Backdoor.Bot infection


Hello, I'm new here. I live in Holland and I do my best to read and write in English. A long time ago www.virushelp.nl advised me to use Mbam because there was a little problem with my PC. Running Windows XP SP3.

Once a week I run Mbam. The last time I got the message that my PC has a backdoor.bot infection.

Is there something more that I have to do, or is it a false positive?

This was the logging:

Malwarebytes' Anti-Malware 1.39

Database versie: 2542

Windows 5.1.2600 Service Pack 3

2-8-2009 1:13:57

mbam-log-2009-08-02 (01-13-57).txt

Scan type: Volledige Scan (C:\|)

Objecten gescand: 196142

Verstreken tijd: 2 hour(s), 14 minute(s), 16 second(s)

Geheugenprocessen ge


  • Root Admin

Well the latest log shows you're ok now. Are you still having an issue with Malware?

Please run the following scanner.

Download DDS and save it to your desktop.

Disable any script blocker if your Anti-Virus/Anti-Malware has it.

Once downloaded you can disconnect from the Internet and disable your Anti-Virus temporarily if needed.

Then double click dds.scr to run the tool.

When done, the DDS.txt will open.

Click Yes at the next prompt for Optional Scan.

When done, DDS will open two (2) logs:

  1. DDS.txt
  2. Attach.txt

  • Save both reports to your desktop
  • Please include the following logs in your next reply: DDS.txt and Attach.txt


I only got the message that there was a backdoor.bot infection.

I don't know if there is something wrong, therefore I asked for help.

This is the DDS.txt

DDS (Ver_09-07-30.01) - NTFSx86

Run by Eigenaar at 22:15:27,51 on za 08-08-2009

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Home Edition 5.1.2600.3.1252.31.1043.18.2031.1268 [GMT 2:00]

AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\McAfee\Common Framework\UdaterUI.exe

C:\Program Files\McAfee\Common Framework\McTray.exe

C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

C:\Program Files\Plustek\OpticFilm 7200\QuickScan.exe

svchost.exe

C:\PROGRA~1\McAfee\MCAFEE~1\FireSvc.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\McAfee\Common Framework\FrameworkService.exe

C:\PROGRA~1\McAfee\MCAFEE~1\FireTray.exe

C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe

C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\Program Files\UPHClean\uphclean.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\WINDOWS\system32\SearchIndexer.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\Program Files\Windows Desktop Search\WindowsSearch.exe

C:\DATA\Programmas\eMule\eMule.exe

C:\WINDOWS\system32\SearchProtocolHost.exe

C:\WINDOWS\system32\SearchProtocolHost.exe

C:\Documents and Settings\Eigenaar\Bureaublad\dds.scr

============== Pseudo HJT Report ===============

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptcl.dll

BHO: Aanmeldhulp voor Windows Live ID: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll

TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll

TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File

TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

mRun: [LogitechGalleryRepair] "c:\program files\logitech\video\ISStart.exe"

mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\UdaterUI.exe" /StartedFromRunKey

mRun: [shStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE

mRun: [McAfeeFireTray] "c:\progra~1\mcafee\mcafee~1\Firetray.exe"

mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin

mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"

mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"

StartupFolder: c:\docume~1\eigenaar\menust~1\progra~1\opstar~1\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe

StartupFolder: c:\docume~1\alluse~1\menust~1\progra~1\opstar~1\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE

StartupFolder: c:\docume~1\alluse~1\menust~1\progra~1\opstar~1\micros~2.lnk - c:\program files\common files\microsoft shared\works shared\wkcalrem.exe

StartupFolder: c:\docume~1\alluse~1\menust~1\progra~1\opstar~1\quicks~1.lnk - c:\program files\plustek\opticfilm 7200\QuickScan.exe

mPolicies-system: DisableStatusMessages = 1 (0x1)

IE: Converteren naar Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html

IE: Doel van koppeling converteren naar Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Doel van koppeling toevoegen aan bestaande PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Toevoegen aan bestaande PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

Trusted Zone: airfrance.com\w3

Trusted Zone: belastingdienst.nl\mijn

Trusted Zone: cocensus.nl\webmail

Trusted Zone: duesseldorf.de\www

Trusted Zone: ing.nl\mijn

Trusted Zone: klm.com\secure

Trusted Zone: live.com\login

Trusted Zone: live.com\onecare

Trusted Zone: microsoft.com\download.windowsupdate

Trusted Zone: microsoft.com\office

Trusted Zone: microsoft.com\update

Trusted Zone: microsoft.com\www.update

Trusted Zone: nuon.nl\www

Trusted Zone: postbank.nl\mijn

Trusted Zone: postbank.nl\rentepunten

Trusted Zone: trendmicro.com\housecall65

DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab

DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} - hxxp://download.microsoft.com/download/0/5/c/05c905f4-dd30-427d-a3de-373c3e5552fc/msSecAdv.cab?1088084614546

DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab

DPF: {4B48D5DF-9021-45F7-A240-60304302A215} - hxxp://download.microsoft.com/download/5/c/2/5c2fc4b7-3875-4eec-946b-ffe15472cabc/WebCleaner.cab

DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase1140.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1249415505734

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1249413699843

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78D} - hxxp://www.microsoft.com/security/controls/DoomCln.CAB

DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

DPF: {E2F9D054-D2B5-4CE8-9BDF-8BF3A81DB7E9} - hxxp://download.microsoft.com/download/a/3/7/a377aea1-7b14-4fa1-933c-43e657b37995/ProductIDGatherer.CAB

Notify: igfxcui - igfxdev.dll

SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

============= SERVICES / DRIVERS ===============

R1 mferkdk;VSCore mferkdk;c:\program files\mcafee\virusscan enterprise\mferkdk.sys [2006-11-30 31944]

R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2008-9-14 104000]

R2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\Mcshield.exe [2006-11-30 144960]

R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\VsTskMgr.exe [2006-11-30 54872]

R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]

R2 wlidsvc;Windows Live ID Sign-in Assistant;c:\program files\common files\microsoft shared\windows live\WLIDSVC.EXE [2009-3-30 1533808]

R3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2008-9-29 72264]

R3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2008-9-29 34152]

R3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2008-9-29 168776]

S3 PDSched;PDScheduler;c:\program files\raxco\perfectdisk\PDSched.exe [2005-11-29 241731]

S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2009-6-17 12648]

S4 adiusbae;USB ADSL LAN Adapter;c:\windows\system32\drivers\adiusbae.sys --> c:\windows\system32\drivers\adiusbae.sys [?]

S4 cpuz130;cpuz130;\??\c:\docume~1\eigenaar\locals~1\temp\cpuz130\cpuz_x32.sys --> c:\docume~1\eigenaar\locals~1\temp\cpuz130\cpuz_x32.sys [?]

S4 esihdrv;esihdrv;\??\c:\docume~1\eigenaar\locals~1\temp\esihdrv.sys --> c:\docume~1\eigenaar\locals~1\temp\esihdrv.sys [?]

S4 FXKQYLEM;FXKQYLEM;c:\docume~1\eigenaar\locals~1\temp\fxkqylem.exe --> c:\docume~1\eigenaar\locals~1\temp\FXKQYLEM.exe [?]

S4 HZFKBMV;HZFKBMV;c:\docume~1\eigenaar\locals~1\temp\hzfkbmv.exe --> c:\docume~1\eigenaar\locals~1\temp\HZFKBMV.exe [?]

S4 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]

S4 LJRV;LJRV;c:\docume~1\eigenaar\locals~1\temp\ljrv.exe --> c:\docume~1\eigenaar\locals~1\temp\LJRV.exe [?]

S4 mbr;mbr;\??\c:\docume~1\eigenaar\locals~1\temp\mbr.sys --> c:\docume~1\eigenaar\locals~1\temp\mbr.sys [?]

S4 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\6.tmp --> c:\windows\system32\6.tmp [?]

S4 SAVOnAccessControl;SAVOnAccessControl;c:\windows\system32\drivers\savonaccesscontrol.sys --> c:\windows\system32\drivers\savonaccesscontrol.sys [?]

S4 SAVOnAccessFilter;SAVOnAccessFilter;c:\windows\system32\drivers\savonaccessfilter.sys --> c:\windows\system32\drivers\savonaccessfilter.sys [?]

S4 ZNK;ZNK;c:\docume~1\eigenaar\locals~1\temp\znk.exe --> c:\docume~1\eigenaar\locals~1\temp\ZNK.exe [?]

=============== Created Last 30 ================

2009-08-08 21:23 <DIR> --d-hr-- c:\documents and settings\eigenaar\Onlangs geopend

2009-08-04 21:59 <DIR> --d----- C:\_AcroTemp

2009-08-04 21:39 <DIR> --d----- c:\docume~1\eigenaar\applic~1\Windows Desktop Search

2009-08-04 21:31 29,696 -c------ c:\windows\system32\dllcache\mimefilt.dll

2009-08-04 21:31 192,000 -c------ c:\windows\system32\dllcache\offfilt.dll

2009-08-04 21:31 98,304 -c------ c:\windows\system32\dllcache\nlhtml.dll

2009-08-04 19:35 <DIR> --d----- c:\program files\Microsoft Office Outlook Connector

2009-08-04 19:21 <DIR> --d----- c:\program files\Windows Live SkyDrive

2009-08-04 18:53 <DIR> --d----- c:\program files\Microsoft

==================== Find3M ====================

2009-08-04 21:34 536,884 a------- c:\windows\system32\perfh013.dat

2009-08-04 21:34 101,106 a------- c:\windows\system32\perfc013.dat

2009-08-03 13:36 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys

2009-08-03 13:36 19,096 a------- c:\windows\system32\drivers\mbam.sys

2009-07-25 05:23 411,368 a------- c:\windows\system32\deploytk.dll

2009-07-03 19:00 915,456 a------- c:\windows\system32\wininet.dll

2009-06-17 14:20 12,648 a------- c:\windows\system32\drivers\psi_mf.sys

2009-06-16 16:40 119,808 a------- c:\windows\system32\t2embed.dll

2009-06-16 16:40 81,920 a------- c:\windows\system32\fontsub.dll

2009-06-03 21:11 1,295,360 a------- c:\windows\system32\quartz.dll

2009-06-02 18:11 85,504 a------- c:\windows\system32\ff_vfw.dll

2009-05-29 23:37 205,824 a------- c:\windows\system32\xvidvfw.dll

2009-05-29 23:31 881,664 a------- c:\windows\system32\xvidcore.dll

2009-05-25 00:24 350,208 a------- c:\windows\system32\mssph.dll

2009-05-12 15:12 26,144 a------- c:\windows\system32\spupdsvc.exe

2008-09-16 22:59 47,360 a------- c:\docume~1\eigenaar\applic~1\pcouffin.sys

2007-11-30 00:19 32 a------- c:\docume~1\alluse~1\applic~1\ezsid.dat

2006-06-20 21:53 817 a---h--- c:\documents and settings\eigenaar\hpothb07.dat

2005-05-11 13:32 42,648 a------- c:\docume~1\eigenaar\applic~1\GDIPFONTCACHEV1.DAT

2002-07-26 17:02 153,088 a------- c:\program files\UNWISE.EXE

2009-01-22 12:48 4,184 a--sh--- c:\windows\system32\KGyGaAvL.sys

2008-05-14 15:08 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\geschiedenis\history.ie5\mshist012008051420080515\index.dat

============= FINISH: 22:16:02,56 ===============

And this is the Attach.txt

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-07-30.01)

Microsoft Windows XP Home Edition

Boot Device: \Device\HarddiskVolume1

Install Date: 8-6-2004 14:23:47

System Uptime: 8-8-2009 15:26:38 (7 hours ago)

Motherboard: Intel Corporation | | D865GBF

Processor: Intel® Pentium® 4 CPU 2.80GHz | J2E1 | 2793/200mhz

==== Disk Partitions =========================

A: is Removable

C: is FIXED (NTFS) - 149 GiB total, 81,65 GiB free.

D: is CDROM ()

E: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {4D36E96D-E325-11CE-BFC1-08002BE10318}

Description: Intel® 537EP Modem

Device ID: PCI\VEN_8086&DEV_1080&SUBSYS_10008086&REV_04\4&2E98101C&0&28F0

Manufacturer: Intel Corporation

Name: Intel® 537EP Modem

PNP Device ID: PCI\VEN_8086&DEV_1080&SUBSYS_10008086&REV_04\4&2E98101C&0&28F0

Service: Modem

==== System Restore Points ===================

RP37: 8-7-2009 17:25:39 - Controlepunt van systeem

RP38: 8-8-2009 16:08:49 - Software Distribution Service 3.0

RP39: 8-8-2009 16:09:37 - Controlepunt van systeem

RP40: 8-8-2009 16:09:46 - Software Distribution Service 3.0

RP41: 8-8-2009 16:09:51 - Software Distribution Service 3.0

RP42: 28-7-2009 22:38:42 - Controlepunt van systeem

RP43: 8-8-2009 16:10:04 - Software Distribution Service 3.0

RP44: 8-8-2009 16:10:11 - Software Distribution Service 3.0

RP45: 8-8-2009 16:10:16 - Software Distribution Service 3.0

RP46: 29-7-2009 9:54:13 - Ge


  • Root Admin

Yes you're still infected with something. Please disable your Anti-Virus and run the following.

Please visit this webpage for instructions for downloading ComboFix to your DESKTOP: how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

NOTE!!:

You must save and run ComboFix.exe on your DESKTOP and not from any other folder.

Also, DO NOT click the mouse or launch any other applications while this is running or it may stall the program.

Additional links to download the tool:

Note:

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.
  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.


Thanks for helping. Here is the Combofix.log

ComboFix 09-08-07.09 - Eigenaar 08-08-2009 23:48.25.2 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.31.1043.18.2031.1524 [GMT 2:00]

Gestart vanuit: c:\documents and settings\Eigenaar\Bureaublad\ComboFix.exe

AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

.

(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\Installer\14fd51.msi

c:\windows\Installer\1a595c.msi

c:\windows\Installer\2f16df.msi

c:\windows\Installer\7568a.msp

c:\windows\Installer\8a2b89.msi

c:\windows\Installer\bc089c.msi

c:\windows\Installer\bc08a1.msi

c:\windows\Installer\bc08a6.msi

c:\windows\Installer\bc08ab.msi

c:\windows\Installer\bc08b0.msi

c:\windows\Installer\bc08b5.msi

c:\windows\Installer\bc08ba.msi

c:\windows\Installer\bc08bf.msi

c:\windows\Installer\bc08c4.msi

c:\windows\Installer\bc08c9.msi

c:\windows\Installer\bc08ce.msi

c:\windows\Installer\bc08d3.msi

c:\windows\Installer\bc08d8.msi

c:\windows\Installer\bc08dd.msi

c:\windows\Installer\bc08e3.msi

c:\windows\Installer\bc08e8.msi

c:\windows\Installer\bc08fb.msi

c:\windows\Installer\bc0900.msi

c:\windows\Installer\d77f3.msi

c:\windows\Installer\dbc8e8.msi

c:\windows\Installer\fafaf.msi

c:\windows\Installer\WinRMSrv.msi

.

(((((((((((((((((((( Bestanden Gemaakt van 2009-07-08 to 2009-08-08 ))))))))))))))))))))))))))))))

.

2009-08-08 21:19 . 2009-08-08 21:19 -------- d--h--r- c:\documents and settings\Eigenaar\Onlangs geopend

2009-08-06 22:54 . 2008-09-16 19:23 168448 ----a-w- c:\windows\system32\unrar.dll

2009-08-06 22:54 . 2009-05-29 21:37 205824 ----a-w- c:\windows\system32\xvidvfw.dll

2009-08-06 22:54 . 2009-05-29 21:31 881664 ----a-w- c:\windows\system32\xvidcore.dll

2009-08-06 22:54 . 2004-01-25 16:18 217088 ----a-w- c:\windows\system32\yv12vfw.dll

2009-08-06 22:54 . 2009-05-01 21:02 90112 ----a-w- c:\windows\system32\dpl100.dll

2009-08-06 22:54 . 2008-11-06 16:37 3596288 ----a-w- c:\windows\system32\qt-dx331.dll

2009-08-06 22:54 . 2009-05-01 21:02 685056 ----a-w- c:\windows\system32\divx.dll

2009-08-06 22:54 . 2009-06-02 16:11 85504 ----a-w- c:\windows\system32\ff_vfw.dll

2009-08-06 22:54 . 2009-01-07 18:14 60273 ----a-w- c:\windows\system32\pthreadGC2.dll

2009-08-06 22:50 . 2009-08-06 22:50 -------- d-----w- c:\documents and settings\Eigenaar\Application Data\Media Player Classic

2009-08-05 19:21 . 2009-08-05 19:21 152576 ----a-w- c:\documents and settings\Eigenaar\Application Data\Sun\Java\jre1.6.0_15\lzma.dll

2009-08-04 19:59 . 2009-08-04 20:44 -------- d-----w- C:\_AcroTemp

2009-08-04 19:39 . 2009-08-04 19:39 -------- d-----w- c:\documents and settings\Eigenaar\Application Data\Windows Desktop Search

2009-08-04 19:31 . 2008-03-07 17:02 29696 -c----w- c:\windows\system32\dllcache\mimefilt.dll

2009-08-04 19:31 . 2008-03-07 17:02 98304 -c----w- c:\windows\system32\dllcache\nlhtml.dll

2009-08-04 19:31 . 2008-03-07 17:02 192000 -c----w- c:\windows\system32\dllcache\offfilt.dll

2009-08-04 17:35 . 2009-08-04 17:35 -------- d-----w- c:\program files\Microsoft Office Outlook Connector

2009-08-04 17:21 . 2009-08-04 17:21 -------- d-----w- c:\program files\Windows Live SkyDrive

2009-08-04 16:53 . 2009-08-04 17:21 -------- d-----w- c:\program files\Microsoft

2009-08-04 15:33 . 2009-08-04 15:33 -------- d-----w- c:\program files\Microsoft.NET

2009-08-04 15:19 . 2009-08-04 15:19 -------- d--h--r- C:\MSOCache

2009-07-31 13:29 . 2009-07-31 13:29 1962544 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player_ax.exe

2009-07-31 13:25 . 2009-07-31 13:59 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS

2009-07-31 13:25 . 2009-07-31 13:59 -------- d-----w- c:\program files\NOS

2009-07-31 13:23 . 2009-07-31 13:23 38208 ----a-w- c:\documents and settings\Eigenaar\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe

2009-07-31 13:23 . 2009-07-31 13:23 38208 ----a-w- c:\documents and settings\Default User\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe

.

((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-08-07 18:07 . 2004-06-13 09:32 79248 ----a-w- c:\documents and settings\Eigenaar\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-08-07 14:54 . 2008-05-27 15:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2009-08-06 22:25 . 2005-09-09 14:12 -------- d-----w- c:\program files\K-Lite Codec Pack

2009-08-06 15:43 . 2007-01-06 18:26 -------- d-----w- c:\documents and settings\Eigenaar\Application Data\OfficeUpdate12

2009-08-05 19:47 . 2006-03-04 19:06 -------- d-----w- c:\program files\Windows Live Safety Center

2009-08-05 19:23 . 2009-03-26 18:33 -------- d-----w- c:\program files\Java

2009-08-04 20:07 . 2008-05-27 17:02 -------- d-----w- c:\program files\Windows Desktop Search

2009-08-04 19:34 . 2003-04-08 12:00 536884 ----a-w- c:\windows\system32\perfh013.dat

2009-08-04 19:34 . 2003-04-08 12:00 101106 ----a-w- c:\windows\system32\perfc013.dat

2009-08-04 18:57 . 2007-03-28 19:03 -------- d-----w- c:\program files\MSBuild

2009-08-04 16:22 . 2005-05-07 17:14 -------- d-----w- c:\program files\Microsoft Works

2009-08-03 19:30 . 2008-12-27 14:19 3942048 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

2009-08-03 11:36 . 2008-12-27 14:18 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-08-03 11:36 . 2008-12-27 14:18 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-08-02 20:40 . 2004-08-21 17:23 -------- d-----w- c:\program files\Common Files\Elecard

2009-08-01 13:45 . 2008-03-04 11:05 -------- d-----w- c:\documents and settings\Eigenaar\Application Data\Vso

2009-07-31 13:58 . 2008-01-27 08:13 -------- d-----w- c:\program files\Microsoft Silverlight

2009-07-31 13:23 . 2009-02-20 18:24 -------- d-----w- c:\program files\Common Files\Adobe AIR

2009-07-25 03:23 . 2008-12-03 17:51 411368 ----a-w- c:\windows\system32\deploytk.dll

2009-07-20 10:29 . 2008-02-28 21:20 264704 ------w- c:\documents and settings\Eigenaar\Application Data\OfficeUpdate12\oudetect.dll

2009-07-10 12:58 . 2008-12-10 14:47 -------- d-----w- c:\documents and settings\Eigenaar\Application Data\Lasersoft Imaging

2009-07-07 15:37 . 2009-07-07 15:37 -------- d-----w- c:\documents and settings\Eigenaar\Application Data\Uniblue

2009-07-06 20:52 . 2007-10-09 20:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft

2009-07-06 19:16 . 2009-05-20 18:37 -------- d-----w- c:\program files\Lavasoft

2009-07-06 17:04 . 2008-10-02 18:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-07-06 15:24 . 2008-09-14 15:14 -------- d-----w- c:\program files\McAfee

2009-07-06 15:24 . 2008-09-29 20:58 -------- d-----w- c:\program files\Common Files\McAfee

2009-07-06 15:24 . 2008-09-14 15:15 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee

2009-07-06 14:44 . 2008-09-15 16:55 -------- d-----w- c:\documents and settings\All Users\Application Data\SiteAdvisor

2009-07-03 17:00 . 2004-02-06 16:09 915456 ----a-w- c:\windows\system32\wininet.dll

2009-06-27 19:54 . 2009-06-13 17:22 -------- d-----w- c:\documents and settings\All Users\Application Data\PCPitstop

2009-06-24 18:04 . 2004-06-08 12:37 -------- d--h--w- c:\program files\InstallShield Installation Information

2009-06-21 12:32 . 2004-10-04 18:36 -------- d-----w- c:\documents and settings\Eigenaar\Application Data\Skype

2009-06-17 12:20 . 2009-06-17 12:20 12648 ----a-w- c:\windows\system32\drivers\psi_mf.sys

2009-06-16 14:40 . 2003-04-08 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll

2009-06-16 14:40 . 2003-04-08 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll

2009-06-03 19:11 . 2004-08-21 16:00 1295360 ----a-w- c:\windows\system32\quartz.dll

2009-05-24 22:24 . 2008-05-26 20:18 350208 ----a-w- c:\windows\system32\mssph.dll

2009-05-12 13:12 . 2004-10-09 18:50 26144 ----a-w- c:\windows\system32\spupdsvc.exe

2002-07-26 15:02 . 2008-10-12 18:52 153088 ----a-w- c:\program files\UNWISE.EXE

2009-01-22 10:48 . 2009-01-22 10:48 4184 --sha-w- c:\windows\system32\KGyGaAvL.sys

.

((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"LogitechGalleryRepair"="c:\program files\Logitech\Video\ISStart.exe" [2004-02-25 454656]

"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 136768]

"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2006-11-30 112216]

"McAfeeFireTray"="c:\progra~1\McAfee\MCAFEE~1\Firetray.exe" [2006-07-20 655427]

"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-11-13 611712]

"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2009-02-27 38768]

"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2009-02-27 640376]

c:\documents and settings\Eigenaar\Menu Start\Programma's\Opstarten\

Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

c:\documents and settings\All Users\Menu Start\Programma's\Opstarten\

Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]

Microsoft Works Agenda-herinneringen.lnk - c:\program files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [1999-8-6 53317]

QuickScan (OpticFilm 7200).lnk - c:\program files\Plustek\OpticFilm 7200\QuickScan.exe [2008-12-10 290816]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"DisableStatusMessages"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^WinZip Quick Pick.lnk]

backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Eigenaar^Menu Start^Programma's^Opstarten^Microsoft Office Werkbalk.lnk]

backup=c:\windows\pss\Microsoft Office Werkbalk.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eigenaar^Menu Start^Programma's^Opstarten^NaturalColorLoad.lnk]

backup=c:\windows\pss\NaturalColorLoad.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"vsmon"=2 (0x2)

"NProtectService"=2 (0x2)

"CAISafe"=2 (0x2)

"SoundMAX Agent Service (default)"=2 (0x2)

"gusvc"=3 (0x3)

"InCDsrv"=2 (0x2)

"Automatic LiveUpdate Scheduler"=2 (0x2)

"LJRV"=3 (0x3)

"FXKQYLEM"=3 (0x3)

"0008701238501265mcinstcleanup"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"zBrowser Launcher"=c:\program files\Logitech\iTouch\iTouch.exe

"DU Meter"=c:\data\Programmas\Tools\DU Meter 3.0.7+keygen\DU Meter\DUMeter.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\DATA\\Programmas\\eMule\\eMule.exe"=

"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=

"c:\\DATA\\Programmas\\Phone\\Skype.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"5353:TCP"= 5353:TCP:Adobe CSI CS4

R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [3-11-2006 19:19 13592]

R2 wlidsvc;Windows Live ID Sign-in Assistant;c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE [30-3-2009 16:28 1533808]

S3 PDSched;PDScheduler;c:\program files\Raxco\PerfectDisk\PDSched.exe [29-11-2005 12:16 241731]

S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [17-6-2009 14:20 12648]

S4 adiusbae;USB ADSL LAN Adapter;c:\windows\system32\DRIVERS\adiusbae.sys --> c:\windows\system32\DRIVERS\adiusbae.sys [?]

S4 cpuz130;cpuz130;\??\c:\docume~1\Eigenaar\LOCALS~1\Temp\cpuz130\cpuz_x32.sys --> c:\docume~1\Eigenaar\LOCALS~1\Temp\cpuz130\cpuz_x32.sys [?]

S4 esihdrv;esihdrv;\??\c:\docume~1\Eigenaar\LOCALS~1\Temp\esihdrv.sys --> c:\docume~1\Eigenaar\LOCALS~1\Temp\esihdrv.sys [?]

S4 FXKQYLEM;FXKQYLEM;c:\docume~1\Eigenaar\LOCALS~1\Temp\FXKQYLEM.exe --> c:\docume~1\Eigenaar\LOCALS~1\Temp\FXKQYLEM.exe [?]

S4 HZFKBMV;HZFKBMV;c:\docume~1\Eigenaar\LOCALS~1\Temp\HZFKBMV.exe --> c:\docume~1\Eigenaar\LOCALS~1\Temp\HZFKBMV.exe [?]

S4 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]

S4 LJRV;LJRV;c:\docume~1\Eigenaar\LOCALS~1\Temp\LJRV.exe --> c:\docume~1\Eigenaar\LOCALS~1\Temp\LJRV.exe [?]

S4 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\6.tmp --> c:\windows\system32\6.tmp [?]

S4 SAVOnAccessControl;SAVOnAccessControl;c:\windows\system32\DRIVERS\savonaccesscontrol.sys --> c:\windows\system32\DRIVERS\savonaccesscontrol.sys [?]

S4 SAVOnAccessFilter;SAVOnAccessFilter;c:\windows\system32\DRIVERS\savonaccessfilter.sys --> c:\windows\system32\DRIVERS\savonaccessfilter.sys [?]

S4 ZNK;ZNK;c:\docume~1\Eigenaar\LOCALS~1\Temp\ZNK.exe --> c:\docume~1\Eigenaar\LOCALS~1\Temp\ZNK.exe [?]

--- Andere Services/Drivers In Geheugen ---

*Deregistered* - uphcleanhlp

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]

"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

.

Inhoud van de 'Gedeelde Taken' map

2008-09-19 c:\windows\Tasks\Hotmail.job

- c:\progra~1\INTERN~1\iexplore.exe [2004-06-08 12:09]

2009-08-08 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 17:20]

2009-08-08 c:\windows\Tasks\Update McAfee.job

- c:\program files\McAfee\VirusScan Enterprise\mcupdate.exe [2006-11-30 06:50]

2009-05-20 c:\windows\Tasks\User_Feed_Synchronization-{DD39BDB4-132C-4682-8166-8AB6CB2956B9}.job

- c:\windows\system32\msfeedssync.exe [2006-10-17 02:31]

2009-07-31 c:\windows\Tasks\Windows Defender.job

- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 17:20]

2008-09-30 c:\windows\Tasks\Windows Defrag.job

- c:\documents and settings\Eigenaar\Mijn documenten\defrag.bat [2008-09-29 19:25]

.

.

------- Bijkomende Scan -------

.

IE: Converteren naar Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html

IE: Doel van koppeling converteren naar Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Doel van koppeling toevoegen aan bestaande PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Toevoegen aan bestaande PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html

Trusted Zone: airfrance.com\w3

Trusted Zone: belastingdienst.nl\mijn

Trusted Zone: cocensus.nl\webmail

Trusted Zone: duesseldorf.de\www

Trusted Zone: ing.nl\mijn

Trusted Zone: klm.com\secure

Trusted Zone: live.com\login

Trusted Zone: live.com\onecare

Trusted Zone: microsoft.com\download.windowsupdate

Trusted Zone: microsoft.com\office

Trusted Zone: microsoft.com\update

Trusted Zone: microsoft.com\www.update

Trusted Zone: nuon.nl\www

Trusted Zone: postbank.nl\mijn

Trusted Zone: postbank.nl\rentepunten

Trusted Zone: trendmicro.com\housecall65

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-08-08 23:58

Windows 5.1.2600 Service Pack 3 NTFS

scannen van verborgen processen ...

scannen van verborgen autostart items ...

scannen van verborgen bestanden ...

Scan succesvol afgerond

verborgen bestanden: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]

"ImagePath"="\??\c:\windows\system32\6.tmp"

.

--------------------- VERGRENDELDE REGISTER SLEUTELS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]

@Denied: (A 2) (Everyone)

@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]

"Version"=hex:04,8d,55,e6,54,b8,6d,22,bb,a6,1a,3d,09,4a,51,60,84,fd,5b,41,01,

8c,25,05,59,bd,9e,3f,68,70,81,06,0d,da,8e,0d,50,9b,b8,1c,f9,67,32,85,48,ea,\

.

Voltooingstijd: 2009-08-08 0:03

ComboFix-quarantined-files.txt 2009-08-08 22:03

Pre-Run: 87.619.952.640 bytes beschikbaar

Post-Run: 87.538.450.432 bytes beschikbaar

274 --- E O F --- 2009-08-06 15:39

And here is the HJT log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 0:16:20, on 9-8-2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\McAfee\Common Framework\UdaterUI.exe

C:\Program Files\McAfee\Common Framework\McTray.exe

C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

C:\Program Files\Plustek\OpticFilm 7200\QuickScan.exe

C:\Program Files\Windows Desktop Search\WindowsSearch.exe

C:\PROGRA~1\McAfee\MCAFEE~1\FireSvc.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\PROGRA~1\McAfee\MCAFEE~1\FireTray.exe

C:\Program Files\McAfee\Common Framework\FrameworkService.exe

C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe

C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\UPHClean\uphclean.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\WINDOWS\system32\SearchIndexer.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\WINDOWS\system32\SearchProtocolHost.exe

C:\DATA\Programmas\VeiligEnAnderen\6.HyackThisVersie2.02\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://nl.msn.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll

O2 - BHO: Aanmeldhulp voor Windows Live ID - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll

O4 - HKLM\..\Run: [LogitechGalleryRepair] "C:\Program Files\Logitech\Video\ISStart.exe"

O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey

O4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE

O4 - HKLM\..\Run: [McAfeeFireTray] "C:\PROGRA~1\McAfee\MCAFEE~1\Firetray.exe"

O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin

O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"

O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: Microsoft Works Agenda-herinneringen.lnk = ?

O4 - Global Startup: QuickScan (OpticFilm 7200).lnk = C:\Program Files\Plustek\OpticFilm 7200\QuickScan.exe

O8 - Extra context menu item: Converteren naar Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Doel van koppeling converteren naar Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Doel van koppeling toevoegen aan bestaande PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Toevoegen aan bestaande PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O15 - Trusted Zone: http://www.duesseldorf.de

O15 - Trusted Zone: http://onecare.live.com

O15 - Trusted Zone: http://housecall65.trendmicro.com

O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase1140.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1249415505734

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1249413699843

O23 - Service: McAfee Desktop Firewall Service (FireSvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MCAFEE~1\FireSvc.exe

O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe

O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe

O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe

O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe

O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe

--

End of file - 7047 bytes

ComboFix.txt

hijackthis.txt



  • Root Admin

The logs show that you have McAfee AV and Sophos AV running; you need to choose one and FULLY remove the other one.

STEP 01

Download but do not yet run ComboFix

If you have a previous version of Combofix.exe, delete it and download a fresh copy.

Download it to your DESKTOP - it MUST run from the Desktop

download.bleepingcomputer.com/sUBs/ComboFix.exe

subs.geekstogo.com/ComboFix.exe

Using your mouse, highlight and then Right-click | Copy the entire contents of the Code box below, including blank lines:

KILLALL::
Driver::
FXKQYLEM
HZFKBMV
MEMSWEEP2
LJRV
ZNK
File::
c:\docume~1\Eigenaar\LOCALS~1\Temp\FXKQYLEM.exe
c:\docume~1\Eigenaar\LOCALS~1\Temp\HZFKBMV.exe
c:\docume~1\Eigenaar\LOCALS~1\Temp\LJRV.exe
c:\windows\system32\6.tmp
c:\docume~1\Eigenaar\LOCALS~1\Temp\ZNK.exe
RegLock::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
[HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]

Open a new Notepad session (do not use a word processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt".

Using your mouse, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown:

CFScript.gif

  • Important: Have no other programs running. Your Task Bar should be clear of any program entries, including your browser.
  • Disconnect from the Internet.
  • Disable your antivirus software. If it has script-blocking features, please disable these as well.
  • A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix.
  • It may identify that the Recovery Console is not installed. Please accept when asked if you wish it to be installed.
  • When the scan completes, Notepad will open with your results log. Do a File, Exit.

A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Post back the Combofix log on your next reply.

STEP 02

Update and Scan with Malwarebytes' Anti-Malware

  • Start Malwarebytes' Anti-Malware (Vista users must right-click and choose Run As Admin).
  • Please DO NOT run MBAM in Safe Mode unless requested to; you MUST run it in normal Windows mode.
  • Update Malwarebytes' Anti-Malware:
    • Select the Update tab
    • Click Update
  • When the update is complete, select the Scanner tab.
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then post back the MBAM log and a new Hijackthis log.

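The CFScript in the post above removes exactly the services whose image sits in the user's Temp folder or is a .tmp file in system32. The script below is an added example for this thread; it is not code from ComboFix, DDS or Malwarebytes, and the names parse_service_line, triage, flag_suspicious and build_cfscript are its own. It parses service lines in the "S4 name;display;image --> image [?]" shape quoted in the logs (the sample lines are constructed from that format), scores each entry with that heuristic, and renders reviewed entries in the Driver::/File:: layout the helper used.

```python
"""Triage the service/driver lines of a ComboFix-style log.

Added example for this thread; not ComboFix, DDS or Malwarebytes code.
Every service the helper's CFScript removes has its image either under a
user's Temp folder or as a *.tmp file in system32, so that is the heuristic
encoded here. Function and class names are this example's own.
"""
import re
from dataclasses import dataclass, field

# Constructed sample in the "S4 name;display;image --> image [meta]" shape
# quoted in the thread (a subset of the real entries).
SAMPLE_LOG = r"""
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [3-11-2006 19:19 13592]
S3 PDSched;PDScheduler;c:\program files\Raxco\PerfectDisk\PDSched.exe [29-11-2005 12:16 241731]
S4 adiusbae;USB ADSL LAN Adapter;c:\windows\system32\DRIVERS\adiusbae.sys --> c:\windows\system32\DRIVERS\adiusbae.sys [?]
S4 cpuz130;cpuz130;\??\c:\docume~1\Eigenaar\LOCALS~1\Temp\cpuz130\cpuz_x32.sys --> c:\docume~1\Eigenaar\LOCALS~1\Temp\cpuz130\cpuz_x32.sys [?]
S4 esihdrv;esihdrv;\??\c:\docume~1\Eigenaar\LOCALS~1\Temp\esihdrv.sys --> c:\docume~1\Eigenaar\LOCALS~1\Temp\esihdrv.sys [?]
S4 FXKQYLEM;FXKQYLEM;c:\docume~1\Eigenaar\LOCALS~1\Temp\FXKQYLEM.exe --> c:\docume~1\Eigenaar\LOCALS~1\Temp\FXKQYLEM.exe [?]
S4 HZFKBMV;HZFKBMV;c:\docume~1\Eigenaar\LOCALS~1\Temp\HZFKBMV.exe --> c:\docume~1\Eigenaar\LOCALS~1\Temp\HZFKBMV.exe [?]
S4 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S4 LJRV;LJRV;c:\docume~1\Eigenaar\LOCALS~1\Temp\LJRV.exe --> c:\docume~1\Eigenaar\LOCALS~1\Temp\LJRV.exe [?]
S4 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\6.tmp --> c:\windows\system32\6.tmp [?]
S4 ZNK;ZNK;c:\docume~1\Eigenaar\LOCALS~1\Temp\ZNK.exe --> c:\docume~1\Eigenaar\LOCALS~1\Temp\ZNK.exe [?]
"""

# Start code (R2, S3, S4 ...), then name;display;rest. Paths never contain ';'.
SERVICE_LINE = re.compile(r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")
META_TRAILER = re.compile(r"\s\[(.*?)\]\s*$")  # "[date time size]" or "[?]"


@dataclass
class ServiceEntry:
    start: str
    name: str
    image: str                  # image path with any \??\ prefix removed
    meta: str                   # "?" when the log could not read the file
    score: int = 0
    reasons: list = field(default_factory=list)


def parse_service_line(line: str):
    """Return a ServiceEntry for a service line, or None for anything else."""
    m = SERVICE_LINE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    meta = "?"
    t = META_TRAILER.search(rest)
    if t:
        meta, rest = t.group(1), rest[: t.start()]
    image = rest.split(" --> ")[0].strip()
    if image.startswith("\\??\\"):
        image = image[4:]
    return ServiceEntry(m.group("start"), m.group("name"), image, meta)


def triage(entry: ServiceEntry) -> ServiceEntry:
    """Attach weighted reasons; the weights are this example's own choice."""
    img = entry.image.lower()
    if "\\temp\\" in img:                     # LOCALS~1\Temp\ or windows\TEMP\
        entry.reasons.append("image under a Temp folder")
        entry.score += 2
    if img.endswith(".tmp"):
        entry.reasons.append("service image is a .tmp file")
        entry.score += 2
    if entry.meta == "?":                      # weak: stale legitimate drivers show [?] too
        entry.reasons.append("file date/size unreadable")
        entry.score += 1
    return entry


def flag_suspicious(log_text: str, threshold: int = 2):
    """Entries scoring at or above the threshold, for analyst review."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_service_line(line)
        if entry and triage(entry).score >= threshold:
            flagged.append(entry)
    return flagged


def build_cfscript(entries) -> str:
    """Render reviewed entries in the Driver::/File:: layout used above."""
    lines = ["KILLALL::", "Driver::", *[e.name for e in entries],
             "File::", *[e.image for e in entries]]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for e in flag_suspicious(SAMPLE_LOG):
        print(f"{e.name:<10} score={e.score}  {e.image}  <- {'; '.join(e.reasons)}")
```

Run on the sample, the heuristic lists seven candidates, not five: the cpuz130 and esihdrv drivers also live in Temp, so the output is a review list rather than a removal list. The helper left those two out of the CFScript, which is why build_cfscript should be fed the reviewed entries instead of flag_suspicious's raw result.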

Thanks again for the help.

I only have McAfee and I don't use Sophos. In Add/Remove Programs or with Revo Uninstaller, I cannot see Sophos. How can I remove it anyway?

Here is the log of Combofix:

ComboFix 09-08-08.04 - Eigenaar 09-08-2009 9:25.29.2 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.31.1043.18.2031.1493 [GMT 2:00]

Gestart vanuit: c:\documents and settings\Eigenaar\Bureaublad\ComboFix.exe

gebruikte Opdracht switches :: c:\documents and settings\Eigenaar\Bureaublad\CFscript.txt

AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

FILE ::

"c:\docume~1\Eigenaar\LOCALS~1\Temp\FXKQYLEM.exe"

"c:\docume~1\Eigenaar\LOCALS~1\Temp\HZFKBMV.exe"

"c:\docume~1\Eigenaar\LOCALS~1\Temp\LJRV.exe"

"c:\docume~1\Eigenaar\LOCALS~1\Temp\ZNK.exe"

"c:\windows\system32\6.tmp"

.

(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_FXKQYLEM

-------\Legacy_HZFKBMV

-------\Legacy_LJRV

-------\Legacy_MEMSWEEP2

-------\Legacy_ZNK

-------\Service_FXKQYLEM

-------\Service_HZFKBMV

-------\Service_LJRV

-------\Service_MEMSWEEP2

-------\Service_ZNK

(((((((((((((((((((( Bestanden Gemaakt van 2009-07-09 to 2009-08-09 ))))))))))))))))))))))))))))))

.

2009-08-08 21:19 . 2009-08-08 21:19 -------- d--h--r- c:\documents and settings\Eigenaar\Onlangs geopend

2009-08-06 22:54 . 2008-09-16 19:23 168448 ----a-w- c:\windows\system32\unrar.dll

2009-08-06 22:54 . 2009-05-29 21:37 205824 ----a-w- c:\windows\system32\xvidvfw.dll

2009-08-06 22:54 . 2009-05-29 21:31 881664 ----a-w- c:\windows\system32\xvidcore.dll

2009-08-06 22:54 . 2004-01-25 16:18 217088 ----a-w- c:\windows\system32\yv12vfw.dll

2009-08-06 22:54 . 2009-05-01 21:02 90112 ----a-w- c:\windows\system32\dpl100.dll

2009-08-06 22:54 . 2008-11-06 16:37 3596288 ----a-w- c:\windows\system32\qt-dx331.dll

2009-08-06 22:54 . 2009-05-01 21:02 685056 ----a-w- c:\windows\system32\divx.dll

2009-08-06 22:54 . 2009-06-02 16:11 85504 ----a-w- c:\windows\system32\ff_vfw.dll

2009-08-06 22:54 . 2009-01-07 18:14 60273 ----a-w- c:\windows\system32\pthreadGC2.dll

2009-08-06 22:50 . 2009-08-06 22:50 -------- d-----w- c:\documents and settings\Eigenaar\Application Data\Media Player Classic

2009-08-05 19:21 . 2009-08-05 19:21 152576 ----a-w- c:\documents and settings\Eigenaar\Application Data\Sun\Java\jre1.6.0_15\lzma.dll

2009-08-04 19:59 . 2009-08-04 20:44 -------- d-----w- C:\_AcroTemp

2009-08-04 19:39 . 2009-08-04 19:39 -------- d-----w- c:\documents and settings\Eigenaar\Application Data\Windows Desktop Search

2009-08-04 19:31 . 2008-03-07 17:02 29696 -c----w- c:\windows\system32\dllcache\mimefilt.dll

2009-08-04 19:31 . 2008-03-07 17:02 98304 -c----w- c:\windows\system32\dllcache\nlhtml.dll

2009-08-04 19:31 . 2008-03-07 17:02 192000 -c----w- c:\windows\system32\dllcache\offfilt.dll

2009-08-04 17:35 . 2009-08-04 17:35 -------- d-----w- c:\program files\Microsoft Office Outlook Connector

2009-08-04 17:21 . 2009-08-04 17:21 -------- d-----w- c:\program files\Windows Live SkyDrive

2009-08-04 16:53 . 2009-08-04 17:21 -------- d-----w- c:\program files\Microsoft

2009-08-04 15:33 . 2009-08-04 15:33 -------- d-----w- c:\program files\Microsoft.NET

2009-08-04 15:19 . 2009-08-04 15:19 -------- d--h--r- C:\MSOCache

2009-07-31 13:29 . 2009-07-31 13:29 1962544 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player_ax.exe

2009-07-31 13:25 . 2009-07-31 13:59 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS

2009-07-31 13:25 . 2009-07-31 13:59 -------- d-----w- c:\program files\NOS

2009-07-31 13:23 . 2009-07-31 13:23 38208 ----a-w- c:\documents and settings\Eigenaar\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe

2009-07-31 13:23 . 2009-07-31 13:23 38208 ----a-w- c:\documents and settings\Default User\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe

.

((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-08-07 18:07 . 2004-06-13 09:32 79248 ----a-w- c:\documents and settings\Eigenaar\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-08-07 14:54 . 2008-05-27 15:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2009-08-06 22:25 . 2005-09-09 14:12 -------- d-----w- c:\program files\K-Lite Codec Pack

2009-08-06 15:43 . 2007-01-06 18:26 -------- d-----w- c:\documents and settings\Eigenaar\Application Data\OfficeUpdate12

2009-08-05 19:47 . 2006-03-04 19:06 -------- d-----w- c:\program files\Windows Live Safety Center

2009-08-05 19:23 . 2009-03-26 18:33 -------- d-----w- c:\program files\Java

2009-08-04 20:07 . 2008-05-27 17:02 -------- d-----w- c:\program files\Windows Desktop Search

2009-08-04 19:34 . 2003-04-08 12:00 536884 ----a-w- c:\windows\system32\perfh013.dat

2009-08-04 19:34 . 2003-04-08 12:00 101106 ----a-w- c:\windows\system32\perfc013.dat

2009-08-04 18:57 . 2007-03-28 19:03 -------- d-----w- c:\program files\MSBuild

2009-08-04 16:22 . 2005-05-07 17:14 -------- d-----w- c:\program files\Microsoft Works

2009-08-03 19:30 . 2008-12-27 14:19 3942048 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

2009-08-03 11:36 . 2008-12-27 14:18 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-08-03 11:36 . 2008-12-27 14:18 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-08-02 20:40 . 2004-08-21 17:23 -------- d-----w- c:\program files\Common Files\Elecard

2009-08-01 13:45 . 2008-03-04 11:05 -------- d-----w- c:\documents and settings\Eigenaar\Application Data\Vso

2009-07-31 13:58 . 2008-01-27 08:13 -------- d-----w- c:\program files\Microsoft Silverlight

2009-07-31 13:23 . 2009-02-20 18:24 -------- d-----w- c:\program files\Common Files\Adobe AIR

2009-07-25 03:23 . 2008-12-03 17:51 411368 ----a-w- c:\windows\system32\deploytk.dll

2009-07-20 10:29 . 2008-02-28 21:20 264704 ------w- c:\documents and settings\Eigenaar\Application Data\OfficeUpdate12\oudetect.dll

2009-07-10 12:58 . 2008-12-10 14:47 -------- d-----w- c:\documents and settings\Eigenaar\Application Data\Lasersoft Imaging

2009-07-07 15:37 . 2009-07-07 15:37 -------- d-----w- c:\documents and settings\Eigenaar\Application Data\Uniblue

2009-07-06 20:52 . 2007-10-09 20:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft

2009-07-06 19:16 . 2009-05-20 18:37 -------- d-----w- c:\program files\Lavasoft

2009-07-06 17:04 . 2008-10-02 18:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-07-06 15:24 . 2008-09-14 15:14 -------- d-----w- c:\program files\McAfee

2009-07-06 15:24 . 2008-09-29 20:58 -------- d-----w- c:\program files\Common Files\McAfee

2009-07-06 15:24 . 2008-09-14 15:15 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee

2009-07-06 14:44 . 2008-09-15 16:55 -------- d-----w- c:\documents and settings\All Users\Application Data\SiteAdvisor

2009-07-03 17:00 . 2004-02-06 16:09 915456 ----a-w- c:\windows\system32\wininet.dll

2009-06-27 19:54 . 2009-06-13 17:22 -------- d-----w- c:\documents and settings\All Users\Application Data\PCPitstop

2009-06-24 18:04 . 2004-06-08 12:37 -------- d--h--w- c:\program files\InstallShield Installation Information

2009-06-21 12:32 . 2004-10-04 18:36 -------- d-----w- c:\documents and settings\Eigenaar\Application Data\Skype

2009-06-17 12:20 . 2009-06-17 12:20 12648 ----a-w- c:\windows\system32\drivers\psi_mf.sys

2009-06-16 14:40 . 2003-04-08 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll

2009-06-16 14:40 . 2003-04-08 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll

2009-06-03 19:11 . 2004-08-21 16:00 1295360 ----a-w- c:\windows\system32\quartz.dll

2009-05-24 22:24 . 2008-05-26 20:18 350208 ----a-w- c:\windows\system32\mssph.dll

2009-05-12 13:12 . 2004-10-09 18:50 26144 ----a-w- c:\windows\system32\spupdsvc.exe

2002-07-26 15:02 . 2008-10-12 18:52 153088 ----a-w- c:\program files\UNWISE.EXE

2009-01-22 10:48 . 2009-01-22 10:48 4184 --sha-w- c:\windows\system32\KGyGaAvL.sys

.

((((((((((((((((((((((((((((( SnapShot@2009-08-08_21.59.02 )))))))))))))))))))))))))))))))))))))))))

.

+ 2009-08-09 07:39 . 2009-08-09 07:39 16384 c:\windows\temp\Perflib_Perfdata_7c4.dat

+ 2009-08-09 07:33 . 2009-08-09 07:33 8192 c:\windows\erdnt\subs\Users\00000004\UsrClass.dat

+ 2009-08-09 07:33 . 2009-08-09 07:33 8192 c:\windows\erdnt\subs\Users\00000002\UsrClass.dat

+ 2009-08-09 07:33 . 2009-08-09 07:33 237568 c:\windows\erdnt\subs\Users\00000006\UsrClass.dat

+ 2009-08-09 07:33 . 2009-08-09 07:33 1609728 c:\windows\erdnt\subs\Users\00000003\NTUSER.DAT

+ 2009-08-09 07:33 . 2009-08-09 07:33 1605632 c:\windows\erdnt\subs\Users\00000001\NTUSER.DAT

+ 2009-08-09 07:33 . 2009-08-09 07:33 16891904 c:\windows\erdnt\subs\Users\00000005\ntuser.dat

.

((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"LogitechGalleryRepair"="c:\program files\Logitech\Video\ISStart.exe" [2004-02-25 454656]

"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 136768]

"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2006-11-30 112216]

"McAfeeFireTray"="c:\progra~1\McAfee\MCAFEE~1\Firetray.exe" [2006-07-20 655427]

"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-11-13 611712]

"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2009-02-27 38768]

"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2009-02-27 640376]

c:\documents and settings\All Users\Menu Start\Programma's\Opstarten\

Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]

Microsoft Works Agenda-herinneringen.lnk - c:\program files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [1999-8-6 53317]

QuickScan (OpticFilm 7200).lnk - c:\program files\Plustek\OpticFilm 7200\QuickScan.exe [2008-12-10 290816]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"DisableStatusMessages"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^WinZip Quick Pick.lnk]

backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Eigenaar^Menu Start^Programma's^Opstarten^Microsoft Office Werkbalk.lnk]

backup=c:\windows\pss\Microsoft Office Werkbalk.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eigenaar^Menu Start^Programma's^Opstarten^NaturalColorLoad.lnk]

backup=c:\windows\pss\NaturalColorLoad.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"vsmon"=2 (0x2)

"NProtectService"=2 (0x2)

"CAISafe"=2 (0x2)

"SoundMAX Agent Service (default)"=2 (0x2)

"gusvc"=3 (0x3)

"InCDsrv"=2 (0x2)

"Automatic LiveUpdate Scheduler"=2 (0x2)

"LJRV"=3 (0x3)

"FXKQYLEM"=3 (0x3)

"0008701238501265mcinstcleanup"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"zBrowser Launcher"=c:\program files\Logitech\iTouch\iTouch.exe

"DU Meter"=c:\data\Programmas\Tools\DU Meter 3.0.7+keygen\DU Meter\DUMeter.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\DATA\\Programmas\\eMule\\eMule.exe"=

"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=

"c:\\DATA\\Programmas\\Phone\\Skype.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"5353:TCP"= 5353:TCP:Adobe CSI CS4

R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [3-11-2006 19:19 13592]

R2 wlidsvc;Windows Live ID Sign-in Assistant;c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE [30-3-2009 16:28 1533808]

S3 PDSched;PDScheduler;c:\program files\Raxco\PerfectDisk\PDSched.exe [29-11-2005 12:16 241731]

S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [17-6-2009 14:20 12648]

S4 adiusbae;USB ADSL LAN Adapter;c:\windows\system32\DRIVERS\adiusbae.sys --> c:\windows\system32\DRIVERS\adiusbae.sys [?]

S4 cpuz130;cpuz130;\??\c:\docume~1\Eigenaar\LOCALS~1\Temp\cpuz130\cpuz_x32.sys --> c:\docume~1\Eigenaar\LOCALS~1\Temp\cpuz130\cpuz_x32.sys [?]

S4 esihdrv;esihdrv;\??\c:\docume~1\Eigenaar\LOCALS~1\Temp\esihdrv.sys --> c:\docume~1\Eigenaar\LOCALS~1\Temp\esihdrv.sys [?]

S4 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]

S4 SAVOnAccessControl;SAVOnAccessControl;c:\windows\system32\DRIVERS\savonaccesscontrol.sys --> c:\windows\system32\DRIVERS\savonaccesscontrol.sys [?]

S4 SAVOnAccessFilter;SAVOnAccessFilter;c:\windows\system32\DRIVERS\savonaccessfilter.sys --> c:\windows\system32\DRIVERS\savonaccessfilter.sys [?]

--- Andere Services/Drivers In Geheugen ---

*Deregistered* - uphcleanhlp

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]

"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

.

Inhoud van de 'Gedeelde Taken' map

2008-09-19 c:\windows\Tasks\Hotmail.job

- c:\progra~1\INTERN~1\iexplore.exe [2004-06-08 12:09]

2009-08-09 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 17:20]

2009-08-08 c:\windows\Tasks\Update McAfee.job

- c:\program files\McAfee\VirusScan Enterprise\mcupdate.exe [2006-11-30 06:50]

2009-05-20 c:\windows\Tasks\User_Feed_Synchronization-{DD39BDB4-132C-4682-8166-8AB6CB2956B9}.job

- c:\windows\system32\msfeedssync.exe [2006-10-17 02:31]

2009-07-31 c:\windows\Tasks\Windows Defender.job

- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 17:20]

2008-09-30 c:\windows\Tasks\Windows Defrag.job

- c:\documents and settings\Eigenaar\Mijn documenten\defrag.bat [2008-09-29 19:25]

.

.

------- Bijkomende Scan -------

.

IE: Converteren naar Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html

IE: Doel van koppeling converteren naar Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Doel van koppeling toevoegen aan bestaande PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Toevoegen aan bestaande PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html

Trusted Zone: airfrance.com\w3

Trusted Zone: belastingdienst.nl\mijn

Trusted Zone: cocensus.nl\webmail

Trusted Zone: duesseldorf.de\www

Trusted Zone: ing.nl\mijn

Trusted Zone: klm.com\secure

Trusted Zone: live.com\login

Trusted Zone: live.com\onecare

Trusted Zone: microsoft.com\download.windowsupdate

Trusted Zone: microsoft.com\office

Trusted Zone: microsoft.com\update

Trusted Zone: microsoft.com\www.update

Trusted Zone: nuon.nl\www

Trusted Zone: postbank.nl\mijn

Trusted Zone: postbank.nl\rentepunten

Trusted Zone: trendmicro.com\housecall65

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-08-09 09:42

Windows 5.1.2600 Service Pack 3 NTFS

scannen van verborgen processen ...

scannen van verborgen autostart items ...

scannen van verborgen bestanden ...

c:\windows\TEMP\TMP00000015F649214A84BE6D2B 524288 bytes executable

Scan succesvol afgerond

verborgen bestanden: 1

**************************************************************************

.

--------------------- VERGRENDELDE REGISTER SLEUTELS ---------------------

[HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]

"Version"=hex:04,8d,55,e6,54,b8,6d,22,bb,a6,1a,3d,09,4a,51,60,84,fd,5b,41,01,

8c,25,05,59,bd,9e,3f,68,70,81,06,0d,da,8e,0d,50,9b,b8,1c,f9,67,32,85,48,ea,\

.

--------------------- DLLs Geladen Onder Lopende Processen ---------------------

- - - - - - - > 'explorer.exe'(3476)

c:\windows\system32\webcheck.dll

.

------------------------ Andere Aktieve Processen ------------------------

.

c:\progra~1\McAfee\MCAFEE~1\FireSvc.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\McAfee\Common Framework\FrameworkService.exe

c:\program files\McAfee\VirusScan Enterprise\Mcshield.exe

c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe

c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

c:\program files\UPHClean\uphclean.exe

c:\program files\McAfee\Common Framework\naPrdMgr.exe

c:\windows\system32\searchindexer.exe

c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE

c:\windows\system32\searchprotocolhost.exe

c:\program files\McAfee\Common Framework\Mctray.exe

c:\windows\system32\searchfilterhost.exe

c:\windows\system32\taskmgr.exe

.

**************************************************************************

.

Voltooingstijd: 2009-08-09 9:51 - machine werd herstart

ComboFix-quarantined-files.txt 2009-08-09 07:51

ComboFix2.txt 2009-08-09 07:03

ComboFix3.txt 2009-08-09 06:37

ComboFix4.txt 2009-08-08 23:27

Pre-Run: 87.479.775.232 bytes beschikbaar

Post-Run: 87.236.927.488 bytes beschikbaar

276 --- E O F --- 2009-08-06 15:39

Here is the log of Mbam:

Malwarebytes' Anti-Malware 1.40

Database versie: 2583

Windows 5.1.2600 Service Pack 3

9-8-2009 10:14:44

mbam-log-2009-08-09 (10-14-44).txt

Scan type: Snelle Scan

Objecten gescand: 97253

Verstreken tijd: 15 minute(s), 3 second(s)

Geheugenprocessen ge

mbam_log_2009_08_09__10_14_44_.txt

Combofix.txt

hijackthis.20090809.10.16.txt


  • Root Admin

STEP 01

Please click on START - RUN and type in MSCONFIG

Go to the SERVICES tab and click on the ENABLE ALL button and restart the computer.

STEP 02

When it restarts again, click on START - RUN, type in MSCONFIG, set it to NORMAL STARTUP and restart the computer again if necessary.

If it is already on NORMAL STARTUP, just quit it.

STEP 03

This will remove the driver portions of the Sophos AV for you as well.

Download but do not yet run ComboFix

If you have a previous version of Combofix.exe, delete it and download a fresh copy.

Download it to your DESKTOP - it MUST run from the Desktop

download.bleepingcomputer.com/sUBs/ComboFix.exe

subs.geekstogo.com/ComboFix.exe

Using your mouse, Highlight and then Right-click | Copy the entire contents of the Code box below, including blank lines

KILLALL::
Driver::
esihdrv
SAVOnAccessControl
SAVOnAccessFilter
File::
c:\docume~1\Eigenaar\LOCALS~1\Temp\esihdrv.sys
c:\windows\system32\DRIVERS\savonaccesscontrol.sys
c:\windows\system32\DRIVERS\savonaccessfilter.sys

Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt".

Using your mouse, drag the new file CFscript.txt and drop it on the Combo-Fix.exe icon as shown:

CFScript.gif

  • Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
  • Disconnect from the Internet.
  • Disable your Antivirus software. If it has Script Blocking features, please disable these as well.
  • A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix.
  • It may identify that Recovery Console is not installed. Please accept when asked if you wish it to be installed.
    When the scan completes, Notepad will open with your results log open. Do a File, Exit.

A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Post back the Combofix log on your next reply.

STEP 04

Please download and run these tools which are designed to restore some standard policy settings. They are not harmful.

    VArestorepolicies.INF
  • Download this INF repair file from here: VArestorepolicies.zip by MS-MVP Miekiemoes
  • Unzip or open the file VArestorepolicies.zip
  • Open the folder VArestorepolicies and Right-click the file inside, VArestorepolicies.INF and choose Install
    FixPolicies.exe
  • Download this self-extracting ZIP archive from here: FixPolicies.exe by MS-MVP Bill Castner and save it to your desktop.
  • Double-click FixPolicies.exe
  • Click the "Install" button on the bottom toolbar of the box that will open
  • The program will create a new Folder called FixPolicies
  • Double-click to Open the new Folder, and then double-click the file within: Fix_Policies.cmd
  • A black box will briefly appear and then close
  • These fixes may prove temporary. Active malware may revert these changes on your next startup. You can safely run these utilities again.

STEP 05

Temporarily disable your current Anti-Virus and run the following Online AV scanner please.

Run Eset NOD32 Online AntiVirus

Note: You will need to use Internet Explorer for this scan.

  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Click Start
  • Make sure that the option "Remove found threats" is Un-checked, and the option "Scan unwanted applications" is checked
  • Click Scan
  • Wait for the scan to finish
  • Re-enable your Antivirus software.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

Hello again and thanks again.

I followed all the advice and here are the results.

Step 01: after applying the changes in MSCONFIG, the message came that access was denied because I do not have the right privileges.

After the restart, I saw that the changes were made. The same occurred at step 2.

Step 03: Combofix started to run and after a while the message came that Combofix must make a restart. The shutdown started, all my desktop icons disappeared and I only saw my "wallpaper". That lasted for about 90 minutes and there was no processor activity. Therefore I restarted my computer myself and Combofix continued with scanning.

In the Combofix log I saw that there are registry keys containing something about Symantec. A few years ago I did indeed have Symantec; are these keys a problem?

Step 04 and 05 also started.

This is the combofix log:

ComboFix 09-08-09.04 - Eigenaar 10-08-2009 17:50.30.2 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.31.1043.18.2031.1382 [GMT 2:00]

Gestart vanuit: c:\documents and settings\Eigenaar\Bureaublad\ComboFix.exe

gebruikte Opdracht switches :: c:\documents and settings\Eigenaar\Bureaublad\CFscript.txt

AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

FILE ::

"c:\docume~1\Eigenaar\LOCALS~1\Temp\esihdrv.sys"

"c:\windows\system32\DRIVERS\savonaccesscontrol.sys"

"c:\windows\system32\DRIVERS\savonaccessfilter.sys"

.

(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_ESIHDRV

-------\Legacy_SAVONACCESSCONTROL

-------\Legacy_SAVONACCESSFILTER

-------\Service_esihdrv

-------\Service_SAVOnAccessControl

-------\Service_SAVOnAccessFilter

(((((((((((((((((((( Bestanden Gemaakt van 2009-07-10 to 2009-08-10 ))))))))))))))))))))))))))))))

.

2009-08-09 09:14 . 2009-08-09 09:14 -------- d--h--r- c:\documents and settings\Eigenaar\Onlangs geopend

2009-08-06 22:54 . 2008-09-16 19:23 168448 ----a-w- c:\windows\system32\unrar.dll

2009-08-06 22:54 . 2009-05-29 21:37 205824 ----a-w- c:\windows\system32\xvidvfw.dll

2009-08-06 22:54 . 2009-05-29 21:31 881664 ----a-w- c:\windows\system32\xvidcore.dll

2009-08-06 22:54 . 2004-01-25 16:18 217088 ----a-w- c:\windows\system32\yv12vfw.dll

2009-08-06 22:54 . 2009-05-01 21:02 90112 ----a-w- c:\windows\system32\dpl100.dll

2009-08-06 22:54 . 2008-11-06 16:37 3596288 ----a-w- c:\windows\system32\qt-dx331.dll

2009-08-06 22:54 . 2009-05-01 21:02 685056 ----a-w- c:\windows\system32\divx.dll

2009-08-06 22:54 . 2009-06-02 16:11 85504 ----a-w- c:\windows\system32\ff_vfw.dll

2009-08-06 22:54 . 2009-01-07 18:14 60273 ----a-w- c:\windows\system32\pthreadGC2.dll

2009-08-06 22:50 . 2009-08-06 22:50 -------- d-----w- c:\documents and settings\Eigenaar\Application Data\Media Player Classic

2009-08-05 19:21 . 2009-08-05 19:21 152576 ----a-w- c:\documents and settings\Eigenaar\Application Data\Sun\Java\jre1.6.0_15\lzma.dll

2009-08-04 19:59 . 2009-08-04 20:44 -------- d-----w- C:\_AcroTemp

2009-08-04 19:39 . 2009-08-04 19:39 -------- d-----w- c:\documents and settings\Eigenaar\Application Data\Windows Desktop Search

2009-08-04 19:31 . 2008-03-07 17:02 29696 -c----w- c:\windows\system32\dllcache\mimefilt.dll

2009-08-04 19:31 . 2008-03-07 17:02 98304 -c----w- c:\windows\system32\dllcache\nlhtml.dll

2009-08-04 19:31 . 2008-03-07 17:02 192000 -c----w- c:\windows\system32\dllcache\offfilt.dll

2009-08-04 17:35 . 2009-08-04 17:35 -------- d-----w- c:\program files\Microsoft Office Outlook Connector

2009-08-04 17:21 . 2009-08-04 17:21 -------- d-----w- c:\program files\Windows Live SkyDrive

2009-08-04 16:53 . 2009-08-04 17:21 -------- d-----w- c:\program files\Microsoft

2009-08-04 15:33 . 2009-08-04 15:33 -------- d-----w- c:\program files\Microsoft.NET

2009-08-04 15:19 . 2009-08-04 15:19 -------- d--h--r- C:\MSOCache

2009-07-31 13:29 . 2009-07-31 13:29 1962544 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player_ax.exe

2009-07-31 13:25 . 2009-07-31 13:59 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS

2009-07-31 13:25 . 2009-07-31 13:59 -------- d-----w- c:\program files\NOS

2009-07-31 13:23 . 2009-07-31 13:23 38208 ----a-w- c:\documents and settings\Eigenaar\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe

2009-07-31 13:23 . 2009-07-31 13:23 38208 ----a-w- c:\documents and settings\Default User\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe

.

((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-08-10 15:43 . 2004-10-04 18:36 -------- d-----w- c:\documents and settings\Eigenaar\Application Data\Skype

2009-08-07 18:07 . 2004-06-13 09:32 79248 ----a-w- c:\documents and settings\Eigenaar\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-08-07 14:54 . 2008-05-27 15:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2009-08-06 22:25 . 2005-09-09 14:12 -------- d-----w- c:\program files\K-Lite Codec Pack

2009-08-06 15:43 . 2007-01-06 18:26 -------- d-----w- c:\documents and settings\Eigenaar\Application Data\OfficeUpdate12

2009-08-05 19:47 . 2006-03-04 19:06 -------- d-----w- c:\program files\Windows Live Safety Center

2009-08-05 19:23 . 2009-03-26 18:33 -------- d-----w- c:\program files\Java

2009-08-04 20:07 . 2008-05-27 17:02 -------- d-----w- c:\program files\Windows Desktop Search

2009-08-04 19:34 . 2003-04-08 12:00 536884 ----a-w- c:\windows\system32\perfh013.dat

2009-08-04 19:34 . 2003-04-08 12:00 101106 ----a-w- c:\windows\system32\perfc013.dat

2009-08-04 18:57 . 2007-03-28 19:03 -------- d-----w- c:\program files\MSBuild

2009-08-04 16:22 . 2005-05-07 17:14 -------- d-----w- c:\program files\Microsoft Works

2009-08-03 19:30 . 2008-12-27 14:19 3942048 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

2009-08-03 11:36 . 2008-12-27 14:18 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-08-03 11:36 . 2008-12-27 14:18 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-08-02 20:40 . 2004-08-21 17:23 -------- d-----w- c:\program files\Common Files\Elecard

2009-08-01 13:45 . 2008-03-04 11:05 -------- d-----w- c:\documents and settings\Eigenaar\Application Data\Vso

2009-07-31 13:58 . 2008-01-27 08:13 -------- d-----w- c:\program files\Microsoft Silverlight

2009-07-31 13:23 . 2009-02-20 18:24 -------- d-----w- c:\program files\Common Files\Adobe AIR

2009-07-25 03:23 . 2008-12-03 17:51 411368 ----a-w- c:\windows\system32\deploytk.dll

2009-07-20 10:29 . 2008-02-28 21:20 264704 ------w- c:\documents and settings\Eigenaar\Application Data\OfficeUpdate12\oudetect.dll

2009-07-10 12:58 . 2008-12-10 14:47 -------- d-----w- c:\documents and settings\Eigenaar\Application Data\Lasersoft Imaging

2009-07-07 15:37 . 2009-07-07 15:37 -------- d-----w- c:\documents and settings\Eigenaar\Application Data\Uniblue

2009-07-06 20:52 . 2007-10-09 20:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft

2009-07-06 19:16 . 2009-05-20 18:37 -------- d-----w- c:\program files\Lavasoft

2009-07-06 17:04 . 2008-10-02 18:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-07-06 15:24 . 2008-09-14 15:14 -------- d-----w- c:\program files\McAfee

2009-07-06 15:24 . 2008-09-29 20:58 -------- d-----w- c:\program files\Common Files\McAfee

2009-07-06 15:24 . 2008-09-14 15:15 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee

2009-07-06 14:44 . 2008-09-15 16:55 -------- d-----w- c:\documents and settings\All Users\Application Data\SiteAdvisor

2009-07-03 17:00 . 2004-02-06 16:09 915456 ----a-w- c:\windows\system32\wininet.dll

2009-06-27 19:54 . 2009-06-13 17:22 -------- d-----w- c:\documents and settings\All Users\Application Data\PCPitstop

2009-06-24 18:04 . 2004-06-08 12:37 -------- d--h--w- c:\program files\InstallShield Installation Information

2009-06-17 12:20 . 2009-06-17 12:20 12648 ----a-w- c:\windows\system32\drivers\psi_mf.sys

2009-06-16 14:40 . 2003-04-08 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll

2009-06-16 14:40 . 2003-04-08 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll

2009-06-03 19:11 . 2004-08-21 16:00 1295360 ----a-w- c:\windows\system32\quartz.dll

2009-05-24 22:24 . 2008-05-26 20:18 350208 ----a-w- c:\windows\system32\mssph.dll

2002-07-26 15:02 . 2008-10-12 18:52 153088 ----a-w- c:\program files\UNWISE.EXE

2009-01-22 10:48 . 2009-01-22 10:48 4184 --sha-w- c:\windows\system32\KGyGaAvL.sys

.

((((((((((((((((((((((((((((( SnapShot@2009-08-08_21.59.02 )))))))))))))))))))))))))))))))))))))))))

.

+ 2009-08-10 17:08 . 2009-08-10 17:08 16384 c:\windows\temp\Perflib_Perfdata_88.dat

+ 2009-08-10 15:59 . 2009-08-10 15:59 8192 c:\windows\erdnt\subs\Users\00000004\UsrClass.dat

+ 2009-08-10 15:59 . 2009-08-10 15:59 8192 c:\windows\erdnt\subs\Users\00000002\UsrClass.dat

+ 2009-08-10 15:59 . 2009-08-10 15:59 237568 c:\windows\erdnt\subs\Users\00000006\UsrClass.dat

+ 2009-08-10 15:59 . 2009-08-10 15:59 1609728 c:\windows\erdnt\subs\Users\00000003\NTUSER.DAT

+ 2009-08-10 15:59 . 2009-08-10 15:59 1605632 c:\windows\erdnt\subs\Users\00000001\NTUSER.DAT

+ 2009-08-10 15:59 . 2009-08-10 15:59 16891904 c:\windows\erdnt\subs\Users\00000005\ntuser.dat

.

((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Skype"="c:\data\Programmas\Phone\Skype.exe" [2009-04-16 24264488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"LogitechGalleryRepair"="c:\program files\Logitech\Video\ISStart.exe" [2004-02-25 454656]

"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 136768]

"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2006-11-30 112216]

"McAfeeFireTray"="c:\progra~1\McAfee\MCAFEE~1\Firetray.exe" [2006-07-20 655427]

"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-11-13 611712]

"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2009-02-27 38768]

"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2009-02-27 640376]

"Network Associates Error Reporting Service"="c:\program files\Common Files\Network Associates\TalkBack\TBMon.exe" [2004-02-19 147514]

"InCD"="c:\program files\Ahead\InCD\InCD.exe" [2006-03-23 1398272]

"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]

c:\documents and settings\All Users\Menu Start\Programma's\Opstarten\

Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]

Microsoft Works Agenda-herinneringen.lnk - c:\program files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [1999-8-6 53317]

QuickScan (OpticFilm 7200).lnk - c:\program files\Plustek\OpticFilm 7200\QuickScan.exe [2008-12-10 290816]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"DisableStatusMessages"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^WinZip Quick Pick.lnk]

backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Eigenaar^Menu Start^Programma's^Opstarten^Microsoft Office Werkbalk.lnk]

backup=c:\windows\pss\Microsoft Office Werkbalk.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eigenaar^Menu Start^Programma's^Opstarten^NaturalColorLoad.lnk]

backup=c:\windows\pss\NaturalColorLoad.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"vsmon"=2 (0x2)

"NProtectService"=2 (0x2)

"CAISafe"=2 (0x2)

"Automatic LiveUpdate Scheduler"=2 (0x2)

"LJRV"=3 (0x3)

"FXKQYLEM"=3 (0x3)

"0008701238501265mcinstcleanup"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"zBrowser Launcher"=c:\program files\Logitech\iTouch\iTouch.exe

"DU Meter"=c:\data\Programmas\Tools\DU Meter 3.0.7+keygen\DU Meter\DUMeter.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\DATA\\Programmas\\eMule\\eMule.exe"=

"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\DATA\\Programmas\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"5353:TCP"= 5353:TCP:Adobe CSI CS4

R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [3-11-2006 19:19 13592]

R2 wlidsvc;Windows Live ID Sign-in Assistant;c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE [30-3-2009 16:28 1533808]

S3 PDSched;PDScheduler;c:\program files\Raxco\PerfectDisk\PDSched.exe [29-11-2005 12:16 241731]

S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [17-6-2009 14:20 12648]

S4 adiusbae;USB ADSL LAN Adapter;c:\windows\system32\DRIVERS\adiusbae.sys --> c:\windows\system32\DRIVERS\adiusbae.sys [?]

S4 cpuz130;cpuz130;\??\c:\docume~1\Eigenaar\LOCALS~1\Temp\cpuz130\cpuz_x32.sys --> c:\docume~1\Eigenaar\LOCALS~1\Temp\cpuz130\cpuz_x32.sys [?]

S4 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]

--- Andere Services/Drivers In Geheugen ---

*Deregistered* - uphcleanhlp

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]

"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

.

Inhoud van de 'Gedeelde Taken' map

2008-09-19 c:\windows\Tasks\Hotmail.job

- c:\progra~1\INTERN~1\iexplore.exe [2004-06-08 12:09]

2009-08-10 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 17:20]

2009-08-10 c:\windows\Tasks\Update McAfee.job

- c:\program files\McAfee\VirusScan Enterprise\mcupdate.exe [2006-11-30 06:50]

2009-05-20 c:\windows\Tasks\User_Feed_Synchronization-{DD39BDB4-132C-4682-8166-8AB6CB2956B9}.job

- c:\windows\system32\msfeedssync.exe [2006-10-17 02:31]

2009-07-31 c:\windows\Tasks\Windows Defender.job

- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 17:20]

2008-09-30 c:\windows\Tasks\Windows Defrag.job

- c:\documents and settings\Eigenaar\Mijn documenten\defrag.bat [2008-09-29 19:25]

.

.

------- Bijkomende Scan -------

.

IE: Converteren naar Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html

IE: Doel van koppeling converteren naar Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Doel van koppeling toevoegen aan bestaande PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Toevoegen aan bestaande PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html

Trusted Zone: airfrance.com\w3

Trusted Zone: belastingdienst.nl\mijn

Trusted Zone: cocensus.nl\webmail

Trusted Zone: duesseldorf.de\www

Trusted Zone: ing.nl\mijn

Trusted Zone: klm.com\secure

Trusted Zone: live.com\login

Trusted Zone: live.com\onecare

Trusted Zone: microsoft.com\download.windowsupdate

Trusted Zone: microsoft.com\office

Trusted Zone: microsoft.com\update

Trusted Zone: microsoft.com\www.update

Trusted Zone: nuon.nl\www

Trusted Zone: postbank.nl\mijn

Trusted Zone: postbank.nl\rentepunten

Trusted Zone: trendmicro.com\housecall65

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-08-10 19:09

Windows 5.1.2600 Service Pack 3 NTFS

scannen van verborgen processen ...

scannen van verborgen autostart items ...

scannen van verborgen bestanden ...

c:\docume~1\Eigenaar\LOCALS~1\Temp\Acrobat Distiller 9\00000AB4

c:\docume~1\Eigenaar\LOCALS~1\Temp\Acrobat Distiller 9\00000AB4\dirlock.tmp 0 bytes

c:\docume~1\Eigenaar\LOCALS~1\Temp\Acrobat Distiller 9\00000AB4\Temp.msg 259 bytes

c:\windows\TEMP\TMP0000001A6D1D023761C5F7A4 524288 bytes

Scan succesvol afgerond

verborgen bestanden: 4

**************************************************************************

.

--------------------- VERGRENDELDE REGISTER SLEUTELS ---------------------

[HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]

"Version"=hex:04,8d,55,e6,54,b8,6d,22,bb,a6,1a,3d,09,4a,51,60,84,fd,5b,41,01,

8c,25,05,59,bd,9e,3f,68,70,81,06,0d,da,8e,0d,50,9b,b8,1c,f9,67,32,85,48,ea,\

.

--------------------- DLLs Geladen Onder Lopende Processen ---------------------

- - - - - - - > 'explorer.exe'(2852)

c:\windows\system32\webcheck.dll

.

------------------------ Andere Aktieve Processen ------------------------

.

c:\program files\Ahead\InCD\InCDsrv.exe

c:\progra~1\McAfee\MCAFEE~1\FireSvc.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\McAfee\Common Framework\FrameworkService.exe

c:\program files\McAfee\VirusScan Enterprise\Mcshield.exe

c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe

c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

c:\program files\McAfee\Common Framework\naPrdMgr.exe

c:\program files\Analog Devices\SoundMAX\SMAgent.exe

c:\program files\UPHClean\uphclean.exe

c:\windows\system32\searchindexer.exe

c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE

c:\program files\McAfee\Common Framework\Mctray.exe

c:\windows\system32\searchprotocolhost.exe

c:\windows\system32\searchfilterhost.exe

.

**************************************************************************

.

Voltooingstijd: 2009-08-10 19:18 - machine werd herstart

ComboFix-quarantined-files.txt 2009-08-10 17:18

ComboFix2.txt 2009-08-09 07:51

ComboFix3.txt 2009-08-09 07:03

ComboFix4.txt 2009-08-09 06:37

ComboFix5.txt 2009-08-10 15:49

Pre-Run: 83.610.578.944 bytes beschikbaar

Post-Run: 83.439.570.944 bytes beschikbaar

275 --- E O F --- 2009-08-06 15:39

And this is the ESET log:

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

# version=6

# IEXPLORE.EXE=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)

# OnlineScanner.ocx=1.0.0.5889

# api_version=3.0.2

# EOSSerial=fd889bb8fa918e42b66a0da0e7d9bd83

# end=finished

# remove_checked=false

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2009-08-10 07:11:33

# local_time=2009-08-10 09:11:33 (+0100, West-Europa (zomertijd))

# country="Netherlands"

# lang=9

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=5889 61 66 100 744124272343750

# scanned=104712

# found=0

# cleaned=0

# scan_time=5783

Combofix.txt

log.txt
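The two ComboFix logs in this thread record the same set of weakened security settings: `FirewallOverride` and `DisableMonitoring` set to 1 under the Security Center key, `EnableFirewall`= 0 for the standard firewall profile, and disabled (S4) drivers whose image file ComboFix could not find, one of them under a Temp directory. The Python script below is an added example, not the thread's or ComboFix's own code: it re-parses a constructed sample made from those posted lines and turns each into a finding, so a helper reviewing such a log does not have to read hundreds of registry lines by eye. It generalizes slightly beyond the posted log by flagging any `*Override` or `Disable*` DWORD set to 1 under the Security Center key; reading the trailing `[?]` as ComboFix's marker for a file it could not locate is my reading of the log format, not something the thread states.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample (added example, not the thread's full log): a few lines in
# the shape of the ComboFix "Reg Opstartpunten" and services sections posted above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\DATA\\Programmas\\eMule\\eMule.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=

R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [3-11-2006 19:19 13592]
S4 cpuz130;cpuz130;\??\c:\docume~1\Eigenaar\LOCALS~1\Temp\cpuz130\cpuz_x32.sys --> c:\docume~1\Eigenaar\LOCALS~1\Temp\cpuz130\cpuz_x32.sys [?]
S4 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
"""

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]\s*$')
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<data>.*?)\s*$')
# ComboFix service lines: <start type> <name>;<display name>;<image path> [...]
SERVICE_RE = re.compile(r'^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$')
# REG_DWORD data as ComboFix prints it: "dword:00000001" or "0 (0x0)"
DWORD_RE = re.compile(r'^(?:dword:(?P<hex>[0-9a-f]{1,8})|(?P<dec>\d+)(?:\s*\(0x[0-9a-f]+\))?)$', re.I)

Finding = Tuple[str, str]  # (severity, message)


def dword_value(data: str) -> Optional[int]:
    """Return the integer behind REG_DWORD data, or None if it is not a DWORD."""
    m = DWORD_RE.match(data.strip())
    if not m:
        return None
    return int(m.group('hex'), 16) if m.group('hex') else int(m.group('dec'))


def check_value(key: str, name: str, data: str) -> List[Finding]:
    """Flag registry values that weaken Security Center or the Windows Firewall."""
    k, n, val = key.lower(), name.lower(), dword_value(data)
    if 'security center' in k and ('override' in n or 'disable' in n) and val == 1:
        return [('high', f'Security Center check suppressed: [{key}] {name}=1')]
    if k.endswith(r'firewallpolicy\standardprofile') and n == 'enablefirewall' and val == 0:
        return [('high', 'Windows Firewall is off for the standard profile')]
    if k.endswith(r'authorizedapplications\list'):
        return [('info', f'Firewall exception for {name}')]
    return []


def check_service(start: str, name: str, rest: str) -> List[Finding]:
    """Flag services/drivers whose file is missing or lives in a Temp directory."""
    out: List[Finding] = []
    path = re.sub(r'\s+\[[^\]]*\]$', '', rest.split(' --> ')[0].strip())
    # Assumption: a trailing "[?]" is ComboFix's marker for a file it could not find.
    if rest.rstrip().endswith('[?]'):
        out.append(('medium', f'{start} {name}: image file not found: {path}'))
    if '\\temp\\' in path.lower():
        out.append(('medium', f'{start} {name}: loads from a Temp directory: {path}'))
    return out


def triage_combofix(text: str) -> List[Finding]:
    """Walk a ComboFix log and collect security-relevant findings."""
    findings: List[Finding] = []
    current_key = ''
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group('key')  # values that follow belong to this key
            continue
        m = VALUE_RE.match(line)
        if m:
            findings.extend(check_value(current_key, m.group('name'), m.group('data')))
            continue
        m = SERVICE_RE.match(line)
        if m:
            findings.extend(check_service(m.group('start'), m.group('name'), m.group('rest')))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per severity."""
    counts: Dict[str, int] = {}
    for severity, _ in findings:
        counts[severity] = counts.get(severity, 0) + 1
    return counts


if __name__ == '__main__':
    results = triage_combofix(SAMPLE_LOG)
    for severity, message in results:
        print(f'[{severity:6}] {message}')
    print(summarize(results))
```

The script only surfaces what to review; it does not decide whether a finding is a malware remnant or, as the poster suspects for the Symantec entries, a leftover of an uninstalled product. In this thread the helper's STEP 04 policy-restore tools are what actually reset such settings.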


  • Root Admin

Well, luckily for your sake, the logs show that you appear to be relatively clean now. It could probably use a little more cleaning, but due to evidence of pirated software on the system I'm forced to close your post now.

You should do another scan of your system with at least one more AV product.

HiJack This! Forum Policy

We will not be party to obvious use of key gens, cracks, warez or other illegal means of downloading software, music, videos etc. This means no P2P evidence will be supported. Logs that show these in them will be given the option to remove the P2P items. Keygens, cracks, warez and similar will have the thread closed, period. It's theft and against the law.