Dark Fire, posted 26 November 2007

OK, I wrote the title in English since I couldn't be bothered to translate it *saving time*.

I use:
S & D - spyware program
Avast - antivirus
Task manager - task manager1
and Advanced task manager - task manager2.

So I've got an MSN worm (most likely), which has hooked itself onto svchost.exe, since all the svchost processes originate from C:/windows/system32/svchost.exe

What happens is that about 20 minutes after I've switched on the PC and have MSN open, MSN chat windows start flashing and the mouse/keyboard functions freeze for 10-40 secs before I can get into taskmngr (ctrl+alt+del), and by then one of the svchost processes is right at the top of the CPU list.

I have tried Symantec's w32.welchia.worm-remove-tool, hijackme, avast, s&d, SmithFraudfix, and manually tried to find something suspicious in %system32%.

What more can I do?

Selvin, posted 26 November 2007

Go ahead and format! That's always the best!

norbat, posted 26 November 2007

Download Hijackthis. Put it in a folder of its own on the desktop. Start the program and choose "Do a system scan and save a logfile". Copy the log file and post it.

Dark Fire (thread author), posted 26 November 2007

> Download Hijackthis. Put it in a folder of its own on the desktop. Start the program and choose "Do a system scan and save a logfile". Copy the log file and post it.

Hi. Thanks for (not) reading my whole post.

> I have tried Symantec's w32.welchia.worm-remove-tool, hijackme, avast, s&d, SmithFraudfix, and manually tried to find something suspicious in %system32%.

By the way, I forgot to mention TuneUp and CCleaner.

Even though I ALREADY HAVE HIJACKME, this is the report:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:49:21, on 26.11.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe
C:\Programfiler\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programfiler\Acunetix\Web Vulnerability Scanner 4\WVSScheduler.exe
C:\Programfiler\TortoiseSVN\bin\TSVNCache.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programfiler\Telenor\Online Start\Telenor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programfiler\Spybot - Search & Destroy\TeaTimer.exe
C:\Programfiler\Windows Live\Messenger\MsnMsgr.Exe
C:\Programfiler\BitTorrent\bittorrent.exe
C:\xampp\mysql\bin\mysqld-nt.exe
C:\Programfiler\Panda Security\Panda Antivirus 2008\PsImSvc.exe
c:\Programfiler\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Programfiler\Alwil Software\Avast4\ashMaiSv.exe
C:\Programfiler\Alwil Software\Avast4\ashWebSv.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\Programfiler\Windows Live\Messenger\usnsvc.exe
C:\Programfiler\Innovative Solutions\Advanced Task Manager 4\atm.exe
C:\WINDOWS\system32\mspaint.exe
C:\WINDOWS\SYSTEM32\taskmgr.exe
C:\WINDOWS\system32\cmd.exe
C:\Programfiler\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Påloggingshjelp for Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programfiler\Fellesfiler\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Programfiler\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programfiler\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Policies\Explorer\Run: [NTSecurity] NTSecurity.exe
O4 - HKCU\..\Policies\Explorer\Run: [NTSpool] NTSpool.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O23 - Service: Acunetix WVS Scheduler (AcuWVSScheduler) - Acunetix Ltd. - C:\Programfiler\Acunetix\Web Vulnerability Scanner 4\WVSScheduler.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: AutoMate 6 (AutoMate6) - Network Automation, Inc. - C:\Programfiler\AutoMate 6\AMTS.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programfiler\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programfiler\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programfiler\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - c:\xampp\FileZillaFTP\FileZillaServer.exe
O23 - Service: MCPop3 Service (MCPop3) - Unknown owner - C:\Programfiler\Macallan\Macallan Mail Solution\MCPop3.exe (file missing)
O23 - Service: MCSmtp Service (MCSmtp) - Unknown owner - C:\Programfiler\Macallan\Macallan Mail Solution\MCSmtp.exe (file missing)
O23 - Service: mysql - Unknown owner - C:\xampp\mysql\bin\mysqld-nt.exe
O23 - Service: ManageEngine OpManager (OpManager) - Unknown owner - C:\PROGRA~1\ADVENT~1\ME\OPMANA~1\wrapper.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Programfiler\Panda Security\Panda Antivirus 2008\pavsrv51.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software International - C:\Programfiler\Panda Security\Panda Antivirus 2008\PsImSvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Programfiler\WinPcap\rpcapd.exe
O23 - Service: Steganos Live Encryption Engine (Version 401) [service] (SLEE_401_SERVICE) - Unknown owner - C:\WINDOWS\system32\SLEE401.exe (file missing)
O23 - Service: XAMPP Service (XAMPP) - Unknown owner - C:\Programfiler\xampp\service.exe (file missing)

--
End of file - 4579 bytes

norbat, posted 26 November 2007

Hi,

I was a bit unsure what you meant by Hijackme, and it was the log that was of interest.

Start HJT, choose "Do a system scan only", tick the following lines and click Fix checked:

O4 - HKCU\..\Policies\Explorer\Run: [NTSecurity] NTSecurity.exe
O4 - HKCU\..\Policies\Explorer\Run: [NTSpool] NTSpool.exe

Get MSNFix, unpack it on the desktop and run the MSNFix.bat file.

Then get Combofix and put it on the desktop. Run combofix.exe and follow the instructions. You must not click on the window while the program is running.

Post the log file from combofix (c:\combofix.txt) + a new HJT log.

Dark Fire (thread author), posted 26 November 2007

ComboFix 07-11-19.4 - Madzzzz 2007-11-26 13:29:09.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1044.18.65 [GMT 1:00]
Running from: C:\Documents and Settings\Madzzzz\Mine dokumenter\OT programs\Awsome\Other\Downloads\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Madzzzz\Programdata\inst.exe

.
((((((((((((((((((((((((( Files Created from 2007-10-26 to 2007-11-26 )))))))))))))))))))))))))))))))
.

2007-11-26 10:37 <DIR> d-------- C:\Programfiler\Innovative Solutions
2007-11-18 07:15 647,219 --a------ C:\WINDOWS\system32\perl.exe
2007-11-17 07:35 <DIR> d-------- C:\Programfiler\MSXML 6.0
2007-11-16 05:46 <DIR> d-------- C:\Programfiler\Microsoft CAPICOM 2.1.0.2
2007-11-15 21:54 <DIR> d-------- C:\Documents and Settings\Madzzzz\Programdata\Tibia
2007-11-15 20:49 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-11-15 20:49 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2007-11-15 20:49 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2007-11-15 02:33 <DIR> d--hsc--- C:\Programfiler\Fellesfiler\WindowsLiveInstaller
2007-11-15 02:32 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\WLInstaller
2007-11-14 20:02 118 --a------ C:\WINDOWS\system32\MRT.INI
2007-11-13 18:11 <DIR> d-------- C:\Documents and Settings\Madzzzz\Programdata\TuneUp Software
2007-11-13 18:11 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\TuneUp Software
2007-11-13 18:10 <DIR> d-------- C:\Programfiler\TuneUp Utilities 2007
2007-11-13 17:38 <DIR> dr-h----- C:\Documents and Settings\Madzzzz\Siste
2007-11-10 01:26 6 --a------ C:\WINDOWS\system32\cuatro.ini
2007-11-10 01:25 <DIR> d-------- C:\Programfiler\Liberty BASIC v4.03
2007-11-09 21:27 <DIR> d-------- C:\Programfiler\AnalogX
2007-11-09 16:08 <DIR> d-------- C:\Programfiler\ABBYY FineReader 5.0 Sprint
2007-11-09 16:07 <DIR> d-------- C:\Programfiler\FaxTools
2007-11-09 16:02 1,100,125 --a------ C:\WINDOWS\system32\LXCZLPA.HLP
2007-11-09 16:02 198,144 --a------ C:\WINDOWS\system32\LEX2KUSB.DLL
2007-11-09 16:02 73,728 --a------ C:\WINDOWS\system32\lxczpwr.dll
2007-11-09 16:02 40,960 --a------ C:\WINDOWS\system32\lxczvs.dll
2007-11-09 16:02 40,960 --a------ C:\WINDOWS\system32\INSTMON.EXE
2007-11-09 16:02 2,162 --a------ C:\WINDOWS\system32\LXCZLPA.CNT
2007-11-09 16:02 294 --a------ C:\WINDOWS\system32\LXCZMA.CNT
2007-11-09 16:01 <DIR> d-------- C:\Programfiler\Lexmark 1200 Series
2007-11-09 16:01 983,107 --a------ C:\WINDOWS\system32\LXCZGF.DLL
2007-11-09 16:01 458,752 --a------ C:\WINDOWS\system32\LXCZJSWR.DLL
2007-11-09 16:01 356,352 --a------ C:\WINDOWS\system32\LXCZUTIL.DLL
2007-11-09 16:01 69,632 --a------ C:\WINDOWS\system32\lxczscin.dll
2007-11-08 18:07 <DIR> d-------- C:\Programfiler\Electronic Piano 2.5
2007-11-05 00:01 <DIR> d-------- C:\Programfiler\JitBit
2007-11-04 23:47 <DIR> d-------- C:\Programfiler\Aldo's Macro Recorder
2007-11-04 23:45 <DIR> d-------- C:\Programfiler\AutoHotkey
2007-11-04 23:41 <DIR> d-------- C:\Documents and Settings\Madzzzz\Programdata\Easy Macro Recorder
2007-10-28 22:20 <DIR> d-------- C:\Programfiler\Tibia 7.6

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.

2007-11-25 18:47 --------- d-----w C:\Programfiler\StepMania CVS
2007-11-22 14:50 716,800 ----a-w C:\WINDOWS\system32\NTSpool.exe
2007-11-22 14:11 --------- d-----w C:\Programfiler\LimeWire
2007-11-20 13:36 --------- d-----w C:\Documents and Settings\Madzzzz\Programdata\BitTorrent
2007-11-18 23:52 --------- d-----w C:\Programfiler\Tibia Auto 8.0
2007-11-18 20:38 --------- d-----w C:\Documents and Settings\Madzzzz\Programdata\Dev-Cpp
2007-11-17 18:25 --------- d-----w C:\Programfiler\Tibia 8.0
2007-11-17 06:42 --------- d-----w C:\Programfiler\Microsoft SQL Server
2007-11-16 04:55 --------- d-----w C:\Documents and Settings\All Users\Programdata\Microsoft Help
2007-11-15 20:07 --------- d-----w C:\Programfiler\Incomplete
2007-11-15 01:33 --------- d-----w C:\Programfiler\Windows Live
2007-11-15 01:28 --------- d-----w C:\Programfiler\MSN Messenger
2007-11-14 06:10 2,323,584 ----a-w C:\WINDOWS\system32\TUKernel.exe
2007-11-14 06:03 --------- d-----w C:\Programfiler\WarRock
2007-11-14 06:03 --------- d-----w C:\Programfiler\PostCast Server
2007-11-14 06:03 --------- d-----w C:\Programfiler\Net Tools
2007-11-14 06:03 --------- d-----w C:\Programfiler\Microsoft Works
2007-11-14 06:03 --------- d-----w C:\Programfiler\Final Fantasy VII
2007-11-14 06:03 --------- d-----w C:\Programfiler\Cain
2007-11-14 06:03 --------- d-----w C:\Documents and Settings\Madzzzz\Programdata\PHP Designer 2007
2007-11-13 17:06 --------- d-----w C:\Programfiler\Fellesfiler\Wise Installation Wizard
2007-11-12 00:35 --------- d-----w C:\Documents and Settings\Madzzzz\Programdata\mIRC
2007-11-12 00:34 --------- d-----w C:\Programfiler\mIRC
2007-11-10 16:13 --------- d-----w C:\Programfiler\Burn4Free
2007-11-10 13:53 --------- d-----w C:\Programfiler\Tibia 7.92
2007-11-09 15:07 --------- d--h--w C:\Programfiler\InstallShield Installation Information
2007-11-07 10:02 --------- d-----w C:\Programfiler\Mail Enable
2007-11-04 10:18 --------- d-----w C:\Programfiler\World of Warcraft
2007-10-31 17:04 --------- d-----w C:\Programfiler\StepMania
2007-10-24 16:17 --------- d-----w C:\Programfiler\PremiumSoft
2007-10-23 20:04 --------- d-----w C:\Programfiler\Telenor
2007-10-23 20:04 --------- d-----w C:\Documents and Settings\All Users\Programdata\Telenor
2007-10-23 19:00 --------- d-----w C:\Documents and Settings\All Users\Programdata\Spybot - Search & Destroy
2007-10-23 17:45 --------- d-----w C:\Programfiler\SpywareBlaster
2007-10-23 17:45 --------- d-----w C:\Programfiler\Alwil Software
2007-10-20 17:52 --------- d-----w C:\Programfiler\Tibia Auto
2007-10-18 10:31 51,224 ----a-w C:\WINDOWS\system32\sirenacm.dll
2007-10-17 17:22 28,672 ----a-w C:\WINDOWS\system32\drivers\CO_Mon.sys
2007-10-17 09:41 --------- d-----w C:\Programfiler\SQLPowerInjector
2007-10-16 15:35 --------- d-----w C:\Documents and Settings\All Users\Programdata\Symantec
2007-10-16 15:22 --------- d-----w C:\Programfiler\Oca History Tool
2007-10-16 15:21 --------- d-----w C:\Programfiler\CyberLink
2007-10-16 15:18 --------- d-----w C:\Programfiler\Yahoo!
2007-10-16 15:05 --------- d-----w C:\Programfiler\Image-Line
2007-10-16 12:29 --------- d-----w C:\Programfiler\CCleaner
2007-10-14 19:12 --------- d-----w C:\Programfiler\Trend Micro
2007-10-13 18:13 --------- d-----w C:\Programfiler\ArGo Software Design
2007-10-13 16:28 --------- d-----w C:\Programfiler\TabMail
2007-10-13 16:26 --------- d-----w C:\Programfiler\Free SMTP Server
2007-10-12 06:07 --------- d-----w C:\Programfiler\BitTorrent
2007-10-10 13:18 --------- d-----w C:\Programfiler\Panda Security
2007-10-10 07:22 4 ----a-w C:\Count.dat
2007-10-10 07:22 --------- d-----w C:\Programfiler\Macallan
2007-10-10 07:07 --------- d-----w C:\Programfiler\Fellesfiler\InfoJoin
2007-10-08 12:44 102,664 ----a-w C:\WINDOWS\system32\drivers\tmcomm.sys
2007-10-07 01:03 --------- d-----w C:\Documents and Settings\All Users\Programdata\McAfee
2007-10-07 00:52 --------- d-----w C:\Documents and Settings\All Users\Programdata\sentinel
2007-10-07 00:24 --------- d-----w C:\Documents and Settings\All Users\Programdata\sdb
2007-10-07 00:07 --------- d-----w C:\Programfiler\MySQL
2007-10-07 00:02 --------- d-----w C:\Programfiler\RustemSoft
2007-10-05 23:11 --------- d-----w C:\Programfiler\Metasploit
2007-09-28 23:36 --------- d-----w C:\Programfiler\phpDesigner 2007 Professional
2007-09-26 08:19 --------- d-----w C:\Programfiler\File Renamer 2005
2007-09-17 21:15 229,727 ----a-w C:\WINDOWS\Burn4Free_Toolbar_Uninstaller_531.exe
2007-09-17 16:04 82,432 ----a-w C:\WINDOWS\system32\msxml4r.dll
2007-09-11 11:02 81,920 ----a-w C:\WINDOWS\system32\frapsvid.dll
2007-09-06 10:09 801,144 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-09-06 10:00 95,608 ----a-w C:\WINDOWS\system32\AvastSS.scr
2007-08-28 00:02 2,752,512 ----a-w C:\WINDOWS\Help\LOADER.EXE
2007-08-04 22:48 223 ----a-w C:\Programfiler\INSTALL.LOG
2007-05-08 20:25 47,360 ----a-w C:\Documents and Settings\Madzzzz\Programdata\pcouffin.sys
2006-08-04 09:19 606,208 ----a-w C:\Documents and Settings\Madzzzz\setup.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Programfiler\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 15:46]
"MsnMsgr"="C:\Programfiler\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 11:06]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]
avldr.dll 2007-02-15 19:02 50736 C:\WINDOWS\system32\avldr.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"BitTorrent"="C:\Programfiler\BitTorrent\bittorrent.exe" --force_start_minimized

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6690bdd5-5c9c-11dc-83e6-001558781b42}]
\Shell\AutoRun\command - E:\.\start.bat

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2007-11-23 16:15:00 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Programfiler\TuneUp Utilities 2007\SystemOptimizer.exe
"2007-11-21 18:03:06 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-26 13:34:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\erdnt

**************************************************************************
.
Completion time: 2007-11-26 13:35:26
.
--- E O F ---

----------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:38:39, on 26.11.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe
C:\Programfiler\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programfiler\Acunetix\Web Vulnerability Scanner 4\WVSScheduler.exe
C:\Programfiler\TortoiseSVN\bin\TSVNCache.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programfiler\Telenor\Online Start\Telenor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programfiler\Spybot - Search & Destroy\TeaTimer.exe
C:\Programfiler\BitTorrent\bittorrent.exe
C:\xampp\mysql\bin\mysqld-nt.exe
C:\Programfiler\Panda Security\Panda Antivirus 2008\PsImSvc.exe
c:\Programfiler\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Programfiler\Alwil Software\Avast4\ashMaiSv.exe
C:\Programfiler\Alwil Software\Avast4\ashWebSv.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\Programfiler\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\SYSTEM32\taskmgr.exe
C:\Programfiler\Asprate\Tibia Multi IP Changer\Tibia MULTI-ip changer.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\cmd.exe
C:\ComboFix\vfind.cfexe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\explorer.exe
C:\ComboFix\nircmd.cfexe
C:\Programfiler\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Påloggingshjelp for Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programfiler\Fellesfiler\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Programfiler\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programfiler\Windows Live\Messenger\MsnMsgr.Exe" /background
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O23 - Service: Acunetix WVS Scheduler (AcuWVSScheduler) - Acunetix Ltd. - C:\Programfiler\Acunetix\Web Vulnerability Scanner 4\WVSScheduler.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: AutoMate 6 (AutoMate6) - Network Automation, Inc. - C:\Programfiler\AutoMate 6\AMTS.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programfiler\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programfiler\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programfiler\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - c:\xampp\FileZillaFTP\FileZillaServer.exe
O23 - Service: MCPop3 Service (MCPop3) - Unknown owner - C:\Programfiler\Macallan\Macallan Mail Solution\MCPop3.exe (file missing)
O23 - Service: MCSmtp Service (MCSmtp) - Unknown owner - C:\Programfiler\Macallan\Macallan Mail Solution\MCSmtp.exe (file missing)
O23 - Service: mysql - Unknown owner - C:\xampp\mysql\bin\mysqld-nt.exe
O23 - Service: ManageEngine OpManager (OpManager) - Unknown owner - C:\PROGRA~1\ADVENT~1\ME\OPMANA~1\wrapper.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Programfiler\Panda Security\Panda Antivirus 2008\pavsrv51.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software International - C:\Programfiler\Panda Security\Panda Antivirus 2008\PsImSvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Programfiler\WinPcap\rpcapd.exe
O23 - Service: Steganos Live Encryption Engine (Version 401) [service] (SLEE_401_SERVICE) - Unknown owner - C:\WINDOWS\system32\SLEE401.exe (file missing)
O23 - Service: XAMPP Service (XAMPP) - Unknown owner - C:\Programfiler\xampp\service.exe (file missing)

--
End of file - 4410 bytes

PS: I have an Upload_Me.zip folder with the viruses, as well as the MSN log file, on the desktop.

norbat, posted 26 November 2007

Use Explorer to find and delete (in bold):

C:\WINDOWS\system32\NTSpool.exe

Then tell us how the PC (MSN) is running.

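The triage norbat's replies walk through, as an added example that is not part of the thread: pick out the HijackThis O4 autostart entries under Policies\Explorer\Run that name a bare file, look those file names up in a ComboFix file listing, and confirm against the second scan that the entries are gone. The sample input is a few lines copied from the logs posted above; the function names and the flagging heuristic are assumptions of this example, not rules built into HijackThis or ComboFix.

```python
import re
from ntpath import basename  # splits Windows paths correctly on any OS

# Constructed sample input: a few lines copied from the logs posted in this thread.
HJT_BEFORE = r"""O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programfiler\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Policies\Explorer\Run: [NTSecurity] NTSecurity.exe
O4 - HKCU\..\Policies\Explorer\Run: [NTSpool] NTSpool.exe
"""
HJT_AFTER = r"""O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programfiler\Windows Live\Messenger\MsnMsgr.Exe" /background
"""
COMBOFIX_FIND3M = r"""2007-11-25 18:47 --------- d-----w C:\Programfiler\StepMania CVS
2007-11-22 14:50 716,800 ----a-w C:\WINDOWS\system32\NTSpool.exe
2007-11-14 06:10 2,323,584 ----a-w C:\WINDOWS\system32\TUKernel.exe
"""

O4_RE = re.compile(r"^O4 - (?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# Date, size, attributes, path. Directory rows have dashes for a size and are skipped.
FILE_RE = re.compile(r"^(?P<date>\d{4}-\d\d-\d\d \d\d:\d\d)\s+(?P<size>[\d,]+)"
                     r"\s+\S+\s+(?P<path>[A-Za-z]:\\.+)$")


def parse_o4(log):
    """Return (registry key, value name, command) for each O4 autostart line."""
    matches = (O4_RE.match(line.strip()) for line in log.splitlines())
    return [m.group("key", "name", "cmd") for m in matches if m]


def program(cmd):
    """First token of an autostart command, with surrounding quotes removed.
    An unquoted path containing spaces is cut at the first space, which is
    enough to tell a full path from a bare file name."""
    cmd = cmd.strip()
    if cmd.startswith('"') and '"' in cmd[1:]:
        return cmd[1:cmd.index('"', 1)]
    return cmd.split()[0]


def suspicious_o4(log):
    r"""Entries like the two singled out in the thread: values under
    Policies\Explorer\Run whose command is a file name with no directory.
    This heuristic is an assumption of the example."""
    hits = []
    for key, name, cmd in parse_o4(log):
        exe = program(cmd)
        if key.lower().endswith(r"policies\explorer\run") and "\\" not in exe:
            hits.append((name, exe))
    return hits


def locate(names, listing):
    """Look file names up (case-insensitively) in a ComboFix file listing."""
    wanted = {n.lower() for n in names}
    found = {}
    for line in listing.splitlines():
        m = FILE_RE.match(line.strip())
        if m and basename(m["path"]).lower() in wanted:
            found[basename(m["path"]).lower()] = (m["path"], m["size"], m["date"])
    return found


def removed(before, after):
    """O4 entries present in the first scan but absent from the second."""
    return sorted(set(parse_o4(before)) - set(parse_o4(after)))


if __name__ == "__main__":
    flagged = suspicious_o4(HJT_BEFORE)
    print("flagged:", flagged)
    print("in listing:", locate([exe for _, exe in flagged], COMBOFIX_FIND3M))
    print("gone after fix:", removed(HJT_BEFORE, HJT_AFTER))
```

A name with no match in the listing, as with NTSecurity.exe in this sample, only means the listing does not show that file.
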
Guest medlem-105082, posted 26 November 2007 (edited)

> Go ahead and format! That's always the best!

Tell me, do you format every single time you get a virus? Formatting is always the last resort.

Edited 26 November 2007 by medlem-105082

Selvin, posted 26 November 2007

>> Go ahead and format! That's always the best!
> Tell me, do you format every single time you get a virus? Formatting is always the last resort.

It's just that I never get viruses! But if I had got a virus I might as well have formatted, but it is absolutely not the best way out...

Dark Fire (thread author), posted 26 November 2007

> Use Explorer to find and delete (in bold): C:\WINDOWS\system32\NTSpool.exe
> Then tell us how the PC (MSN) is running.

Uhm, I haven't seen anything of the virus, so I assume everything is OK, but after the first "attack" it usually doesn't attack again until many, many hours later, if not the next day.

>>> Go ahead and format! That's always the best!
>> Tell me, do you format every single time you get a virus? Formatting is always the last resort.
> It's just that I never get viruses! But if I had got a virus I might as well have formatted, but it is absolutely not the best way out...

70 GB of stash is the reason I'm not as keen on formatting as you are. Because when those 70 GB contain about 1 GB of movies (Family Guy episodes), the remaining 69 GB are software.

norbat, posted 26 November 2007

Your logs look fine, but if you still have problems, just say so.

You should reset the restore folder so that you don't get infected by a possible system restore. Control Panel -> System -> System Restore. Tick "Turn off System Restore .....", restart the PC, then untick it again to re-enable the feature.