
Win32/Alman.NAB / W32/Almanahe.B virus on external harddrive


Igo

Hi,

I recently discovered a virus on my external hard drive. First I thought my virus scanner would take care of it, but the pop-ups kept coming back. After some research on the web I ended up here. I tried everything I know to get rid of the virus, but it's still there. I hope someone here can help me out.

I made some screenshots of the pop-ups that I had:

viruswaarschuwingantivikn6.jpg

viruswaarschuwingnod32mj3.jpg

My normal virus scanner is NOD32, but after I encountered the virus I downloaded AntiVir as well; as you can see, the pop-ups still came back.

I have tried to follow the posting instructions and I hope I've done this correctly. The logs can be found below.

The AntiVir log:

Avira AntiVir Personal

Report file date: woensdag 21 januari 2009 15:52

Scanning for 1234460 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic

Serial number: 0000149996-ADJIE-0001

Platform: Windows XP

Windows version: (Service Pack 3) [5.1.2600]

Boot mode: Normally booted

Username: SYSTEM

Computer name: GENERAAL-IGO

Version information:

BUILD.DAT : 8.2.0.337 16934 Bytes 18-11-2008 13:05:00

AVSCAN.EXE : 8.1.4.10 315649 Bytes 18-11-2008 08:21:26

AVSCAN.DLL : 8.1.4.0 40705 Bytes 26-5-2008 07:56:40

LUKE.DLL : 8.1.4.5 164097 Bytes 12-6-2008 12:44:19

LUKERES.DLL : 8.1.4.0 12033 Bytes 26-5-2008 07:58:52

ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 27-10-2008 11:30:36

ANTIVIR1.VDF : 7.1.1.113 2817536 Bytes 14-1-2009 20:35:13

ANTIVIR2.VDF : 7.1.1.148 440832 Bytes 20-1-2009 20:35:25

ANTIVIR3.VDF : 7.1.1.149 2048 Bytes 20-1-2009 20:35:25

Engineversion : 8.2.0.57

AEVDF.DLL : 8.1.0.6 102772 Bytes 14-10-2008 10:05:56

AESCRIPT.DLL : 8.1.1.26 340347 Bytes 20-1-2009 20:37:15

AESCN.DLL : 8.1.1.5 123251 Bytes 7-11-2008 15:06:41

AERDL.DLL : 8.1.1.3 438645 Bytes 4-11-2008 13:58:38

AEPACK.DLL : 8.1.3.5 393588 Bytes 20-1-2009 20:37:10

AEOFFICE.DLL : 8.1.0.33 196987 Bytes 20-1-2009 20:37:05

AEHEUR.DLL : 8.1.0.84 1540471 Bytes 20-1-2009 20:36:48

AEHELP.DLL : 8.1.2.0 119159 Bytes 20-1-2009 20:35:38

AEGEN.DLL : 8.1.1.10 323957 Bytes 20-1-2009 20:35:37

AEEMU.DLL : 8.1.0.9 393588 Bytes 14-10-2008 10:05:56

AECORE.DLL : 8.1.5.2 172405 Bytes 20-1-2009 20:35:28

AEBB.DLL : 8.1.0.3 53618 Bytes 14-10-2008 10:05:56

AVWINLL.DLL : 1.0.0.12 15105 Bytes 9-7-2008 08:40:05

AVPREF.DLL : 8.0.2.0 38657 Bytes 16-5-2008 09:28:01

AVREP.DLL : 8.0.0.2 98344 Bytes 31-7-2008 12:02:15

AVREG.DLL : 8.0.0.1 33537 Bytes 9-5-2008 11:26:40

AVARKT.DLL : 1.0.0.23 307457 Bytes 12-2-2008 08:29:23

AVEVTLOG.DLL : 8.0.0.16 119041 Bytes 12-6-2008 12:27:49

SQLITE3.DLL : 3.3.17.1 339968 Bytes 22-1-2008 17:28:02

SMTPLIB.DLL : 1.2.0.23 28929 Bytes 12-6-2008 12:49:40

NETNT.DLL : 8.0.0.1 7937 Bytes 25-1-2008 12:05:10

RCIMAGE.DLL : 8.0.0.51 2371841 Bytes 12-6-2008 13:48:07

RCTEXT.DLL : 8.0.52.0 86273 Bytes 27-6-2008 13:34:37

Configuration settings for the scan:

Jobname..........................: Complete system scan

Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp

Logging..........................: low

Primary action...................: interactive

Secondary action.................: ignore

Scan master boot sector..........: on

Scan boot sector.................: on

Boot sectors.....................: C:, F:,

Process scan.....................: on

Scan registry....................: on

Search for rootkits..............: off

Scan all files...................: Intelligent file selection

Scan archives....................: on

Recursion depth..................: 20

Smart extensions.................: on

Macro heuristic..................: on

File heuristic...................: medium

Start of the scan: woensdag 21 januari 2009 15:52

The scan of running processes will be started

Scan process 'avscan.exe' - '1' Module(s) have been scanned

Scan process 'avcenter.exe' - '1' Module(s) have been scanned

Scan process 'mbam-setup.tmp' - '1' Module(s) have been scanned

Scan process 'mbam-setup.exe' - '1' Module(s) have been scanned

Scan process 'WLLoginProxy.exe' - '1' Module(s) have been scanned

Scan process 'iexplore.exe' - '1' Module(s) have been scanned

Scan process 'usnsvc.exe' - '1' Module(s) have been scanned

Scan process 'alg.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'slserv.exe' - '1' Module(s) have been scanned

Scan process 'HPZipm12.exe' - '1' Module(s) have been scanned

Scan process 'nod32krn.exe' - '1' Module(s) have been scanned

Scan process 'jqs.exe' - '1' Module(s) have been scanned

Scan process 'iviRegMgr.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'mDNSResponder.exe' - '1' Module(s) have been scanned

Scan process 'AppleMobileDeviceService.exe' - '1' Module(s) have been scanned

Scan process 'avguard.exe' - '1' Module(s) have been scanned

Scan process 'skypePM.exe' - '1' Module(s) have been scanned

Scan process 'rapimgr.exe' - '1' Module(s) have been scanned

Scan process 'Skype.exe' - '1' Module(s) have been scanned

Scan process 'wcescomm.exe' - '1' Module(s) have been scanned

Scan process 'GoogleToolbarNotifier.exe' - '1' Module(s) have been scanned

Scan process 'msnmsgr.exe' - '1' Module(s) have been scanned

Scan process 'ctfmon.exe' - '1' Module(s) have been scanned

Scan process 'avgnt.exe' - '1' Module(s) have been scanned

Scan process 'rundll32.exe' - '1' Module(s) have been scanned

Scan process 'ISUSPM.exe' - '1' Module(s) have been scanned

Scan process 'gnotify.exe' - '1' Module(s) have been scanned

Scan process 'atiptaxx.exe' - '1' Module(s) have been scanned

Scan process 'nod32kui.exe' - '1' Module(s) have been scanned

Scan process 'jusched.exe' - '1' Module(s) have been scanned

Scan process 'sched.exe' - '1' Module(s) have been scanned

Scan process 'spoolsv.exe' - '1' Module(s) have been scanned

Scan process 'explorer.exe' - '1' Module(s) have been scanned

Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned

Scan process 'lsass.exe' - '1' Module(s) have been scanned

Scan process 'services.exe' - '1' Module(s) have been scanned

Scan process 'winlogon.exe' - '1' Module(s) have been scanned

Scan process 'csrss.exe' - '1' Module(s) have been scanned

Scan process 'smss.exe' - '1' Module(s) have been scanned

48 processes with 48 modules were scanned

Starting master boot sector scan:

Master boot sector HD0

[INFO] No virus was found!

Master boot sector HD1

[INFO] No virus was found!

Start scanning boot sectors:

Boot sector 'C:\'

[INFO] No virus was found!

Boot sector 'F:\'

[INFO] No virus was found!

Starting to scan the registry.

The registry was scanned ( '61' files ).

Starting the file scan:

Begin scan in 'C:\'

C:\pagefile.sys

[WARNING] The file could not be opened!

C:\Documents and Settings\Igo\Mijn documenten\Zooi\SETTLERS[1][1].5.HOK.PLUS4TRN.CHEATERS.ZIP

[0] Archive type: ZIP

--> cht-sthk.exe

[DETECTION] Is the TR/Horse.ACH Trojan

[NOTE] The file was moved to '49cb4a44.qua'!

C:\Documents and Settings\Igo\Mijn documenten\Zooi\Setups\UltimateNickpopupz2004.exe

[DETECTION] Is the TR/Flood.VB.IF Trojan

[NOTE] The file was moved to '49eb4b4e.qua'!

C:\Program Files\ESET\infected\1GSZBBDA.NQF

[0] Archive type: HIDDEN

--> FIL\\\?\C:\Program Files\ESET\infected\1GSZBBDA.NQF

[DETECTION] Contains code of the W32/Almanahe.B Windows virus

[NOTE] The file was moved to '49ca56f3.qua'!

C:\Program Files\ESET\infected\1V2YKFDA.NQF

[0] Archive type: HIDDEN

--> FIL\\\?\C:\Program Files\ESET\infected\1V2YKFDA.NQF

[DETECTION] Contains code of the W32/Almanahe.B Windows virus

[NOTE] The file was moved to '49a95703.qua'!

C:\Program Files\ESET\infected\1ZBR2HBA.NQF

[0] Archive type: HIDDEN

--> FIL\\\?\C:\Program Files\ESET\infected\1ZBR2HBA.NQF

[DETECTION] Contains code of the W32/Almanahe.B Windows virus

[NOTE] The file was moved to '49b9570b.qua'!

C:\Program Files\ESET\infected\25LTTRDA.NQF

[0] Archive type: HIDDEN

--> FIL\\\?\C:\Program Files\ESET\infected\25LTTRDA.NQF

[DETECTION] Contains code of the W32/Almanahe.B Windows virus

[NOTE] The file was moved to '49c356e8.qua'!

C:\Program Files\ESET\infected\2WZYTLBA.NQF

[0] Archive type: HIDDEN

--> FIL\\\?\C:\Program Files\ESET\infected\2WZYTLBA.NQF

[DETECTION] Contains code of the W32/Almanahe.B Windows virus

[NOTE] The file was moved to '49d1570a.qua'!

C:\Program Files\ESET\infected\3PQFVGDA.NQF

[0] Archive type: HIDDEN

--> FIL\\\?\C:\Program Files\ESET\infected\3PQFVGDA.NQF

[DETECTION] Contains code of the W32/Almanahe.B Windows virus

[NOTE] The file was moved to '49c85706.qua'!

C:\Program Files\ESET\infected\3SDRGWCA.NQF

[0] Archive type: HIDDEN

--> FIL\\\?\C:\Program Files\ESET\infected\3SDRGWCA.NQF

[DETECTION] Contains code of the W32/Almanahe.B Windows virus

[NOTE] The file was moved to '49bb5709.qua'!

C:\Program Files\ESET\infected\3UZ4V1BA.NQF

[0] Archive type: HIDDEN

--> FIL\\\?\C:\Program Files\ESET\infected\3UZ4V1BA.NQF

[DETECTION] Contains code of the W32/Almanahe.B Windows virus

[NOTE] The file was moved to '49d1570c.qua'!

C:\Program Files\ESET\infected\3VWWLQCA.NQF

[0] Archive type: HIDDEN

--> FIL\\\?\C:\Program Files\ESET\infected\3VWWLQCA.NQF

[DETECTION] Contains code of the W32/Almanahe.B Windows virus

[NOTE] The file was moved to '49ce570e.qua'!

C:\Program Files\ESET\infected\4CNHBHBA.NQF

[0] Archive type: HIDDEN

--> FIL\\\?\C:\Program Files\ESET\infected\4CNHBHBA.NQF

[DETECTION] Contains code of the W32/Almanahe.B Windows virus

[NOTE] The file was moved to '49c55701.qua'!

C:\Program Files\ESET\infected\4DPEQMCA.NQF

[0] Archive type: HIDDEN

--> FIL\\\?\C:\Program Files\ESET\infected\4DPEQMCA.NQF

[DETECTION] Contains code of the W32/Almanahe.B Windows virus

[NOTE] The file was moved to '49c75702.qua'!

C:\Program Files\ESET\infected\4YBLAUDA.NQF

[0] Archive type: HIDDEN

--> FIL\\\?\C:\Program Files\ESET\infected\4YBLAUDA.NQF

[DETECTION] Contains code of the W32/Almanahe.B Windows virus

[NOTE] The file was moved to '49b95718.qua'!

C:\Program Files\ESET\infected\54UVHYCA.NQF

[0] Archive type: HIDDEN

--> FIL\\\?\C:\Program Files\ESET\infected\54UVHYCA.NQF

[DETECTION] Contains code of the W32/Almanahe.B Windows virus

[NOTE] The file was moved to '49cc56f3.qua'!

C:\Program Files\ESET\infected\5VZ545BA.NQF

[0] Archive type: HIDDEN

--> FIL\\\?\C:\Program Files\ESET\infected\5VZ545BA.NQF

[DETECTION] Contains code of the W32/Almanahe.B Windows virus

[NOTE] The file was moved to '49d15716.qua'!

C:\Program Files\ESET\infected\5XWW2RCA.NQF

[0] Archive type: HIDDEN

--> FIL\\\?\C:\Program Files\ESET\infected\5XWW2RCA.NQF

[DETECTION] Contains code of the W32/Almanahe.B Windows virus

[NOTE] The file was moved to '49ce5718.qua'!

C:\Program Files\ESET\infected\A540CCBA.NQF

[0] Archive type: HIDDEN

--> FIL\\\?\C:\Program Files\ESET\infected\A540CCBA.NQF

[DETECTION] Contains code of the W32/Almanahe.B Windows virus

[NOTE] The file was moved to '49ab56f5.qua'!

C:\Program Files\ESET\infected\AQGVJHDA.NQF

[0] Archive type: HIDDEN

--> FIL\\\?\C:\Program Files\ESET\infected\AQGVJHDA.NQF

[DETECTION] Contains code of the W32/Almanahe.B Windows virus

[NOTE] The file was moved to '49be5712.qua'!

C:\Program Files\ESET\infected\BRVWDRAA.NQF

[0] Archive type: HIDDEN

--> FIL\\\?\C:\Program Files\ESET\infected\BRVWDRAA.NQF

[DETECTION] Contains code of the W32/Almanahe.B Windows virus

[NOTE] The file was moved to '49cd5713.qua'!

C:\Program Files\ESET\infected\C1KL0IBA.NQF

[0] Archive type: HIDDEN

--> FIL\\\?\C:\Program Files\ESET\infected\C1KL0IBA.NQF

[DETECTION] Is the TR/Crypt.GU.19 Trojan

[NOTE] The file was moved to '49c256f6.qua'!

C:\Program Files\ESET\infected\CJIQUSBA.NQF

[0] Archive type: HIDDEN

--> FIL\\\?\C:\Program Files\ESET\infected\CJIQUSBA.NQF

[DETECTION] Contains code of the W32/Almanahe.B Windows virus

[NOTE] The file was moved to '49c0570f.qua'!

C:\Program Files\ESET\infected\DFXXT0CA.NQF

[0] Archive type: HIDDEN

--> FIL\\\?\C:\Program Files\ESET\infected\DFXXT0CA.NQF

[DETECTION] Contains code of the W32/Almanahe.B Windows virus

[NOTE] The file was moved to '49cf570c.qua'!

C:\Program Files\ESET\infected\DRDOAIDA.NQF

[0] Archive type: HIDDEN

--> FIL\\\?\C:\Program Files\ESET\infected\DRDOAIDA.NQF

[DETECTION] Contains code of the W32/Almanahe.B Windows virus

[NOTE] The file was moved to '49bb5718.qua'!

C:\Program Files\ESET\infected\FUUOVJCA.NQF

[0] Archive type: HIDDEN

--> FIL\\\?\C:\Program Files\ESET\infected\FUUOVJCA.NQF

[DETECTION] Contains code of the W32/Almanahe.B Windows virus

[NOTE] The file was moved to '49cc571c.qua'!

C:\Program Files\ESET\infected\G53OBJBA.NQF

[0] Archive type: HIDDEN

--> FIL\\\?\C:\Program Files\ESET\infected\G53OBJBA.NQF

[DETECTION] Contains code of the W32/Almanahe.B Windows virus

[NOTE] The file was moved to '49aa56fc.qua'!

C:\Program Files\ESET\infected\GIPMDJBA.NQF

[0] Archive type: HIDDEN

--> FIL\\\?\C:\Program Files\ESET\infected\GIPMDJBA.NQF

[DETECTION] Contains code of the W32/Almanahe.B Windows virus

[NOTE] The file was moved to '49c75711.qua'!

C:\Program Files\ESET\infected\HANIATCA.NQF

[0] Archive type: HIDDEN

--> FIL\\\?\C:\Program Files\ESET\infected\HANIATCA.NQF

[DETECTION] Contains code of the W32/Almanahe.B Windows virus

[NOTE] The file was moved to '49c5570a.qua'!

C:\Program Files\ESET\infected\HIP5K3DA.NQF

[0] Archive type: HIDDEN

--> FIL\\\?\C:\Program Files\ESET\infected\HIP5K3DA.NQF

[DETECTION] Contains code of the W32/Almanahe.B Windows virus

[NOTE] The file was moved to '49c75712.qua'!

C:\Program Files\ESET\infected\HITDKRDA.NQF

[0] Archive type: HIDDEN

--> FIL\\\?\C:\Program Files\ESET\infected\HITDKRDA.NQF

[DETECTION] Contains code of the W32/Almanahe.B Windows virus

[NOTE] The file was moved to '49cb5712.qua'!

C:\Program Files\ESET\infected\HZQ1K1CA.NQF

[0] Archive type: HIDDEN

--> FIL\\\?\C:\Program Files\ESET\infected\HZQ1K1CA.NQF

[DETECTION] Contains code of the W32/Almanahe.B Windows virus

[NOTE] The file was moved to '49c85724.qua'!

C:\Program Files\ESET\infected\IMCAOFCA.NQF

[0] Archive type: HIDDEN

--> FIL\\\?\C:\Program Files\ESET\infected\IMCAOFCA.NQF

[DETECTION] Contains code of the W32/Almanahe.B Windows virus

[NOTE] The file was moved to '49ba5717.qua'!

C:\Program Files\ESET\infected\J0G0MOCA.NQF

[0] Archive type: HIDDEN

--> FIL\\\?\C:\Program Files\ESET\infected\J0G0MOCA.NQF

[DETECTION] Contains code of the W32/Almanahe.B Windows virus

[NOTE] The file was moved to '49be56fa.qua'!

C:\Program Files\ESET\infected\JUPAS5CA.NQF

[0] Archive type: HIDDEN

--> FIL\\\?\C:\Program Files\ESET\infected\JUPAS5CA.NQF

[DETECTION] Contains code of the W32/Almanahe.B Windows virus

[NOTE] The file was moved to '49c75720.qua'!

C:\Program Files\ESET\infected\KC4DWGAA.NQF

[0] Archive type: HIDDEN

--> FIL\\\?\C:\Program Files\ESET\infected\KC4DWGAA.NQF

[DETECTION] Contains code of the W32/Almanahe.B Windows virus

[NOTE] The file was moved to '49ab570f.qua'!

C:\Program Files\ESET\infected\KN0XUUCA.NQF

[0] Archive type: HIDDEN

--> FIL\\\?\C:\Program Files\ESET\infected\KN0XUUCA.NQF

[DETECTION] Contains code of the W32/Almanahe.B Windows virus

[NOTE] The file was moved to '49a7571a.qua'!

C:\Program Files\ESET\infected\KWGXJKAA.NQF

[0] Archive type: HIDDEN

--> FIL\\\?\C:\Program Files\ESET\infected\KWGXJKAA.NQF

[DETECTION] Contains code of the W32/Almanahe.B Windows virus

[NOTE] The file was moved to '49be5724.qua'!

C:\Program Files\ESET\infected\L0ADVUAA.NQF

[0] Archive type: HIDDEN

--> FIL\\\?\C:\Program Files\ESET\infected\L0ADVUAA.NQF

[DETECTION] Contains code of the W32/Almanahe.B Windows virus

[NOTE] The file was moved to '49b856fd.qua'!

C:\Program Files\ESET\infected\LMYGNSDA.NQF

[0] Archive type: HIDDEN

--> FIL\\\?\C:\Program Files\ESET\infected\LMYGNSDA.NQF

[DETECTION] Contains code of the W32/Almanahe.B Windows virus

[NOTE] The file was moved to '49d0571b.qua'!

C:\Program Files\ESET\infected\LR1K4RAA.NQF

[0] Archive type: HIDDEN

--> FIL\\\?\C:\Program Files\ESET\infected\LR1K4RAA.NQF

[DETECTION] Is the TR/PSW.Stealer.NA.1 Trojan

[NOTE] The file was moved to '49a85720.qua'!

C:\Program Files\ESET\infected\LUTPJKBA.NQF

[0] Archive type: HIDDEN

--> FIL\\\?\C:\Program Files\ESET\infected\LUTPJKBA.NQF

[DETECTION] Contains code of the W32/Almanahe.B Windows virus

[NOTE] The file was moved to '49cb5724.qua'!

C:\Program Files\ESET\infected\M2EXK4DA.NQF

[0] Archive type: HIDDEN

--> FIL\\\?\C:\Program Files\ESET\infected\M2EXK4DA.NQF

[DETECTION] Contains code of the W32/Almanahe.B Windows virus

[NOTE] The file was moved to '49bc5701.qua'!

C:\Program Files\ESET\infected\MBEGCDCA.NQF

[0] Archive type: HIDDEN

--> FIL\\\?\C:\Program Files\ESET\infected\MBEGCDCA.NQF

[DETECTION] Contains code of the W32/Almanahe.B Windows virus

[NOTE] The file was moved to '49bc5711.qua'!

C:\Program Files\ESET\infected\MZPT13CA.NQF

[0] Archive type: HIDDEN

--> FIL\\\?\C:\Program Files\ESET\infected\MZPT13CA.NQF

[DETECTION] Contains code of the W32/Almanahe.B Windows virus

[NOTE] The file was moved to '49c7572a.qua'!

C:\Program Files\ESET\infected\N3JEGFCA.NQF

[0] Archive type: HIDDEN

--> FIL\\\?\C:\Program Files\ESET\infected\N3JEGFCA.NQF

[DETECTION] Contains code of the W32/Almanahe.B Windows virus

[NOTE] The file was moved to '49c15703.qua'!

C:\Program Files\ESET\infected\NDTVROAA.NQF

[0] Archive type: HIDDEN

--> FIL\\\?\C:\Program Files\ESET\infected\NDTVROAA.NQF

[DETECTION] Contains code of the W32/Almanahe.B Windows virus

[NOTE] The file was moved to '49cb5714.qua'!

C:\Program Files\ESET\infected\NPB0V5DA.NQF

[0] Archive type: HIDDEN

--> FIL\\\?\C:\Program Files\ESET\infected\NPB0V5DA.NQF

[DETECTION] Contains code of the W32/Almanahe.B Windows virus

[NOTE] The file was moved to '49b95721.qua'!

C:\Program Files\ESET\infected\O0IGRZCA.NQF

[0] Archive type: HIDDEN

--> FIL\\\?\C:\Program Files\ESET\infected\O0IGRZCA.NQF

[DETECTION] Contains code of the W32/Almanahe.B Windows virus

[NOTE] The file was moved to '49c05702.qua'!

C:\Program Files\ESET\infected\O0IL12BA.NQF

[0] Archive type: HIDDEN

--> FIL\\\?\C:\Program Files\ESET\infected\O0IL12BA.NQF

[DETECTION] Contains code of the W32/Almanahe.B Windows virus

[NOTE] The file was moved to '484236e3.qua'!

C:\Program Files\ESET\infected\PXB1S5CA.NQF

[0] Archive type: HIDDEN

--> FIL\\\?\C:\Program Files\ESET\infected\PXB1S5CA.NQF

[DETECTION] Contains code of the W32/Almanahe.B Windows virus

[NOTE] The file was moved to '49b9572a.qua'!

C:\Program Files\ESET\infected\RLEHAABA.NQF

[0] Archive type: HIDDEN

--> FIL\\\?\C:\Program Files\ESET\infected\RLEHAABA.NQF

[DETECTION] Contains code of the W32/Almanahe.B Windows virus

[NOTE] The file was moved to '49bc5729.qua'!

C:\Program Files\ESET\infected\RXMK2KBA.NQF

[0] Archive type: HIDDEN

--> FIL\\\?\C:\Program Files\ESET\infected\RXMK2KBA.NQF

[DETECTION] Contains code of the W32/Almanahe.B Windows virus

[NOTE] The file was moved to '49c45736.qua'!

C:\Program Files\ESET\infected\SBLRCSAA.NQF

[0] Archive type: HIDDEN

--> FIL\\\?\C:\Program Files\ESET\infected\SBLRCSAA.NQF

[DETECTION] Contains code of the W32/Almanahe.B Windows virus

[NOTE] The file was moved to '49c35722.qua'!

C:\Program Files\ESET\infected\SL4IKWBA.NQF

[0] Archive type: HIDDEN

--> FIL\\\?\C:\Program Files\ESET\infected\SL4IKWBA.NQF

[DETECTION] Contains code of the W32/Almanahe.B Windows virus

[NOTE] The file was moved to '49ab572d.qua'!

C:\Program Files\ESET\infected\SMIEUNAA.NQF

[0] Archive type: HIDDEN

--> FIL\\\?\C:\Program Files\ESET\infected\SMIEUNAA.NQF

[DETECTION] Contains code of the W32/Almanahe.B Windows virus

[NOTE] The file was moved to '49c0572e.qua'!

C:\Program Files\ESET\infected\TDW2R0DA.NQF

[0] Archive type: HIDDEN

--> FIL\\\?\C:\Program Files\ESET\infected\TDW2R0DA.NQF

[DETECTION] Contains code of the W32/Almanahe.B Windows virus

[NOTE] The file was moved to '49ce5725.qua'!

C:\Program Files\ESET\infected\TGDM3IAA.NQF

[0] Archive type: HIDDEN

--> FIL\\\?\C:\Program Files\ESET\infected\TGDM3IAA.NQF

[DETECTION] Contains code of the W32/Almanahe.B Windows virus

[NOTE] The file was moved to '49bb5729.qua'!

C:\Program Files\ESET\infected\TW0RKODA.NQF

[0] Archive type: HIDDEN

--> FIL\\\?\C:\Program Files\ESET\infected\TW0RKODA.NQF

[DETECTION] Contains code of the W32/Almanahe.B Windows virus

[NOTE] The file was moved to '49a7573a.qua'!

C:\Program Files\ESET\infected\TYRTXLBA.NQF

[0] Archive type: HIDDEN

--> FIL\\\?\C:\Program Files\ESET\infected\TYRTXLBA.NQF

[DETECTION] Contains code of the W32/Almanahe.B Windows virus

[NOTE] The file was moved to '49c9573c.qua'!

C:\Program Files\ESET\infected\UQCLDKBA.NQF

[0] Archive type: HIDDEN

--> FIL\\\?\C:\Program Files\ESET\infected\UQCLDKBA.NQF

[DETECTION] Contains code of the W32/Almanahe.B Windows virus

[NOTE] The file was moved to '49ba5735.qua'!

C:\Program Files\ESET\infected\VIB1ORDA.NQF

[0] Archive type: HIDDEN

--> FIL\\\?\C:\Program Files\ESET\infected\VIB1ORDA.NQF

[DETECTION] Contains code of the W32/Almanahe.B Windows virus

[NOTE] The file was moved to '49b9572e.qua'!

C:\Program Files\ESET\infected\VJQLUPBA.NQF

[0] Archive type: HIDDEN

--> FIL\\\?\C:\Program Files\ESET\infected\VJQLUPBA.NQF

[DETECTION] Contains code of the W32/Almanahe.B Windows virus

[NOTE] The file was moved to '49c8572f.qua'!

C:\Program Files\ESET\infected\WGT2XWBA.NQF

[0] Archive type: HIDDEN

--> FIL\\\?\C:\Program Files\ESET\infected\WGT2XWBA.NQF

[DETECTION] Contains code of the W32/Almanahe.B Windows virus

[NOTE] The file was moved to '49cb572d.qua'!

C:\Program Files\ESET\infected\WHKBERDA.NQF

[0] Archive type: HIDDEN

--> FIL\\\?\C:\Program Files\ESET\infected\WHKBERDA.NQF

[DETECTION] Contains code of the W32/Almanahe.B Windows virus

[NOTE] The file was moved to '49c2572e.qua'!

C:\Program Files\ESET\infected\XCVIGWAA.NQF

[0] Archive type: HIDDEN

--> FIL\\\?\C:\Program Files\ESET\infected\XCVIGWAA.NQF

[DETECTION] Contains code of the W32/Almanahe.B Windows virus

[NOTE] The file was moved to '49cd572a.qua'!

C:\Program Files\ESET\infected\XDRKCZAA.NQF

[0] Archive type: HIDDEN

--> FIL\\\?\C:\Program Files\ESET\infected\XDRKCZAA.NQF

[DETECTION] Contains code of the W32/Almanahe.B Windows virus

[NOTE] The file was moved to '49c9572c.qua'!

C:\Program Files\ESET\infected\XIF2ALCA.NQF

[0] Archive type: HIDDEN

--> FIL\\\?\C:\Program Files\ESET\infected\XIF2ALCA.NQF

[DETECTION] Contains code of the W32/Almanahe.B Windows virus

[NOTE] The file was moved to '49bd5731.qua'!

C:\Program Files\ESET\infected\Y3XPIADA.NQF

[0] Archive type: HIDDEN

--> FIL\\\?\C:\Program Files\ESET\infected\Y3XPIADA.NQF

[DETECTION] Contains code of the W32/Almanahe.B Windows virus

[NOTE] The file was moved to '49cf571c.qua'!

C:\Program Files\ESET\infected\YGGHGVBA.NQF

[0] Archive type: HIDDEN

--> FIL\\\?\C:\Program Files\ESET\infected\YGGHGVBA.NQF

[DETECTION] Contains code of the W32/Almanahe.B Windows virus

[NOTE] The file was moved to '49be5730.qua'!

C:\Program Files\ESET\infected\YXPIGHDA.NQF

[0] Archive type: HIDDEN

--> FIL\\\?\C:\Program Files\ESET\infected\YXPIGHDA.NQF

[DETECTION] Contains code of the W32/Almanahe.B Windows virus

[NOTE] The file was moved to '49c75741.qua'!

C:\Program Files\ESET\infected\YYYRGWBA.NQF

[0] Archive type: HIDDEN

--> FIL\\\?\C:\Program Files\ESET\infected\YYYRGWBA.NQF

[DETECTION] Contains code of the W32/Almanahe.B Windows virus

[NOTE] The file was moved to '49d05743.qua'!

C:\Program Files\ESET\infected\ZFMIT5CA.NQF

[0] Archive type: HIDDEN

--> FIL\\\?\C:\Program Files\ESET\infected\ZFMIT5CA.NQF

[DETECTION] Contains code of the W32/Almanahe.B Windows virus

[NOTE] The file was moved to '49c45730.qua'!

C:\Program Files\ESET\infected\ZH1EZBDA.NQF

[0] Archive type: HIDDEN

--> FIL\\\?\C:\Program Files\ESET\infected\ZH1EZBDA.NQF

[DETECTION] Contains code of the W32/Almanahe.B Windows virus

[NOTE] The file was moved to '49a85732.qua'!

C:\Program Files\ESET\infected\ZIYXW2BA.NQF

[0] Archive type: HIDDEN

--> FIL\\\?\C:\Program Files\ESET\infected\ZIYXW2BA.NQF

[DETECTION] Contains code of the W32/Almanahe.B Windows virus

[NOTE] The file was moved to '49d05734.qua'!

C:\Program Files\ESET\infected\ZVDEHIDA.NQF

[0] Archive type: HIDDEN

--> FIL\\\?\C:\Program Files\ESET\infected\ZVDEHIDA.NQF

[DETECTION] Contains code of the W32/Almanahe.B Windows virus

[NOTE] The file was moved to '49bb5743.qua'!

C:\WINDOWS\system32\mi1.exe

[DETECTION] Contains recognition pattern of the DR/Softomate.E.8 dropper

[NOTE] The file was moved to '49a869ff.qua'!

C:\WINDOWS\system32\drivers\atapi.sys

[WARNING] The file could not be opened!

C:\WINDOWS\system32\drivers\sptd.sys

[WARNING] The file could not be opened!

Begin scan in 'F:\' <Igo's Externe Harde Schijf>

F:\Images\Autocad 2009\x86\Content\ADT_Base\templates.cab

[0] Archive type: CAB (Microsoft)

--> Evaluation Templates\Space Evaluation Template.txt

[WARNING] No further files can be extracted from this archive. The archive will be closed

F:\Images\Autocad 2009\x86\support\DirectX\dxdllreg_x86.cab

[0] Archive type: CAB (Microsoft)

--> dxdllreg_x86.inf

[WARNING] No further files can be extracted from this archive. The archive will be closed

F:\Images\Autocad 2009\x86\support\DirectX\dxnt.cab

[0] Archive type: CAB (Microsoft)

--> ddraw.dll

[WARNING] No further files can be extracted from this archive. The archive will be closed

F:\Images\C&C Generals\Generals Tools\EA.Games.Multi.Keygen.exe

[DETECTION] Contains a recognition pattern of the (harmful) BDS/IRCBot.CBV back-door program

[NOTE] The file was moved to '49a56f20.qua'!

F:\System Volume Information\_restore{5B23268E-DF89-40AB-8589-61183501AD30}\RP422\A0053331.exe

[DETECTION] Contains a recognition pattern of the (harmful) BDS/IRCBot.CBV back-door program

[NOTE] The file was moved to '49a76f79.qua'!

F:\System Volume Information\_restore{66A1FEC3-0AEE-4977-9244-EE256444359D}\RP2\A0000207.exe

[DETECTION] Is the TR/Flood.VB.IF Trojan

[NOTE] The file was moved to '49a76f96.qua'!

F:\System Volume Information\_restore{66A1FEC3-0AEE-4977-9244-EE256444359D}\RP4\A0000836.exe

[DETECTION] Is the TR/ATRAPS.Gen Trojan

[NOTE] The file was moved to '49a76fae.qua'!

F:\System Volume Information\_restore{B5F0783A-14B9-42CF-AE4E-8A4DBE6BE39D}\RP188\A0060749.exe

[0] Archive type: RSRC

--> Object

[1] Archive type: CAB (Microsoft)

--> install.res.1049.dll

[WARNING] No further files can be extracted from this archive. The archive will be closed

F:\System Volume Information\_restore{B5F0783A-14B9-42CF-AE4E-8A4DBE6BE39D}\RP188\A0060750.exe

[0] Archive type: RSRC

--> Object

[1] Archive type: CAB (Microsoft)

--> netfx.bmp

[WARNING] No further files can be extracted from this archive. The archive will be closed

F:\System Volume Information\_restore{B5F0783A-14B9-42CF-AE4E-8A4DBE6BE39D}\RP188\A0060756.exe

[0] Archive type: RSRC

--> Object

[1] Archive type: CAB (Microsoft)

--> install.res.1038.dll

[WARNING] No further files can be extracted from this archive. The archive will be closed

F:\Zooi\PokerOffice\bin\PokerHook.dll

[DETECTION] Is the TR/Spy.Gen Trojan

[NOTE] The file was moved to '49e273c2.qua'!

F:\Zooi\PokerOffice\pn\pn.exe

[WARNING] The file could not be opened!

F:\Zooi\Troep Laptop\pztrain.exe

[DETECTION] Is the TR/Crypt.MWPM.Gen Trojan

[NOTE] The file was moved to '49eb7427.qua'!

F:\Zooi\XpThemes\dido\views\Views.zip

[0] Archive type: ZIP

--> Views/viewgui.exe

[DETECTION] Is the TR/Crypt.ULPM.Gen Trojan

--> Views/views.zip

[1] Archive type: ZIP

--> views.exe

[DETECTION] Is the TR/Crypt.ULPM.Gen Trojan

[NOTE] The file was moved to '49dc7438.qua'!

F:\Zooi\XpThemes\TomTom\TOMTOMOS-Install.zip

[0] Archive type: ZIP

--> TOMTOMOS-Install/6-Views/Views.zip

[1] Archive type: ZIP

--> Views/viewgui.exe

[DETECTION] Is the TR/Crypt.ULPM.Gen Trojan

--> Views/views.zip

[2] Archive type: ZIP

--> views.exe

[DETECTION] Is the TR/Crypt.ULPM.Gen Trojan

[NOTE] The file was moved to '49c47445.qua'!

End of the scan: woensdag 21 januari 2009 20:14

Used time: 4:22:07 Hour(s)

The scan has been done completely.

15152 Scanning directories

792233 Files were scanned

86 viruses and/or unwanted programs were found

0 Files were classified as suspicious:

0 files were deleted

0 files were repaired

84 files were moved to quarantine

0 files were renamed

4 Files cannot be scanned

792143 Files not concerned

3183 Archives were scanned

10 Warnings

84 Notes

The Anti-Malware log:

Malwarebytes' Anti-Malware 1.33

Database versie: 1674

Windows 5.1.2600 Service Pack 3

22-1-2009 19:31:15

mbam-log-2009-01-22 (19-31-15).txt

Scan type: Volledige Scan (C:\|F:\|)

Objecten gescand: 277646

Verstreken tijd: 6 hour(s), 18 minute(s), 19 second(s)

Geheugenprocessen ge

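A report this long is easier to read once it is reduced to counts: which drives the file scan actually covered, how many detections each drive produced, which signature names recur, and which files the scanner could not open. The following Python script is an added example written for this thread, not code from the forum, from Avira or from any poster; it parses the record layout used in the AntiVir report above (a path line, optional "[n] Archive type" and "-->" member lines, then "[DETECTION]", "[NOTE]" and "[WARNING]" lines). The sample report embedded in it is constructed: the paths and quarantine ids are placeholders, only the signature names are taken from the thread.

```python
"""Summarise the file-scan section of an Avira AntiVir report.

Added example for this thread, not code from the forum or from Avira. It
reads the record layout of the pasted report (a path line, optional
"[n] Archive type" and "-->" member lines, then "[DETECTION]", "[NOTE]"
or "[WARNING]" lines) and reports drives scanned, detections per drive,
recurring signature names, quarantined files and unreadable files.
"""
import re
from collections import Counter

# Signature names look like TR/Horse.ACH, W32/Almanahe.B or BDS/IRCBot.CBV:
# short upper-case prefix, slash, dotted family/variant name.
SIGNATURE_RE = re.compile(r"\b([A-Z][A-Z0-9]{1,4}/[A-Za-z0-9.\-]+)")
BEGIN_RE = re.compile(r"^Begin scan in '([A-Za-z]:\\)'")
PATH_RE = re.compile(r"^[A-Za-z]:\\")  # a top-level path line starts a record


def parse_report(text):
    """Return {'drives': [...], 'records': [...]} for the file-scan part of a report."""
    drives, records, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                      # pasted logs often have blank lines between entries
            continue
        m = BEGIN_RE.match(line)
        if m:                             # "Begin scan in 'X:\'" marks the drive being scanned
            drives.append(m.group(1))
            continue
        if PATH_RE.match(line):           # new record, attributed to the current drive
            current = {"path": line, "drive": drives[-1] if drives else None,
                       "members": [], "detections": [],
                       "quarantined": False, "unreadable": False}
            records.append(current)
            continue
        if current is None:               # header lines before the first record
            continue
        if line.startswith("-->"):        # member of an archive (or of a hidden container)
            current["members"].append(line[3:].strip())
        elif line.startswith("[DETECTION]"):
            m = SIGNATURE_RE.search(line)
            current["detections"].append(m.group(1) if m else line)
        elif line.startswith("[NOTE]") and ".qua" in line:
            current["quarantined"] = True
        elif line.startswith("[WARNING]") and "could not be opened" in line:
            current["unreadable"] = True
    return {"drives": drives, "records": records}


def summarise(parsed):
    """Count detections per drive and per signature; list quarantined and unreadable files."""
    per_drive = Counter({d: 0 for d in parsed["drives"]})  # drives with 0 hits still show up
    signatures = Counter()
    quarantined, unreadable = 0, []
    for r in parsed["records"]:
        per_drive[r["drive"]] += len(r["detections"])   # one archive may hold several hits
        signatures.update(r["detections"])
        if r["quarantined"]:
            quarantined += 1                             # counted per file, not per detection
        if r["unreadable"]:
            unreadable.append(r["path"])
    return {"per_drive": dict(per_drive), "signatures": dict(signatures),
            "quarantined": quarantined, "unreadable": unreadable}


# Constructed sample in the report's layout: placeholder paths and quarantine
# ids, signature names as they appear in the thread.
SAMPLE_REPORT = r"""
Begin scan in 'C:\'
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\Documents and Settings\User\Downloads\cheats.zip
[0] Archive type: ZIP
--> cht.exe
[DETECTION] Is the TR/Horse.ACH Trojan
[NOTE] The file was moved to '00000001.qua'!
C:\Program Files\ESET\infected\EXAMPLE1.NQF
[0] Archive type: HIDDEN
--> FIL\\\?\C:\Program Files\ESET\infected\EXAMPLE1.NQF
[DETECTION] Contains code of the W32/Almanahe.B Windows virus
[NOTE] The file was moved to '00000002.qua'!
Begin scan in 'F:\' <External disk>
F:\Tools\unknown-tool.exe
[DETECTION] Contains a recognition pattern of the (harmful) BDS/IRCBot.CBV back-door program
[NOTE] The file was moved to '00000003.qua'!
F:\Themes\Views.zip
[0] Archive type: ZIP
--> Views/viewgui.exe
[DETECTION] Is the TR/Crypt.ULPM.Gen Trojan
--> Views/views.zip
[1] Archive type: ZIP
--> views.exe
[DETECTION] Is the TR/Crypt.ULPM.Gen Trojan
[NOTE] The file was moved to '00000004.qua'!
"""

if __name__ == "__main__":
    for key, value in summarise(parse_report(SAMPLE_REPORT)).items():
        print(f"{key}: {value}")
```

Detections and quarantined files are counted separately on purpose: an archive with two infected members produces two detection lines but a single quarantine note, which is exactly why the real report above ends with 86 detections against 84 quarantined files. When reading that report it is also worth separating the .NQF hits under C:\Program Files\ESET\infected, which is NOD32's own quarantine store, from the rest: those are copies the first scanner had already isolated being re-detected by the second, not additional live infections, whereas the entries under F:\ and in F:\System Volume Information are what the external drive actually carried.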

Something that I forgot to say in the opening post was that when I did the scan with Malwarebytes' Anti-Malware (both a quick and a complete scan) it could not find any malware on my computer or external hard drive. I'm not sure if the external hard drive was actually scanned, but I assume it was, because I could not find anywhere to select drives.

Anyway, the virus is getting really annoying and I'm pretty desperate in trying to get rid of it. Formatting the drive would not work for me, because I do not want to lose the files. Please help!


  • Root Admin

Please do not use any Quote or Code tags when posting. Just copy/paste all logs unless otherwise requested.

Please visit this webpage for instructions for downloading ComboFix to your DESKTOP: how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

NOTE!!: You must save and run ComboFix.exe on your DESKTOP and not from any other folder.

Also, DO NOT click the mouse or launch any other applications while this is running or it may stall the program.

Additional links to download the tool:

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.
  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.


First of all, thank you very much for your help so far! Sorry that I posted in code boxes; I was unaware of that.

Here are the ComboFix log and the HijackThis log and I hope it will provide sufficient information:

ComboFix 09-01-21.04 - Igo 2009-01-27 21:11:40.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1043.18.1023.633 [GMT 1:00]

Gestart vanuit: c:\documents and settings\Igo\Bureaublad\ComboFix.exe

AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)

AV: ESET NOD32 antivirus systeem 2.70 *On-access scanning enabled* (Updated)

* New restore point was created

* Resident AV is active

.

(((((((((((((((((((( Files Created from 2008-12-27 to 2009-01-27 ))))))))))))))))))))))))))))))

.

2009-01-25 13:30 . 2009-01-25 13:30 <DIR> d-------- c:\program files\Trend Micro

2009-01-24 22:31 . 2009-01-24 22:31 10 --a------ c:\windows\VDFN.bkm

2009-01-21 15:51 . 2009-01-21 15:51 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2009-01-21 15:51 . 2009-01-21 15:51 <DIR> d-------- c:\documents and settings\Igo\Application Data\Malwarebytes

2009-01-21 15:51 . 2009-01-21 15:51 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-01-21 15:51 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2009-01-21 15:51 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2009-01-20 21:29 . 2009-01-20 21:29 <DIR> d-------- c:\program files\Avira

2009-01-20 21:29 . 2009-01-20 21:29 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira

2009-01-20 18:22 . 2009-01-20 18:22 <DIR> d-------- c:\documents and settings\Igo\Application Data\dvdcss

2009-01-16 16:48 . 2009-01-16 16:48 <DIR> d-------- c:\program files\iPod

2009-01-16 16:47 . 2009-01-16 16:49 <DIR> d-------- c:\program files\iTunes

2009-01-16 16:47 . 2009-01-16 16:49 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}

2009-01-16 16:34 . 2009-01-16 16:36 <DIR> d-------- c:\program files\QuickTime

2009-01-16 16:28 . 2009-01-16 16:28 <DIR> d-------- c:\program files\Apple Software Update

2009-01-16 16:26 . 2009-01-16 16:48 <DIR> d-------- c:\program files\Common Files\Apple

2009-01-16 16:26 . 2009-01-16 16:26 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple

.

((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-01-27 19:49 --------- d-----w c:\documents and settings\Igo\Application Data\Skype

2009-01-27 15:03 --------- d-----w c:\documents and settings\Igo\Application Data\skypePM

2009-01-16 15:39 --------- d-----w c:\program files\Bonjour

2009-01-16 13:57 --------- d-----w c:\program files\Google

2008-12-27 18:42 --------- d--h--w c:\program files\InstallShield Installation Information

2008-12-19 21:44 410,984 ----a-w c:\windows\system32\deploytk.dll

2008-12-19 21:44 --------- d-----w c:\program files\Java

2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys

2008-12-02 16:36 --------- d-----w c:\program files\Common Files\Adobe

2008-11-30 11:53 --------- d-----w c:\program files\TVAnts

2008-11-29 15:55 --------- d-----w c:\program files\Camelsystem Power-Post

2008-11-27 16:32 --------- d-----w c:\program files\Overhoor

2008-09-15 10:15 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\Geschiedenis\History.IE5\MSHist012008091520080916\index.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legitimate default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-11-08 68856]

"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]

"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-11-07 21633320]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-19 136600]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-06-10 339968]

"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="c:\program files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe" [2005-07-15 479232]

"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-03-20 213936]

"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]

"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2008-04-14 172032]

"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 c:\windows\system32\bthprops.cpl]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"vidc.I420"= i420vfw.dll

"SENTINEL"= snti386.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^Adobe Reader Speed Launch.lnk]

path=c:\documents and settings\All Users\Menu Start\Programma's\Opstarten\Adobe Reader Speed Launch.lnk

backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^HP Digital Imaging Monitor.lnk]

path=c:\documents and settings\All Users\Menu Start\Programma's\Opstarten\HP Digital Imaging Monitor.lnk

backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Igo^Menu Start^Programma's^Opstarten^hamachi.lnk]

path=c:\documents and settings\Igo\Menu Start\Programma's\Opstarten\hamachi.lnk

backup=c:\windows\pss\hamachi.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Igo^Menu Start^Programma's^Opstarten^Webshots.lnk]

path=c:\documents and settings\Igo\Menu Start\Programma's\Opstarten\Webshots.lnk

backup=c:\windows\pss\Webshots.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

--a------ 2008-10-15 01:04 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]

--a------ 2007-05-16 09:27 153136 c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]

--a------ 2006-09-14 21:09 157592 c:\program files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]

--a------ 2006-11-13 17:34 1289000 c:\program files\Microsoft ActiveSync\wcescomm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]

--a------ 2005-05-11 22:12 49152 c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

--a------ 2008-11-20 13:20 290088 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

--a------ 2008-04-14 18:03 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

--a--c--- 2007-03-01 15:57 153136 c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nod32kui]

--a------ 2007-10-27 18:06 949376 c:\program files\ESET\nod32kui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\POEngine]

--a------ 2007-02-22 16:17 475136 c:\program files\PokerOffice\POEngine.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

--a------ 2008-11-04 10:30 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpriteService]

--a------ 2006-11-03 10:19 544768 c:\program files\Sprite Software\Sprite Backup\SpriteService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]

--a------ 2007-03-14 15:52 3770024 c:\program files\TomTom HOME\TomTomHOME.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"NOD32krn"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\PokerOffice\\bin\\javaw.exe"=

"c:\\Program Files\\InterVideo\\DVD8\\WinDVD.exe"=

"c:\\Program Files\\Hamachi\\hamachi.exe"=

"c:\\Program Files\\SopCast\\SopCast.exe"=

"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=

"c:\\Program Files\\Graphisoft\\ArchiCAD 11\\ArchiCAD.exe"=

"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager

"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager

"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

"c:\\Program Files\\Sprite Software\\Sprite Backup\\SpriteService.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [2007-10-27 15424]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{25661222-d642-11dc-b399-0012f04e9cf4}]

\Shell\AutoRun\command - G:\LaunchU3.exe -a

.

Contents of the 'Scheduled Tasks' folder

2009-01-26 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

.

- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-Acrobat Assistant 8 - c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

MSConfigStartUp-PCSuiteTrayApplication - c:\program files\Nokia\Nokia PC Suite 6\LaunchApplication.exe

MSConfigStartUp-VoipBuster - c:\program files\VoipBuster.com\VoipBuster\VoipBuster.exe

.

------- Supplementary Scan -------

.

uStart Page = hxxp://icanhascheezburger.com/

uInternet Settings,ProxyOverride = *.local

uInternet Settings,ProxyServer = 192.168.2.102:2144

IE: E&xporteren naar Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

IE: Post Image to Blog - c:\program files\ImageShackToolbar\ImageShackToolbar.dll/5003

IE: Tag This Image - c:\program files\ImageShackToolbar\ImageShackToolbar.dll/5002

IE: Transload Image to ImageShack - c:\program files\ImageShackToolbar\ImageShackToolbar.dll/5004

IE: Upload All Images to ImageShack - c:\program files\ImageShackToolbar\ImageShackToolbar.dll/5000

IE: Upload Image to ImageShack - c:\program files\ImageShackToolbar\ImageShackToolbar.dll/5001

LSP: c:\windows\system32\imon.dll

Trusted Zone: hanze.nl

TCP: {06D9A8EC-6FDB-49B5-BBFF-DAF7776F71AF} = 195.67.199.33,195.67.199.34

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-01-27 21:16:33

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\ؕ


  • Root Admin

Please remove ALL versions of Java unless you only have version 6 build 11

Did you set this Proxy setting yourself? If not then we need to remove it.

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.2.102:2144

Did you add this site as a Trusted site in IE?

O15 - Trusted Zone: http://*.hanze.nl

Did you set these DNS Server lists? If not we need to remove them.

O17 - HKLM\System\CCS\Services\Tcpip\..\{06D9A8EC-6FDB-49B5-BBFF-DAF7776F71AF}: NameServer = 195.67.199.33,195.67.199.34

O17 - HKLM\System\CS1\Services\Tcpip\..\{06D9A8EC-6FDB-49B5-BBFF-DAF7776F71AF}: NameServer = 195.67.199.33,195.67.199.34

O17 - HKLM\System\CS3\Services\Tcpip\..\{06D9A8EC-6FDB-49B5-BBFF-DAF7776F71AF}: NameServer = 195.67.199.33,195.67.199.34

Update and Scan with Malwarebytes' Anti-Malware

  • Start Malwarebytes' Anti-Malware (Vista users must right-click and choose Run As Admin).
  • Please DO NOT run MBAM in Safe Mode unless requested to; you MUST run it in normal Windows mode.
  • Update Malwarebytes' Anti-Malware: select the Update tab, then click Update.
  • When the update is complete, select the Scanner tab.
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
  • If you accidentally close it, the log file is saved here and will be named like this: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then RESTART the computer

AFTER the reboot, run HJT: do a system scan and save a logfile.

Then post back the NEW MBAM and HJT logs, in that order please.

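The three questions above (proxy server, IE trusted zone, DNS server list) are the standard triage of HijackThis R1/O15/O17 lines: each of those settings, if the user did not set it, lets someone else see or redirect the machine's traffic. The following is an added example for this thread, not HijackThis code and not something the helpers here ran. It parses the lines quoted above (embedded as a constructed sample) and compares them with what the user says they configured, so an unexpected proxy or a public resolver the user never chose stands out. The expected_* arguments are assumptions a responder fills in from the user's answers.

```python
"""Triage of HijackThis R1/O15/O17 lines: proxy, IE trusted zone, DNS servers.

Added example for this thread; not HijackThis code and not a tool the
thread's helpers used. The sample is constructed from the lines quoted above.
"""
import ipaddress
import re

# Constructed sample: the R1/O15/O17 entries the Root Admin quoted.
SAMPLE_HJT_LINES = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.2.102:2144
O15 - Trusted Zone: http://*.hanze.nl
O17 - HKLM\System\CCS\Services\Tcpip\..\{06D9A8EC-6FDB-49B5-BBFF-DAF7776F71AF}: NameServer = 195.67.199.33,195.67.199.34
O17 - HKLM\System\CS1\Services\Tcpip\..\{06D9A8EC-6FDB-49B5-BBFF-DAF7776F71AF}: NameServer = 195.67.199.33,195.67.199.34
"""

PROXY_RE = re.compile(r"^R1 - .*ProxyServer = (?P<proxy>\S+)")
TRUSTED_RE = re.compile(r"^O15 - Trusted Zone: (?P<zone>\S+)")
DNS_RE = re.compile(r"^O17 - (?P<key>[^:]+): NameServer = (?P<servers>\S+)")


def parse_hjt(text):
    """Collect proxies, trusted zones and a {registry key: [DNS servers]} map."""
    found = {"proxies": [], "trusted_zones": [], "dns": {}}
    for line in text.splitlines():
        m = PROXY_RE.match(line)
        if m:
            found["proxies"].append(m["proxy"])
            continue
        m = TRUSTED_RE.match(line)
        if m:
            found["trusted_zones"].append(m["zone"])
            continue
        m = DNS_RE.match(line)
        if m:
            found["dns"][m["key"]] = m["servers"].split(",")
    return found


def review(found, expected_proxy=None, expected_zones=(), expected_dns=()):
    """Compare what the log shows with what the user says they configured.

    Returns (severity, message) pairs. A proxy or DNS server the user did not
    set is the serious case: either one lets an attacker observe or redirect
    every connection, which is why the responder asks before removing them.
    """
    issues = []
    for proxy in found["proxies"]:
        if proxy != expected_proxy:
            issues.append(("high", f"proxy {proxy} not set by the user"))
    for zone in found["trusted_zones"]:
        if zone not in expected_zones:
            issues.append(("medium", f"IE trusted zone {zone} not added by the user"))
    for key, servers in found["dns"].items():
        for server in servers:
            if server in expected_dns:
                continue
            # A public resolver the user never chose is the classic DNS-changer sign;
            # a LAN address is more likely a router and gets a lower severity.
            public = ipaddress.ip_address(server).is_global
            issues.append(("high" if public else "medium",
                           f"DNS server {server} in {key} not set by the user"))
    return issues


if __name__ == "__main__":
    found = parse_hjt(SAMPLE_HJT_LINES)
    for severity, message in review(found):
        print(severity, message)
```

With no expectations supplied, every entry is reported; with the answers the user gives in the next post (proxy, trusted site and DNS servers all set by the user), review() returns nothing, which is the outcome the thread reaches.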

OK, I did what you asked.

I checked my Java version and it was the one you named, so I didn't remove it.

The secured domain was added by me, so I left it there.

The proxy was once added by me, but I am not currently using it, so I removed that.

The DNS server addresses were added by me, so I left them in place.

Here are the MBAM log and the HJT log:

Malwarebytes' Anti-Malware 1.33

Database version: 1701

Windows 5.1.2600 Service Pack 3

28-1-2009 15:08:14

mbam-log-2009-01-28 (15-08-14).txt

Scan type: Quick Scan

Objects scanned: 57800

Time elapsed: 15 minute(s), 59 second(s)

Geheugenprocessen ge


  • Root Admin

The logs show that you're running 2 different Anti-Virus programs at the same time. This causes problems and only 1 Anti-Virus program can be installed and running at one time.

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min

O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE

Please choose either NOD32 or Avira and FULLY remove the other version.

What symptoms of infection are you having?


Well, the virus is infecting all the executable files on my external hard drive. I get pop-ups from my virus scanner like I posted in the opening post. It will give a warning for all the executable files on my external hard drive, until I have clicked them all away (put them in quarantine or something like that). Then normally it will do the same thing again a few hours after that, and when I have done the whole thing again (clicking my way through the warnings) it will stay put for about 2 days.

I have not had any problems with it since I opened this post, but it started again at some point before this post.

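A repeatable check for the symptom described above (executables on the external drive being rewritten and flagged again a few hours or days later), as an added example that is not part of this thread and not a tool the helpers here used: hash every executable on the drive once it has been scanned clean, re-hash it after the next round of warnings, and list exactly which files changed, plus whether an autorun.inf has appeared at the drive root. The extension list, the SHA-256 choice and the temporary-directory scenario in demo() are assumptions made for illustration.

```python
"""Re-infection check for executables on a removable drive.

Added example; not part of the thread and not a tool the thread's helpers
used. A file infector rewrites executables, so the simplest user-side check is
a hash baseline taken after a clean scan and diffed after each new warning.
"""
import hashlib
import os
import tempfile

# Assumption: the file types worth baselining on a data drive.
EXECUTABLE_EXT = {".exe", ".scr", ".dll", ".sys"}


def hash_file(path):
    """SHA-256 of a file, read in 64 KiB chunks so large files do not load whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root):
    """Map of drive-relative path (with '/' separators) -> sha256 for every executable."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in EXECUTABLE_EXT:
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                result[rel] = hash_file(full)
    return result


def compare(old, new):
    """Return (changed, added, removed) relative paths between two baselines."""
    changed = sorted(p for p in old if p in new and old[p] != new[p])
    added = sorted(p for p in new if p not in old)
    removed = sorted(p for p in old if p not in new)
    return changed, added, removed


def has_autorun(root):
    """An autorun.inf at the drive root is how a drive runs something when plugged in."""
    return os.path.isfile(os.path.join(root, "autorun.inf"))


def demo():
    """Constructed scenario in a temp dir: two executables and a text file, then
    one executable is modified in place and an autorun.inf appears. Returns the
    findings a user would report."""
    with tempfile.TemporaryDirectory() as drive:
        os.makedirs(os.path.join(drive, "tools"))
        for rel in ("setup.exe", os.path.join("tools", "run.exe"), "readme.txt"):
            with open(os.path.join(drive, rel), "wb") as f:
                f.write(b"MZ original " + rel.encode())
        before = baseline(drive)
        # Simulate what a file infector does: append code to an executable.
        with open(os.path.join(drive, "tools", "run.exe"), "ab") as f:
            f.write(b"\x90" * 64)
        with open(os.path.join(drive, "autorun.inf"), "w") as f:
            f.write("[autorun]\nopen=tools\\run.exe\n")
        after = baseline(drive)
        changed, added, removed = compare(before, after)
        return {"changed": changed, "added": added, "removed": removed,
                "autorun": has_autorun(drive)}


if __name__ == "__main__":
    print(demo())
```

In practice, save the baseline() dict (for example as JSON) right after a clean scan with the drive attached, and run compare() against a fresh baseline() after each new round of pop-ups; the changed list names the executables that were touched, which is the information a helper wants next to the AV warnings. The check detects modification only: a changed file is one to submit or restore, not proof of which process changed it.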

  • Root Admin

Please run the following

Please download the following scanning tool. GMER

  • Open the zip file and copy the file gmer.exe to your Desktop.
  • Double click on gmer.exe and run it.
  • It may take a minute to load and become available.
  • Do not make any changes. Click on the SCAN button and DO NOT use the computer while it's scanning.
  • Once the scan is done click on the SAVE button and browse to your Desktop and save the file as GMER.LOG
  • Zip up the GMER.LOG file and save it as gmerlog.zip and attach it to your reply post.
  • DO NOT directly post this log into a reply. You MUST attach it as a .ZIP file.
  • Click OK and quit the GMER program.


  • Root Admin

Did you download Messenger Plus! Live from a Torrent site?

Please download Avenger 2.0 from here

Open and copy the program file avenger.exe to your Desktop then double click to start it.

Copy and paste the following text from the code box below into the main window of Avenger.

Drivers to delete:
c:\windows\system32\Drivers\aqjkvfl2.SYS
aqjkvfl2

Files to delete:
c:\windows\system32\Drivers\aqjkvfl2.SYS
  • Do not check any other boxes, uncheck Scan for Rootkits if it's checked
  • Close all other running applications
  • After pasting the text into the main window, click on Execute

Post back the log file C:\avenger.txt

Once Avenger is done run MBAM, go to the UPDATE tab and update the program again and do a Quick Scan.

Fix anything found and reboot the computer. Then run a new HJT log and post back all logs.


No, I did not download Messenger Plus! Live from a torrent site. I never download anything from a torrent site.

Here are all the logs as requested:

Logfile of The Avenger Version 2.0, © by Swandog46

http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.

Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\c:\windows\system32\Drivers\aqjkvfl2.SYS" not found!

Deletion of driver "c:\windows\system32\Drivers\aqjkvfl2.SYS" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\aqjkvfl2" not found!

Deletion of driver "aqjkvfl2" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "c:\windows\system32\Drivers\aqjkvfl2.SYS" not found!

Deletion of file "c:\windows\system32\Drivers\aqjkvfl2.SYS" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Completed script processing.

*******************

Finished! Terminate.

Malwarebytes' Anti-Malware 1.33

Database version: 1712

Windows 5.1.2600 Service Pack 3

1-2-2009 14:10:24

mbam-log-2009-02-01 (14-10-24).txt

Scan type: Quick Scan

Objects scanned: 62858

Time elapsed: 15 minute(s), 6 second(s)

Geheugenprocessen ge


  • Root Admin

Please run the following to remove GMER.

Click on START - RUN and type in %windir%\gmer_uninstall.cmd and press the ENTER key.

Then run this to remove your current copy of Combofix

To uninstall ComboFix.exe
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.



  • When shown the disclaimer, Select "2"

Remove this folder C:\QooBox\LastRun if the uninstall instructions don't work.

Then download and run this tool: RootRepeal and provide me the logs from it please.

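RootRepeal's driver listing, which the user posts below, marks each loaded image with "File Visible" Yes or No, and the entries worth a second look are loaded images with no visible backing file. The following is an added example, not RootRepeal code, that reads that section and lists such images; the four records are a constructed sample in the tool's record layout, copied from the posted log. The dump_ exclusion is a heuristic assumption of this example (the crash-dump path loads dump_atapi.sys and dump_WMILIB.SYS from memory, so they show as not visible on a healthy XP machine). A hit is a question to ask, not a verdict: anti-rootkit tools such as GMER load a temporary driver of their own under a random name, which is the same shape as the aqjkvfl2.SYS entry that Avenger could not find earlier in the thread.

```python
"""Reader for the 'Drivers' section of a RootRepeal report.

Added example for this thread; not RootRepeal code. Flags loaded images that
the tool could not match to a visible file on disk.
"""
import re

# Constructed sample in RootRepeal's record layout, taken from the posted log:
# an unnamed hidden image, a random-named hidden driver, a crash-dump helper
# and an ordinary visible driver.
SAMPLE_ROOTREPEAL = """\
Drivers
-------------------
Name:
Image Path:
Address: 0xF7430000 Size: 98304 File Visible: No
Status: -

Name: a4dyogih.SYS
Image Path: C:\\WINDOWS\\System32\\Drivers\\a4dyogih.SYS
Address: 0xF6CE6000 Size: 303104 File Visible: No
Status: -

Name: dump_atapi.sys
Image Path: C:\\WINDOWS\\System32\\Drivers\\dump_atapi.sys
Address: 0xAAD50000 Size: 98304 File Visible: No
Status: -

Name: ACPI.sys
Image Path: ACPI.sys
Address: 0xF7496000 Size: 188544 File Visible: -
Status: -
"""

RECORD_RE = re.compile(
    r"Name:(?P<name>[^\n]*)\n"
    r"Image Path:(?P<path>[^\n]*)\n"
    r"Address: (?P<addr>0x[0-9A-Fa-f]+) Size: (?P<size>\d+) File Visible: (?P<vis>\S+)\n"
    r"Status:(?P<status>[^\n]*)"
)

# Heuristic (assumption of this example, not from the thread): the crash-dump
# stack loads copies of the boot storage driver and WMILIB under a dump_ prefix
# with no file of that name on disk, so they are expected to be "not visible".
EXPECTED_HIDDEN_PREFIXES = ("dump_",)


def parse_drivers(text):
    """Return one dict per driver record found in the text."""
    records = []
    for m in RECORD_RE.finditer(text):
        records.append({
            "name": m["name"].strip(),
            "path": m["path"].strip(),
            "address": int(m["addr"], 16),
            "size": int(m["size"]),
            "visible": m["vis"] != "No",
            "status": m["status"].strip(),
        })
    return records


def hidden_drivers(records):
    """Names (or an address placeholder for unnamed entries) of loaded images
    with no visible backing file that are not a known dump_ helper.
    Zero-size entries are object-manager placeholders, not loaded code."""
    flagged = []
    for r in records:
        if r["visible"] or r["size"] == 0:
            continue
        if r["name"].lower().startswith(EXPECTED_HIDDEN_PREFIXES):
            continue
        flagged.append(r["name"] or f"<unnamed @0x{r['address']:08X}>")
    return flagged


if __name__ == "__main__":
    for entry in hidden_drivers(parse_drivers(SAMPLE_ROOTREPEAL)):
        print("review:", entry)
```

Run against the full log a reader would paste the Drivers section into SAMPLE_ROOTREPEAL's place; the output is the short list to ask the user about (was a scanner running when the report was taken, does the file exist when the drive is inspected offline), rather than the 150-odd entries the raw listing contains.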

Both GMER and ComboFix are removed and here's the log of RootRepeal:

ROOTREPEAL © AD, 2007-2008

==================================================

Scan Time: 2009/02/02 12:56

Program Version: Version 1.2.3.0

Windows Version: Windows XP SP3

==================================================

Drivers

-------------------

Name:

Image Path:

Address: 0xF7430000 Size: 98304 File Visible: No

Status: -

Name:

Image Path:

Address: 0x00000000 Size: 0 File Visible: No

Status: -

Name: 00000135

Image Path: \Driver\00000135

Address: 0x00000000 Size: 0 File Visible: No

Status: -

Name: 1394BUS.SYS

Image Path: C:\WINDOWS\system32\DRIVERS\1394BUS.SYS

Address: 0xF760E000 Size: 57344 File Visible: -

Status: -

Name: a347bus.sys

Image Path: a347bus.sys

Address: 0xF74C5000 Size: 160640 File Visible: -

Status: -

Name: a347scsi.sys

Image Path: a347scsi.sys

Address: 0xF7AF4000 Size: 5248 File Visible: -

Status: -

Name: a4dyogih.SYS

Image Path: C:\WINDOWS\System32\Drivers\a4dyogih.SYS

Address: 0xF6CE6000 Size: 303104 File Visible: No

Status: -

Name: ACPI.sys

Image Path: ACPI.sys

Address: 0xF7496000 Size: 188544 File Visible: -

Status: -

Name: ACPI_HAL

Image Path: \Driver\ACPI_HAL

Address: 0x804D7000 Size: 2193536 File Visible: -

Status: -

Name: ACPIEC.sys

Image Path: ACPIEC.sys

Address: 0xF7A0A000 Size: 12032 File Visible: -

Status: -

Name: afd.sys

Image Path: C:\WINDOWS\System32\drivers\afd.sys

Address: 0xAAEDC000 Size: 138496 File Visible: -

Status: -

Name: agp440.sys

Image Path: agp440.sys

Address: 0xF766E000 Size: 42368 File Visible: -

Status: -

Name: arp1394.sys

Image Path: C:\WINDOWS\system32\DRIVERS\arp1394.sys

Address: 0xF77DE000 Size: 60800 File Visible: -

Status: -

Name: ati2cqag.dll

Image Path: C:\WINDOWS\System32\ati2cqag.dll

Address: 0xBFA0C000 Size: 229376 File Visible: -

Status: -

Name: ati2dvag.dll

Image Path: C:\WINDOWS\System32\ati2dvag.dll

Address: 0xBF9D5000 Size: 225280 File Visible: -

Status: -

Name: ati2mtag.sys

Image Path: C:\WINDOWS\system32\DRIVERS\ati2mtag.sys

Address: 0xF717E000 Size: 860160 File Visible: -

Status: -

Name: ati3duag.dll

Image Path: C:\WINDOWS\System32\ati3duag.dll

Address: 0xBFA44000 Size: 2158592 File Visible: -

Status: -

Name: ativvaxx.dll

Image Path: C:\WINDOWS\System32\ativvaxx.dll

Address: 0xBFC53000 Size: 520192 File Visible: -

Status: -

Name: ATMFD.DLL

Image Path: C:\WINDOWS\System32\ATMFD.DLL

Address: 0xBFFA0000 Size: 286720 File Visible: -

Status: -

Name: audstub.sys

Image Path: C:\WINDOWS\system32\DRIVERS\audstub.sys

Address: 0xF7CD1000 Size: 3072 File Visible: -

Status: -

Name: avgio.sys

Image Path: C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgio.sys

Address: 0xF7B1C000 Size: 6144 File Visible: -

Status: -

Name: avgntflt.sys

Image Path: C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgntflt.sys

Address: 0xAA33C000 Size: 81920 File Visible: -

Status: -

Name: avipbb.sys

Image Path: C:\WINDOWS\system32\DRIVERS\avipbb.sys

Address: 0xAAD90000 Size: 69632 File Visible: -

Status: -

Name: BATTC.SYS

Image Path: C:\WINDOWS\system32\DRIVERS\BATTC.SYS

Address: 0xF7A06000 Size: 16384 File Visible: -

Status: -

Name: Beep.SYS

Image Path: C:\WINDOWS\System32\Drivers\Beep.SYS

Address: 0xF7B0C000 Size: 4224 File Visible: -

Status: -

Name: BOOTVID.dll

Image Path: C:\WINDOWS\system32\BOOTVID.dll

Address: 0xF79FE000 Size: 12288 File Visible: -

Status: -

Name: Cdfs.SYS

Image Path: C:\WINDOWS\System32\Drivers\Cdfs.SYS

Address: 0xF784E000 Size: 63744 File Visible: -

Status: -

Name: cdrbsdrv.SYS

Image Path: C:\WINDOWS\System32\Drivers\cdrbsdrv.SYS

Address: 0xF76EE000 Size: 33408 File Visible: -

Status: -

Name: cdrom.sys

Image Path: C:\WINDOWS\system32\DRIVERS\cdrom.sys

Address: 0xF76FE000 Size: 62976 File Visible: -

Status: -

Name: CLASSPNP.SYS

Image Path: C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS

Address: 0xF764E000 Size: 53248 File Visible: -

Status: -

Name: CmBatt.sys

Image Path: C:\WINDOWS\system32\DRIVERS\CmBatt.sys

Address: 0xF7294000 Size: 13952 File Visible: -

Status: -

Name: compbatt.sys

Image Path: compbatt.sys

Address: 0xF7A02000 Size: 10240 File Visible: -

Status: -

Name: disk.sys

Image Path: disk.sys

Address: 0xF763E000 Size: 36352 File Visible: -

Status: -

Name: drmk.sys

Image Path: C:\WINDOWS\system32\drivers\drmk.sys

Address: 0xF771E000 Size: 61440 File Visible: -

Status: -

Name: dump_atapi.sys

Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys

Address: 0xAAD50000 Size: 98304 File Visible: No

Status: -

Name: dump_WMILIB.SYS

Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS

Address: 0xF7B28000 Size: 8192 File Visible: No

Status: -

Name: Dxapi.sys

Image Path: C:\WINDOWS\System32\drivers\Dxapi.sys

Address: 0xF72B0000 Size: 12288 File Visible: -

Status: -

Name: dxg.sys

Image Path: C:\WINDOWS\System32\drivers\dxg.sys

Address: 0xBF9C3000 Size: 73728 File Visible: -

Status: -

Name: dxgthk.sys

Image Path: C:\WINDOWS\System32\drivers\dxgthk.sys

Address: 0xF7BCB000 Size: 4096 File Visible: -

Status: -

Name: Fips.SYS

Image Path: C:\WINDOWS\System32\Drivers\Fips.SYS

Address: 0xF780E000 Size: 44672 File Visible: -

Status: -

Name: fltmgr.sys

Image Path: fltmgr.sys

Address: 0xF73F8000 Size: 129792 File Visible: -

Status: -

Name: Fs_Rec.SYS

Image Path: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS

Address: 0xF7B08000 Size: 7936 File Visible: -

Status: -

Name: ftdisk.sys

Image Path: ftdisk.sys

Address: 0xF7448000 Size: 125696 File Visible: -

Status: -

Name: GEARAspiWDM.sys

Image Path: C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys

Address: 0xF7AE2000 Size: 9984 File Visible: -

Status: -

Name: hal.dll

Image Path: C:\WINDOWS\system32\hal.dll

Address: 0x806EF000 Size: 81152 File Visible: -

Status: -

Name: hamachi.sys

Image Path: C:\WINDOWS\system32\DRIVERS\hamachi.sys

Address: 0xF798E000 Size: 18560 File Visible: -

Status: -

Name: HIDCLASS.SYS

Image Path: C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS

Address: 0xF77FE000 Size: 36864 File Visible: -

Status: -

Name: HIDPARSE.SYS

Image Path: C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS

Address: 0xF78EE000 Size: 28672 File Visible: -

Status: -

Name: hidusb.sys

Image Path: C:\WINDOWS\system32\DRIVERS\hidusb.sys

Address: 0xF72A4000 Size: 10368 File Visible: -

Status: -

Name: HPZid412.sys

Image Path: C:\WINDOWS\system32\DRIVERS\HPZid412.sys

Address: 0xF783E000 Size: 50848 File Visible: -

Status: -

Name: HPZipr12.sys

Image Path: C:\WINDOWS\system32\DRIVERS\HPZipr12.sys

Address: 0xF7284000 Size: 16224 File Visible: -

Status: -

Name: HPZius12.sys

Image Path: C:\WINDOWS\system32\DRIVERS\HPZius12.sys

Address: 0xF793E000 Size: 21472 File Visible: -

Status: -

Name: HTTP.sys

Image Path: C:\WINDOWS\System32\Drivers\HTTP.sys

Address: 0xA9CA7000 Size: 264832 File Visible: -

Status: -

Name: i8042prt.sys

Image Path: C:\WINDOWS\system32\DRIVERS\i8042prt.sys

Address: 0xF76CE000 Size: 53504 File Visible: -

Status: -

Name: imapi.sys

Image Path: C:\WINDOWS\system32\DRIVERS\imapi.sys

Address: 0xF76DE000 Size: 42112 File Visible: -

Status: -

Name: intelide.sys

Image Path: intelide.sys

Address: 0xF7AF2000 Size: 5504 File Visible: -

Status: -

Name: intelppm.sys

Image Path: C:\WINDOWS\system32\DRIVERS\intelppm.sys

Address: 0xF76AE000 Size: 40448 File Visible: -

Status: -

Name: ipnat.sys

Image Path: C:\WINDOWS\system32\DRIVERS\ipnat.sys

Address: 0xAAEFE000 Size: 152832 File Visible: -

Status: -

Name: ipsec.sys

Image Path: C:\WINDOWS\system32\DRIVERS\ipsec.sys

Address: 0xAAFA5000 Size: 75264 File Visible: -

Status: -

Name: isapnp.sys

Image Path: isapnp.sys

Address: 0xF75EE000 Size: 37760 File Visible: -

Status: -

Name: kbdclass.sys

Image Path: C:\WINDOWS\system32\DRIVERS\kbdclass.sys

Address: 0xF78C6000 Size: 25088 File Visible: -

Status: -

Name: KDCOM.DLL

Image Path: C:\WINDOWS\system32\KDCOM.DLL

Address: 0xF7AEE000 Size: 8192 File Visible: -

Status: -

Name: kmixer.sys

Image Path: C:\WINDOWS\system32\drivers\kmixer.sys

Address: 0xA97B8000 Size: 172416 File Visible: -

Status: -

Name: ks.sys

Image Path: C:\WINDOWS\system32\DRIVERS\ks.sys

Address: 0xF6DFD000 Size: 143360 File Visible: -

Status: -

Name: KSecDD.sys

Image Path: KSecDD.sys

Address: 0xF73CF000 Size: 92288 File Visible: -

Status: -

Name: mnmdd.SYS

Image Path: C:\WINDOWS\System32\Drivers\mnmdd.SYS

Address: 0xF7B10000 Size: 4224 File Visible: -

Status: -

Name: Modem.SYS

Image Path: C:\WINDOWS\System32\Drivers\Modem.SYS

Address: 0xF78F6000 Size: 30336 File Visible: -

Status: -

Name: MODEMCSA.sys

Image Path: C:\WINDOWS\system32\drivers\MODEMCSA.sys

Address: 0xF7250000 Size: 16128 File Visible: -

Status: -

Name: mouclass.sys

Image Path: C:\WINDOWS\system32\DRIVERS\mouclass.sys

Address: 0xF78CE000 Size: 23552 File Visible: -

Status: -

Name: mouhid.sys

Image Path: C:\WINDOWS\system32\DRIVERS\mouhid.sys

Address: 0xF6C07000 Size: 12288 File Visible: -

Status: -

Name: MountMgr.sys

Image Path: MountMgr.sys

Address: 0xF761E000 Size: 42368 File Visible: -

Status: -

Name: mrxdav.sys

Image Path: C:\WINDOWS\system32\DRIVERS\mrxdav.sys

Address: 0xAA4A1000 Size: 180608 File Visible: -

Status: -

Name: mrxsmb.sys

Image Path: C:\WINDOWS\system32\DRIVERS\mrxsmb.sys

Address: 0xAADA1000 Size: 455296 File Visible: -

Status: -

Name: Msfs.SYS

Image Path: C:\WINDOWS\System32\Drivers\Msfs.SYS

Address: 0xF79E6000 Size: 19072 File Visible: -

Status: -

Name: msgpc.sys

Image Path: C:\WINDOWS\system32\DRIVERS\msgpc.sys

Address: 0xF775E000 Size: 35072 File Visible: -

Status: -

Name: mssmbios.sys

Image Path: C:\WINDOWS\system32\DRIVERS\mssmbios.sys

Address: 0xF7278000 Size: 15488 File Visible: -

Status: -

Name: Mtlmnt5.sys

Image Path: C:\WINDOWS\system32\DRIVERS\Mtlmnt5.sys

Address: 0xF6D30000 Size: 126752 File Visible: -

Status: -

Name: Mup.sys

Image Path: Mup.sys

Address: 0xF72E8000 Size: 105344 File Visible: -

Status: -

Name: NDIS.sys

Image Path: NDIS.sys

Address: 0xF7302000 Size: 182656 File Visible: -

Status: -

Name: ndistapi.sys

Image Path: C:\WINDOWS\system32\DRIVERS\ndistapi.sys

Address: 0xF728C000 Size: 10112 File Visible: -

Status: -

Name: ndisuio.sys

Image Path: C:\WINDOWS\system32\DRIVERS\ndisuio.sys

Address: 0xAAC60000 Size: 14592 File Visible: -

Status: -

Name: ndiswan.sys

Image Path: C:\WINDOWS\system32\DRIVERS\ndiswan.sys

Address: 0xF6C2F000 Size: 91520 File Visible: -

Status: -

Name: NDProxy.SYS

Image Path: C:\WINDOWS\System32\Drivers\NDProxy.SYS

Address: 0xF777E000 Size: 40576 File Visible: -

Status: -

Name: netbios.sys

Image Path: C:\WINDOWS\system32\DRIVERS\netbios.sys

Address: 0xF77EE000 Size: 34688 File Visible: -

Status: -

Name: netbt.sys

Image Path: C:\WINDOWS\system32\DRIVERS\netbt.sys

Address: 0xAAF24000 Size: 162816 File Visible: -

Status: -

Name: nic1394.sys

Image Path: C:\WINDOWS\system32\DRIVERS\nic1394.sys

Address: 0xF76BE000 Size: 61824 File Visible: -

Status: -

Name: Npfs.SYS

Image Path: C:\WINDOWS\System32\Drivers\Npfs.SYS

Address: 0xF79F6000 Size: 30848 File Visible: -

Status: -

Name: Ntfs.sys

Image Path: Ntfs.sys

Address: 0xF732F000 Size: 574976 File Visible: -

Status: -

Name: ntoskrnl.exe

Image Path: C:\WINDOWS\system32\ntoskrnl.exe

Address: 0x804D7000 Size: 2193536 File Visible: -

Status: -

Name: Null.SYS

Image Path: C:\WINDOWS\System32\Drivers\Null.SYS

Address: 0xF7D09000 Size: 2944 File Visible: -

Status: -

Name: ohci1394.sys

Image Path: ohci1394.sys

Address: 0xF75FE000 Size: 61696 File Visible: -

Status: -

Name: OPRGHDLR.SYS

Image Path: C:\WINDOWS\system32\DRIVERS\OPRGHDLR.SYS

Address: 0xF7BB7000 Size: 4096 File Visible: -

Status: -

Name: PartMgr.sys

Image Path: PartMgr.sys

Address: 0xF7876000 Size: 19712 File Visible: -

Status: -

Name: pci.sys

Image Path: pci.sys

Address: 0xF7485000 Size: 68224 File Visible: -

Status: -

Name: pciide.sys

Image Path: pciide.sys

Address: 0xF7BB6000 Size: 3328 File Visible: -

Status: -

Name: PCIIDEX.SYS

Image Path: C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS

Address: 0xF786E000 Size: 28672 File Visible: -

Status: -

Name: pcmcia.sys

Image Path: pcmcia.sys

Address: 0xF7467000 Size: 120448 File Visible: -

Status: -

Name: PnpManager

Image Path: \Driver\PnpManager

Address: 0x804D7000 Size: 2193536 File Visible: -

Status: -

Name: portcls.sys

Image Path: C:\WINDOWS\system32\drivers\portcls.sys

Address: 0xF6DB2000 Size: 147456 File Visible: -

Status: -

Name: psched.sys

Image Path: C:\WINDOWS\system32\DRIVERS\psched.sys

Address: 0xF6BF6000 Size: 69120 File Visible: -

Status: -

Name: ptilink.sys

Image Path: C:\WINDOWS\system32\DRIVERS\ptilink.sys

Address: 0xF796E000 Size: 17792 File Visible: -

Status: -

Name: PxHelp20.sys

Image Path: PxHelp20.sys

Address: 0xF765E000 Size: 35712 File Visible: -

Status: -

Name: rasacd.sys

Image Path: C:\WINDOWS\system32\DRIVERS\rasacd.sys

Address: 0xF72C4000 Size: 8832 File Visible: -

Status: -

Name: rasl2tp.sys

Image Path: C:\WINDOWS\system32\DRIVERS\rasl2tp.sys

Address: 0xF772E000 Size: 51328 File Visible: -

Status: -

Name: raspppoe.sys

Image Path: C:\WINDOWS\system32\DRIVERS\raspppoe.sys

Address: 0xF773E000 Size: 41472 File Visible: -

Status: -

Name: raspptp.sys

Image Path: C:\WINDOWS\system32\DRIVERS\raspptp.sys

Address: 0xF774E000 Size: 48384 File Visible: -

Status: -

Name: raspti.sys

Image Path: C:\WINDOWS\system32\DRIVERS\raspti.sys

Address: 0xF797E000 Size: 16512 File Visible: -

Status: -

Name: RAW

Image Path: \FileSystem\RAW

Address: 0x804D7000 Size: 2193536 File Visible: -

Status: -

Name: rdbss.sys

Image Path: C:\WINDOWS\system32\DRIVERS\rdbss.sys

Address: 0xAAE11000 Size: 175744 File Visible: -

Status: -

Name: RDPCDD.sys

Image Path: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys

Address: 0xF7B14000 Size: 4224 File Visible: -

Status: -

Name: RecAgent.sys

Image Path: RecAgent.sys

Address: 0xF7A0E000 Size: 13824 File Visible: -

Status: -

Name: redbook.sys

Image Path: C:\WINDOWS\system32\DRIVERS\redbook.sys

Address: 0xF770E000 Size: 58112 File Visible: -

Status: -

Name: rootrepeal.sys

Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys

Address: 0xA987B000 Size: 45056 File Visible: No

Status: -

Name: RTL8139.SYS

Image Path: C:\WINDOWS\system32\DRIVERS\RTL8139.SYS

Address: 0xF78AE000 Size: 20992 File Visible: -

Status: -

Name: SCSIPORT.SYS

Image Path: C:\WINDOWS\System32\Drivers\SCSIPORT.SYS

Address: 0xF7418000 Size: 98304 File Visible: -

Status: -

Name: SENTINEL.SYS

Image Path: C:\WINDOWS\System32\Drivers\SENTINEL.SYS

Address: 0xAA3C7000 Size: 73728 File Visible: -

Status: -

Name: slntamr.sys

Image Path: C:\WINDOWS\system32\DRIVERS\slntamr.sys

Address: 0xF6D4F000 Size: 405184 File Visible: -

Status: -

Name: SlWdmSup.sys

Image Path: C:\WINDOWS\system32\DRIVERS\SlWdmSup.sys

Address: 0xF72C0000 Size: 13216 File Visible: -

Status: -

Name: sptd.sys

Image Path: sptd.sys

Address: 0xF7505000 Size: 819200 File Visible: -

Status: -

Name: SPTDDRV1.SYS

Image Path: C:\WINDOWS\System32\Drivers\SPTDDRV1.SYS

Address: 0xF74ED000 Size: 98304 File Visible: -

Status: -

Name: sr.sys

Image Path: sr.sys

Address: 0xF73E6000 Size: 73472 File Visible: -

Status: -

Name: srv.sys

Image Path: C:\WINDOWS\system32\DRIVERS\srv.sys

Address: 0xA9FA2000 Size: 333952 File Visible: -

Status: -

Name: ssmdrv.sys

Image Path: C:\WINDOWS\system32\DRIVERS\ssmdrv.sys

Address: 0xF78DE000 Size: 22656 File Visible: -

Status: -

Name: swenum.sys

Image Path: C:\WINDOWS\system32\DRIVERS\swenum.sys

Address: 0xF7AFE000 Size: 4352 File Visible: -

Status: -

Name: sysaudio.sys

Image Path: C:\WINDOWS\system32\drivers\sysaudio.sys

Address: 0xAA6B1000 Size: 60800 File Visible: -

Status: -

Name: tcpip.sys

Image Path: C:\WINDOWS\system32\DRIVERS\tcpip.sys

Address: 0xAAF4C000 Size: 361600 File Visible: -

Status: -

Name: TDI.SYS

Image Path: C:\WINDOWS\system32\DRIVERS\TDI.SYS

Address: 0xF795E000 Size: 20480 File Visible: -

Status: -

Name: termdd.sys

Image Path: C:\WINDOWS\system32\DRIVERS\termdd.sys

Address: 0xF776E000 Size: 40704 File Visible: -

Status: -

Name: update.sys

Image Path: C:\WINDOWS\system32\DRIVERS\update.sys

Address: 0xF6B98000 Size: 384768 File Visible: -

Status: -

Name: usbccgp.sys

Image Path: C:\WINDOWS\system32\DRIVERS\usbccgp.sys

Address: 0xF78A6000 Size: 32128 File Visible: -

Status: -

Name: USBD.SYS

Image Path: C:\WINDOWS\system32\DRIVERS\USBD.SYS

Address: 0xF7B04000 Size: 8192 File Visible: -

Status: -

Name: usbehci.sys

Image Path: C:\WINDOWS\system32\DRIVERS\usbehci.sys

Address: 0xF789E000 Size: 30208 File Visible: -

Status: -

Name: usbhub.sys

Image Path: C:\WINDOWS\system32\DRIVERS\usbhub.sys

Address: 0xF77AE000 Size: 59520 File Visible: -

Status: -

Name: USBPORT.SYS

Image Path: C:\WINDOWS\system32\DRIVERS\USBPORT.SYS

Address: 0xF7146000 Size: 147456 File Visible: -

Status: -

Name: usbprint.sys

Image Path: C:\WINDOWS\system32\DRIVERS\usbprint.sys

Address: 0xF7926000 Size: 25856 File Visible: -

Status: -

Name: usbscan.sys

Image Path: C:\WINDOWS\system32\DRIVERS\usbscan.sys

Address: 0xF6C0F000 Size: 15104 File Visible: -

Status: -

Name: USBSTOR.SYS

Image Path: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

Address: 0xF7916000 Size: 26368 File Visible: -

Status: -

Name: usbuhci.sys

Image Path: C:\WINDOWS\system32\DRIVERS\usbuhci.sys

Address: 0xF7896000 Size: 20608 File Visible: -

Status: -

Name: vga.sys

Image Path: C:\WINDOWS\System32\drivers\vga.sys

Address: 0xF79D6000 Size: 20992 File Visible: -

Status: -

Name: VIDEOPRT.SYS

Image Path: C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS

Address: 0xF716A000 Size: 81920 File Visible: -

Status: -

Name: vinyl97.sys

Image Path: C:\WINDOWS\system32\drivers\vinyl97.sys

Address: 0xF6DD6000 Size: 159488 File Visible: -

Status: -

Name: VolSnap.sys

Image Path: VolSnap.sys

Address: 0xF762E000 Size: 53504 File Visible: -

Status: -

Name: w29n51.sys

Image Path: C:\WINDOWS\system32\DRIVERS\w29n51.sys

Address: 0xF6E20000 Size: 3298432 File Visible: -

Status: -

Name: wanarp.sys

Image Path: C:\WINDOWS\system32\DRIVERS\wanarp.sys

Address: 0xF77CE000 Size: 34560 File Visible: -

Status: -

Name: watchdog.sys

Image Path: C:\WINDOWS\System32\watchdog.sys

Address: 0xF79A6000 Size: 20480 File Visible: -

Status: -

Name: wdmaud.sys

Image Path: C:\WINDOWS\system32\drivers\wdmaud.sys

Address: 0xAA614000 Size: 83072 File Visible: -

Status: -

Name: WibuKey.sys

Image Path: C:\WINDOWS\SYSTEM32\DRIVERS\WibuKey.sys

Address: 0xA9F68000 Size: 72704 File Visible: -

Status: -

Name: Win32k

Image Path: \Driver\Win32k

Address: 0xBF800000 Size: 1847296 File Visible: -

Status: -

Name: win32k.sys

Image Path: C:\WINDOWS\System32\win32k.sys

Address: 0xBF800000 Size: 1847296 File Visible: -

Status: -

Name: WMILIB.SYS

Image Path: C:\WINDOWS\System32\Drivers\WMILIB.SYS

Address: 0xF7AF0000 Size: 8192 File Visible: -

Status: -

Name: WMIxWDM

Image Path: \Driver\WMIxWDM

Address: 0x804D7000 Size: 2193536 File Visible: -

Status: -

Name: WudfPf.sys

Image Path: WudfPf.sys

Address: 0xF73BC000 Size: 76544 File Visible: -

Status: -


  • Root Admin

You don't need to download Avenger again, just run the script portion and post back the log.

Please download Avenger 2.0 from here

Open and copy the program file avenger.exe to your Desktop then double click to start it.

Copy and paste the following text from the code box below into the main window of Avenger.

Drivers to delete:
a4dyogih
a4dyogih.SYS

Files to delete:
C:\WINDOWS\System32\Drivers\a4dyogih.SYS
  • Do not check any other boxes, uncheck Scan for Rootkits if it's checked
  • Close all other running applications
  • After pasting the text into the main window, click on Execute

Once Avenger is done run MBAM, go to the UPDATE tab and update the program again and do a Quick Scan.

Fix anything found and reboot the computer. Then run a new HJT log and post back all logs.


Here are the Avenger, MBAM and HJT logs:

Logfile of The Avenger Version 2.0, © by Swandog46

http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.

Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\a4dyogih" not found!

Deletion of driver "a4dyogih" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\a4dyogih.SYS" not found!

Deletion of driver "a4dyogih.SYS" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "C:\WINDOWS\System32\Drivers\a4dyogih.SYS" not found!

Deletion of file "C:\WINDOWS\System32\Drivers\a4dyogih.SYS" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Completed script processing.

*******************

Finished! Terminate.

Malwarebytes' Anti-Malware 1.33

Database versie: 1718

Windows 5.1.2600 Service Pack 3

3-2-2009 15:20:14

mbam-log-2009-02-03 (15-20-14).txt

Scan type: Snelle Scan

Objecten gescand: 64370

Verstreken tijd: 16 minute(s), 56 second(s)

Geheugenprocessen ge


  • Root Admin

Well that does not make sense. RootRepeal shows that file being there.

Please download this, place a blank CD in your burner and double-click on the downloaded file. It will automatically burn the CD for you.

At the bottom left should be 2 flags. If you use your mouse and click on the British flag the interface should switch to English for you.

Have it scan ALL files. There is no way that I'm aware of to save a log, so you may need to write down any special errors or infections found and their outcome.

Requires access to a working computer with a CD/DVD burner to create a bootable CD.

    Avira AntiVir Rescue System
    Avira AntiVir Rescue System is a Linux-based application that allows accessing computers that cannot be booted anymore. Thus it is possible to:

  • repair a damaged system,
  • rescue data,
  • scan the system for virus infections.

    Just double-click on the rescue system package to burn it to a CD/DVD. You can then use this CD/DVD to boot your computer.
    The Avira AntiVir Rescue System is updated several times a day so that the most recent security updates are always available.


Ok, I did another ComboFix run.

One thing I might want to add is that since I explained what kind of problems I had (Jan 29), I haven't had any pop-ups of a virus on any of my drives. That was last Thursday and normally I would have the virus warnings at least every 2 days.

Anyhow, here are the logs:

ComboFix 09-02-03.01 - Igo 2009-02-04 14:56:03.2 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1043.18.1023.650 [GMT 1:00]

Gestart vanuit: c:\documents and settings\Igo\Bureaublad\ComboFix.exe

AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)

* Nieuw herstelpunt werd aangemaakt

.

(((((((((((((((((((( Bestanden Gemaakt van 2009-01-04 to 2009-02-04 ))))))))))))))))))))))))))))))

.

2009-01-31 14:14 . 2009-01-31 14:14 250 --a------ c:\windows\gmer.ini

2009-01-25 13:30 . 2009-01-25 13:30 <DIR> d-------- c:\program files\Trend Micro

2009-01-24 22:31 . 2009-01-24 22:31 10 --a------ c:\windows\VDFN.bkm

2009-01-21 15:51 . 2009-01-21 15:51 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2009-01-21 15:51 . 2009-01-21 15:51 <DIR> d-------- c:\documents and settings\Igo\Application Data\Malwarebytes

2009-01-21 15:51 . 2009-01-21 15:51 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-01-21 15:51 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2009-01-21 15:51 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2009-01-20 21:29 . 2009-01-20 21:29 <DIR> d-------- c:\program files\Avira

2009-01-20 21:29 . 2009-01-20 21:29 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira

2009-01-20 18:22 . 2009-01-20 18:22 <DIR> d-------- c:\documents and settings\Igo\Application Data\dvdcss

2009-01-16 16:48 . 2009-01-16 16:48 <DIR> d-------- c:\program files\iPod

2009-01-16 16:47 . 2009-01-16 16:49 <DIR> d-------- c:\program files\iTunes

2009-01-16 16:47 . 2009-01-16 16:49 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}

2009-01-16 16:34 . 2009-01-16 16:36 <DIR> d-------- c:\program files\QuickTime

2009-01-16 16:28 . 2009-01-16 16:28 <DIR> d-------- c:\program files\Apple Software Update

2009-01-16 16:26 . 2009-01-16 16:48 <DIR> d-------- c:\program files\Common Files\Apple

2009-01-16 16:26 . 2009-01-16 16:26 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple

.

((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-02-04 13:53 --------- d-----w c:\documents and settings\Igo\Application Data\Skype

2009-02-04 13:16 --------- d-----w c:\documents and settings\Igo\Application Data\skypePM

2009-01-29 12:48 --------- d-----w c:\program files\ESET

2009-01-16 15:39 --------- d-----w c:\program files\Bonjour

2009-01-16 13:57 --------- d-----w c:\program files\Google

2008-12-27 18:42 --------- d--h--w c:\program files\InstallShield Installation Information

2008-12-19 21:44 410,984 ----a-w c:\windows\system32\deploytk.dll

2008-12-19 21:44 --------- d-----w c:\program files\Java

2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys

2008-09-15 10:15 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\Geschiedenis\History.IE5\MSHist012008091520080916\index.dat

.

((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-11-08 68856]

"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]

"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-11-07 21633320]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-19 136600]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-06-10 339968]

"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="c:\program files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe" [2005-07-15 479232]

"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-03-20 213936]

"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]

"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 c:\windows\system32\bthprops.cpl]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"vidc.I420"= i420vfw.dll

"SENTINEL"= snti386.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^Adobe Reader Speed Launch.lnk]

path=c:\documents and settings\All Users\Menu Start\Programma's\Opstarten\Adobe Reader Speed Launch.lnk

backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^HP Digital Imaging Monitor.lnk]

path=c:\documents and settings\All Users\Menu Start\Programma's\Opstarten\HP Digital Imaging Monitor.lnk

backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Igo^Menu Start^Programma's^Opstarten^hamachi.lnk]

path=c:\documents and settings\Igo\Menu Start\Programma's\Opstarten\hamachi.lnk

backup=c:\windows\pss\hamachi.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Igo^Menu Start^Programma's^Opstarten^Webshots.lnk]

path=c:\documents and settings\Igo\Menu Start\Programma's\Opstarten\Webshots.lnk

backup=c:\windows\pss\Webshots.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

--a------ 2008-10-15 01:04 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]

--a------ 2007-05-16 09:27 153136 c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]

--a------ 2006-09-14 21:09 157592 c:\program files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]

--a------ 2006-11-13 17:34 1289000 c:\program files\Microsoft ActiveSync\wcescomm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]

--a------ 2005-05-11 22:12 49152 c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

--a------ 2008-11-20 13:20 290088 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

--a------ 2008-04-14 18:03 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

--a--c--- 2007-03-01 15:57 153136 c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\POEngine]

--a------ 2007-02-22 16:17 475136 c:\program files\PokerOffice\POEngine.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

--a------ 2008-11-04 10:30 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpriteService]

--a------ 2006-11-03 10:19 544768 c:\program files\Sprite Software\Sprite Backup\SpriteService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]

--a------ 2007-03-14 15:52 3770024 c:\program files\TomTom HOME\TomTomHOME.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\PokerOffice\\bin\\javaw.exe"=

"c:\\Program Files\\InterVideo\\DVD8\\WinDVD.exe"=

"c:\\Program Files\\Hamachi\\hamachi.exe"=

"c:\\Program Files\\SopCast\\SopCast.exe"=

"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=

"c:\\Program Files\\Graphisoft\\ArchiCAD 11\\ArchiCAD.exe"=

"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager

"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager

"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

"c:\\Program Files\\Sprite Software\\Sprite Backup\\SpriteService.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{25661222-d642-11dc-b399-0012f04e9cf4}]

\Shell\AutoRun\command - G:\LaunchU3.exe -a

.

Inhoud van de 'Gedeelde Taken' map

2009-02-02 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

.

.

------- Bijkomende Scan -------

.

uStart Page = hxxp://icanhascheezburger.com/

uInternet Settings,ProxyOverride = *.local

IE: E&xporteren naar Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

IE: Post Image to Blog - c:\program files\ImageShackToolbar\ImageShackToolbar.dll/5003

IE: Tag This Image - c:\program files\ImageShackToolbar\ImageShackToolbar.dll/5002

IE: Transload Image to ImageShack - c:\program files\ImageShackToolbar\ImageShackToolbar.dll/5004

IE: Upload All Images to ImageShack - c:\program files\ImageShackToolbar\ImageShackToolbar.dll/5000

IE: Upload Image to ImageShack - c:\program files\ImageShackToolbar\ImageShackToolbar.dll/5001

Trusted Zone: hanze.nl

TCP: {06D9A8EC-6FDB-49B5-BBFF-DAF7776F71AF} = 195.67.199.33,195.67.199.34

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-02-04 15:05:22

Windows 5.1.2600 Service Pack 3 NTFS

scannen van verborgen processen ...

scannen van verborgen autostart items ...

scannen van verborgen bestanden ...

Scan succesvol afgerond

verborgen bestanden: 0

**************************************************************************

.

--------------------- VERGRENDELDE REGISTER SLEUTELS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\ؕ


  • Root Admin

STEP 1

Download but do not yet run ComboFix

If you have a previous version of Combofix.exe, delete it and download a fresh copy.

Download it to your DESKTOP - it MUST run from the Desktop

download.bleepingcomputer.com/sUBs/ComboFix.exe

subs.geekstogo.com/ComboFix.exe

Using your mouse, Highlight and then Right-click | Copy the entire contents of the Code box below, including blank lines

KILLALL::

Regnull::

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\ؕ


It took me more than 2 hours, but I finally got it. Here are the ComboFix, SDFix, MBAM and HJT logs in that order.

ComboFix 09-02-04.04 - Igo 2009-02-05 15:16:05.3 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1043.18.1023.651 [GMT 1:00]

Gestart vanuit: c:\documents and settings\Igo\Bureaublad\ComboFix.exe

gebruikte Opdracht switches :: c:\documents and settings\Igo\Bureaublad\CFscript.txt

AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)

* Nieuw herstelpunt werd aangemaakt

.

(((((((((((((((((((( Bestanden Gemaakt van 2009-01-05 to 2009-02-05 ))))))))))))))))))))))))))))))

.

2009-01-31 14:14 . 2009-01-31 14:14 250 --a------ c:\windows\gmer.ini

2009-01-25 13:30 . 2009-01-25 13:30 <DIR> d-------- c:\program files\Trend Micro

2009-01-24 22:31 . 2009-01-24 22:31 10 --a------ c:\windows\VDFN.bkm

2009-01-21 15:51 . 2009-01-21 15:51 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2009-01-21 15:51 . 2009-01-21 15:51 <DIR> d-------- c:\documents and settings\Igo\Application Data\Malwarebytes

2009-01-21 15:51 . 2009-01-21 15:51 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-01-21 15:51 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2009-01-21 15:51 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2009-01-20 21:29 . 2009-01-20 21:29 <DIR> d-------- c:\program files\Avira

2009-01-20 21:29 . 2009-01-20 21:29 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira

2009-01-20 18:22 . 2009-01-20 18:22 <DIR> d-------- c:\documents and settings\Igo\Application Data\dvdcss

2009-01-16 16:48 . 2009-01-16 16:48 <DIR> d-------- c:\program files\iPod

2009-01-16 16:47 . 2009-01-16 16:49 <DIR> d-------- c:\program files\iTunes

2009-01-16 16:47 . 2009-01-16 16:49 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}

2009-01-16 16:34 . 2009-01-16 16:36 <DIR> d-------- c:\program files\QuickTime

2009-01-16 16:28 . 2009-01-16 16:28 <DIR> d-------- c:\program files\Apple Software Update

2009-01-16 16:26 . 2009-01-16 16:48 <DIR> d-------- c:\program files\Common Files\Apple

2009-01-16 16:26 . 2009-01-16 16:26 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple

.

((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-02-05 14:29 --------- d-----w c:\documents and settings\Igo\Application Data\Skype

2009-02-05 13:38 --------- d-----w c:\documents and settings\Igo\Application Data\skypePM

2009-01-29 12:48 --------- d-----w c:\program files\ESET

2009-01-16 15:39 --------- d-----w c:\program files\Bonjour

2009-01-16 13:57 --------- d-----w c:\program files\Google

2008-12-27 18:42 --------- d--h--w c:\program files\InstallShield Installation Information

2008-12-19 21:44 410,984 ----a-w c:\windows\system32\deploytk.dll

2008-12-19 21:44 --------- d-----w c:\program files\Java

2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys

2008-09-15 10:15 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\Geschiedenis\History.IE5\MSHist012008091520080916\index.dat

.

((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-11-08 68856]

"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]

"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-11-07 21633320]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-19 136600]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-06-10 339968]

"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="c:\program files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe" [2005-07-15 479232]

"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-03-20 213936]

"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]

"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 c:\windows\system32\bthprops.cpl]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"vidc.I420"= i420vfw.dll

"SENTINEL"= snti386.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^Adobe Reader Speed Launch.lnk]

path=c:\documents and settings\All Users\Menu Start\Programma's\Opstarten\Adobe Reader Speed Launch.lnk

backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^HP Digital Imaging Monitor.lnk]

path=c:\documents and settings\All Users\Menu Start\Programma's\Opstarten\HP Digital Imaging Monitor.lnk

backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Igo^Menu Start^Programma's^Opstarten^hamachi.lnk]

path=c:\documents and settings\Igo\Menu Start\Programma's\Opstarten\hamachi.lnk

backup=c:\windows\pss\hamachi.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Igo^Menu Start^Programma's^Opstarten^Webshots.lnk]

path=c:\documents and settings\Igo\Menu Start\Programma's\Opstarten\Webshots.lnk

backup=c:\windows\pss\Webshots.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

--a------ 2008-10-15 01:04 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]

--a------ 2007-05-16 09:27 153136 c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]

--a------ 2006-09-14 21:09 157592 c:\program files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]

--a------ 2006-11-13 17:34 1289000 c:\program files\Microsoft ActiveSync\wcescomm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]

--a------ 2005-05-11 22:12 49152 c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

--a------ 2008-11-20 13:20 290088 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

--a------ 2008-04-14 18:03 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

--a--c--- 2007-03-01 15:57 153136 c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\POEngine]

--a------ 2007-02-22 16:17 475136 c:\program files\PokerOffice\POEngine.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

--a------ 2008-11-04 10:30 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpriteService]

--a------ 2006-11-03 10:19 544768 c:\program files\Sprite Software\Sprite Backup\SpriteService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]

--a------ 2007-03-14 15:52 3770024 c:\program files\TomTom HOME\TomTomHOME.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\PokerOffice\\bin\\javaw.exe"=

"c:\\Program Files\\InterVideo\\DVD8\\WinDVD.exe"=

"c:\\Program Files\\Hamachi\\hamachi.exe"=

"c:\\Program Files\\SopCast\\SopCast.exe"=

"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=

"c:\\Program Files\\Graphisoft\\ArchiCAD 11\\ArchiCAD.exe"=

"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager

"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager

"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

"c:\\Program Files\\Sprite Software\\Sprite Backup\\SpriteService.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{25661222-d642-11dc-b399-0012f04e9cf4}]

\Shell\AutoRun\command - G:\LaunchU3.exe -a

.

Contents of the 'Scheduled Tasks' folder

2009-02-02 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://icanhascheezburger.com/

uInternet Settings,ProxyOverride = *.local

IE: E&xporteren naar Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

IE: Post Image to Blog - c:\program files\ImageShackToolbar\ImageShackToolbar.dll/5003

IE: Tag This Image - c:\program files\ImageShackToolbar\ImageShackToolbar.dll/5002

IE: Transload Image to ImageShack - c:\program files\ImageShackToolbar\ImageShackToolbar.dll/5004

IE: Upload All Images to ImageShack - c:\program files\ImageShackToolbar\ImageShackToolbar.dll/5000

IE: Upload Image to ImageShack - c:\program files\ImageShackToolbar\ImageShackToolbar.dll/5001

Trusted Zone: hanze.nl

TCP: {06D9A8EC-6FDB-49B5-BBFF-DAF7776F71AF} = 195.67.199.33,195.67.199.34

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-02-05 15:26:52

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\ؕ


  • Root Admin

Please run this one more time. There is a key that has null values in it which prevents normal Windows applications from reading it.

I want to remove that if we can.

STEP 1

You may have corrupted files on your disk. Please try running the following.

First close ALL Applications as this routine will automatically restart your computer.

Click on START - RUN and copy / paste the following entry into the box and click OK

CMD /C ECHO Y|CHKDSK C: /F | SHUTDOWN /R /T 30

STEP 2

Download but do not yet run ComboFix

If you have a previous version of Combofix.exe, delete it and download a fresh copy.

Download it to your DESKTOP - it MUST run from the Desktop

download.bleepingcomputer.com/sUBs/ComboFix.exe

subs.geekstogo.com/ComboFix.exe

Using your mouse, highlight and then right-click | Copy the entire contents of the Code box below, including blank lines

KILLALL::

RegLock::

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\ؕ
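The locked key above is the kind of thing the Root Admin describes: a key whose name contains embedded NUL characters. Win32 registry calls (RegOpenKeyEx, RegEnumKeyEx) pass NUL-terminated strings, so they stop at the first NUL and cannot address the real key, whereas the kernel stores and compares counted-length names. One way to find such keys without going through the Win32 API is to carve the key records out of an offline copy of the hive. The Python below is an added example, not part of the original post and not ComboFix's own code: it walks the hbin/cell layout of a REGF hive file (the format of SOFTWARE, SYSTEM and friends, e.g. one saved with `reg save HKLM\SOFTWARE software.hiv`), pulls out every allocated `nk` record by signature rather than by following the subkey tree, and reports names that contain a NUL alongside the truncated name a Win32 caller would see. The sample hive and its key names (`Components`, `\x00hidden`, `Norm\x00al`, `Legit`) are constructed inline for illustration; the REGF field offsets are the documented ones.

```python
"""Carve 'nk' (key) records out of an offline Windows registry hive and flag
key names that contain embedded NUL characters.

Added example, not part of the original forum post or of ComboFix. The sample
hive at the bottom is constructed inline so the script runs offline; its key
names are made up for illustration.
"""
import struct
from typing import Iterator, List, NamedTuple

REGF_HEADER_SIZE = 4096      # fixed-size base block before the first hbin
HBIN_HEADER_SIZE = 32
KEY_COMP_NAME = 0x0020       # nk flag: name stored as 8-bit (Latin-1), else UTF-16LE


class KeyRecord(NamedTuple):
    offset: int   # absolute file offset of the cell
    flags: int
    name: str     # full counted-length name, exactly as the kernel sees it


def parse_nk(hive: bytes, data: int) -> KeyRecord:
    """Decode one nk record whose data (bytes after the 4-byte cell size) starts at `data`."""
    flags = struct.unpack_from("<H", hive, data + 0x02)[0]
    name_len = struct.unpack_from("<H", hive, data + 0x48)[0]      # byte count, not char count
    raw = hive[data + 0x4C: data + 0x4C + name_len]
    name = raw.decode("latin-1") if flags & KEY_COMP_NAME else raw.decode("utf-16-le", "replace")
    return KeyRecord(data - 4, flags, name)


def carve_nk_cells(hive: bytes) -> Iterator[KeyRecord]:
    """Visit every allocated cell in every hbin and yield nk records by signature.
    No subkey-list walking, so keys that are unlinked or unreadable via Win32 still show up."""
    if hive[:4] != b"regf":
        raise ValueError("not a REGF hive")
    pos = REGF_HEADER_SIZE
    while pos + HBIN_HEADER_SIZE <= len(hive) and hive[pos:pos + 4] == b"hbin":
        bin_size = struct.unpack_from("<I", hive, pos + 8)[0]
        if bin_size == 0 or bin_size % 4096:
            break
        end, cell = pos + bin_size, pos + HBIN_HEADER_SIZE
        while cell + 4 <= end:
            size_field = struct.unpack_from("<i", hive, cell)[0]   # negative = allocated cell
            size = abs(size_field)
            if size < 8 or cell + size > end:
                break
            if size_field < 0 and hive[cell + 4:cell + 6] == b"nk" and size >= 4 + 0x4C:
                yield parse_nk(hive, cell + 4)
            cell += size
        pos = end


def win32_visible_name(name: str) -> str:
    """What a NUL-terminated API such as RegEnumKeyEx would hand back for this name."""
    return name.split("\x00", 1)[0]


def find_null_named_keys(hive: bytes) -> List[KeyRecord]:
    return [k for k in carve_nk_cells(hive) if "\x00" in k.name]


# ---- constructed sample hive (not a hive from the machine in this thread) ----
def _cell(payload: bytes) -> bytes:
    size = (4 + len(payload) + 7) & ~7           # cells are 8-byte aligned
    return struct.pack("<i", -size) + payload.ljust(size - 4, b"\x00")


def _nk(name: str, compressed: bool = True) -> bytes:
    raw = name.encode("latin-1") if compressed else name.encode("utf-16-le")
    flags = KEY_COMP_NAME if compressed else 0
    return _cell(b"nk" + struct.pack("<H", flags) + b"\x00" * (0x48 - 4)
                 + struct.pack("<HH", len(raw), 0) + raw)


def build_sample_hive() -> bytes:
    cells = (_nk("Components") + _cell(b"vk" + b"\x00" * 18)      # a value cell, must be skipped
             + _nk("\x00hidden", compressed=False) + _nk("Norm\x00al") + _nk("Legit"))
    free = 4096 - HBIN_HEADER_SIZE - len(cells)                  # trailing free cell (positive size)
    hbin = (b"hbin" + struct.pack("<II", 0, 4096) + b"\x00" * 20
            + cells + struct.pack("<i", free) + b"\x00" * (free - 4))
    return b"regf".ljust(REGF_HEADER_SIZE, b"\x00") + hbin


if __name__ == "__main__":
    hive = build_sample_hive()   # for a real hive: open("software.hiv", "rb").read()
    for key in find_null_named_keys(hive):
        print(f"offset 0x{key.offset:x}: {key.name!r} (Win32 callers see {win32_visible_name(key.name)!r})")
```

Carving by signature is deliberate: a key that regedit cannot open is often still perfectly well formed on disk, and the tree walk would only reach it through the same names Win32 mishandles. Deleting such a key on a live system needs a tool that talks to the native (counted-string) registry API, which is what the RegLock:: directive in the ComboFix script above is for.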
