi_VN.dll
c:\program files\eMule\lang\zh_CN.dll
c:\program files\eMule\lang\zh_TW.dll
C:\Thumbs.db

.
(((((((((((((((((((((((((((   Filer Opprettet Fra 2010-04-16 til 2010-05-16  )))))))))))))))))))))))))))))))))
.

2010-05-15 12:37 . 2010-05-15 12:37   503808   ----a-w-   c:\documents and settings\Peter\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-1807a956-n\msvcp71.dll
2010-05-15 12:37 . 2010-05-15 12:37   499712   ----a-w-   c:\documents and settings\Peter\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-1807a956-n\jmc.dll
2010-05-15 12:37 . 2010-05-15 12:37   348160   ----a-w-   c:\documents and settings\Peter\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-1807a956-n\msvcr71.dll
2010-05-15 12:37 . 2010-05-15 12:37   61440   ----a-w-   c:\documents and settings\Peter\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-5f522b00-n\decora-sse.dll
2010-05-15 12:37 . 2010-05-15 12:37   12800   ----a-w-   c:\documents and settings\Peter\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-5f522b00-n\decora-d3d.dll
2010-05-14 05:06 . 2010-05-14 05:06   --------   d-----w-   c:\program files\ESET
2010-05-10 10:20 . 2010-05-10 10:20   37600   ----a-w-   c:\windows\system32\Partizan.exe
2010-05-10 10:20 . 2010-05-10 10:20   35816   ----a-w-   c:\windows\system32\drivers\Partizan.sys
2010-05-10 10:19 . 2010-05-10 10:19   2   --shatr-   c:\windows\winstart.bat
2010-05-10 10:19 . 2010-05-06 11:44   12752   ----a-w-   c:\windows\system32\drivers\UnHackMeDrv.sys
2010-05-10 10:18 . 2010-05-10 12:46   --------   d-----w-   c:\program files\UnHackMe
2010-05-06 05:26 . 2010-05-06 05:26   --------   d-----w-   c:\program files\JRE
2010-05-03 18:46 . 2010-05-03 18:47   --------   d-----w-   c:\documents and settings\Peter\Application Data\vlc
2010-05-02 12:24 . 2010-04-12 15:29   411368   ----a-w-   c:\windows\system32\deployJava1.dll
2010-04-29 12:24 . 2010-04-29 12:29   --------   d-----w-   c:\program files\Ask.com

