My Computer Is Infected.


11 replies to this topic

#1 satax

satax

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:04:53 PM

Posted 03 December 2007 - 12:39 PM

Dear BleepingComputers,
I'm new here.
Can someone analyse my HijackThis log?
I'm really infected.
If I start my computer I need to terminate explorer.exe, then I press New Task: "Explorer.exe" and then I see my taskbar etc.
I can go into Safe Mode, but that's all.
My firewall (Sygate) and NOD32 are disabled by the virus.
It's probably WIN32/Parite.B! It infected all my .exe files on my computer.
Also, I have more than 5 new processes in my taskbar called: "wuaclt.exe", "wbcmkrra.exe", "spool32.exe", "usnsvc.exe",
and sometimes I get fake antiviruses (like SpySheriff, but others) automatically installed.
And sometimes there are just HOSTS added, that I can see in the HJT log, but I already deleted them.

Well, here is my log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:32:57, on 3/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\Documents and Settings\SaTaXOwner\Application Data\s?stem32\s?ool32.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\WINDOWS\Config\lsass.exe
C:\DOCUME~1\SATAXO~1\MIJNDO~1\MBOLS~1\wuaclt.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MessengerDiscovery\MessengerDiscovery Live.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wbcmkrra.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\Documents and Settings\SaTaXOwner\Bureaublad\utorrent.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Config\lsass.exe
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [5c2af133] rundll32.exe "C:\WINDOWS\system32\lqkfjxdc.dll",b
O4 - HKCU\..\Run: [Nnrftpl] "C:\Documents and Settings\SaTaXOwner\Application Data\s?stem32\s?ool32.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Rcld] "C:\DOCUME~1\SATAXO~1\MIJNDO~1\MBOLS~1\wuaclt.exe" -vt yazb
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 4495 bytes



Thank you for helping.

#2 lusitano

lusitano

    Portuguese Malware Fighter


  • Members
  • 1,443 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Portugal
  • Local time:07:53 PM

Posted 04 December 2007 - 12:58 PM

Hi, welcome to Bleeping Computer Forums!

You might want to save this page on your favorites, so you can find it again when you return.


Please take note of the following:
  • I will be handling your log and helping you, please do not make any system changes yet.
  • The process is not instant. Please continue to review my answers until I tell you that your computer is clean. Be patient.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • If there's anything that you don't understand, please ask your question(s) before proceeding with the fixes.
  • Please reply to this thread. Do not start a new topic.
Please give me some time to look over your log and I will get back to you as soon as possible.

Please do not PM me asking for support.
Please be courteous, polite, and say thank you.
Please post the final results, good or bad. We like to know!

#3 lusitano

lusitano

    Portuguese Malware Fighter


  • Members
  • 1,443 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Portugal
  • Local time:07:53 PM

Posted 04 December 2007 - 05:43 PM

Hi,

Download ComboFix from Here or Here to your Desktop.
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

#4 satax

satax
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:04:53 PM

Posted 05 December 2007 - 07:31 AM

My computer starts normally, but my firewall (Sygate Firewall) always asks if I want to block Windows Explorer =/ when I open My Computer...
Also, it tries to connect to a site called zxela.com or something =/...

Anyway, here's the log:

ComboFix 07-12-02.6 - SaTaXOwner 2007-12-05 13:21:49.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1043.18.1545 [GMT 1:00]
Gestart vanuit: C:\Documents and Settings\SaTaXOwner\Bureaublad\ComboFix.exe
* Nieuw herstelpunt werd aangemaakt
.

(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt
C:\Documents and Settings\SaTaXOwner\Application Data\SSTEM3~1
C:\Documents and Settings\SaTaXOwner\Menu Start\Programma's\Outerinfo
C:\Documents and Settings\SaTaXOwner\Menu Start\Programma's\Outerinfo\Uninstall.lnk
C:\Documents and Settings\SaTaXOwner\Mijn documenten\MBOLS~1
C:\Documents and Settings\SaTaXOwner\Mijn documenten\MBOLS~1\??mbols\
C:\Program Files\Common Files\Yazzle1281OinAdmin.exe
C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
C:\Program Files\network monitor
C:\Program Files\network monitor\netmon.exe
C:\WINDOWS\system32\awvts.dll
C:\WINDOWS\system32\c3
C:\WINDOWS\system32\coudufbb.dll
C:\WINDOWS\system32\drivers\svchost.exe
C:\WINDOWS\system32\f3
C:\WINDOWS\system32\l4
C:\WINDOWS\system32\l4\swdrv83122.exe
C:\WINDOWS\system32\m4
C:\WINDOWS\system32\m4\ejup83122.exe
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\plugin1.dat
C:\WINDOWS\system32\stvwa.bak1
C:\WINDOWS\system32\stvwa.bak2
C:\WINDOWS\system32\stvwa.ini
C:\WINDOWS\system32\SysPr.prx
C:\WINDOWS\system32\ywftxits.dll
C:\WINDOWS\TTC-4444.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CMDSERVICE
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_NETWORK_MONITOR
-------\DomainService


(((((((((((((((((((( Bestanden Gemaakt van 2007-11-05 to 2007-12-05 ))))))))))))))))))))))))))))))
.

2007-12-04 18:31 . 2007-12-04 18:36 <DIR> d-------- C:\WINDOWS\.jagex_cache_32
2007-12-04 18:23 . 2007-12-04 18:23 <DIR> d-------- C:\Program Files\Lavasoft
2007-12-04 18:23 . 2007-12-04 18:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-04 18:20 . 2007-12-04 18:20 <DIR> d-------- C:\Program Files\CCleaner
2007-12-04 18:20 . 2007-12-04 22:39 <DIR> dr-h----- C:\Documents and Settings\SaTaXOwner\Onlangs geopend
2007-12-03 21:31 . 2005-02-16 11:06 395,742 --a------ C:\HijackThis.exe
2007-12-03 21:02 . 2007-12-03 21:02 <DIR> d-------- C:\Documents and Settings\SaTaXOwner\Application Data\Grisoft
2007-12-03 20:37 . 2007-12-03 20:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-03 20:37 . 2007-05-30 13:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-12-03 20:27 . 2007-12-03 21:02 <DIR> d-------- C:\sysclean
2007-12-03 19:15 . 2007-12-03 19:52 <DIR> d-------- C:\Documents and Settings\SaTaXOwner\.housecall6.6
2007-12-03 18:49 . 2007-12-03 18:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET
2007-12-03 18:06 . 2007-12-03 18:07 792,649 ---hs---- C:\WINDOWS\system32\cdxjfkql.ini
2007-12-03 18:03 . 2007-12-03 18:03 73,280 --a------ C:\WINDOWS\system32\htqwvgvt.dll
2007-12-02 17:52 . 2007-12-03 18:00 792,589 ---hs---- C:\WINDOWS\system32\dnupdosn.ini
2007-12-02 17:46 . 2007-12-03 19:49 249,308 --a------ C:\WINDOWS\system32\wxpfuhhv.exe
2007-12-02 16:35 . 2007-12-02 16:35 <DIR> d-------- C:\WINDOWS\system32\daSgo01
2007-12-02 01:03 . 2007-12-02 01:03 <DIR> d-------- C:\Program Files\ImTOO
2007-12-01 17:54 . 2007-12-01 17:54 793,664 ---hs---- C:\WINDOWS\system32\odtxxdlm.ini
2007-12-01 17:48 . 2007-12-03 19:49 249,302 --a------ C:\WINDOWS\system32\rfggrtig.exe
2007-11-30 23:41 . 2007-11-30 23:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TechSmith
2007-11-30 17:54 . 2007-11-30 17:55 793,664 ---hs---- C:\WINDOWS\system32\mkttoyvr.ini
2007-11-30 17:48 . 2007-12-03 19:49 249,308 --a------ C:\WINDOWS\system32\kpbmotfa.exe
2007-11-29 18:19 . 2007-11-29 19:04 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2007-11-29 18:19 . 2007-11-29 18:19 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2007-11-27 18:12 . 2007-12-04 18:05 <DIR> d-------- C:\Temp
2007-11-27 18:12 . 2007-11-27 18:12 81,975 --a------ C:\WINDOWS\system32\instdump.dmp
2007-11-27 18:12 . 2007-11-27 18:12 15,402 --a------ C:\WINDOWS\system32\instdump.zip
2007-11-27 18:11 . 2007-11-27 18:13 <DIR> d-------- C:\Documents and Settings\Administrator\Contacts
2007-11-27 18:03 . 2007-11-27 18:03 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-27 06:29 . 2007-10-09 20:41 <DIR> d--h----- C:\Documents and Settings\Administrator\Sjablonen
2007-11-27 06:29 . 2007-11-27 18:26 <DIR> d--h----- C:\Documents and Settings\Administrator\Onlangs geopend
2007-11-27 06:29 . 2006-01-24 23:05 <DIR> d--h----- C:\Documents and Settings\Administrator\Netwerkprinteromgeving
2007-11-27 06:29 . 2007-11-27 18:11 <DIR> d-------- C:\Documents and Settings\Administrator\Mijn documenten
2007-11-27 06:29 . 2006-01-24 23:05 <DIR> dr------- C:\Documents and Settings\Administrator\Menu Start
2007-11-27 06:29 . 2007-11-27 18:11 <DIR> d-------- C:\Documents and Settings\Administrator\Favorieten
2007-11-27 06:29 . 2007-11-27 18:30 <DIR> d-------- C:\Documents and Settings\Administrator\Bureaublad
2007-11-24 15:30 . 2007-11-24 15:30 <DIR> d-------- C:\Program Files\TI Education
2007-11-24 15:30 . 2007-11-24 15:31 <DIR> d-------- C:\Program Files\Common Files\TI Shared
2007-11-24 14:39 . 2007-11-24 14:39 33,824 --a------ C:\WINDOWS\system32\drivers\oreans32.sys
2007-11-21 14:42 . 2007-11-21 14:42 <DIR> d-------- C:\Program Files\Google
2007-11-18 18:59 . 2007-11-18 19:14 <DIR> d-------- C:\Program Files\Cheat Engine
2007-11-18 18:59 . 2006-09-04 19:16 1,970,176 --a------ C:\WINDOWS\system32\d3dx9.dll
2007-11-18 18:59 . 2006-09-04 19:16 679,936 --a------ C:\WINDOWS\system32\D3DX81ab.dll
2007-11-18 17:48 . 2007-11-18 17:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Messenger Plus!
2007-11-18 17:24 . 2007-11-18 17:28 <DIR> d-------- C:\Program Files\Messenger Plus! Live
2007-11-17 18:33 . 2007-11-17 18:33 <DIR> d-------- C:\Program Files\Windows Live
2007-11-16 23:43 . 2007-11-16 23:43 <DIR> d---s---- C:\Documents and Settings\SaTaXOwner\UserData
2007-11-15 17:48 . 2007-11-20 15:46 <DIR> d-------- C:\Program Files\MessengerDiscovery
2007-11-11 21:12 . 2007-11-13 20:06 <DIR> d-------- C:\Program Files\decomp
2007-11-11 21:12 . 2007-11-11 21:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Protexis
2007-11-11 21:12 . 2007-11-11 21:12 80 -r-hs---- C:\WINDOWS\system32\ED8F25F19F.dll
2007-11-10 19:06 . 2007-12-02 15:41 218 --a------ C:\WINDOWS\zmacrosettings.ini

.
((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-04 18:33 --------- d-----w C:\Program Files\MSN Messenger
2007-12-04 17:23 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-12-04 17:23 --------- d-----w C:\Documents and Settings\SaTaXOwner\Application Data\uTorrent
2007-12-04 17:10 --------- d-----w C:\Program Files\Common Files\CodeGear Shared
2007-12-03 20:00 386,516 ------w C:\WINDOWS\system32\nvuide.exe
2007-12-03 20:00 239,576 ------w C:\WINDOWS\system32\HdAShCut.exe
2007-12-03 20:00 226,776 ------w C:\WINDOWS\system32\DSndUp.exe
2007-12-03 19:59 222,676 ------w C:\WINDOWS\system32\CleanUp.exe
2007-12-03 18:49 984,536 ----a-w C:\WINDOWS\system32\nvcplui.exe
2007-12-03 18:49 69,632 ----a-w C:\WINDOWS\system32\PnkBstrA.exe
2007-12-03 18:49 664,026 ----a-r C:\WINDOWS\system32\AsusSetup.exe
2007-12-03 18:49 629,718 ----a-w C:\WINDOWS\system32\nmap.exe
2007-12-03 18:49 619,998 ----a-w C:\WINDOWS\system32\CapabilityTable.exe
2007-12-03 18:49 619,994 ----a-w C:\WINDOWS\system32\nvappbar.exe
2007-12-03 18:49 603,616 ----a-w C:\WINDOWS\system32\keystone.exe
2007-12-03 18:49 533,980 ----a-w C:\WINDOWS\system32\nvudisp.exe
2007-12-03 18:49 471,006 ----a-w C:\WINDOWS\system32\WISPTIS.EXE
2007-12-03 18:49 468,442 ----a-w C:\WINDOWS\system32\nmapserv.exe
2007-12-03 18:49 386,524 ----a-w C:\WINDOWS\system32\NVUNINST.EXE
2007-12-03 18:49 386,522 ----a-w C:\WINDOWS\system32\nvunrm.exe
2007-12-03 18:49 386,520 ----a-r C:\WINDOWS\system32\nvusmb.exe
2007-12-03 18:49 331,746 ----a-w C:\WINDOWS\system32\vsjitdebugger.exe
2007-12-03 18:49 325,074 ----a-w C:\WINDOWS\system32\nvcolor.exe
2007-12-03 18:49 284,116 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2007-12-03 18:49 255,452 ----a-w C:\WINDOWS\system32\nmapwin.exe
2007-12-03 18:49 239,058 ----a-w C:\WINDOWS\system32\dns-sd.exe
2007-12-03 18:49 234,966 ----a-w C:\WINDOWS\KHALMNPR.Exe
2007-12-03 18:49 230,366 ----a-w C:\WINDOWS\system32\migpwd.exe
2007-12-03 18:49 224,734 ----a-w C:\WINDOWS\system32\uwdf.exe
2007-12-03 18:49 201,690 ----a-w C:\WINDOWS\system32\spupdsvc.exe
2007-12-03 18:49 198,110 ----a-w C:\WINDOWS\system32\cliconfg.exe
2007-12-03 18:49 1,799,638 ----a-w C:\WINDOWS\system32\nwiz.exe
2007-12-03 18:49 1,517,012 ----a-w C:\WINDOWS\system32\nvdspsch.exe
2007-12-03 18:49 1,454,550 ----a-w C:\WINDOWS\system32\udate32.exe
2007-12-02 19:58 --------- d-----w C:\Documents and Settings\SaTaXOwner\Application Data\Xfire
2007-12-02 16:49 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-12-01 12:48 --------- d-----w C:\Program Files\Xfire
2007-11-26 19:16 --------- d-----w C:\Program Files\Net Tools
2007-11-25 10:56 --------- d-----w C:\Program Files\WarRock
2007-11-19 18:14 --------- d-----w C:\Documents and Settings\SaTaXOwner\Application Data\teamspeak2
2007-11-01 21:05 --------- d-----w C:\Program Files\Gizmo Project
2007-10-30 19:54 --------- d-----w C:\Program Files\WinPcap
2007-10-24 12:20 --------- d-----w C:\Program Files\GFI
2007-10-21 17:02 --------- d-----w C:\Documents and Settings\SaTaXOwner\Application Data\AdobeUM
2007-10-16 18:40 --------- d-----w C:\Program Files\VirtualDJ
2007-10-16 16:31 --------- d-----w C:\Program Files\EtherDetect
2007-10-16 16:30 --------- d-----w C:\Documents and Settings\SaTaXOwner\Application Data\Wireshark
2007-10-16 16:29 --------- d-----w C:\Program Files\Wireshark
2007-10-16 15:51 --------- d-----w C:\Program Files\Sygate
2007-10-16 15:50 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-10-15 18:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-10-13 10:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2007-10-13 10:12 --------- d-----w C:\Program Files\Common Files\Adobe
2007-10-13 10:12 --------- d-----w C:\Program Files\Bonjour
2007-10-13 10:07 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2007-10-13 10:04 6,017 ----a-w C:\WINDOWS\assys.dll
2007-10-13 10:04 40,177 ----a-w C:\WINDOWS\ffnsys.dll
2007-10-13 10:04 38,982 ----a-w C:\WINDOWS\rsczsys.dll
2007-10-13 10:04 30,559 ----a-w C:\WINDOWS\mfnsys.dll
2007-10-13 10:04 227,851 ----a-w C:\WINDOWS\uawin.dll
2007-10-13 10:04 13,277 ----a-w C:\WINDOWS\snsys.dll
2007-10-13 10:04 12,558 ----a-w C:\WINDOWS\gstcore.dll
2007-10-13 10:04 --------- d-----w C:\Program Files\MagicISO
2007-10-12 22:29 --------- d-----w C:\Program Files\TechSmith
2007-10-12 20:30 --------- d-----w C:\Documents and Settings\SaTaXOwner\Application Data\Ahead
2007-10-12 17:29 --------- d-----w C:\Program Files\Java
2007-10-12 17:28 --------- d-----w C:\Program Files\Common Files\Java
2007-10-11 19:11 --------- d-----w C:\Program Files\Teamspeak2_RC2
2007-10-11 16:48 --------- d-----w C:\Program Files\Nero
2007-10-10 15:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\CodeGear
2007-10-10 14:45 --------- d-----w C:\Program Files\Free Easy Burner
2007-10-10 14:39 --------- d-----w C:\Program Files\Softnyx
2007-10-10 11:56 --------- d-----w C:\Documents and Settings\LocalService\Application Data\Xfire
2007-10-10 11:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\LogiShrd
2007-10-10 11:50 0 ---ha-w C:\WINDOWS\system32\drivers\Msft_Kernel_LUsbFilt_01005.Wdf
2007-10-10 11:50 0 ---ha-w C:\WINDOWS\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
2007-10-10 11:50 --------- d-----w C:\Documents and Settings\SaTaXOwner\Application Data\Logitech
2007-10-10 11:49 0 ---ha-w C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2007-10-10 11:49 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-10 11:49 --------- d-----w C:\Program Files\Logitech
2007-10-10 11:49 --------- d-----w C:\Program Files\Common Files\Logitech
2007-10-10 11:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Logitech
2007-10-10 11:46 --------- d-----w C:\Program Files\MSBuild
2007-10-10 11:46 --------- d-----w C:\Program Files\Microsoft Works
2007-10-10 11:44 --------- d-----w C:\Program Files\Microsoft Visual Studio 8
2007-10-09 21:54 --------- d-----w C:\Documents and Settings\SaTaXOwner\Application Data\Borland
2007-10-09 21:51 --------- d-----w C:\Program Files\Common Files\Borland Shared
2007-10-09 21:51 --------- d-----w C:\Program Files\CodeGear
2007-10-09 21:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\{AB3EC276-D261-4943-A921-1CC1C6799AED}
2007-10-09 21:45 --------- d-----w C:\Program Files\Microsoft.NET
2007-10-09 20:38 --------- d-----w C:\Documents and Settings\SaTaXOwner\Application Data\InstallShield
2007-10-09 20:21 --------- d-----w C:\Documents and Settings\NetworkService\Application Data\Xfire
2007-10-09 20:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2007-10-09 20:13 --------- d-----w C:\Program Files\Lavalys
2007-10-09 20:13 --------- d-----w C:\Program Files\Delphi7SE
2007-10-09 20:00 --------- d-----w C:\Program Files\NVIDIA Corporation
2007-10-09 20:00 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-10-09 20:00 --------- d-----w C:\Program Files\Asus
2007-10-09 19:58 --------- d-----w C:\Program Files\Analog Devices
2007-10-09 19:54 21,035 ----a-w C:\WINDOWS\system32\drivers\AegisP.sys
.

((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2cbd2456-12b3-4388-ba7d-418b4e48541c}]
2007-12-03 18:03 73280 --a------ C:\WINDOWS\system32\htqwvgvt.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{570640E3-5309-4778-03A0-4EC2C3E55512}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7F34449C-FE8E-47A1-B5B4-7EDE81BD0031}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{94AF8B43-3584-4E57-DA5C-3DE674800EC5}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9DEC58B4-D8EE-4120-9CC8-9B54C2835373}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 13:00 C:\WINDOWS\system32\rundll32.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khfcabc]
khfcabc.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^ASUS WiFi-AP Solo.lnk]
path=C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\ASUS WiFi-AP Solo.lnk
backup=C:\WINDOWS\pss\ASUS WiFi-AP Solo.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^LNSS Status Monitor.lnk]
path=C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\LNSS Status Monitor.lnk
backup=C:\WINDOWS\pss\LNSS Status Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^Logitech SetPoint.lnk]
path=C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\Logitech SetPoint.lnk
backup=C:\WINDOWS\pss\Logitech SetPoint.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^SnagIt 8.lnk]
path=C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\SnagIt 8.lnk
backup=C:\WINDOWS\pss\SnagIt 8.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^SaTaXOwner^Menu Start^Programma's^Opstarten^OneNote 2007 Screen Clipper and Launcher.lnk]
path=C:\Documents and Settings\SaTaXOwner\Menu Start\Programma's\Opstarten\OneNote 2007 Screen Clipper and Launcher.lnk
backup=C:\WINDOWS\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\5c2af133]
rundll32.exe C:\WINDOWS\system32\lqkfjxdc.dll,b

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-Watch]
2007-11-07 15:49 4756952 --a------ C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
2004-08-04 13:00 15360 --a------ C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DSS]
C:\WINDOWS\SvrLinTCP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\egui]
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe /hide /waitservice

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gizmo Project]
2007-12-03 19:48 4027864 --a------ C:\Program Files\Gizmo Project\Gizmo.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2007-12-03 19:48 208850 --a------ C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kernel and Hardware Abstraction Layer]
KHALMNPR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Launch LCDMon]
2007-12-03 19:47 727000 --a------ C:\Program Files\Common Files\Logitech\LCD Manager\lcdmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Launch LGDCore]
C:\Program Files\Common Files\Logitech\G-series Software\LGDCore.exe /SHOWHIDE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
C:\Program Files\MSN Messenger\MsnMsgr.Exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmcService]
C:\PROGRA~1\Sygate\SPF\smc.exe -startgui

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2007-12-03 19:47 1021400 -ra------ C:\Program Files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-12-03 19:48 312794 --a------ C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Firewall]
C:\WINDOWS\System32\drivers\svchost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WInUpdate16]
2007-12-03 19:49 1454550 --a------ C:\WINDOWS\system32\udate32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"rpcapd"=3 (0x3)
"gfi_lnss8_attservice"=2 (0x2)
"cmdService"=2 (0x2)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"Microsoft Office Groove Audit Service"=3 (0x3)
"ekrn"=2 (0x2)
"EhttpSrv"=3 (0x3)

R1 oreans32;oreans32;\??\C:\WINDOWS\system32\drivers\oreans32.sys
R3 LUsbFilt;Logitech SetPoint KMDF USB Filter;C:\WINDOWS\system32\Drivers\LUsbFilt.Sys
R3 RTLWUSB;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;C:\WINDOWS\system32\DRIVERS\RTL8187.sys
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys
S4 gfi_lnss8_attservice;GFI LANguard N.S.S. 8.0 Attendant Service;"C:\Program Files\GFI\LANguard Network Security Scanner 8.0\lnssatt.exe" -service

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1e72d741-8d25-11da-85a9-806d6172696f}]
\Shell\AutoRun\command - D:\monsetup.exe

.
**************************************************************************

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-05 13:24:56
Windows 5.1.2600 Service Pack 2 NTFS

scannen van verborgen processen ...

scannen van verborgen autostart items ...

scannen van verborgen bestanden ...

Scan succesvol afgerond
verborgen bestanden: 0

**************************************************************************
.
Voltooingstijd: 2007-12-05 13:25:16 - machine was rebooted
.
--- E O F ---


HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:31:28, on 5/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: {c14584e4-b814-d7ab-8834-3b216542dbc2} - {2cbd2456-12b3-4388-ba7d-418b4e48541c} - C:\WINDOWS\system32\htqwvgvt.dll
O2 - BHO: 0 - {570640E3-5309-4778-03A0-4EC2C3E55512} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {7F34449C-FE8E-47A1-B5B4-7EDE81BD0031} - (no file)
O2 - BHO: (no name) - {94AF8B43-3584-4E57-DA5C-3DE674800EC5} - (no file)
O2 - BHO: (no name) - {9DEC58B4-D8EE-4120-9CC8-9B54C2835373} - (no file)
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: khfcabc - khfcabc.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

--
End of file - 4768 bytes

#5 lusitano

lusitano

    Portuguese Malware Fighter


  • Members
  • 1,443 posts
  • Gender:Male
  • Location:Portugal

Posted 05 December 2007 - 08:11 PM

Hi, thanks for your patience.

Your log shows some very bad trojans on your computer: HKTL_BRUTFORCE.A


Important Note: Backdoor/IRCBot Trojans are very dangerous because they provide a means of accessing a computer system that bypasses security mechanisms. Remote attackers use backdoor Trojans as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge. When infected by one of them you should disconnect the computer from the Internet until your system is cleaned. If your computer was used for online banking or has credit card information on it, all passwords should be changed immediately to include those used for email, eBay and forums. You should consider them to be compromised. They should be changed by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach.

More info can be found here:

How to report ID theft, fraud, drive-by installs, hijacking and malware?
http://www.dslreports.com/faq/10451

Some further reading:

Security Management - May 2004
Help: I Got Hacked. Now What Do I Do?
http://www.microsoft.com/technet/community...gmt/sm0504.mspx

Security Management - July 2004
Help: I Got Hacked. Now What Do I Do? Part II
http://www.microsoft.com/technet/community...gmt/sm0704.mspx

Though the Trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS.

When should I re-format? How should I reinstall?
http://www.dslreports.com/faq/10063

If you choose to format and reinstall see this link for instructions:
http://www.cyberwalker.net/faqs/how-tos/reinstall-faq.html

We can attempt to clean this machine, but I can't guarantee that it will be 100% secure afterwards.

If you want to try to clean your PC, please follow the instructions below.
If you decide to reformat your PC, please let me know in your next reply.

*****************

REMOVAL INSTRUCTIONS

Now copy/paste the entire content of the codebox below into the Notepad window:

Collect::
C:\WINDOWS\system32\cdxjfkql.ini
C:\WINDOWS\system32\dnupdosn.ini
C:\WINDOWS\system32\wxpfuhhv.exe
C:\WINDOWS\system32\odtxxdlm.ini
C:\WINDOWS\system32\rfggrtig.exe
C:\WINDOWS\system32\mkttoyvr.ini
C:\WINDOWS\system32\kpbmotfa.exe
C:\WINDOWS\system32\lqkfjxdc.dll

Suspect::
C:\WINDOWS\system32\ED8F25F19F.dll
C:\WINDOWS\zmacrosettings.ini

File::
C:\WINDOWS\system32\htqwvgvt.dll
C:\WINDOWS\system32\udate32.exe
C:\WINDOWS\assys.dll
C:\WINDOWS\ffnsys.dll
C:\WINDOWS\rsczsys.dll
C:\WINDOWS\mfnsys.dll
C:\WINDOWS\uawin.dll
C:\WINDOWS\snsys.dll
C:\WINDOWS\gstcore.dll
C:\WINDOWS\system32\khfcabc.dll
C:\WINDOWS\System32\drivers\svchost.exe
C:\WINDOWS\SvrLinTCP.exe

Folder::
C:\WINDOWS\system32\daSgo01

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2cbd2456-12b3-4388-ba7d-418b4e48541c}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{570640E3-5309-4778-03A0-4EC2C3E55512}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7F34449C-FE8E-47A1-B5B4-7EDE81BD0031}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{94AF8B43-3584-4E57-DA5C-3DE674800EC5}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9DEC58B4-D8EE-4120-9CC8-9B54C2835373}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khfcabc]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\5c2af133]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Firewall]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WInUpdate16]

IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!
  • Save the above as CFScript.txt
  • Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.
  • Posted Image
  • Upon reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.
  • When ComboFix finishes running, the ComboFix log will open along with a message box--do not be alarmed, and read it carefully.
  • With the above script, ComboFix will capture a file to submit for analysis.
  • Ensure you are connected to the internet and click OK.
  • A browser will open. Simply follow the instructions to copy/paste/send the requested file.

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows


Please click this link-->Jotti
  • When the Jotti page has finished loading, click the Browse button and navigate to the following file and click Submit.
  • C:\WINDOWS\system32\ED8F25F19F.dll
  • Do the same for this file:
    C:\WINDOWS\zmacrosettings.ini
  • Please post back the results of the scan in your next post.
  • If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/
In your next reply, please post:
  • A new HijackThis log.
  • The results from ComboFix.
  • The results from Jotti.
Thanks
Please do not PM me asking for support.
Please be courteous, polite, and say thank you.
Please post the final results, good or bad. We like to know!
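As an added example (not part of lusitano's post, HijackThis or ComboFix), the script below parses the O2, O20 and O23 lines of a HijackThis log and flags the kinds of entries the removal script above targets: BHOs whose DLL is reported as (no file), a BHO whose display name is itself a CLSID, DLLs with random-looking eight-letter names in system32, and a Winlogon Notify entry whose DLL is missing. The sample lines are copied from the log posted earlier in this thread; the regular expressions and the eight-letter-name rule are my own triage heuristics, so a hit means "look at this first", not "malicious".

```python
"""Triage helper for HijackThis logs (added example; not from the thread or from HijackThis)."""
import re
from dataclasses import dataclass

# Sample input: lines copied from the HijackThis log posted earlier in this thread.
SAMPLE_LOG = [
    r"O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll",
    r"O2 - BHO: {c14584e4-b814-d7ab-8834-3b216542dbc2} - {2cbd2456-12b3-4388-ba7d-418b4e48541c} - C:\WINDOWS\system32\htqwvgvt.dll",
    r"O2 - BHO: 0 - {570640E3-5309-4778-03A0-4EC2C3E55512} - (no file)",
    r"O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll",
    r"O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)",
    r"O20 - Winlogon Notify: khfcabc - khfcabc.dll (file missing)",
    r"O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe",
    r"O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe",
]

# Line layouts for the three HijackThis sections handled here (my own patterns, derived from the log above).
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")
CLSID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
# Heuristic only: eight lowercase letters plus .dll/.exe, the shape of htqwvgvt.dll in the log.
# Matched case-sensitively on purpose so mixed-case names such as PnkBstrA.exe are not caught.
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}\.(dll|exe)$")


@dataclass
class Finding:
    line: str
    severity: str   # "high": act on it first; "info": verify by hand
    reasons: list


def _random_name_in_system32(path: str) -> bool:
    """True when the file sits under system32 and its name fits the random-letter heuristic."""
    if "\\system32\\" not in path.lower():
        return False
    base = path.rsplit("\\", 1)[-1]
    return bool(RANDOM_NAME_RE.match(base))


def triage(lines):
    """Return one Finding per suspicious O2/O20/O23 line, in log order; clean lines yield nothing."""
    findings = []
    for raw in lines:
        line = raw.rstrip()
        high, info = [], []
        if (m := O2_RE.match(line)):
            if m["path"] == "(no file)":
                high.append("BHO CLSID is registered but its DLL is gone (orphaned entry)")
            if CLSID_RE.match(m["name"]):
                high.append("BHO display name is itself a CLSID rather than a product name")
            if _random_name_in_system32(m["path"]):
                high.append("BHO DLL has a random-looking eight-letter name in system32")
        elif (m := O20_RE.match(line)):
            if "(file missing)" in m["path"]:
                high.append("Winlogon Notify DLL is missing but the key still tries to load it at logon")
        elif (m := O23_RE.match(line)):
            if m["owner"] == "Unknown owner":
                info.append("service binary carries no publisher name; verify it by hand")
            if _random_name_in_system32(m["path"]):
                high.append("service binary has a random-looking eight-letter name in system32")
        if high:
            findings.append(Finding(line, "high", high))
        elif info:
            findings.append(Finding(line, "info", info))
    return findings


def report(findings) -> str:
    """Render findings as plain text, highest severity first."""
    order = {"high": 0, "info": 1}
    out = []
    for f in sorted(findings, key=lambda f: order[f.severity]):
        out.append(f"[{f.severity.upper()}] {f.line}")
        out.extend(f"    - {r}" for r in f.reasons)
    return "\n".join(out)


if __name__ == "__main__":
    print(report(triage(SAMPLE_LOG)))
```

Feed `triage()` the lines of any HijackThis log to get the same report. Anything it flags still needs a second source (the Jotti or VirusTotal check requested above, or publisher information on the binary) before it is deleted, which is exactly why the script above collects the files for analysis first.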

#6 satax

satax
  • Topic Starter

  • Members
  • 7 posts

Posted 06 December 2007 - 07:52 AM

Thank you for helping me.
Here are the results:

C:\WINDOWS\zmacrosettings.ini --> I'm a programmer, and this is from my own program. It's just a reminder.
So it's clean. No scan needed :thumbsup:.

C:\WINDOWS\system32\ED8F25F19F.dll --> Was deleted by ComboFix.



Combofix log:
ComboFix 07-12-02.7 - SaTaXOwner 2007-12-06 13:39:26.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1043.18.1583 [GMT 1:00]
Gestart vanuit: C:\Documents and Settings\SaTaXOwner\Bureaublad\ComboFix.exe
Command switches used :: C:\Documents and Settings\SaTaXOwner\Bureaublad\CFScript.txt
* Nieuw herstelpunt werd aangemaakt

FILE
C:\WINDOWS\assys.dll
C:\WINDOWS\ffnsys.dll
C:\WINDOWS\gstcore.dll
C:\WINDOWS\mfnsys.dll
C:\WINDOWS\rsczsys.dll
C:\WINDOWS\snsys.dll
C:\WINDOWS\SvrLinTCP.exe
C:\WINDOWS\System32\drivers\svchost.exe
C:\WINDOWS\system32\htqwvgvt.dll
C:\WINDOWS\system32\khfcabc.dll
C:\WINDOWS\system32\udate32.exe
C:\WINDOWS\uawin.dll
.

(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\assys.dll
C:\WINDOWS\ffnsys.dll
C:\WINDOWS\gstcore.dll
C:\WINDOWS\mfnsys.dll
C:\WINDOWS\rsczsys.dll
C:\WINDOWS\snsys.dll
C:\WINDOWS\system32\cdxjfkql.ini
C:\WINDOWS\system32\daSgo01
C:\WINDOWS\system32\daSgo01\daSgo011065.exe
C:\WINDOWS\system32\dnupdosn.ini
C:\WINDOWS\system32\htqwvgvt.dll
C:\WINDOWS\system32\kpbmotfa.exe
C:\WINDOWS\system32\mkttoyvr.ini
C:\WINDOWS\system32\odtxxdlm.ini
C:\WINDOWS\system32\rfggrtig.exe
C:\WINDOWS\system32\udate32.exe
C:\WINDOWS\system32\wxpfuhhv.exe
C:\WINDOWS\uawin.dll

.
(((((((((((((((((((( Bestanden Gemaakt van 2007-11-06 to 2007-12-06 ))))))))))))))))))))))))))))))
.

2007-12-05 16:16 . 2007-12-05 17:01 <DIR> d-------- C:\Program Files\Cain
2007-12-04 18:31 . 2007-12-04 18:36 <DIR> d-------- C:\WINDOWS\.jagex_cache_32
2007-12-04 18:23 . 2007-12-04 18:23 <DIR> d-------- C:\Program Files\Lavasoft
2007-12-04 18:23 . 2007-12-04 18:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-04 18:20 . 2007-12-04 18:20 <DIR> d-------- C:\Program Files\CCleaner
2007-12-04 18:20 . 2007-12-06 13:36 <DIR> dr-h----- C:\Documents and Settings\SaTaXOwner\Onlangs geopend
2007-12-03 21:31 . 2005-02-16 11:06 395,742 --a------ C:\HijackThis.exe
2007-12-03 21:02 . 2007-12-03 21:02 <DIR> d-------- C:\Documents and Settings\SaTaXOwner\Application Data\Grisoft
2007-12-03 20:37 . 2007-12-03 20:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-03 20:37 . 2007-05-30 13:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-12-03 20:27 . 2007-12-03 21:02 <DIR> d-------- C:\sysclean
2007-12-03 19:15 . 2007-12-03 19:52 <DIR> d-------- C:\Documents and Settings\SaTaXOwner\.housecall6.6
2007-12-03 18:49 . 2007-12-03 18:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET
2007-12-02 01:03 . 2007-12-02 01:03 <DIR> d-------- C:\Program Files\ImTOO
2007-11-30 23:41 . 2007-11-30 23:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TechSmith
2007-11-29 18:19 . 2007-11-29 19:04 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2007-11-29 18:19 . 2007-11-29 18:19 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2007-11-27 18:12 . 2007-12-04 18:05 <DIR> d-------- C:\Temp
2007-11-27 18:12 . 2007-11-27 18:12 81,975 --a------ C:\WINDOWS\system32\instdump.dmp
2007-11-27 18:12 . 2007-11-27 18:12 15,402 --a------ C:\WINDOWS\system32\instdump.zip
2007-11-27 18:11 . 2007-11-27 18:13 <DIR> d-------- C:\Documents and Settings\Administrator\Contacts
2007-11-27 18:03 . 2007-11-27 18:03 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-27 06:29 . 2007-10-09 20:41 <DIR> d--h----- C:\Documents and Settings\Administrator\Sjablonen
2007-11-27 06:29 . 2007-11-27 18:26 <DIR> d--h----- C:\Documents and Settings\Administrator\Onlangs geopend
2007-11-27 06:29 . 2006-01-24 23:05 <DIR> d--h----- C:\Documents and Settings\Administrator\Netwerkprinteromgeving
2007-11-27 06:29 . 2007-11-27 18:11 <DIR> d-------- C:\Documents and Settings\Administrator\Mijn documenten
2007-11-27 06:29 . 2006-01-24 23:05 <DIR> dr------- C:\Documents and Settings\Administrator\Menu Start
2007-11-27 06:29 . 2007-11-27 18:11 <DIR> d-------- C:\Documents and Settings\Administrator\Favorieten
2007-11-27 06:29 . 2007-11-27 18:30 <DIR> d-------- C:\Documents and Settings\Administrator\Bureaublad
2007-11-24 15:30 . 2007-11-24 15:30 <DIR> d-------- C:\Program Files\TI Education
2007-11-24 15:30 . 2007-11-24 15:31 <DIR> d-------- C:\Program Files\Common Files\TI Shared
2007-11-24 14:39 . 2007-11-24 14:39 33,824 --a------ C:\WINDOWS\system32\drivers\oreans32.sys
2007-11-21 14:42 . 2007-11-21 14:42 <DIR> d-------- C:\Program Files\Google
2007-11-18 18:59 . 2007-11-18 19:14 <DIR> d-------- C:\Program Files\Cheat Engine
2007-11-18 18:59 . 2006-09-04 19:16 1,970,176 --a------ C:\WINDOWS\system32\d3dx9.dll
2007-11-18 18:59 . 2006-09-04 19:16 679,936 --a------ C:\WINDOWS\system32\D3DX81ab.dll
2007-11-18 17:48 . 2007-11-18 17:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Messenger Plus!
2007-11-18 17:24 . 2007-11-18 17:28 <DIR> d-------- C:\Program Files\Messenger Plus! Live
2007-11-17 18:33 . 2007-11-17 18:33 <DIR> d-------- C:\Program Files\Windows Live
2007-11-16 23:43 . 2007-11-16 23:43 <DIR> d---s---- C:\Documents and Settings\SaTaXOwner\UserData
2007-11-15 17:48 . 2007-11-20 15:46 <DIR> d-------- C:\Program Files\MessengerDiscovery
2007-11-11 21:12 . 2007-11-13 20:06 <DIR> d-------- C:\Program Files\decomp
2007-11-11 21:12 . 2007-11-11 21:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Protexis
2007-11-11 21:12 . 2007-11-11 21:12 80 -r-hs---- C:\WINDOWS\system32\ED8F25F19F.dll
2007-11-10 19:06 . 2007-12-02 15:41 218 --a------ C:\WINDOWS\zmacrosettings.ini

.
((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-05 20:14 --------- d-----w C:\Documents and Settings\SaTaXOwner\Application Data\AdobeUM
2007-12-05 17:43 --------- d-----w C:\Documents and Settings\SaTaXOwner\Application Data\Xfire
2007-12-04 18:33 --------- d-----w C:\Program Files\MSN Messenger
2007-12-04 17:23 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-12-04 17:23 --------- d-----w C:\Documents and Settings\SaTaXOwner\Application Data\uTorrent
2007-12-04 17:10 --------- d-----w C:\Program Files\Common Files\CodeGear Shared
2007-12-03 18:49 234,966 ----a-w C:\WINDOWS\KHALMNPR.Exe
2007-12-02 16:49 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-12-01 12:48 --------- d-----w C:\Program Files\Xfire
2007-11-26 19:16 --------- d-----w C:\Program Files\Net Tools
2007-11-25 10:56 --------- d-----w C:\Program Files\WarRock
2007-11-19 18:14 --------- d-----w C:\Documents and Settings\SaTaXOwner\Application Data\teamspeak2
2007-11-01 21:05 --------- d-----w C:\Program Files\Gizmo Project
2007-10-30 19:54 --------- d-----w C:\Program Files\WinPcap
2007-10-24 12:20 --------- d-----w C:\Program Files\GFI
2007-10-16 18:40 --------- d-----w C:\Program Files\VirtualDJ
2007-10-16 16:31 --------- d-----w C:\Program Files\EtherDetect
2007-10-16 16:30 --------- d-----w C:\Documents and Settings\SaTaXOwner\Application Data\Wireshark
2007-10-16 16:29 --------- d-----w C:\Program Files\Wireshark
2007-10-16 15:51 --------- d-----w C:\Program Files\Sygate
2007-10-16 15:50 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-10-15 18:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-10-13 10:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2007-10-13 10:12 --------- d-----w C:\Program Files\Common Files\Adobe
2007-10-13 10:12 --------- d-----w C:\Program Files\Bonjour
2007-10-13 10:07 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2007-10-13 10:04 --------- d-----w C:\Program Files\MagicISO
2007-10-12 22:29 --------- d-----w C:\Program Files\TechSmith
2007-10-12 20:30 --------- d-----w C:\Documents and Settings\SaTaXOwner\Application Data\Ahead
2007-10-12 17:29 --------- d-----w C:\Program Files\Java
2007-10-12 17:28 --------- d-----w C:\Program Files\Common Files\Java
2007-10-11 19:11 --------- d-----w C:\Program Files\Teamspeak2_RC2
2007-10-11 16:48 --------- d-----w C:\Program Files\Nero
2007-10-10 15:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\CodeGear
2007-10-10 14:45 --------- d-----w C:\Program Files\Free Easy Burner
2007-10-10 14:39 --------- d-----w C:\Program Files\Softnyx
2007-10-10 11:56 --------- d-----w C:\Documents and Settings\LocalService\Application Data\Xfire
2007-10-10 11:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\LogiShrd
2007-10-10 11:50 0 ---ha-w C:\WINDOWS\system32\drivers\Msft_Kernel_LUsbFilt_01005.Wdf
2007-10-10 11:50 0 ---ha-w C:\WINDOWS\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
2007-10-10 11:50 --------- d-----w C:\Documents and Settings\SaTaXOwner\Application Data\Logitech
2007-10-10 11:49 0 ---ha-w C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2007-10-10 11:49 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-10 11:49 --------- d-----w C:\Program Files\Logitech
2007-10-10 11:49 --------- d-----w C:\Program Files\Common Files\Logitech
2007-10-10 11:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Logitech
2007-10-10 11:46 --------- d-----w C:\Program Files\MSBuild
2007-10-10 11:46 --------- d-----w C:\Program Files\Microsoft Works
2007-10-10 11:44 --------- d-----w C:\Program Files\Microsoft Visual Studio 8
2007-10-09 21:54 --------- d-----w C:\Documents and Settings\SaTaXOwner\Application Data\Borland
2007-10-09 21:51 --------- d-----w C:\Program Files\Common Files\Borland Shared
2007-10-09 21:51 --------- d-----w C:\Program Files\CodeGear
2007-10-09 21:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\{AB3EC276-D261-4943-A921-1CC1C6799AED}
2007-10-09 21:45 --------- d-----w C:\Program Files\Microsoft.NET
2007-10-09 20:38 --------- d-----w C:\Documents and Settings\SaTaXOwner\Application Data\InstallShield
2007-10-09 20:21 --------- d-----w C:\Documents and Settings\NetworkService\Application Data\Xfire
2007-10-09 20:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2007-10-09 20:13 --------- d-----w C:\Program Files\Lavalys
2007-10-09 20:13 --------- d-----w C:\Program Files\Delphi7SE
2007-10-09 20:00 --------- d-----w C:\Program Files\NVIDIA Corporation
2007-10-09 20:00 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-10-09 20:00 --------- d-----w C:\Program Files\Asus
2007-10-09 19:58 --------- d-----w C:\Program Files\Analog Devices
2007-10-09 19:54 21,035 ----a-w C:\WINDOWS\system32\drivers\AegisP.sys
2007-10-09 19:54 --------- d-----w C:\Program Files\ASUS WiFi-AP Solo
2007-10-09 19:43 --------- d-----w C:\Program Files\microsoft frontpage
.

((((((((((((((((((((((((((((( snapshot@2007-12-05_13.25.06.21 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-03-13 09:57:10 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
+ 2007-03-13 09:57:10 340,950 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
- 2006-12-01 04:20:32 212,480 ----a-w C:\WINDOWS\system32\swxcacls.exe
+ 2006-12-01 04:20:32 390,102 ----a-w C:\WINDOWS\system32\swxcacls.exe
- 2006-11-27 01:34:46 49,152 ----a-w C:\WINDOWS\system32\VFind.exe
+ 2006-11-27 01:34:46 226,776 ----a-w C:\WINDOWS\system32\VFind.exe
.
((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 13:00 C:\WINDOWS\system32\rundll32.exe]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^ASUS WiFi-AP Solo.lnk]
path=C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\ASUS WiFi-AP Solo.lnk
backup=C:\WINDOWS\pss\ASUS WiFi-AP Solo.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^LNSS Status Monitor.lnk]
path=C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\LNSS Status Monitor.lnk
backup=C:\WINDOWS\pss\LNSS Status Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^Logitech SetPoint.lnk]
path=C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\Logitech SetPoint.lnk
backup=C:\WINDOWS\pss\Logitech SetPoint.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^SnagIt 8.lnk]
path=C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\SnagIt 8.lnk
backup=C:\WINDOWS\pss\SnagIt 8.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^SaTaXOwner^Menu Start^Programma's^Opstarten^OneNote 2007 Screen Clipper and Launcher.lnk]
path=C:\Documents and Settings\SaTaXOwner\Menu Start\Programma's\Opstarten\OneNote 2007 Screen Clipper and Launcher.lnk
backup=C:\WINDOWS\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-Watch]
2007-11-07 15:49 4756952 --a------ C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
2004-08-04 13:00 15360 --a------ C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DSS]
C:\WINDOWS\SvrLinTCP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\egui]
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe /hide /waitservice

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gizmo Project]
2007-12-03 19:48 4027864 --a------ C:\Program Files\Gizmo Project\Gizmo.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2007-12-03 19:48 208850 --a------ C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kernel and Hardware Abstraction Layer]
KHALMNPR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Launch LCDMon]
2007-12-03 19:47 727000 --a------ C:\Program Files\Common Files\Logitech\LCD Manager\lcdmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Launch LGDCore]
C:\Program Files\Common Files\Logitech\G-series Software\LGDCore.exe /SHOWHIDE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
C:\Program Files\MSN Messenger\MsnMsgr.Exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmcService]
C:\PROGRA~1\Sygate\SPF\smc.exe -startgui

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2007-12-03 19:47 1021400 -ra------ C:\Program Files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-12-03 19:48 312794 --a------ C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"rpcapd"=3 (0x3)
"gfi_lnss8_attservice"=2 (0x2)
"cmdService"=2 (0x2)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"Microsoft Office Groove Audit Service"=3 (0x3)
"ekrn"=2 (0x2)
"EhttpSrv"=3 (0x3)

R1 oreans32;oreans32;\??\C:\WINDOWS\system32\drivers\oreans32.sys
R3 LUsbFilt;Logitech SetPoint KMDF USB Filter;C:\WINDOWS\system32\Drivers\LUsbFilt.Sys
R3 RTLWUSB;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;C:\WINDOWS\system32\DRIVERS\RTL8187.sys
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys
S4 gfi_lnss8_attservice;GFI LANguard N.S.S. 8.0 Attendant Service;"C:\Program Files\GFI\LANguard Network Security Scanner 8.0\lnssatt.exe" -service

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1e72d741-8d25-11da-85a9-806d6172696f}]
\Shell\AutoRun\command - D:\monsetup.exe

.
**************************************************************************

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-06 13:42:04
Windows 5.1.2600 Service Pack 2 NTFS

scannen van verborgen processen ...

scannen van verborgen autostart items ...

scannen van verborgen bestanden ...

Scan succesvol afgerond
verborgen bestanden: 0

**************************************************************************
.
Voltooingstijd: 2007-12-06 13:42:23 - machine was rebooted
C:\ComboFix2.txt ... 2007-12-05 13:25
.
--- E O F ---


New HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:52:35, on 6/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\WINDOWS\system32\notepad.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

--
End of file - 4442 bytes

#7 lusitano
    Portuguese Malware Fighter

  • Members
  • 1,443 posts
  • Gender:Male
  • Location:Portugal

Posted 07 December 2007 - 04:55 AM

Hi satax,

C:\WINDOWS\zmacrosettings.ini --> I'm a programmer, and this is from my own program. It's just a reminder.
So it's clean. No scan needed.

OK :thumbsup:


I'm sorry, but I have bad news to give you :blink:

Your computer has a Parite infection.

Parite is a memory-resident polymorphic virus that infects executable files with EXE and SCR extensions.

The virus can also infect files on connected network drives.

If the computer is connected to a network, disable network sharing or disconnect from the network, and check all other computers on the network for possible infection before enabling sharing or reconnecting to the network.


Also, with this kind of infection there is a risk that some files will not work properly after the cleaning procedure, and if you have backups of your important data (except any files with EXE and SCR extensions, and likewise EXE and SCR files that are zipped) you could reformat, which in this case might be the best thing to do.

It's possible that reformatting will be the only way to clean your computer, but we can try to clean your PC.

If you want to try to clean your PC, please follow the instructions below.
If you decide to reformat your PC, please let me know in your next reply.

*****************

REMOVAL INSTRUCTIONS

1. Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Doubleclick the drweb-cureit.exe file and Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, in the menu, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
2. Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
If you use the Firefox browser:
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser:
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.


3. Please do an online scan with Kaspersky WebScanner

Click on [image]

You will be prompted to install an ActiveX component from Kaspersky. Click [image]
  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded, click on [image]
  • Now click on [image]
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available, otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click [image]
  • Now under "Select a target to scan", select My Computer
  • The program will start and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, it will display whether your system has been infected.
    • Now click on the Save as Text button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post, along with a new HijackThis log. Also let me know how your computer is running.
4. Click START then RUN
Now type Combofix /u in the run box and click OK
5. Download ComboFix again from Here or Here to your Desktop.
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files, which may cause "unpredictable results".
    Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  • Double-click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Extra-Note: Please, DO NOT use ComboFix on your own. It is a very powerful tool designed to deal with sophisticated infections and if something goes wrong or you use it incorrectly, you could possibly lose the use of your computer. It is ONLY meant to be used under the direct supervision of a malware removal specialist.


6. In your next reply, please post:
  • A new HijackThis log.
  • Dr.Web results. (step nº 1)
  • Kaspersky WebScanner results. (step nº 3)
  • ComboFix results. (step nº 5)
Regards
Please do not PM me asking for support.
Please be courteous, polite, and say thank you.
Please post the final results, good or bad. We like to know!

#8 satax
  • Topic Starter
  • Members
  • 7 posts

Posted 07 December 2007 - 08:32 AM

I know about Parite.B, as I said in my first post.
But I want to share some results:
Dr.Web CureIt: OK
HijackThis: OK
Kaspersky: CANNOT START
ATF Cleaner: OK

And when I start my PC it ownz, it's fast, it doesn't eat my CPU %.

I have an E6600 Core 2 Duo, 2 GB, and when I opened Firefox yesterday
it took 1 minute before it opened :blink: , the CPU was immediately at 100%.
And, as I said, I'm a programmer and all my .exe's were infected, so you will see
many programs in the Dr.Web log!

Also, when I start my computer, I get a message from Sygate;
it asks if I want to accept a connection with a file upload website :s.
I denied it; here is a picture of it:
[image]


The Dr-Web Cure-It log is here:
http://s1.uppit.com/d/19ZZZN


Hijackthislog:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:32, on 2007-12-07
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NET2SOFT\Anti-Hacker Expert\Firewall.exe
C:\WINDOWS\SYSTEM\msmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Anti-Hacker Expert Firewall] C:\Program Files\NET2SOFT\Anti-Hacker Expert\Firewall.exe
O4 - HKLM\..\Run: [MsManager] C:\WINDOWS\SYSTEM\msmgr.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Joyo - {8DE0FCD4-5EB5-11D3-AD25-00002100131B} - C:\PROGRA~1\NET2SOFT\ANTI-H~1\IEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: PowerWord - {C8CE29C5-7589-11D3-B81B-0080C8DC5DC8} - C:\PROGRA~1\NET2SOFT\ANTI-H~1\IEPlugin.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

--
End of file - 4900 bytes

Combofix:
NOTHING =D

ComboFix 07-12-07.3 - SaTaXOwner 2007-12-07 14:14:51.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1043.18.1392 [GMT 1:00]
Gestart vanuit: C:\Documents and Settings\SaTaXOwner\Bureaublad\ComboFix.exe
* Nieuw herstelpunt werd aangemaakt
.

(((((((((((((((((((( Bestanden Gemaakt van 2007-11-07 to 2007-12-07 ))))))))))))))))))))))))))))))
.



Anyway, thank you for all your help.
And I'm 98% sure that msmgr.exe is a keylogger or something with a log
that it will send to a victim :thumbsup:

Edited by satax, 07 December 2007 - 08:35 AM.
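The comparison a helper makes by eye between satax's first and second HijackThis logs, written out as an added example (not code from the thread or from HijackThis itself): it parses the entry lines, reports what appeared between the two scans, and flags new O4 autostart entries that launch from an unusual place. The two excerpts are constructed from the O4/O9 lines of the two posted logs, and the "unusual Windows subfolder" heuristic is this example's own assumption, not a HijackThis feature.

```python
"""Diff two HijackThis logs and flag new autostart entries worth a closer look.

Added example, not code from the thread or from HijackThis. The two excerpts
below are constructed from the O4/O9 lines satax posted on 3 and 7 December;
the "unusual folder" heuristic in flag_o4() is this example's own assumption.
"""
import re

# Every HJT entry line starts with a section code such as R0, O4, O9 or O23.
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")
# O4 body: "<hive>\..\Run: [<value name>] <command line>"
O4_RE = re.compile(r"^(?P<hive>.*?)\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")

# Constructed excerpt of the 3 December log (post #6).
LOG_BEFORE = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
"""

# Constructed excerpt of the 7 December log (post #8).
LOG_AFTER = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Anti-Hacker Expert Firewall] C:\Program Files\NET2SOFT\Anti-Hacker Expert\Firewall.exe
O4 - HKLM\..\Run: [MsManager] C:\WINDOWS\SYSTEM\msmgr.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: Joyo - {8DE0FCD4-5EB5-11D3-AD25-00002100131B} - C:\PROGRA~1\NET2SOFT\ANTI-H~1\IEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: PowerWord - {C8CE29C5-7589-11D3-B81B-0080C8DC5DC8} - C:\PROGRA~1\NET2SOFT\ANTI-H~1\IEPlugin.dll
"""


def parse_hjt(text):
    """Return (section code, body) pairs for every HJT entry line in the log."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def diff_logs(before_text, after_text):
    """Entries present only in the newer log, and entries that disappeared."""
    before = set(parse_hjt(before_text))
    after = set(parse_hjt(after_text))
    return sorted(after - before), sorted(before - after)


def image_path(cmd):
    """Best-effort extraction of the file that really runs from an O4 command."""
    # For RUNDLL32 entries the DLL named before the comma is what executes.
    m = re.match(r"(?i)rundll32(?:\.exe)?\s+(.*?),", cmd)
    if m:
        return m.group(1).strip()
    # Otherwise drop any " /switches" and surrounding quotes.
    return cmd.split(" /")[0].strip().strip('"')


def flag_o4(body):
    """Reasons an O4 autostart entry deserves a second look (heuristic, assumed)."""
    m = O4_RE.match(body)
    if not m:
        return []
    reasons = []
    path = image_path(m.group("cmd")).lower()
    # On XP, legitimate autostarts under C:\WINDOWS normally live in system32;
    # a Run value pointing into another Windows subfolder is unusual.
    if path.startswith("c:\\windows\\") and not path.startswith("c:\\windows\\system32\\"):
        reasons.append("runs from an unusual Windows subfolder (not system32)")
    return reasons


def triage(before_text, after_text):
    """New entries in the second log, each with the heuristic's reasons (if any)."""
    added, _removed = diff_logs(before_text, after_text)
    return [
        {"code": code, "body": body, "reasons": flag_o4(body) if code == "O4" else []}
        for code, body in added
    ]


if __name__ == "__main__":
    for item in triage(LOG_BEFORE, LOG_AFTER):
        mark = " <-- check" if item["reasons"] else ""
        print(f'NEW {item["code"]} - {item["body"]}{mark}')
        for reason in item["reasons"]:
            print(f"    {reason}")
```

On the constructed excerpts the report lists the four new entries and marks only the MsManager line, which is the one satax later identifies as the keylogger.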


#9 satax
  • Topic Starter
  • Members
  • 7 posts

Posted 08 December 2007 - 08:17 AM

Also, in the taskbar, the process SYSTEM takes 40% of my PC, so it's very slow.

#10 lusitano
    Portuguese Malware Fighter

  • Members
  • 1,443 posts
  • Gender:Male
  • Location:Portugal

Posted 08 December 2007 - 12:49 PM

Hello satax,

The tool Dr.Web did a good job for us, but we have much more to do.


1. Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
2. Please go HERE to run Panda's TotalScan (only compatible with Internet Explorer)
  • Select the bubble for Full scan
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • Then the scan will begin
  • When the scan completes, click the Save button on the right of Scan details
  • Save it to a convenient location. Post the contents of the TotalScan report
3. Please download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.
  • Close ALL applications and windows.
  • Double-click on dss.exe to run it, and follow the prompts.
  • When the scan is complete, two text files will open: main.txt (this one will be maximized) and extra.txt (this one will be minimized).
  • Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt to your post.
The logs can be quite lengthy; use two posts if you need to get them all in.


4. In your next reply, please post:
  • SuperAntispyware results. (step n.º 1)
  • Online scan results. (step n.º 2)
  • Deckard's results. (step n.º 3)
  • A new HijackThis log.


#11 satax
  • Topic Starter
  • Members
  • 7 posts

Posted 11 December 2007 - 12:34 PM

Hi, sorry for the late answer.
But Msmgr.exe is a keylogger; I just deleted the .exe and now it doesn't keylog, LOL.
Also, I deleted it after the TotalScan!

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/09/2007 at 11:36 AM

Application Version : 3.9.1008

Core Rules Database Version : 3358
Trace Rules Database Version: 1357

Scan type : Complete Scan
Total Scan Time : 00:06:07

Memory items scanned : 396
Memory threats detected : 0
Registry items scanned : 5846
Registry threats detected : 27
File items scanned : 27618
File threats detected : 2

Adware.Tracking Cookie
C:\Documents and Settings\SaTaXOwner\Cookies\sataxowner@clicksor[1].txt
C:\Documents and Settings\SaTaXOwner\Cookies\sataxowner@atdmt[1].txt

Unclassified.Oreans32
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#DeviceDesc
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Capabilities
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000\LogConf
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000\Control
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000\Control#ActiveService
HKLM\SYSTEM\CurrentControlSet\Services\oreans32
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#Type
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#Start
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#ErrorControl
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#ImagePath
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#DisplayName
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Security
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Security#Security
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum#0
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum#Count
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum#NextInstance

Malware.LocusSoftware Inc/SpyGuardPro
HKLM\Software\SpyGuardPro
HKLM\Software\SpyGuardPro#EulaUGA6P_0001_N122M2210

;***********************************************************************************************************************************************************************************
ANALYSIS: 2007-12-09 12:23:34
PROTECTIONS: 0
MALWARE: 11
SUSPECTS: 0
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00055967 W32/Parite.B Virus No 0 Yes No C:\MSOCache\All Users\{90120000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe
00055967 W32/Parite.B Virus No 0 Yes No C:\MSOCache\All Users\{90120000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE
00055967 W32/Parite.B Virus No 0 Yes No C:\UnrealTournament\System\mplaynow.exe
00055967 W32/Parite.B Virus No 0 Yes No C:\MSOCache\All Users\{90120000-0030-0000-0000-0000000FF1CE}-C\ose.exe
00055967 W32/Parite.B Virus No 0 Yes No C:\UnrealTournament\System\UCC.exe
00055967 W32/Parite.B Virus No 0 Yes No C:\UnrealTournament\System\UnrealEd.exe
00055967 W32/Parite.B Virus No 0 Yes No C:\UnrealTournament\System\UnrealTournament.exe
00055967 W32/Parite.B Virus No 0 Yes No C:\UnrealTournament\System\GotoHeat.exe
00121425 Hacktool/NMap HackTools No 0 Yes No C:\WINDOWS\system32\CCGNU32.dll
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\SaTaXOwner\Application Data\Mozilla\Firefox\Profiles\yvlkilbi.default\cookies-1.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\SaTaXOwner\Application Data\Mozilla\Firefox\Profiles\yvlkilbi.default\cookies-1.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\SaTaXOwner\Application Data\Mozilla\Firefox\Profiles\yvlkilbi.default\cookies-1.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\SaTaXOwner\Application Data\Mozilla\Firefox\Profiles\yvlkilbi.default\cookies-1.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\SaTaXOwner\Application Data\Mozilla\Firefox\Profiles\yvlkilbi.default\cookies-1.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\SaTaXOwner\Application Data\Mozilla\Firefox\Profiles\yvlkilbi.default\cookies-1.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\SaTaXOwner\Application Data\Mozilla\Firefox\Profiles\yvlkilbi.default\cookies-1.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\SaTaXOwner\Application Data\Mozilla\Firefox\Profiles\yvlkilbi.default\cookies-1.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\SaTaXOwner\Application Data\Mozilla\Firefox\Profiles\yvlkilbi.default\cookies-1.txt[ad.yieldmanager.com/]
00172449 Cookie/MetriWeb TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\stcaewv0.default\cookies.txt[.metriweb.be/]
01006994 Generic Backdoor Virus/Trojan No 0 Yes No C:\Documents and Settings\SaTaXOwner\Bureaublad\Google Hack V2.0\Google Hack V2.0.exe
01049080 Generic Malware Virus/Trojan No 0 Yes No C:\WINDOWS\system32\nmapserv.exe
01049080 Generic Malware Virus/Trojan No 0 Yes No C:\Program Files\Net Tools\nmapserv.exe
01240658 Trj/Keylog.MF Virus/Trojan No 1 No No C:\Documents and Settings\SaTaXOwner\Local Settings\Application Data\Mozilla\Firefox\Profiles\yvlkilbi.default\Cache\512934C8d01[rinst.exe]
01240658 Trj/Keylog.MF Virus/Trojan No 1 No No C:\Documents and Settings\SaTaXOwner\Bureaublad\mousemacro.exe[rinst.exe]
01262593 Application/NirCmd.A HackTools No 0 No No C:\Documents and Settings\SaTaXOwner\Bureaublad\ComboFix.exe[nircmd.exe]
01262593 Application/NirCmd.A HackTools No 0 Yes No C:\WINDOWS\NirCmd.exe
01262593 Application/NirCmd.A HackTools No 0 Yes No C:\ComboFix\nircmd.cfexe
01262593 Application/NirCmd.A HackTools No 0 No No C:\Documents and Settings\SaTaXOwner\Bureaublad\ComboFix.exe[nircmd.cfexe]
01297189 Trj/Agent.GBF Virus/Trojan No 0 No No C:\Documents and Settings\SaTaXOwner\Mijn documenten\Downloads\MagicISO Maker 5.4.251 + Crack.Patch.[Sept.2007]\MagicISO Maker 5.4.251.exe[_gorvedi.exe]
02198842 Trj/Downloader.MDW Virus/Trojan No 1 Yes No C:\Documents and Settings\SaTaXOwner\Bureaublad\DoS5.5Final\DoS v 5.5 Final.exe
02883796 Adware/DiscoveryLive Adware No 0 Yes No C:\Program Files\MessengerDiscovery\MessengerDiscoveryToday.exe
;===================================================================================================================================================================================
SUSPECTS
Location
;===================================================================================================================================================================================
;===================================================================================================================================================================================

MAIN!


Deckard's System Scanner v20071014.68
Run by SaTaXOwner on 2007-12-11 18:24:55
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
6: 2007-12-11 17:24:57 UTC - RP9 - Deckard's System Scanner Restore Point
5: 2007-12-11 16:31:22 UTC - RP8 - Removed RAD Studio
4: 2007-12-11 16:08:25 UTC - RP7 - Controlepunt van systeem
3: 2007-12-09 10:28:10 UTC - RP6 - Installed SUPERAntiSpyware Free Edition
2: 2007-12-07 13:14:45 UTC - RP5 - ComboFix created restore point


-- First Restore Point --
1: 2007-12-07 13:14:39 UTC - RP4 - Controlepunt van systeem


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as SaTaXOwner.exe) ------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:25, on 2007-12-11
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NET2SOFT\Anti-Hacker Expert\Firewall.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\ASUS WiFi-AP Solo\RtWLan.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\SaTaXOwner\Bureaublad\utorrent.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\SaTaXOwner\Bureaublad\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\SaTaXOwner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Anti-Hacker Expert Firewall] C:\Program Files\NET2SOFT\Anti-Hacker Expert\Firewall.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Joyo - {8DE0FCD4-5EB5-11D3-AD25-00002100131B} - C:\PROGRA~1\NET2SOFT\ANTI-H~1\IEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: PowerWord - {C8CE29C5-7589-11D3-B81B-0080C8DC5DC8} - C:\PROGRA~1\NET2SOFT\ANTI-H~1\IEPlugin.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

--
End of file - 5097 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20071127-180907-106 O23 - Service: GFI LANguard N.S.S. 8.0 Attendant Service (gfi_lnss8_attservice) - GFI Software Ltd. - C:\Program Files\GFI\LANguard Network Security Scanner 8.0\lnssatt.exe
backup-20071127-180907-110 O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE
backup-20071127-180907-238 O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
backup-20071127-180907-244 O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
backup-20071127-180907-287 O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
backup-20071127-180907-327 O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
backup-20071127-180907-377 O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
backup-20071127-180907-473 O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
backup-20071127-180907-575 O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')
backup-20071127-180907-672 O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
backup-20071127-180907-754 R3 - Default URLSearchHook is missing
backup-20071127-180907-992 O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
backup-20071127-180930-707 O23 - Service: GFI LANguard N.S.S. 8.0 Attendant Service (gfi_lnss8_attservice) - GFI Software Ltd. - C:\Program Files\GFI\LANguard Network Security Scanner 8.0\lnssatt.exe
backup-20071127-182031-101 O15 - Trusted Zone: *.imagesrvr.com
backup-20071127-182031-105 O15 - Trusted Zone: *.amaena.com
backup-20071127-182031-162 O15 - Trusted Zone: *.virusschlacht.com (HKLM)
backup-20071127-182031-180 O15 - Trusted Zone: *.imagesrvr.com (HKLM)
backup-20071127-182031-197 O15 - Trusted Zone: *.gomyhit.com
backup-20071127-182031-241 O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\U2FUYVg\command.exe
backup-20071127-182031-248 O15 - Trusted Zone: *.amaena.com (HKLM)
backup-20071127-182031-300 O15 - Trusted Zone: *.onerateld.com
backup-20071127-182031-433 O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
backup-20071127-182031-455 O15 - Trusted Zone: *.onerateld.com (HKLM)
backup-20071127-182031-493 O15 - Trusted Zone: *.virusschlacht.com
backup-20071127-182031-500 O15 - Trusted Zone: *.trustedantivirus.com
backup-20071127-182031-508 O15 - Trusted Zone: *.gomyhit.com (HKLM)
backup-20071127-182031-739 O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
backup-20071127-182031-802 O15 - Trusted Zone: *.avsystemcare.com
backup-20071127-182031-834 O15 - Trusted Zone: *.imageservr.com
backup-20071127-182031-938 O15 - Trusted Zone: *.imageservr.com (HKLM)
backup-20071127-182031-985 O15 - Trusted Zone: *.avsystemcare.com (HKLM)
backup-20071127-182501-224 O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu572.exe 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
backup-20071127-182501-341 O4 - HKLM\..\Run: [NI.UGA6P_0001_N122M2210] "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winvsnet.exe"
backup-20071127-182501-390 R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ads.clicksor.com/serving/links.php?...C%26&durl==
backup-20071127-182501-576 O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE
backup-20071129-174650-429 O24 - Desktop Component 0: (no name) - C:\Program Files\Messenger\rtepre.html
backup-20071129-174650-636 O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
backup-20071130-181148-401 O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
backup-20071130-181148-621 O4 - HKLM\..\Run: [5c2af133] rundll32.exe "C:\WINDOWS\system32\rvyottkm.dll",b
backup-20071130-181148-796 O23 - Service: DomainService - - C:\WINDOWS\system32\kpbmotfa.exe
backup-20071130-181148-829 R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
backup-20071201-185753-577 O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
backup-20071201-185753-797 O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
backup-20071201-185753-880 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
backup-20071202-170320-201 O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
backup-20071202-170320-205 O15 - Trusted Zone: *.amaena.com (HKLM)
backup-20071202-170320-273 O15 - Trusted Zone: *.onerateld.com
backup-20071202-170320-359 O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
backup-20071202-170320-391 O15 - Trusted Zone: *.amaena.com
backup-20071202-170320-519 O15 - Trusted Zone: *.imagesrvr.com
backup-20071202-170320-526 O15 - Trusted Zone: *.imageservr.com
backup-20071202-170320-534 O15 - Trusted Zone: *.trustedantivirus.com
backup-20071202-170320-560 O15 - Trusted Zone: *.gomyhit.com (HKLM)
backup-20071202-170320-569 O4 - HKCU\..\Run: [WinAble] C:\Program Files\WinAble\winable.exe
backup-20071202-170320-579 O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu572.exe 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C88332017491394661A64DB7C8F0287E55E246220D9E728F9FC17D446BC57D5375FB0FB68AD6
backup-20071202-170320-624 O15 - Trusted Zone: *.imagesrvr.com (HKLM)
backup-20071202-170320-658 O15 - Trusted Zone: *.avsystemcare.com
backup-20071202-170320-662 O4 - HKLM\..\Run: [NI.UGA6P_0001_N122M2210] "C:\DOCUME~1\SATAXO~1\LOCALS~1\Temp\winvsnet.exe"
backup-20071202-170320-703 O15 - Trusted Zone: *.onerateld.com (HKLM)
backup-20071202-170320-754 O4 - HKCU\..\Run: [Rcld] "C:\DOCUME~1\SATAXO~1\MIJNDO~1\MBOLS~1\wuaclt.exe" -vt yazb
backup-20071202-170320-806 O24 - Desktop Component 0: (no name) - C:\Program Files\Messenger\rtepre.html
backup-20071202-170320-857 O15 - Trusted Zone: *.gomyhit.com
backup-20071202-170320-895 O15 - Trusted Zone: *.imageservr.com (HKLM)
backup-20071202-170320-917 O15 - Trusted Zone: *.avsystemcare.com (HKLM)
backup-20071202-170320-923 O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
backup-20071202-170320-964 O15 - Trusted Zone: *.virusschlacht.com
backup-20071202-170320-973 O15 - Trusted Zone: *.virusschlacht.com (HKLM)
backup-20071203-195147-745 O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
backup-20071203-195147-965 O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
backup-20071203-195147-986 F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Config\lsass.exe
backup-20071203-212236-567 O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
backup-20071203-212236-650 O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 Teefer (Teefer for NT) - c:\windows\system32\drivers\teefer.sys <Not Verified; Sygate Technologies, Inc.; Sygate Teefer Driver>
R1 SASDIFSV - c:\program files\superantispyware\sasdifsv.sys
R1 SASKUTIL - c:\program files\superantispyware\saskutil.sys
R1 wpsdrvnt - c:\windows\system32\drivers\wpsdrvnt.sys <Not Verified; Sygate Technologies, Inc.; wpsdrvnt>
R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.4.5.0) - c:\windows\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.4.5.0>
R2 HopperP (WiFi Hopper) - c:\windows\system32\drivers\hopperp.sys <Not Verified; Windows ® 2000 DDK provider; Windows ® 2000 DDK driver>
R3 SjyPkt - c:\windows\system32\drivers\sjypkt.sys <Not Verified; Windows ® 2000 DDK provider; Windows ® 2000 DDK driver>

S3 Ad-Watch Connect Filter (Ad-Watch Connect Kernel Filter) - c:\windows\system32\drivers\nsdriver.sys <Not Verified; Lavasoft AB; Ad-Watch Connections>
S3 Ad-Watch Real-Time Scanner (AW Real-Time Scanner) - c:\windows\system32\drivers\awrtpd.sys <Not Verified; Lavasoft AB; Ad-Watch Beta>
S3 Ad-Watch Registry Filter (Ad-Watch Registry Kernel Filter) - c:\windows\system32\drivers\awrtrd.sys <Not Verified; Lavasoft AB; Ad-Watch Registry Protection>
S3 catchme - c:\docume~1\sataxo~1\locals~1\temp\catchme.sys (file missing)
S3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 ForceWare Intelligent Application Manager (IAM) - c:\program files\nvidia corporation\networkaccessmanager\bin\nsvcappflt.exe <Not Verified; ; app_filter Module>
R2 ForcewareWebInterface (Forceware Web Interface) - "c:\program files\nvidia corporation\networkaccessmanager\apache group\apache2\bin\apache.exe" -k runservice <Not Verified; Apache Software Foundation; Apache HTTP Server>
R2 PnkBstrA - c:\windows\system32\pnkbstra.exe

S4 FLEXnet Licensing Service - "c:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe" <Not Verified; Macrovision Europe Ltd.; FLEXnet Publisher (32 bit)>
S4 gfi_lnss8_attservice (GFI LANguard N.S.S. 8.0 Attendant Service) - "c:\program files\gfi\languard network security scanner 8.0\lnssatt.exe" -service <Not Verified; GFI Software Ltd.; >
S4 Microsoft Office Groove Audit Service - "c:\program files\microsoft office\office12\grooveauditservice.exe" <Not Verified; Microsoft Corporation; Groove Audit Service>
S4 NMIndexingService - "c:\program files\common files\ahead\lib\nmindexingservice.exe" (file missing)
S4 rpcapd (Remote Packet Capture Protocol v.0 (experimental)) - "c:\program files\winpcap\rpcapd.exe" -d -f "c:\program files\winpcap\rpcapd.ini" <Not Verified; CACE Technologies; WinPcap>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: 1394-netwerkkaart
Device ID: V1394\NIC1394\F5BCCF11D800
Manufacturer: Microsoft
Name: 1394-netwerkkaart
PNP Device ID: V1394\NIC1394\F5BCCF11D800
Service: NIC1394

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: NVIDIA nForce Networking Controller
Device ID: {1A3E09BE-1E45-494B-9174-D7385B45BBF5}\NVNET_DEV0373\4&D0990A6&0&00
Manufacturer: NVIDIA
Name: NVIDIA nForce Networking Controller #2
PNP Device ID: {1A3E09BE-1E45-494B-9174-D7385B45BBF5}\NVNET_DEV0373\4&D0990A6&0&00
Service: NVENETFD


-- Files created between 2007-11-11 and 2007-12-11 -----------------------------

2007-12-11 18:00:29 0 dr-h----- C:\Documents and Settings\SaTaXOwner\Onlangs geopend
2007-12-09 11:51:52 0 d-------- C:\Program Files\Panda Security
2007-12-09 11:28:14 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-12-09 11:28:11 0 d-------- C:\Program Files\SUPERAntiSpyware
2007-12-09 11:28:11 0 d-------- C:\Documents and Settings\SaTaXOwner\Application Data\SUPERAntiSpyware.com
2007-12-07 14:23:10 0 d-------- C:\WINDOWS\.jagex_cache_32
2007-12-07 13:25:43 0 d-------- C:\Documents and Settings\SaTaXOwner\DoctorWeb
2007-12-06 20:03:46 0 d-------- C:\Program Files\Makayama Interactive
2007-12-06 20:02:37 21376 --a------ C:\WINDOWS\system32\drivers\hopperp.sys <Not Verified; Windows ® 2000 DDK provider; Windows ® 2000 DDK driver>
2007-12-06 20:02:37 0 d-------- C:\WINDOWS\{hopper}
2007-12-06 20:02:37 0 d-------- C:\Program Files\WiFi Hopper
2007-12-06 14:46:18 4376 --a------ C:\WINDOWS\system\msdata.dat
2007-12-06 14:18:50 0 d-------- C:\Program Files\Super Internet TV
2007-12-06 14:04:18 32509 --a------ C:\WINDOWS\system\msconfig.dat
2007-12-06 13:59:33 0 d-------- C:\Program Files\NET2SOFT
2007-12-05 16:16:02 0 d-------- C:\Program Files\Cain
2007-12-04 18:23:42 0 d-------- C:\Program Files\Lavasoft
2007-12-04 18:23:41 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-04 18:20:40 0 d-------- C:\Program Files\CCleaner
2007-12-03 21:02:31 0 d-------- C:\Documents and Settings\SaTaXOwner\Application Data\Grisoft
2007-12-03 20:37:22 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-03 19:15:18 0 d-------- C:\Documents and Settings\SaTaXOwner\.housecall6.6
2007-12-03 18:49:27 0 d-------- C:\Documents and Settings\All Users\Application Data\ESET
2007-12-02 01:03:23 0 d-------- C:\Program Files\ImTOO
2007-11-30 23:41:01 0 d-------- C:\Documents and Settings\All Users\Application Data\TechSmith
2007-11-29 18:19:55 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2007-11-29 18:19:51 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2007-11-27 18:12:11 0 d-------- C:\Temp
2007-11-27 18:11:54 0 d-------- C:\Documents and Settings\Administrator\Application Data\Sun
2007-11-27 18:11:45 0 d-------- C:\Documents and Settings\Administrator\Application Data\Macromedia
2007-11-27 18:11:21 0 d-------- C:\Documents and Settings\Administrator\Contacts
2007-11-27 18:03:56 0 d-------- C:\Program Files\Trend Micro
2007-11-27 06:29:38 0 d-------- C:\Documents and Settings\Administrator\Application Data\Mozilla
2007-11-27 06:29:00 0 d--h----- C:\Documents and Settings\Administrator\Sjablonen
2007-11-27 06:29:00 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2007-11-27 06:29:00 0 d--h----- C:\Documents and Settings\Administrator\Onlangs geopend
2007-11-27 06:29:00 1048576 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2007-11-27 06:29:00 0 d--h----- C:\Documents and Settings\Administrator\Netwerkprinteromgeving
2007-11-27 06:29:00 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2007-11-27 06:29:00 0 d-------- C:\Documents and Settings\Administrator\Mijn documenten
2007-11-27 06:29:00 0 dr------- C:\Documents and Settings\Administrator\Menu Start
2007-11-27 06:29:00 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2007-11-27 06:29:00 0 d-------- C:\Documents and Settings\Administrator\Favorieten
2007-11-27 06:29:00 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2007-11-27 06:29:00 0 d-------- C:\Documents and Settings\Administrator\Bureaublad
2007-11-27 06:29:00 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2007-11-27 06:29:00 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2007-11-24 15:30:24 0 d-------- C:\MyTIData
2007-11-24 15:30:17 0 d-------- C:\Program Files\Common Files\TI Shared
2007-11-24 15:30:06 0 d-------- C:\Program Files\TI Education
2007-11-24 14:39:03 33824 --a------ C:\WINDOWS\system32\drivers\oreans32.sys
2007-11-21 14:44:18 0 d-------- C:\Documents and Settings\SaTaXOwner\Application Data\Google
2007-11-21 14:42:32 0 d-------- C:\Program Files\Google
2007-11-18 18:59:19 1970176 --a------ C:\WINDOWS\system32\d3dx9.dll
2007-11-18 18:59:19 679936 --a------ C:\WINDOWS\system32\D3DX81ab.dll <Not Verified; Generated by JEDI; D3DX81>
2007-11-18 18:59:19 0 d-------- C:\Program Files\Cheat Engine
2007-11-18 17:48:46 0 d-------- C:\Documents and Settings\All Users\Application Data\Messenger Plus!
2007-11-18 17:24:09 0 d-------- C:\Program Files\Messenger Plus! Live
2007-11-17 18:33:09 0 d-------- C:\Program Files\Windows Live
2007-11-16 23:43:31 0 d---s---- C:\Documents and Settings\SaTaXOwner\UserData
2007-11-15 17:48:07 0 d-------- C:\Program Files\MessengerDiscovery
2007-11-11 21:12:27 80 -r-hs---- C:\WINDOWS\system32\ED8F25F19F.dll
2007-11-11 21:12:27 0 d-------- C:\Documents and Settings\All Users\Application Data\Protexis
2007-11-11 21:12:07 0 d-------- C:\Program Files\decomp


-- Find3M Report ---------------------------------------------------------------

2007-12-11 18:25:22 0 d-------- C:\Documents and Settings\SaTaXOwner\Application Data\uTorrent
2007-12-11 17:31:55 0 d-------- C:\Program Files\Common Files
2007-12-10 15:52:58 0 d-------- C:\Documents and Settings\SaTaXOwner\Application Data\Xfire
2007-12-09 11:51:52 1911 --a------ C:\WINDOWS\mozver.dat
2007-12-09 11:28:01 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-05 21:14:19 0 d-------- C:\Documents and Settings\SaTaXOwner\Application Data\AdobeUM
2007-12-04 19:33:55 0 d-------- C:\Program Files\MSN Messenger
2007-12-04 17:49:16 0 d-------- C:\Program Files\Messenger
2007-12-03 21:00:32 61952 -----n--- C:\WINDOWS\system32\HdAShCut.exe <Not Verified; Windows ® Server 2003 DDK provider; Microsoft® Windows® Operating System>
2007-12-03 21:00:30 49152 -----n--- C:\WINDOWS\system32\DSndUp.exe <Not Verified; Analog Devices Inc.; adi DSndUp>
2007-12-03 20:59:52 45056 -----n--- C:\WINDOWS\system32\CleanUp.exe <Not Verified; adi; adi CleanUp>
2007-12-03 19:49:30 47104 --a------ C:\WINDOWS\system32\uwdf.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2007-12-03 19:49:30 24064 --a------ C:\WINDOWS\system32\spupdsvc.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2007-12-03 19:49:28 1622016 --a------ C:\WINDOWS\system32\nwiz.exe
2007-12-03 19:49:28 1339392 --a------ C:\WINDOWS\system32\nvdspsch.exe
2007-12-03 19:49:28 442368 --a------ C:\WINDOWS\system32\nvappbar.exe
2007-12-03 19:49:28 77824 --a------ C:\WINDOWS\system32\nmapwin.exe <Not Verified; JVSoftware; NMapWin nmap front-end>
2007-12-03 19:49:28 290816 --a------ C:\WINDOWS\system32\nmapserv.exe
2007-12-03 19:49:28 452096 --a------ C:\WINDOWS\system32\nmap.exe <Not Verified; ; Nmap>
2007-12-03 19:49:28 52736 --a------ C:\WINDOWS\system32\migpwd.exe <Not Verified; Microsoft Corporation; Besturingssysteem Microsoft® Windows®>
2007-12-03 19:49:26 293376 --a------ C:\WINDOWS\system32\WISPTIS.EXE <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2007-12-03 19:49:26 425984 --a------ C:\WINDOWS\system32\keystone.exe
2007-12-03 19:49:26 61440 --a------ C:\WINDOWS\system32\dns-sd.exe <Not Verified; Apple Computer, Inc.; Bonjour>
2007-12-03 19:49:24 106496 --a------ C:\WINDOWS\system32\PnkBstrB.exe
2007-12-03 19:49:24 486400 -ra------ C:\WINDOWS\system32\AsusSetup.exe <Not Verified; ASUS; AsusSetup>
2007-12-03 19:49:23 69632 --a------ C:\WINDOWS\system32\PnkBstrA.exe
2007-12-03 19:49:18 57344 --a------ C:\WINDOWS\KHALMNPR.Exe <Not Verified; Logitech Inc.; Logitech SetPoint>
2007-12-01 13:48:10 0 d-------- C:\Program Files\Xfire
2007-11-30 22:11:27 458848 --a------ C:\WINDOWS\system32\perfh013.dat
2007-11-30 22:11:27 77630 --a------ C:\WINDOWS\system32\perfc013.dat
2007-11-26 20:16:10 0 d-------- C:\Program Files\Net Tools
2007-11-25 11:56:44 0 d-------- C:\Program Files\WarRock
2007-11-19 19:14:00 0 d-------- C:\Documents and Settings\SaTaXOwner\Application Data\teamspeak2
2007-11-02 14:16:38 68 --a------ C:\PACKAGEINFO
2007-11-02 14:16:38 16 --a------ C:\DVCLAL
2007-11-01 22:05:23 0 d-------- C:\Program Files\Gizmo Project
2007-10-31 12:34:25 0 d-------- C:\Documents and Settings\SaTaXOwner\Application Data\Help
2007-10-30 20:54:09 0 d-------- C:\Program Files\WinPcap
2007-10-27 22:05:18 0 d-------- C:\Documents and Settings\SaTaXOwner\Application Data\Adobe
2007-10-24 13:20:59 0 d-------- C:\Program Files\GFI
2007-10-16 19:40:58 0 d-------- C:\Program Files\VirtualDJ
2007-10-16 17:31:07 0 d-------- C:\Program Files\EtherDetect
2007-10-16 17:30:22 0 d-------- C:\Documents and Settings\SaTaXOwner\Application Data\Wireshark
2007-10-16 17:29:47 0 d-------- C:\Program Files\Wireshark
2007-10-16 16:51:13 0 d-------- C:\Program Files\Sygate
2007-10-13 11:12:27 0 d-------- C:\Program Files\Bonjour
2007-10-13 11:12:25 0 d-------- C:\Program Files\Common Files\Adobe
2007-10-13 11:07:15 0 d-------- C:\Program Files\Common Files\Macrovision Shared
2007-10-13 11:04:29 0 d-------- C:\Program Files\MagicISO
2007-10-13 07:30:30 0 d-------- C:\Documents and Settings\SaTaXOwner\Application Data\Sun
2007-10-12 23:29:44 0 d-------- C:\Program Files\TechSmith
2007-10-12 21:30:27 0 d-------- C:\Documents and Settings\SaTaXOwner\Application Data\Ahead
2007-10-12 18:29:16 0 d-------- C:\Program Files\Java
2007-10-12 18:28:33 0 d-------- C:\Program Files\Common Files\Java
2007-10-11 20:11:52 0 d-------- C:\Program Files\Teamspeak2_RC2
2007-10-11 18:05:14 0 d-------- C:\Documents and Settings\SaTaXOwner\Application Data\Macromedia
2007-10-11 17:48:46 0 d-------- C:\Program Files\Nero
2007-10-09 21:58:46 0 --a------ C:\WINDOWS\nsreg.dat
2007-10-09 21:00:39 22 --a------ C:\WINDOWS\FileName
2007-10-09 20:43:38 0 -rahs---- C:\MSDOS.SYS
2007-10-09 20:43:38 0 -rahs---- C:\IO.SYS
2007-10-09 20:43:38 0 --a------ C:\CONFIG.SYS
2007-10-09 20:43:38 0 --a------ C:\AUTOEXEC.BAT
2007-10-09 20:41:45 21748 --a------ C:\WINDOWS\system32\emptyregdb.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-12-21 10:29]
"Anti-Hacker Expert Firewall"="C:\Program Files\NET2SOFT\Anti-Hacker Expert\Firewall.exe" [2003-07-02 10:14]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^ASUS WiFi-AP Solo.lnk]
path=C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\ASUS WiFi-AP Solo.lnk
backup=C:\WINDOWS\pss\ASUS WiFi-AP Solo.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^LNSS Status Monitor.lnk]
path=C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\LNSS Status Monitor.lnk
backup=C:\WINDOWS\pss\LNSS Status Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^Logitech SetPoint.lnk]
path=C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\Logitech SetPoint.lnk
backup=C:\WINDOWS\pss\Logitech SetPoint.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^SnagIt 8.lnk]
path=C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\SnagIt 8.lnk
backup=C:\WINDOWS\pss\SnagIt 8.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^SaTaXOwner^Menu Start^Programma's^Opstarten^OneNote 2007 Screen Clipper and Launcher.lnk]
path=C:\Documents and Settings\SaTaXOwner\Menu Start\Programma's\Opstarten\OneNote 2007 Screen Clipper and Launcher.lnk
backup=C:\WINDOWS\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]
"C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-Watch]
C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DSS]
C:\WINDOWS\SvrLinTCP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\egui]
"C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gizmo Project]
C:\Program Files\Gizmo Project\Gizmo.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
"C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kernel and Hardware Abstraction Layer]
KHALMNPR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Launch LCDMon]
"C:\Program Files\Common Files\Logitech\LCD Manager\lcdmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Launch LGDCore]
"C:\Program Files\Common Files\Logitech\G-series Software\LGDCore.exe" /SHOWHIDE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsManager]
C:\WINDOWS\SYSTEM\msmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmcService]
C:\PROGRA~1\Sygate\SPF\smc.exe -startgui

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
"C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
C:\Program Files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"rpcapd"=3 (0x3)
"gfi_lnss8_attservice"=2 (0x2)
"cmdService"=2 (0x2)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"Microsoft Office Groove Audit Service"=3 (0x3)
"ekrn"=2 (0x2)
"EhttpSrv"=3 (0x3)


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1e72d741-8d25-11da-85a9-806d6172696f}]
AutoRun\command- D:\monsetup.exe




-- End of Deckard's System Scanner: finished at 2007-12-11 18:26:11 ------------





EXTRA:

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: Dutch

CPU 0: Intel® Core™2 CPU 6600 @ 2.40GHz
CPU 1: Intel® Core™2 CPU 6600 @ 2.40GHz
Percentage of Memory in Use: 25%
Physical Memory (total/avail): 2046.48 MiB / 1519.67 MiB
Pagefile Memory (total/avail): 3939.22 MiB / 3590.16 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1928.5 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 232.88 GiB total, 193.71 GiB free.
D: is CDROM (No Media)
E: is Removable (No Media)
F: is Removable (No Media)
G: is Removable (No Media)
H: is Removable (No Media)

\\.\PHYSICALDRIVE0 - ST3250620AS - 232.88 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 232.88 GiB - C:

\\.\PHYSICALDRIVE2 - Generic USB CF Reader USB Device

\\.\PHYSICALDRIVE4 - Generic USB MS Reader USB Device

\\.\PHYSICALDRIVE1 - Generic USB SD Reader USB Device

\\.\PHYSICALDRIVE3 - Generic USB SM Reader USB Device



-- Security Center -------------------------------------------------------------

AUOptions is disabled.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.
AntiVirusDisableNotify is set.
UpdatesDisableNotify is set.

FW: Sygate Personal Firewall Pro v4.6 (Sygate Technologies, Inc.)
FW: ActiveArmor Firewall v1.0 (NVIDIA Corporation) Disabled

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Messenger"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Call"
"C:\\Program Files\\MessengerDiscovery\\MessengerDiscovery Live.exe"="C:\\Program Files\\MessengerDiscovery\\MessengerDiscovery Live.exe:*:Enabled:MessengerDiscovery Live the Windows Live Messenger addon"
"C:\\WINDOWS\\explorer.exe"="C:\\WINDOWS\\explorer.exe:*:Enabled:Windows Verkenner"
"C:\\Documents and Settings\\SaTaXOwner\\Bureaublad\\utorrent.exe"="C:\\Documents and Settings\\SaTaXOwner\\Bureaublad\\utorrent.exe:*:Enabled:µTorrent"
"C:\\Documents and Settings\\SaTaXOwner\\Bureaublad\\DoS5.5Final\\DoS v 5.5 Final.exe"="C:\\Documents and Settings\\SaTaXOwner\\Bureaublad\\DoS5.5Final\\DoS v 5.5 Final.exe:*:Enabled:bleep up websites, ftps, and ips by congesting them with massive connections"
"C:\\Program Files\\Cain\\Cain.exe"="C:\\Program Files\\Cain\\Cain.exe:*:Enabled:Cain - Password Recovery Utility"
"C:\\Program Files\\Net Tools\\nettools5.exe"="C:\\Program Files\\Net Tools\\nettools5.exe:*:Enabled:Net Tools by Mohammad Ahmadi Bidakhvidi"
"C:\\Program Files\\Delphi7SE\\Projects\\Project1.exe"="C:\\Program Files\\Delphi7SE\\Projects\\Project1.exe:*:Enabled:Project1"
"C:\\Program Files\\Xfire\\xfire.exe"="C:\\Program Files\\Xfire\\xfire.exe:*:Enabled:Xfire"
"C:\\Documents and Settings\\SaTaXOwner\\Bureaublad\\Client_En\\Client.exe"="C:\\Documents and Settings\\SaTaXOwner\\Bureaublad\\Client_En\\Client.exe:*:Enabled:NetBot_Attacker"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\SaTaXOwner\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=SATAX
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\SaTaXOwner
LOGONSERVER=\\SATAX
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\Delphi7SE\bin;C:\Program Files\Delphi7SE\Projects\BPL
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 15 Stepping 6, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0f06
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\SATAXO~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\SATAXO~1\LOCALS~1\Temp
USERDOMAIN=SATAX
USERNAME=SaTaXOwner
USERPROFILE=C:\Documents and Settings\SaTaXOwner
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

SaTaXOwner (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware 2007 --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Anchor Service CS3 --> MsiExec.exe /I{90176341-0A8B-4CCC-A78D-F862228A6B95}
Adobe Asset Services CS3 --> MsiExec.exe /I{6FF5DD7A-FE28-4439-B8CF-1E9AF4EA0A61}
Adobe Bridge CS3 --> MsiExec.exe /I{9C9824D9-9000-4373-A6A5-D0E5D4831394}
Adobe Bridge Start Meeting --> MsiExec.exe /I{08B32819-6EEF-4057-AEDA-5AB681A36A23}
Adobe Camera Raw 4.0 --> MsiExec.exe /I{B3BF6689-A81D-40D8-9A86-4AC4ACD9FC1C}
Adobe CMaps --> MsiExec.exe /I{A2B242BD-FF8D-4840-9DAA-9170EABEC59C}
Adobe Color - Photoshop Specific --> MsiExec.exe /I{A2D81E70-2A98-4A08-A628-94388B063C5E}
Adobe Color Common Settings --> C:\Program Files\Common Files\Adobe\Installers\6c8e2cb4fd241c55406016127a6ab2e\Setup.exe
Adobe Color Common Settings --> MsiExec.exe /I{6D4AC5A4-4CF9-4F90-8111-B9B53CE257BF}
Adobe Color EU Extra Settings --> MsiExec.exe /I{51846830-E7B2-4218-8968-B77F0FF475B8}
Adobe Color JA Extra Settings --> MsiExec.exe /I{DD7DB3C5-6FA3-4FA3-8A71-C2F2940EB029}
Adobe Color NA Recommended Settings --> MsiExec.exe /I{95655ED4-7CA5-46DF-907F-7144877A32E5}
Adobe Default Language CS3 --> MsiExec.exe /I{B9B35331-B7E4-4E5C-BF4C-7BC87856124D}
Adobe Device Central CS3 --> MsiExec.exe /I{8D2BA474-F406-4710-9AE4-D4F22D21F0DD}
Adobe ExtendScript Toolkit 2 --> C:\Program Files\Common Files\Adobe\Installers\5bc0f8414ec36c555a3e7e5ec2e225e\Setup.exe
Adobe ExtendScript Toolkit 2 --> MsiExec.exe /I{1BCEA516-B4C5-4B2D-BFA0-AB7910BAD862}
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Fonts All --> MsiExec.exe /I{6ABE0BEE-D572-4FE8-B434-9E72A289431B}
Adobe Help Viewer CS3 --> MsiExec.exe /I{04AF207D-9A77-465A-8B76-991F6AB66245}
Adobe Linguistics CS3 --> MsiExec.exe /I{54793AA1-5001-42F4-ABB6-C364617C6078}
Adobe PDF Library Files --> MsiExec.exe /I{D2559B88-CC9D-4B48-81BB-F492BAA9C48C}
Adobe Photoshop CS3 --> C:\Program Files\Common Files\Adobe\Installers\719d6f144d0c086a0dfa7ff76bb9ac1\Setup.exe
Adobe Photoshop CS3 --> MsiExec.exe /I{3D7E3EC9-46CF-4359-9289-39CE01DFB82F}
Adobe Reader 7.0 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70000000000}
Adobe Setup --> MsiExec.exe /I{64C1FA9A-FA94-4B6E-B3E4-8573738E4AD1}
Adobe Setup --> MsiExec.exe /I{D504303A-717D-414C-BA9F-FE01093E2EF8}
Adobe Setup --> MsiExec.exe /I{FF11004C-F42A-4A31-9BCF-7F5C8FDBE53C}
Adobe Stock Photos CS3 --> MsiExec.exe /I{29E5EA97-5F74-4A57-B8B2-D4F169117183}
Adobe Type Support --> MsiExec.exe /I{8E6808E2-613D-4FCD-81A2-6C8FA8E03312}
Adobe Update Manager CS3 --> MsiExec.exe /I{E69AE897-9E0B-485C-8552-7841F48D42D8}
Adobe Version Cue CS3 Client --> MsiExec.exe /I{D0DFF92A-492E-4C40-B862-A74A173C25C5}
Adobe WinSoft Linguistics Plugin --> MsiExec.exe /I{184CE391-7E0E-4C63-9935-D7A10EDFD3C6}
Adobe XMP Panels CS3 --> MsiExec.exe /I{802771A9-A856-4A41-ACF7-1450E523C923}
Anti-Hacker Expert 2003 Build 1.2 --> C:\PROGRA~1\NET2SOFT\ANTI-H~1\UNWISE.EXE C:\PROGRA~1\NET2SOFT\ANTI-H~1\INSTALL.LOG
ASUS WiFi-AP Solo --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{8B3F4499-32E6-470D-8586-E6C03420F889}\Setup.exe" -l0x9 REMOVE
AsusUpdate --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{587178E7-B1DF-494E-9838-FA4DD36E873C}\setup.exe" -l0x9
AVG Anti-Spyware 7.5 --> C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
Cain & Abel v4.9.9 --> C:\PROGRA~1\Cain\UNINSTAL.EXE C:\PROGRA~1\Cain\Install.log
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
CDDRV_Installer --> MsiExec.exe /I{8CC990CD-87C8-475C-AC32-8A7984E2FCFA}
Cheat Engine 5.3 --> "C:\Program Files\Cheat Engine\unins000.exe"
Delphi 7 Second Edition --> "C:\Program Files\Delphi7SE\unins000.exe"
DJ Java Decompiler v.3.9.9.91 --> MsiExec.exe /I{8AD2EA30-5049-11D4-A08E-0080AD97BBF5}
Easy WiFi Radar 1.0.3 --> C:\PROGRA~1\MAKAYA~1\EASYWI~1\Setup.exe /remove
EtherDetect Packet Sniffer v1.3 --> C:\PROGRA~1\ETHERD~1\UNWISE.EXE C:\PROGRA~1\ETHERD~1\INSTALL.LOG
EVEREST Ultimate Edition v4.00 --> "C:\Program Files\Lavalys\EVEREST Ultimate Edition\unins000.exe"
EVGA Display Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BEF3EFE7-5159-436D-9BF0-CCC633179EB4}\Setup.exe" -l0x13 -removeonly
Free Easy Burner V 2.0 --> "C:\Program Files\Free Easy Burner\unins000.exe"
GFI LANguard Network Security Scanner 8.0 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\1150\INTEL3~1\IDriver.exe /M{5CC9450B-13EC-44AF-9990-66FD5D4B24BF}
GFI LANguard Network Security Scanner 8.0 --> MsiExec.exe /X{5CC9450B-13EC-44AF-9990-66FD5D4B24BF} /qf
Gizmo Project 3.1 --> C:\Program Files\Gizmo Project\uninst.exe
Google Earth Pro --> MsiExec.exe /X{9578C0CD-8108-4379-9026-4601F59859A0}
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
KhalInstallWrapper --> MsiExec.exe /I{56918C0C-0D87-4CA6-92BF-4975A43AC719}
Logitech G15 Keyboard Software 1.03 --> MsiExec.exe /X{A514B037-31E3-4158-A1AB-AEE1952D0184}
Logitech SetPoint --> C:\Program Files\InstallShield Installation Information\{2E8EAC71-BFE4-417A-88F0-5A1BDFBCF5D3}\setup.exe -runfromtemp -l0x0013 -removeonly
Magic ISO Maker v5.4 (build 0251) --> C:\PROGRA~1\MagicISO\UNWISE.EXE C:\PROGRA~1\MagicISO\INSTALL.LOG
Messenger Plus! Live --> "C:\Program Files\Messenger Plus! Live\Uninstall.exe"
MessengerDiscovery Live 1.3.0322 --> "C:\Program Files\MessengerDiscovery\unins000.exe"
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5 --> "C:\WINDOWS\$NtUninstallWdf01005$\spuninst\spuninst.exe"
Microsoft Office Access MUI (English) 2007 --> MsiExec.exe /X{90120000-0015-0409-0000-0000000FF1CE}
Microsoft Office Access Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0117-0409-0000-0000000FF1CE}
Microsoft Office Enterprise 2007 --> "C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall ENTERPRISE /dll OSETUP.DLL
Microsoft Office Enterprise 2007 --> MsiExec.exe /X{90120000-0030-0000-0000-0000000FF1CE}
Microsoft Office Excel MUI (English) 2007 --> MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Groove MUI (English) 2007 --> MsiExec.exe /X{90120000-00BA-0409-0000-0000000FF1CE}
Microsoft Office Groove Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0114-0409-0000-0000000FF1CE}
Microsoft Office InfoPath MUI (English) 2007 --> MsiExec.exe /X{90120000-0044-0409-0000-0000000FF1CE}
Microsoft Office OneNote MUI (English) 2007 --> MsiExec.exe /X{90120000-00A1-0409-0000-0000000FF1CE}
Microsoft Office Outlook MUI (English) 2007 --> MsiExec.exe /X{90120000-001A-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007 --> MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007 --> MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007 --> MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007 --> MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007 --> MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Publisher MUI (English) 2007 --> MsiExec.exe /X{90120000-0019-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007 --> MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007 --> MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft Visual J# 2.0 Redistributable Package --> C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft Visual J# 2.0 Redistributable Package\install.exe
Mozilla Firefox (2.0.0.10) --> C:\PROGRA~1\Mozilla Firefox\uninstall\helper.exe
NetTools 5.0 --> "C:\Program Files\Net Tools\unins000.exe"
NVIDIA ForceWare Network Access Manager --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{1F6423DE-7959-4178-80E0-023C7EAA5347} /l1033
Panda TotalScan --> C:\Program Files\Panda Security\TotalScan\ascuninst.exe
PDF Settings --> MsiExec.exe /I{AC5B0C19-D851-42F4-BDA0-410ECF7F70A5}
Rakion International --> "C:\Program Files\Softnyx\Rakion\unins000.exe"
SnagIt 8 --> MsiExec.exe /I{B6F0BE9B-41D7-45A2-9A76-D3DB1A89EC6A}
SoundMAX --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\setup.exe" -l0x13 -removeonly
Super Internet TV v7.2 --> "C:\Program Files\Super Internet TV\unins000.exe"
SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
Sygate Personal Firewall Pro --> MsiExec.exe /I{10B446B3-4DF4-4489-A168-8A98F7CD807E}
TeamSpeak 2 RC2 --> "C:\Program Files\Teamspeak2_RC2\unins000.exe"
TI Connect™ 1.3 --> C:\PROGRA~1\TIEDUC~1\TICONN~1\UNWISE.EXE C:\PROGRA~1\TIEDUC~1\TICONN~1\INSTALL.LOG
Virtual DJ - Atomix Productions --> C:\PROGRA~1\VIRTUA~1\UNWISE.EXE C:\PROGRA~1\VIRTUA~1\INSTALL.LOG
WarRock --> C:\Program Files\InstallShield Installation Information\{00D15456-F679-4AD4-8BD2-56450D4C3F72}\setup.exe -runfromtemp -l0x0009 -removeonly
WiFi Hopper --> C:\Program Files\WiFi Hopper\Uninstall.exe
Windows Live Messenger --> MsiExec.exe /I{9816B8B8-4B53-4D3D-9235-AD931252001D}
WinPcap 3.0 --> "C:\Program Files\WinPcap\Uninstall.exe" "C:\Program Files\WinPcap\install.log"
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
Wireshark 0.99.6a --> "C:\Program Files\Wireshark\uninstall.exe"
Xfire (remove only) --> "C:\Program Files\Xfire\uninst.exe"


-- Application Event Log -------------------------------------------------------

Event Record #/Type2284 / Warning
Event Submitted/Written: 12/11/2007 05:30:55 PM
Event ID/Source: 1015 / MsiInstaller
Event Description:
Kan geen verbinding met de server maken. Fout: 0x800401F0

Event Record #/Type2268 / Success
Event Submitted/Written: 12/11/2007 01:20:00 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type2253 / Success
Event Submitted/Written: 12/10/2007 05:20:36 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type2243 / Error
Event Submitted/Written: 12/10/2007 04:03:57 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Vastgelopen toepassing: java.exe, versie: 6.0.30.5, vastgelopen module: hungapp, versie: 0.0.0.0, vastgelopen op: 0x00000000.

Event Record #/Type2242 / Error
Event Submitted/Written: 12/10/2007 03:58:07 PM
Event ID/Source: 1000 / Application Error
Event Description:
Vastgelopen toepassing: client.exe, versie: 1.0.0.1, vastgelopen module: client.exe, versie: 1.0.0.1, vastgelopen op: 0x00070f96.
Verwerken van mediaspecifieke gebeurtenis voor [client.exe!ws!]



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type8299 / Warning
Event Submitted/Written: 12/11/2007 06:13:08 PM
Event ID/Source: 1003 / Dhcp
Event Description:
Deze computer kan het netwerkadres niet vernieuwen (van de DHCP-
server) voor de netwerkkaart met netwerkadres 0018F3B45649. De volgende fout is
opgetreden:
%%121.
De computer zal doorgaan om zelf een adres van de netwerkadresserver
(DHCP-server) proberen te krijgen.

Event Record #/Type8298 / Warning
Event Submitted/Written: 12/11/2007 06:12:26 PM
Event ID/Source: 1003 / Dhcp
Event Description:
Deze computer kan het netwerkadres niet vernieuwen (van de DHCP-
server) voor de netwerkkaart met netwerkadres 0018F3B45649. De volgende fout is
opgetreden:
%%121.
De computer zal doorgaan om zelf een adres van de netwerkadresserver
(DHCP-server) proberen te krijgen.

Event Record #/Type8297 / Warning
Event Submitted/Written: 12/11/2007 06:02:39 PM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP heeft de beveiligingslimiet bereikt van het aantal gelijktijdige verbindingspogingen via TCP.

Event Record #/Type8278 / Warning
Event Submitted/Written: 12/11/2007 03:42:32 PM
Event ID/Source: 1003 / Dhcp
Event Description:
Deze computer kan het netwerkadres niet vernieuwen (van de DHCP-
server) voor de netwerkkaart met netwerkadres 0018F3B45649. De volgende fout is
opgetreden:
%%121.
De computer zal doorgaan om zelf een adres van de netwerkadresserver
(DHCP-server) proberen te krijgen.

Event Record #/Type8277 / Warning
Event Submitted/Written: 12/11/2007 03:41:49 PM
Event ID/Source: 1003 / Dhcp
Event Description:
Deze computer kan het netwerkadres niet vernieuwen (van de DHCP-
server) voor de netwerkkaart met netwerkadres 0018F3B45649. De volgende fout is
opgetreden:
%%121.
De computer zal doorgaan om zelf een adres van de netwerkadresserver
(DHCP-server) proberen te krijgen.



-- End of Deckard's System Scanner: finished at 2007-12-11 18:26:11 ------------




HJT-Log in Deckard's System Scan.
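A triage aid for scan output like the one above, added here as an example (it is not the thread's code nor the scanner author's): it parses the Windows Firewall exception entries and the event-log records in this log format and lists what a helper would check first. The sample log inside is constructed, and treating Program Files / Windows as lower-priority roots is the example's own assumption.

```python
"""Triage helper for a Deckard's System Scanner log (added example, not the
thread's or the scanner's own code): firewall exceptions plus event records."""
import re

# Constructed sample modelled on the format pasted in this thread; paths and
# rule names are illustrative, not taken from the poster's machine.
SAMPLE_LOG = r'''
"C:\\Program Files\\Xfire\\xfire.exe"="C:\\Program Files\\Xfire\\xfire.exe:*:Enabled:Xfire"
"C:\\Documents and Settings\\Owner\\Desktop\\Client_En\\Client.exe"="C:\\Documents and Settings\\Owner\\Desktop\\Client_En\\Client.exe:*:Enabled:NetBot_Attacker"
"C:\\Documents and Settings\\Owner\\Desktop\\game.exe"="C:\\Documents and Settings\\Owner\\Desktop\\game.exe:*:Disabled:Game"
-- System Event Log ------------------------------------------------------------

Event Record #/Type8297 / Warning
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type8278 / Warning
Event ID/Source: 1003 / Dhcp
'''

# One exception as exported: "key"="path:*:Enabled|Disabled:name", backslashes doubled.
FW_RE = re.compile(r'^"[^"]+"="(?P<path>.+?):\*:(?P<state>Enabled|Disabled):(?P<name>[^"]*)"$')
EVENT_RE = re.compile(r'^Event ID/Source:\s*(?P<id>\d+)\s*/\s*(?P<src>\S+)')
TRUSTED_ROOTS = ('c:\\program files\\', 'c:\\windows\\')  # lower priority, not "safe"

def parse_firewall_exceptions(text):
    """Return (path, rule name, enabled) for every firewall exception line."""
    entries = []
    for line in text.splitlines():
        m = FW_RE.match(line.strip())
        if m:
            path = m.group('path').replace('\\\\', '\\')  # undo export doubling
            entries.append((path, m.group('name'), m.group('state') == 'Enabled'))
    return entries

def suspicious_exceptions(text):
    """Enabled exceptions for programs outside Program Files / Windows come first."""
    return [(path, name) for path, name, enabled in parse_firewall_exceptions(text)
            if enabled and not path.lower().startswith(TRUSTED_ROOTS)]

def count_events(text, event_id, source):
    """Count event-log records with the given ID and source."""
    matches = (EVENT_RE.match(line.strip()) for line in text.splitlines())
    return sum(1 for m in matches
               if m and int(m.group('id')) == event_id and m.group('src') == source)

def triage(text):
    """Findings in reading order; Tcpip 4226 is XP SP2's half-open connection limit."""
    findings = [f'firewall exception outside trusted roots: {name} -> {path}'
                for path, name in suspicious_exceptions(text)]
    if count_events(text, 4226, 'Tcpip'):  # bots scanning outbound trip it; so do P2P clients
        findings.append('Tcpip 4226 seen: check for outbound connection flooding')
    return findings
```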

#12 lusitano

lusitano

    Portuguese Malware Fighter

  • Members
  • 1,443 posts
  • Gender:Male
  • Location:Portugal

Posted 14 December 2007 - 07:15 AM

Hello satax,

Sorry for the late answer and thanks for your patience.

Your log doesn't show an antivirus software running. :thumbsup:
This is somewhat suicidal in today's digital world. If you have disabled your antivirus software, please re-enable it or you need to install an antivirus program as soon as you can and run a complete scan of the computer.
Please download and install one of these good (and free) products:

Avira Antivir
Avast
AVG


Install just one of these products and then run a full scan. Let it quarantine/delete anything it finds. Let me know if there is anything that it reports but can not remove.

Note: I do not recommend that you have more than one anti virus product installed and running on your computer at a time.
The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti virus products to raise "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:

1) False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.

Once you have installed the antivirus program and updated its definition files, please do a full scan with it!


Now, right-click the Desktop and select New --> Folder --> name it SysClean
  • Download the Sysclean Package to the folder you made.
  • Next, download the Virus Pattern Files (Official Pattern Release) to your desktop from Here
  • Right-click and select Extract All to unzip the folder.
  • Now, from the unzipped folder, move the lpt$vpn.XXX file to the SysClean folder.
  • Restart in SAFE MODE (tap F8 when restarting)
  • Open the SysClean folder and double-click sysclean.com
  • Be sure Automatically clean or delete detected files is checked.
  • Click the Scan button to begin. Please be patient; it will take a little bit to finish.
  • Once complete, verify the log from the scan (SYSCLEAN.LOG) is in the SysClean folder and restart back to Normal Mode.
  • Copy & Paste those results in the next reply.
Tutorial from Trend
http://esupport.trendmicro.com/support/vie...entID=en-125991


In your next reply put the contents from SYSCLEAN.LOG, along with a new HijackThis log.

Regards
Please do not PM me asking for support.
Please be courteous, polite, and say thank you.
Please post the final results, good or bad. We like to know!



