Win32/Alman.NAB / W32/Almanahe.B virus on external harddrive

[Igo]

Ok, here's the ComboFix log:

ComboFix 09-02-05.02 - Igo 2009-02-06 12:12:35.4 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1043.18.1023.631 [GMT 1:00]

Gestart vanuit: c:\documents and settings\Igo\Bureaublad\ComboFix.exe

gebruikte Opdracht switches :: c:\documents and settings\Igo\Bureaublad\CFscript.txt

AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)

* Nieuw herstelpunt werd aangemaakt

.

(((((((((((((((((((( Bestanden Gemaakt van 2009-01-06 to 2009-02-06 ))))))))))))))))))))))))))))))

.

2009-02-05 15:53 . 2009-02-05 15:53 580,096 --a--c--- c:\windows\system32\dllcache\user32.dll

2009-02-05 15:45 . 2009-02-05 15:46 <DIR> d-------- c:\windows\ERUNT

2009-01-31 14:14 . 2009-01-31 14:14 250 --a------ c:\windows\gmer.ini

2009-01-25 13:30 . 2009-01-25 13:30 <DIR> d-------- c:\program files\Trend Micro

2009-01-24 22:31 . 2009-01-24 22:31 10 --a------ c:\windows\VDFN.bkm

2009-01-21 15:51 . 2009-01-21 15:51 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2009-01-21 15:51 . 2009-01-21 15:51 <DIR> d-------- c:\documents and settings\Igo\Application Data\Malwarebytes

2009-01-21 15:51 . 2009-01-21 15:51 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-01-21 15:51 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2009-01-21 15:51 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2009-01-20 21:29 . 2009-01-20 21:29 <DIR> d-------- c:\program files\Avira

2009-01-20 21:29 . 2009-01-20 21:29 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira

2009-01-20 18:22 . 2009-01-20 18:22 <DIR> d-------- c:\documents and settings\Igo\Application Data\dvdcss

2009-01-16 16:48 . 2009-01-16 16:48 <DIR> d-------- c:\program files\iPod

2009-01-16 16:47 . 2009-01-16 16:49 <DIR> d-------- c:\program files\iTunes

2009-01-16 16:47 . 2009-01-16 16:49 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}

2009-01-16 16:34 . 2009-01-16 16:36 <DIR> d-------- c:\program files\QuickTime

2009-01-16 16:28 . 2009-01-16 16:28 <DIR> d-------- c:\program files\Apple Software Update

2009-01-16 16:26 . 2009-01-16 16:48 <DIR> d-------- c:\program files\Common Files\Apple

2009-01-16 16:26 . 2009-01-16 16:26 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple

.

((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-02-06 11:08 --------- d-----w c:\documents and settings\Igo\Application Data\Skype

2009-02-06 08:45 --------- d-----w c:\documents and settings\Igo\Application Data\skypePM

2009-01-29 12:48 --------- d-----w c:\program files\ESET

2009-01-16 15:39 --------- d-----w c:\program files\Bonjour

2009-01-16 13:57 --------- d-----w c:\program files\Google

2008-12-27 18:42 --------- d--h--w c:\program files\InstallShield Installation Information

2008-12-19 21:44 410,984 ----a-w c:\windows\system32\deploytk.dll

2008-12-19 21:44 --------- d-----w c:\program files\Java

2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys

2008-09-15 10:15 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\Geschiedenis\History.IE5\MSHist012008091520080916\index.dat

.