.
((((((((((((((((((((((((((((((((((((((((   Find3M Rapport   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-16 07:25 . 2009-07-20 01:59   --------   d-----w-   c:\program files\uTorrent
2010-05-15 22:29 . 2009-07-20 01:58   --------   d-----w-   c:\documents and settings\Peter\Application Data\uTorrent
2010-05-10 05:10 . 2009-11-09 10:23   --------   d-----w-   c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-05-09 19:33 . 2009-11-27 00:32   117760   ----a-w-   c:\documents and settings\Peter\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-05-09 02:43 . 2009-09-06 11:12   1   ----a-w-   c:\documents and settings\Peter\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-05-06 05:43 . 2009-07-14 15:15   75440   ----a-w-   c:\documents and settings\Peter\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-06 05:26 . 2009-07-14 18:03   --------   d-----w-   c:\program files\OpenOffice.org 3
2010-05-06 05:24 . 2009-11-12 22:30   --------   d-----w-   c:\program files\Java
2010-05-04 20:01 . 2009-07-14 16:19   --------   d-----w-   c:\program files\Opera
2010-05-04 12:29 . 2009-07-14 18:18   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2010-05-01 21:02 . 2009-08-11 17:06   --------   d-----w-   c:\program files\VideoLAN
2010-04-30 13:12 . 2009-07-14 19:05   --------   d-----w-   c:\program files\Opera 10 Beta
2010-04-29 13:39 . 2009-07-14 18:18   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 13:39 . 2009-07-14 18:18   20952   ----a-w-   c:\windows\system32\drivers\mbam.sys
2010-04-21 07:09 . 2009-07-15 15:49   242896   ----a-w-   c:\windows\system32\drivers\avgtdix.sys
2010-04-20 17:06 . 2009-11-27 00:31   --------   d-----w-   c:\program files\SUPERAntiSpyware
2010-04-12 16:28 . 2009-11-10 08:55   --------   d-----w-   c:\documents and settings\Peter\Application Data\dvdcss
2010-04-12 16:27 . 2009-08-30 20:56   --------   d-----w-   c:\documents and settings\Peter\Application Data\Vso
2010-04-12 00:49 . 2010-04-12 00:49   --------   d-----w-   c:\documents and settings\Peter\Application Data\ImTOO Software Studio
2010-04-12 00:49 . 2010-04-12 00:49   --------   d-----w-   c:\program files\ImTOO
2010-04-11 13:05 . 2009-10-25 23:50   --------   d-----w-   c:\documents and settings\Peter\Application Data\Skype
2010-04-11 10:57 . 2009-07-31 16:43   --------   d-----w-   c:\documents and settings\Peter\Application Data\skypePM
2010-04-11 08:00 . 2010-04-11 07:55   --------   d-----w-   c:\documents and settings\All Users\Application Data\RegCure
2010-04-11 07:59 . 2010-04-11 07:55   --------   d-----w-   c:\program files\RegCure
2010-04-11 06:50 . 2010-04-11 06:45   --------   d-----w-   c:\program files\Wise Registry Cleaner
2010-04-11 06:39 . 2009-08-01 15:57   --------   d-----w-   c:\documents and settings\Peter\Application Data\Uniblue
2010-04-02 13:10 . 2010-02-22 11:35   --------   d---a-w-   c:\documents and settings\All Users\Application Data\TEMP
2010-03-30 17:48 . 2009-07-14 15:36   --------   d--h--w-   c:\program files\InstallShield Installation Information
2010-03-30 17:28 . 2010-03-30 17:28   503808   ----a-w-   c:\documents and settings\Peter\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-62f2f14c-n\msvcp71.dll
2010-03-30 17:28 . 2010-03-30 17:28   499712   ----a-w-   c:\documents and settings\Peter\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-62f2f14c-n\jmc.dll
2010-03-30 17:28 . 2010-03-30 17:28   348160   ----a-w-   c:\documents and settings\Peter\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-62f2f14c-n\msvcr71.dll
2010-03-30 17:28 . 2010-03-30 17:28   61440   ----a-w-   c:\documents and settings\Peter\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-4c2341e5-n\decora-sse.dll
2010-03-30 17:28 . 2010-03-30 17:28   12800   ----a-w-   c:\documents and settings\Peter\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-4c2341e5-n\decora-d3d.dll
2010-03-30 17:28 . 2010-03-30 17:28   --------   d-----w-   c:\program files\Common Files\Java
2010-03-29 23:54 . 2009-09-28 11:08   --------   d-----w-   c:\program files\CCleaner
2010-03-25 11:41 . 2010-03-25 11:41   --------   d-----w-   c:\program files\Smart Projects
2010-03-13 06:04 . 2010-03-13 06:04   12464   ----a-w-   c:\windows\system32\avgrsstx.dll
2010-03-13 06:04 . 2009-07-15 15:49   29512   ----a-w-   c:\windows\system32\drivers\avgmfx86.sys
2010-03-13 06:03 . 2009-07-15 15:49   216200   ----a-w-   c:\windows\system32\drivers\avgldx86.sys
2010-03-10 06:15 . 2008-04-14 12:00   420352   ----a-w-   c:\windows\system32\vbscript.dll
2010-02-25 06:24 . 2008-04-14 12:00   916480   ----a-w-   c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2008-04-14 12:00   455680   ----a-w-   c:\windows\system32\drivers\mrxsmb.sys
2010-02-22 16:20 . 2010-02-22 16:20   1   ----a-w-   c:\windows\system32\Eztoo AVI Video Converter.dat
2010-02-17 07:10 . 2008-04-14 12:00   2189952   ----a-w-   c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2008-04-14 00:01   2066816   ----a-w-   c:\windows\system32\ntkrnlpa.exe
2009-05-01 21:02 . 2009-05-01 21:02   1044480   -c--a-w-   c:\program files\opera\program\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02   200704   -c--a-w-   c:\program files\opera\program\plugins\ssldivx.dll
2009-11-09 06:49 . 2009-11-09 06:49   107520   --sha-r-   c:\windows\system32\GBPKIGMR.dll
.

