KillAV.KL

Last Saturday my kids were on the internet while I was at work. After a while they phoned me and complained that every time they opened Firefox the computer rebooted. So when I came home for lunch I checked it and phoned support, but they couldn't help me.

Through my internet provider I have the F-Secure security pack with both an antivirus program and a firewall. But about a month ago Windows Security Center told me that I didn't have an antivirus program. And it hasn't scanned for viruses either; the program is scheduled to scan every Friday. This Saturday F-Secure couldn't download the latest definitions and I couldn't do an online scan. On all these pages it showed that I didn't have any connection to the internet, but I did.

So using a laptop I downloaded other antivirus programs, starting with AVG and then F-Secure Internet Security 2009 with the latest definitions. First I ran AVG and it found some viruses, most in keygen files that were stored on my computer. After uninstalling AVG and then installing F-Secure I ran a new scan and found one trojan on the computer (I didn't write down the name), but F-Secure couldn't delete the file so I did that manually.

I still have plenty of problems with the internet; both IncrediMail and Firefox freeze for a few seconds when pages are loading. I can't update F-Secure (it says it can't get a connection), and I can't go to pages to download programs like HiJackAll. For that I have downloaded them on the laptop, burned them to a disc and then taken them to this computer. Every now and then I get a popup that says something about sysvxd.exe not working. I have updated F-Secure manually now and it ran into KillAV.KL on my computer. I found this info on it:

Name: KillAV.KL
Status: Danger
Items that have this flag are generally malware such as viruses, trojans, hijackers, spyware but could also be programs that are not desirable to run on your computer. This is known to be dangerous in almost all cases.
How to remove KillAV.KL: Removing KillAV.KL manually is hard. You never know how many files it has infected.

So I would appreciate any help to get rid of all this! I have downloaded HiJackAll, Combofix and Malwarebytes' Anti-Malware. Do I need anything more, and which one should I start with?

Hugs, Susanne
Re: KillAV.KL

Let's start with a HijackThis log. Combofix as a last resort. It may also be outdated if/when we need to use it, so if you have not run it yet (I hope not), then delete it.
Re: KillAV.KL

Here's my HijackThis log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:38:36, on 2008-10-24
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\Program\Delade filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program\Bonjour\mDNSResponder.exe
C:\Program\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program\CyberLink\PowerCinema\Kernel\CLML_NTService\CLMLServer.exe
C:\Program\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
C:\Program\F-Secure Internet Security\Common\FSMA32.EXE
C:\Program\F-Secure Internet Security\Anti-Virus\FSGK32.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program\Delade filer\LightScribe\LSSrvc.exe
C:\Program\F-Secure Internet Security\Common\FSMB32.EXE
C:\Program\F-Secure Internet Security\Common\FCH32.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program\Delade filer\NMSAccessU.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program\F-Secure Internet Security\Anti-Virus\fsqh.exe
C:\Program\F-Secure Internet Security\Common\FAMEH32.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program\F-Secure Internet Security\FSPC\fspc.exe
C:\Program\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
C:\WINDOWS\Explorer.EXE
C:\Program\Creative\Shared Files\Module Loader\DLLML.exe
C:\Program\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE
C:\Program\Adobe\Photoshop Elements 6.0\apdproxy.exe
C:\Program\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe
C:\Program\Delade filer\Real\Update_OB\realsched.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program\iTunes\iTunesHelper.exe
C:\Program\HP\HP Software Update\HPwuSchd2.exe
C:\Program\Java\jre1.6.0_07\bin\jusched.exe
C:\Program\CyberLink\PowerCinema\PCMService.exe
C:\HP\KBD\KBD.EXE
C:\Program\HP\Digital Imaging\bin\hpqSRMon.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program\F-Secure Internet Security\Common\FSM32.EXE
C:\Program\Delade filer\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe
C:\Program\Pando Networks\Pando\Pando.exe
C:\Program\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program\Magentic\bin\MgApp.exe
C:\Program\F-Secure Internet Security\FSGUI\fsguidll.exe
C:\Program\INCRED~1\bin\IMApp.exe
c:\windows\system\hpsysdrv.exe
C:\Program\F-Secure Internet Security\FSAUA\program\fsaua.exe
C:\Program\F-Secure Internet Security\Anti-Virus\fssm32.exe
C:\Program\F-Secure Internet Security\FWES\Program\fsdfwd.exe
C:\Program\iPod\bin\iPodService.exe
C:\Program\F-Secure Internet Security\FSAUA\program\fsus.exe
c:\Program\Mozilla Firefox\firefox.exe
C:\Program\F-Secure Internet Security\Anti-Virus\fsav32.exe
C:\Program\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe
C:\Program\Delade filer\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aftonbladet.se/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
R3 - URLSearchHook: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program\Macrogaming\SweetIMBarForIE\toolbar.dll (file missing)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SWEETIE - {1A0AADCD-3A72-4b5f-900F-E3BB5A838E2A} - C:\Program\MACROG~1\SWEETI~1\toolbar.dll (file missing)
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program\WS_FTP Pro\wsbho2k0.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live inloggningshjälpen - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program\Delade filer\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program\Windows Live Toolbar\msntb.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program\Macrogaming\SweetIMBarForIE\toolbar.dll (file missing)
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program\Adobe\Photoshop Elements 6.0\apdproxy.exe"
O4 - HKLM\..\Run: [VolPanel] "C:\Program\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r
O4 - HKLM\..\Run: [ussshreg] C:\Program\ULEADS~1\Ussshreg.exe /r
O4 - HKLM\..\Run: [PPFW] c:\program\panda software\panda platinum 2005 internet security\firewall\PPFW.EXE PPFW.EXE /cmd:allowpandarules /prod:platinum /mod:7 /flg:2 /ver:11.1.0
O4 - HKLM\..\Run: [TkBellExe] "C:\Program\Delade filer\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program\Delade filer\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program\CyberLink\PowerCinema\PCMService.exe"
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [hpqSRMon] C:\Program\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [HPHUPD08] c:\Program\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [HPBootOp] "C:\Program\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program\F-Secure Internet Security\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program\F-Secure Internet Security\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [Corel Photo Downloader] "C:\Program\Delade filer\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" -startup
O4 - HKCU\..\Run: [Magentic] C:\Program\Magentic\bin\Magentic.exe /c
O4 - HKCU\..\Run: [IncrediMail] C:\Program\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [Pando] "C:\Program\Pando Networks\Pando\Pando.exe" /Minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJÄNST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Sticky Pad] C:\Program\StickyPad\StickyPad.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Sticky Pad] C:\Program\StickyPad\StickyPad.exe (User 'Default user')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Startup: Skärmurklipp och start för OneNote 2007.lnk = C:\Program\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Last.fm Helper.lnk = C:\Program\Last.fm\LastFMHelper.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Office Excel - res://C:\Program\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Translate Page - http://www.geocities.com/mockba80/translate1.0.txt
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Föräldra-... - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program\F-Secure Internet Security\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program\F-Secure Internet Security\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: Föräldra-... - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program\F-Secure Internet Security\FSPC\fspcmsie.dll
O9 - Extra button: Skicka till OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Ski&cka till OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: HP Smart markering - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: Hjälp med anslutning - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Hjälp med anslutning - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra button: Start PostSmile - {F596B4DB-835A-4b2f-9BCF-F44FD9705E87} - C:\Program\PostSmile\postsmile.exe (HKCU)
O9 - Extra 'Tools' menuitem: Start PostSmile - {F596B4DB-835A-4b2f-9BCF-F44FD9705E87} - C:\Program\PostSmile\postsmile.exe (HKCU)
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab50997.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...scbase8300.cab
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.postfoto.se/aurigma/ImageUploader4.cab
O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} (AxisMediaControl Class) - http://81.233.44.86/activex/AMC.cab
O16 - DPF: {A93B47FD-9BF6-4DA8-97FC-9270B9D64A6C} (VaPgCtrl Class) - http://83.227.230.63/plugin/h263ctrl.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary...o.cab56649.cab
O16 - DPF: {C75BE5CC-7F80-458C-8B66-FAB86E3B13C3} (FotkiUploader Control) - http://images.fotki.com/activex/FotkiUploader.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program\Delade filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour-tjänst (Bonjour Service) - Apple Inc. - C:\Program\Bonjour\mDNSResponder.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program\CyberLink\PowerCinema\Kernel\CLML_NTService\CLMLServer.exe
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program\Delade filer\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program\F-Secure Internet Security\FSAUA\program\fsaua.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program\F-Secure Internet Security\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program\F-Secure Internet Security\Common\FSMA32.EXE
O23 - Service: F-Secure ORSP Client (FSORSPClient) - F-Secure Corporation - C:\Program\F-Secure Internet Security\ORSP Client\fsorsp.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program\Delade filer\LightScribe\LSSrvc.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program\Delade filer\NMSAccessU.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe

--
End of file - 16935 bytes
Re: KillAV.KL

Can you please do the following.

===============

Scan with HijackThis and then place a check next to all the following, if present:

R3 - URLSearchHook: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program\Macrogaming\SweetIMBarForIE\toolbar.dll (file missing)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - (no file)
O2 - BHO: SWEETIE - {1A0AADCD-3A72-4b5f-900F-E3BB5A838E2A} - C:\Program\MACROG~1\SWEETI~1\toolbar.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program\Macrogaming\SweetIMBarForIE\toolbar.dll (file missing)

Now, close all instances of Internet Explorer and any other windows you have open except HijackThis, and click "Fix checked".

===============

After rebooting, rescan with HijackThis and post back a new log.

===============

Run MBAM and update it online. Scan your PC and have MBAM remove what it finds. Post the log produced.
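The selection rule the helper applied above (tick the IE hook, BHO and toolbar entries whose registered DLL is reported as "(no file)" or "(file missing)") can be automated. The Python script below is an added example, not part of this thread and not HijackThis's own code: it parses lines in HijackThis v2 format, lists the orphaned R3/O2/O3 registrations to tick before "Fix checked", and, going beyond what the helper asked for, separately flags O16 (DPF, ActiveX) entries whose download URL is a bare IP address, since those deserve a manual look even though they are not by themselves evidence of infection. The embedded sample log is constructed from a few lines of the log posted above; the function names are this example's own.

```python
"""Triage a HijackThis v2 log: list dead IE registrations and ActiveX controls fetched from bare IPs."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: a few lines copied from the log posted in this thread,
# in HijackThis v2 format (section code, " - ", description, " - ", CLSID/path).
SAMPLE_LOG = r"""
R3 - URLSearchHook: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program\Macrogaming\SweetIMBarForIE\toolbar.dll (file missing)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} (AxisMediaControl Class) - http://81.233.44.86/activex/AMC.cab
O16 - DPF: {C75BE5CC-7F80-458C-8B66-FAB86E3B13C3} (FotkiUploader Control) - http://images.fotki.com/activex/FotkiUploader.cab
"""

# HijackThis appends one of these when the registered DLL/EXE is absent on disk.
ORPHAN_MARKERS = ("(no file)", "(file missing)")
# IE URL search hooks, browser helper objects and toolbars: the sections the helper ticked.
HOOK_SECTIONS = ("R3", "O2", "O3")

_ENTRY_RE = re.compile(r"^(R\d|O\d{1,2}) - (.*)$")
# Dotted-quad host directly after the scheme, e.g. http://81.233.44.86/...
_IP_HOST_RE = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}(?:[:/]|$)", re.IGNORECASE)


@dataclass(frozen=True)
class Entry:
    section: str  # e.g. "O2"
    body: str     # text after "O2 - "
    raw: str      # full line, exactly as the user must see it to tick it


def parse_hjt(text: str) -> list[Entry]:
    """Return every section entry (R0..R3, O1..O24); header and process-list lines are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = _ENTRY_RE.match(line)
        if m:
            entries.append(Entry(m.group(1), m.group(2), line))
    return entries


def orphaned_hooks(entries: list[Entry]) -> list[Entry]:
    """IE hooks whose code no longer exists: dead registrations, harmless to remove."""
    return [e for e in entries
            if e.section in HOOK_SECTIONS and e.body.endswith(ORPHAN_MARKERS)]


def ip_hosted_activex(entries: list[Entry]) -> list[Entry]:
    """O16 (DPF) controls downloaded from a bare IP: review by hand, do not remove automatically."""
    return [e for e in entries if e.section == "O16" and _IP_HOST_RE.search(e.body)]


def fix_list(text: str) -> list[str]:
    """The exact lines to tick before 'Fix checked' in HijackThis."""
    return [e.raw for e in orphaned_hooks(parse_hjt(text))]


if __name__ == "__main__":
    entries = parse_hjt(SAMPLE_LOG)
    print("Tick and Fix checked:")
    for line in fix_list(SAMPLE_LOG):
        print("  " + line)
    print("Review (ActiveX fetched from a bare IP):")
    for e in ip_hosted_activex(entries):
        print("  " + e.raw)
```

Run against the sample, the fix list contains exactly the four orphaned entries (the SweetIM hook, the two dead BHOs and the dead Yahoo toolbar) and leaves the entries that still point at an existing DLL alone; the O4 autorun and the Fotki control are not touched. Removing an orphaned registration cannot break anything because there is no code behind it any more; the bare-IP O16 entries are only reported, because the same pattern is produced by legitimate camera and video plugins.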
Re: KillAV.KL

First I made the changes and rebooted the computer, then ran HijackThis again, and here's the log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:19:23, on 2008-10-25
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\Program\Delade filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program\Bonjour\mDNSResponder.exe
C:\Program\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program\CyberLink\PowerCinema\Kernel\CLML_NTService\CLMLServer.exe
C:\Program\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
C:\Program\F-Secure Internet Security\Common\FSMA32.EXE
C:\Program\F-Secure Internet Security\Anti-Virus\FSGK32.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program\F-Secure Internet Security\Common\FSMB32.EXE
C:\Program\Delade filer\LightScribe\LSSrvc.exe
C:\Program\Creative\Shared Files\Module Loader\DLLML.exe
C:\Program\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE
C:\Program\Adobe\Photoshop Elements 6.0\apdproxy.exe
C:\Program\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\Delade filer\Real\Update_OB\realsched.exe
C:\Program\Delade filer\NMSAccessU.exe
C:\Program\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program\F-Secure Internet Security\Common\FCH32.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program\iTunes\iTunesHelper.exe
C:\Program\F-Secure Internet Security\Common\FAMEH32.EXE
C:\Program\F-Secure Internet Security\Anti-Virus\fsqh.exe
C:\Program\HP\HP Software Update\HPwuSchd2.exe
C:\Program\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\svchost.exe
C:\Program\CyberLink\PowerCinema\PCMService.exe
C:\Program\F-Secure Internet Security\FSPC\fspc.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program\HP\Digital Imaging\bin\hpqSRMon.exe
C:\Program\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program\F-Secure Internet Security\Common\FSM32.EXE
C:\Program\F-Secure Internet Security\FSGUI\fsguidll.exe
C:\Program\Delade filer\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe
C:\Program\Pando Networks\Pando\Pando.exe
C:\Program\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program\Magentic\bin\MgApp.exe
C:\Program\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program\INCRED~1\bin\IMApp.exe
C:\WINDOWS\system32\wuauclt.exe
c:\windows\system\hpsysdrv.exe
C:\Program\Trend Micro\HijackThis\HijackThis.exe
C:\Program\F-Secure Internet Security\FSAUA\program\fsaua.exe
C:\Program\F-Secure Internet Security\Anti-Virus\fssm32.exe
C:\Program\F-Secure Internet Security\FWES\Program\fsdfwd.exe
C:\Program\iPod\bin\iPodService.exe
C:\Program\F-Secure Internet Security\FSAUA\program\fsus.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aftonbladet.se/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program\WS_FTP Pro\wsbho2k0.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live inloggningshjälpen - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program\Delade filer\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program\Windows Live Toolbar\msntb.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program\Adobe\Photoshop Elements 6.0\apdproxy.exe"
O4 - HKLM\..\Run: [VolPanel] "C:\Program\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r
O4 - HKLM\..\Run: [ussshreg] C:\Program\ULEADS~1\Ussshreg.exe /r
O4 - HKLM\..\Run: [PPFW] c:\program\panda software\panda platinum 2005 internet security\firewall\PPFW.EXE PPFW.EXE /cmd:allowpandarules /prod:platinum /mod:7 /flg:2 /ver:11.1.0
O4 - HKLM\..\Run: [TkBellExe] "C:\Program\Delade filer\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program\Delade filer\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program\CyberLink\PowerCinema\PCMService.exe"
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [hpqSRMon] C:\Program\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [HPHUPD08] c:\Program\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [HPBootOp] "C:\Program\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program\F-Secure Internet Security\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program\F-Secure Internet Security\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [Corel Photo Downloader] "C:\Program\Delade filer\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" -startup
O4 - HKCU\..\Run: [Magentic] C:\Program\Magentic\bin\Magentic.exe /c
O4 - HKCU\..\Run: [IncrediMail] C:\Program\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [Pando] "C:\Program\Pando Networks\Pando\Pando.exe" /Minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJÄNST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Sticky Pad] C:\Program\StickyPad\StickyPad.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Sticky Pad] C:\Program\StickyPad\StickyPad.exe (User 'Default user')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Startup: Skärmurklipp och start för OneNote 2007.lnk = C:\Program\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Last.fm Helper.lnk = C:\Program\Last.fm\LastFMHelper.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Office Excel - res://C:\Program\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Translate Page - http://www.geocities.com/mockba80/translate1.0.txt
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Föräldra-... - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program\F-Secure Internet Security\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program\F-Secure Internet Security\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: Föräldra-... - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program\F-Secure Internet Security\FSPC\fspcmsie.dll
O9 - Extra button: Skicka till OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Ski&cka till OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: HP Smart markering - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: Hjälp med anslutning - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Hjälp med anslutning - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra button: Start PostSmile - {F596B4DB-835A-4b2f-9BCF-F44FD9705E87} - C:\Program\PostSmile\postsmile.exe (HKCU)
O9 - Extra 'Tools' menuitem: Start PostSmile - {F596B4DB-835A-4b2f-9BCF-F44FD9705E87} - C:\Program\PostSmile\postsmile.exe (HKCU)
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab50997.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...scbase8300.cab
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.postfoto.se/aurigma/ImageUploader4.cab
O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} (AxisMediaControl Class) - http://81.233.44.86/activex/AMC.cab
O16 - DPF: {A93B47FD-9BF6-4DA8-97FC-9270B9D64A6C} (VaPgCtrl Class) - http://83.227.230.63/plugin/h263ctrl.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary...o.cab56649.cab
O16 - DPF: {C75BE5CC-7F80-458C-8B66-FAB86E3B13C3} (FotkiUploader Control) - http://images.fotki.com/activex/FotkiUploader.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program\Delade filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour-tjänst (Bonjour Service) - Apple Inc. - C:\Program\Bonjour\mDNSResponder.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program\CyberLink\PowerCinema\Kernel\CLML_NTService\CLMLServer.exe
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program\Delade filer\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program\F-Secure Internet Security\FSAUA\program\fsaua.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program\F-Secure Internet Security\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program\F-Secure Internet Security\Common\FSMA32.EXE
O23 - Service: F-Secure ORSP Client (FSORSPClient) - F-Secure Corporation - C:\Program\F-Secure Internet Security\ORSP Client\fsorsp.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: iPod Service - Apple Inc.
- C:\Program\iPod\bin\iPodService.exe O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program\Delade filer\LightScribe\LSSrvc.exe O23 - Service: NMSAccessU - Unknown owner - C:\Program\Delade filer\NMSAccessU.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe -- End of file - 16053 bytes Then I installed MBAM but wasn't able to update, program says I had no connection. After 5 hours of scanning it wasn't ready when I went to bed, so it had scanned all night. Here's the log: Malwarebytes' Anti-Malware 1.30 Databasversion: 1306 Windows 5.1.2600 Service Pack 3 2008-10-26 07:56:26 mbam-log-2008-10-26 (07-56-15).txt Skanningstyp: Fullständig skanning (C:\|D:\|E:\|) Antal skannade objekt: 805487 Förfluten tid: 8 hour(s), 45 minute(s), 10 second(s) Infekterade minnesprocesser: 0 Infekterade minnesmoduler: 0 Infekterade registernycklar: 8 Infekterade registervärden: 1 Infekterade registerdataposter: 2 Infekterade mappar: 6 Infekterade filer: 19 Infekterade minnesprocesser: (Inga illasinnade poster hittades) Infekterade minnesmoduler: (Inga illasinnade poster hittades) Infekterade registernycklar: HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> No action taken. HKEY_CLASSES_ROOT\TypeLib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> No action taken. HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> No action taken. HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> No action taken. HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> No action taken. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> No action taken. HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> No action taken. 
HKEY_CURRENT_USER\SOFTWARE\RegistrySmart (Rogue.RegistrySmart) -> No action taken. Infekterade registervärden: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\Program\Delade filer\Real\WeatherBug\MiniBugTransporter.dll (Adware.Minibug) -> No action taken. Infekterade registerdataposter: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\ -> No action taken. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\ -> No action taken. Infekterade mappar: C:\Program\RegistrySmart (Rogue.RegistrySmart) -> No action taken. C:\Program\RegistrySmart\Log (Rogue.RegistrySmart) -> No action taken. C:\Program\RegistrySmart\Registry Backups (Rogue.RegistrySmart) -> No action taken. C:\Documents and Settings\HP_Ägaren\Application Data\RegistrySmart (Rogue.RegistrySmart) -> No action taken. C:\Documents and Settings\HP_Ägaren\Application Data\RegistrySmart\Log (Rogue.RegistrySmart) -> No action taken. C:\Documents and Settings\HP_Ägaren\Application Data\RegistrySmart\Registry Backups (Rogue.RegistrySmart) -> No action taken. Infekterade filer: C:\Program\Delade filer\Real\WeatherBug\MiniBugTransporter.dll (Adware.Minibug) -> No action taken. C:\Program\RegistrySmart\Errors.stg (Rogue.RegistrySmart) -> No action taken. C:\Program\RegistrySmart\Launcher.exe (Rogue.RegistrySmart) -> No action taken. C:\Program\RegistrySmart\license.txt (Rogue.RegistrySmart) -> No action taken. C:\Program\RegistrySmart\RegistrySmart.exe (Rogue.RegistrySmart) -> No action taken. C:\Program\RegistrySmart\RegistrySmart.url (Rogue.RegistrySmart) -> No action taken. C:\Program\RegistrySmart\Results.stg (Rogue.RegistrySmart) -> No action taken. C:\Program\RegistrySmart\unins000.dat (Rogue.RegistrySmart) -> No action taken. C:\Program\RegistrySmart\unins000.exe (Rogue.RegistrySmart) -> No action taken. 
C:\Program\RegistrySmart\Log\log_2008_10_20_03_30_00.eklog (Rogue.RegistrySmart) -> No action taken. C:\Program\RegistrySmart\Registry Backups\2007-05-17_20-38-00.reg (Rogue.RegistrySmart) -> No action taken. C:\Documents and Settings\HP_Ägaren\Application Data\RegistrySmart\Errors.stg (Rogue.RegistrySmart) -> No action taken. C:\Documents and Settings\HP_Ägaren\Application Data\RegistrySmart\Results.stg (Rogue.RegistrySmart) -> No action taken. C:\Documents and Settings\HP_Ägaren\Application Data\RegistrySmart\Log\log_2007_05_14_16_09_31.log (Rogue.RegistrySmart) -> No action taken. C:\Documents and Settings\HP_Ägaren\Application Data\RegistrySmart\Log\log_2007_05_14_16_09_32.log (Rogue.RegistrySmart) -> No action taken. C:\Documents and Settings\HP_Ägaren\Application Data\RegistrySmart\Registry Backups\2007-05-14_16-21-26.reg (Rogue.RegistrySmart) -> No action taken. C:\WINDOWS\system32\ (Trojan.Agent) -> No action taken. C:\WINDOWS\system32\delself.bat (Malware.Trace) -> No action taken. C:\Documents and Settings\HP_Ägaren\Skrivbord\RegistrySmart.lnk (Rogue.RegistrySmart) -> No action taken. Then I deleted the files which maybe was a mistake, because after booted the computer it freezes up every time I tried to close a window. So I started computer in safe mood and installed CCleander and let it clean the computer and check the registry. Did some changes on startup program, use to have a message from LastFM about a file missing, so I stoped that program on startup. Then I booted the computer and now I can open windows again withoug computer freezing and I noticed that my antivirusprogram finally have updated :) Is there anything else I should check or is my computer free from virus? Hugs, Susanne |
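A reader working through a log like the one above wants to know which of the many findings actually matter before deleting anything. The following is an added example written for this page; it is not code from the thread, from Malwarebytes or from any tool mentioned here. It assumes the MBAM 1.x line format visible in the posted log, `<item> (<family>) -> <action>`, with an extra `Data: <value> ->` segment on registry-data findings; the sample lines are copied from the log above, and the list of autostart registry locations is my own constructed heuristic, not anything MBAM reports.

```python
import re
from collections import Counter

# Constructed sample: a handful of lines copied from the MBAM 1.30 log posted in
# this thread (Swedish section headers and all). MBAM prints one finding per
# line as "<item> (<family>) -> <action>"; registry *data* findings carry an
# extra "Data: <value> ->" segment showing the flagged value content.
SAMPLE_LOG = r"""
Infekterade registernycklar:
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\RegistrySmart (Rogue.RegistrySmart) -> No action taken.

Infekterade registerdataposter:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\ -> No action taken.

Infekterade filer:
C:\Program\Delade filer\Real\WeatherBug\MiniBugTransporter.dll (Adware.Minibug) -> No action taken.
C:\WINDOWS\system32\delself.bat (Malware.Trace) -> No action taken.
"""

# One finding per line. "Data:" is optional and only present on registry-data hits.
FINDING_RE = re.compile(
    r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> "
    r"(?:Data: (?P<data>.+?) -> )?(?P<action>.+)$"
)

# Registry locations Windows consults at logon to start programs. A finding
# here means the infection had a foothold that survives a reboot, so it is the
# first thing to resolve. (Constructed heuristic list, not something MBAM emits.)
AUTOSTART_MARKERS = (
    r"winlogon\userinit",
    r"winlogon\shell",
    r"\currentversion\run",
)


def parse_mbam_log(text):
    """Return one dict per finding: section, item, family, data, action."""
    findings, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = FINDING_RE.match(line)
        if m is None:
            if line.endswith(":"):          # section header such as "Infekterade filer:"
                section = line[:-1]
            continue
        findings.append({"section": section, **m.groupdict()})
    return findings


def family_counts(findings):
    """Number of findings per detection family (Adware.Minibug, Trojan.Agent, ...)."""
    return Counter(f["family"] for f in findings)


def autostart_findings(findings):
    """Findings that live in a logon autostart location; check what the value
    points at and restore it, rather than only deleting the file it names."""
    return [f for f in findings
            if any(marker in f["item"].lower() for marker in AUTOSTART_MARKERS)]


def triage(text):
    """Plain-text report: family totals first, then the autostart entries."""
    findings = parse_mbam_log(text)
    lines = [f"{n:3d}  {fam}" for fam, n in family_counts(findings).most_common()]
    for f in autostart_findings(findings):
        lines.append(f"AUTOSTART  {f['item']}  data={f['data']!r}  ({f['family']})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Run against the full log above, the report shows that most entries are leftovers of a rogue "registry cleaner" and an adware DLL, while the two Winlogon\Userinit data entries are the ones that decide whether the machine comes up cleanly: Windows runs whatever that value names at every logon, and a value that ends in a bare directory such as `c:\windows\system32\` is a sign it had been rewritten. Restoring the value is the step to take before deleting files it references.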
Re: KillAV.KL
Just so that I understand correctly. You have deleted all the files that MBAM found, yes? Your log from HijackThis looks clean, so if your PC is behaving like a good child again, I see no point in running ComboFix :).
Re: KillAV.KL
Yes, I deleted all the files that MBAM found, and yes, my computer acts much better now :) Even the antivirus program could update by itself! :) Thank you so much for your help! Hugs, Susanne
Re: KillAV.KL
No worries :)
Forum system based on vBulletin Copyright ©2000 - 2009, Jelsoft Enterprises Ltd.
©2003 - 2009 DaniWeb® LLC