spobster - Posted May 15, 2008 - ID:18238

Hi there, hope you can help! I get pop-ups every few minutes, but only when I am using IE. My WinPatrol also reports (every minute) new IE add-ons, but I did NOT approve them. Examples of these files are:

C:\WINDOWS\system32\ddcApqnM.dll
C:\WINDOWS\system32\pmnoOGYP.dll

My NOD32 virus scanner sometimes reports threats:

Win32/PrivacySet.A trojan
a variant of Win32/Adware.WinFixer application
Win32/PrcView application
Win32/Adware.AVSystemCare application
Win32/Adware.Virtumonde application

I always reacted with either Delete or Connection Terminated. So I came to Malwarebytes and ran Spybot; it found two important threats, but could only delete one (Virtumonde.dll). Then I ran the Malwarebytes' Anti-Malware tool, which found a number of infected files. Meanwhile I ran the PandaScan. So I believe there are a number of double threats found. The scan took a while, that's why I did not repeat this scan. The logs of both scans are down here. Then the restart of the computer; at startup Spybot ran again and could delete the Virtumonde.dll after all.

Malwarebytes' Anti-Malware 1.12
Database version: 752
Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 94395
Time elapsed: 1 hour(s), 17 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 10
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 4
Files Infected: 19

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\pmnoOGYP.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_CLASSES_ROOT\Typelib\{abcdece2-4b15-11d1-abed-709549c10000} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f9df827a-8fa7-48a3-b268-ca4db563ea40} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f9df827a-8fa7-48a3-b268-ca4db563ea40} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\pmnoogyp (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{f9df827a-8fa7-48a3-b268-ca4db563ea40} (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\AntiSpywareMaster (Rogue.AntiSpywareMaster) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\system32 (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\system32\drivers (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\system32\drivers\etc (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\ddcApqnM.dll_old (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\MnqpAcdd.ini (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\MnqpAcdd.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\huggpmkt.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tkmpgguh.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ipovawem.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mewavopi.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rmmjgfsf.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fsfgjmmr.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ulbqcpuf.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fupcqblu.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Program Files\AntiSpywareMaster\asm.exe (Rogue.AntiSpyMaster) -> Quarantined and deleted successfully.
E:\Robberts documenten\mijn ontvangen bestanden\klaar\ACDSee.Pro.v8.1.99.Incl.Keymaker-CORE\CORE10k.EXE (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\system32\drivers\etc\hosts_Win_Original (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\17PHolmes572.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jkkLDVno.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pmnoOGYP.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\iifeEWoP.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Spobstertje\Local Settings\Temp\snapsnet.exe (Trojan.Agent) -> Quarantined and deleted successfully.

;**********************************************************************
ANALYSIS: 2008-05-15 22:33:57
PROTECTIONS: 1
MALWARE: 15
SUSPECTS: 0
;**********************************************************************
PROTECTIONS
Description   Version   Active   Updated
;======================================================================
ESET NOD32 antivirus system 2.70   2.70   Yes   Yes
;======================================================================
MALWARE
Id   Description   Type   Active   Severity   Disinfectable   Disinfected   Location
;======================================================================
00055471 Application/ServUBased.A HackTools No 0 No No E:\Robberts documenten\Backup\Bureaublad.rar[serv-U\ServUDaemon.exe]
00139535 Application/Processor HackTools No 0 No No C:\Documents and Settings\Spobstertje\Bureaublad\Programma's en shortcuts\myphotobook-Setup.exe[process.exe]
00139535 Application/Processor HackTools No 0 Yes No C:\Program Files\myphotobook\xtras\process.exe
00168110 Cookie/Server.iad.Liveperson TrackingCookie No 0 Yes No C:\Documents and Settings\Spobstertje\Cookies\spobstertje@server.iad.liveperson[2].txt
00170304 Cookie/WebtrendsLive TrackingCookie No 0 Yes No C:\Documents and Settings\Spobstertje\Cookies\spobstertje@statse.webtrendslive[2].txt
00293079 Spyware/7r7t Spyware No 1 Yes No C:\Documents and Settings\Spobstertje\Local Settings\Temp\snapsnet.exe
00505582 Application/ServUBased.DU HackTools No 0 No No E:\Robberts documenten\Backup\Bureaublad.rar[serv-U\ServUTray.exe]
01262593 Application/NirCmd.A HackTools No 0 Yes No C:\WINDOWS\NirCmd.exe
02911014 Adware/AntiSpywareMaster Adware No 0 Yes No C:\Program Files\AntiSpywareMaster\asm.exe
02947657 Trj/Agent.ITR Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{AC700A1F-ECB2-4C28-8D90-649C14F971F6}\RP385\A0030164.exe
02947657 Trj/Agent.ITR Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{AC700A1F-ECB2-4C28-8D90-649C14F971F6}\RP385\A0030162.exe
02947657 Trj/Agent.ITR Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{AC700A1F-ECB2-4C28-8D90-649C14F971F6}\RP385\A0030163.exe
02951531 Bck/Prorat.HT Virus/Trojan No 1 Yes No E:\Robberts documenten\mijn ontvangen bestanden\klaar\314 Palm Games\__All PalmOS Games Released by AstraWare in (2003) Crack\crack.exe
02951531 Bck/Prorat.HT Virus/Trojan No 1 Yes No E:\Robberts documenten\mijn ontvangen bestanden\klaar\314 Palm Games\__All PalmOS Games Released by AstraWare in (2003) Crack.zip[crack.exe]
02951532 Bck/Prorat.HT Virus/Trojan No 1 Yes No E:\Robberts documenten\mijn ontvangen bestanden\klaar\314 Palm Games\__All PalmOS Games Released by AstraWare in (2003) Crack.zip[setup.exe]
02951532 Bck/Prorat.HT Virus/Trojan No 1 Yes No E:\Robberts documenten\mijn ontvangen bestanden\klaar\314 Palm Games\__All PalmOS Games Released by AstraWare in (2003) Crack\setup.exe
02971602 Spyware/Virtumonde Spyware No 1 Yes No C:\WINDOWS\system32\iifeEWoP.dll
02971602 Spyware/Virtumonde Spyware No 1 Yes No C:\WINDOWS\system32\jkkLDVno.dll
02971602 Spyware/Virtumonde Spyware Yes 2 Yes No C:\WINDOWS\SYSTEM32\PMNOOGYP.DLL
02972595 Spyware/Virtumonde Spyware No 1 Yes No C:\WINDOWS\system32\pefxairs.dll
02972596 Spyware/Virtumonde Spyware No 1 Yes No C:\WINDOWS\system32\wufclbhm.dll
02972601 Spyware/Virtumonde Spyware No 1 Yes No C:\WINDOWS\system32\ulbqcpuf.dll
;======================================================================
SUSPECTS
Sent   Location
;======================================================================
;======================================================================
VULNERABILITIES
Id   Severity   Description
;======================================================================
184380 MEDIUM MS08-002
184379 MEDIUM MS08-001
182048 HIGH MS07-069
182046 HIGH MS07-067
182043 HIGH MS07-064
179553 HIGH MS07-061
176382 HIGH MS07-057
176383 HIGH MS07-058
170911 HIGH MS07-050
170907 HIGH MS07-046
170906 HIGH MS07-045
170904 HIGH MS07-043
164915 HIGH MS07-035
164913 HIGH MS07-033
164911 HIGH MS07-031
160623 HIGH MS07-027
157262 HIGH MS07-022
157261 HIGH MS07-021
157260 HIGH MS07-020
157259 HIGH MS07-019
156477 HIGH MS07-017
150253 HIGH MS07-016
150249 HIGH MS07-013
150248 HIGH MS07-012
150247 HIGH MS07-011
150243 HIGH MS07-008
150242 HIGH MS07-007
150241 MEDIUM MS07-006
141034 HIGH MS06-076
141033 MEDIUM MS06-075
141030 HIGH MS06-072
137571 HIGH MS06-070
137568 HIGH MS06-067
133387 MEDIUM MS06-065
133386 MEDIUM MS06-064
133385 MEDIUM MS06-063
133379 HIGH MS06-057
131654 HIGH MS06-055
129977 MEDIUM MS06-053
129976 MEDIUM MS06-052
126093 HIGH MS06-051
126092 MEDIUM MS06-050
126087 HIGH MS06-046
126086 MEDIUM MS06-045
126083 HIGH MS06-042
126082 HIGH MS06-041
126081 HIGH MS06-040
123421 HIGH MS06-036
123420 HIGH MS06-035
120825 MEDIUM MS06-032
120823 MEDIUM MS06-030
120818 HIGH MS06-025
120815 HIGH MS06-022
120814 HIGH MS06-021
117384 MEDIUM MS06-018
114666 HIGH MS06-015
114664 HIGH MS06-013
108744 MEDIUM MS06-008
108743 MEDIUM MS06-007
108742 MEDIUM MS06-006
104567 HIGH MS06-002
104237 HIGH MS06-001
96574 HIGH MS05-053
93395 HIGH MS05-051
93394 HIGH MS05-050
93454 MEDIUM MS05-049
;======================================================================

Then I reran the Malwarebytes' Anti-Malware program. During this, WinPatrol alerted that regedit.exe %1 was changed to regedit.exe%1%*; I said the change was NOT ok. Then WinPatrol alerted that %1 /S was to be exchanged by %1 %* (.scr files); I also refused. The alerts reappear every now and then (what should I do?!).

The final log of the Malwarebytes' Anti-Malware program:

Malwarebytes' Anti-Malware 1.12
Database version: 752
Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 94082
Time elapsed: 34 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Then HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:57:55, on 15-5-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = Download Directory
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/ig?hl=nl
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\RunOnce: [spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {11316B13-33F0-4C9F-BD55-09994CCFA8EB} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {AE2B937E-EA7D-4A8D-888C-B68D7F72A3C4} (IPSUploader4 Control) - http://as.photoprintit.de/ips-opdata/74914...PSUploader4.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod-service (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Windows Alert Service (Winalert) - Unknown owner - C:\WINDOWS\System32\alertic.exe (file missing)

--End of file - 5828 bytes

Thanks already for all the help!
AdvancedSetup (Root Admin) - Posted May 16, 2008 - ID:18245

Hello spobster,

Sorry for the delay. I was busy as heck at work and had spent an all-nighter fixing some database issues. Some of the other helpers here are busy as well. Let me take a look at your information and get back to you soon.
AdvancedSetup (Root Admin) - Posted May 16, 2008 - ID:18248

First, disable the Spybot Search & Destroy Tea Timer if it's running, as it will interfere with some fixes.
Either disable WinPatrol or allow it to make the changes we're going to make below.

Go into your Control Panel - Add/Remove and uninstall the following applications; you can get updates later on:
All Java versions, All Flash versions, All Shockwave versions, All QuickTime versions
Many of these programs have been recently updated to correct holes that have been found in the programs which help facilitate malware being installed onto your system. Updating to the most recent versions will help to alleviate this method of entry.

Software Updates
Here are links to get the latest versions of the software that you removed once we're all done scanning your system. Don't reinstall them just yet.
- Java Runtime Environment (JRE) 6 Update 6
- Since you're using the FULL version of Adobe Acrobat 7 you may not want to update the reader depending on how you use Acrobat; at times having two different versions can cause conflicts.
  Adobe Acrobat Reader 8.12 Full Download English
  Adobe Reader 8.12 Full Download Dutch
- Adobe Flash Player version 9.0.124.0 (uncheck the Free Google Toolbar)
- Shockwave Player 11
- QuickTime 7.4.5 for Windows XP or Vista (uncheck the sign-ups)

Instructions on how to disable the Spybot Search & Destroy Tea Timer

Disable Spybot Search & Destroy's TEA TIMER:
1. Run Spybot-S&D in Advanced Mode.
2. If it is not already set to do this, go to the Mode menu and select "Advanced Mode".
3. On the left hand side, click on Tools.
4. Then click on the Resident icon in the list.
5. Uncheck "Resident TeaTimer" and OK any prompts.
6. Restart your computer.

Please run the following tasks. Follow these instructions carefully.

Download ATF-Cleaner from Snapfiles.com to remove un-needed temporary files from your computer that may contain malware. You can also download it from Majorgeeks.com.
When you run ATF-Cleaner, check the items as shown below for Main.
For Firefox, be sure to click on the Firefox tab on top and check the items as shown below for Firefox.
NOTE: If you don't have Firefox or Opera installed then they will be grayed out and can be ignored.
Then click on "Empty Selected".

Start HijackThis and do a Scan Only and place a check mark in the following items:
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
Then click on Fix selected.

The following items are up to you if you want to remove or not:
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
Initializes the clock and memory settings on nVidia based graphics cards. Enable if you overclock your card.
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
System tray icon used to manage settings for nVidia based graphics cards. May be required for some 3D applications to recognize your card correctly, such as the game "Everquest". Otherwise, settings can be changed manually via Display Properties.
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
It provides extra functionality for Logitech multimedia webcam devices. It is non-essential to the running of the system, but should not be terminated unless suspected to be causing problems.
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
Realtek HD Audio Sound Effect Manager.
CTFMON.EXE - see the information here to determine if you want to leave it or remove it: Frequently asked questions about Ctfmon.exe

This next item is a service that needs to be removed. Let's try it this way first.
Click on Start - Run and type in CMD, then press the Enter key to start a DOS prompt.
Then type in the following exactly as it is. Report back any errors if it's not successful.
sc delete alertic.exe
If it says it can not find it then try this:
sc delete "Windows Alert Service"
Don't forget the quotes.
Then try this:
sc delete wscntfy.exe
Then try this:
sc delete nvsvc32.exe
If this gives an error as well then try to remove it from the list in a HJT scan only:
O23 - Service: Windows Alert Service (Winalert) - Unknown owner - C:\WINDOWS\System32\alertic.exe (file missing)
Then click on "Fix selected".
Finding and using the correct service name to remove can be difficult at times.

Update and Scan with Malwarebytes
Launch MB and go to the Update tab and update the definitions.
Click on the Quick Scan and click Next.
If any items are found, allow it to clean them and then reboot your computer.
Run HijackThis again and do a Scan and save log, and post back that log and the Malwarebytes log.
AdvancedSetup (Root Admin) - Posted May 16, 2008 - ID:18270

It looks like we might need to get more details. Please run the following.

Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.
Close all applications and windows.
Double-click on dss.exe to run it, and follow the prompts.
When the scan is complete, two text files will open: main.txt (this one will be maximized) and extra.txt (this one will be minimized).
Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt in your reply.
spobster (Author) - Posted May 16, 2008 - ID:18276

I also have to work, just came back home and am now busy following your advice. I'll be back with logs in a sec.
AdvancedSetup (Root Admin) - Posted May 16, 2008 - ID:18278

Okay, just an FYI: Deckard's System Scanner (DSS) will run the HJT for you.
spobster (Author) - Posted May 16, 2008 - ID:18280

I have removed all software/applications you mentioned. I have fixed all HijackThis points mentioned. I also removed Microsoft Office XP from my computer, as I also have Microsoft Office 2003 running, which I always use. The link you gave for ctfmon.exe is only for Office XP, so I guess what I did should be good enough.

Then I tried to use the commands in the command screen. For all commands I received the following:
[SC] OpenService FAILED 1060:
De opgegeven service is geen ge
spobster (Author) - Posted May 16, 2008 - ID:18282

And I have to say two more things. Since I ran MB for the first time, most problems seemed to be solved. At this moment the pop-ups from WinPatrol are only about the "regedit.exe %1 change to regedit.exe%1%*" and "%1 /S to be exchanged by %1 %*".

The other thing is that I have had JeanInMontana's help earlier: this link. At the end of page one we also worried about the "O23 - Service: Windows Alert Service (Winalert) - Unknown owner - C:\WINDOWS\System32\alertic.exe (file missing)". I believe we did everything we could to solve this, but nothing worked, not even the killbox program. Actually the file alertic.exe does not exist on my computer (I guess that's why the file is missing).

Hope this helps, and I don't know for sure, but I think I got an infection with another worm/spyware than that time, although some things look similar. I am really careful about clicking around on the internet and normally use only trusted sites, except for last week when I was in a hurry. Sorry about that! (for myself too B))
AdvancedSetup (Root Admin) - Posted May 16, 2008 - ID:18296

Okay, first let's try to see if these files still exist on your system and try to upload them so we can review them to see what they really are.

Upload Malware
C:\WINDOWS\system32\kadtmtmc.dll
C:\WINDOWS\system32\qjqiaocm.dll
C:\WINDOWS\system32\rywixfqp.dll
C:\WINDOWS\system32\qiddjpkj.dll
C:\WINDOWS\system32\pefxairs.dll
C:\WINDOWS\system32\wufclbhm.dll
C:\WINDOWS\system32\druxasmv.dll
C:\WINDOWS\system32\najfgbcp.dll
C:\WINDOWS\system32\ddcApqnM

Then we need to fix a couple of other items. Follow these instructions carefully, as it can prevent your system from starting if done wrong.

You need to run a couple of Registry updates. Copy the following entries into Notepad, then save the file; on the drop-down selection for Save as type: choose All Files and save the file to your desktop as Repair01.reg

REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00

There should be no space before REGEDIT4 and there should be a single blank line after the last line.
Once saved, double-click it and allow it to run, and if any program attempts to stop it say it's okay to update it.

Then the same thing for this one; copy and save as Repair02.reg

REGEDIT4

[HKEY_CLASSES_ROOT\regedit\shell\open\command]
@="regedit.exe %1"

Once saved, double-click it and allow it to run, and if any program attempts to stop it say it's okay to update it.

Then click on START - RUN and type in REGEDIT and press the Enter key.
Then, clicking on the + signs to expand the folders in the Registry, walk down the tree until you get to an entry that should be something like this:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windows Alert Service
If you find it and it has the alertic.exe entry, then delete the alertic.exe entry.
If you don't find it there, then go to the top of the Registry tree and do a search for alertic.exe and remove all the entries for it. Not the PATH AND TREES - ONLY THE alertic.exe

Then restart your computer.

Hopefully you can upload those files above and we'll check them out and, if needed, update Malwarebytes to remove them if they're bad items.
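The two posts above (the sc delete attempts and the registry repairs) do by hand what a short script can check and report on a live machine. What follows is an added example for this page, not code from the thread, from Malwarebytes or from WinPatrol. It assumes Windows XP era defaults for the HKCR launch commands and for the Lsa "Authentication Packages" list (msv1_0 only), that it runs from an elevated PowerShell prompt, and that anything it reports is reviewed before being removed; the expected values, the -Fix switch and the function names are the example's own, not anything the thread specifies.

```powershell
# Added example, not code from the thread, Malwarebytes or WinPatrol: audit the persistence
# points the two posts above deal with and print the exact repair for each one that is off.
# Read-only unless -Fix is given; run from an elevated PowerShell prompt.
# Assumption: XP-era defaults for the launch commands and for the Lsa Authentication Packages list.
param([switch]$Fix)

function Resolve-ImagePath([string]$imagePath) {
    # Map a service ImagePath to the binary on disk: strip \??\ and \SystemRoot\ prefixes, expand
    # %SystemRoot%-style variables, honour quotes, and cope with unquoted paths that contain spaces
    # by growing the candidate token by token until a file exists. Relative paths are under %SystemRoot%.
    $p = $imagePath.Trim()
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', ($env:SystemRoot + '\')
    $p = [Environment]::ExpandEnvironmentVariables($p)
    if ($p.StartsWith('"')) {
        $end = $p.IndexOf('"', 1)
        if ($end -gt 0) { $p = $p.Substring(1, $end - 1) } else { $p = $p.Substring(1) }
    } else {
        $tokens = $p -split ' '
        $cand = $tokens[0]
        for ($i = 1; $i -lt $tokens.Count -and -not (Test-Path -LiteralPath $cand -PathType Leaf); $i++) {
            $cand = $cand + ' ' + $tokens[$i]
        }
        if (Test-Path -LiteralPath $cand -PathType Leaf) { $p = $cand } else { $p = $tokens[0] }
    }
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

$report = @()

# 1. Services whose binary is not on disk: the "Windows Alert Service (Winalert) - alertic.exe (file
#    missing)" pattern. HijackThis prints "DisplayName (ServiceName)" and sc.exe delete wants the
#    ServiceName (sc delete Winalert), not the display name or the .exe, which is why
#    "sc delete alertic.exe" fails with 1060. Reported only, never auto-deleted: review the list first.
foreach ($key in Get-ChildItem -LiteralPath 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue) {
    $svc = Get-ItemProperty -LiteralPath $key.PSPath -ErrorAction SilentlyContinue
    if (-not $svc.ImagePath) { continue }
    $bin = Resolve-ImagePath $svc.ImagePath
    if (-not (Test-Path -LiteralPath $bin -PathType Leaf)) {
        $report += "Service '$($svc.DisplayName)' ($($key.PSChildName)) -> missing $bin ; fix: sc.exe delete $($key.PSChildName)"
    }
}

# 2. Lsa "Authentication Packages" (REG_MULTI_SZ): DLLs lsass.exe loads at boot. The REGEDIT4 line in
#    the post, hex(7):6d,73,76,31,5f,30,00,00, is the ANSI bytes "msv1_0" plus the two NULs that end
#    the string and the list, i.e. exactly one entry. Any extra entry here is a DLL to look at.
$expectedAuth = [Text.Encoding]::ASCII.GetString([byte[]](0x6d,0x73,0x76,0x31,0x5f,0x30))
$lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$auth  = @((Get-ItemProperty -LiteralPath $lsa).'Authentication Packages')
$extra = @($auth | Where-Object { $_ -and $_ -ne $expectedAuth })
if ($extra.Count -gt 0) {
    $report += "Lsa Authentication Packages = [$($auth -join ', ')] ; fix: reset to [$expectedAuth]"
    if ($Fix) { Set-ItemProperty -LiteralPath $lsa -Name 'Authentication Packages' -Value ([string[]]@($expectedAuth)) -Type MultiString }
}

# 3. Launch commands behind the WinPatrol alerts ("regedit.exe %1" -> "regedit.exe %1 %*", "%1 /S" ->
#    "%1 %*"). Compared with quotes and spacing normalised, so the post's repair value regedit.exe %1
#    and the XP default regedit.exe "%1" both pass; anything that adds a binary or %* does not.
$expectedCmd = @{
    'regedit\shell\open\command' = 'regedit.exe "%1"'
    'scrfile\shell\open\command' = '"%1" /S'
    'exefile\shell\open\command' = '"%1" %*'
    'batfile\shell\open\command' = '"%1" %*'
}
function Normalize-Cmd([string]$c) { return (($c -replace '"', '') -replace '\s+', ' ').Trim().ToLower() }
foreach ($sub in $expectedCmd.Keys) {
    $path = "Registry::HKEY_CLASSES_ROOT\$sub"
    $cur  = (Get-ItemProperty -LiteralPath $path -ErrorAction SilentlyContinue).'(default)'
    if ((Normalize-Cmd $cur) -ne (Normalize-Cmd $expectedCmd[$sub])) {
        $report += "HKCR\$sub = [$cur] ; fix: set to [$($expectedCmd[$sub])]"
        if ($Fix) { Set-ItemProperty -LiteralPath $path -Name '(default)' -Value $expectedCmd[$sub] }
    }
}

# 4. Winlogon\Notify packages and IE Browser Helper Objects, the two load points the first log shows
#    Vundo using for its random-named System32 DLLs. Listed with file creation time so DLLs that
#    appeared when the trouble started stand out, the way spobster spotted najfgbcp.dll by hand.
$entries = @()
$notify = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
foreach ($k in Get-ChildItem -LiteralPath $notify -ErrorAction SilentlyContinue) {
    $entries += New-Object PSObject -Property @{ Source = "Winlogon\Notify\$($k.PSChildName)"; Dll = (Get-ItemProperty -LiteralPath $k.PSPath).DllName }
}
$bho = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
foreach ($k in Get-ChildItem -LiteralPath $bho -ErrorAction SilentlyContinue) {
    $srv = "Registry::HKEY_CLASSES_ROOT\CLSID\$($k.PSChildName)\InprocServer32"
    $entries += New-Object PSObject -Property @{ Source = "BHO $($k.PSChildName)"; Dll = (Get-ItemProperty -LiteralPath $srv -ErrorAction SilentlyContinue).'(default)' }
}
foreach ($e in $entries) {
    $dll = [Environment]::ExpandEnvironmentVariables([string]$e.Dll)
    if ($dll -and $dll -notmatch '^[A-Za-z]:\\') { $dll = Join-Path "$env:SystemRoot\system32" $dll }
    if ($dll -and (Test-Path -LiteralPath $dll -PathType Leaf)) {
        $report += "$($e.Source): $dll (created $((Get-Item -LiteralPath $dll).CreationTime))"
    } else {
        $report += "$($e.Source): [$($e.Dll)] FILE MISSING ; fix: remove the key if this is not a DLL you installed"
    }
}

if ($report.Count -eq 0) { 'No findings.' } else { $report }
```

Run it once without -Fix and read the report: section 1 gives the real service name to pass to sc.exe delete (the display name "Windows Alert Service" and the file name alertic.exe both produce error 1060), section 2 and 3 show the current value beside the expected one, and section 4 is a triage list rather than a verdict, since legitimate Notify packages and BHOs appear there too. Only sections 2 and 3 are changed by -Fix; service removal is left to a deliberate sc.exe delete after the list has been checked.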
spobster (Author) - Posted May 17, 2008 - ID:18329

I'm sorry, I don't know whether the upload worked fine, so I was doing it a second time (same file) and now already a third time because of an error (the third time I did not upload them as a zip but separately, and indeed that works). The only file I couldn't find was the one that was C:\WINDOWS\system32\ddcApqnM. The najfgbcp.dll and druxasmv.dll files were created at the time-point where the problems started. The others were created later on, apparently.

I updated the registry.

The search in the registry for alertic.exe gave me one entry in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winalert and I deleted that one; there are some entries left in this path, I did not touch them. Furthermore I got an entry in HKEY_USERS\S-1-5-21-329068152-1383384898-682003330-1003\Software\Microsoft\Search Assistant\ACMru\5603, but not the .exe file, only alertic. I believe this is not harmful, because of my search in my Windows folders yesterday, is it? I can of course delete it; I didn't delete it yet.

Thanks for all your help!
AdvancedSetup (Root Admin) - Posted May 17, 2008 - ID:18363

Great, thanks for the submissions. They should get checked out tonight some time.

Tomorrow please update your MB application and do a new Quick Scan and clean anything it finds. Then reboot and run a new HJT scan and post back both of those logs.
spobster (Author) - Posted May 18, 2008 - ID:18392

Malwarebytes' Anti-Malware 1.12
Database version: 760
Scan type: Quick Scan
Objects scanned: 36445
Time elapsed: 3 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{1dc21177-f099-4369-ba8e-eda8c1573723} (Trojan.Vundo) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{c97007e2-bc21-4d9d-9bf8-b37d08b3d6e7} (Trojan.Vundo) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{85013b75-2320-4ec9-ab3d-141ea3dd1bac} (Trojan.Vundo) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{b7b6375a-4828-408b-a86a-bf75e2ca9394} (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winalert (Trojan.FakeAlert) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\druxasmv.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\kadtmtmc.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\najfgbcp.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\pefxairs.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\qiddjpkj.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\qjqiaocm.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\rywixfqp.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\wufclbhm.dll (Trojan.Vundo) -> No action taken.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:42:15, on 18-5-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = Download Directory
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/ig?hl=nl
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {11316B13-33F0-4C9F-BD55-09994CCFA8EB} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {AE2B937E-EA7D-4A8D-888C-B68D7F72A3C4} (IPSUploader4 Control) - http://as.photoprintit.de/ips-opdata/74914...PSUploader4.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod-service (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--End of file - 5080 bytes
Root Admin AdvancedSetup Posted May 18, 2008 Root Admin ID:18394

Well, the log you posted shows you did not allow or have Malwarebytes remove the infected items. You need to scan and then choose to fix the infected items.
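The point the admin makes is visible in the log's action column: every line ends in "No action taken". As an added example (not from the thread and not Malwarebytes' own code), here is a small Python triage script for the MBAM 1.x log format posted above that separates untreated, pending-reboot and removed detections and cross-checks them against the declared counts; the sample log is constructed from entries in this thread and abridged.

```python
"""Triage a Malwarebytes' Anti-Malware 1.x scan log (added example, not MBAM code).

Each detection line reads  <item> (<family>) -> <action>.  If the actions all say
"No action taken", the scan ran but nothing was ever removed.
"""
import re
from collections import defaultdict

# Constructed, abridged sample in the format of the logs posted in this thread;
# the item names come from those posts, the counts are trimmed to fit.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.12
Database version: 760
Scan type: Quick Scan
Objects scanned: 36445
Time elapsed: 3 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{1dc21177-f099-4369-ba8e-eda8c1573723} (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winalert (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\druxasmv.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\ddcApqnM.dll_old (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\huggpmkt.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
"""

# "Registry Keys Infected: 5" (declared count) or "Registry Keys Infected:" (section start)
_HEADER = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):(?: (?P<count>\d+))?$")
# "<item> (<family>) -> <action>."
_DETECTION = re.compile(r"^(?P<item>.+) \((?P<family>[^()]+)\) -> (?P<action>[^.]+)\.?$")


def parse_mbam_log(text):
    """Return (summary, detections): summary maps section -> declared count,
    detections maps section -> list of (item, family, action) tuples."""
    summary, detections, section = {}, defaultdict(list), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "(No malicious items detected)":
            continue
        m = _HEADER.match(line)
        if m:
            if m.group("count") is not None:
                summary[m.group("section")] = int(m.group("count"))
            else:
                section = m.group("section")  # detail block for this section starts
            continue
        m = _DETECTION.match(line)
        if m and section is not None:
            detections[section].append((m.group("item"), m.group("family"), m.group("action")))
    return summary, dict(detections)


def triage(text):
    """Sort detections by outcome and flag sections whose parsed count differs from the header."""
    summary, detections = parse_mbam_log(text)
    report = {"untreated": [], "pending_reboot": [], "removed": [], "count_mismatch": []}
    for section, declared in summary.items():
        found = detections.get(section, [])
        if declared != len(found):  # header says N items, detail block lists a different number
            report["count_mismatch"].append(section)
        for item, family, action in found:
            if action == "No action taken":
                report["untreated"].append((item, family))
            elif action == "Delete on reboot":
                report["pending_reboot"].append((item, family))
            else:
                report["removed"].append((item, family))
    return report


def needs_rescan(report):
    """True when the user still has to re-run the scan and choose to remove the items."""
    return bool(report["untreated"])


if __name__ == "__main__":
    r = triage(SAMPLE_LOG)
    for key in ("untreated", "pending_reboot", "removed"):
        print(f"{key}: {len(r[key])}")
        for item, family in r[key]:
            print(f"  {family:<18} {item}")
    print("needs rescan:", needs_rescan(r))
```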
spobster Posted May 18, 2008 Author ID:18418

Sorry, posted wrong log in my hurry this morning.

Malwarebytes' Anti-Malware 1.12
Database version: 760
Scan type: Quick Scan
Objects scanned: 36445
Time elapsed: 3 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{1dc21177-f099-4369-ba8e-eda8c1573723} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c97007e2-bc21-4d9d-9bf8-b37d08b3d6e7} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{85013b75-2320-4ec9-ab3d-141ea3dd1bac} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{b7b6375a-4828-408b-a86a-bf75e2ca9394} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winalert (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\druxasmv.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kadtmtmc.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\najfgbcp.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pefxairs.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qiddjpkj.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qjqiaocm.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rywixfqp.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wufclbhm.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
spobster Posted May 18, 2008 Author ID:18421

I think most problems are solved, but still I get the WinPatrol alerts, to which I have answered no till now. I have attached a picture of the alerts, wondering what I should do with this. Thanks!
Root Admin AdvancedSetup Posted May 19, 2008 Root Admin ID:18446

No, do not allow the change. They are already using a default setting. Once you tell it no and reboot your computer, does it still alert to the change?
spobster Posted May 19, 2008 Author ID:18478

Yes it does, every ten minutes or so I get the alert. Also after rebooting the computer.
Root Admin AdvancedSetup Posted May 19, 2008 Root Admin ID:18480

If you click on INFO does it say what application is attempting to make this change?
spobster Posted May 19, 2008 Author ID:18481

I believe it is regedit.exe. When I click on INFO, I get a page with a lot of advertising to buy the WinPatrol Plus version. In between it says "Upgrade to WinPatrol PLUS for more info on regedit.exe".
Root Admin AdvancedSetup Posted May 19, 2008 Root Admin ID:18482

It isn't telling what program is trying to make the change; it's only telling you that if you bought the program it would tell you more about Regedit, which is not what we're looking for.

Let's do this for now. Disable or uninstall WinPatrol - then let's look at the registry entries after a reboot.

Then I'd like you to run a log from Deckard's System Scanner that will give us more information about what is running on your system. You should already have the DSS.EXE program for Deckard's System Scanner, but if not here is the information again below.

Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.
1. Close all applications and windows.
2. Double-click on dss.exe to run it, and follow the prompts.
3. When the scan is complete, two text files will open - main.txt <- this one will be maximized, and extra.txt <- this one will be minimized.
4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and the extra.txt to your post in your reply.

What DSS will do:
- create a new System Restore point in Windows XP and Vista.
- clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
- check some important areas of your system and produce a report for your analyst to review. DSS automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.

Notes: The first time that the Deckard scanner is run, the extra.txt is generated in a minimized window. The second time you will not obtain the extra.txt. You must go to Start=>Run and copy the following "%userprofile%\desktop\dss.exe" /config in the line and click OK. You will receive a pop-up box with options to check for the Main log and Extra Log and Options.
spobster Posted May 19, 2008 Author ID:18483

I have checked all options in the config. (My Windows is Dutch so I had to run "%userprofile%\bureaublad\dss.exe" /config B))

Deckard's System Scanner v20071014.68
Run by Spobstertje on 2008-05-19 22:05:10
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.

-- Last 5 Restore Point(s) --
11: 2008-05-19 20:05:14 UTC - RP391 - Deckard's System Scanner Restore Point
10: 2008-05-18 19:38:09 UTC - RP390 - Controlepunt van systeem
9: 2008-05-16 19:52:37 UTC - RP389 - Deckard's System Scanner Restore Point
8: 2008-05-16 19:21:08 UTC - RP388 - Verwijderd: Microsoft Office XP Professional
7: 2008-05-16 17:18:23 UTC - RP387 - Verwijderd: QuickTime

-- First Restore Point --
1: 2008-05-09 13:39:58 UTC - RP381 - Controlepunt van systeem

Performed disk cleanup.

System Drive C: has 1.56 GiB (less than 15%) free.

-- HijackThis (run as Spobstertje.exe) -----------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:05:18, on 19-5-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Spobstertje\bureaublad\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\SPOBST~1.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = Download Directory
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/ig?hl=nl
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {11316B13-33F0-4C9F-BD55-09994CCFA8EB} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {AE2B937E-EA7D-4A8D-888C-B68D7F72A3C4} (IPSUploader4 Control) - http://as.photoprintit.de/ips-opdata/74914...PSUploader4.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod-service (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 4890 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20070930-161138-287 O4 - HKCU\..\Run: [WinAVX] C:\WINDOWS\system32\WinAvXX.exe
backup-20070930-161138-507 O4 - HKLM\..\Run: [WinAVX] C:\WINDOWS\system32\WinAvXX.exe
backup-20070930-161138-590 F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\printer.exe
backup-20070930-161138-621 O4 - Global Startup: autorun.exe
backup-20070930-161138-682 O4 - Startup: system.exe
backup-20070930-162742-178 O4 - HKLM\..\Run: [WinAVX] C:\WINDOWS\system32\WinAvXX.exe
backup-20070930-162742-199 F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\printer.exe
backup-20070930-162743-159 O4 - HKCU\..\Run: [WinAVX] C:\WINDOWS\system32\WinAvXX.exe
backup-20070930-162743-494 O4 - Global Startup: autorun.exe
backup-20070930-162743-555 O4 - Startup: system.exe
backup-20071001-002436-974 O20 - AppInit_DLLs: C:\WINDOWS\system32\sulimo.dat
backup-20071001-012033-255 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
backup-20071001-012033-374 O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
backup-20071006-210042-219 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
backup-20071006-210042-509 O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
backup-20071006-210042-729 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
backup-20071011-202407-115 O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')
backup-20071011-202407-260 O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
backup-20071011-202407-895 O23 - Service: Windows Alert Service (Winalert) - Unknown owner - C:\WINDOWS\System32\alertic.exe (file missing)
backup-20071011-202429-199 O23 - Service: Windows Alert Service (Winalert) - Unknown owner - C:\WINDOWS\System32\alertic.exe (file missing)
backup-20071011-215354-198 O23 - Service: Windows Alert Service (Winalert) - Unknown owner - C:\WINDOWS\System32\alertic.exe (file missing)
backup-20071011-220327-837 O23 - Service: Windows Alert Service (Winalert) - Unknown owner - C:\WINDOWS\System32\alertic.exe (file missing)
backup-20071015-175322-216 O23 - Service: Windows Alert Service (Winalert) - Unknown owner - C:\WINDOWS\System32\alertic.exe (file missing)
backup-20071015-175322-821 O4 - HKCU\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe
backup-20071015-214437-857 O23 - Service: Windows Alert Service (Winalert) - Unknown owner - C:\WINDOWS\System32\alertic.exe (file missing)
backup-20080516-211131-209 R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
backup-20080516-211131-658 O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
backup-20080516-212304-154 O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
backup-20080516-212304-759 O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
backup-20080516-212304-791 O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
backup-20080516-212304-969 O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
backup-20080516-213642-873 O23 - Service: Windows Alert Service (Winalert) - Unknown owner - C:\WINDOWS\System32\alertic.exe (file missing)
backup-20080516-213747-904 O23 - Service: Windows Alert Service (Winalert) - Unknown owner - C:\WINDOWS\System32\alertic.exe (file missing)

-- File Associations -----------------------------------------------------------

.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - scrfile - shell\open\command - "%1" %*

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 AsIO - c:\windows\system32\drivers\asio.sys
R1 asuskbnt (Enhanced Display Driver Helper Service) - c:\windows\system32\drivers\atkkbnt.sys <Not Verified; ASUSTeK COMPUTER INC.; ASUS Help driver For Keyboard Service.>
R1 SASDIFSV - c:\program files\superantispyware\sasdifsv.sys
R1 SASKUTIL - c:\program files\superantispyware\saskutil.sys
R3 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus® ASPI Shell>

S1 bdpredir - c:\program files\softwin\bitdefender10\bdpredir.sys (file missing)
S1 InCDPass - c:\windows\system32\drivers\incdpass.sys (file missing)
S1 InCDRm (InCD Reader) - c:\windows\system32\drivers\incdrm.sys (file missing)
S2 EIO - c:\windows\system32\drivers\eio.sys (file missing)
S3 bdfdll - c:\program files\softwin\bitdefender10\bdfdll.sys (file missing)
S3 catchme - c:\docume~1\spobst~1\locals~1\temp\catchme.sys (file missing)
S3 CO_Mon - c:\windows\system32\drivers\co_mon.sys
S3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>
S4 InCDFs (InCD File System) - c:\windows\system32\drivers\incdfs.sys (file missing)

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 aawservice (Ad-Aware 2007 Service) - "c:\program files\lavasoft\ad-aware 2007\aawservice.exe" <Not Verified; Lavasoft AB; Ad-Aware 2007 Service>
R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 ATKKeyboardService (ATK Keyboard Service) - c:\windows\atkkbservice.exe <Not Verified; ASUSTeK COMPUTER INC.; ASUS Keyboard Service>

-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E96B-E325-11CE-BFC1-08002BE10318}
Description: Standaardtoetsenbord (101/102 toetsen) of Microsoft Natural PS/2-toetsenbord
Device ID: ACPI\PNP0303\4&1D8E1589&0
Manufacturer: (standaardtoetsenbord)
Name: Standaardtoetsenbord (101/102 toetsen) of Microsoft Natural PS/2-toetsenbord
PNP Device ID: ACPI\PNP0303\4&1D8E1589&0
Service: i8042prt

-- Process Modules -------------------------------------------------------------

C:\WINDOWS\system32\winlogon.exe (pid 608)
2007-04-19 13:41:36 294912 --a------ C:\Program Files\SUPERAntiSpyware\SASWINLO.dll <Not Verified; SUPERAntiSpyware.com; SUPERAntiSpyware WinLogon Processor>

C:\WINDOWS\system32\svchost.exe (pid 976)
2007-10-01 20:01:03 298104 --a------ C:\WINDOWS\system32\imon.dll <Not Verified; Eset; NOD32 Antivirus System>

C:\WINDOWS\explorer.exe (pid 1548)
2007-10-01 20:01:03 298104 --a------ C:\WINDOWS\system32\imon.dll <Not Verified; Eset; NOD32 Antivirus System>
2006-12-20 13:55:48 77824 --a------ C:\Program Files\SUPERAntiSpyware\SASSEH.DLL <Not Verified; SuperAdBlocker.com; SuperAntiSpyware>

-- Files created between 2008-04-19 and 2008-05-19 -----------------------------

2008-05-15 20:46:55 0 d-------- C:\Documents and Settings\Spobstertje\Application Data\Malwarebytes
2008-05-15 20:46:43 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-15 20:46:42 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-15 20:26:25 0 d-------- C:\Program Files\Panda Security
2008-05-12 19:56:12 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-05-05 13:27:03 0 d-------- C:\Documents and Settings\Spobstertje\Application Data\Sun
2008-05-04 16:56:18 0 dr-h----- C:\Documents and Settings\Spobstertje\Onlangs geopend
2008-05-04 16:52:55 0 d-------- C:\Program Files\CCleaner
2008-04-30 18:15:55 0 d-------- C:\Program Files\SSC Service Utility

-- Find3M Report ---------------------------------------------------------------

2008-05-16 21:21:22 0 d-------- C:\Program Files\Microsoft Office2
2008-05-16 19:18:44 0 d-------- C:\Program Files\QuickTime
2008-05-16 19:16:37 0 d-------- C:\Program Files\Java
2008-05-16 19:16:36 0 d-------- C:\Program Files\Common Files
2008-05-09 16:31:19 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-05-09 15:42:29 0 d-------- C:\Documents and Settings\Spobstertje\Application Data\Azureus
2008-04-30 20:35:59 0 d-------- C:\Program Files\epson
2008-04-30 20:29:44 0 d-------- C:\Documents and Settings\Spobstertje\Application Data\Adobe
2008-04-18 23:27:54 0 d-------- C:\Program Files\Palm
2008-04-16 23:21:32 0 d-------- C:\Program Files\Azureus
2008-04-12 17:00:42 0 d-------- C:\Documents and Settings\Spobstertje\Application Data\Leadertech
2008-04-12 15:39:02 0 d-------- C:\Documents and Settings\Spobstertje\Application Data\HotSync
2008-03-30 22:06:56 361018 --a----c- C:\WINDOWS\system32\perfh013.dat
2008-03-30 22:06:56 51668 --a----c- C:\WINDOWS\system32\perfc013.dat

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NWEReboot"="" []
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [01-10-2007 20:01]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [11-06-2007 11:25]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [01-06-2006 11:22]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoWindowsUpdate"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [20-12-2006 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 19-04-2007 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

-- Hosts -----------------------------------------------------------------------

127.0.0.1 007guard.com
127.0.0.1 www.007guard.com
127.0.0.1 008i.com
127.0.0.1 008k.com
127.0.0.1 www.008k.com
127.0.0.1 00hq.com
127.0.0.1 www.00hq.com
127.0.0.1 010402.com
127.0.0.1 032439.com
127.0.0.1 www.032439.com

6775 more entries in hosts file.

-- End of Deckard's System Scanner: finished at 2008-05-19 22:05:59 ------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: Dutch

CPU 0: AMD Athlon 64 X2 Dual Core Processor 4200+
CPU 1: AMD Athlon 64 X2 Dual Core Processor 4200+
Percentage of Memory in Use: 34%
Physical Memory (total/avail): 1023.23 MiB / 666.52 MiB
Pagefile Memory (total/avail): 2460.48 MiB / 2133.06 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1920.7 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 19.53 GiB total, 1.56 GiB free.
D: is Fixed (NTFS) - 17.73 GiB total, 0.09 GiB free.
E: is Fixed (NTFS) - 149.04 GiB total, 1.57 GiB free.
F: is CDROM (No Media)
G: is CDROM (No Media)

\\.\PHYSICALDRIVE1 - Maxtor 6G160P0 - 149.05 GiB - 1 partition
\PARTITION0 - Extended w/Extended Int 13 - 149.04 GiB - E:

\\.\PHYSICALDRIVE0 - MAXTOR 6L040J2 - 37.28 GiB - 2 partitions
\PARTITION0 (bootable) - Installable File System - 19.53 GiB - C:
\PARTITION1 - Extended w/Extended Int 13 - 17.73 GiB - D:

-- Security Center -------------------------------------------------------------

AUOptions is disabled.
Windows Internal Firewall is disabled.
FirstRunDisabled is set.

AV: ESET NOD32 antivirus system 2.70 v2.70 (ESET, spol. s r.o.)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"

-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Spobstertje\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=SPOBSTER
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Spobstertje
LOGONSERVER=\\SPOBSTER
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\QuickTime\QTSystem"
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 75 Stepping 2, AuthenticAMD
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=4b02
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\SPOBST~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\SPOBST~1\LOCALS~1\Temp
USERDOMAIN=SPOBSTER
USERNAME=Spobstertje
USERPROFILE=C:\Documents and Settings\Spobstertje
windir=C:\WINDOWS

-- User Profiles ---------------------------------------------------------------

Spobstertje (admin)
Administrator (new local, admin)

-- Add/Remove Programs ---------------------------------------------------------

 --> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
3ivx D4 4.5.1 Decoder (remove only) --> "C:\Program Files\3ivx\3ivx D4 4.5.1 Decoder\uninstall.exe"
Aangifte inkomstenbelasting 2007 --> C:\Program Files\Belastingdienst\Aangifte inkomstenbelasting\2007\ib2007u.exe
ACDSee Pro --> MsiExec.exe /I{F99F74B4-972B-4B06-B893-6B3B0DB0128B}
Ad-Aware 2007 --> MsiExec.exe /X{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Acrobat 7.0 Professional --> msiexec /I {AC76BA86-1033-0000-7760-000000000002}
Adobe Photoshop 7.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Adobe\Photoshop 7.0\Uninst.isu" -c"C:\Program Files\Adobe\Photoshop 7.0\Uninst.dll"
Apple Mobile Device Support --> MsiExec.exe /I{8FC46258-0843-4D79-B7F0-F2B82FE6173B}
Apple Software Update --> MsiExec.exe /I{74EC78BC-B379-4E29-9006-8F161DCAABA6}
ASUS Enhanced Display Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{315ACD04-BCEB-478B-9B1D-5431D0E6CB11}\setup.exe" -l0x9 -removeonly
ASUS Utilities --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{43C67D92-F56E-4729-8673-9A2D5A6036F8} /l1043
Athlon 64 Processor Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C151CE54-E7EA-4804-854B-F515368B0798}\setup.exe" -l0x13
Attansic Giga Ethernet Utility --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0700\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1F698102-5739-441E-96F0-74F4EA540F06}\setup.exe" -l0x9
Attansic L1 Gigabit Ethernet Driver --> rundll32.exe C:\WINDOWS\system32\Attansic\L1\atcInst.dll,AtcUninst C:\WINDOWS\system32\Attansic\L1 x86 1969 1048 L1
AVG Anti-Spyware 7.5 --> C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
Azureus Vuze --> C:\Program Files\Azureus\uninstall.exe
Campingselect 2007 --> "C:\Program Files\ANWB\Campingselect 2007\Uninstall.exe" "C:\Program Files\ANWB\Campingselect 2007\install.log"
Canon Utilities PhotoStitch 3.1 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{03CDDD00-BD57-4326-9480-4C74449AF597}
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
Cole2k Media - Codec Pack (Advanced) --> C:\WINDOWS\system32\C2MP\Uninst.exe
Cool & Quiet --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1ADE1AA0-7F82-4BB1-B1BD-727DE438057B}\setup.exe" -l0x9
DC++ 0.699 --> "E:\DC++\uninstall.exe"
EPSON-printersoftware --> C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EPUPDATE.EXE /R
EPSON Scan --> C:\Program Files\epson\escndv\setup\setup.exe /r
Euroglot Professional 4.5 (remove only) --> "C:\Program Files\Linguistic Systems\Euroglot Professional 4.5\uninstall.exe"
Google Earth --> MsiExec.exe /I{1E04F83B-2AB9-4301-9EF7-E86307F79C72}
GraphPad Prism 4 --> "C:\Program Files\GraphPad\Prism 4\unins000.exe"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Huur- en zorgtoeslag 2008 --> E:\Robberts documenten\Belastingdienst\2008\hz2008u.exe
ImgBurn (Remove Only) --> "C:\Program Files\ImgBurn\uninstall.exe"
ISI ResearchSoft - Export Helper --> C:\PROGRA~1\COMMON~1\Risxtd\_UNINST.EXE
IsoBuster 1.6 --> "C:\Program Files\IsoBuster\Uninst\unins000.exe"
iTunes --> MsiExec.exe /I{85B90D8C-70F3-4E84-BD31-5E9489C0F9FB}
K-Lite Codec Pack 2.83 Full --> "C:\Program Files\K-Lite Codec Pack\unins000.exe"
Logitech
Root Admin AdvancedSetup Posted May 20, 2008 Root Admin ID:18490

Yes, sorry about that - my Dutch is a bit weak, or should I say non-existent B) Is this a home computer or a work computer?

This entry here is a policy that says DO NOT ALLOW WINDOWS UPDATES. If this is your home computer then you should change the policy to 0. Then check and see if Microsoft has Service Pack 3 for the Dutch operating system. If so I would download that and install it. Then go back and find Internet Explorer 7, download and install that.

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoWindowsUpdate"=1 (0x1)

Please start Regedit and browse to this location and then copy / paste the value for the (Default):
HKEY_CLASSES_ROOT\regedit\shell\open\command

Here is what it should be - if it's not then change it to match:
regedit.exe %1

Restart your computer and go back and verify that it is still set to that.

Then go to this location:
HKEY_CLASSES_ROOT\scrfile\shell\open\command
and it should be:
"%1" /S

When done you should then have Windows XP Service Pack 3 and IE7 installed. Then we can look at getting you a better firewall and some other software to help prevent infection in the future.

Though bittorrent can be a great tool - often these days people infect what would otherwise be good valid files with malware. Be careful with all files downloaded via bittorrent.
spobster Posted May 20, 2008 Author ID:18498

I have to admit that I don't have a valid version of Windows XP on my home computer. I think I disabled the updates, because there is some kind of Genuine Advantage check update that identifies whether you have a valid registration code or not. So I am not sure whether I can safely update to Service Pack 3 (if available in Dutch). What do you think? Do you know this update?

Furthermore, I rarely download torrents. A few months ago I switched to Azureus instead of BitTorrent, but I think the threats of malware are the same. Still I try to be careful. If I get password-protected .rar files I always delete the total downloaded package and don't visit websites they advertise for.
spobster Posted May 20, 2008 Author ID:18506

I have made the changes you suggested. Indeed the only update offered to me is the Windows Genuine Advantage validation program, which checks whether my Windows is authentic. Any suggestions?
Root Admin AdvancedSetup Posted May 20, 2008 Root Admin ID:18510

Hi spobster,

I'm sorry, but due to your own admission that you're not running a legal version of Windows XP we can no longer provide you with continued support. The best advice I can provide right now is to update to a legal version, which if done via the Web from Microsoft is at a very much reduced price than a full copy anyway.

At this time I will have to close this topic.