Btcar


This topic is locked
9 replies to this topic

#1 pieterman

Posted 01 November 2007 - 04:50 PM

Dear team,
I followed all suggestions in the Preparation Guide, which seems a pretty thorough remedy already. But still, I feel unsure that the problem will not resurface today or tomorrow.
For certainty, I post the Log here -- could you please check this for me?
Many thanks,
Pieterman

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:40:58, on 1.11.2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ZONELABS\vsmon.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\atiptaxx.exe
C:\WINNT\system32\pctspk.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.be/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.be/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.resonant.be/
R3 - URLSearchHook: DigiLetteren Toolbar - {8042d186-724d-4937-9be4-41b362b1f46e} - C:\Program Files\DigiLetteren\tbDig1.dll
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: DigiLetteren Toolbar - {8042d186-724d-4937-9be4-41b362b1f46e} - C:\Program Files\DigiLetteren\tbDig1.dll
O2 - BHO: (no name) - {9AE3D80D-141F-85CE-7420-8929DD7CF1BB} - C:\DOCUME~1\u0035535\APPLIC~1\JOYDAT~1\two media.exe (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll (file missing)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: posHelp Class - {CDEEC43D-3572-4E95-A2A5-F519D29F00C0} - C:\PROGRA~1\ADVANC~1\Toolbar.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll (file missing)
O3 - Toolbar: DigiLetteren Toolbar - {8042d186-724d-4937-9be4-41b362b1f46e} - C:\Program Files\DigiLetteren\tbDig1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BiasAtom] C:\DOCUME~1\u0035535\APPLIC~1\LOGOOK~1\settingstypestart.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINNT\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINNT\bdoscandel.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/download/files/w...ntrol_en_US.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://194.117.7.102/activex/AxisCamControl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {C1BAC744-8F0B-11D0-89E7-00C0A8295197} (Cameractl Class) - http://www.crtvg.es/camweb/camera.cab
O16 - DPF: {F4653484-F38C-455F-BB15-1175E527754E} (VideoProducer Class) - http://www.jointheorgy.com/static/class/we...ie6/webcam2.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{DC97B53C-D09E-4ADB-A724-FEC1E821FF7A}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\WINNT\system32\wmfhotfix.dll
O21 - SSODL: coursings - {f8d02387-789a-4c0f-a1d8-8a93f33ee4df} - C:\WINNT\system32\yephk.dll (file missing)
O22 - SharedTaskScheduler: {f8d02387-789a-4c0f-a1d8-8a93f33ee4df} - coursings - (no file)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: Banyan VINES Workstation (VinesWorkstation) - Unknown owner - C:\vines\vnsws\vnsws.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZONELABS\vsmon.exe

--
End of file - 9041 bytes
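As an added example for this page (not code from the thread or from HijackThis), here is a small triage script that runs the checks a reviewer does by eye on the log above: entries whose target file is gone, autostarts and BHOs loading out of a user's Application Data folder (the O2 "two media.exe" and O4 "BiasAtom" lines), an ActiveX control fetched from a bare IP address, the O17 NameServer values checked against a trusted list, any AppInit_DLLs value at all, and SSODL names not seen on a clean build. The trusted-DNS set and the clean-build SSODL set are assumptions to adjust for your environment; the two addresses in the list are OpenDNS, which is what the log shows. The sample input is a constructed excerpt of the log.

```python
"""Triage heuristics for a HijackThis v2 log.

Added example for this page: not part of the thread above and not part of
HijackThis. Every rule is this editor's assumption about what deserves a
second look; the output is a list of leads for a human reviewer.
"""
import re

# Constructed sample: entries copied from the first log in the thread plus a
# few benign ones, so that the script runs offline.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {9AE3D80D-141F-85CE-7420-8929DD7CF1BB} - C:\DOCUME~1\u0035535\APPLIC~1\JOYDAT~1\two media.exe (file missing)
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [BiasAtom] C:\DOCUME~1\u0035535\APPLIC~1\LOGOOK~1\settingstypestart.exe
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://194.117.7.102/activex/AxisCamControl.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O20 - AppInit_DLLs: C:\WINNT\system32\wmfhotfix.dll
O21 - SSODL: coursings - {f8d02387-789a-4c0f-a1d8-8a93f33ee4df} - C:\WINNT\system32\yephk.dll (file missing)
O22 - SharedTaskScheduler: {f8d02387-789a-4c0f-a1d8-8a93f33ee4df} - coursings - (no file)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZONELABS\vsmon.exe
"""

ENTRY = re.compile(r"^(R\d|F\d|O\d+) - (.*)$")            # 'O4 - rest'
ORPHAN = re.compile(r"\((?:file missing|no file)\)\s*$")  # HJT's own markers
PROFILE_APPDATA = re.compile(
    r"(?:DOCUME~1|Documents and Settings)\\[^\\]+\\(?:APPLIC~1|Application Data)\\", re.I)
BARE_IP_URL = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}[/:]", re.I)

# Assumption: resolvers this reviewer trusts. These two are OpenDNS, which
# is what the log shows; replace with your own list.
TRUSTED_DNS = {"208.67.222.222", "208.67.220.220"}
# Assumption: ShellServiceObjectDelayLoad names recorded from a clean
# reference machine of the same Windows build.
KNOWN_SSODL = {"webcheck", "systray", "postbootreminder", "cdburn"}


def triage(log_text):
    """Return a list of (severity, section, reason, line) leads."""
    leads = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if not m:
            continue  # header, 'Running processes', blank lines
        section, rest = m.group(1), m.group(2)
        if ORPHAN.search(rest):
            leads.append(("low", section,
                          "registry still references a file that is gone; remove the entry", line))
        if section in {"O2", "O3", "O4", "O21", "O22"} and PROFILE_APPDATA.search(rest):
            leads.append(("high", section,
                          "autostart/BHO loads from a user-profile Application Data folder", line))
        if section == "O16" and BARE_IP_URL.search(rest):
            leads.append(("medium", section,
                          "ActiveX control was downloaded from a bare IP address", line))
        if section == "O17":
            servers = [s.strip() for s in rest.split("=", 1)[1].split(",")]
            unknown = [s for s in servers if s not in TRUSTED_DNS]
            if unknown:
                leads.append(("high", section,
                              f"NameServer not on the trusted list: {unknown}", line))
        if section == "O20" and rest.startswith("AppInit_DLLs:") and rest.split(":", 1)[1].strip():
            leads.append(("high", section,
                          "AppInit_DLLs set: the DLL is loaded into every process that loads user32.dll", line))
        if section == "O21":
            name = rest.split(" - ", 1)[0].replace("SSODL:", "", 1).strip().lower()
            if name not in KNOWN_SSODL:
                leads.append(("medium", section,
                              f"ShellServiceObjectDelayLoad name {name!r} not seen on a clean build", line))
    return leads


def summary(leads):
    """Count leads per severity."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for severity, *_ in leads:
        counts[severity] += 1
    return counts


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for severity, section, reason, line in found:
        print(f"[{severity:6}] {section:4} {reason}\n         {line}")
    print(summary(found))
```

Every hit is a lead, not a verdict: AppInit_DLLs is used by legitimate software as well, so the point of flagging it is to go and check the DLL's publisher and hash, and an orphaned entry is registry residue to clean up rather than a running threat.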


#2 RichieUK (Malware Response Team)

Posted 01 November 2007 - 06:44 PM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum, pieterman.
My name is Richie and I'll be helping you to fix your problems.

It appears you've no virus protection installed.
Download/install one of the following freeware options from the choice below.
Once installed update its definitions and then run a full system virus scan.

AVG7 Free Edition Antivirus:
http://free.grisoft.com/softw/70free/setup...ree_446a965.exe

Avast! 4 Home Edition:
http://files.avast.com/iavs4pro/setupeng.exe

Avira AntiVir Personal Edition Classic
http://www.free-av.com/


If you have previously downloaded ComboFix, please delete that version now.
Now download Combofix and save to your desktop:
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.
*NOTE*
In case your Antivirus or any other realtime scanner is displaying an alert after you downloaded Combofix or while you use Combofix, please disable your scanner and redownload Combofix again.
Some scanners may see some combofix related components as suspicious and block or delete them while there's nothing wrong with them.


Download Deljob.exe and save it on your desktop.
Double click on Deljob.exe.
A log,(logit.txt) should open afterwards.
This log will be present on your desktop.
Post the contents of the logfile into your next reply, along with a new Hijack This log.

#3 pieterman (Topic Starter)


Posted 01 November 2007 - 08:21 PM

Hi, these are the logs requested:

1 -- COMBOFIX

ComboFix 07-11-01.2 - u0035535 02.11.2007 2:03:39.1 - FAT32x86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.240 [GMT 1:00]
Running from: C:\Documents and Settings\u0035535\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Common Files\companion wizard

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\nm


((((((((((((((((((((((((( Files Created from 2007-10-02 to 2007-11-02 )))))))))))))))))))))))))))))))
.

2007-11-02 02:11 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_230.dat
2007-11-02 02:09 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_28c.dat
2007-11-02 02:02 51,200 --a------ C:\WINNT\NirCmd.exe
2007-11-02 01:13 <DIR> d-------- C:\Program Files\Alwil Software
2007-11-02 01:13 801,144 --a------ C:\WINNT\system32\aswBoot.exe
2007-11-02 01:13 95,608 --a------ C:\WINNT\system32\AvastSS.scr
2007-11-02 01:13 94,416 --a------ C:\WINNT\system32\drivers\aswmon2.sys
2007-11-02 01:13 92,848 --a------ C:\WINNT\system32\drivers\aswmon.sys
2007-11-02 01:13 42,912 --a------ C:\WINNT\system32\drivers\aswTdi.sys
2007-11-02 01:13 26,624 --a------ C:\WINNT\system32\drivers\aavmker4.sys
2007-11-02 01:13 23,152 --a------ C:\WINNT\system32\drivers\aswRdr.sys
2007-11-01 22:40 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-01 22:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2007-11-01 22:01 75,248 --a------ C:\WINNT\zllsputility.exe
2007-11-01 22:01 4,212 ---h----- C:\WINNT\system32\zllictbl.dat
2007-11-01 19:50 <DIR> d-------- C:\WINNT\BDOSCAN8
2007-11-01 18:02 <DIR> d-------- C:\WINNT\system32\ActiveScan
2007-11-01 16:29 102,664 --a------ C:\WINNT\system32\drivers\tmcomm.sys
2007-11-01 16:04 <DIR> d-------- C:\Documents and Settings\u0035535\.housecall6.6
2007-11-01 16:03 <DIR> d-------- C:\WINNT\Sun
2007-11-01 15:29 <DIR> d-------- C:\Program Files\Common Files\Java
2007-10-31 23:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Prevx
2007-10-31 23:42 <DIR> d-------- C:\Program Files\XoftSpySE
2007-10-31 22:33 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-10-31 22:33 <DIR> d-------- C:\Documents and Settings\u0035535\Application Data\SUPERAntiSpyware.com
2007-10-31 22:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-10-31 22:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-31 21:51 <DIR> d-------- C:\Program Files\NoAdware5.0
2007-10-25 10:26 53,248 --a------ C:\WINNT\bdoscandel.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-27 13:17 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-09-27 13:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-09-27 13:12 --------- d-----w C:\Program Files\Lavasoft
2007-09-24 15:47 --------- d-----w C:\Program Files\RadioXpi
2007-09-24 07:34 --------- d-----w C:\Documents and Settings\u0035535\Application Data\Skype
2007-09-24 07:33 --------- d-----w C:\Program Files\Skype
2007-09-24 07:33 --------- d-----w C:\Program Files\Common Files\Skype
2007-09-24 07:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
2007-09-11 17:21 --------- d-----w C:\Program Files\DigiLetteren
2007-09-06 15:14 1,086,952 ----a-w C:\WINNT\system32\zpeng24.dll
2007-09-06 06:54 197,120 ----a-w C:\WINNT\system32\Vacature Interactive.scr
2007-08-19 16:55 93,184 ----a-w C:\WINNT\system32\dllcache\OEIMPORT.DLL
2007-08-19 16:55 91,136 ----a-w C:\WINNT\system32\MSOERT2.DLL
2007-08-19 16:55 91,136 ----a-w C:\WINNT\system32\dllcache\MSOERT2.DLL
2007-08-19 16:55 77,824 ----a-w C:\WINNT\system32\dllcache\WABIMP.DLL
2007-08-19 16:55 75,776 ----a-w C:\WINNT\system32\dllcache\DIRECTDB.DLL
2007-08-19 16:55 596,992 ----a-w C:\WINNT\system32\INETCOMM.DLL
2007-08-19 16:55 596,992 ----a-w C:\WINNT\system32\dllcache\INETCOMM.DLL
2007-08-19 16:55 56,832 ----a-w C:\WINNT\system32\dllcache\MSIMN.EXE
2007-08-19 16:55 55,808 ----a-w C:\WINNT\system32\dllcache\OEMIG50.EXE
2007-08-19 16:55 47,616 ----a-w C:\WINNT\system32\INETRES.DLL
2007-08-19 16:55 47,616 ----a-w C:\WINNT\system32\dllcache\INETRES.DLL
2007-08-19 16:55 465,920 ----a-w C:\WINNT\system32\dllcache\WAB32.DLL
2007-08-19 16:55 42,496 ----a-w C:\WINNT\system32\dllcache\WAB.EXE
2007-08-19 16:55 31,744 ----a-w C:\WINNT\system32\dllcache\OEMIGLIB.DLL
2007-08-19 16:55 30,208 ----a-w C:\WINNT\system32\dllcache\WABFIND.DLL
2007-08-19 16:55 27,648 ----a-w C:\WINNT\system32\dllcache\WABMIG.EXE
2007-08-19 16:55 229,376 ----a-w C:\WINNT\system32\MSOEACCT.DLL
2007-08-19 16:55 229,376 ----a-w C:\WINNT\system32\dllcache\MSOEACCT.DLL
2007-08-19 16:55 2,479,616 ----a-w C:\WINNT\system32\dllcache\MSOERES.DLL
2007-08-19 16:55 1,176,064 ----a-w C:\WINNT\system32\dllcache\MSOE.DLL
2007-08-19 16:52 44,032 ----a-w C:\WINNT\system32\MSIDENT.DLL
2007-08-19 16:52 44,032 ----a-w C:\WINNT\system32\dllcache\MSIDENT.DLL
2007-08-17 12:21 132,096 ----a-w C:\WINNT\system32\dllcache\MSRATING.DLL
2007-08-17 12:20 402,944 ----a-w C:\WINNT\system32\dllcache\SHLWAPI.DLL
2007-08-17 12:20 143,360 ----a-w C:\WINNT\system32\dllcache\CDFVIEW.DLL
2007-08-17 12:20 1,340,416 ----a-w C:\WINNT\system32\dllcache\SHDOCVW.DLL
2007-08-17 12:20 1,018,368 ----a-w C:\WINNT\system32\dllcache\BROWSEUI.DLL
2007-08-17 10:10 575,488 ----a-w C:\WINNT\system32\dllcache\WININET.DLL
2007-08-17 10:10 462,336 ----a-w C:\WINNT\system32\dllcache\URLMON.DLL
2007-08-17 10:10 12,288 ----a-w C:\WINNT\system32\dllcache\JSPROXY.DLL
2007-08-17 10:08 69,632 ----a-w C:\WINNT\system32\dllcache\INSENG.DLL
2007-08-17 10:08 498,176 ----a-w C:\WINNT\system32\dllcache\MSTIME.DLL
2007-08-17 10:08 351,744 ----a-w C:\WINNT\system32\dllcache\DXTMSFT.DLL
2007-08-17 10:08 34,816 ----a-w C:\WINNT\system32\dllcache\PNGFILT.DLL
2007-08-17 10:08 236,032 ----a-w C:\WINNT\system32\dllcache\IEPEERS.DLL
2007-08-17 10:07 2,705,408 ----a-w C:\WINNT\system32\dllcache\MSHTML.DLL
2007-08-17 10:07 192,512 ----a-w C:\WINNT\system32\dllcache\DXTRANS.DLL
2007-08-17 07:48 448,272 ----a-w C:\WINNT\system32\oieng400.dll
2007-08-17 07:48 448,272 ------w C:\WINNT\system32\dllcache\oieng400.dll
2007-08-17 07:48 39,184 ----a-w C:\WINNT\system32\jpeg2x32.dll
2007-08-17 07:48 39,184 ------w C:\WINNT\system32\dllcache\jpeg2x32.dll
2007-08-17 07:48 33,552 ----a-w C:\WINNT\system32\tifflt.dll
2007-08-17 07:48 33,552 ----a-w C:\WINNT\system32\dllcache\tifflt.dll
2007-02-13 20:57 1,845,024 ----a-w C:\Program Files\InstallScorch.exe
2007-01-29 16:33 604 ---ha-w C:\Program Files\STLL Notifier
2007-01-10 23:10 18,278,624 ----a-w C:\Program Files\AdbeRdr60_nld_full.exe
2006-10-25 16:14 2,855,080 ----a-w C:\Program Files\aawsepersonal.exe
2006-06-21 11:37 398,888 ----a-w C:\Program Files\msgr75us.exe
2006-01-27 11:16 5,264,896 ----a-w C:\Program Files\ps2pdf995.exe
2006-01-27 11:15 2,214,912 ----a-w C:\Program Files\pdf995s.exe
2005-10-27 10:20 1,878,744 ----a-w C:\Program Files\ica32t.exe
2005-10-03 08:55 57,976 ----a-w C:\Program Files\greek.ttf
2002-11-06 07:51 271 ---h--w C:\Program Files\desktop.ini
2002-11-06 07:51 21,952 ---h--w C:\Program Files\folder.htt
1999-12-07 11:00 32,528 ----a-w C:\WINNT\inf\wbfirdma.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8042d186-724d-4937-9be4-41b362b1f46e}]
07-09-25 21:28 1453080 --a------ C:\Program Files\DigiLetteren\tbDig1.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9AE3D80D-141F-85CE-7420-8929DD7CF1BB}]
C:\DOCUME~1\u0035535\APPLIC~1\JOYDAT~1\two media.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{8042d186-724d-4937-9be4-41b362b1f46e}"= C:\Program Files\DigiLetteren\tbDig1.dll [07-09-25 21:28 1453080]

[HKEY_CLASSES_ROOT\CLSID\{8042d186-724d-4937-9be4-41b362b1f46e}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{8042D186-724D-4937-9BE4-41B362B1F46E}"= C:\Program Files\DigiLetteren\tbDig1.dll [07-09-25 21:28 1453080]

[HKEY_CLASSES_ROOT\CLSID\{8042D186-724D-4937-9BE4-41B362B1F46E}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [03-06-19 21:05 C:\WINNT\system32\mobsync.exe]
"ATIModeChange"="Ati2mdxx.exe" [02-07-11 21:19 C:\WINNT\system32\Ati2mdxx.exe]
"AtiPTA"="atiptaxx.exe" [02-07-11 23:08 C:\WINNT\system32\atiptaxx.exe]
"PCTVOICE"="pctspk.exe" [03-02-24 15:35 C:\WINNT\system32\pctspk.exe]
"POINTER"="point32.exe" []
"CreateCD50"="C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" [02-05-02 18:58 ]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [07-09-25 01:11 ]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [07-09-06 16:14 ]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [07-09-06 12:06 ]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"="internat.exe" [99-12-07 12:00 C:\WINNT\system32\internat.exe]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" []
"BiasAtom"="C:\DOCUME~1\u0035535\APPLIC~1\LOGOOK~1\settingstypestart.exe" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [07-07-12 21:38 ]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [07-08-31 16:46 ]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"internat.exe"=internat.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 09:15:54]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2002-11-06 09:54:52]
Exif Launcher.lnk - C:\Program Files\FinePixViewer\QuickDCF.exe [2002-01-09 21:53:14]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= C:\Program Files\Qualcomm\Eudora\EuShlExt.dll [02-03-28 18:58 77824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"coursings"= {f8d02387-789a-4c0f-a1d8-8a93f33ee4df} - C:\WINNT\system32\yephk.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\WINNT\system32\wmfhotfix.dll

R0 SONYPVM1;Sony Memory Stick Driver(SONYPVM1);C:\WINNT\system32\DRIVERS\SONYPVM1.SYS
R2 aswMon;avast! Standard Shield Support;C:\WINNT\system32\drivers\aswMon.sys
R3 EL90BC;3Com EtherLink XL B/C Adapter Driver;C:\WINNT\system32\DRIVERS\el90xbc5.sys
S3 VinesIFS;Banyan VINES Redirector;C:\WINNT\system32\DRIVERS\vinesifs.sys
S3 VinesWorkstation;Banyan VINES Workstation;C:\vines\vnsws\vnsws.exe
S3 Vns;Banyan VINES IP Transport Protocol;C:\WINNT\system32\DRIVERS\vns.sys

*Newly Created Service* - IPNAT
*Newly Created Service* - RASAUTO
*Newly Created Service* - SHAREDACCESS
.
Contents of the 'Scheduled Tasks' folder
"2007-11-02 01:00:02 C:\WINNT\Tasks\A4478B95918405AD.job"
- c:\docume~1\u0035535\applic~1\logook~1\four base bold.exe
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-02 02:11:15
Windows 5.0.2195 Service Pack 4 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-02 2:13:33 - machine was rebooted
.
--- E O F ---

2 -- LOGIT
--------------------------------------------------------
File(s) moved to C:\deljob

A4478B95918405AD.job
--------------------------------------------------------
Files remaining after cleaning

--------------------------------------------------------
App data folders

Volume in drive C has no label.
Volume Serial Number is 3B61-1805

Directory of C:\Documents and Settings\u0035535\Application Data

10.05.2004 14:17 <DIR> .
10.05.2004 14:17 <DIR> ..
06.11.2002 08:52 <DIR> MICROS~1 Microsoft
10.05.2004 14:18 <DIR> IDENTI~1 Identities
10.05.2004 18:09 <DIR> MACROM~1 Macromedia
12.05.2004 00:50 <DIR> ADOBE Adobe
12.05.2004 14:19 <DIR> HELP Help
18.08.2004 16:52 <DIR> iacn
20.08.2004 11:13 <DIR> LAVASOFT Lavasoft
23.08.2004 11:04 <DIR> YAHOO! Yahoo!
12.10.2004 09:00 <DIR> REAL Real
25.10.2004 19:27 <DIR> LOGOOK~1 LogoOkayHide
25.10.2004 22:39 <DIR> APPLEC~1 Apple Computer
18.12.2004 11:58 <DIR> FUJIFILM
08.03.2005 12:17 <DIR> ICACLI~1 ICAClient
27.01.2006 12:20 <DIR> pdf995
24.02.2006 12:50 <DIR> NETSCAPE Netscape
24.02.2006 16:33 <DIR> JOYDAT~1 Joy Data
25.10.2006 17:34 <DIR> ADOBEUM AdobeUM
27.04.2007 07:38 <DIR> GOOGLE Google
22.09.2007 15:20 <DIR> MOZILLA Mozilla
24.09.2007 08:34 <DIR> SKYPE Skype
31.10.2007 22:33 <DIR> SUPERA~1.COM SUPERAntiSpyware.com
01.11.2007 16:03 <DIR> SUN Sun
0 File(s) 0 bytes
24 Dir(s) 1.438.203.904 bytes free
Volume in drive C has no label.
Volume Serial Number is 3B61-1805

Directory of C:\Documents and Settings\All Users\Application Data

06.11.2002 08:40 <DIR> .
06.11.2002 08:40 <DIR> ..
06.11.2002 08:48 <DIR> MICROS~1 Microsoft
06.09.2004 09:15 <DIR> THISIN~1 This internet book sixth
25.10.2004 22:38 <DIR> APPLEC~1 Apple Computer
27.01.2006 12:16 <DIR> pdf995
26.07.2006 19:17 <DIR> yahoo!
11.01.2007 00:12 <DIR> ADOBE Adobe
29.01.2007 17:33 <DIR> SIBELI~1 Sibelius Software
27.04.2007 07:38 <DIR> GOOGLE Google
24.09.2007 08:33 <DIR> SKYPE Skype
27.09.2007 14:17 <DIR> LAVASOFT Lavasoft
31.10.2007 22:03 <DIR> SPYBOT~1 Spybot - Search & Destroy
31.10.2007 22:33 <DIR> SUPERA~1.COM SUPERAntiSpyware.com
31.10.2007 23:49 <DIR> PREVX Prevx
01.11.2007 22:02 <DIR> MAILFR~1 MailFrontier
0 File(s) 0 bytes
16 Dir(s) 1.438.203.904 bytes free
--------------------------------------------------------

3 -- HIJACKTHIS
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:17:50, on 2.11.2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ZONELABS\vsmon.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINNT\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINNT\system32\atiptaxx.exe
C:\WINNT\system32\pctspk.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.be/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.be/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.resonant.be/
R3 - URLSearchHook: DigiLetteren Toolbar - {8042d186-724d-4937-9be4-41b362b1f46e} - C:\Program Files\DigiLetteren\tbDig1.dll
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: DigiLetteren Toolbar - {8042d186-724d-4937-9be4-41b362b1f46e} - C:\Program Files\DigiLetteren\tbDig1.dll
O2 - BHO: (no name) - {9AE3D80D-141F-85CE-7420-8929DD7CF1BB} - C:\DOCUME~1\u0035535\APPLIC~1\JOYDAT~1\two media.exe (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll (file missing)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: posHelp Class - {CDEEC43D-3572-4E95-A2A5-F519D29F00C0} - C:\PROGRA~1\ADVANC~1\Toolbar.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll (file missing)
O3 - Toolbar: DigiLetteren Toolbar - {8042d186-724d-4937-9be4-41b362b1f46e} - C:\Program Files\DigiLetteren\tbDig1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BiasAtom] C:\DOCUME~1\u0035535\APPLIC~1\LOGOOK~1\settingstypestart.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINNT\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINNT\bdoscandel.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/download/files/w...ntrol_en_US.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://194.117.7.102/activex/AxisCamControl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {C1BAC744-8F0B-11D0-89E7-00C0A8295197} (Cameractl Class) - http://www.crtvg.es/camweb/camera.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{DC97B53C-D09E-4ADB-A724-FEC1E821FF7A}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\WINNT\system32\wmfhotfix.dll
O21 - SSODL: coursings - {f8d02387-789a-4c0f-a1d8-8a93f33ee4df} - C:\WINNT\system32\yephk.dll (file missing)
O22 - SharedTaskScheduler: {f8d02387-789a-4c0f-a1d8-8a93f33ee4df} - coursings - (no file)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: Banyan VINES Workstation (VinesWorkstation) - Unknown owner - C:\vines\vnsws\vnsws.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZONELABS\vsmon.exe

--
End of file - 9603 bytes





Hope this is what you need?
All best,
Pieterman

#4 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 01 November 2007 - 08:59 PM

Please temporarily disable Spybot S&D's protection, or it will interfere.
You can enable it later once your system is clean.

Open Spybot and click on 'Mode' and check 'Advanced Mode'.
Click on 'Tools' in bottom left hand corner.
Click on the 'System Startup' icon.
Uncheck 'Teatimer' box and/or uncheck 'Resident'.
Click the 'Allow Change' box.
Then, check next to the computer clock to see if the icon for Spybot is still there.
If it is, right click it and choose 'exit Spybot-S&D Resident'.
Restart the computer.
If you find you're experiencing problems disabling Spybot's Tea-Timer, follow the info in the link below:
http://www.russelltexas.com/malware/teatimer.htm


Please download OTMoveIt by OldTimer:
http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe

Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Copy the file paths inside the quote box below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'):

C:\Documents and Settings\u0035535\Application Data\LogoOkayHide
C:\Documents and Settings\u0035535\Application Data\Joy Data
C:\Documents and Settings\All Users\Application Data\This internet book sixth

Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button

Copy everything on the 'Results' window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'), and paste it into your next reply.
Close OTMoveIt

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.
If you are asked to reboot the machine choose Yes.


Download/install 'SuperAntiSpyware Home Edition Free Version' from here, if you haven't already got it installed:
http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE

Launch SuperAntiSpyware and click on 'Check for updates'.
Once the updates have been installed, exit SuperAntiSpyware.

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {9AE3D80D-141F-85CE-7420-8929DD7CF1BB} - C:\DOCUME~1\u0035535\APPLIC~1\JOYDAT~1\two media.exe (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll (file missing)
O2 - BHO: posHelp Class - {CDEEC43D-3572-4E95-A2A5-F519D29F00C0} - C:\PROGRA~1\ADVANC~1\Toolbar.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll (file missing)
O4 - HKCU\..\Run: [BiasAtom] C:\DOCUME~1\u0035535\APPLIC~1\LOGOOK~1\settingstypestart.exe
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
O21 - SSODL: coursings - {f8d02387-789a-4c0f-a1d8-8a93f33ee4df} - C:\WINNT\system32\yephk.dll (file missing)
O22 - SharedTaskScheduler: {f8d02387-789a-4c0f-a1d8-8a93f33ee4df} - coursings - (no file)

Exit Hijackthis.

Start SuperAntiSpyware.
On the main screen click on 'Scan your computer'.
Check: 'Perform Complete Scan'.
Click 'Next' to start the scan.

Superantispyware will now scan your computer; when it's finished it will list all/any infections found.
Make sure everything found has a checkmark next to it, then press 'Next'.
Click on 'Finish' when you're done.

It's possible that the program will ask you to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click on 'Preferences'.
Click on the 'Statistics/Logs' tab.
Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
It will then open in your default text editor, such as Notepad.
Copy and paste the contents of that report into your next reply.
Also post a new Hijackthis log, and let me know how your pc is running now.

Edited by RichieUK, 01 November 2007 - 09:01 PM.

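One way to triage a HijackThis log like the ones in this thread, as an added Python example that is not part of the thread, of RichieUK's instructions, or of HijackThis itself. It flags the same kinds of entries the helper selected for 'Fix checked': entries marked "(file missing)" or "(no file)", an O4 autorun launched from a per-user Application Data folder (including its 8.3 short-name form), and an O16 ActiveX download with no class name. It then diffs a before and after log to confirm that the fixed entries are gone and to list anything new. The sample lines are copied from the logs posted above (a few, not the whole log); the three heuristics and the helper names (`triage`, `diff_logs`, `parse_entries`) are this example's own assumptions, not HijackThis rules.

```python
import re
from dataclasses import dataclass, field
from typing import List, Set, Tuple

# Sample input, constructed for this example from entries quoted in the thread.
# Raw strings keep the single backslashes (and the literal "\u0035535" user name).
SAMPLE_BEFORE = r"""
Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [BiasAtom] C:\DOCUME~1\u0035535\APPLIC~1\LOGOOK~1\settingstypestart.exe
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
O21 - SSODL: coursings - {f8d02387-789a-4c0f-a1d8-8a93f33ee4df} - C:\WINNT\system32\yephk.dll (file missing)
O22 - SharedTaskScheduler: {f8d02387-789a-4c0f-a1d8-8a93f33ee4df} - coursings - (no file)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

SAMPLE_AFTER = r"""
Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

# Every HijackThis entry starts with a section code (R0..R3, O1..O24) and " - ".
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
# Per-user Application Data, in long form or in the 8.3 short form HJT prints.
USER_APPDATA_RE = re.compile(
    r"(DOCUME~1|Documents and Settings)\\[^\\]+\\(APPLIC~1|Application Data)\\", re.I)
# HJT appends these when the registered file is gone from disk.
ORPHAN_MARKERS = ("(file missing)", "(no file)")


@dataclass
class Finding:
    line: str
    section: str
    reasons: List[str] = field(default_factory=list)


def parse_entries(log_text: str) -> List[Tuple[str, str]]:
    """Return (section, line) for each R/O entry; header and process lines are skipped."""
    out = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            out.append((m.group("section"), line))
    return out


def triage(log_text: str) -> List[Finding]:
    """Apply this example's heuristics (assumptions, not HJT rules) to every entry."""
    findings = []
    for section, line in parse_entries(log_text):
        reasons = []
        if line.endswith(ORPHAN_MARKERS):
            reasons.append("orphan: registry entry points at a file that no longer exists")
        if section == "O4" and USER_APPDATA_RE.search(line):
            reasons.append("autorun launched from a per-user Application Data folder")
        # O16 lines normally read "{GUID} (Some Class) - URL"; no class name is a weak signal.
        if section == "O16" and not re.search(r"\} \(.+\) - ", line):
            reasons.append("ActiveX download entry with no class name")
        if reasons:
            findings.append(Finding(line, section, reasons))
    return findings


def diff_logs(before: str, after: str) -> Tuple[Set[str], Set[str]]:
    """Entries removed by the fix and entries that are new in the follow-up log."""
    b = {line for _, line in parse_entries(before)}
    a = {line for _, line in parse_entries(after)}
    return b - a, a - b


if __name__ == "__main__":
    for f in triage(SAMPLE_BEFORE):
        print(f"[{f.section}] {f.line}\n    " + "; ".join(f.reasons))
    removed, added = diff_logs(SAMPLE_BEFORE, SAMPLE_AFTER)
    print(f"\n{len(removed)} entries removed, {len(added)} new entries:")
    for line in sorted(added):
        print("  + " + line)
```

On the constructed sample, `triage` flags six of the nine entries (the two orphaned O2 BHOs, the BiasAtom O4, the nameless O16, and the O21/O22 pair sharing one CLSID), which is exactly the set RichieUK asked to be fixed; the avast! O4 line is not flagged even though it also uses an 8.3 short path, because it lives under Program Files rather than a user profile. The O16 rule is deliberately weak on its own; in practice it is the combination with a download from an unfamiliar host that makes such an entry worth a second look.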

#5 pieterman

pieterman
  • Topic Starter

  • Members
  • 7 posts
  • Gender:Male
  • Location:Belgium

Posted 02 November 2007 - 05:27 AM

OK, here are the next three logs:

1---OTMoveIt:

C:\Documents and Settings\u0035535\Application Data\LogoOkayHide moved successfully.
C:\Documents and Settings\u0035535\Application Data\Joy Data moved successfully.
C:\Documents and Settings\All Users\Application Data\This internet book sixth moved successfully.

Created on 11.02.2007 10:29:19

-------------------------------------------------------------------------------------------------------------


2---SuperAntiSpyware:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 11/02/2007 at 11:10 AM

Application Version : 3.9.1008

Core Rules Database Version : 3336
Trace Rules Database Version: 1337

Scan type : Complete Scan
Total Scan Time : 00:31:00

Memory items scanned : 370
Memory threats detected : 0
Registry items scanned : 4488
Registry threats detected : 86
File items scanned : 24018
File threats detected : 164

Adware.Tracking Cookie
C:\Documents and Settings\u0035535\Cookies\u0035535@advertising[1].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@uclick[3].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@atdmt[12].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@pornaccess[2].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@cgi-bin[2].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@questionmarket[7].txt
C:\Documents and Settings\u0035535\Cookies\system@atdmt[1].txt
C:\Documents and Settings\u0035535\Cookies\system@serving-sys[1].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@a[8].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@enhance[6].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@pandasoftware.112.2o7[1].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@atwola[1].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@media.adrevolver[10].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@m2.sexgarantie[1].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@server.iad.liveperson[1].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@1068415716[1].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@adrevolver[16].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@richmedia.yahoo[1].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@www.internationalsexguide[2].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@yadro[1].txt
C:\Documents and Settings\u0035535\Cookies\system@questionmarket[2].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@eas.apm.emediate[3].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@trafficroup[1].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@jetair[2].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@freesexhub[1].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@tribalfusion[1].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@hornyfux[1].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@adinterax[4].txt
C:\Documents and Settings\u0035535\Cookies\system@a[1].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@xiti[4].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@m1.webstats.motigo[2].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@fortunecity[1].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@doubleclick[7].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@serving-sys[5].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@xiti[2].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@doubleclick[1].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@ad.yieldmanager[2].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@atdmt[2].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@enhance[1].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@dealtime[1].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@mediaplex[1].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@stat.dealtime[2].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@ad.yieldmanager[3].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@adrevolver[2].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@media.adrevolver[2].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@uclick[1].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@2o7[1].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@doubleclick[3].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@mediaplex[2].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@bs.serving-sys[1].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@adrevolver[1].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@adrevolver[3].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@media.adrevolver[3].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@ad.yieldmanager[4].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@questionmarket[2].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@mediaplex[3].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@goclick[1].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@overture[1].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@adrevolver[5].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@adrevolver[6].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@media.adrevolver[4].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@eas.apm.emediate[1].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@mediatheek[1].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@atdmt[3].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@uclick[2].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@mediaplex[4].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@stat.dealtime[3].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@xiti[1].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@adrevolver[7].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@ad.yieldmanager[5].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@doubleclick[4].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@ad.yieldmanager[6].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@adbrite[1].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@adrevolver[4].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@atdmt[4].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@adrevolver[8].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@joeycrack[1].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@enhance[2].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@fastclick[2].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@doubleclick[2].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@atdmt[5].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@adrevolver[9].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@media.adrevolver[5].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@atdmt[1].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@adultfriendfinder[2].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@doubleclick[5].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@revenuemax[1].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@adserver[1].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@windowsmedia[2].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@media.adrevolver[6].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@stat.dealtime[4].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@revsci[2].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@fastclick[3].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@serving-sys[1].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@bs.serving-sys[3].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@ads.adbrite[1].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@m1.webstats.motigo[1].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@track.webgains[2].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@doubleclick[6].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@adinterax[1].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@bs.serving-sys[4].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@adrevolver[10].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@media.adrevolver[7].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@media.adrevolver[1].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@adinterax[2].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@serving-sys[3].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@adinterax[3].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@xiti[3].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@atdmt[7].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@overture[2].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@advertising[2].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@ad.yieldmanager[1].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@shopping.112.2o7[1].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@enhance[4].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@ad.yieldmanager[8].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@doubleclick[8].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@adrevolver[12].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@adrevolver[13].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@bs.serving-sys[5].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@serving-sys[4].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@windowsmedia[1].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@enhance[3].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@dealtime[2].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@media.adrevolver[9].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@mediaplex[6].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@atdmt[8].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@ad.yieldmanager[7].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@bs.serving-sys[6].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@adrevolver[11].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@adrevolver[15].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@questionmarket[1].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@enhance[5].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@adrevolver[14].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@bs.serving-sys[2].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@ad.yieldmanager[10].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@serving-sys[2].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@atdmt[9].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@questionmarket[3].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@sexhomepage[1].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@stats.ilsemedia[1].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@www.supersexfilms[1].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@www.hardesexfotos[2].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@pornokanjer[1].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@questionmarket[5].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@media.adrevolver[8].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@atdmt[10].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@atdmt[11].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@bs.serving-sys[7].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@serving-sys[6].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@adinterax[5].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@adrevolver[17].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@adrevolver[18].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@adforce.advertserve[1].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@perf.overture[1].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@apmebf[1].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@www2.mystats[2].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@2o7[2].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@msnportal.112.2o7[1].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@questionmarket[6].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@media.adrevolver[11].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@22traffic[1].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@bs.serving-sys[8].txt
C:\Documents and Settings\u0035535\Cookies\u0035535@ads.techguy[2].txt
C:\Documents and Settings\u0035535\Cookies\system@bs.serving-sys[2].txt

Malware.SpyHeal
HKCR\TypeLib\{A48995B0-2BB5-4246-B0EA-55B2FFCF9129}
HKCR\TypeLib\{A48995B0-2BB5-4246-B0EA-55B2FFCF9129}\1.0
HKCR\TypeLib\{A48995B0-2BB5-4246-B0EA-55B2FFCF9129}\1.0\0
HKCR\TypeLib\{A48995B0-2BB5-4246-B0EA-55B2FFCF9129}\1.0\0\win32
HKCR\TypeLib\{A48995B0-2BB5-4246-B0EA-55B2FFCF9129}\1.0\FLAGS
HKCR\TypeLib\{A48995B0-2BB5-4246-B0EA-55B2FFCF9129}\1.0\HELPDIR
HKCR\Interface\{0EBCA7C4-AA97-4B47-99D7-4932A73E9198}
HKCR\Interface\{0EBCA7C4-AA97-4B47-99D7-4932A73E9198}\ProxyStubClsid
HKCR\Interface\{0EBCA7C4-AA97-4B47-99D7-4932A73E9198}\ProxyStubClsid32
HKCR\Interface\{0EBCA7C4-AA97-4B47-99D7-4932A73E9198}\TypeLib
HKCR\Interface\{0EBCA7C4-AA97-4B47-99D7-4932A73E9198}\TypeLib#Version
HKCR\Interface\{16640BA0-193C-4BD5-882B-F92D6EF82156}
HKCR\Interface\{16640BA0-193C-4BD5-882B-F92D6EF82156}\ProxyStubClsid
HKCR\Interface\{16640BA0-193C-4BD5-882B-F92D6EF82156}\ProxyStubClsid32
HKCR\Interface\{16640BA0-193C-4BD5-882B-F92D6EF82156}\TypeLib
HKCR\Interface\{16640BA0-193C-4BD5-882B-F92D6EF82156}\TypeLib#Version
HKCR\Interface\{2A041B9C-44AC-47FF-9399-CB8AEEF1CFE8}
HKCR\Interface\{2A041B9C-44AC-47FF-9399-CB8AEEF1CFE8}\ProxyStubClsid
HKCR\Interface\{2A041B9C-44AC-47FF-9399-CB8AEEF1CFE8}\ProxyStubClsid32
HKCR\Interface\{2A041B9C-44AC-47FF-9399-CB8AEEF1CFE8}\TypeLib
HKCR\Interface\{2A041B9C-44AC-47FF-9399-CB8AEEF1CFE8}\TypeLib#Version
HKCR\Interface\{4DFFBEAB-DB11-4602-A3E8-0454ED3F928B}
HKCR\Interface\{4DFFBEAB-DB11-4602-A3E8-0454ED3F928B}\ProxyStubClsid
HKCR\Interface\{4DFFBEAB-DB11-4602-A3E8-0454ED3F928B}\ProxyStubClsid32
HKCR\Interface\{4DFFBEAB-DB11-4602-A3E8-0454ED3F928B}\TypeLib
HKCR\Interface\{4DFFBEAB-DB11-4602-A3E8-0454ED3F928B}\TypeLib#Version
HKCR\Interface\{57DD6CFE-ABDB-46C2-92EB-316A5F499167}
HKCR\Interface\{57DD6CFE-ABDB-46C2-92EB-316A5F499167}\ProxyStubClsid
HKCR\Interface\{57DD6CFE-ABDB-46C2-92EB-316A5F499167}\ProxyStubClsid32
HKCR\Interface\{57DD6CFE-ABDB-46C2-92EB-316A5F499167}\TypeLib
HKCR\Interface\{57DD6CFE-ABDB-46C2-92EB-316A5F499167}\TypeLib#Version
HKCR\Interface\{690D2910-BFD6-47D3-A96C-13E6BA2935E8}
HKCR\Interface\{690D2910-BFD6-47D3-A96C-13E6BA2935E8}\ProxyStubClsid
HKCR\Interface\{690D2910-BFD6-47D3-A96C-13E6BA2935E8}\ProxyStubClsid32
HKCR\Interface\{690D2910-BFD6-47D3-A96C-13E6BA2935E8}\TypeLib
HKCR\Interface\{690D2910-BFD6-47D3-A96C-13E6BA2935E8}\TypeLib#Version
HKCR\Interface\{8407F578-6FA7-446A-8852-53E6A147472E}
HKCR\Interface\{8407F578-6FA7-446A-8852-53E6A147472E}\ProxyStubClsid
HKCR\Interface\{8407F578-6FA7-446A-8852-53E6A147472E}\ProxyStubClsid32
HKCR\Interface\{8407F578-6FA7-446A-8852-53E6A147472E}\TypeLib
HKCR\Interface\{8407F578-6FA7-446A-8852-53E6A147472E}\TypeLib#Version
HKCR\Interface\{85A126D1-2706-443D-9979-8841A1C5B482}
HKCR\Interface\{85A126D1-2706-443D-9979-8841A1C5B482}\ProxyStubClsid
HKCR\Interface\{85A126D1-2706-443D-9979-8841A1C5B482}\ProxyStubClsid32
HKCR\Interface\{85A126D1-2706-443D-9979-8841A1C5B482}\TypeLib
HKCR\Interface\{85A126D1-2706-443D-9979-8841A1C5B482}\TypeLib#Version
HKCR\Interface\{B11E589E-9A82-40EF-9777-8E13553F83D4}
HKCR\Interface\{B11E589E-9A82-40EF-9777-8E13553F83D4}\ProxyStubClsid
HKCR\Interface\{B11E589E-9A82-40EF-9777-8E13553F83D4}\ProxyStubClsid32
HKCR\Interface\{B11E589E-9A82-40EF-9777-8E13553F83D4}\TypeLib
HKCR\Interface\{B11E589E-9A82-40EF-9777-8E13553F83D4}\TypeLib#Version
HKCR\Interface\{C2E39865-E9E9-462F-87CB-9A09CEB4795F}
HKCR\Interface\{C2E39865-E9E9-462F-87CB-9A09CEB4795F}\ProxyStubClsid
HKCR\Interface\{C2E39865-E9E9-462F-87CB-9A09CEB4795F}\ProxyStubClsid32
HKCR\Interface\{C2E39865-E9E9-462F-87CB-9A09CEB4795F}\TypeLib
HKCR\Interface\{C2E39865-E9E9-462F-87CB-9A09CEB4795F}\TypeLib#Version
HKCR\Interface\{E12E00DE-9BE2-486C-A9F1-19730F93807E}
HKCR\Interface\{E12E00DE-9BE2-486C-A9F1-19730F93807E}\ProxyStubClsid
HKCR\Interface\{E12E00DE-9BE2-486C-A9F1-19730F93807E}\ProxyStubClsid32
HKCR\Interface\{E12E00DE-9BE2-486C-A9F1-19730F93807E}\TypeLib
HKCR\Interface\{E12E00DE-9BE2-486C-A9F1-19730F93807E}\TypeLib#Version
HKCR\Interface\{EBDD9FB9-3A6C-4DA2-B0A9-D117528D4040}
HKCR\Interface\{EBDD9FB9-3A6C-4DA2-B0A9-D117528D4040}\ProxyStubClsid
HKCR\Interface\{EBDD9FB9-3A6C-4DA2-B0A9-D117528D4040}\ProxyStubClsid32
HKCR\Interface\{EBDD9FB9-3A6C-4DA2-B0A9-D117528D4040}\TypeLib
HKCR\Interface\{EBDD9FB9-3A6C-4DA2-B0A9-D117528D4040}\TypeLib#Version
HKCR\Interface\{ED33F056-D246-4FF2-8D2A-D9F3938753BF}
HKCR\Interface\{ED33F056-D246-4FF2-8D2A-D9F3938753BF}\ProxyStubClsid
HKCR\Interface\{ED33F056-D246-4FF2-8D2A-D9F3938753BF}\ProxyStubClsid32
HKCR\Interface\{ED33F056-D246-4FF2-8D2A-D9F3938753BF}\TypeLib
HKCR\Interface\{ED33F056-D246-4FF2-8D2A-D9F3938753BF}\TypeLib#Version
HKCR\Interface\{EFC68768-18B9-4930-9643-F6DD7AA60A71}
HKCR\Interface\{EFC68768-18B9-4930-9643-F6DD7AA60A71}\ProxyStubClsid
HKCR\Interface\{EFC68768-18B9-4930-9643-F6DD7AA60A71}\ProxyStubClsid32
HKCR\Interface\{EFC68768-18B9-4930-9643-F6DD7AA60A71}\TypeLib
HKCR\Interface\{EFC68768-18B9-4930-9643-F6DD7AA60A71}\TypeLib#Version
HKCR\Interface\{F5EC0F1E-A3EB-49EA-BD87-989899B6E1C9}
HKCR\Interface\{F5EC0F1E-A3EB-49EA-BD87-989899B6E1C9}\ProxyStubClsid
HKCR\Interface\{F5EC0F1E-A3EB-49EA-BD87-989899B6E1C9}\ProxyStubClsid32
HKCR\Interface\{F5EC0F1E-A3EB-49EA-BD87-989899B6E1C9}\TypeLib
HKCR\Interface\{F5EC0F1E-A3EB-49EA-BD87-989899B6E1C9}\TypeLib#Version
HKCR\Interface\{FEB6CDEC-70F6-4D2B-BCA4-1AB3BCDCC513}
HKCR\Interface\{FEB6CDEC-70F6-4D2B-BCA4-1AB3BCDCC513}\ProxyStubClsid
HKCR\Interface\{FEB6CDEC-70F6-4D2B-BCA4-1AB3BCDCC513}\ProxyStubClsid32
HKCR\Interface\{FEB6CDEC-70F6-4D2B-BCA4-1AB3BCDCC513}\TypeLib
HKCR\Interface\{FEB6CDEC-70F6-4D2B-BCA4-1AB3BCDCC513}\TypeLib#Version

--------------------------------------------------------------------------------------------------------------------

3---HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:20:49, on 2.11.2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ZONELABS\vsmon.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINNT\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\atiptaxx.exe
C:\WINNT\system32\pctspk.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINNT\system32\internat.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.be/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.be/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.resonant.be/
R3 - URLSearchHook: DigiLetteren Toolbar - {8042d186-724d-4937-9be4-41b362b1f46e} - C:\Program Files\DigiLetteren\tbDig1.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: DigiLetteren Toolbar - {8042d186-724d-4937-9be4-41b362b1f46e} - C:\Program Files\DigiLetteren\tbDig1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: DigiLetteren Toolbar - {8042d186-724d-4937-9be4-41b362b1f46e} - C:\Program Files\DigiLetteren\tbDig1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINNT\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINNT\bdoscandel.exe
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/download/files/w...ntrol_en_US.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://194.117.7.102/activex/AxisCamControl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {C1BAC744-8F0B-11D0-89E7-00C0A8295197} (Cameractl Class) - http://www.crtvg.es/camweb/camera.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{DC97B53C-D09E-4ADB-A724-FEC1E821FF7A}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\WINNT\system32\wmfhotfix.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: Banyan VINES Workstation (VinesWorkstation) - Unknown owner - C:\vines\vnsws\vnsws.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZONELABS\vsmon.exe

--
End of file - 8334 bytes
Hope this is what you need?

My pc seems to be running fine now, the btcar hasn't surfaced any more!

All best,
Pieterman
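Since the HijackThis log above is what the whole thread turns on, here is an added example (not from the post, and not HijackThis's own code) that parses the `Onn - body` entry format and pulls out the lines a reviewer checks first: O17 NameServer values against an expected DNS list, O20 AppInit_DLLs, O16 ActiveX downloads served from a bare IP host, and O23 services that are missing on disk or carry no publisher. The sample lines are copied from the log; the `expected_dns` parameter and the triage rules are my own assumptions, and a note means "verify this", not "infected".

```python
import re
from collections import defaultdict

# Constructed sample: lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://194.117.7.102/activex/AxisCamControl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O20 - AppInit_DLLs: C:\WINNT\system32\wmfhotfix.dll
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZONELABS\vsmon.exe
"""

# Every HijackThis entry is "<section code> - <body>"; header and process-list lines are skipped.
ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
IP_HOST_RE = re.compile(r"^https?://\d{1,3}(?:\.\d{1,3}){3}/", re.I)

def parse_entries(text):
    """Return (section, body) tuples for each O-section line in the log."""
    out = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            out.append((m.group(1), m.group(2)))
    return out

def triage(text, expected_dns=()):
    """Map section code -> review notes for the entries a reviewer checks first.
    A note means 'verify this', not 'malicious' (rules are assumptions, not HJT's)."""
    notes = defaultdict(list)
    for section, body in parse_entries(text):
        if section == "O17" and "NameServer =" in body:
            servers = [s.strip() for s in body.split("NameServer =", 1)[1].split(",")]
            odd = [s for s in servers if s not in expected_dns]
            if odd:
                notes["O17"].append("DNS servers outside the expected set: " + ", ".join(odd))
        elif section == "O20" and body.startswith("AppInit_DLLs:"):
            # AppInit_DLLs are loaded into every process that loads user32.dll
            notes["O20"].append("AppInit DLL: " + body.split(":", 1)[1].strip())
        elif section == "O16" and IP_HOST_RE.match(body.rsplit(" - ", 1)[-1]):
            notes["O16"].append("ActiveX control fetched from a bare IP host: " + body.rsplit(" - ", 1)[-1])
        elif section == "O23" and "(file missing)" in body:
            notes["O23"].append("service binary missing on disk: " + body)
        elif section == "O23" and "Unknown owner" in body:
            notes["O23"].append("service without a publisher string: " + body)
    return dict(notes)
```

Pass the DNS servers the machine is supposed to use as `expected_dns`; with the two OpenDNS addresses from the log the O17 note disappears, and with no expectation every NameServer value is listed for checking.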

#6 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time:10:12 AM

Posted 02 November 2007 - 05:45 AM

Your log is clean :thumbsup:
If all's ok, please do the following:

Please double-click OTMoveIt.exe to run it.
Click on the 'Cleanup' button.
When you do this a text file named cleanup.txt will be downloaded from the internet.
If you get a warning from your firewall or other security programs regarding OTMoveIt attempting to contact the internet you should allow it to do so.
When the 'Confirm' box appears click 'Yes'.
Restart your pc when prompted.

Download ATF Cleaner by Atribune:
http://www.atribune.org/ccount/click.php?id=1

Double-click ATF-Cleaner.exe to run the program.
Click 'Select All' found at the bottom of the list.
Click the 'Empty Selected' button.

If you use Firefox browser, do this also:
Click Firefox at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.

If you use Opera browser, do this also:
Click Opera at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.
Click 'Exit' on the Main menu to close the program.

You should take the time to read and follow the information found in the links below, to help you prevent any possible future infections and stay safe and secure while online:

Simple and easy ways to keep your computer safe and secure on the Internet:
http://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/

How to prevent Malware:
http://users.telenet.be/bluepatchy/miekiem...prevention.html

So how did I get infected in the first place:
http://forums.spybot.info/showthread.php?t=279

Malware Cleanup Programs and Preventative Procedures:
http://russelltexas.com/malware/allclear.htm

#7 pieterman

pieterman
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Gender:Male
  • Location:Belgium
  • Local time:10:12 AM

Posted 02 November 2007 - 08:04 AM

Hi
Thank you SO much for your help, you've been great! :blink: :thumbsup:
One more question: I end up with a lot of new programs on my desktop -- which of these do you advise me to keep?
- HijackThis
- Stinger
- Avast!Antivirus (AFDB and On-Access Scanner)
- deljob
- SuperAntiSpyware
- ATF-Cleaner
- ZoneAlarm

For some reason or other, Combofix and OTMoveIt have gone.

Should I keep all of these programs/files (+ on my desktop)? I'm a bit worried that they might take much memory or slow down my machine... Or shouldn't I?

All best,
Pieterman

#8 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time:10:12 AM

Posted 02 November 2007 - 12:17 PM

One more question: I end up with a lot of new programs on my desktop -- which of these do you advise me to keep?

- HijackThis
- Stinger
- Avast!Antivirus (AFDB and On-Access Scanner)->Keep
- deljob
- SuperAntiSpyware ->Keep
- ATF-Cleaner
- ZoneAlarm ->Keep

For some reason or other, Combofix and OTMoveIt have gone.

Yes, they were deliberately removed by running the OTMoveIt Cleanup.

#9 pieterman

pieterman
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Gender:Male
  • Location:Belgium
  • Local time:10:12 AM

Posted 02 November 2007 - 12:36 PM

OK thanks again, you have been extremely helpful and I'm sure your help has saved me a lot of time!! :thumbsup: :blink: :wacko:

#10 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time:10:12 AM

Posted 02 November 2007 - 01:10 PM

You're welcome :thumbsup:

This thread will now be closed.
If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you.
Include the address of this thread in your request.
If you should have a new issue, please start a new topic.
This applies only to the original topic starter.
Everyone else please begin a New Topic.