
[SOLVED] HJT log + SAS log. Need help with the analysis :)



A bit of an extreme case I'm trying to fix here. Some help would be appreciated :) I've run CCleaner, SAS and finally HJT.

 

Thanks in advance :)

 

HJT log


Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 09:41:21, on 11.08.2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16608)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe

C:\WINDOWS\system32\PSIService.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\ehome\ehtray.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe

C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE

C:\Program Files\MSN Messenger\MsnMsgr.Exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe

C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\Program Files\Messenger\msmsgs.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.bearflix.com/sidebar.html?src=ssb

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.bearshare.com/sidebar.html?src=ssb

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://no.intl.acer.yahoo.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.no/0SENBNO/SAOS01?FORM=TOOLBR

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://no.intl.acer.yahoo.com/

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

R3 - URLSearchHook: (no name) - {1BB22D38-A411-4B13-A746-C2A4F4EC7344} - (no file)

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: UrlHelper Class - {A1123C1A-5D52-4df7-B639-6346165FCD58} - C:\Program Files\BearFlix Applications\BearFlix MediaBar\BearFlixIEHelper.dll

O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll

O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll

O2 - BHO: XBTP01621 - {F6104497-54FD-4688-9162-5115CC8AB0FB} - C:\PROGRA~1\BEARSH~1\BEARSH~2\MediaBar.dll

O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O3 - Toolbar: BearShare MediaBar - {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - C:\Program Files\BearShare applications\BearShare MediaBar\MediaBar.dll

O3 - Toolbar: BearFlix MediaBar - {0388BA0C-C7F1-4E6A-BD7A-B59623F33363} - C:\Program Files\BearFlix Applications\BearFlix MediaBar\BearFlixMediaBar.dll

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe

O4 - HKLM\..\Run: [ntiMUI] C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe

O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"

O4 - HKLM\..\Run: [symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [salestart(1)] "C:\Program Files\Common Files\SecurePCCleaner\stm.exe" dm=http://securepccleaner.com ad=http://securepccleaner.com sd=http://ilp.securepccleaner.com

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MSI Configuration] msiconf.exe

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: BlueSoleil.lnk = ?

O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm

O8 - Extra context menu item: Åpne i ny bakgrunnsflik - res://C:\Program Files\Windows Live Toolbar\Components\nb-no\msntabres.dll.mui/229?d99224a88cf2438eb48f1ae62af7c935

O8 - Extra context menu item: Åpne i ny forgrunnsflik - res://C:\Program Files\Windows Live Toolbar\Components\nb-no\msntabres.dll.mui/230?d99224a88cf2438eb48f1ae62af7c935

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/f...p1.0.0.15-3.cab

O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.com/nos_dl_manager_dev/p...IEGetPlugin.ocx

O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab

O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab

O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/webgames/popcaploader_v10.cab

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O21 - SSODL: bxlrvps - {B0433024-4429-4C05-ABFF-32A6781F5613} - C:\WINDOWS\bxlrvps.dll (file missing)

O21 - SSODL: alofkmn - {C6E685CE-B18D-4B9C-8FC3-C7E6E352B7C3} - C:\WINDOWS\alofkmn.dll (file missing)

O21 - SSODL: ComponentCheck - {cdb30071-b988-4313-b3c6-fb1ac75c2eee} - C:\WINDOWS\Installer\{cdb30071-b988-4313-b3c6-fb1ac75c2eee}\ComponentCheck.dll (file missing)

O21 - SSODL: CDChk - {029a07d1-c264-459d-bb61-723b504237e2} - C:\WINDOWS\Installer\{029a07d1-c264-459d-bb61-723b504237e2}\CDChk.dll

O21 - SSODL: ComponentService - {cbee63a2-ffc8-470a-ad05-6eb68275c936} - C:\WINDOWS\Installer\{cbee63a2-ffc8-470a-ad05-6eb68275c936}\ComponentService.dll

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe

O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe

O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE

O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe

O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

 

--

End of file - 12373 bytes

 

 

 

SAS log no. 1


SUPERAntiSpyware Scan Log

http://www.superantispyware.com

 

Generated 08/08/2008 at 02:30 PM

 

Application Version : 4.15.1000

 

Core Rules Database Version : 3469

Trace Rules Database Version: 1460

 

Scan type : Complete Scan

Total Scan Time : 01:05:57

 

Memory items scanned : 595

Memory threats detected : 5

Registry items scanned : 4802

Registry threats detected : 59

File items scanned : 14049

File threats detected : 53

 

Trojan.Net-BXL/NMC

C:\WINDOWS\BXLRVPS.DLL

C:\WINDOWS\BXLRVPS.DLL

 

Trojan.Net-ALO/NMC

C:\WINDOWS\ALOFKMN.DLL

C:\WINDOWS\ALOFKMN.DLL

 

Trojan.Downloader-Oreon/Tiny

C:\WINDOWS\INSTALLER\{CDB30071-B988-4313-B3C6-FB1AC75C2EEE}\COMPONENTCHECK.DLL

C:\WINDOWS\INSTALLER\{CDB30071-B988-4313-B3C6-FB1AC75C2EEE}\COMPONENTCHECK.DLL

 

Rogue.AVSystemCare/Component

C:\PROGRAM FILES\COMMON FILES\MINNESPARERE\STRPMON.EXE

C:\PROGRAM FILES\COMMON FILES\MINNESPARERE\STRPMON.EXE

 

Rogue.StorageProtector/Trace

C:\PROGRAM FILES\COMMON FILES\SECUREPCCLEANER\STM.EXE

C:\PROGRAM FILES\COMMON FILES\SECUREPCCLEANER\STM.EXE

 

Trojan.Unclassified/EGO

HKLM\Software\Classes\CLSID\{13671A38-6AA3-49A1-BDBA-D6FD939FB331}

HKCR\CLSID\{13671A38-6AA3-49A1-BDBA-D6FD939FB331}

HKCR\CLSID\{13671A38-6AA3-49A1-BDBA-D6FD939FB331}

HKCR\CLSID\{13671A38-6AA3-49A1-BDBA-D6FD939FB331}\InprocServer32

HKCR\CLSID\{13671A38-6AA3-49A1-BDBA-D6FD939FB331}\InprocServer32#ThreadingModel

HKCR\CLSID\{13671A38-6AA3-49A1-BDBA-D6FD939FB331}\ProgID

HKCR\CLSID\{13671A38-6AA3-49A1-BDBA-D6FD939FB331}\Programmable

HKCR\CLSID\{13671A38-6AA3-49A1-BDBA-D6FD939FB331}\TypeLib

HKCR\CLSID\{13671A38-6AA3-49A1-BDBA-D6FD939FB331}\VersionIndependentProgID

C:\WINDOWS\EKVGSNW.DLL

HKLM\Software\Microsoft\Internet Explorer\Toolbar#{13671A38-6AA3-49A1-BDBA-D6FD939FB331}

HKCR\ekvgsnw.1

HKCR\ekvgsnw

HKCR\TypeLib\{7FFE0905-6EC8-43C7-AA68-54EC8003D222}

HKCR\TypeLib\{7FFE0905-6EC8-43C7-AA68-54EC8003D222}\1.0

HKCR\TypeLib\{7FFE0905-6EC8-43C7-AA68-54EC8003D222}\1.0

HKCR\TypeLib\{7FFE0905-6EC8-43C7-AA68-54EC8003D222}\1.0\win32

HKCR\TypeLib\{7FFE0905-6EC8-43C7-AA68-54EC8003D222}\1.0\FLAGS

HKCR\TypeLib\{7FFE0905-6EC8-43C7-AA68-54EC8003D222}\1.0\HELPDIR

 

Unclassified.Unknown Origin

HKLM\Software\Classes\CLSID\{6359F22A-40C1-4AF4-BB24-C740237FAE44}

HKCR\CLSID\{6359F22A-40C1-4AF4-BB24-C740237FAE44}

HKCR\CLSID\{6359F22A-40C1-4AF4-BB24-C740237FAE44}\InprocServer32

HKCR\CLSID\{6359F22A-40C1-4AF4-BB24-C740237FAE44}\InprocServer32#ThreadingModel

C:\WINDOWS\SYSTEM32\CARD.DLL

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6359F22A-40C1-4AF4-BB24-C740237FAE44}

 

Adware.SXGAdvisor

HKLM\Software\Classes\CLSID\{7C3BA9FF-4736-4131-A827-8020825E5070}

HKCR\CLSID\{7C3BA9FF-4736-4131-A827-8020825E5070}

HKCR\CLSID\{7C3BA9FF-4736-4131-A827-8020825E5070}

HKCR\CLSID\{7C3BA9FF-4736-4131-A827-8020825E5070}\InprocServer32

HKCR\CLSID\{7C3BA9FF-4736-4131-A827-8020825E5070}\InprocServer32#ThreadingModel

HKCR\CLSID\{7C3BA9FF-4736-4131-A827-8020825E5070}\ProgID

HKCR\CLSID\{7C3BA9FF-4736-4131-A827-8020825E5070}\Programmable

HKCR\CLSID\{7C3BA9FF-4736-4131-A827-8020825E5070}\TypeLib

HKCR\CLSID\{7C3BA9FF-4736-4131-A827-8020825E5070}\VersionIndependentProgID

C:\WINDOWS\DGTXRDFRMW.DLL

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7C3BA9FF-4736-4131-A827-8020825E5070}

 

Browser Hijacker.Internet Explorer Settings Hijack

HKU\S-1-5-21-3905120643-2800732308-2734149567-1005\Software\Microsoft\Internet Explorer\Main#Start Page [ http://softwarereferral.com/jump.php?wmid=...6Ojg5&lid=2 ]

 

Trojan.Net-MSV/VPS

HKCR\MSVPS.MSVPSApp

HKCR\MSVPS.MSVPSApp\CLSID

HKCR\MSVPS.MSVPSApp\CurVer

 

Desktop Hijacker.AboutYourPrivacy

C:\Documents and Settings\Lill Christin\Desktop\Error Cleaner.url

C:\Documents and Settings\Lill Christin\Desktop\Privacy Protector.url

C:\Documents and Settings\Lill Christin\Desktop\Spyware&Malware Protection.url

C:\Documents and Settings\Lill Christin\Favorites\Error Cleaner.url

C:\Documents and Settings\Lill Christin\Favorites\Privacy Protector.url

C:\Documents and Settings\Lill Christin\Favorites\Spyware&Malware Protection.url

 

Malware.SpyShredder

HKU\S-1-5-21-3905120643-2800732308-2734149567-1005\Software\SpyShredder

C:\Program Files\SpyShredder\SpyShredder.exe

C:\Program Files\SpyShredder\SpyShredder0.ss

C:\Program Files\SpyShredder\SpyShredder1.dll

C:\Program Files\SpyShredder\SpyShredder1.ss

C:\Program Files\SpyShredder\SpyShredder2.dll

C:\Program Files\SpyShredder\SpyShredder3.dll

C:\Program Files\SpyShredder\Uninstall.exe

C:\Program Files\SpyShredder\SpyShredder.lic

C:\Program Files\SpyShredder

C:\Documents and Settings\Lill Christin\Start Menu\Programs\SpyShredder\SpyShredder.lnk

C:\Documents and Settings\Lill Christin\Start Menu\Programs\SpyShredder\Uninstall.lnk

C:\Documents and Settings\Lill Christin\Start Menu\Programs\SpyShredder

C:\Documents and Settings\Lill Christin\Desktop\SpyShredder.lnk

 

Rogue.XP AntiVirus

HKU\S-1-5-21-3905120643-2800732308-2734149567-1005\Software\XP antivirus

C:\Documents and Settings\Lill Christin\Start Menu\XP Antivirus 2008\XP Antivirus 2008.lnk

C:\Documents and Settings\Lill Christin\Start Menu\XP Antivirus 2008\Uninstall XP Antivirus 2008.lnk

C:\Documents and Settings\Lill Christin\Start Menu\XP Antivirus 2008

 

Trojan.Net-MU/Gen

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WebVideo

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WebVideo#uninstallString

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WebVideo#DisplayName

 

Malware.LocusSoftware Inc/ConfidentSurf

HKLM\Software\Microsoft\Windows\CurrentVersion\Run#Salestart [ "C:\Program Files\Common Files\MinneSparere\strpmon.exe" dm=http://minnesparere.com ad=http://minnesparere.com sd=http://gehrig.minnesparere.com ]

 

Malware.LocusSoftware Inc/PCPrivacyTool

HKLM\Software\Purchased Products

HKLM\Software\Purchased Products\System Error Repair

HKLM\Software\Purchased Products\System Error Repair#domain

HKLM\Software\Purchased Products\System Error Repair#pname

HKLM\Software\Purchased Products\System Error Repair#cname

 

Rogue.ErrorFighter

HKLM\Software\ugac

HKLM\Software\ugac#DomainName

 

Rogue.TrustedAntiVirus

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DHLP

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DHLP#NextInstance

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DHLP000

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DHLP000#Service

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DHLP000#Legacy

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DHLP000#ConfigFlags

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DHLP000#Class

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DHLP000#ClassGUID

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DHLP000#DeviceDesc

 

Trojan.Unknown Origin

C:\WINDOWS\SYSTEM32\LSFML.BMP

C:\WINDOWS\SYSTEM32\KRMLKRED.BMP

C:\WINDOWS\SYSTEM32\GRILOFMH.BMP

C:\WINDOWS\SYSTEM32\NIDCFMLSB.BMP

C:\WINDOWS\SYSTEM32\OJEHSBED.BMP

C:\WINDOWS\SYSTEM32\SRMDKN.BMP

C:\WINDOWS\SYSTEM32\DSJMTORIL.BMP

C:\WINDOWS\SYSTEM32\JMHKN.BMP

C:\WINDOWS\SYSTEM32\DSBALSFQH.BMP

C:\WINDOWS\SYSTEM32\JMTOJADGJQL.BMP

C:\WINDOWS\SYSTEM32\HSNQDGNEPCFAP.BMP

C:\WINDOWS\SYSTEM32\ORIDGRALCB.BMP

C:\WINDOWS\SYSTEM32\TGREPOBQPKRQT.BMP

C:\WINDOWS\SYSTEM32\MLSFMLSRILGR.BMP

C:\WINDOWS\SYSTEM32\CNQTGFAHOFQHKB.BMP

C:\WINDOWS\SYSTEM32\RALSFIPSRQP.BMP

C:\WINDOWS\SYSTEM32\SRMHCJQLKFELSF.BMP

C:\WINDOWS\SYSTEM32\TSRMHKNIHKN.BMP

C:\WINDOWS\SYSTEM32\QTOBELKJIH.BMP

C:\WINDOWS\SYSTEM32\RATSJQPORMP.BMP

C:\WINDOWS\SYSTEM32\DCNMHSNMTGF.BMP

C:\WINDOWS\SYSTEM32\APSBQTKREDSJ.BMP

 

Trojan.Unclassified/CTFMONA

C:\WINDOWS\SYSTEM32\CTFMONA.EXE

 

 

SAS log no. 2


SUPERAntiSpyware Scan Log

http://www.superantispyware.com

 

Generated 08/08/2008 at 04:18 PM

 

Application Version : 4.15.1000

 

Core Rules Database Version : 3469

Trace Rules Database Version: 1460

 

Scan type : Complete Scan

Total Scan Time : 01:37:49

 

Memory items scanned : 152

Memory threats detected : 0

Registry items scanned : 4822

Registry threats detected : 1

File items scanned : 25255

File threats detected : 13

 

Browser Hijacker.Internet Explorer Settings Hijack

HKU\S-1-5-21-3905120643-2800732308-2734149567-1005\Software\Microsoft\Internet Explorer\Main#Start Page [ http://softwarereferral.com/jump.php?wmid=...6Ojg5&lid=2 ]

 

Rogue.LocusSoftware-Installer

C:\DOCUMENTS AND SETTINGS\LILL CHRISTIN\MY DOCUMENTS\INSTALL_SBD_EN.EXE

C:\DOCUMENTS AND SETTINGS\LILL CHRISTIN\MY DOCUMENTS\INSTALLER_EN.EXE

C:\DOCUMENTS AND SETTINGS\LILL CHRISTIN\MY DOCUMENTS\SETUP_EN.EXE

C:\DOCUMENTS AND SETTINGS\LILL CHRISTIN\APPLICATION DATA\INSTALLER_EN[1].EXE

C:\DOCUMENTS AND SETTINGS\LILL CHRISTIN\APPLICATION DATA\SETUP_EN[1].EXE

 

BearShare File Sharing Client

C:\PROGRAM FILES\BEARSHARE APPLICATIONS\BEARSHARE\BEARSHARE.EXE

 

Malware.LocusSoftware Inc/StorageProtector

C:\SYSTEM VOLUME INFORMATION\_RESTORE{CC86E74B-A348-4C69-90AE-B7FA83432220}\RP194\A0031879.EXE

 

Rogue.LocusSoftware-Filter

C:\SYSTEM VOLUME INFORMATION\_RESTORE{CC86E74B-A348-4C69-90AE-B7FA83432220}\RP201\A0032255.SYS

 

Rogue.StorageProtector/Trace

C:\SYSTEM VOLUME INFORMATION\_RESTORE{CC86E74B-A348-4C69-90AE-B7FA83432220}\RP201\A0032304.EXE

 

Malware.LocusSoftware Inc/Gen

C:\SYSTEM VOLUME INFORMATION\_RESTORE{CC86E74B-A348-4C69-90AE-B7FA83432220}\RP208\A0041850.EXE

 

Malware.MalwareStopper

C:\SYSTEM VOLUME INFORMATION\_RESTORE{CC86E74B-A348-4C69-90AE-B7FA83432220}\RP208\A0043883.DLL

C:\SYSTEM VOLUME INFORMATION\_RESTORE{CC86E74B-A348-4C69-90AE-B7FA83432220}\RP208\A0043885.DLL

C:\SYSTEM VOLUME INFORMATION\_RESTORE{CC86E74B-A348-4C69-90AE-B7FA83432220}\RP208\A0043886.DLL

 

Edited by mogie

There is still a bit left.

 

Do the following:

 

Download Combofix (by sUBs) and save it to the Desktop.

 

Run combofix.exe and follow the instructions. You will get a prompt saying "Roughly 1/100 machines failed to make it through the disinfection process!! Are you sure you want to do this??" - Answer Yes

Do not click on the window while the program is running. This can cause the program to freeze.

 

Post the log file from Combofix (c:\combofix.txt)

 

Then post a new HijackThis log


ComboFix log: :)


ComboFix 08-08-11.01 - Lill Christin 2008-08-12 8:35:24.1 - FAT32x86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.418 [GMT 2:00]

Running from: C:\Documents and Settings\Lill Christin\Desktop\ComboFix.exe

* Created a new restore point

 

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\Documents and Settings\Lill Christin\ResErrors.log

C:\WINDOWS\Installer\{029a07d1-c264-459d-bb61-723b504237e2}

C:\WINDOWS\Installer\{029a07d1-c264-459d-bb61-723b504237e2}\CDChk.dll

C:\WINDOWS\Installer\{cbee63a2-ffc8-470a-ad05-6eb68275c936}

C:\WINDOWS\Installer\{cbee63a2-ffc8-470a-ad05-6eb68275c936}\ComponentService.dll

C:\WINDOWS\Installer\{cdb30071-b988-4313-b3c6-fb1ac75c2eee}\ComponentCheck.dll

C:\WINDOWS\rs.txt

 

.

((((((((((((((((((((((((( Files Created from 2008-07-12 to 2008-08-12 )))))))))))))))))))))))))))))))

.

 

2008-08-11 08:03 . 2008-08-11 08:03 <DIR> d-------- C:\WINDOWS\LastGood

2008-08-08 13:23 . 2008-08-08 13:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com

2008-08-08 13:22 . 2008-08-08 13:22 <DIR> d-------- C:\Program Files\SUPERAntiSpyware

2008-08-08 13:22 . 2008-08-08 13:22 <DIR> d-------- C:\Documents and Settings\Lill Christin\Application Data\SUPERAntiSpyware.com

2008-08-08 12:40 . 2008-08-08 12:41 <DIR> d-------- C:\Program Files\Trend Micro

2008-08-08 12:40 . 2008-08-08 12:40 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard

2008-08-08 12:40 . 2008-08-08 12:40 <DIR> d-------- C:\Program Files\CCleaner

2008-08-06 17:02 . 1999-02-18 03:01 379,392 --a------ C:\PTEDIT32.EXE

2008-08-06 13:13 . 2008-08-06 13:13 <DIR> d--hs---- C:\FOUND.006

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-01-31 17:21 190,480 ----a-w C:\Documents and Settings\Lill Christin\Application Data\install_no[1].exe

2008-01-24 14:42 260,624 ----a-w C:\Documents and Settings\Lill Christin\Application Data\setup_no[1].exe

2008-02-22 15:43 6,266 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys

2008-02-22 15:23 168 --sh--r C:\WINDOWS\system32\1E5DC69011.sys

.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A1123C1A-5D52-4df7-B639-6346165FCD58}]

2007-11-05 11:52 419256 --a------ C:\Program Files\BearFlix Applications\BearFlix MediaBar\BearFlixIEHelper.dll

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{0388BA0C-C7F1-4E6A-BD7A-B59623F33363}"= "C:\Program Files\BearFlix Applications\BearFlix MediaBar\BearFlixMediaBar.dll" [2007-11-05 11:52 480696]

 

[HKEY_CLASSES_ROOT\clsid\{0388ba0c-c7f1-4e6a-bd7a-b59623f33363}]

[HKEY_CLASSES_ROOT\BearFlixMediaBar.BearFlixStockBar.1]

[HKEY_CLASSES_ROOT\TypeLib\{FF3A7D74-C160-42c7-BA49-0B6AB56DEAC3}]

[HKEY_CLASSES_ROOT\BearFlixMediaBar.BearFlixStockBar]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{0388BA0C-C7F1-4E6A-BD7A-B59623F33363}"= "C:\Program Files\BearFlix Applications\BearFlix MediaBar\BearFlixMediaBar.dll" [2007-11-05 11:52 480696]

 

[HKEY_CLASSES_ROOT\clsid\{0388ba0c-c7f1-4e6a-bd7a-b59623f33363}]

[HKEY_CLASSES_ROOT\BearFlixMediaBar.BearFlixStockBar.1]

[HKEY_CLASSES_ROOT\TypeLib\{FF3A7D74-C160-42c7-BA49-0B6AB56DEAC3}]

[HKEY_CLASSES_ROOT\BearFlixMediaBar.BearFlixStockBar]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 12:54 5674352]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 20:00 15360]

"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-28 10:33 1506544]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 13:56 64512]

"AzMixerSel"="C:\Program Files\Realtek\InstallShield\AzMixerSel.exe" [2006-04-14 22:35 53248]

"ntiMUI"="C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe" [2005-05-11 17:15 45056]

"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-10 20:00 59392]

"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 20:00 455168]

"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 20:00 455168]

"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-03 13:07 761946]

"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 11:12 90112]

"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-22 22:19 52840]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe" [2006-12-15 03:23 75520]

"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 18:30 517768]

"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-11-22 16:36 286720]

"RTHDCPL"="RTHDCPL.EXE" [2006-06-27 23:54 16248320 C:\WINDOWS\RTHDCPL.exe]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-10 20:00 15360]

 

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06 29696]

BlueSoleil.lnk - C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe [2006-12-25 15:26:04 1167360]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles

"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

 

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Photo Downloader]

--a------ 2007-08-28 12:00 531272 C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eRecoveryService]

--a------ 2006-06-01 14:40 413696 C:\Acer\Empowering Technology\eRecovery\eRAgent.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]

--a------ 2004-08-10 20:00 208952 C:\WINDOWS\ime\imjp8_1\imjpmig.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]

--a------ 2006-05-16 03:04 2879488 C:\WINDOWS\SkyTel.exe

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=

"C:\\Program Files\\Messenger\\msmsgs.exe"=

"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=

"C:\\Program Files\\MSN Messenger\\livecall.exe"=

"C:\\Program Files\\LimeWire\\LimeWire.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

 

S2 eLock2BurnerLockDriver;eLock2BurnerLockDriver;C:\WINDOWS\system32\eLock2BurnerLockDriver.sys []

S2 eLock2FSCTLDriver;eLock2FSCTLDriver;C:\WINDOWS\system32\eLock2FSCTLDriver.sys []

 

*Newly Created Service* - CATCHME

*Newly Created Service* - PROCEXP90

.

Contents of the 'Scheduled Tasks' folder

 

2008-02-22 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Lill Christin.job

- C:\PROGRA~1\NORTON~1\Navw32.exe [2007-05-23 12:13]

 

2008-08-12 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job

- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE [2006-07-07 17:26]

 

2008-04-16 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job

- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2006-10-10 17:13]

.

- - - - ORPHANS REMOVED - - - -

 

HKLM-Run-Salestart(1) - C:\Program Files\Common Files\SecurePCCleaner\stm.exe dm=http://securepccleaner.com ad=http://securepccleaner.com

HKLM-Run-LaunchApp - (no file)

MSConfigStartUp-BearFlix - C:\Program Files\BearFlix\BearFlix.exe

MSConfigStartUp-ctfmona - C:\WINDOWS\system32\ctfmona.exe

MSConfigStartUp-SpyShredder - C:\Program Files\SpyShredder\SpyShredder.exe

MSConfigStartUp-XP Antivirus - C:\Program Files\XP Antivirus\xpa2008pro.exe

 

 

.

------- Supplementary Scan -------

.

R0 -: HKCU-Main,SearchMigratedDefaultUrl = hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZKxdm022YYNO&fl=0&ptb=Ruj_3HRMBlbUdbiDSn8XNA&url=http://edits.mywebsearch.com/toolbaredits/barsearch.jhtml&st=sb&searchfor={searchTerms}

R0 -: HKLM-Main,Start Page = hxxp://no.intl.acer.yahoo.com

R1 -: HKCU-Internet Connection Wizard,ShellNext = hxxp://no.intl.acer.yahoo.com/

R1 -: HKCU-SearchURL,(Default) = hxxp://g.msn.no/0SENBNO/SAOS01?FORM=TOOLBR

O8 -: &Windows Live Search - C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm

O8 -: Åpne i ny bakgrunnsflik - C:\Program Files\Windows Live Toolbar\Components\nb-no\msntabres.dll.mui/229?d99224a88cf2438eb48f1ae62af7c935

O8 -: Åpne i ny forgrunnsflik - C:\Program Files\Windows Live Toolbar\Components\nb-no\msntabres.dll.mui/230?d99224a88cf2438eb48f1ae62af7c935

 

 

**************************************************************************

 

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-08-12 08:38:04

Windows 5.1.2600 Service Pack 2 FAT NTAPI

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

Completion time: 2008-08-12 8:38:53

ComboFix-quarantined-files.txt 2008-08-12 06:38:46

 

Pre-Run: 38,992,183,296 bytes free

Post-Run: 38,972,719,104 byte ledig

 

147 --- E O F --- 2008-02-14 01:03:04

 

 

 

HJT:

 


Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 08:42:47, on 12.08.2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16608)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe

C:\WINDOWS\system32\PSIService.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\ehome\ehtray.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe

C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE

C:\Program Files\MSN Messenger\MsnMsgr.Exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE

C:\WINDOWS\system32\notepad.exe

C:\WINDOWS\explorer.exe

C:\Program Files\internet explorer\iexplore.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Symantec\LiveUpdate\AUpdate.exe

C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe

C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe

C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.bearshare.com/sidebar.html?src=ssb

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.bearshare.com/sidebar.html?src=ssb

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://no.intl.acer.yahoo.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.no/0SENBNO/SAOS01?FORM=TOOLBR

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://no.intl.acer.yahoo.com/

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

R3 - URLSearchHook: (no name) - {1BB22D38-A411-4B13-A746-C2A4F4EC7344} - (no file)

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: UrlHelper Class - {A1123C1A-5D52-4df7-B639-6346165FCD58} - C:\Program Files\BearFlix Applications\BearFlix MediaBar\BearFlixIEHelper.dll

O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll

O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll

O2 - BHO: XBTP01621 - {F6104497-54FD-4688-9162-5115CC8AB0FB} - C:\PROGRA~1\BEARSH~1\BEARSH~2\MediaBar.dll

O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O3 - Toolbar: BearShare MediaBar - {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - C:\Program Files\BearShare applications\BearShare MediaBar\MediaBar.dll

O3 - Toolbar: BearFlix MediaBar - {0388BA0C-C7F1-4E6A-BD7A-B59623F33363} - C:\Program Files\BearFlix Applications\BearFlix MediaBar\BearFlixMediaBar.dll

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe

O4 - HKLM\..\Run: [ntiMUI] C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe

O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"

O4 - HKLM\..\Run: [symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: BlueSoleil.lnk = ?

O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm

O8 - Extra context menu item: Åpne i ny bakgrunnsflik - res://C:\Program Files\Windows Live Toolbar\Components\nb-no\msntabres.dll.mui/229?d99224a88cf2438eb48f1ae62af7c935

O8 - Extra context menu item: Åpne i ny forgrunnsflik - res://C:\Program Files\Windows Live Toolbar\Components\nb-no\msntabres.dll.mui/230?d99224a88cf2438eb48f1ae62af7c935

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.com/nos_dl_manager_dev/p...IEGetPlugin.ocx

O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab

O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab

O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe

O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe

O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE

O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe

O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

 

--

End of file - 11415 bytes

 


Go to http://virusscan.jotti.org, click Browse, and upload the following file for analysis:

C:\WINDOWS\system32\1E5DC69011.sys

Then click Submit. Accept that the file will be scanned. Finally, copy the result and paste it into your next post, so I can look at it and assess what needs to be done next.

 

 

I will look more closely at the log in 3-4 hours if nobody beats me to it.


Start HijackThis

Select: Do a system scan only

 

Put a check in the boxes in front of these lines:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.bearshare.com/sidebar.html?src=ssb

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.bearshare.com/sidebar.html?src=ssb

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb

R3 - URLSearchHook: (no name) - {1BB22D38-A411-4B13-A746-C2A4F4EC7344} - (no file)

 

If you do not want Yahoo! Toolbar, you can uninstall it from Add/Remove Programs.

If you have already removed it, you can fix the following line:

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

 

Close all windows (except HijackThis) and browsers (including the one you are reading this in), and click Fix checked.

Note: If you are asked to confirm fixing a line, confirm it.

 

Then close HijackThis and restart the machine.

 

You should update Java

It is important to use the latest version of Java, since earlier versions may contain security holes that increase the likelihood of you getting infected again. It looks like your version of Java is outdated.

 

Update Java:

  • Go to Start > Control Panel > Add/Remove Programs.

  • Search the list for all earlier versions of Java (JRE, J2SE Runtime, J2RE, etc.). All of these versions should have this icon in front of them: javaicon.gif. Select all you find, and click Remove.

  • Then install the Java version you downloaded at the start.

Tell me how the update went, since problems with updating can indicate more malware on your system.

 

 

 

Create a new HijackThis log:

Start HijackThis

Select: Do a system scan and save a logfile

 

Post this log in your next post.

Edited by r2d290
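Added example, not code from the thread, from r2d290 or from HijackThis: a small Python triage script that applies the helper's criteria to the R-section of the two HijackThis logs in this thread, flagging search/start-page entries that point at a host outside an assumed allowlist of the machine's stock defaults and URLSearchHooks whose DLL is missing, then diffs the 12.08 and 13.08 logs to confirm the ticked lines are gone. The allowlist (DEFAULT_HOSTS) is an assumption, and the sample logs are constructed from the lines quoted above.

```python
"""HijackThis (HJT) log triage. Added example; not part of the thread or of HJT.

Flags R0/R1 IE search/start settings pointing at a non-default host and R3
URLSearchHooks whose DLL is "(no file)", then diffs a before/after log pair.
"""
import re
from urllib.parse import urlparse

# Assumption: hosts the thread's logs show as stock defaults on this machine.
DEFAULT_HOSTS = {"go.microsoft.com", "no.intl.acer.yahoo.com", "g.msn.no"}

ENTRY = re.compile(r"^[RO]\d+ - ")
R_SETTING = re.compile(r"^R[0-3] - (.+?)\s*=\s*(.*)$")
R_HOOK = re.compile(r"^R3 - URLSearchHook: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")


def parse_entries(log_text):
    """Return the R*/O* entry lines of an HJT log, stripped, in file order."""
    return [ln.strip() for ln in log_text.splitlines() if ENTRY.match(ln.strip())]


def flag_entry(line):
    """Return a reason if the entry looks hijacked or dangling, else None."""
    hook = R_HOOK.match(line)
    if hook:
        # A search hook whose DLL is gone is a leftover from removed software.
        return "URLSearchHook with missing file" if hook.group(3) == "(no file)" else None
    setting = R_SETTING.match(line)
    if setting:
        value = setting.group(2).strip()
        if not value:
            return None  # an empty Start Page is harmless
        host = urlparse(value).hostname
        if host and host not in DEFAULT_HOSTS:
            return f"IE setting points at non-default host {host}"
    return None


def triage(log_text):
    """List (entry, reason) for every suspicious entry in the log."""
    flagged = []
    for line in parse_entries(log_text):
        reason = flag_entry(line)
        if reason:
            flagged.append((line, reason))
    return flagged


def removed_entries(before_text, after_text):
    """Entries present in the first log but absent from the second."""
    after = set(parse_entries(after_text))
    return [line for line in parse_entries(before_text) if line not in after]


# Constructed sample: part of the R-section of the 12.08 log, before the fix ...
BEFORE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.bearshare.com/sidebar.html?src=ssb
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://no.intl.acer.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.no/0SENBNO/SAOS01?FORM=TOOLBR
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
R3 - URLSearchHook: (no name) - {1BB22D38-A411-4B13-A746-C2A4F4EC7344} - (no file)
"""

# ... and the same section of the 13.08 log, after "Fix checked" and a reboot.
AFTER_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://no.intl.acer.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.no/0SENBNO/SAOS01?FORM=TOOLBR
"""

if __name__ == "__main__":
    for line, reason in triage(BEFORE_LOG):
        print(f"[{reason}] {line}")
    print("still flagged after fix:", len(triage(AFTER_LOG)))
    print("entries removed:", len(removed_entries(BEFORE_LOG, AFTER_LOG)))
```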

HJT log. The Java updates went fine. :)


Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 09:46:01, on 13.08.2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16674)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe

C:\WINDOWS\system32\PSIService.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\ehome\ehtray.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\MSN Messenger\MsnMsgr.Exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe

C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE

C:\WINDOWS\system32\msiexec.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://no.intl.acer.yahoo.com

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.no/0SENBNO/SAOS01?FORM=TOOLBR

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://no.intl.acer.yahoo.com/

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll

O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe

O4 - HKLM\..\Run: [ntiMUI] C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe

O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: BlueSoleil.lnk = ?

O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm

O8 - Extra context menu item: Åpne i ny bakgrunnsflik - res://C:\Program Files\Windows Live Toolbar\Components\nb-no\msntabres.dll.mui/229?d99224a88cf2438eb48f1ae62af7c935

O8 - Extra context menu item: Åpne i ny forgrunnsflik - res://C:\Program Files\Windows Live Toolbar\Components\nb-no\msntabres.dll.mui/230?d99224a88cf2438eb48f1ae62af7c935

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.com/nos_dl_manager_dev/p...IEGetPlugin.ocx

O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab

O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab

O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe

O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe

O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE

O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe

O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

 

--

End of file - 9122 bytes


Good. A little sluggish, but only because of a lot of software and because the file system was just converted from FAT32 to NTFS. Ran defrag, so everything is really as it should be. :) Thanks for all the help.

 

Have a new analysis coming up in a new post soon.


ComboFix must be uninstalled.

 

Go to Start > Run

Type the following in the box:

  • combofix /u

PS: note the space between X and /u

 

Press Enter.

 

This command will:

  • Remove the following:
    • ComboFix and its associated files and folders.
    • VundoFix backups, if they exist.
    • The folder C:\Deckard, if it exists.
    • The folder C:\OtMoveIt, if it exists.
  • Reset the clock settings.
  • Hide file extensions if necessary.
  • Hide system/hidden files and folders if necessary.
  • Reset the System Restore points.

 

You can uninstall HijackThis:

Start HijackThis, select None of the above, just start the program.

Then click Config>>Misc Tools>>Uninstall HijackThis & exit>>Ja/Yes. The program is now uninstalled.

 

I recommend that you keep SAS. If you still want to get rid of it, you can do so from Add/Remove Programs.

 

If you consider the problem with your machine solved, you can change your topic title by clicking p_edit.gif in your first post and choosing full edit. At the top, where your topic title is, type:

[LØST]

in front of your topic title.

 

E.g.: [LØST] Got a virus on the machine

 

This helps keep the forum tidier for the supporters, and new people who get the same problem will more easily find a suitable thread to look in.

 

-Surf safely-

Edited by r2d290