((((((((((((((((((((((((((((((((   Oppstartspunkter I Registeret   )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Merk* tomme oppføringer & gyldige standardoppføringer vises ikke 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UnHackMe Monitor"="c:\program files\UnHackMe\hackmon.exe" [2010-05-06 594144]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2004-11-15 77824]
"D-Link AirPlus G DWL-G510"="c:\program files\D-Link\AirPlus G DWL-G510\AirGCFG.exe" [2007-10-24 1552384]
"LVCOMS"="c:\program files\Common Files\Logitech\QCDriver\LVCOMS.EXE" [2002-06-10 102400]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-04-02 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-7-15 113664]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 13:21   548352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-03-13 06:04   12464   ----a-w-   c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute   REG_MULTI_SZ      autocheck autochk *\0Partizan\0

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\OpenOffice.org 3\\program\\soffice.exe"=
"c:\\Program Files\\OpenOffice.org 3\\program\\sbase.exe"=
"c:\\Program Files\\OpenOffice.org 3\\program\\scalc.exe"=
"c:\\Program Files\\OpenOffice.org 3\\program\\sdraw.exe"=
"c:\\Program Files\\OpenOffice.org 3\\program\\simpress.exe"=
"c:\\Program Files\\OpenOffice.org 3\\program\\smath.exe"=
"c:\\Program Files\\OpenOffice.org 3\\program\\swriter.exe"=
"c:\\Program Files\\Opera 10 Beta\\opera.exe"=
"c:\\Program Files\\SoulseekNS\\slsk.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\7-Zip\\7zFM.exe"=
"c:\\Program Files\\D-Link\\AirPlus G DWL-G510\\D-Link Wizard.exe"=
"c:\\Program Files\\D-Link\\AirPlus G DWL-G510\\AirGCFG.exe"=
"c:\\Program Files\\TeamViewer\\Version4\\TeamViewer.exe"=
"c:\\Program Files\\eMule\\emule.exe"=
"c:\\RapidShareManager_0_1_0_248\\RapidShareManager_0_1_0_248\\RapidShareManager.exe"=
"c:\\Program Files\\BitLord\\BitLord.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"50488:TCP"= 50488:TCP:TCP
"23090:UDP"= 23090:UDP:UDP

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [15.07.2009 17:49 216200]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [15.07.2009 17:49 242896]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [13.03.2010 08:04 308064]
S0 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [10.05.2010 12:20 35816]
S1 SASDIFSV;SASDIFSV;\??\c:\docume~1\Peter\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS --> c:\docume~1\Peter\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\docume~1\Peter\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.sys --> c:\docume~1\Peter\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.sys [?]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [17.06.2009 14:20 12648]
S3 SASENUM;SASENUM;\??\c:\docume~1\Peter\LOCALS~1\Temp\SAS_SelfExtract\SASENUM.SYS --> c:\docume~1\Peter\LOCALS~1\Temp\SAS_SelfExtract\SASENUM.SYS [?]

--- Andre tjenester/drivere lastet i minnet ---

*Deregistered* - UnHackMeDrv
.
Innholdet i mappen 'Scheduled Tasks' (planlagte oppgaver)

2010-05-15 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2010-02-23 19:29]
.
.
------- Tilleggsskanning -------
.
uStart Page = hxxp://www.sol.no/
.
- - - - TOMME PEKERE FJERNET - - - -

Toolbar-Locked - (no file)
WebBrowser-{7C5C0F58-E061-457D-9033-77307F5ED00C} - (no file)
HKCU-Run-WebCamRT.exe - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-16 16:58
Windows 5.1.2600 Service Pack 3 NTFS

skanner skjulte prosesser ... 

skanner skjulte autostart-oppføringer ...

skanner skjulte filer ... 

skanning vellykket
skjulte filer: 0

**************************************************************************
.
--------------------- DLL'er Lastet Av Kjørende Prosesser ---------------------

- - - - - - - > 'winlogon.exe'(636)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
.
Tidspunkt ferdig: 2010-05-16  17:00:07
ComboFix-quarantined-files.txt  2010-05-16 14:59

