
Skype infection?



Hi All,

Yesterday I had this strange call on Skype from someone with "..............." as a name. I decided to answer but didn't hear anything. I hung up after about 10 seconds.

I kept playing my game and shutdown my pc after.

The next boot I noticed my login screen for Windows was bypassed. Normally I need to select my profile to log in, but that wasn't necessary anymore. I found that suspicious enough to download Process Explorer and found that a process "Explorer.exe" was making registry changes, and in netstat I found communication to a domain named ********.your-server.de

Everything was suspicious to me, but anti-malware tools including Malwarebytes and online scans of the files had no results. Today however I noticed something very weird and found the file responsible. Please see the attached screenshot for what I found and the message I got.

So it seems like an infection through skype (unconfirmed but it was a weird call) with some homecalling malware.

Can anybody tell me how I proceed?

P.S. I run this XP image as a Boot Camp partition on my Mac but ALSO as a virtual machine in OS X. Physically the same image.

[attached screenshot: post-111496-0-18106900-1335660907.png]


Hello patjed and :welcome:! My name is Maniac and I will be glad to help you solve your malware problem.

Please note:

  • If you are a paying customer, you have the privilege to contact the help desk at support@malwarebytes.org or here (http://helpdesk.malwarebytes.org/home). If you choose this option to get help, please let me know.
  • I recommend that you keep the instructions I will be giving you so that they are available to you at any time. You can save them in a text file or print them.
  • Make sure you read all of the instructions and fixes thoroughly before continuing with them.
  • Follow my instructions strictly and don’t hesitate to stop and ask me if you have any questions.
  • Post your log files, don't attach them. Every log file should be copy/pasted in your next reply.

Please follow the instructions here:

http://forums.malwarebytes.org/index.php?showtopic=9573

Post both log files in your next reply.


I have no idea what is happening to you. I can't tell you. Try this:

Download OTL to your Desktop

  • Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
  • Please tick Scan All Users. Next, click the Quick Scan button. The scan won't take long.
  • When the scan completes, it will open two Notepad windows: OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them in your topic.


Hi Maniac,

In the end dds.scr did work on my virtual machine. Some of the behaviour I see occurring on my machine:

- resolving 4 specific hosts

- doing a version check /ver/ajax.php

- posting encrypted data to the 4 specific hosts to /g.php

I am a bit hesitant to post the attach.log file because it shows a lot about my system's configuration; please let me know if you really need it.

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.6001.18702  BrowserJavaVersion: 1.6.0_18

Run by Dittie at 16:30:41 on 2012-05-01

Microsoft Windows XP Professional  5.1.2600.3.1252.31.1043.18.2815.2217 [GMT 2:00]

.

FW: Privatefirewall *Enabled*

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\Program Files\Juniper Networks\Odyssey Access Client\odClientService.exe

C:\Program Files\Privacyware\Privatefirewall 7.0\pfsvc.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\WINDOWS\system32\AppleOSSMgr.exe

C:\WINDOWS\system32\AppleTimeSrv.exe

svchost.exe

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Juniper Networks\JUNS\dsAccessService.exe

C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\Parallels\Parallels Tools\Services\coherence.exe

C:\Program Files\Parallels\Parallels Tools\Services\prl_tools_service.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\Program Files\Parallels\Parallels Tools\Services\prl_tools.exe

C:\Program Files\Silk\Shared Files\SgLauncher\sgLauncher.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe

C:\WINDOWS\system32\vmnat.exe

c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Program Files\VMware\VMware Player\vmware-authd.exe

C:\WINDOWS\system32\vmnetdhcp.exe

c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\VMware\VMware Player\hqtray.exe

C:\Program Files\Parallels\Parallels Tools\SIA\SharedIntApp.exe

C:\Program Files\Parallels\Parallels Tools\prl_cc.exe

C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\DAEMON Tools Lite\DTLite.exe

C:\Program Files\TechSmith\Snagit 9\Snagit32.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\TechSmith\Snagit 9\TSCHelp.exe

C:\Program Files\TechSmith\Snagit 9\SnagPriv.exe

C:\Program Files\TechSmith\Snagit 9\snagiteditor.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Privacyware\Privatefirewall 7.0\PFGUI.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = about:blank

uInternet Settings,ProxyServer =

uInternet Settings,ProxyOverride = <local>

BHO: SnagIt Toolbar Loader: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\techsmith\snagit 9\SnagitBHO.dll

BHO: BHOManager Class: {474264bc-9571-47c1-85b9-780f756dc9ce} - c:\windows\system32\BHOManager.dll

BHO: dynaTrace AJAX Edition Agent: {54ccf170-0056-48d1-b959-055c5b98dc88} - c:\program files\dynatrace\dynatrace ajax edition 3.4\client\lib\dtieagent.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: Snagit: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 9\SnagitIEAddin.dll

TB: dynaTrace AJAX Edition Toolbar: {42ec68ef-4494-4041-9993-a5789bf7750b} - c:\program files\dynatrace\dynatrace ajax edition 3.4\client\lib\dtieagent.dll

TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File

EB: MySpace.MSFast.SysImpl.Win32.InternetExplorer.MSFastBrowserBand: {aae91b90-296a-471e-9926-2d4505f8ef5b} - mscoree.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [PlayNC Launcher]

uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\DTLite.exe" -autorun

uRun: [ukotyhtyt] "c:\documents and settings\dittie\application data\axaxfo\udwo.exe"

mRun: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

mRun: [<NO NAME>]

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet

mRun: [VMware hqtray] "c:\program files\vmware\vmware player\hqtray.exe"

mRun: [amd_dc_opt] c:\program files\amd\dual-core optimizer\amd_dc_opt.exe

mRun: [Parallels Shared Internet Applications] "c:\program files\parallels\parallels tools\sia\SharedIntApp.exe" /start

mRun: [Parallels Tools Center] "c:\program files\parallels\parallels tools\prl_cc.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [XboxStat] "c:\program files\microsoft xbox 360 accessories\XboxStat.exe" silentrun

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

mRun: [Privatefirewall] c:\program files\privacyware\privatefirewall 7.0\PFGUI.exe

StartupFolder: c:\docume~1\dittie\menust~1\progra~1\opstar~1\dropbox.lnk - c:\documents and settings\dittie\application data\dropbox\bin\Dropbox.exe

StartupFolder: c:\docume~1\alluse~1\menust~1\progra~1\opstar~1\snagit~1.lnk - c:\program files\techsmith\snagit 9\Snagit32.exe

StartupFolder: c:\docume~1\alluse~1\menust~1\progra~1\opstar~1\vpncli~1.lnk - c:\windows\installer\{176130bc-99a1-41fe-a78b-56045e33ad70}\Icon3E5562ED7.ico

mPolicies-explorer: EnableShellExecuteHooks = 1 (0x1)

IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe

IE: {725EC34E-943C-4df6-B0B2-FBDE7F242276} - c:\documents and settings\dittie\bureaublad\PartyPoker.fr.lnk

IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\documents and settings\dittie\bureaublad\PartyPoker.lnk

IE: {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "c:\program files\fiddler2\Fiddler.exe"

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\ssv.dll

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\mi1933~1\office12\ONBttnIE.dll

IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL

IE: {AAE91B90-296A-471e-9926-2D4505F8EF5A} - {AAE91B90-296A-471e-9926-2D4505F8EF5B} - mscoree.dll

LSP: c:\program files\vmware\vmware player\vsocklib.dll

DPF: {00B28243-126B-4FFF-B346-6C3176E8296B} - hxxp://sonar.cwinet.nl:8080/epublicsector_nld/19221/applets/SiebelAx_Calendar.cab

DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab

DPF: {3605B612-C3CF-4AB4-A426-2D853391DB2E} - hxxp://www.ycenter.nl/qcbin/capicom.dll

DPF: {41564D57-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/A/9/0A9F8B32-9F8C-4D74-A130-E4CAB36EB01F/wmvadvd.cab

DPF: {41EF3CD2-D8CC-4438-84B1-280BB4E77C8E} - hxxps://sslnl.vanoord.com/vdesk/terminal/f5tunsrv.cab#version=7000,2011,104,2309

DPF: {45B69029-F3AB-4204-92DE-D5140C3E8E74} - hxxps://sslnl.vanoord.com/vdesk/terminal/InstallerControl.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1309616397827

DPF: {6B1EF694-7BCC-4B68-A872-B9F033940922} - hxxp://localhost:20790/i3/Shared/cab/APMFiles_V8.CAB

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1309616389124

DPF: {784797A8-342D-4072-9486-03C8D0F2F0A1} - hxxps://www.battlefieldheroes.com/static/updater/BFHUpdater_5.0.127.0.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

DPF: {BE166F56-3D04-4E4A-8782-B898BCE3C426} - hxxp://xc001wec:20790/i3/Shared/cab/APMFiles.CAB

DPF: {CAFECAFE-0013-0001-0013-ABCDEFABCDEF}

DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

DPF: {D8AC8CB7-7EF3-4B76-83BF-0008C9D38A9F} - hxxp://sonar.cwinet.nl:8080/epublicsector_nld/19221/applets/SiebelAx_Gantt_Chart.cab

DPF: {DE2C7216-C882-400E-BB47-EBB90237CAD1} - hxxp://sonar.cwinet.nl:8080/epublicsector_nld/19221/applets/SiebelAx_HI_Client.cab

DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://precise.webex.com/client/T26L/webex/ieatgpc.cab

DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} - hxxps://sslnl.vanoord.com/vdesk/terminal/urxhost.cab#version=7000,2011,124,911

DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://juniper.net/dana-cached/setup/JuniperSetupSP1.cab

DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://juniper.net/dana-cached/sc/JuniperSetupClient.cab

DPF: {FCADE536-93F5-4577-80A3-E7C32FAC4C7D} - hxxp://www.ycenter.nl/qcbin/Spider10.cab

DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=724

TCP: DhcpNameServer = 10.211.55.1

TCP: Interfaces\{0066A990-356F-47EC-9CBC-AC11FDA3F05A} : DhcpNameServer = 10.211.55.1

TCP: Interfaces\{1553E44B-4B3B-4618-A4D4-FD52D0B992DB} : NameServer = 127.0.0.1

TCP: Interfaces\{222E7459-A2A0-4F57-9C42-FF0408F28EC6} : NameServer = 127.0.0.1

TCP: Interfaces\{3450FBC3-D9CA-4DAE-BE45-ADC034DDC591} : NameServer = 127.0.0.1

TCP: Interfaces\{7BAE8FD0-312F-423E-A301-B82213C49B7A} : NameServer = 127.0.0.1

TCP: Interfaces\{808E07B9-0DC9-4DD3-B73D-859B3253953C} : NameServer = 127.0.0.1

TCP: Interfaces\{E5301618-6258-4417-A389-9FA87D530BBB} : NameServer = 127.0.0.1

TCP: Interfaces\{FD14765F-371F-4BE1-96E8-9284BFCD642F} : NameServer = 127.0.0.1

Handler: HTLFP - {03B7A5D4-96B0-4316-95F8-072D326A58F1} -

Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Handler: vfsp - {E4CB5121-E242-11D4-8ED6-00010219EB22} -

Notify: AutorunsDisabled - c:\program files\stardock\mycolors\fastload.dll

Notify: LMIinit - LMIinit.dll

Notify: OdysseyClient - odyEvent.dll

AppInit_DLLs: qaphooks.dll

SEH: ShHook Class: {a5949e07-8536-4625-a3d0-2dd83f559990} - c:\windows\system32\ShellHook.dll

Hosts: 0.0.0.0 .psf

Hosts: 0.0.0.0 psf

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\dittie\application data\mozilla\firefox\profiles\up5iz0qr.default\

FF - prefs.js: network.proxy.ftp - iproxy.office.intern

FF - prefs.js: network.proxy.ftp_port - 8080

FF - prefs.js: network.proxy.gopher - iproxy.office.intern

FF - prefs.js: network.proxy.gopher_port - 8080

FF - prefs.js: network.proxy.http - iproxy.office.intern

FF - prefs.js: network.proxy.http_port - 8080

FF - prefs.js: network.proxy.socks - iproxy.office.intern

FF - prefs.js: network.proxy.socks_port - 8080

FF - prefs.js: network.proxy.ssl - iproxy.office.intern

FF - prefs.js: network.proxy.ssl_port - 8080

FF - prefs.js: network.proxy.type - 0

FF - plugin: c:\documents and settings\dittie\local settings\application data\unity\webplayer\loader\npUnity3D32.dll

FF - plugin: c:\program files\battlelog web plugins\0.80.0\npesnlaunch.dll

FF - plugin: c:\program files\battlelog web plugins\sonar\0.70.0\npesnsonar.dll

FF - plugin: c:\program files\microsoft silverlight\4.1.10111.0\npctrlui.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll

FF - plugin: c:\program files\mozilla firefox\plugins\NPJinit13113.dll

FF - plugin: c:\program files\mozilla firefox\plugins\NPJinit13128.dll

FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll

.

---- FIREFOX POLICIES ----

FF - user.js: network.cookie.cookieBehavior - 0

FF - user.js: privacy.clearOnShutdown.cookies - false

FF - user.js: security.warn_viewing_mixed - false

FF - user.js: security.warn_viewing_mixed.show_once - false

FF - user.js: security.warn_submit_insecure - false

FF - user.js: security.warn_submit_insecure.show_once - false

.

============= SERVICES / DRIVERS ===============

.

R0 odFips;odFips;c:\windows\system32\drivers\odFIPS.sys [2008-2-12 254208]

R0 prl_pv32;prl_pv32;c:\windows\system32\drivers\prl_pv32.sys [2009-6-24 23880]

R0 prl_strg;Parallels paravirt disk filter;c:\windows\system32\drivers\prl_strg.sys [2011-3-25 29640]

R0 prl_tg;Parallels Tool Device;c:\windows\system32\drivers\prl_tg.sys [2009-6-24 24008]

R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [2010-4-22 65584]

R1 prl_boot;Parallels BootCamp Helper;c:\windows\system32\drivers\prl_boot.sys [2011-9-7 38600]

R1 prl_fs;Parallels Shared Folders;c:\windows\system32\drivers\prl_fs.sys [2008-11-8 149448]

R2 AppleOSSMgr;Apple OS Switch Manager;c:\windows\system32\AppleOSSMgr.exe [2009-5-11 136496]

R2 AppleTimeSrv;Apple tijdvoorziening;c:\windows\system32\AppleTimeSrv.exe [2009-5-11 99632]

R2 inpout32;inpout32;c:\windows\system32\drivers\inpout32.sys [2009-11-6 11936]

R2 JuniperAccessService;Juniper Unified Network Service;c:\program files\common files\juniper networks\juns\dsAccessService.exe [2007-12-20 83320]

R2 KeyAgent;KeyAgent;c:\windows\system32\drivers\KeyAgent.sys [2009-11-15 5760]

R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\logmein\x86\LMIGuardianSvc.exe [2010-9-27 374152]

R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2010-5-31 12856]

R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2010-10-21 47640]

R2 MacHALDriver;Mac HAL;c:\windows\system32\drivers\MacHALDriver.sys [2009-5-11 6784]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-2-12 654408]

R2 paldrv;paldrv;c:\windows\system32\pal_drv.sys [2010-4-8 11107]

R2 Parallels Coherence Service;Parallels Coherence Service;c:\program files\parallels\parallels tools\services\coherence.exe [2011-9-7 28488]

R2 Parallels Tools Service;Parallels Tools Service;c:\program files\parallels\parallels tools\services\prl_tools_service.exe [2011-9-7 186696]

R2 PFNet;Privacyware network service;c:\program files\privacyware\privatefirewall 7.0\pfsvc.exe [2012-4-5 374120]

R2 prl_memdev;Parallels Memdev Driver;c:\windows\system32\drivers\prl_memdev.sys [2011-10-30 15176]

R2 prl_time;Parallels Time Synchronization Helper;c:\windows\system32\drivers\prl_time.sys [2011-10-30 15816]

R2 Silk Launcher Service;Silk Launcher Service;c:\program files\silk\shared files\sglauncher\sgLauncher.exe [2012-4-26 2270424]

R2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [2011-3-25 70768]

R2 VMUSBArbService;VMware USB Arbitration Service;c:\program files\common files\vmware\usb\vmware-usbarbitrator.exe [2011-3-25 539248]

R3 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [2011-2-2 218688]

R3 jnprna;Juniper Network Agent Miniport;c:\windows\system32\drivers\jnprna.sys [2007-10-5 390528]

R3 JnprVaMgr;Juniper Networks Virtual Adapter Manager Service;c:\windows\system32\drivers\jnprvamgr.sys [2007-10-5 29312]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-2-12 22344]

R3 prl_eth5;Parallels Ethernet Adapter;c:\windows\system32\drivers\prl_eth5.sys [2009-6-24 18376]

R3 prl_mouf;Parallels Mouse Synchronization Device;c:\windows\system32\drivers\prl_mouf.sys [2009-6-24 16200]

R3 prl_sound;Parallels Audio Controller;c:\windows\system32\drivers\prl_sound.sys [2011-3-25 45896]

R3 prl_va;Parallels Video Adapter;c:\windows\system32\drivers\prl_vamp.sys [2009-6-24 25928]

R3 pwipf6;Privacyware Filter Driver;c:\windows\system32\drivers\pwipf6.sys [2012-5-1 131896]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2012-2-15 158856]

S2 StackTrace;StackTrace;c:\program files\stacktrace\jetty\service\win32\Wrapper.exe [2011-6-17 110592]

S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-4 253088]

S3 applemtm;Apple Multitouch Mouse;c:\windows\system32\drivers\applemtm.sys [2009-6-24 10496]

S3 applemtp;Apple Multitouch;c:\windows\system32\drivers\applemtp.sys [2009-6-24 29696]

S3 EacService;Juniper TNC Endpoint Assessment;c:\program files\common files\juniper networks\tnc client\jTnccService.exe [2008-2-13 116008]

S3 IRRemoteFlt;IR Receiver Filter Driver;c:\windows\system32\drivers\IRFilter.sys [2009-6-24 16512]

S3 KeyMagic;USB Keyboard HID Filter;c:\windows\system32\drivers\KeyMagic.sys [2009-6-24 23552]

S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-6 34064]

S3 pgsql-8.3;PostgreSQL Database Server 8.3;c:\program files\postgresql\8.3\bin\pg_ctl.exe [2009-12-10 65536]

S3 ServiceEmulation;HP ServiceEmulation;c:\program files\hp\loadrunner\apache-tomcat-5.5.17\bin\tomcat5.exe [2009-1-14 102400]

S3 UltraMonMirror;UltraMonMirror;c:\windows\system32\drivers\ultramonmirror.sys --> c:\windows\system32\drivers\UltraMonMirror.sys [?]

S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]

S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2008-4-15 14336]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

S4 LMIRfsClientNP;LMIRfsClientNP; [x]

S4 SiteScope;SiteScope;c:\progra~1\sitescope\tools\sitescopeservice.exe [2009-7-23 48640]

.

=============== Created Last 30 ================

.

2012-05-01 13:00:13  96784  ----a-w-  c:\windows\system32\WPRO_41_1879woem.tmp

2012-05-01 13:00:13  109072  ----a-w-  c:\windows\system32\WPRO_41_1879woem_nm.tmp

2012-05-01 11:27:38  --------  d-----w-  c:\documents and settings\dittie\local settings\application data\Privatefirewall

2012-05-01 11:24:41  131896  ----a-w-  c:\windows\system32\drivers\pwipf6.sys

2012-05-01 11:24:35  --------  d-----w-  c:\documents and settings\all users\application data\Privacyware

2012-05-01 11:24:34  --------  d-----w-  c:\program files\Privacyware

2012-04-29 15:37:56  58880  ----a-w-  c:\windows\system32\WSPDll.dll

2012-04-29 15:37:32  --------  d-----w-  C:\fn

2012-04-27 12:25:44  --------  d-----w-  c:\program files\NeoLoad 4.0

2012-04-27 10:31:47  --------  d-----w-  c:\documents and settings\dittie\application data\Ywak

2012-04-27 10:31:47  --------  d-----w-  c:\documents and settings\dittie\application data\Ekwosy

2012-04-27 10:31:47  --------  d-----w-  c:\documents and settings\dittie\application data\Axaxfo

2012-04-26 13:09:22  247992  ----a-w-  c:\windows\system32\qaphooks.dll

2012-04-26 13:06:49  --------  d-----w-  c:\documents and settings\dittie\application data\Silk

2012-04-26 12:22:01  --------  d-----w-  c:\documents and settings\dittie\local settings\application data\Silk

2012-04-26 12:21:28  --------  d-----w-  c:\documents and settings\all users\application data\Silk

2012-04-26 12:19:41  --------  d-s---w-  c:\program files\Silk

2012-04-26 12:14:43  --------  d-----w-  c:\program files\MSXML 4.0

2012-04-26 12:11:30  --------  d--h--w-  c:\program files\Zero G Registry

2012-04-04 10:13:40  418464  ----a-w-  c:\windows\system32\FlashPlayerApp.exe

2012-04-02 14:48:52  --------  d-----w-  C:\popclient

.

==================== Find3M  ====================

.

2012-04-13 18:49:05  70304  ----a-w-  c:\windows\system32\FlashPlayerCPLApp.cpl

2012-04-04 13:56:40  22344  ----a-w-  c:\windows\system32\drivers\mbam.sys

.

============= FINISH: 16:33:40.37 ===============

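The log above is long, and a helper reading it looks at a handful of things first. The triage script below is an added example written for this thread; it is not part of the original posts and not part of DDS. It reads the Pseudo HJT Report and Created Last 30 lines of a DDS log and flags the patterns the log above actually contains: an autorun (uRun/mRun) whose target lives in a user profile directory, with a stronger flag when that directory was itself created recently; any AppInit_DLLs entry; per-interface DNS pointing at 127.0.0.1; and several profile directories created in the same second. The sample lines are copied from the posted log (tabs stand in for the tab-separated columns); the rule names, the profile-path heuristic and the "burst" threshold are my own choices, not DDS conventions.

```python
import re
from collections import defaultdict

# Lines copied from the DDS log posted above, trimmed to the sections the
# triage looks at. Backslashes are doubled for the Python string literal and
# the Created Last 30 columns are tab-separated, as DDS writes them.
SAMPLE_DDS = (
    "uRun: [ctfmon.exe] c:\\windows\\system32\\ctfmon.exe\n"
    "uRun: [DAEMON Tools Lite] \"c:\\program files\\daemon tools lite\\DTLite.exe\" -autorun\n"
    "uRun: [ukotyhtyt] \"c:\\documents and settings\\dittie\\application data\\axaxfo\\udwo.exe\"\n"
    "mRun: [Privatefirewall] c:\\program files\\privacyware\\privatefirewall 7.0\\PFGUI.exe\n"
    "AppInit_DLLs: qaphooks.dll\n"
    "TCP: DhcpNameServer = 10.211.55.1\n"
    "TCP: Interfaces\\{1553E44B-4B3B-4618-A4D4-FD52D0B992DB} : NameServer = 127.0.0.1\n"
    "=============== Created Last 30 ================\n"
    "2012-04-27 10:31:47\t--------\td-----w-\tc:\\documents and settings\\dittie\\application data\\Ywak\n"
    "2012-04-27 10:31:47\t--------\td-----w-\tc:\\documents and settings\\dittie\\application data\\Ekwosy\n"
    "2012-04-27 10:31:47\t--------\td-----w-\tc:\\documents and settings\\dittie\\application data\\Axaxfo\n"
    "2012-04-26 12:14:43\t--------\td-----w-\tc:\\program files\\MSXML 4.0\n"
)

RUN_RE = re.compile(r"^(?P<kind>[um]Run): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# First drive-letter path ending in an executable extension, quoted or not.
PATH_RE = re.compile(r'[a-z]:\\[^"]*?\.(?:exe|dll|scr|com|bat|cmd)', re.IGNORECASE)
APPINIT_RE = re.compile(r"^AppInit_DLLs: (?P<dlls>\S.*)$")
NS_RE = re.compile(r"NameServer = (?P<ip>\d{1,3}(?:\.\d{1,3}){3})$")
# DDS "Created Last 30" row: timestamp, size (or dashes), attributes, path.
CREATED_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\t\S+\t(?P<attr>\S+)\t(?P<path>.+)$"
)


def profile_path(path):
    """Heuristic (my own): does the path sit in a user-writable profile area?"""
    p = path.lower()
    return any(m in p for m in ("\\application data\\", "\\local settings\\", "\\temp\\"))


def triage(log_text):
    """Return a list of findings, each {'rule', 'detail', 'line'}, for a DDS log."""
    findings = []
    created_dirs = {}                  # lowercase dir path -> creation timestamp
    created_bursts = defaultdict(list)  # timestamp -> dirs created in that second
    runs = []
    for line in log_text.splitlines():
        line = line.rstrip()
        m = CREATED_RE.match(line)
        if m:
            if m["attr"].startswith("d"):   # directory entries only
                created_dirs[m["path"].lower()] = m["ts"]
                created_bursts[m["ts"]].append(m["path"])
            continue
        m = RUN_RE.match(line)
        if m:
            runs.append(m)                  # judged after directories are known
            continue
        m = APPINIT_RE.match(line)
        if m:   # loaded into every process that links user32.dll: always review
            findings.append({"rule": "appinit-dll", "detail": m["dlls"], "line": line})
            continue
        m = NS_RE.search(line)
        if m and m["ip"].startswith("127."):
            findings.append({"rule": "dns-localhost", "detail": m["ip"], "line": line})

    for m in runs:
        pm = PATH_RE.search(m["cmd"])
        if not pm:
            continue                        # e.g. rundll32.exe <cpl> entries
        target = pm.group(0).lower()
        parent = target.rsplit("\\", 1)[0]
        if profile_path(target):
            rule = "autorun-profile-path"
            if parent in created_dirs:      # autorun out of a brand-new directory
                rule = "autorun-new-profile-dir"
            findings.append({"rule": rule, "detail": f"{m['name']} -> {target}",
                             "line": m.string})

    for ts, dirs in created_bursts.items():
        profile = [d for d in dirs if profile_path(d)]
        if len(profile) >= 2:               # several profile dirs in one second
            findings.append({"rule": "profile-dir-burst",
                             "detail": f"{len(profile)} dirs at {ts}", "line": ts})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f"{f['rule']:24} {f['detail']}")
```

Run against the sample it reports the `ukotyhtyt` autorun as starting from a directory (`axaxfo`) created in the same second as `Ywak` and `Ekwosy`, which is the correlation a human reviewer would make by hand. The other two rules are review flags, not verdicts: in the posted log `qaphooks.dll` was created a few minutes after the Silk directories, so it may belong to that product, and a name server of 127.0.0.1 can be a legitimate local resolver as well as a hijack; in both cases the next step is to identify what owns the file or listens on the port before removing anything.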

I just recreated the logs:

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_18

Run by myuser at 15:42:28 on 2012-05-02

Microsoft Windows XP Professional 5.1.2600.3.1252.31.1043.18.2815.2213 [GMT 2:00]

.

FW: Privatefirewall *Enabled*

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\Program Files\Juniper Networks\Odyssey Access Client\odClientService.exe

C:\Program Files\Privacyware\Privatefirewall 7.0\pfsvc.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\WINDOWS\system32\AppleOSSMgr.exe

C:\WINDOWS\system32\AppleTimeSrv.exe

svchost.exe

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Juniper Networks\JUNS\dsAccessService.exe

C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\Parallels\Parallels Tools\Services\coherence.exe

C:\Program Files\Parallels\Parallels Tools\Services\prl_tools_service.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\Program Files\Parallels\Parallels Tools\Services\prl_tools.exe

C:\Program Files\Silk\Shared Files\SgLauncher\sgLauncher.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe

C:\WINDOWS\system32\vmnat.exe

c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Program Files\VMware\VMware Player\vmware-authd.exe

C:\WINDOWS\system32\vmnetdhcp.exe

c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\VMware\VMware Player\hqtray.exe

C:\Program Files\Parallels\Parallels Tools\SIA\SharedIntApp.exe

C:\Program Files\Parallels\Parallels Tools\prl_cc.exe

C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe

C:\Program Files\Privacyware\Privatefirewall 7.0\PFGUI.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\DAEMON Tools Lite\DTLite.exe

C:\Program Files\TechSmith\Snagit 9\Snagit32.exe

C:\Program Files\TechSmith\Snagit 9\TSCHelp.exe

C:\Program Files\TechSmith\Snagit 9\SnagPriv.exe

C:\Program Files\TechSmith\Snagit 9\snagiteditor.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = about:blank

uInternet Settings,ProxyServer =

uInternet Settings,ProxyOverride = <local>

BHO: SnagIt Toolbar Loader: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\techsmith\snagit 9\SnagitBHO.dll

BHO: BHOManager Class: {474264bc-9571-47c1-85b9-780f756dc9ce} - c:\windows\system32\BHOManager.dll

BHO: dynaTrace AJAX Edition Agent: {54ccf170-0056-48d1-b959-055c5b98dc88} - c:\program files\dynatrace\dynatrace ajax edition 3.4\client\lib\dtieagent.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: Snagit: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 9\SnagitIEAddin.dll

TB: dynaTrace AJAX Edition Toolbar: {42ec68ef-4494-4041-9993-a5789bf7750b} - c:\program files\dynatrace\dynatrace ajax edition 3.4\client\lib\dtieagent.dll

TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File

EB: MySpace.MSFast.SysImpl.Win32.InternetExplorer.MSFastBrowserBand: {aae91b90-296a-471e-9926-2d4505f8ef5b} - mscoree.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [PlayNC Launcher]

uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\DTLite.exe" -autorun

uRun: [ukotyhtyt] "c:\documents and settings\myuser\application data\axaxfo\udwo.exe"

mRun: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

mRun: [<NO NAME>]

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet

mRun: [VMware hqtray] "c:\program files\vmware\vmware player\hqtray.exe"

mRun: [amd_dc_opt] c:\program files\amd\dual-core optimizer\amd_dc_opt.exe

mRun: [Parallels Shared Internet Applications] "c:\program files\parallels\parallels tools\sia\SharedIntApp.exe" /start

mRun: [Parallels Tools Center] "c:\program files\parallels\parallels tools\prl_cc.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [XboxStat] "c:\program files\microsoft xbox 360 accessories\XboxStat.exe" silentrun

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

mRun: [Privatefirewall] c:\program files\privacyware\privatefirewall 7.0\PFGUI.exe

StartupFolder: c:\docume~1\myuser\menust~1\progra~1\opstar~1\dropbox.lnk - c:\documents and settings\myuser\application data\dropbox\bin\Dropbox.exe

StartupFolder: c:\docume~1\alluse~1\menust~1\progra~1\opstar~1\snagit~1.lnk - c:\program files\techsmith\snagit 9\Snagit32.exe

StartupFolder: c:\docume~1\alluse~1\menust~1\progra~1\opstar~1\vpncli~1.lnk - c:\windows\installer\{176130bc-99a1-41fe-a78b-56045e33ad70}\Icon3E5562ED7.ico

mPolicies-explorer: EnableShellExecuteHooks = 1 (0x1)

IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe

IE: {725EC34E-943C-4df6-B0B2-FBDE7F242276} - c:\documents and settings\myuser\bureaublad\PartyPoker.fr.lnk

IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\documents and settings\myuser\bureaublad\PartyPoker.lnk

IE: {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "c:\program files\fiddler2\Fiddler.exe"

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\ssv.dll

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\mi1933~1\office12\ONBttnIE.dll

IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL

IE: {AAE91B90-296A-471e-9926-2D4505F8EF5A} - {AAE91B90-296A-471e-9926-2D4505F8EF5B} - mscoree.dll

LSP: c:\program files\vmware\vmware player\vsocklib.dll

DPF: {00B28243-126B-4FFF-B346-6C3176E8296B} - hxxp://sonar.cwinet.nl:8080/epublicsector_nld/19221/applets/SiebelAx_Calendar.cab

DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab

DPF: {3605B612-C3CF-4AB4-A426-2D853391DB2E} - hxxp://www.ycenter.nl/qcbin/capicom.dll

DPF: {41564D57-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/A/9/0A9F8B32-9F8C-4D74-A130-E4CAB36EB01F/wmvadvd.cab

DPF: {41EF3CD2-D8CC-4438-84B1-280BB4E77C8E} - hxxps://sslnl.vanoord.com/vdesk/terminal/f5tunsrv.cab#version=7000,2011,104,2309

DPF: {45B69029-F3AB-4204-92DE-D5140C3E8E74} - hxxps://sslnl.vanoord.com/vdesk/terminal/InstallerControl.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1309616397827

DPF: {6B1EF694-7BCC-4B68-A872-B9F033940922} - hxxp://localhost:20790/i3/Shared/cab/APMFiles_V8.CAB

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1309616389124

DPF: {784797A8-342D-4072-9486-03C8D0F2F0A1} - hxxps://www.battlefieldheroes.com/static/updater/BFHUpdater_5.0.127.0.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

DPF: {BE166F56-3D04-4E4A-8782-B898BCE3C426} - hxxp://xc001wec:20790/i3/Shared/cab/APMFiles.CAB

DPF: {CAFECAFE-0013-0001-0013-ABCDEFABCDEF}

DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

DPF: {D8AC8CB7-7EF3-4B76-83BF-0008C9D38A9F} - hxxp://sonar.cwinet.nl:8080/epublicsector_nld/19221/applets/SiebelAx_Gantt_Chart.cab

DPF: {DE2C7216-C882-400E-BB47-EBB90237CAD1} - hxxp://sonar.cwinet.nl:8080/epublicsector_nld/19221/applets/SiebelAx_HI_Client.cab

DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://precise.webex.com/client/T26L/webex/ieatgpc.cab

DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} - hxxps://sslnl.vanoord.com/vdesk/terminal/urxhost.cab#version=7000,2011,124,911

DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://juniper.net/dana-cached/setup/JuniperSetupSP1.cab

DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://juniper.net/dana-cached/sc/JuniperSetupClient.cab

DPF: {FCADE536-93F5-4577-80A3-E7C32FAC4C7D} - hxxp://www.ycenter.nl/qcbin/Spider10.cab

DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=724

TCP: DhcpNameServer = 10.211.55.1

TCP: Interfaces\{0066A990-356F-47EC-9CBC-AC11FDA3F05A} : DhcpNameServer = 10.211.55.1

TCP: Interfaces\{1553E44B-4B3B-4618-A4D4-FD52D0B992DB} : NameServer = 127.0.0.1

TCP: Interfaces\{222E7459-A2A0-4F57-9C42-FF0408F28EC6} : NameServer = 127.0.0.1

TCP: Interfaces\{3450FBC3-D9CA-4DAE-BE45-ADC034DDC591} : NameServer = 127.0.0.1

TCP: Interfaces\{4B2BDFF9-6A65-4009-9423-DEE117FCE36B} : DhcpNameServer = 192.168.123.1 192.168.123.1

TCP: Interfaces\{7BAE8FD0-312F-423E-A301-B82213C49B7A} : NameServer = 127.0.0.1

TCP: Interfaces\{808E07B9-0DC9-4DD3-B73D-859B3253953C} : NameServer = 127.0.0.1

TCP: Interfaces\{E5301618-6258-4417-A389-9FA87D530BBB} : NameServer = 127.0.0.1

TCP: Interfaces\{FD14765F-371F-4BE1-96E8-9284BFCD642F} : NameServer = 127.0.0.1

Handler: HTLFP - {03B7A5D4-96B0-4316-95F8-072D326A58F1} -

Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Handler: vfsp - {E4CB5121-E242-11D4-8ED6-00010219EB22} -

Notify: AutorunsDisabled - c:\program files\stardock\mycolors\fastload.dll

Notify: LMIinit - LMIinit.dll

Notify: OdysseyClient - odyEvent.dll

AppInit_DLLs: qaphooks.dll

SEH: ShHook Class: {a5949e07-8536-4625-a3d0-2dd83f559990} - c:\windows\system32\ShellHook.dll

Hosts: 0.0.0.0 .psf

Hosts: 0.0.0.0 psf

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\myuser\application data\mozilla\firefox\profiles\up5iz0qr.default\

FF - prefs.js: network.proxy.ftp - iproxy.office.intern

FF - prefs.js: network.proxy.ftp_port - 8080

FF - prefs.js: network.proxy.gopher - iproxy.office.intern

FF - prefs.js: network.proxy.gopher_port - 8080

FF - prefs.js: network.proxy.http - iproxy.office.intern

FF - prefs.js: network.proxy.http_port - 8080

FF - prefs.js: network.proxy.socks - iproxy.office.intern

FF - prefs.js: network.proxy.socks_port - 8080

FF - prefs.js: network.proxy.ssl - iproxy.office.intern

FF - prefs.js: network.proxy.ssl_port - 8080

FF - prefs.js: network.proxy.type - 0

FF - plugin: c:\documents and settings\myuser\local settings\application data\unity\webplayer\loader\npUnity3D32.dll

FF - plugin: c:\program files\battlelog web plugins\0.80.0\npesnlaunch.dll

FF - plugin: c:\program files\battlelog web plugins\sonar\0.70.0\npesnsonar.dll

FF - plugin: c:\program files\microsoft silverlight\4.1.10111.0\npctrlui.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll

FF - plugin: c:\program files\mozilla firefox\plugins\NPJinit13113.dll

FF - plugin: c:\program files\mozilla firefox\plugins\NPJinit13128.dll

FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll

.

---- FIREFOX POLICIES ----

FF - user.js: network.cookie.cookieBehavior - 0

FF - user.js: privacy.clearOnShutdown.cookies - false

FF - user.js: security.warn_viewing_mixed - false

FF - user.js: security.warn_viewing_mixed.show_once - false

FF - user.js: security.warn_submit_insecure - false

FF - user.js: security.warn_submit_insecure.show_once - false

.

============= SERVICES / DRIVERS ===============

.

R0 odFips;odFips;c:\windows\system32\drivers\odFIPS.sys [2008-2-12 254208]

R0 prl_pv32;prl_pv32;c:\windows\system32\drivers\prl_pv32.sys [2009-6-24 23880]

R0 prl_strg;Parallels paravirt disk filter;c:\windows\system32\drivers\prl_strg.sys [2011-3-25 29640]

R0 prl_tg;Parallels Tool Device;c:\windows\system32\drivers\prl_tg.sys [2009-6-24 24008]

R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [2010-4-22 65584]

R1 prl_boot;Parallels BootCamp Helper;c:\windows\system32\drivers\prl_boot.sys [2011-9-7 38600]

R1 prl_fs;Parallels Shared Folders;c:\windows\system32\drivers\prl_fs.sys [2008-11-8 149448]

R2 AppleOSSMgr;Apple OS Switch Manager;c:\windows\system32\AppleOSSMgr.exe [2009-5-11 136496]

R2 AppleTimeSrv;Apple tijdvoorziening;c:\windows\system32\AppleTimeSrv.exe [2009-5-11 99632]

R2 inpout32;inpout32;c:\windows\system32\drivers\inpout32.sys [2009-11-6 11936]

R2 JuniperAccessService;Juniper Unified Network Service;c:\program files\common files\juniper networks\juns\dsAccessService.exe [2007-12-20 83320]

R2 KeyAgent;KeyAgent;c:\windows\system32\drivers\KeyAgent.sys [2009-11-15 5760]

R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\logmein\x86\LMIGuardianSvc.exe [2010-9-27 374152]

R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2010-5-31 12856]

R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2010-10-21 47640]

R2 MacHALDriver;Mac HAL;c:\windows\system32\drivers\MacHALDriver.sys [2009-5-11 6784]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-2-12 654408]

R2 paldrv;paldrv;c:\windows\system32\pal_drv.sys [2010-4-8 11107]

R2 Parallels Coherence Service;Parallels Coherence Service;c:\program files\parallels\parallels tools\services\coherence.exe [2011-9-7 28488]

R2 Parallels Tools Service;Parallels Tools Service;c:\program files\parallels\parallels tools\services\prl_tools_service.exe [2011-9-7 186696]

R2 PFNet;Privacyware network service;c:\program files\privacyware\privatefirewall 7.0\pfsvc.exe [2012-4-5 374120]

R2 prl_memdev;Parallels Memdev Driver;c:\windows\system32\drivers\prl_memdev.sys [2011-10-30 15176]

R2 prl_time;Parallels Time Synchronization Helper;c:\windows\system32\drivers\prl_time.sys [2011-10-30 15816]

R2 Silk Launcher Service;Silk Launcher Service;c:\program files\silk\shared files\sglauncher\sgLauncher.exe [2012-4-26 2270424]

R2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [2011-3-25 70768]

R2 VMUSBArbService;VMware USB Arbitration Service;c:\program files\common files\vmware\usb\vmware-usbarbitrator.exe [2011-3-25 539248]

R3 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [2011-2-2 218688]

R3 jnprna;Juniper Network Agent Miniport;c:\windows\system32\drivers\jnprna.sys [2007-10-5 390528]

R3 JnprVaMgr;Juniper Networks Virtual Adapter Manager Service;c:\windows\system32\drivers\jnprvamgr.sys [2007-10-5 29312]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-2-12 22344]

R3 prl_eth5;Parallels Ethernet Adapter;c:\windows\system32\drivers\prl_eth5.sys [2009-6-24 18376]

R3 prl_mouf;Parallels Mouse Synchronization Device;c:\windows\system32\drivers\prl_mouf.sys [2009-6-24 16200]

R3 prl_sound;Parallels Audio Controller;c:\windows\system32\drivers\prl_sound.sys [2011-3-25 45896]

R3 prl_va;Parallels Video Adapter;c:\windows\system32\drivers\prl_vamp.sys [2009-6-24 25928]

R3 pwipf6;Privacyware Filter Driver;c:\windows\system32\drivers\pwipf6.sys [2012-5-1 131896]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2012-2-15 158856]

S2 StackTrace;StackTrace;c:\program files\stacktrace\jetty\service\win32\Wrapper.exe [2011-6-17 110592]

S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-4 253088]

S3 applemtm;Apple Multitouch Mouse;c:\windows\system32\drivers\applemtm.sys [2009-6-24 10496]

S3 applemtp;Apple Multitouch;c:\windows\system32\drivers\applemtp.sys [2009-6-24 29696]

S3 EacService;Juniper TNC Endpoint Assessment;c:\program files\common files\juniper networks\tnc client\jTnccService.exe [2008-2-13 116008]

S3 IRRemoteFlt;IR Receiver Filter Driver;c:\windows\system32\drivers\IRFilter.sys [2009-6-24 16512]

S3 KeyMagic;USB Keyboard HID Filter;c:\windows\system32\drivers\KeyMagic.sys [2009-6-24 23552]

S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-6 34064]

S3 pgsql-8.3;PostgreSQL Database Server 8.3;c:\program files\postgresql\8.3\bin\pg_ctl.exe [2009-12-10 65536]

S3 ServiceEmulation;HP ServiceEmulation;c:\program files\hp\loadrunner\apache-tomcat-5.5.17\bin\tomcat5.exe [2009-1-14 102400]

S3 UltraMonMirror;UltraMonMirror;c:\windows\system32\drivers\ultramonmirror.sys --> c:\windows\system32\drivers\UltraMonMirror.sys [?]

S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]

S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2008-4-15 14336]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

S4 LMIRfsClientNP;LMIRfsClientNP; [x]

S4 SiteScope;SiteScope;c:\progra~1\sitescope\tools\sitescopeservice.exe [2009-7-23 48640]

.

=============== Created Last 30 ================

.

2012-05-02 10:14:05 96784 ----a-w- c:\windows\system32\WPRO_41_1879woem.tmp

2012-05-02 10:14:05 109072 ----a-w- c:\windows\system32\WPRO_41_1879woem_nm.tmp

2012-05-01 11:27:38 -------- d-----w- c:\documents and settings\myuser\local settings\application data\Privatefirewall

2012-05-01 11:24:41 131896 ----a-w- c:\windows\system32\drivers\pwipf6.sys

2012-05-01 11:24:35 -------- d-----w- c:\documents and settings\all users\application data\Privacyware

2012-05-01 11:24:34 -------- d-----w- c:\program files\Privacyware

2012-04-29 15:37:56 58880 ----a-w- c:\windows\system32\WSPDll.dll

2012-04-29 15:37:32 -------- d-----w- C:\fn

2012-04-27 12:25:44 -------- d-----w- c:\program files\NeoLoad 4.0

2012-04-27 10:31:47 -------- d-----w- c:\documents and settings\myuser\application data\Ywak

2012-04-27 10:31:47 -------- d-----w- c:\documents and settings\myuser\application data\Ekwosy

2012-04-27 10:31:47 -------- d-----w- c:\documents and settings\myuser\application data\Axaxfo

2012-04-26 13:09:22 247992 ----a-w- c:\windows\system32\qaphooks.dll

2012-04-26 13:06:49 -------- d-----w- c:\documents and settings\myuser\application data\Silk

2012-04-26 12:22:01 -------- d-----w- c:\documents and settings\myuser\local settings\application data\Silk

2012-04-26 12:21:28 -------- d-----w- c:\documents and settings\all users\application data\Silk

2012-04-26 12:19:41 -------- d-s---w- c:\program files\Silk

2012-04-26 12:14:43 -------- d-----w- c:\program files\MSXML 4.0

2012-04-26 12:11:30 -------- d--h--w- c:\program files\Zero G Registry

2012-04-04 10:13:40 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-04-02 14:48:52 -------- d-----w- C:\popclient

.

==================== Find3M ====================

.

2012-04-13 18:49:05 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-04-04 13:56:40 22344 ----a-w- c:\windows\system32\drivers\mbam.sys

.

============= FINISH: 15:44:38.17 ===============


  • Launch Malwarebytes' Anti-Malware
  • Go to Update tab and select Check for Updates. If an update is found, it will download and install the latest version.
  • Go to Scanner tab and select Perform Quick Scan, then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

In your next reply, post the following log files:

  • Malwarebytes' Anti-Malware log
  • a new fresh DDS log file


Hi Maniac,

Sorry it took a while! Too busy with work to reply earlier...

Malwarebytes Anti-Malware (-evaluatieversie-) 1.61.0.1400

www.malwarebytes.org

Databaseversie: v2012.05.11.05

Windows XP Service Pack 3 x86 NTFS

Internet Explorer 8.0.6001.18702

Dittie :: PATRICK [administrator]

Realtime bescherming: Uitgeschakeld

11-5-2012 19:03:00

mbam-log-2012-05-11 (19-03-00).txt

Scantype: Snelle scan

Ingeschakelde scanopties: Geheugen | Opstartitems | Register | Bestanden en mappen | Heuristiek/Extra | Heuristiek/Shuriken | PUP | PUM

Uitgeschakelde scanopties: P2P

Objecten gescand: 418322

Verstreken tijd: 47 minuut/minuten, 3 seconde(n)

Geheugenprocessen gedetecteerd: 0

(Geen kwaadaardige objecten gedetecteerd)

Geheugenmodulen gedetecteerd: 0

(Geen kwaadaardige objecten gedetecteerd)

Registersleutels gedetecteerd: 0

(Geen kwaadaardige objecten gedetecteerd)

Registerwaarden gedetecteerd: 0

(Geen kwaadaardige objecten gedetecteerd)

Registerdata gedetecteerd: 0

(Geen kwaadaardige objecten gedetecteerd)

Mappen gedetecteerd: 0

(Geen kwaadaardige objecten gedetecteerd)

Bestanden gedetecteerd: 0

(Geen kwaadaardige objecten gedetecteerd)

(einde)

BTW: Sometimes my firewall gets loaded before the malware and then I am able to block it. It does not hook into Explorer.exe when I do.

Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.


  • 4 weeks later...
  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
