
Rootkit in iexplore.exe *extremely hidden*



Hi there MB users!

I was redirected here by one of your members after I had to run a few scans etc. Malware scan didn't reveal anything, nor did my NOD32 AV, CCleaner, JV16 powertools etc.

I ran the scans I was told to run if the problem still persisted, and GMER came up with a rootkit in iexplore.exe which is hidden and not visible in Task Manager.

Anyway, the DDS.txt log is posted in this message:

DDS (Ver_10-03-17.01) - NTFSx86

Run by Bjorn Hamburg at 3:07:34,60 on za 07-08-2010

Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_18

Microsoft Windows XP Professional 5.1.2600.3.1252.31.1043.18.2047.1229 [GMT 2:00]

AV: ESET NOD32 Antivirus 4.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Creative\Shared Files\CTAudSvc.exe

svchost.exe 4

C:\WINDOWS\Explorer.EXE

C:\Program Files\Creative\Volume Panel\VolPanlu.exe

C:\WINDOWS\system32\CTXFIHLP.EXE

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe

C:\WINDOWS\SYSTEM32\CTXFISPI.EXE

C:\WINDOWS\system32\ctfmon.exe

svchost.exe 4

svchost.exe

C:\WINDOWS\system32\CTsvcCDA.exe

C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

C:\WINDOWS\system32\svchost.exe -k hpdevmgmt

C:\WINDOWS\system32\svchost.exe -k HPService

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe

C:\WINDOWS\System32\svchost.exe -k HPZ12

c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe

C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\Program Files\Linksys\WMP300N\WLService.exe

C:\Program Files\Linksys\WMP300N\WMP300N.exe

C:\Program Files\Winamp\winamp.exe

C:\Program Files\Windows Live\Messenger\msnmsgr.exe

C:\Program Files\Windows Live\Contacts\wlcomm.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\system32\ping.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Mozilla Firefox\plugin-container.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Documents and Settings\Bjorn Hamburg\Bureaublad\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.nl/

uInternet Settings,ProxyOverride = *.local

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

BHO: Windows Live Aanmelden - Help: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: FlashFXP Helper for Internet Explorer: {e5a1691b-d188-4419-ad02-90002030b8ee} - c:\progra~1\flashfxp\IEFlash.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

{555d4d79-4bd2-4094-a395-cfc534424a05}

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe

uRun: [NVIDIA nTune] "c:\program files\nvidia corporation\ntune\nTuneCmd.exe" clear

mRun: [updReg] c:\windows\UpdReg.EXE

mRun: [VolPanel] "c:\program files\creative\volume panel\VolPanlu.exe" /r

mRun: [CTxfiHlp] CTXFIHLP.EXE

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice

mRun: [<NO NAME>]

dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

IE: E&xporteren naar Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab

DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab

DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.2.100.cab

DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - hxxp://www.eset.eu/buxus/docs/OnlineScanner.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1232201913609

DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} - hxxp://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1232201787359

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab

DPF: {CAFEEFAC-0015-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_01-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab

DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://www.creative.com/softwareupdate/su2/ocx/15106/CTPID.cab

Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll

AppInit_DLLs: winmm.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\windows defender\MpShHook.dll

LSA: Notification Packages = :\windows\system32\srrstr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\bjornh~1\applic~1\mozilla\firefox\profiles\zv8a8a4b.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.nl/

FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll

FF - plugin: c:\program files\ign\download manager\npfpdlm.dll

FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll

FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npagent.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);

c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);

c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009-9-29 108792]

R3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\system32\drivers\CT20XUT.sys [2009-1-16 198168]

R3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\system32\drivers\CTEXFIFX.sys [2009-1-16 1353240]

R3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\system32\drivers\CTHWIUT.sys [2009-1-16 73752]

S3 Ad-Watch Connect Filter;Ad-Watch Connect Kernel Filter;\??\c:\windows\system32\drivers\nsdriver.sys --> c:\windows\system32\drivers\NSDriver.sys [?]

S3 Ad-Watch Registry Filter;Ad-Watch Registry Kernel Filter;\??\c:\windows\system32\drivers\awrtrd.sys --> c:\windows\system32\drivers\AWRTRD.sys [?]

S3 ConicG;ConicG Wireless Network Adapter Service;c:\windows\system32\drivers\conicg.sys --> c:\windows\system32\drivers\ConicG.sys [?]

S3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.sys [2009-1-16 198168]

S3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.sys [2009-1-16 1353240]

S3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.sys [2009-1-16 73752]

=============== Created Last 30 ================

2010-08-05 16:05:10 0 d-----w- c:\docume~1\bjornh~1\applic~1\Malwarebytes

2010-08-05 16:04:57 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-08-05 16:04:55 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2010-08-05 16:04:54 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-08-05 16:04:53 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-08-05 11:53:52 221568 ------w- c:\windows\system32\MpSigStub.exe

2010-08-02 15:03:17 0 d--h--r- c:\documents and settings\bjorn hamburg\Onlangs geopend

2010-08-01 14:03:41 0 d-----w- c:\program files\StarCraft II

2010-08-01 12:01:35 0 d-----w- c:\program files\CCleaner

2010-07-28 19:58:00 0 d-----w- c:\program files\common files\Blizzard Entertainment

2010-07-28 19:58:00 0 d-----w- c:\docume~1\alluse~1\applic~1\Blizzard Entertainment

2010-07-28 19:56:42 0 d-----w- C:\StarCraft II

2010-07-27 17:54:12 754 ----a-w- c:\windows\WORDPAD.INI

2010-07-27 13:30:24 4175716 ----a-w- C:\fraglist.luar

2010-07-27 01:50:56 0 ----a-w- c:\documents and settings\bjorn hamburg\ntuser.tmp

2010-07-26 20:57:21 61440 ----a-w- c:\windows\system32\zIMF.DLL

2010-07-26 20:57:21 53248 ----a-w- c:\windows\system32\ZTAG.DLL

2010-07-22 16:37:49 0 d-----w- c:\docume~1\bjornh~1\applic~1\HpUpdate

2010-07-22 16:37:35 0 d-----w- c:\windows\Hewlett-Packard

2010-07-19 18:19:02 0 d-----w- c:\docume~1\bjornh~1\applic~1\UDC Profiles

2010-07-19 17:44:18 0 d-----w- c:\docume~1\alluse~1\applic~1\WEBREG

2010-07-19 17:40:31 123904 ----a-w- c:\windows\system32\hpf3l70w.dll

2010-07-19 17:40:30 452408 ----a-r- c:\windows\system32\hpzids01.dll

2010-07-19 17:39:52 372736 ----a-r- c:\windows\system32\hppldcoi.dll

2010-07-19 17:39:52 315392 ----a-r- c:\windows\system32\hposc_p02a.dll

2010-07-19 17:39:52 309760 ----a-r- c:\windows\system32\difxapi.dll

2010-07-19 17:39:51 966656 ----a-r- c:\windows\system32\hpost_p02f.dll

2010-07-19 17:39:51 712704 ----a-r- c:\windows\system32\hposwia_p02f.dll

2010-07-19 17:39:50 6912 -c--a-w- c:\windows\system32\dllcache\serscan.sys

2010-07-19 17:39:50 6912 ----a-w- c:\windows\system32\drivers\serscan.sys

2010-07-19 17:38:57 703 ------w- c:\windows\hpomdl39.dat.temp

2010-07-19 11:33:55 0 d-----w- c:\program files\common files\HP

2010-07-19 11:33:38 0 d-----w- c:\program files\common files\Hewlett-Packard

2010-07-19 11:31:34 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys

2010-07-19 11:31:34 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys

2010-07-19 11:27:55 703 ------w- c:\windows\hpomdl39.dat

2010-07-19 11:27:55 204556 ----a-w- c:\windows\hpoins39.dat

2010-07-15 13:17:02 0 d-----w- c:\program files\HP

2010-07-13 21:46:07 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe

2010-07-11 14:14:42 0 d-----w- C:\eset_upd_3_(4800)

2010-07-11 11:40:17 22 --sha-w- c:\windows\Sys3390 SettingsCollection.bin

2010-07-11 11:40:17 22 --sha-w- c:\docume~1\bjornh~1\applic~1\Sys6925.Config Collection.sys

2010-07-11 11:39:47 0 d-----w- c:\program files\jv16 PowerTools 2010

2010-07-10 17:23:45 782336 ----a-r- c:\windows\system32\tmp665.tmp

==================== Find3M ====================

2010-08-06 15:57:16 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs

2010-08-06 15:57:14 0 ----a-w- c:\windows\system32\drivers\logiflt.iad

2010-07-31 11:11:27 99 ----a-w- c:\documents and settings\bjorn hamburg\jagex_runescape_preferences2.dat

2010-07-31 11:11:23 41 ----a-w- c:\documents and settings\bjorn hamburg\jagex__preferences3.dat

2010-07-31 11:10:20 46 ----a-w- c:\documents and settings\bjorn hamburg\jagex_runescape_preferences.dat

2010-07-10 17:25:50 578476 ----a-w- c:\windows\system32\perfh013.dat

2010-07-10 17:25:50 118626 ----a-w- c:\windows\system32\perfc013.dat

2010-07-05 17:59:04 25280 ----a-w- c:\windows\system32\drivers\hamachi.sys

2008-08-20 23:14:50 2619 ----a-w- c:\program files\torrentbytes.txt

2006-06-23 06:48:54 32768 ----a-r- c:\windows\inf\UpdateUSB.exe

============= FINISH: 3:09:11,85 ===============

Attach.zip


Hello,

And :) My name is Elise and I'll be glad to help you with your computer problems.

I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer.

  • The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications.

-----------------------------------------------------------

GMER indeed flags iexplore as a hidden object, which is definitely not normal.

COMBOFIX

---------------

Please download ComboFix from one of these locations:

Bleepingcomputer
ForoSpyware

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all-inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

[Screenshot: Query_RC.gif]

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[Screenshot: RC_successful.gif]

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


Hi there Elise and thank you for your time and effort in trying to help me.

I ran ComboFix and it produced a log, which I'll post below; some parts are apparently in Dutch, so if you need them translated let me know. I think it is cleaned but I'll leave that decision up to you. Thank you either way and I hope to hear from you soon ;) <3

ComboFix 10-08-06.03 - Bjorn Hamburg 07-08-2010 13:10:32.1.4 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.31.1043.18.2047.1507 [GMT 2:00]

Gestart vanuit: c:\documents and settings\Bjorn Hamburg\Bureaublad\ComboFix.exe

AV: ESET NOD32 Antivirus 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

* Aanwezig AV is actief

.

(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Bjorn Hamburg\Application Data\.#

c:\documents and settings\Bjorn Hamburg\Application Data\inst.exe

c:\windows\system32\_004058_.tmp.dll

c:\windows\system32\_004059_.tmp.dll

c:\windows\system32\_004060_.tmp.dll

c:\windows\system32\_004061_.tmp.dll

c:\windows\system32\_004068_.tmp.dll

c:\windows\system32\_004069_.tmp.dll

c:\windows\system32\_004070_.tmp.dll

c:\windows\system32\_004071_.tmp.dll

c:\windows\system32\_004072_.tmp.dll

c:\windows\system32\_004073_.tmp.dll

c:\windows\system32\_004074_.tmp.dll

c:\windows\system32\_004075_.tmp.dll

c:\windows\system32\_004076_.tmp.dll

c:\windows\system32\_004077_.tmp.dll

c:\windows\system32\_004078_.tmp.dll

c:\windows\system32\_004079_.tmp.dll

c:\windows\system32\_004080_.tmp.dll

c:\windows\system32\_004081_.tmp.dll

c:\windows\system32\_004083_.tmp.dll

c:\windows\system32\_004086_.tmp.dll

c:\windows\system32\_004087_.tmp.dll

c:\windows\system32\_004091_.tmp.dll

c:\windows\system32\_004092_.tmp.dll

c:\windows\system32\_004093_.tmp.dll

c:\windows\system32\_004094_.tmp.dll

c:\windows\system32\_004095_.tmp.dll

c:\windows\system32\_004096_.tmp.dll

c:\windows\system32\_004097_.tmp.dll

c:\windows\system32\_004099_.tmp.dll

c:\windows\system32\_004100_.tmp.dll

c:\windows\system32\_004101_.tmp.dll

c:\windows\system32\_004102_.tmp.dll

c:\windows\system32\_004103_.tmp.dll

c:\windows\system32\_004104_.tmp.dll

c:\windows\system32\_004105_.tmp.dll

c:\windows\system32\_004106_.tmp.dll

c:\windows\system32\_004107_.tmp.dll

c:\windows\system32\_004108_.tmp.dll

c:\windows\system32\_004109_.tmp.dll

c:\windows\system32\_004112_.tmp.dll

c:\windows\system32\_004113_.tmp.dll

c:\windows\system32\_004114_.tmp.dll

c:\windows\system32\_004116_.tmp.dll

c:\windows\system32\_004117_.tmp.dll

c:\windows\system32\_004118_.tmp.dll

c:\windows\system32\_004119_.tmp.dll

c:\windows\system32\_004121_.tmp.dll

c:\windows\system32\_004124_.tmp.dll

c:\windows\system32\_004125_.tmp.dll

c:\windows\system32\_004129_.tmp.dll

c:\windows\system32\_004130_.tmp.dll

c:\windows\system32\_004132_.tmp.dll

c:\windows\system32\_004135_.tmp.dll

c:\windows\system32\_004137_.tmp.dll

c:\windows\system32\_004138_.tmp.dll

c:\windows\system32\_004139_.tmp.dll

c:\windows\system32\_004140_.tmp.dll

c:\windows\system32\_004143_.tmp.dll

c:\windows\system32\_004144_.tmp.dll

c:\windows\system32\_004145_.tmp.dll

c:\windows\system32\_004146_.tmp.dll

c:\windows\system32\_004147_.tmp.dll

c:\windows\system32\_004148_.tmp.dll

c:\windows\system32\_004152_.tmp.dll

c:\windows\system32\_004154_.tmp.dll

c:\windows\system32\_006204_.tmp.dll

c:\windows\system32\_006205_.tmp.dll

c:\windows\system32\_006206_.tmp.dll

c:\windows\system32\_006207_.tmp.dll

c:\windows\system32\_006214_.tmp.dll

c:\windows\system32\_006215_.tmp.dll

c:\windows\system32\_006216_.tmp.dll

c:\windows\system32\_006217_.tmp.dll

c:\windows\system32\_006219_.tmp.dll

c:\windows\system32\_006220_.tmp.dll

c:\windows\system32\_006223_.tmp.dll

c:\windows\system32\_006224_.tmp.dll

c:\windows\system32\_006226_.tmp.dll

c:\windows\system32\_006227_.tmp.dll

c:\windows\system32\_006228_.tmp.dll

c:\windows\system32\_006230_.tmp.dll

c:\windows\system32\_006233_.tmp.dll

c:\windows\system32\_006234_.tmp.dll

c:\windows\system32\_006238_.tmp.dll

c:\windows\system32\_006239_.tmp.dll

c:\windows\system32\_006241_.tmp.dll

c:\windows\system32\_006244_.tmp.dll

c:\windows\system32\_006246_.tmp.dll

c:\windows\system32\_006247_.tmp.dll

c:\windows\system32\_006248_.tmp.dll

c:\windows\system32\_006249_.tmp.dll

c:\windows\system32\_006250_.tmp.dll

c:\windows\system32\_006253_.tmp.dll

c:\windows\system32\_006254_.tmp.dll

c:\windows\system32\_006255_.tmp.dll

c:\windows\system32\_006256_.tmp.dll

c:\windows\system32\_006257_.tmp.dll

c:\windows\system32\_006258_.tmp.dll

c:\windows\system32\_006262_.tmp.dll

c:\windows\system32\_006264_.tmp.dll

c:\windows\system32\drivers\npf.sys

c:\windows\system32\Packet.dll

c:\windows\system32\pthreadVC.dll

c:\windows\system32\skinboxer43.dll

c:\windows\system32\wpcap.dll

.

\\.\PhysicalDrive0 - Bootkit Whistler was found and disinfected

\\.\PhysicalDrive1 - Bootkit Whistler was found and disinfected

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_NPF

-------\Service_NPF

(((((((((((((((((((( Bestanden Gemaakt van 2010-07-07 to 2010-08-07 ))))))))))))))))))))))))))))))

.

2010-08-06 10:44 . 2010-08-06 10:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage

2010-08-05 16:05 . 2010-08-05 16:05 -------- d-----w- c:\documents and settings\Bjorn Hamburg\Application Data\Malwarebytes

2010-08-05 16:04 . 2010-04-29 13:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-08-05 16:04 . 2010-08-05 16:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-08-05 16:04 . 2010-04-29 13:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-08-05 16:04 . 2010-08-05 16:05 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-08-05 11:53 . 2010-05-21 12:14 221568 ------w- c:\windows\system32\MpSigStub.exe

2010-08-05 11:53 . 2010-08-05 11:53 -------- d-----w- c:\program files\Windows Defender

2010-08-02 15:03 . 2010-08-06 01:39 -------- d--h--r- c:\documents and settings\Bjorn Hamburg\Onlangs geopend

2010-08-01 14:03 . 2010-08-06 17:27 -------- d-----w- c:\program files\StarCraft II

2010-08-01 12:01 . 2010-08-01 12:01 -------- d-----w- c:\program files\CCleaner

2010-07-30 15:15 . 2010-07-30 15:15 -------- d-----r- c:\documents and settings\NetworkService\Favorieten

2010-07-28 19:58 . 2010-08-06 17:24 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment

2010-07-28 19:58 . 2010-08-01 14:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard Entertainment

2010-07-28 19:56 . 2010-07-28 19:57 -------- d-----w- C:\StarCraft II

2010-07-26 20:57 . 2007-06-27 06:00 61440 ----a-w- c:\windows\system32\zIMF.DLL

2010-07-26 20:57 . 2007-06-27 06:00 57344 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\zIMFPRNT.DLL

2010-07-26 20:57 . 2007-06-27 06:00 53248 ----a-w- c:\windows\system32\ZTAG.DLL

2010-07-26 20:55 . 2010-07-26 20:55 -------- d-----w- c:\program files\Hewlett-Packard

2010-07-23 08:34 . 2010-07-23 08:34 -------- d-----r- c:\documents and settings\LocalService\Favorieten

2010-07-22 16:37 . 2010-07-23 08:34 -------- d-----w- c:\documents and settings\Bjorn Hamburg\Application Data\HpUpdate

2010-07-22 16:37 . 2010-07-22 16:37 -------- d-----w- c:\windows\Hewlett-Packard

2010-07-19 18:19 . 2010-07-19 18:19 -------- d-----w- c:\documents and settings\Bjorn Hamburg\Application Data\UDC Profiles

2010-07-19 17:44 . 2010-07-19 17:44 -------- d-----w- c:\documents and settings\All Users\Application Data\WEBREG

2010-07-19 17:42 . 2010-07-19 17:42 -------- d-----w- c:\documents and settings\Bjorn Hamburg\Local Settings\Application Data\HP

2010-07-19 17:41 . 2010-07-19 17:44 -------- d-----w- c:\documents and settings\Bjorn Hamburg\Application Data\HP

2010-07-19 17:40 . 2009-04-20 10:23 315904 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\hpfpp70w.dll

2010-07-19 17:40 . 2009-04-20 10:23 123904 ----a-w- c:\windows\system32\hpf3l70w.dll

2010-07-19 17:40 . 2009-04-15 14:53 452408 ----a-r- c:\windows\system32\hpzids01.dll

2010-07-19 17:39 . 2009-02-10 13:03 315392 ----a-r- c:\windows\system32\hposc_p02a.dll

2010-07-19 17:39 . 2008-10-28 03:27 372736 ----a-r- c:\windows\system32\hppldcoi.dll

2010-07-19 17:39 . 2008-10-28 03:27 309760 ----a-r- c:\windows\system32\difxapi.dll

2010-07-19 17:39 . 2009-02-10 13:03 966656 ----a-r- c:\windows\system32\hpost_p02f.dll

2010-07-19 17:39 . 2009-02-10 13:03 712704 ----a-r- c:\windows\system32\hposwia_p02f.dll

2010-07-19 17:39 . 2001-09-06 18:47 6912 -c--a-w- c:\windows\system32\dllcache\serscan.sys

2010-07-19 17:39 . 2001-09-06 18:47 6912 ----a-w- c:\windows\system32\drivers\serscan.sys

2010-07-19 11:35 . 2010-07-19 11:35 -------- d-----w- c:\documents and settings\All Users\Application Data\HP Product Assistant

2010-07-19 11:33 . 2010-07-19 11:33 -------- d-----w- c:\program files\Common Files\HP

2010-07-19 11:33 . 2010-07-19 11:33 -------- d-----w- c:\program files\Common Files\Hewlett-Packard

2010-07-19 11:33 . 2010-07-19 13:46 -------- d-----w- c:\documents and settings\All Users\Application Data\HP

2010-07-19 11:31 . 2008-04-13 17:47 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys

2010-07-19 11:31 . 2008-04-13 17:47 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys

2010-07-19 11:27 . 2010-07-19 17:44 204556 ----a-w- c:\windows\hpoins39.dat

2010-07-19 11:27 . 2009-06-11 02:32 703 ------w- c:\windows\hpomdl39.dat

2010-07-15 13:17 . 2010-07-19 11:36 -------- d-----w- c:\program files\HP

2010-07-13 21:46 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe

2010-07-11 14:14 . 2010-01-24 14:46 -------- d-----w- C:\eset_upd_3_(4800)

2010-07-11 13:42 . 2010-07-11 13:42 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET

2010-07-11 11:40 . 2010-07-11 11:40 22 --sha-w- c:\windows\Sys3390 SettingsCollection.bin

2010-07-11 11:39 . 2010-08-05 18:11 -------- d-----w- c:\program files\jv16 PowerTools 2010

.

((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-08-07 11:21 . 2009-01-08 21:40 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs

2010-08-07 11:21 . 2009-01-08 21:39 0 ----a-w- c:\windows\system32\drivers\logiflt.iad

2010-08-06 10:39 . 2008-02-24 20:24 -------- d-----w- c:\documents and settings\Bjorn Hamburg\Application Data\uTorrent

2010-08-06 01:46 . 2010-06-09 20:51 -------- d-----w- c:\documents and settings\Bjorn Hamburg\Application Data\vlc

2010-08-05 16:25 . 2009-01-22 15:15 -------- d-----w- c:\program files\Messenger Plus! Live

2010-08-04 18:36 . 2008-07-04 23:03 -------- d-----w- c:\program files\MPlayer for Windows

2010-07-31 11:11 . 2009-09-02 15:32 99 ----a-w- c:\documents and settings\Bjorn Hamburg\jagex_runescape_preferences2.dat

2010-07-31 11:11 . 2010-03-24 17:32 41 ----a-w- c:\documents and settings\Bjorn Hamburg\jagex__preferences3.dat

2010-07-31 11:10 . 2008-07-05 19:47 46 ----a-w- c:\documents and settings\Bjorn Hamburg\jagex_runescape_preferences.dat

2010-07-31 02:15 . 2009-02-08 21:19 -------- d-----w- c:\documents and settings\Bjorn Hamburg\Application Data\LimeWire

2010-07-30 21:24 . 2007-08-10 11:58 -------- d-----w- c:\program files\Winamp

2010-07-30 18:19 . 2007-08-13 02:40 -------- d-----w- c:\program files\Incomplete

2010-07-30 18:15 . 2007-08-10 12:13 -------- d-----w- c:\program files\My Music

2010-07-28 20:18 . 2010-07-28 20:18 47364 ----a-w- c:\documents and settings\All Users\Application Data\Blizzard Entertainment\Battle.net\Cache\Download\Scan.dll

2010-07-27 01:50 . 2010-07-27 01:50 0 ----a-w- c:\documents and settings\Bjorn Hamburg\ntuser.tmp

2010-07-23 00:40 . 2007-08-10 21:00 -------- d-----w- c:\program files\VentriloMIX

2010-07-19 17:41 . 2007-08-10 13:17 77016 ----a-w- c:\documents and settings\Bjorn Hamburg\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-07-13 23:11 . 2008-08-31 13:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2010-07-11 13:30 . 2007-10-27 21:29 -------- d-----w- c:\program files\ESET

2010-07-11 11:57 . 2007-08-10 14:53 -------- d-----w- c:\documents and settings\Bjorn Hamburg\Application Data\Ventrilo

2010-07-11 11:40 . 2010-07-11 11:40 22 --sha-w- c:\documents and settings\Bjorn Hamburg\Application Data\Sys6925.Config Collection.sys

2010-07-11 11:40 . 2010-07-11 11:40 22 --sha-w- c:\documents and settings\Bjorn Hamburg\Application Data\Sys6925.Config Collection.sys

2010-07-10 17:51 . 2007-08-11 10:26 -------- d-----w- c:\program files\CyberLink

2010-07-10 17:40 . 2010-06-13 23:16 -------- d-----w- c:\program files\Acro Software

2010-07-10 17:34 . 2008-10-01 21:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer

2010-07-10 17:31 . 2009-01-17 10:28 -------- d-----w- c:\program files\Microsoft Games for Windows - LIVE

2010-07-10 17:29 . 2010-04-24 03:28 -------- d-----w- c:\program files\Nokia

2010-07-10 17:25 . 2001-09-07 14:00 578476 ----a-w- c:\windows\system32\perfh013.dat

2010-07-10 17:25 . 2001-09-07 14:00 118626 ----a-w- c:\windows\system32\perfc013.dat

2010-07-10 17:17 . 2007-08-09 20:09 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-07-06 11:35 . 2009-01-14 23:45 -------- d-----w- c:\documents and settings\Bjorn Hamburg\Application Data\Hamachi

2010-07-05 20:40 . 2010-06-23 19:25 -------- d-----w- c:\program files\7-Zip

2010-07-05 17:59 . 2007-08-16 00:35 25280 ----a-w- c:\windows\system32\drivers\hamachi.sys

2010-07-01 21:38 . 2007-10-10 20:09 -------- d-----w- c:\program files\Registry Clean Expert

2010-07-01 21:12 . 2010-07-01 21:12 -------- d-----w- c:\program files\Firefly Studios

2010-06-30 08:26 . 2010-06-24 21:56 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS

2010-06-29 17:17 . 2010-06-24 21:54 25 ----a-w- c:\windows\popcinfot.dat

2010-06-29 09:49 . 2007-08-10 13:39 -------- d-----w- c:\program files\Common Files\Adobe

2010-06-29 09:30 . 2009-10-06 15:19 -------- d-----w- c:\program files\Microsoft Silverlight

2010-06-28 18:27 . 2008-12-24 21:15 -------- d-----w- c:\program files\Gpotato

2010-06-27 12:48 . 2007-08-13 02:37 -------- d-----w- c:\program files\LimeWire

2010-06-27 12:40 . 2009-08-28 16:36 -------- d-----w- c:\documents and settings\Bjorn Hamburg\Application Data\Samsung

2010-06-27 12:40 . 2009-08-28 16:35 -------- d-----w- c:\program files\Samsung

2010-06-27 12:36 . 2007-08-10 00:29 -------- d-----w- c:\program files\BitLord

2010-06-25 08:48 . 2007-08-10 21:49 -------- d-----w- c:\program files\Google

2010-06-24 21:56 . 2010-06-24 21:56 2568656 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player.exe

2010-06-23 20:01 . 2010-06-23 20:01 -------- d-----w- c:\documents and settings\All Users\Application Data\PopCap Games

2010-06-19 18:25 . 2007-09-09 12:49 -------- d-----w- c:\documents and settings\Bjorn Hamburg\Application Data\Vso

2010-06-15 12:04 . 2008-02-24 20:26 -------- d-----w- c:\program files\uTorrent

2010-06-14 14:31 . 2007-08-09 19:34 744448 ----a-w- c:\windows\PCHealth\HelpCtr\Binaries\helpsvc.exe

2010-06-12 19:58 . 2007-08-10 01:02 -------- d-----w- c:\program files\Steam

2010-05-23 14:16 . 2010-05-23 14:16 503808 ----a-w- c:\documents and settings\Bjorn Hamburg\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-667bcfcf-n\msvcp71.dll

2010-05-23 14:16 . 2010-05-23 14:16 499712 ----a-w- c:\documents and settings\Bjorn Hamburg\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-667bcfcf-n\jmc.dll

2010-05-23 14:16 . 2010-05-23 14:16 348160 ----a-w- c:\documents and settings\Bjorn Hamburg\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-667bcfcf-n\msvcr71.dll

2010-05-23 14:16 . 2010-05-23 14:16 61440 ----a-w- c:\documents and settings\Bjorn Hamburg\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-11243969-n\decora-sse.dll

2010-05-23 14:16 . 2010-05-23 14:16 12800 ----a-w- c:\documents and settings\Bjorn Hamburg\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-11243969-n\decora-d3d.dll

2008-08-20 23:14 . 2008-05-15 19:11 2619 ----a-w- c:\program files\torrentbytes.txt

2008-03-15 13:25 . 2008-02-25 22:39 72 --sh--w- c:\windows\SA26FAF3F.tmp

.

((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-07-03 81920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]

"VolPanel"="c:\program files\Creative\Volume Panel\VolPanlu.exe" [2008-08-06 233576]

"CTxfiHlp"="CTXFIHLP.EXE" [2008-08-06 23040]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-04-03 13670504]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-04-03 110696]

"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-09-29 2054360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^Adobe Reader Speed Launch.lnk]

path=c:\documents and settings\All Users\Menu Start\Programma's\Opstarten\Adobe Reader Speed Launch.lnk

backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^HP Digital Imaging Monitor.lnk]

path=c:\documents and settings\All Users\Menu Start\Programma's\Opstarten\HP Digital Imaging Monitor.lnk

backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^Logitech SetPoint.lnk]

path=c:\documents and settings\All Users\Menu Start\Programma's\Opstarten\Logitech SetPoint.lnk

backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Bjorn Hamburg^Menu Start^Programma's^Opstarten^Logitech . Productregistratie.lnk]

path=c:\documents and settings\Bjorn Hamburg\Menu Start\Programma's\Opstarten\Logitech . Productregistratie.lnk

backup=c:\windows\pss\Logitech . Productregistratie.lnkStartup

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechCommunicationsManager

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AnyDVD]

2008-02-06 10:06 89024 ----a-w- c:\program files\SlySoft\AnyDVD\AnyDVD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]

2007-03-12 11:49 153136 ----a-w- c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]

2006-09-28 19:21 57344 ----a-w- c:\program files\SlySoft\CloneCD\CloneCDTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]

2007-08-24 05:00 33648 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igndlm.exe]

2007-03-05 11:57 1103480 ----a-w- c:\program files\IGN\Download Manager\DLM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JMB36X Configure]

2006-10-30 12:44 1953792 ----a-r- c:\windows\system32\JMRaidSetup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JMB36X IDE Setup]

2006-10-30 12:44 36864 ----a-r- c:\windows\JM\JMInsIDE.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Hardware Abstraction Layer]

2004-12-10 10:45 49152 ----a-w- c:\windows\KHALMNPR.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]

2008-12-20 06:50 2656528 ----a-w- c:\program files\Logitech\QuickCam\Quickcam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

2008-04-14 17:03 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]

2009-07-26 14:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

2007-03-09 16:53 153136 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegClean Expert Scheduler]

2010-05-13 03:59 604032 ----a-w- c:\program files\Registry Clean Expert\RCHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]

2006-07-13 06:12 729088 ------w- c:\program files\Analog Devices\SoundMAX\SMax4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]

2006-12-18 20:34 868352 ----a-r- c:\program files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2008-06-10 02:27 144784 ----a-w- c:\program files\Java\jre1.6.0_07\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sunkist2k]

2005-10-27 14:01 139264 ----a-w- c:\program files\Multimedia Card Reader\shwicon2k.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\Program Files\\Steam\\Steam.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Program Files\\mIRC2\\mirc.exe"=

"c:\\Program Files\\FlashFXP\\FlashFXP.exe"=

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\Program Files\\LimeWire\\LimeWire.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\WINDOWS\\system32\\PnkBstrA.exe"=

"c:\\WINDOWS\\system32\\PnkBstrB.exe"=

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=

"c:\\Program Files\\Steam\\steamapps\\brmhamburg@hotmail.com\\counter-strike\\hl.exe"=

"c:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\helpctr.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=

"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\Bin\\hpqPhotoCrm.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=

"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\{722B4A13-F24D-43AE-8813-5DB82C0B23C2}\\setup\\hpznui01.exe"=

"c:\\Program Files\\StarCraft II\\StarCraft II.exe"=

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [29-9-2009 13:02 108792]

R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [29-9-2009 13:05 96408]

R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [29-9-2009 13:03 735960]

R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [3-11-2006 19:19 13592]

R2 WMP300NSvc;WMP300NSvc;c:\program files\Linksys\WMP300N\WLService.exe [8-11-2008 17:21 53307]

R3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\system32\drivers\CT20XUT.sys [16-1-2009 17:27 198168]

R3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\system32\drivers\CTEXFIFX.sys [16-1-2009 17:27 1353240]

R3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\system32\drivers\CTHWIUT.sys [16-1-2009 17:27 73752]

R3 ha20x22k;Creative 20X2 HAL Driver;c:\windows\system32\drivers\ha20x22k.sys [16-1-2009 17:27 1221144]

R3 portio32;portio32;c:\windows\system32\drivers\portio32.sys [8-8-2009 13:44 2048]

R3 WMP300Nv2;Linksys Wireless-N PCI Adapter WMP300Nv2 Service;c:\windows\system32\drivers\WMP300Nv2.sys [11-10-2008 19:48 1297824]

S2 gupdate;Google Updateservice (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [25-6-2010 10:47 136176]

S3 ConicG;ConicG Wireless Network Adapter Service;c:\windows\system32\DRIVERS\ConicG.sys --> c:\windows\system32\DRIVERS\ConicG.sys [?]

S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [16-1-2009 17:25 79360]

S3 Creative Media Toolbox 6 Licensing Service;Creative Media Toolbox 6 Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\MT6Licensing.exe [16-1-2009 17:32 79360]

S3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.sys [16-1-2009 17:27 198168]

S3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.sys [16-1-2009 17:27 1353240]

S3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.sys [16-1-2009 17:27 73752]

S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [28-8-2009 18:36 36608]

S3 MSSQL$SONY_MEDIAMGR2;SQL Server (SONY_MEDIAMGR2);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [24-11-2008 23:31 29263712]

S3 ultradfg;ultradfg;c:\windows\system32\drivers\ultradfg.sys [13-11-2008 11:52 24576]

S3 vaxscsi;vaxscsi;c:\windows\system32\drivers\vaxscsi.sys [19-8-2007 16:04 223128]

S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [18-8-2007 18:57 685816]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

HPService REG_MULTI_SZ HPSLPSVC

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.

Inhoud van de 'Gedeelde Taken' map

2010-08-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-25 08:47]

2010-08-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-25 08:47]

2010-08-07 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 17:20]

2010-08-07 c:\windows\Tasks\OGALogon.job

- c:\windows\system32\OGAEXEC.exe [2009-08-03 13:07]

.

.

------- Bijkomende Scan -------

.

uStart Page = hxxp://www.google.nl/

uInternet Settings,ProxyOverride = *.local

IE: E&xporteren naar Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

FF - ProfilePath - c:\documents and settings\Bjorn Hamburg\Application Data\Mozilla\Firefox\Profiles\zv8a8a4b.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.nl/

FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll

FF - plugin: c:\program files\IGN\Download Manager\npfpdlm.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npagent.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

.

- - - - ORPHANS VERWIJDERD - - - -

MSConfigStartUp-nwiz - nwiz.exe

MSConfigStartUp-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-08-07 13:32

Windows 5.1.2600 Service Pack 3 NTFS

scannen van verborgen processen ...

scannen van verborgen autostart items ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

CTxfiHlp = CTXFIHLP.EXE?

scannen van verborgen bestanden ...

Scan succesvol afgerond

verborgen bestanden: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]

"ImagePath"="a"

.

--------------------- VERGRENDELDE REGISTER SLEUTELS ---------------------

[HKEY_USERS\S-1-5-21-343818398-688789844-839522115-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

"??"=hex:84,5a,ff,be,79,95,c4,e0,10,00,3f,3b,a8,a7,f0,4f,b7,6f,76,d5,81,b8,96,

74,91,b5,78,9d,b5,f5,72,30,9b,ab,89,87,52,c3,c2,30,42,e8,4d,fc,79,45,f4,35,\

"??"=hex:35,fc,c6,3d,c9,02,ad,db,37,1f,61,de,0f,33,8f,50

[HKEY_USERS\S-1-5-21-343818398-688789844-839522115-1004\Software\SecuROM\License information*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

"datasecu"=hex:78,c8,6a,de,5c,04,19,c9,b8,89,6c,92,01,b1,c3,83,a7,5e,6c,2d,41,

33,d6,69,7d,46,03,0d,5e,b6,92,97,fb,8e,a8,5c,28,53,64,b7,7f,b6,1c,15,f9,15,\

"rkeysecu"=hex:9e,f6,24,6b,d5,c7,93,b8,5d,24,d9,09,3c,4d,4b,31

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\ؕ


I ran ComboFix and it produced a log accordingly, which I'll post up. Some parts are apparently in Dutch, so if you need them translated let me know.
I happen to be a native Dutch speaker, so no need for a translation. ;)

Since you had an MBR rootkit infection, I want to double-check it's really gone.

Please download MBRCheck.exe by a_d_13 from one of the links provided below and save it to your desktop.

Link 1
Link 2
Link 3

  • Double-click on MBRCheck.exe to run it. Vista/Windows 7 users right-click and select Run As Administrator.
  • It will open a black screen with some data on it...please do not fix anything (if it gives you an option).
  • When complete, you should see Done! Press ENTER to exit.... Press Enter on the keyboard.
  • A log named MBRCheck_date_time.txt (i.e. MBRCheck_07.21.10_10.22.51.txt) will be created on the desktop.
  • Copy and paste the contents of that log in your next reply.


Hah, very well then, makes things easier, eh :)

Here's the log you requested:

MBRCheck, version 1.2.3

© 2010, AD

Command-line:

Windows Version: Windows XP Professional

Windows Information: Service Pack 3 (build 2600)

Logical Drives Mask: 0x000003ec

Kernel Drivers (total 165):

0x804D7000 \WINDOWS\system32\ntkrnlpa.exe

0x806E5000 \WINDOWS\system32\hal.dll

0xB85A8000 \WINDOWS\system32\KDCOM.DLL

0xB84B8000 \WINDOWS\system32\BOOTVID.dll

0xB7F78000 ACPI.sys

0xB85AA000 \WINDOWS\System32\DRIVERS\WMILIB.SYS

0xB7F67000 pci.sys

0xB80A8000 isapnp.sys

0xB8670000 pciide.sys

0xB8328000 \WINDOWS\System32\DRIVERS\PCIIDEX.SYS

0xB80B8000 MountMgr.sys

0xB7F48000 ftdisk.sys

0xB85AC000 dmload.sys

0xB7F22000 dmio.sys

0xB8330000 PartMgr.sys

0xB80C8000 VolSnap.sys

0xB7F0A000 atapi.sys

0xB80D8000 jraid.sys

0xB7EF2000 \WINDOWS\system32\DRIVERS\SCSIPORT.SYS

0xB80E8000 disk.sys

0xB80F8000 \WINDOWS\System32\DRIVERS\CLASSPNP.SYS

0xB7ED2000 fltmgr.sys

0xB7EC0000 sr.sys

0xB8108000 PxHelp20.sys

0xB7EA9000 KSecDD.sys

0xB7E96000 WudfPf.sys

0xB7E09000 Ntfs.sys

0xB7DDC000 NDIS.sys

0xB8118000 Combo-Fix.sys

0xB7DC2000 Mup.sys

0xB85AE000 JGOGO.sys

0xB8574000 \SystemRoot\System32\DRIVERS\tunmp.sys

0xB8218000 \SystemRoot\System32\DRIVERS\intelppm.sys

0xB6F41000 \SystemRoot\system32\DRIVERS\nv4_mini.sys

0xB6F2D000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS

0xB83C8000 \SystemRoot\System32\DRIVERS\usbuhci.sys

0xB6F09000 \SystemRoot\System32\DRIVERS\USBPORT.SYS

0xB83D0000 \SystemRoot\System32\DRIVERS\usbehci.sys

0xB6EE1000 \SystemRoot\system32\DRIVERS\HDAudBus.sys

0xB6E60000 \SystemRoot\system32\drivers\ctaud2k.sys

0xB6E3C000 \SystemRoot\system32\drivers\portcls.sys

0xB8238000 \SystemRoot\system32\drivers\drmk.sys

0xB6E19000 \SystemRoot\system32\drivers\ks.sys

0xB6DE4000 \SystemRoot\system32\drivers\ctoss2k.sys

0xB83D8000 \SystemRoot\system32\drivers\ctprxy2k.sys

0xB6CA7000 \SystemRoot\system32\DRIVERS\WMP300Nv2.sys

0xB8248000 \SystemRoot\System32\DRIVERS\serial.sys

0xB857C000 \SystemRoot\System32\DRIVERS\serenum.sys

0xB85D2000 \SystemRoot\system32\DRIVERS\ASACPI.sys

0xB6C93000 \SystemRoot\System32\DRIVERS\parport.sys

0xB8258000 \SystemRoot\System32\DRIVERS\i8042prt.sys

0xB8580000 \SystemRoot\system32\DRIVERS\L8042Kbd.sys

0xB83E0000 \SystemRoot\System32\DRIVERS\kbdclass.sys

0xB8268000 \SystemRoot\System32\DRIVERS\imapi.sys

0xB85D4000 \SystemRoot\System32\Drivers\ElbyDelay.sys

0xB83E8000 \SystemRoot\System32\Drivers\ElbyCDFL.sys

0xB6C7D000 \SystemRoot\System32\Drivers\AnyDVD.sys

0xB8278000 \SystemRoot\System32\DRIVERS\cdrom.sys

0xB8288000 \SystemRoot\System32\DRIVERS\redbook.sys

0xB6C6C000 \SystemRoot\system32\DRIVERS\VMNetSrv.sys

0xB879C000 \SystemRoot\System32\DRIVERS\audstub.sys

0xB82E8000 \SystemRoot\System32\DRIVERS\rasl2tp.sys

0xB858C000 \SystemRoot\System32\DRIVERS\ndistapi.sys

0xB6C55000 \SystemRoot\System32\DRIVERS\ndiswan.sys

0xB82F8000 \SystemRoot\System32\DRIVERS\raspppoe.sys

0xB8308000 \SystemRoot\System32\DRIVERS\raspptp.sys

0xB83F8000 \SystemRoot\System32\DRIVERS\TDI.SYS

0xB6C44000 \SystemRoot\System32\DRIVERS\psched.sys

0xB8318000 \SystemRoot\System32\DRIVERS\msgpc.sys

0xB8400000 \SystemRoot\System32\DRIVERS\ptilink.sys

0xB8408000 \SystemRoot\System32\DRIVERS\raspti.sys

0xB7994000 \SystemRoot\System32\Drivers\pcouffin.sys

0xB85EA000 \SystemRoot\System32\Drivers\RootMdm.sys

0xB8410000 \SystemRoot\System32\Drivers\Modem.SYS

0xB6C14000 \SystemRoot\System32\DRIVERS\rdpdr.sys

0xB7984000 \SystemRoot\System32\DRIVERS\termdd.sys

0xB8418000 \SystemRoot\System32\DRIVERS\mouclass.sys

0xB85EC000 \SystemRoot\System32\DRIVERS\swenum.sys

0xB6BB6000 \SystemRoot\System32\DRIVERS\update.sys

0xB85A0000 \SystemRoot\System32\DRIVERS\mssmbios.sys

0xB86D2000 \SystemRoot\system32\drivers\portio32.sys

0xB7974000 \SystemRoot\System32\Drivers\NDProxy.SYS

0xB7964000 \SystemRoot\System32\DRIVERS\usbhub.sys

0xB85F0000 \SystemRoot\System32\DRIVERS\USBD.SYS

0xB4A1A000 \SystemRoot\system32\drivers\ADIHdAud.sys

0xB4A03000 \SystemRoot\system32\drivers\AEAudio.sys

0xB49A3000 \SystemRoot\system32\drivers\Senfilt.sys

0xB3675000 \SystemRoot\system32\drivers\ha20x22k.sys

0xB3645000 \SystemRoot\system32\drivers\emupia2k.sys

0xB361B000 \SystemRoot\system32\drivers\ctsfm2k.sys

0xB3606000 \SystemRoot\System32\drivers\CTHWIUT.SYS

0xB35D1000 \SystemRoot\System32\drivers\CT20XUT.SYS

0xB3483000 \SystemRoot\System32\drivers\CTEXFIFX.SYS

0xB85F6000 \SystemRoot\System32\Drivers\Fs_Rec.SYS

0xB870B000 \SystemRoot\System32\Drivers\Null.SYS

0xB85F8000 \SystemRoot\System32\Drivers\Beep.SYS

0xB343E000 \SystemRoot\system32\DRIVERS\ehdrv.sys

0xB8438000 \SystemRoot\System32\DRIVERS\HIDPARSE.SYS

0xB8440000 \SystemRoot\System32\drivers\vga.sys

0xB85FA000 \SystemRoot\System32\Drivers\mnmdd.SYS

0xB85FC000 \SystemRoot\System32\DRIVERS\RDPCDD.sys

0xB8448000 \SystemRoot\System32\Drivers\Msfs.SYS

0xB8450000 \SystemRoot\System32\Drivers\Npfs.SYS

0xB855C000 \SystemRoot\System32\DRIVERS\rasacd.sys

0xB340B000 \SystemRoot\System32\DRIVERS\ipsec.sys

0xB33B2000 \SystemRoot\System32\DRIVERS\tcpip.sys

0xB338A000 \SystemRoot\System32\DRIVERS\netbt.sys

0xB3364000 \SystemRoot\System32\DRIVERS\ipnat.sys

0xB7924000 \SystemRoot\System32\DRIVERS\wanarp.sys

0xB332C000 \SystemRoot\System32\DRIVERS\tcpip6.sys

0xB3313000 \SystemRoot\system32\DRIVERS\epfwtdir.sys

0xB7914000 \SystemRoot\system32\drivers\ip6fw.sys

0xB8570000 \SystemRoot\System32\drivers\ws2ifsl.sys

0xB3251000 \SystemRoot\System32\drivers\afd.sys

0xB7904000 \SystemRoot\System32\DRIVERS\netbios.sys

0xB3216000 \??\C:\WINDOWS\system32\Drivers\vmm.sys

0xB8458000 \SystemRoot\System32\Drivers\SCDEmu.SYS

0xB31C3000 \SystemRoot\System32\DRIVERS\rdbss.sys

0xB3153000 \SystemRoot\System32\DRIVERS\mrxsmb.sys

0xB8178000 \SystemRoot\System32\Drivers\Fips.SYS

0xB8460000 \SystemRoot\System32\Drivers\ElbyCDIO.sys

0xB8468000 \??\C:\WINDOWS\System32\Drivers\sunkfilt.sys

0xB8470000 \SystemRoot\System32\DRIVERS\USBSTOR.SYS

0xB81A8000 \SystemRoot\System32\Drivers\LHidUsbK.Sys

0xB81B8000 \SystemRoot\System32\Drivers\HIDCLASS.SYS

0xB81C8000 \SystemRoot\System32\Drivers\Cdfs.SYS

0xB8480000 \SystemRoot\System32\DRIVERS\usbccgp.sys

0xB8488000 \SystemRoot\system32\DRIVERS\LHidKE.Sys

0xB4A6A000 \SystemRoot\System32\DRIVERS\mouhid.sys

0xB311A000 \SystemRoot\system32\DRIVERS\LMouKE.Sys

0xB81D8000 \SystemRoot\system32\drivers\LVUSBSta.sys

0xB2B09000 \SystemRoot\system32\DRIVERS\lvuvc.sys

0xB81E8000 \SystemRoot\system32\drivers\usbaudio.sys

0xB2A4F000 \SystemRoot\system32\DRIVERS\lvrs.sys

0xB2A37000 \SystemRoot\System32\Drivers\dump_atapi.sys

0xB8602000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS

0xBF800000 \SystemRoot\System32\win32k.sys

0xB346F000 \SystemRoot\System32\drivers\Dxapi.sys

0xB8490000 \SystemRoot\System32\watchdog.sys

0xBD000000 \SystemRoot\System32\drivers\dxg.sys

0xB8794000 \SystemRoot\System32\drivers\dxgthk.sys

0xBD012000 \SystemRoot\System32\nv4_disp.dll

0xB233B000 \SystemRoot\system32\DRIVERS\eamon.sys

0xBFFA0000 \SystemRoot\System32\ATMFD.DLL

0xB231B000 \SystemRoot\system32\DRIVERS\mdc8021x.sys

0xB21E5000 \SystemRoot\system32\DRIVERS\nwlnkipx.sys

0xB2477000 \SystemRoot\system32\DRIVERS\nwlnknb.sys

0xB226B000 \SystemRoot\System32\DRIVERS\ndisuio.sys

0xB1FF0000 \SystemRoot\system32\drivers\wdmaud.sys

0xB214D000 \SystemRoot\system32\drivers\sysaudio.sys

0xB211D000 \SystemRoot\system32\DRIVERS\nwlnkspx.sys

0xB1F25000 \SystemRoot\System32\DRIVERS\mrxdav.sys

0xB85DC000 \SystemRoot\System32\Drivers\ParVdm.SYS

0xB1EE2000 \SystemRoot\system32\DRIVERS\atksgt.sys

0xB1DB1000 \SystemRoot\System32\Drivers\HTTP.sys

0xB84A8000 \SystemRoot\system32\DRIVERS\lirsgt.sys

0xB1C6A000 \SystemRoot\System32\DRIVERS\srv.sys

0xB83B8000 \SystemRoot\system32\Drivers\LVPr2Mon.sys

0xB861C000 \??\C:\WINDOWS\nvoclock.sys

0xB16F1000 \??\C:\PROGRA~1\Linksys\WMP300N\GTNDIS5.SYS

0xB8420000 \??\C:\DOCUME~1\BJORNH~1\LOCALS~1\Temp\mbr.sys

0xB1462000 \SystemRoot\system32\drivers\kmixer.sys

0xB8428000 \??\C:\ComboFix\catchme.sys

0xB866C000 \??\C:\WINDOWS\system32\Drivers\PROCEXP113.SYS

0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 48):

0 System Idle Process

4 System

744 C:\WINDOWS\system32\smss.exe

824 csrss.exe

860 C:\WINDOWS\system32\winlogon.exe

904 C:\WINDOWS\system32\services.exe

916 C:\WINDOWS\system32\lsass.exe

1092 C:\WINDOWS\system32\nvsvc32.exe

1144 C:\WINDOWS\system32\svchost.exe

1232 svchost.exe

1368 C:\WINDOWS\system32\svchost.exe

1412 C:\WINDOWS\system32\svchost.exe

1608 svchost.exe

1732 svchost.exe

1924 C:\WINDOWS\system32\spoolsv.exe

1968 C:\Program Files\Creative\Shared Files\CTAudSvc.exe

652 svchost.exe

784 C:\WINDOWS\system32\CTSVCCDA.EXE

820 C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

1136 C:\WINDOWS\system32\svchost.exe

1212 C:\WINDOWS\system32\svchost.exe

1460 C:\WINDOWS\system32\svchost.exe

1504 C:\Program Files\Java\jre6\bin\jqs.exe

1624 C:\WINDOWS\system32\svchost.exe

200 C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe

280 C:\WINDOWS\system32\svchost.exe

396 sqlbrowser.exe

444 C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe

488 C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

496 C:\WINDOWS\system32\svchost.exe

552 C:\Program Files\Linksys\WMP300N\WLService.exe

244 C:\Program Files\Linksys\WMP300N\WMP300N.exe

2040 wmpnetwk.exe

2628 alg.exe

2868 C:\Program Files\Creative\Volume Panel\VolPanlu.exe

3112 C:\WINDOWS\system32\rundll32.exe

3196 C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe

3284 C:\WINDOWS\system32\CTxfispi.exe

6864 C:\WINDOWS\explorer.exe

10196 C:\WINDOWS\system32\notepad.exe

4736 C:\Program Files\Mozilla Firefox\firefox.exe

6272 C:\Program Files\Mozilla Firefox\plugin-container.exe

8612 C:\Program Files\Windows Defender\MsMpEng.exe

2268 C:\Program Files\Windows Live\Messenger\msnmsgr.exe

3556 C:\WINDOWS\system32\ctfmon.exe

976 C:\Program Files\Windows Live\Contacts\wlcomm.exe

1072 C:\Program Files\Winamp\winamp.exe

1692 C:\Documents and Settings\Bjorn Hamburg\Bureaublad\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

\\.\D: --> \\.\PhysicalDrive1 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: SAMSUNGHD501LJ, Rev: CR100-10

PhysicalDrive1 Model Number: WDCWD5000AAKS-00YGA0, Rev: 12.01C02

Size Device Name MBR Status

--------------------------------------------

465 GB \\.\PhysicalDrive0 Windows XP MBR code detected

SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A

465 GB \\.\PhysicalDrive1 Windows XP MBR code detected

SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A

Done!

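What the MBRCheck lines above ("Windows XP MBR code detected", the SHA1, and the `\\.\C: --> \\.\PhysicalDrive0 at offset 0x7e00` mapping) boil down to, as an added example that is not MBRCheck's code and not from this thread: parse a 512-byte MBR, confirm the 0x55AA boot signature, derive the volume byte offset from the partition table, and hash the boot-code region against a known-good value. The 440-byte boot-code region and the sample sector are assumptions; the page does not say which bytes MBRCheck hashes.

```python
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440      # assumption: bytes 0..439 are boot code, 440..443 the disk signature
PART_TABLE_OFF = 446     # four 16-byte partition entries at 446..509
SIGNATURE = b"\x55\xAA"  # boot signature at bytes 510..511

def build_sample_mbr() -> bytes:
    """Constructed sample MBR, not a sector from the thread: stub boot code,
    one NTFS partition starting at LBA 63, and the 0x55AA boot signature."""
    boot_code = bytes([0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C]) + b"\x90" * (BOOT_CODE_LEN - 7)
    disk_sig, reserved = b"\x12\x34\x56\x78", b"\x00\x00"
    # status, CHS start, type (0x07 = NTFS), CHS end, LBA start, sector count (constructed)
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xFE\xFF\xFF", 63, 976773105)
    table = entry + b"\x00" * (16 * 3)
    return boot_code + disk_sig + reserved + table + SIGNATURE

def has_boot_signature(mbr: bytes) -> bool:
    return len(mbr) == SECTOR and mbr[510:512] == SIGNATURE

def boot_code_sha1(mbr: bytes) -> str:
    """SHA1 over the boot-code region only, so the disk signature and partition
    table (which legitimately differ between machines) do not change the hash."""
    return hashlib.sha1(mbr[:BOOT_CODE_LEN]).hexdigest().upper()

def parse_partitions(mbr: bytes) -> list:
    """Return the non-empty partition entries; byte_offset is where the volume
    starts on the physical drive (LBA 63 * 512 = 0x7E00, as in the MBRCheck log)."""
    parts = []
    for i in range(4):
        raw = mbr[PART_TABLE_OFF + 16 * i: PART_TABLE_OFF + 16 * (i + 1)]
        status, _chs_s, ptype, _chs_e, lba, count = struct.unpack("<B3sB3sII", raw)
        if ptype == 0:
            continue
        parts.append({"bootable": status == 0x80, "type": ptype, "lba_start": lba,
                      "byte_offset": lba * SECTOR, "size_gib": count * SECTOR // 2**30})
    return parts

def check_mbr(mbr: bytes, known_good: dict) -> str:
    """Compare the boot-code hash with a dict of known-good SHA1 -> label."""
    if not has_boot_signature(mbr):
        return "no 0x55AA boot signature"
    digest = boot_code_sha1(mbr)
    if digest in known_good:
        return "known boot code: " + known_good[digest]
    return "unknown boot code (SHA1 %s): compare against a clean MBR" % digest

if __name__ == "__main__":
    sample = build_sample_mbr()
    baseline = {boot_code_sha1(sample): "constructed sample"}
    print(parse_partitions(sample))
    print(check_mbr(sample, baseline))
```

On a real drive the sector would come from reading the first 512 bytes of the physical device, and the known-good table would hold the hash of a clean MBR for that Windows version.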

Now, that's looking better; the MBRs of both drives are clean. :)

How are things running now? Any problems left?

UPDATE JAVA

------------------

Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older Java components and update:

  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "JDK 6 Update 21 (JDK or JRE)".
  • Click the "Download JRE" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.

Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.

  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u21-windows-i586.exe to install the newest version.
  • If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the Java Setup - Welcome window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.

-- Starting with Java 6u10, the uninstaller incorporated in each new release uses Enhanced Auto update to automatically remove the previous version when updating to a later update release. It will not remove older versions, so they will need to be removed manually.

-- Java is updated frequently. If you want to be automatically notified of future updates, just turn on the Java Automatic Update feature and you will not have to remember to update when Java releases a new version.

Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

Now please launch MBAM, update it first and run a full scan. When done, post me the resulting log.


Right, I haven't heard the sound play anymore, so I'm assuming it's gone, as the scans don't reveal anything either.

Updated JAVA and ran another MBAM scan, results are here:

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Databaseversie: 4402

Windows 5.1.2600 Service Pack 3

Internet Explorer 7.0.5730.13

7-8-2010 16:42:11

mbam-log-2010-08-07 (16-42-11).txt

Scantype: Volledige scan (C:\|D:\|)

Objecten gescand: 307916

Verstreken tijd: 1 uur/uren, 1 minuut/minuten, 44 seconde(n)

Geheugenprocessen ge


Hi, let's do one last scan to double-check. :)

ESET ONLINE SCANNER

----------------------------

I'd like us to scan your machine with ESET OnlineScan

  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the esetOnline.png button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

    1. Click on esetSmartInstall.png to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the esetSmartInstallDesktopIcon.png icon on your desktop.

    3. Check esetAcceptTerms.png
    4. Click the esetStart.png button.
    5. Accept any security warnings from your browser.
    6. Check esetScanArchives.png
    7. Push the Start button.
    8. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    9. When the scan completes, push esetListThreats.png
    10. Push esetExport.png, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
      Note - when ESET doesn't find any threats, no report will be created.
    11. Push the esetBack.png button.
    12. Push esetFinish.png


Sorry, yes, you could have scanned with your installed ESET as well. I forgot to check which AV you had installed.

And yes, this means the green light! :)

ALL CLEAN

--------------

Your machine appears to be clean, please take the time to read below on how to secure the machine and take the necessary steps to keep it clean :)

Please do the following to remove the remaining programs from your PC:

  • Delete the tools used during the disinfection:
    • Click start > run and type combofix /uninstall, press enter. This will remove Combofix from your computer.
    • Delete DDS and GMER (this is a random named file).

Please read this advice, in order to prevent reinfecting your PC:

  1. Install and update the following programs regularly:
    • an outbound firewall
      A comprehensive tutorial and a list of possible firewalls can be found here.
    • an AntiVirus Software
      It is imperative that you update your AntiVirus Software on a regular basis. If you do not update your AntiVirus Software then it will not be able to catch the latest threats.
    • an Anti-Spyware program
      Malwarebytes' Anti-Malware is an excellent Anti-Spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.
      SUPERAntiSpyware is another good scanner with high detection and removal rates.
      Both programs are free for non-commercial home use but provide a resident and do not nag if you purchase the paid versions.
    • Spyware Blaster
      A tutorial for Spywareblaster can be found here. If you wish, the commercial version provides automatic updating.
    • MVPs hosts file
      A tutorial for MVPs hosts file can be found here. If you would like automatic updates you might want to take a look at HostMan host file manager. For more information on the hosts file, and what it can do for you, please consult the Tutorial on the Hosts file.

  2. Keep Windows (and your other Microsoft software) up to date!

I cannot stress enough how important this is. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.

Therefore, please, visit the Microsoft Update Website and follow the on-screen instructions to set up Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!

  3. Keep your other software up to date as well

Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on your machine.

  4. Stay up to date!

The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing.

Some more links you might find of interest:

Please reply to this topic if you have read the above information. If your computer is working fine, this topic will be closed afterwards.


Read the above and deleted the programs. How about that other program that was required to undo the virtual CD/DVD drives or something? Something I had to install to be able to scan properly... can't find the name right now but according to the topic that redirected me here I had to do it and so I have, waiting for further instructions to re-enable it again, that's safe too I'm guessing?

If so, could you please relink that program one last time? :)

Other than that, again, thanks a huge lot for your assistance, no more farm animals driving me nuts through my speakers :)


This topic is now closed to further replies.