((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-11-08 68856]

"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]

"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-11-07 21633320]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-19 136600]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-06-10 339968]

"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="c:\program files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe" [2005-07-15 479232]

"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-03-20 213936]

"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]

"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 c:\windows\system32\bthprops.cpl]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"vidc.I420"= i420vfw.dll

"SENTINEL"= snti386.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^Adobe Reader Speed Launch.lnk]

path=c:\documents and settings\All Users\Menu Start\Programma's\Opstarten\Adobe Reader Speed Launch.lnk

backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^HP Digital Imaging Monitor.lnk]

path=c:\documents and settings\All Users\Menu Start\Programma's\Opstarten\HP Digital Imaging Monitor.lnk

backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Igo^Menu Start^Programma's^Opstarten^hamachi.lnk]

path=c:\documents and settings\Igo\Menu Start\Programma's\Opstarten\hamachi.lnk

backup=c:\windows\pss\hamachi.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Igo^Menu Start^Programma's^Opstarten^Webshots.lnk]

path=c:\documents and settings\Igo\Menu Start\Programma's\Opstarten\Webshots.lnk

backup=c:\windows\pss\Webshots.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

--a------ 2008-10-15 01:04 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]

--a------ 2007-05-16 09:27 153136 c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]

--a------ 2006-09-14 21:09 157592 c:\program files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]

--a------ 2006-11-13 17:34 1289000 c:\program files\Microsoft ActiveSync\wcescomm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]

--a------ 2005-05-11 22:12 49152 c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

--a------ 2008-11-20 13:20 290088 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

--a------ 2008-04-14 18:03 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

--a--c--- 2007-03-01 15:57 153136 c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\POEngine]

--a------ 2007-02-22 16:17 475136 c:\program files\PokerOffice\POEngine.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

--a------ 2008-11-04 10:30 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpriteService]

--a------ 2006-11-03 10:19 544768 c:\program files\Sprite Software\Sprite Backup\SpriteService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]

--a------ 2007-03-14 15:52 3770024 c:\program files\TomTom HOME\TomTomHOME.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\PokerOffice\\bin\\javaw.exe"=

"c:\\Program Files\\InterVideo\\DVD8\\WinDVD.exe"=

"c:\\Program Files\\Hamachi\\hamachi.exe"=

"c:\\Program Files\\SopCast\\SopCast.exe"=

"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=

"c:\\Program Files\\Graphisoft\\ArchiCAD 11\\ArchiCAD.exe"=

"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager

"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager

"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

"c:\\Program Files\\Sprite Software\\Sprite Backup\\SpriteService.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{25661222-d642-11dc-b399-0012f04e9cf4}]

\Shell\AutoRun\command - G:\LaunchU3.exe -a

.

Inhoud van de 'Gedeelde Taken' map

2009-02-02 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

.

.

------- Bijkomende Scan -------

.

uStart Page = hxxp://icanhascheezburger.com/

uInternet Settings,ProxyOverride = *.local

IE: E&xporteren naar Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

IE: Post Image to Blog - c:\program files\ImageShackToolbar\ImageShackToolbar.dll/5003

IE: Tag This Image - c:\program files\ImageShackToolbar\ImageShackToolbar.dll/5002

IE: Transload Image to ImageShack - c:\program files\ImageShackToolbar\ImageShackToolbar.dll/5004

IE: Upload All Images to ImageShack - c:\program files\ImageShackToolbar\ImageShackToolbar.dll/5000

IE: Upload Image to ImageShack - c:\program files\ImageShackToolbar\ImageShackToolbar.dll/5001

Trusted Zone: hanze.nl

TCP: {06D9A8EC-6FDB-49B5-BBFF-DAF7776F71AF} = 195.67.199.33,195.67.199.34

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-02-06 12:23:52

Windows 5.1.2600 Service Pack 3 NTFS

scannen van verborgen processen ...

scannen van verborgen autostart items ...

scannen van verborgen bestanden ...

Scan succesvol afgerond

verborgen bestanden: 0

**************************************************************************

.

--------------------- VERGRENDELDE REGISTER SLEUTELS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\ؕ

[AdvancedSetup]

Okay the logs look pretty good now.

How is the system running?

Are there still any signs of an infection?

You might want to go ahead have another scan done using another Anti-Virus product. Please give this a run and let me know if it finds anything or not.