Pre-Run: 151 593 795 584 bytes free
Post-Run: 151 586 959 360 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-NOR.exe
;
;Warning: Boot.ini is used on Windows XP and earlier operating systems.
;Warning: Use BCDEDIT.exe to modify Windows Vista boot options.
;
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /NOEXECUTE=OPTIN /FASTDETECT

- - End Of File - - 5CF9E0C24A01DA5106BD130A83ABCF1D

[SuperDave]

Use utroorent only for music and movies and they are always checked, because nowadays you cant be sure of anything

As you can see from this latest scan, a lot of bad stuff is getting in from P2P programs, specifically emule. Evidently, a lot of infections are getting through. Some other forums will not start cleaning computers until the P2P programs are all removed. All we do here is caution the user.

===========================
Registry cleaners are extremely powerful applications and their potential for harming your OS far outweighs any small potential for improving your computer's performance.

There are a number of them available and some are more safe than others. Keep in mind that no two registry cleaners work entirely the same way. Each vendor uses different criteria as to what constitutes a "bad" entry. One cleaner may find entries on your system that will not cause a problem when removed, another may not find the same entries, and still another may want to remove entries required for a program to work. Without research into what the registry entry selected for deletion is, a registry cleaner can end up being an automated method to cause problems with the registry.

For routine use by those not familiar with the registry, the benefits to your computer are negligible while the potential risks are great.

Further reading: XP Fixes Myth #1: Registry Cleaners

Wise Registry Cleaner Professional V5.12
c:\program files\RegCure
==================================
Please go to Jotti's malware scan
(If more than one file needs scanned they must be done separately and logs posted for each one)

* Copy the file path in the below Code box:

Code: [Select]

c:\windows\system32\GBPKIGMR.dll
* At the upload site, click once inside the window next to Browse.
* Press Ctrl+V on the keyboard (both at the same time) to paste the file path into the window.
* Next click Submit file
* Your file will possibly be entered into a queue which normally takes less than a minute to clear.
* This will perform a scan across multiple different virus scanning engines.
* Important: Wait for all of the scanning engines to complete.
* Once the scan is finished, Copy and then Paste the link in the address bar into your next reply.

====================================
Re-running ComboFix to remove infections:

• Close any open browsers.
• Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
• Open notepad and copy/paste the text in the quotebox below into it:
  

  KillAll::
  
  Folder::
  c:\program files\Ask.com
  
  
• Save this as CFScript.txt, in the same location as ComboFix.exe
  
  
  
  
• Referring to the picture above, drag CFScript into ComboFix.exe
• When finished, it shall produce a log for you at C:\ComboFix.txt
  
• Please post the contents of the log in your next reply.

[Peterwolfe]

c:\windows\system32\GBPKIGMR.dll.....Jotti said it couldnt find the file!!!!...Ask.com removed manually(probably a remnant after Limewire or so?);removed RegCure

[SuperDave]

Ok. Please send me another HTJ log.

[Peterwolfe]

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:05:03, on 17.05.2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\D-Link\AirPlus G DWL-G510\AirGCFG.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\UnHackMe\hackmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\RapidShareManager_0_1_0_248\RapidShareManager_0_1_0_248\RapidShareManager.exe
C:\Program Files\Opera 10 Beta\opera.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sol.no/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [D-Link AirPlus G DWL-G510] C:\Program Files\D-Link\AirPlus G DWL-G510\AirGCFG.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [UnHackMe Monitor] C:\Program Files\UnHackMe\hackmon.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: Oppslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Wireless Service - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Messenger Sharing Folders USN Journal Reader service (usnjsvc) - Unknown owner - C:\Program Files\Windows Live\Messenger\usnsvc.exe (file missing)
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe (file missing)

--
End of file - 5323 bytes

[SuperDave]

Well, that looks good. Are they any other issues? Please let me know.

[Peterwolfe]

Nope, thanks a lot for all your great efforts and info...will take all this with me when I abandon XP soon and go over to W7 for a while for so to end up with Linux somehow...lol..hope the more than 550 viewers learned a lot too... ...so, lets close the post...you're great

[SuperDave]

you're great

Thank you. Someday, perhaps.

To uninstall ComboFix

• Click the Start button. Click Run. For Vista: type in Run in the Start search, and click on Run in the results pane.
  
