Aug 3 2008, 01:58 PM | Post #1
Member | Group: Members | Posts: 15 | Joined: 30-July 08 | Member No.: 226,236
I've been trying to remove this for days, using a script found here. I've used Smitfraude, but was/am unable to download any of the other software. I've made some efforts though, because the PC is now relatively clean and stable, but the browser is still hijacked. I desperately need some help, because this is becoming a very frustrating problem to me. I hope anyone can point me in the right direction. I have attached the latest HijackThis log. Thank you.

Gerard

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:41:05, on 3-8-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Common Files\Ahead\lib\NMIndexStoreSvr.exe
C:\Downloads\Nieuwe map\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: qndsfmao - {3FCAEB7D-F8AE-4A67-AE6C-57EE1416BB6D} - C:\WINDOWS\qndsfmao.dll (file missing)
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [dcd3d400] rundll32.exe "C:\WINDOWS\system32\tfipdedg.dll",b
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Lokale service')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-ww\msntabres.dll.mui/229?e48fbc20528d4c6da73724aa6e4cce3d
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-ww\msntabres.dll.mui/230?e48fbc20528d4c6da73724aa6e4cce3d
O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://cache.hyves-static.net/statics/Auri...geUploader4.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://cache.hyves.nl/statics/Aurigma/ImageUploader.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {D83C1BD1-DCBB-11D4-9425-0050BF33FA6E} (CycloScopeLite Control) - http://www.cyclomedia.nl/download/componen...loScopeLite.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
O21 - SSODL: kvxqmtre - {DB0B77B2-58AF-4FA2-9F4D-884A6C63CBB7} - C:\WINDOWS\kvxqmtre.dll (file missing)
O21 - SSODL: evgratsm - {6C00F0E9-36C9-4B6C-9461-6A9A5AE23C50} - C:\WINDOWS\evgratsm.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod-service (iPod Service) - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 6034 bytes
Aug 3 2008, 02:23 PM | Post #2
Forum Addict | Group: Moderator | Posts: 10,585 | Joined: 28-October 05 | From: London | Member No.: 38,920
Hi there and welcome to BC!

Please download Combofix to your desktop. Double-click combofix.exe to launch the application. Follow the prompts that will be displayed on the screen. Don't click on the window while the fix is running, because that will cause your system to hang. When finished, it should produce a log, combofix.txt. Post this log in your next reply together with a new HijackThis log.
Aug 3 2008, 04:18 PM | Post #3
Member | Group: Members | Posts: 15 | Joined: 30-July 08 | Member No.: 226,236
Hi there,

Sorry, ComboFix won't run. I've just been trying for the last hour downloading, setting up the XP recovery console and getting Combofix to install it, but nothing happens. It pops up on the Task Manager for a brief second, but that's it.... Running Combofix on its own, in normal mode and in safe mode, doesn't do much either. There is no way I can download anything on that PC. I need to download everything through another PC and put it on a stick to get it onto the infected PC. Btw, I couldn't access ComboFix on Bleepingcomputer (Forbidden was the message), so I got it somewhere else (kingpin2). So what should be my next step?

Gerard
Aug 4 2008, 04:16 AM | Post #4
Forum Addict | Group: Moderator | Posts: 10,585 | Joined: 28-October 05 | From: London | Member No.: 38,920
Can you retry the link above for Combofix? It should work now.

Use that version and let me know whether it runs or not.
Aug 4 2008, 09:44 AM | Post #5
Member | Group: Members | Posts: 15 | Joined: 30-July 08 | Member No.: 226,236
I was able to download from the link. Still couldn't get it to run...

Gerard
Aug 4 2008, 10:45 AM | Post #6
Forum Addict | Group: Moderator | Posts: 10,585 | Joined: 28-October 05 | From: London | Member No.: 38,920
It could be that the processes you have running are stopping Combofix from working.

We can try something else. First ensure that combofix is saved to your desktop!

Run ComboFix using these instructions: click the Windows 'Start' button > select 'Run', then copy/paste the following bolded text into the run box & click OK.

"%userprofile%\desktop\combofix.exe" /killall

When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not mouse-click combofix's window whilst it's running. That may cause it to stall.
Aug 4 2008, 11:24 AM | Post #7
Member | Group: Members | Posts: 15 | Joined: 30-July 08 | Member No.: 226,236
Done it, but it will still not run. Again, it pops up in the Task Manager for a second and is gone again. Suggestions?

Gerard
Aug 4 2008, 11:27 AM | Post #8
Forum Addict | Group: Moderator | Posts: 10,585 | Joined: 28-October 05 | From: London | Member No.: 38,920
It could be that the processes you have running are stopping Combofix from working.

We can try something else. First ensure that combofix is saved to your desktop!

Run ComboFix using these instructions: click the Windows 'Start' button > select 'Run', then copy/paste the following bolded text into the run box & click OK.

"%userprofile%\desktop\combofix.exe" /killall

When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not mouse-click combofix's window whilst it's running. That may cause it to stall.
Aug 4 2008, 11:50 AM | Post #9
Member | Group: Members | Posts: 15 | Joined: 30-July 08 | Member No.: 226,236
This is what I did and you suggested earlier... Like I wrote, nothing happens.

I've done everything you wrote, a couple of times. Combofix is on the desktop and gets fired off (in the Task Manager), but then nothing.
Aug 4 2008, 04:46 PM | Post #10
Forum Addict | Group: Moderator | Posts: 10,585 | Joined: 28-October 05 | From: London | Member No.: 38,920
Sorry about the double post. I have another user with exactly the same problem, and I thought I'd answered on different threads! It sounds like something might be trying to close Combofix as it tries to run, so let's try and clear some malware up first and try Combofix again afterwards. It looks like we might have something nasty on our hands here, but stick with me, and if you've got any questions about the process, don't hesitate to stop and ask me!

It is a good idea to print off these instructions. There is a possibility some of the instructions will need to be carried out where internet access is not available. It is important that you complete the instructions in the right order, and that you don't miss out any steps.

Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present:

O3 - Toolbar: qndsfmao - {3FCAEB7D-F8AE-4A67-AE6C-57EE1416BB6D} - C:\WINDOWS\qndsfmao.dll (file missing)
O4 - HKLM\..\Run: [dcd3d400] rundll32.exe "C:\WINDOWS\system32\tfipdedg.dll",b
O21 - SSODL: kvxqmtre - {DB0B77B2-58AF-4FA2-9F4D-884A6C63CBB7} - C:\WINDOWS\kvxqmtre.dll (file missing)
O21 - SSODL: evgratsm - {6C00F0E9-36C9-4B6C-9461-6A9A5AE23C50} - C:\WINDOWS\evgratsm.dll (file missing)

Click on Fix Checked when finished and exit HijackThis. Make sure your Internet Explorer is closed when you click Fix Checked!

Open HijackThis, click 'Config' (bottom right). Choose the tab 'Misc Tools' on top. Choose 'Delete a file on reboot'. In the field, copy and paste the filepath a few lines below. Click Open. HijackThis will tell you that this file will be deleted on next reboot and ask if you want to reboot now. When asked if you want to reboot now, say Yes:

C:\WINDOWS\system32\tfipdedg.dll

Allow the PC to reboot; if it doesn't do it automatically, please reboot manually.

Please download Malwarebytes Anti-Malware and save it to your desktop. Double-click on mbam-setup.exe to install the application. When the installation begins, follow the prompts and do not make any changes to default settings. When installation finishes, leave both 'Update' and 'Launch' checked. Click Finish. MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here.

On the Scanner tab, ensure the "Perform Quick Scan" option is selected, then click on the Scan button. If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button. When the scan finishes, a box will say "The scan completed successfully. Click 'Show Results' to display all objects found". Click OK to close the message box and continue with the removal process. Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found. Make sure that everything is checked, and click Remove Selected. When removal is completed, a log report will open in Notepad. The log is automatically saved and can be viewed by clicking the Logs tab in MBAM. Copy and paste the contents of that report in your next reply and exit MBAM.
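The entries the moderator picks out above share a few tells that can be checked mechanically: a registered file that is already gone ("(file missing)"), a DLL sitting directly in C:\WINDOWS rather than a vendor folder, a Run value named like a hex string that launches rundll32 against a DLL, and display or file names that look machine-generated. The following triage helper is an added example, not code from this thread or from the HijackThis project: it parses HijackThis v2 lines in the format shown in the logs above (O2 BHOs, O3 toolbars, O4 Run keys, O20 Winlogon Notify and O21 SSODL entries) and reports which ones trip those rules, so the same reasoning can be applied to the longer DSS log later in the thread. The sample log is constructed from lines quoted in this thread plus a few clean vendor entries; the random-name heuristic (consonant runs and odd case changes) is my own assumption and not a HijackThis feature.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the HijackThis v2 line format seen in this thread. The suspicious
# lines are copied from the logs posted above; the others are typical vendor entries.
SAMPLE_LOG = r"""
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {1F5DC0AF-81EF-4AD2-B76B-39853B371130} - C:\WINDOWS\system32\iiffEvUl.dll
O3 - Toolbar: qndsfmao - {3FCAEB7D-F8AE-4A67-AE6C-57EE1416BB6D} - C:\WINDOWS\qndsfmao.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dcd3d400] rundll32.exe "C:\WINDOWS\system32\tfipdedg.dll",b
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: ddcCUmMD - C:\WINDOWS\SYSTEM32\ddcCUmMD.dll
O21 - SSODL: kvxqmtre - {DB0B77B2-58AF-4FA2-9F4D-884A6C63CBB7} - C:\WINDOWS\kvxqmtre.dll (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
"""

# Entry types that load code into the browser, the shell or winlogon. "name" is what
# HijackThis prints as the display or value name, "target" the file or command.
CLSID = r"\{[0-9A-Fa-f-]+\}"
PATTERNS = {
    "O2": re.compile(rf"^O2 - BHO: (?P<name>.+?) - {CLSID} - (?P<target>.+)$"),
    "O3": re.compile(rf"^O3 - Toolbar: (?P<name>.+?) - {CLSID} - (?P<target>.+)$"),
    "O4": re.compile(r"^O4 - HK.+?\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<target>.+)$"),
    "O20": re.compile(r"^O20 - Winlogon Notify: (?P<name>.+?) - (?P<target>.+)$"),
    "O21": re.compile(rf"^O21 - SSODL: (?P<name>.+?) - {CLSID} - (?P<target>.+)$"),
}

RUNDLL = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)', re.I)
WINROOT = re.compile(r"^[a-z]:\\windows\\[^\\]+$", re.I)   # file directly under C:\WINDOWS
HEXNAME = re.compile(r"^[0-9a-f]{6,}$", re.I)               # Run value named like "dcd3d400"
CONSONANT_RUN = re.compile(r"[b-df-hj-np-tv-xz]{4}", re.I)  # "qndsfmao", "kvxqmtre"
CASE_FLIP = re.compile(r"[a-z][A-Z]{2}")                    # "ddcCUmMD"


def looks_generated(word: str) -> bool:
    """Heuristic (my assumption, not a HijackThis rule): names from a random-string
    generator tend to have long consonant runs or case changes no vendor would write."""
    letters = re.sub(r"[^A-Za-z]", "", word)
    return len(letters) >= 6 and bool(CONSONANT_RUN.search(letters) or CASE_FLIP.search(letters))


def executable_of(command: str) -> str:
    """Return the program path from a Run-key command, dropping quotes and arguments."""
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(" ", 1)[0]


@dataclass
class Finding:
    entry: str                 # O2, O3, O4, O20 or O21
    name: str                  # display or value name as HijackThis prints it
    path: str                  # file the entry loads, quotes and flags removed
    reasons: list = field(default_factory=list)


def assess(entry: str, name: str, target: str) -> Finding:
    reasons = []
    missing = "(file missing)" in target
    target = target.replace("(file missing)", "").strip()
    loads_dll = entry != "O4"          # O2/O3/O20/O21 always name a DLL
    path = target
    if entry == "O4":
        m = RUNDLL.search(target)
        if m:
            path, loads_dll = m.group("dll"), True
            reasons.append("Run value launches rundll32 against a DLL")
        else:
            path = executable_of(target)
        if HEXNAME.match(name):
            reasons.append("Run value name is a hex-like string")
    if missing:
        reasons.append("registered file no longer exists (orphaned entry)")
    if name == "(no name)":
        reasons.append("component registered without a name")
    if WINROOT.match(path):
        reasons.append("loads from the Windows root directory rather than a vendor folder")
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if loads_dll and (looks_generated(name) or looks_generated(stem)):
        reasons.append("generated-looking name")
    return Finding(entry, name, path, reasons)


def analyze(log_text: str) -> list:
    """Parse HijackThis lines and return the entries that tripped at least one rule."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        for entry, pattern in PATTERNS.items():
            m = pattern.match(line)
            if m:
                finding = assess(entry, m.group("name"), m.group("target"))
                if finding.reasons:
                    findings.append(finding)
                break
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.entry:<4} {f.name:<16} {f.path}")
        for r in f.reasons:
            print("       -", r)
```

On the sample it reports exactly the five entries a helper would ask about (the unnamed BHO, the qndsfmao toolbar, the dcd3d400 Run value, the ddcCUmMD Winlogon Notify hook and the kvxqmtre SSODL entry) and stays quiet on Google, QuickTime and SUPERAntiSpyware. The name heuristic is only a triage aid: abbreviated vendor names such as AVG's avgcc.exe also contain four consonants in a row, which is why the code only applies it to entries that load a DLL and never to ordinary Run-key executables.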
Aug 5 2008, 11:06 AM | Post #11
Member | Group: Members | Posts: 15 | Joined: 30-July 08 | Member No.: 226,236
Hi D-Trojanator,

Let me start by saying thanks for all the effort you are putting into this. I really appreciate it! I am running a little out of time here. I'll be leaving the country tomorrow for at least weeks, so if we haven't resolved the problem we will have to put it on hold for a while.

I managed to remove the line items you indicated with HiJackThis. However, when clicking on 'delete a file on reboot' there was no field to paste the filepath lines in. Instead HiJackThis simply went away. After rebooting I reran HiJackThis to verify if the line items were gone and they were. I clicked on 'delete a file on reboot' and nothing happened, no matter how often I clicked. I proceeded to run mbam-setup.exe, but just like Combofix earlier, it didn't do anything. So that's as far as I got...

Gerard
Aug 5 2008, 01:59 PM | Post #12
Forum Addict | Group: Moderator | Posts: 10,585 | Joined: 28-October 05 | From: London | Member No.: 38,920
Hi Gerard,

If the 'delete on reboot' thing didn't work for that file, it means it's already been deleted, so that's a good sign! I want to try one more tool before we look into why they aren't actually running.

Please download Deckard's System Scanner (DSS) and save it to your Desktop. Close all other windows before proceeding. Double-click on dss.exe and follow the prompts. When it has finished, dss will open two Notepads, main.txt and extra.txt. Please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.
Aug 5 2008, 04:28 PM | Post #13
Member | Group: Members | Posts: 15 | Joined: 30-July 08 | Member No.: 226,236
Hi D-Trojanator,

I ran DSS, but curiously enough it only produced the main.txt. There was NO 'extra.txt'. I ran DSS twice. I ran DSS yesterday and at that time it did produce an 'extra.txt'. Below I will insert the main.txt (first run) and the main.txt (second run). For some reason they are different in size, so maybe you would like to check that out. I will also attach yesterday's 'extra.txt'. I'm not sure if that is of any help, but waste not want not...

regards,
Gerard

Main.txt first run 080508

Deckard's System Scanner v20071014.68
Run by Gerard2 on 2008-08-05 22:53:41
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 320 MiB (512 MiB recommended).
System Drive C: has 2.22 GiB (less than 15%) free.

-- HijackThis (run as Gerard2.exe) ---------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:53:48, on 5-8-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Documents and Settings\Gerard2\Bureaublad\dss.exe
C:\DOWNLO~1\NIEUWE~1\Gerard2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: (no name) - {1F5DC0AF-81EF-4AD2-B76B-39853B371130} - C:\WINDOWS\system32\iiffEvUl.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: (no name) - {769D8280-A207-4EEA-9963-F8B156C32855} - C:\WINDOWS\system32\ddcCUmMD.dll
O2 - BHO: QXK Olive - {812AE34E-162C-4C94-BAA1-A2C0431AEC84} - C:\WINDOWS\kgxmotapktx.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: {03a3e7b6-d8b4-583b-5504-d92472f47b1d} - {d1b74f27-429d-4055-b385-4b8d6b7e3a30} - C:\WINDOWS\system32\atzbjr.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Lokale service')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-ww\msntabres.dll.mui/229?e48fbc20528d4c6da73724aa6e4cce3d
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-ww\msntabres.dll.mui/230?e48fbc20528d4c6da73724aa6e4cce3d
O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://cache.hyves-static.net/statics/Auri...geUploader4.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://cache.hyves.nl/statics/Aurigma/ImageUploader.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {D83C1BD1-DCBB-11D4-9425-0050BF33FA6E} (CycloScopeLite Control) - http://www.cyclomedia.nl/download/componen...loScopeLite.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: ddcCUmMD - C:\WINDOWS\SYSTEM32\ddcCUmMD.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod-service (iPod Service) - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 6788 bytes

-- Files created between 2008-07-05 and 2008-08-05 -----------------------------

2008-08-04 16:32:35 99200 --a------ C:\WINDOWS\system32\pkdxegyh.dll
2008-08-03 18:28:34 0 d-------- C:\Documents and Settings\Gerard2\Application Data\AVG7
2008-08-03 18:27:35 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-07-28 18:30:00 0 d-------- C:\Program Files\RogueRemover FREE
2008-07-28 09:13:42 0 d-------- C:\Documents and Settings\Gerard2\Application Data\Macromedia
2008-07-27 22:46:28 2002 --a------ C:\WINDOWS\system32\tmp.reg
2008-07-27 21:18:21 116352 --a------ C:\WINDOWS\system32\atzbjr.dll
2008-07-27 21:18:20 116352 --a------ C:\WINDOWS\system32\lcygugww.dll
2008-07-27 20:57:53 0 d---s---- C:\Documents and Settings\Gerard2\UserData
2008-07-27 20:14:17 0 d-------- C:\Documents and Settings\Gerard2\Application Data\SUPERAntiSpyware.com
2008-07-27 17:58:43 0 d-------- C:\Documents and Settings\Gerard2\Application Data\Google
2008-07-27 17:40:29 0 d-------- C:\Documents and Settings\Gerard2\Application Data\Teleca
2008-07-27 17:38:58 0 d-------- C:\Documents and Settings\Gerard2\Application Data\Adobe
2008-07-27 17:38:44 0 d-------- C:\Documents and Settings\Gerard2\Application Data\Sony Ericsson
2008-07-27 17:38:38 0 d-------- C:\Documents and Settings\Gerard2\Application Data\TmpRecentIcons
2008-07-27 17:38:04 0 d-------- C:\Documents and Settings\Gerard2\Application Data\Identities
2008-07-27 17:37:07 0 d--h----- C:\Documents and Settings\Gerard2\Sjablonen
2008-07-27 17:37:07 0 dr-h----- C:\Documents and Settings\Gerard2\SendTo
2008-07-27 17:37:07 0 dr-h----- C:\Documents and Settings\Gerard2\Onlangs geopend
2008-07-27 17:37:07 1310720 --ah----- C:\Documents and Settings\Gerard2\NTUSER.DAT
2008-07-27 17:37:07 0 d--h----- C:\Documents and Settings\Gerard2\Netwerkprinteromgeving
2008-07-27 17:37:07 0 d--h----- C:\Documents and Settings\Gerard2\NetHood
2008-07-27 17:37:07 0 dr------- C:\Documents and Settings\Gerard2\Mijn documenten
2008-07-27 17:37:07 0 dr------- C:\Documents and Settings\Gerard2\Menu Start
2008-07-27 17:37:07 0 d--h----- C:\Documents and Settings\Gerard2\Local Settings
2008-07-27 17:37:07 0 dr------- C:\Documents and Settings\Gerard2\Favorieten
2008-07-27 17:37:07 0 d---s---- C:\Documents and Settings\Gerard2\Cookies
2008-07-27 17:37:07 0 d-------- C:\Documents and Settings\Gerard2\Bureaublad
2008-07-27 17:37:07 0 dr-h----- C:\Documents and Settings\Gerard2\Application Data
2008-07-27 16:31:44 0 d-------- C:\Program Files\FreeFixer
2008-07-27 16:27:46 0 d-------- C:\Documents and Settings\Administrator\Application Data\Macromedia
2008-07-27 16:27:46 0 d-------- C:\Documents and Settings\Administrator\Application Data\Adobe
2008-07-27 15:56:20 0 d-------- C:\Program Files\RegCleaner
2008-07-27 15:32:27 0 dr-h----- C:\Documents and Settings\Administrator\Onlangs geopend
2008-07-27 15:19:56 0 d---s---- C:\Documents and Settings\Administrator\UserData
2008-07-27 15:15:59 116352 --a------ C:\WINDOWS\system32\lglhpa.dll
2008-07-27 15:15:58 116352 --a------ C:\WINDOWS\system32\phxbbgrf.dll
2008-07-27 15:13:45 95360 --a------ C:\WINDOWS\system32\vylxcqmg.dll
2008-07-27 15:12:58 386964 --ahs---- C:\WINDOWS\system32\lUvEffii.ini2
2008-07-27 15:12:53 323584 --a------ C:\WINDOWS\system32\iiffEvUl.dll
2008-07-27 15:02:28 0 d--hs---- C:\WINDOWS\CSC
2008-07-27 14:56:07 0 d-------- C:\Program Files\Bazooka Scanner
2008-07-27 13:23:19 0 d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-07-27 12:56:57 0 d-------- C:\Documents and Settings\Administrator\Application Data\Sony Ericsson
2008-07-27 12:53:18 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-07-27 12:53:18 0 d-------- C:\Documents and Settings\Administrator\Favorieten
2008-07-27 12:53:18 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2008-07-27 12:53:18 0 d-------- C:\Documents and Settings\Administrator\Bureaublad
2008-07-27 12:53:18 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-07-27 12:53:18 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-07-27 12:53:17 0 d--h----- C:\Documents and Settings\Administrator\Sjablonen
2008-07-27 12:53:17 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-07-27 12:53:17 786432 --a------ C:\Documents and Settings\Administrator\NTUSER.DAT
2008-07-27 12:53:17 0 d--h----- C:\Documents and Settings\Administrator\Netwerkprinteromgeving
2008-07-27 12:53:17 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-07-27 12:53:17 0 d-------- C:\Documents and Settings\Administrator\Mijn documenten
2008-07-27 12:53:17 0 dr------- C:\Documents and Settings\Administrator\Menu Start
2008-07-23 01:03:42 33152 --a------ C:\WINDOWS\system32\wvUKEVmK.dll
2008-07-23 01:03:40 33152 --a------ C:\WINDOWS\system32\ddcCUmMD.dll
2008-07-23 01:03:31 0 d-------- C:\Documents and Settings\Joris\Application Data\TmpRecentIcons
2008-07-23 01:03:08 163840 --a------ C:\WINDOWS\erms.exe
2008-07-23 01:03:07 155648 --a------ C:\WINDOWS\agpqlrfm.exe
2008-07-18 12:16:32 0 d--h----- C:\Documents and Settings\TEMP.PENTIUM3\Sjablonen
2008-07-18 12:16:32 0 dr-h----- C:\Documents and Settings\TEMP.PENTIUM3\SendTo
2008-07-18 12:16:32 0 d--h----- C:\Documents and Settings\TEMP.PENTIUM3\Onlangs geopend
2008-07-18 12:16:32 229376 --a------ C:\Documents and Settings\TEMP.PENTIUM3\NTUSER.DAT
2008-07-18 12:16:32 0 d--h----- C:\Documents and Settings\TEMP.PENTIUM3\Netwerkprinteromgeving
2008-07-18 12:16:32 0 d--h----- C:\Documents and Settings\TEMP.PENTIUM3\NetHood
2008-07-18 12:16:32 0 d-------- C:\Documents and Settings\TEMP.PENTIUM3\Mijn documenten
2008-07-18 12:16:32 0 dr------- C:\Documents and Settings\TEMP.PENTIUM3\Menu Start
2008-07-18 12:16:32 0 d--h----- C:\Documents and Settings\TEMP.PENTIUM3\Local Settings
2008-07-18 12:16:32 0 d-------- C:\Documents and Settings\TEMP.PENTIUM3\Favorieten
2008-07-18 12:16:32 0 d---s---- C:\Documents and Settings\TEMP.PENTIUM3\Cookies
2008-07-18 12:16:32 0 d-------- C:\Documents and Settings\TEMP.PENTIUM3\Bureaublad
2008-07-18 12:16:32 0 dr-h----- C:\Documents and Settings\TEMP.PENTIUM3\Application Data
2008-07-18 12:16:32 0 d---s---- C:\Documents and Settings\TEMP.PENTIUM3\Application Data\Microsoft
2008-07-17 19:21:45 0 dr-h----- C:\Documents and Settings\Joris\Onlangs geopend

-- Find3M Report ---------------------------------------------------------------

2008-07-28 13:06:47 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-05-18 19:43:21 1528 --a------ C:\WINDOWS\system32\d3d9caps.dat

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1F5DC0AF-81EF-4AD2-B76B-39853B371130}]
27-07-2008 15:12 323584 --a------ C:\WINDOWS\system32\iiffEvUl.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{769D8280-A207-4EEA-9963-F8B156C32855}]
23-07-2008 01:03 33152 --a------ C:\WINDOWS\system32\ddcCUmMD.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{812AE34E-162C-4C94-BAA1-A2C0431AEC84}]
C:\WINDOWS\kgxmotapktx.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d1b74f27-429d-4055-b385-4b8d6b7e3a30}]
27-07-2008 21:18 116352 --a------ C:\WINDOWS\system32\atzbjr.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [09-07-2001 10:50]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [06-06-2005 23:46]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [27-04-2007 09:41]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [24-11-2006 02:06]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [03-08-2008 18:27]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [04-08-2004 01:03]

C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe [23-10-2006 2:48:20]
Adobe Reader Synchronizer.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [23-10-2006 1:01:50]
hp psc 1000 series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [9-4-2003 18:21:38]
hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [9-4-2003 18:11:12]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [13-03-2006 14:11 233472]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [20-12-2006 13:55 77824]
"{769D8280-A207-4EEA-9963-F8B156C32855}"= C:\WINDOWS\system32\ddcCUmMD.dll [23-07-2008 01:03 33152]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 19-04-2007 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcCUmMD]
ddcCUmMD.dll 23-07-2008 01:03 33152 C:\WINDOWS\system32\ddcCUmMD.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\iiffEvUl

-- End of Deckard's System Scanner: finished at 2008-08-05 22:57:28 ------------

Main.txt 080508 Second Run

Deckard's System Scanner v20071014.68
Run by Gerard2 on 2008-08-05 23:05:02
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 320 MiB (512 MiB recommended).
System Drive C: has 2.22 GiB (less than 15%) free.

-- HijackThis (run as Gerard2.exe) ---------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:05:08, on 5-8-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\Common Files\Ahead\lib\NMIndexStoreSvr.exe
C:\Documents and Settings\Gerard2\Bureaublad\dss.exe
C:\DOWNLO~1\NIEUWE~1\Gerard2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: (no name) - {1F5DC0AF-81EF-4AD2-B76B-39853B371130} - C:\WINDOWS\system32\iiffEvUl.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter -
{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing) O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll O2 - BHO: (no name) - {769D8280-A207-4EEA-9963-F8B156C32855} - C:\WINDOWS\system32\ddcCUmMD.dll O2 - BHO: QXK Olive - {812AE34E-162C-4C94-BAA1-A2C0431AEC84} - C:\WINDOWS\kgxmotapktx.dll (file missing) O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll O2 - BHO: {03a3e7b6-d8b4-583b-5504-d92472f47b1d} - {d1b74f27-429d-4055-b385-4b8d6b7e3a30} - C:\WINDOWS\system32\atzbjr.dll O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\goog |