Download to the desktop: Dr.Web CureIt

• Doubleclick the drweb-cureit.exe file and Allow to run the express scan
  
• This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  
• Once the short scan has finished, Click Options > Change settings
  
• Choose the "Scan"-tab, remove the mark at "Heuristic analysis".
  
• Back at the main window, mark the drives that you want to scan.
  
• Select all drives. A red dot shows which drives have been chosen.
  
• Click the green arrow at the right, and the scan will start.
  
• Click 'Yes to all' if it asks if you want to cure/move the file.
  
• When the scan has finished, look if you can click next icon next to the files found:
  
  If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:
  
  This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (this in case if we need samples)
  
• After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  
• Save the report to your desktop. The report will be called DrWeb.csv
  
• Close Dr.Web Cureit.
  
• Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
  
• After reboot, post the contents of the log from Dr.Web you saved previously in your next reply with a new hijackthis log.
  

[Igo]

The system is running ok and actually I haven't had problems in over a week now. I haven't had any signs of infection, but when I did the scan with DrWeb, it showed something on my external drive, but ones that I had not seen before.

Anyway, I added the log and also a HJT log.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 12:24:47, on 10-2-2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\WINDOWS\system32\slserv.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe

C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Microsoft ActiveSync\wcescomm.exe

C:\PROGRA~1\MICROS~3\rapimgr.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Skype\Plugin Manager\skypePM.exe

C:\Program Files\Windows Live\Messenger\usnsvc.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://*.hanze.nl

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab

O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab56986.cab

O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab

O16 - DPF: {6932D140-ABC4-4073-A44C-D4A541665E35} (ImageShack Toolbar) - http://toolbar.imageshack.us/toolbar/ImageShackToolbar.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1193509625803

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O16 - DPF: {EDFCB7CB-942C-4822-AF14-F0B687409848} (Image Uploader Control) - http://www.shareyourstory.nl/picuploader/ImageUploader4.cab

O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100

O17 - HKLM\System\CCS\Services\Tcpip\..\{06D9A8EC-6FDB-49B5-BBFF-DAF7776F71AF}: NameServer = 195.67.199.33,195.67.199.34

O17 - HKLM\System\CS1\Services\Tcpip\..\{06D9A8EC-6FDB-49B5-BBFF-DAF7776F71AF}: NameServer = 195.67.199.33,195.67.199.34

O17 - HKLM\System\CS3\Services\Tcpip\..\{06D9A8EC-6FDB-49B5-BBFF-DAF7776F71AF}: NameServer = 195.67.199.33,195.67.199.34

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

O23 - Service: Mobiel Apple apparaat (Apple Mobile Device) - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe

O23 - Service: Bonjour-service (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: iPod-service (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

--

End of file - 11352 bytes

[AdvancedSetup]

Okay then all looks good. If you need the latest Java.

Download and Update Java Runtime

The most current version of Sun Java is: Java Runtime Environment (JRE) 6 Update 12.

• Go to http://java.sun.com/javase/downloads/index.jsp
• Go to Java Runtime Environment (JRE) 6 Update 12 about half way down the page and click on the Download button.
  
• In Platform box choose Windows.
  
• Check the box to Accept License Agreement and click Continue.
  
• Click on Windows Offline Installation, click on the link under it which says jre-6u12-windows-i586-p.exe and save the downloaded file to your desktop.
  
• Install the new version by running the newly-downloaded file with the java icon which will be on your desktop, and follow the on-screen instructions.
  
• Uncheck the Toolbar button (unless you want the toolbar)
  
• Reboot your computer
  

Great, all looks good now.

I'll close your post soon so that other don't post into it and leave you with this information and suggestions.

So how did I get infected in the first place?

At this time your system appears to be clean. Nothing else in the logs indicates that you are still infected.

Now that you appear to be clean, please follow these simple steps in order to keep your computer clean and secure:

Disable and Enable System Restore-WINDOWS XP

This is a good time to clear your existing system restore points and establish a new clean restore point:

Turn off System Restore

• On the Desktop, right-click My Computer.
• Click Properties.
  