• In the field, type in commy /uninstall
  

(Note: Make sure there's a space between the word commy and the forward-slash.)

• Then, press Enter, or click OK.
  
• This will uninstall ComboFix, delete its folders and files, hides System files and folders, and resets System Restore.
  

=================================

Download OTC by OldTimer and save it to your desktop.

1. Double-click OTC to run it.
2. Click the CleanUp! button.
3. Select Yes when the "Begin cleanup Process?" prompt appears.
4. If you are prompted to Reboot during the cleanup, select Yes
5. OTC should delete itself once it finishes, if not delete it yourself.

=========================================
Clean out your temporary internet files and temp files.

Download TFC by OldTimer to your desktop.

Double-click TFC.exe to run it.

Note: If you are running on Vista, right-click on the file and choose Run As Administrator

TFC will close all programs when run, so make sure you have saved all your work before you begin.

* Click the Start button to begin the cleaning process.
* Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.
* Please let TFC run uninterrupted until it is finished.

Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.

===================================

Use the Secunia Software Inspector to check for out of date software.

•Click Start Now

•Check the box next to Enable thorough system inspection.

•Click Start

•Allow the scan to finish and scroll down to see if any updates are needed.
•Update anything listed.
.
----------

Go to Microsoft Windows Update and get all critical updates.

----------

I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

SpywareBlaster- Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer from Spyware and Malware
* If you don't know what ActiveX controls are, see here

Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ

Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

Also see Slow Computer? It may not be Malware for free cleaning/maintenance tools to help keep your computer running smoothly.
Safe Surfing!

[Peterwolfe]

wow, didnt expect so much info again...lol..thats why I said you're great....lol...will do as advised....be certain of that..

by the way, I use Ccleaner...is that as good as OTC? Have Secunia running for quite some time and was able to renew/refresh some software with the right drivers But one has to be very careful to change drivers as listed in that type of software, sometimes it ruins your software by advising wrong drivers....(bad experience...lol). But thanks and ciao...

[SuperDave]

by the way, I use Ccleaner...is that as good as OTC?

No. They're not the same. OTC is to remove all the tools we used to clean the computer.

[Peterwolfe]

ah, ok...will use it then..

[Peterwolfe]

didnt expect that it would turn out to such a crusade with so much learning...lol....main answer to my problem was really that I made a small mistake by looking for my ipconfig...lol....but well, when I got a MS alert that I was using a fake/false W7 which I had bloody well paid for, I started to think of more the SuperDave way...lol

Oh and that license issue that several scandinavians got, is solved, ms apologized and thats a miracle in itself!!!!!!!!!

and uh, ESET is now a very invaluable software I am going to use, when just having a suspicion..lol

[Peterwolfe]

by the way, UnHackMe just found malware in the XP-start phase....nice to have a good rootkit ...it included what I might expect if I didnt remove it....lol....cool... ...so I did after checking the net...

[SuperDave]

I wouldn't put too much trust in UnHackMe.

[Peterwolfe]

well, it helped this first time...lol...any other/better suggestions than? Always on the outlook for freeware...lol and then I mean in the rootkit section...

[SuperDave]

http://www.majorgeeks.com/
This is about the only place I would trust for freeware. Sometimes, freeware comes with a hidden cost in the form of malware.

[Peterwolfe]

thanks, will sweep the place...lol

[Peterwolfe]

do I NEED to uninstall all the supportive software you showed me to use?

[SuperDave]

If you already ran OTC, it's probably all gone now. You can download SAS and MBAM. Update them and run them on a regular basis. That should be all you need.

[Peterwolfe]

nope, I didnt....lol...my defences are as said: SAS, Malwarebyte, Spybot, AVG and now i will use the ESET once in a while when I see trange things happen here...hahahahaha . Well, we hope that your actions will help the 916 veiwers too...lol ...and agian: thanks a lot for all your efforts

[SuperDave]

thanks a lot for all your efforts

You're welcome.

[Peterwolfe]

ESET picked out a kind of disguised spyware called "crack. UB" which I cant find anything about, but it stated it was a "presumably dangererous..."..strange thing that neither AVG nor Superantispyware nor Malwarebytes got it right!!!!