  
• Click the System Restore tab.
  
  
• Check Turn off System Restore.
  
  
• Click Apply, and then click OK.
  
  
• Reboot.
  
  

Turn ON System Restore

• On the Desktop, right-click My Computer.
• Click Properties.
  
  
• Click the System Restore tab.
  
  
• UN-Check *Turn off System Restore*.
  
  
• Click Apply, and then click OK.
  
  

This will remove all restore points except the new one you just created.

Here are some free programs I recommend that could help you improve your computer's security.

Install SpyWare Blaster

Download it from

here

Find here the tutorial on how to use Spyware Blaster

here

Install WinPatrol

Download it from

here

Here you can find information about how WinPatrol works

here

Install FireTrust SiteHound

You can find information and download it from

here

Install hpHosts

Download it from

here

hpHosts is a community managed and maintained hosts file that allows an additional layer of protection against access to ad,

tracking and malicious websites. This prevents your computer from connecting to these untrusted sites

by redirecting them to 127.0.0.1 which is your own local computer.

hpHosts Support Forum

Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.

You can use one of these sites to check if any updates are needed for your pc.

Secunia Software Inspector

F-secure Health Check

Visit Microsoft often to get the latest updates for your computer.

http://www.update.microsoft.com

Note 1:

If you are running Windows XP

SP2

, you should upgrade to

SP3

.

Note 2:

Users of Norton Internet Security 2008 should uninstall the software before they install Service Pack 3.

The security suite can then be reinstalled afterwards.

The windows firewall is not sufficient to protect your system. It doesn't monitor outgoing traffic and this is a must.

I recommend

Online Armor Free

A little outdated but good reading on

how to prevent Malware

Keep safe online and happy surfing.

Since this issue is resolved I will close the thread to prevent others from posting into it. If you need assistance please start your own topic and someone will be happy to assist you.

The fixes and advice in this thread are for this machine only. Do not apply to your machine unless you

Fully Understand

how these programs work and what you're doing. Please start a thread of your own and someone will be happy to help you, just follow the Pre-Hijackthis instructions found here before posting

Pre- HJT Post Instructions

Also don't forget that we offer

FREE

assistance with General PC questions and repair here

PC Help

If you're pleased with the product

Malwarebytes

and the service provided you, please let your friends, family, and co-workers know.

http://www.malwarebytes.org

[Igo]

I'm glad things are ok now. I want to thank you very much for your help and I hope I can use it again if I have any problems in the future. I only got one question left: what kind of anti-virus software do you recommend? I have used NOD32 for a while and it worked good, until I encountered the virus. After that I used Avira Antivir, but I'm not so happy with that either. Do you have any suggestions to what would be good software?

I forgot the DrWeb log:

SHELEXEC.EXE F:\Newsleecher Downloads\!RnE - 2009.01.28 19.08.54 - ISO NPR NEN Normen\NEN 1010 [2005 HTML versie] Win32.Alman.1 Gerepareerd.

SHELEXEC.EXE F:\Newsleecher Downloads\!RnE - 2009.01.28 19.08.54 - ISO NPR NEN Normen\NEN 5152 [2004] Win32.Alman.1 Gerepareerd.

Kompldwg.exe F:\Newsleecher Downloads\!RnE - 2009.01.28 19.08.54 - ISO NPR NEN Normen\NEN 5152 [2004]\5152\Overige Win32.Alman.1 Gerepareerd.

SDFix.exe\SDFix\apps\Process.exe C:\Documents and Settings\Igo\Bureaublad\SDFix.exe Tool.Prockill

SDFix.exe C:\Documents and Settings\Igo\Bureaublad Archief bevat ge

[AdvancedSetup]

NOD32 is pretty good AV software. There is NO product out there that on any given day is going to protect you from everything.

Avira isn't too bad for a freebie, but NOD32 is better I'd think. The bigger guys like McAfee, Symantec are so bloated and problematic that I don't recommend them.