Spyware I Can't Get Rid Off


  • This topic is locked
10 replies to this topic

#1 Nelisje
  • Members
  • 5 posts

Posted 16 June 2008 - 09:02 AM

I ran XoftSpySE and Hitman Pro and used CWShredder and SmitfraudFix, and the spyware is still present. I get IE popups regularly, and weird popups I have never seen before, like:
(image)
and my background turned into:
Warning: Spyware threat has been detected on your PC.

Your computer has several fatal errors due to spyware activity.
It is strongly reommended to install an antispyware software to close all security vulnerabilities.
Antispyware software helps protect your PC against spyware and other security threats
Below that is a link, which is 'http://windows-privacy-protection.com/?aid=444.470'

My Task Manager is also disabled.
I can set the value in the registry to 0, but it is instantly reset to 1.

That's why I'm trying HijackThis now. I hope I copied the whole log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:01:23, on 16-6-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\iftuyszv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Documents and Settings\Cornelis\Mijn documenten\s?stem\r?ndll32.exe
C:\DOCUME~1\Cornelis\MIJNDO~1\MANTEC~1\wuauclt.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.nl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\iftuyszv.exe,
O2 - BHO: (no name) - {00110011-4b0b-44d5-9718-90c88817369b} - (no file)
O2 - BHO: (no name) - {086ae192-23a6-48d6-96ec-715f53797e85} - (no file)
O2 - BHO: (no name) - {150fa160-130d-451f-b863-b655061432ba} - (no file)
O2 - BHO: (no name) - {17da0c9e-4a27-4ac5-bb75-5d24b8cdb972} - (no file)
O2 - BHO: (no name) - {1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb1} - (no file)
O2 - BHO: (no name) - {1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb2} - (no file)
O2 - BHO: (no name) - {26D6C823-05ED-404F-95D5-B86637C6E927} - C:\WINDOWS\system32\wvUoLcaX.dll
O2 - BHO: (no name) - {2d38a51a-23c9-48a1-a33c-48675aa2b494} - (no file)
O2 - BHO: (no name) - {2e9caff6-30c7-4208-8807-e79d4ec6f806} - (no file)
O2 - BHO: (no name) - {467faeb2-5f5b-4c81-bae0-2a4752ca7f4e} - (no file)
O2 - BHO: (no name) - {5321e378-ffad-4999-8c62-03ca8155f0b3} - (no file)
O2 - BHO: (no name) - {587dbf2d-9145-4c9e-92c2-1f953da73773} - (no file)
O2 - BHO: (no name) - {6cc1c91a-ae8b-4373-a5b4-28ba1851e39a} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: (no name) - {79369d5c-2903-4b7a-ade2-d5e0dee14d24} - (no file)
O2 - BHO: (no name) - {799a370d-5993-4887-9df7-0a4756a77d00} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {98dbbf16-ca43-4c33-be80-99e6694468a4} - (no file)
O2 - BHO: (no name) - {a55581dc-2cdb-4089-8878-71a080b22342} - (no file)
O2 - BHO: (no name) - {b847676d-72ac-4393-bfff-43a1eb979352} - (no file)
O2 - BHO: (no name) - {bc97b254-b2b9-4d40-971d-78e0978f5f26} - (no file)
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765721306} - (no file)
O2 - BHO: (no name) - {e2ddf680-9905-4dee-8c64-0a5de7fe133c} - (no file)
O2 - BHO: (no name) - {e3eebbe8-9cab-4c76-b26a-747e25ebb4c6} - (no file)
O2 - BHO: (no name) - {e7afff2a-1b57-49c7-bf6b-e5123394c970} - (no file)
O2 - BHO: (no name) - {fcaddc14-bd46-408a-9842-cdbe1c6d37eb} - (no file)
O2 - BHO: (no name) - {fd9bc004-8331-4457-b830-4759ff704c22} - (no file)
O2 - BHO: (no name) - {ff1bf4c7-4e08-4a28-a43f-9d60a9f7a880} - (no file)
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [dce92730] rundll32.exe "C:\WINDOWS\system32\jktqvlnv.dll",b
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Judxl] "C:\Documents and Settings\Cornelis\Mijn documenten\s?stem\r?ndll32.exe"
O4 - HKCU\..\Run: [Soab] "C:\DOCUME~1\Cornelis\MIJNDO~1\MANTEC~1\wuauclt.exe" -vt yazb
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1211796034840
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

--
End of file - 6779 bytes
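As an added example (not part of this thread, and not a tool from BleepingComputer, Trend Micro or any of the helpers here), the script below applies to HijackThis lines the checks a log reader applies by eye to the log above: a UserInit value that chains extra executables (F2), BHOs registered with no name or with no backing file (O2), Run entries that launch from a user profile folder or load a system32 DLL through rundll32 (O4), and services with no vendor string (O23). The sample log is a constructed subset of the entries quoted in the post; the heuristics, severities and function names are the example's own assumptions, not HijackThis output.

```python
"""Triage a HijackThis (HJT) log for the entry types a helper inspects first.

Added example: the heuristics are the example's own, not a BleepingComputer or
Trend Micro tool. SAMPLE_LOG is a constructed subset of the log quoted above.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\iftuyszv.exe,
O2 - BHO: (no name) - {00110011-4b0b-44d5-9718-90c88817369b} - (no file)
O2 - BHO: (no name) - {26D6C823-05ED-404F-95D5-B86637C6E927} - C:\WINDOWS\system32\wvUoLcaX.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [dce92730] rundll32.exe "C:\WINDOWS\system32\jktqvlnv.dll",b
O4 - HKCU\..\Run: [Judxl] "C:\Documents and Settings\Cornelis\Mijn documenten\s?stem\r?ndll32.exe"
O4 - HKCU\..\Run: [Soab] "C:\DOCUME~1\Cornelis\MIJNDO~1\MANTEC~1\wuauclt.exe" -vt yazb
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
"""


@dataclass(frozen=True)
class Finding:
    section: str   # HJT section code: "F2", "O2", "O4" or "O23"
    severity: str  # "high", "low" or "info"
    reason: str
    line: str


# The only executable UserInit names on a stock Windows XP install.
USERINIT_OK = r"c:\windows\system32\userinit.exe"
# Path fragments that mean an autostart target lives inside a user profile.
PROFILE_MARKERS = ("documents and settings", "docume~1")


def _check_f2(line: str) -> list[Finding]:
    """UserInit is a comma-separated list; anything past userinit.exe is suspect."""
    m = re.match(r"F2 - REG:system\.ini: UserInit=(.*)$", line)
    if not m:
        return []
    entries = [e.strip() for e in m.group(1).split(",") if e.strip()]
    extras = [e for e in entries if e.lower() != USERINIT_OK]
    if not extras:
        return []
    return [Finding("F2", "high", "UserInit chains extra executables: " + ", ".join(extras), line)]


def _check_o2(line: str) -> list[Finding]:
    """BHOs: '(no file)' is a dead registration; '(no name)' with a DLL is live and unlabelled."""
    m = re.match(r"O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$", line)
    if not m:
        return []
    name, clsid, path = m.groups()
    if path == "(no file)":
        return [Finding("O2", "low", f"orphaned BHO registration {clsid}", line)]
    if name == "(no name)":
        return [Finding("O2", "high", f"unnamed BHO backed by {path}", line)]
    return []


def _check_o4(line: str) -> list[Finding]:
    """Run keys: flag targets in user profiles and rundll32-loaded system32 DLLs."""
    m = re.match(r"O4 - (\S+): \[([^\]]*)\] (.*)$", line)
    if not m:
        return []
    _key, value_name, cmd = m.groups()
    low = cmd.lower()
    if any(marker in low for marker in PROFILE_MARKERS):
        return [Finding("O4", "high", f"{value_name} autostarts from a user profile folder", line)]
    if low.startswith("rundll32.exe") and "system32" in low and ".dll" in low:
        return [Finding("O4", "high", f"{value_name} loads a system32 DLL via rundll32", line)]
    return []


def _check_o23(line: str) -> list[Finding]:
    """Services without a vendor string are not malicious per se, but need a publisher check."""
    m = re.match(r"O23 - Service: (.*?) - (.*?) - (.*)$", line)
    if not m:
        return []
    name, owner, path = m.groups()
    if owner == "Unknown owner":
        return [Finding("O23", "info", f"service {name} has no vendor string; verify publisher of {path}", line)]
    return []


CHECKS = (_check_f2, _check_o2, _check_o4, _check_o23)


def triage(log_text: str) -> list[Finding]:
    """Run every check over every non-blank line, preserving log order."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line:
            for check in CHECKS:
                findings.extend(check(line))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity, e.g. {"high": 5, "low": 1, "info": 1}."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:4}] {f.section}: {f.reason}")
```

On the sample, the orphaned BHO CLSIDs rank low because a "(no file)" entry cannot execute; the live unnamed BHO, the extra UserInit executable, and the three Run entries rank high because each is a persistence point pointing at a binary outside any vendor's install path. The PunkBuster services show up only as an informational item: "Unknown owner" is a missing vendor string, not evidence by itself.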


#2 Buckeye_Sam
    Malware Expert
  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 16 June 2008 - 11:17 AM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you.

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
alternate download site

DSS will do the following:
  • Create a new System Restore point in Windows XP and Vista.
  • Clean your Temporary Files, Downloaded Program Files, Internet Cache Files, and empty the Recycle Bin on all drives.
  • Check some important areas of your system and produce a report for an analyst to review.
  • Automatically run HijackThis. It will also install and place a shortcut to HijackThis on your desktop if you do not already have it installed. So if HijackThis is not installed and DSS prompts you to download it, please answer yes.
You must be logged onto an account with administrator privileges when using it.
  • Close all applications and windows.
  • Double-click on dss.exe to run it and follow the prompts.
  • If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
  • When the scan is complete, two text files will open in Notepad:
    • main.txt <- this one will be maximized
    • extra.txt <- this one will be minimized
  • If not, they both can be found in the C:\Deckard\System Scanner folder.
  • Please copy (Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt in your next reply.
-- When running DSS, some firewalls may warn that it is trying to access the Internet, especially if you're asked to download the most current version of HijackThis. Please ensure that you allow it permission to do so.
-- If you get a warning from your anti-virus while DSS is scanning, please allow DSS to continue as the scan is not harmful.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 Nelisje
  • Topic Starter
  • Members
  • 5 posts

Posted 17 June 2008 - 10:16 AM

Hi Sam,
Unfortunately I can't complete the DSS scan, it seems: when it is examining the event logs it crashes. I also tried it in safe mode, but that doesn't seem to work either. It hasn't created any logfile yet, so there is no log up to the point where it crashes.

Is there any workaround? Or do I have to reinstall the whole system (something I did just 3 weeks ago)?

#4 Buckeye_Sam
    Malware Expert
  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 18 June 2008 - 08:53 AM

No reason for extreme measures. Let's use another tool.

Please download ComboFix and save it to your desktop.
Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Double-click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

#5 Nelisje
  • Topic Starter
  • Members
  • 5 posts

Posted 18 June 2008 - 11:30 AM

Thanks!
It took only 4 minutes to scan/fix/delete and create a logfile.

I ran the program in safe mode, because it's the only mode where I can access bleepingcomputer.com, and I was too lazy to run it in Normal Mode; if that is necessary, I will run it in Normal Mode though. I tried DSS now just in case and it works; do you want me to post those logs too?
Here it is:
(it's in Dutch, though, for some reason) If you need a translation, please say so.

ComboFix 08-06-16.5 - Cornelis 2008-06-18 18:19:57.1 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1043.18.1769 [GMT 2:00]
Gestart vanuit: C:\Documents and Settings\Cornelis\Bureaublad\ComboFix.exe

WAARSCHUWING - DE RECOVERY CONSOLE IS NIET OP DIT SYSTEEM GEINSTALLEERD !!
.

(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Cornelis\Mijn documenten\MANTEC~1
C:\Documents and Settings\Cornelis\Mijn documenten\MANTEC~1\??mantec\
C:\Documents and Settings\Cornelis\Mijn documenten\SSTEM~1
C:\Documents and Settings\Cornelis\Mijn documenten\SSTEM~1\r?ndll32.exe
C:\Documents and Settings\NetworkService\Application Data\NetMon
C:\Documents and Settings\NetworkService\Application Data\NetMon\domains.txt
C:\Documents and Settings\NetworkService\Application Data\NetMon\log.txt
C:\Program Files\AntiSpywareMaster
C:\Program Files\network monitor
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\WINDOWS\accesss.exe
C:\WINDOWS\astctl32.ocx
C:\WINDOWS\avpcc.dll
C:\WINDOWS\BMdfda14ac.xml
C:\WINDOWS\clrssn.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\cpan.dll
C:\WINDOWS\ctfmon32.exe
C:\WINDOWS\ctrlpan.dll
C:\WINDOWS\default.htm
C:\WINDOWS\directx32.exe
C:\WINDOWS\dnsrelay.dll
C:\WINDOWS\editpad.exe
C:\WINDOWS\explore.exe
C:\WINDOWS\explorer32.exe
C:\WINDOWS\funniest.exe
C:\WINDOWS\funny.exe
C:\WINDOWS\gfmnaaa.dll
C:\WINDOWS\helpcvs.exe
C:\WINDOWS\iedll.exe
C:\WINDOWS\iexplorer.exe
C:\WINDOWS\inetinf.exe
C:\WINDOWS\internet.exe
C:\WINDOWS\loader.exe
C:\WINDOWS\mainms.vpi
C:\WINDOWS\msconfd.dll
C:\WINDOWS\msspi.dll
C:\WINDOWS\msupdate.exe
C:\WINDOWS\mswsc10.dll
C:\WINDOWS\mswsc20.dll
C:\WINDOWS\mtwirl32.dll
C:\WINDOWS\notepad32.exe
C:\WINDOWS\olehelp.exe
C:\WINDOWS\pskt.ini
C:\WINDOWS\qttasks.exe
C:\WINDOWS\quicken.exe
C:\WINDOWS\rundll16.exe
C:\WINDOWS\rundll32.vbe
C:\WINDOWS\searchword.dll
C:\WINDOWS\sistem.exe
C:\WINDOWS\svchost32.exe
C:\WINDOWS\svcinit.exe
C:\WINDOWS\systeem.exe
C:\WINDOWS\system32\jkkHYOIx.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\nguismjn.dll
C:\WINDOWS\system32\njmsiugn.ini
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\rwwnw64d.exe
C:\WINDOWS\system32\tcntaxdn.exe
C:\WINDOWS\system32\tuvTlKBq.dll
C:\WINDOWS\system32\vnlvqtkj.ini
C:\WINDOWS\system32\wvUoLcaX.dll
C:\WINDOWS\system32\wywknjnn.dll
C:\WINDOWS\system32\XacLoUvw.ini
C:\WINDOWS\system32\XacLoUvw.ini2
C:\WINDOWS\system32\xykrspmi.dll
C:\WINDOWS\systemcritical.exe
C:\WINDOWS\time.exe
C:\WINDOWS\users32.exe
C:\WINDOWS\waol.exe
C:\WINDOWS\win32e.exe
C:\WINDOWS\win64.exe
C:\WINDOWS\winajbm.dll
C:\WINDOWS\window.exe
C:\WINDOWS\winmgnt.exe
C:\WINDOWS\x.exe
C:\WINDOWS\xplugin.dll
C:\WINDOWS\xxxvideo.hta
C:\WINDOWS\y.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CMDSERVICE
-------\Legacy_MSSECURITY1.209.4
-------\Legacy_NETWORK_MONITOR


(((((((((((((((((((( Bestanden Gemaakt van 2008-05-18 to 2008-06-18 ))))))))))))))))))))))))))))))
.

2008-06-17 16:55 . 2008-06-17 16:55 <DIR> d-------- C:\Deckard
2008-06-16 21:26 . 2008-06-17 13:30 <DIR> dr-h----- C:\Documents and Settings\L.J. Poppema\Onlangs geopend
2008-06-16 19:07 . 2008-06-17 16:53 <DIR> d-------- C:\Program Files\Yahoo!
2008-06-16 18:43 . 2008-06-16 18:44 96,381 --a------ C:\WINDOWS\hpqins11.dat
2008-06-16 15:46 . 2008-06-16 15:46 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-16 15:23 . 2008-06-16 15:31 1,984 --a------ C:\WINDOWS\system32\tmp.reg
2008-06-16 15:22 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-06-16 15:22 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-06-16 15:22 . 2008-05-29 09:35 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-06-16 15:22 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-06-16 15:22 . 2008-06-15 15:28 81,920 --a------ C:\WINDOWS\system32\IEDFix.C.exe
2008-06-16 15:22 . 2008-05-23 18:21 81,920 --a------ C:\WINDOWS\system32\404Fix.exe
2008-06-16 15:22 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-06-16 15:22 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-06-16 15:22 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-06-16 14:33 . 2008-06-16 14:33 2,422 --a------ C:\WINDOWS\system32\wpa.bak
2008-06-16 13:19 . 2008-06-16 13:19 <DIR> d-------- C:\WINDOWS\system32\GroupPolicy
2008-06-16 13:18 . 2008-06-16 14:23 <DIR> d-------- C:\Program Files\Hitman Pro
2008-06-16 13:06 . 2008-05-26 11:27 <DIR> d--h----- C:\Documents and Settings\Administrator\Sjablonen
2008-06-16 13:06 . 2008-05-26 13:21 <DIR> d--h----- C:\Documents and Settings\Administrator\Onlangs geopend
2008-06-16 13:06 . 2008-05-26 13:21 <DIR> d--h----- C:\Documents and Settings\Administrator\Netwerkprinteromgeving
2008-06-16 13:06 . 2008-05-26 13:21 <DIR> d-------- C:\Documents and Settings\Administrator\Mijn documenten
2008-06-16 13:06 . 2008-05-26 13:21 <DIR> dr------- C:\Documents and Settings\Administrator\Menu Start
2008-06-16 13:06 . 2008-06-16 13:07 <DIR> d-------- C:\Documents and Settings\Administrator\Favorieten
2008-06-16 13:06 . 2008-05-26 13:21 <DIR> d-------- C:\Documents and Settings\Administrator\Bureaublad
2008-06-16 13:06 . 2008-06-16 13:06 <DIR> d-------- C:\Documents and Settings\Administrator
2008-06-16 12:57 . 2008-06-17 22:17 <DIR> d-------- C:\Program Files\XoftSpySE
2008-06-16 12:52 . 2008-06-16 19:25 <DIR> d--hs---- C:\WINDOWS\TC5KLiBQb3BwZW1h
2008-06-16 12:52 . 2008-06-16 12:52 <DIR> d-------- C:\WINDOWS\system32\netrax01
2008-06-16 12:52 . 2008-06-16 12:52 <DIR> d-------- C:\WINDOWS\system32\ncT
2008-06-16 12:52 . 2008-06-16 19:25 <DIR> d-------- C:\WINDOWS\system32\MRI
2008-06-16 12:52 . 2008-06-16 12:52 <DIR> d-------- C:\WINDOWS\system32\goc
2008-06-16 12:52 . 2008-06-16 19:25 <DIR> d-------- C:\WINDOWS\system32\ert
2008-06-16 12:52 . 2008-06-16 12:52 <DIR> d-------- C:\Temp\itmp4
2008-06-16 12:52 . 2008-06-18 18:20 <DIR> d-------- C:\Temp
2008-06-16 12:52 . 2008-06-16 12:52 <DIR> dr------- C:\Documents and Settings\NetworkService\Favorieten
2008-06-16 12:52 . 2008-06-16 12:52 25,600 --a------ C:\WINDOWS\system32\hgGAtusS.dll__DELETE_ON_REBOOT
2008-06-16 12:50 . 2008-06-16 12:50 <DIR> d-------- C:\WINDOWS\Torrents
2008-06-16 12:49 . 2008-06-16 13:37 42,392 --a------ C:\WINDOWS\msoupdater.config
2008-06-16 12:49 . 2008-06-16 12:49 3,262 --a------ C:\WINDOWS\system32\sex3.ico
2008-06-16 12:49 . 2008-06-16 12:49 3,262 --a------ C:\WINDOWS\system32\sex2.ico
2008-06-16 12:48 . 2008-06-16 12:48 3,262 --a------ C:\WINDOWS\system32\sex1.ico
2008-06-14 21:11 . 2008-06-14 21:11 <DIR> d-------- C:\Documents and Settings\Cornelis\Application Data\ClonySoft
2008-06-10 09:59 . 2008-06-10 09:59 <DIR> d-------- C:\WINDOWS\Sun
2008-06-09 20:15 . 2008-06-09 20:15 <DIR> d--h----- C:\WINDOWS\PIF
2008-06-08 04:13 . 2008-06-08 04:13 32,768 --a------ C:\WINDOWS\system32\netrax01\netrax011065.exe
2008-06-07 17:03 . 2008-06-07 17:03 244 --ah----- C:\sqmnoopt01.sqm
2008-06-07 17:03 . 2008-06-07 17:03 232 --ah----- C:\sqmdata01.sqm
2008-06-05 15:09 . 2008-06-05 15:09 <DIR> d-------- C:\Documents and Settings\Adrian\Application Data\HP
2008-06-03 02:56 . 2008-06-03 02:56 41,296 --a------ C:\WINDOWS\system32\xfcodec.dll
2008-06-02 10:20 . 2008-06-02 10:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-02 09:15 . 2008-06-17 21:57 <DIR> d-------- C:\Documents and Settings\Cornelis\Application Data\uTorrent
2008-05-31 19:53 . 2008-05-31 19:53 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Xfire
2008-05-27 17:00 . 2001-09-06 19:04 12,288 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-05-27 17:00 . 2001-09-06 19:04 12,288 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2008-05-27 17:00 . 2001-08-17 22:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2008-05-27 17:00 . 2001-08-17 22:02 9,600 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys
2008-05-27 14:59 . 2008-05-27 14:59 <DIR> d---s---- C:\Documents and Settings\L.J. Poppema\UserData
2008-05-27 09:31 . 2008-06-10 20:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-05-27 09:29 . 2006-10-26 19:58 30,512 --a------ C:\WINDOWS\system32\mdimon.dll
2008-05-27 09:29 . 2008-06-07 16:45 395 --a------ C:\WINDOWS\ODBC.INI
2008-05-27 09:28 . 2008-05-27 09:31 <DIR> d-------- C:\WINDOWS\SHELLNEW
2008-05-27 09:28 . 2008-05-27 09:28 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-05-27 09:28 . 2008-05-27 09:32 <DIR> d-------- C:\Program Files\Microsoft Works
2008-05-27 09:26 . 2008-05-27 09:26 <DIR> dr-h----- C:\MSOCache
2008-05-27 09:26 . 2008-05-27 09:26 <DIR> d-------- C:\Documents and Settings\L.J. Poppema\Application Data\DAEMON Tools
2008-05-27 09:19 . 2008-05-27 09:19 <DIR> d-------- C:\Documents and Settings\L.J. Poppema\Application Data\HP
2008-05-26 19:01 . 2008-06-17 16:55 <DIR> d-------- C:\Documents and Settings\Cornelis\Application Data\HP
2008-05-26 18:51 . 2008-05-26 18:51 <DIR> d-------- C:\Documents and Settings\Annet\Application Data\HP
2008-05-26 18:51 . 2008-05-26 18:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\HP
2008-05-26 18:50 . 2008-05-26 18:51 <DIR> d-------- C:\Program Files\Common Files\HP
2008-05-26 18:49 . 2008-05-26 18:49 <DIR> d-------- C:\Program Files\Hewlett-Packard
2008-05-26 18:49 . 2008-05-26 18:49 <DIR> d-------- C:\Program Files\Common Files\Hewlett-Packard
2008-05-26 18:48 . 2006-01-03 20:12 77,824 -ra------ C:\WINDOWS\system32\HPZIDS01.dll
2008-05-26 18:48 . 2006-04-12 14:04 49,664 -ra------ C:\WINDOWS\system32\drivers\HPZid412.sys
2008-05-26 18:48 . 2006-04-10 14:03 48,128 --a------ C:\WINDOWS\system32\hpzll054.dll
2008-05-26 18:48 . 2006-04-12 14:04 16,496 -ra------ C:\WINDOWS\system32\drivers\HPZipr12.sys
2008-05-26 18:48 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-05-26 18:48 . 2004-08-03 22:58 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
2008-05-26 18:47 . 1998-10-29 16:45 306,688 --a------ C:\WINDOWS\IsUninst.exe
2008-05-26 18:47 . 2006-03-03 21:03 282,680 --a------ C:\WINDOWS\system32\HPZidr12.dll
2008-05-26 18:47 . 2006-03-03 21:02 204,800 --a------ C:\WINDOWS\system32\HPZipr12.dll
2008-05-26 18:47 . 2006-03-03 21:02 94,208 --a------ C:\WINDOWS\system32\HPZipt12.dll
2008-05-26 18:47 . 2007-08-09 09:27 73,728 --a------ C:\WINDOWS\system32\HPZipm12.exe
2008-05-26 18:47 . 2006-03-03 21:03 65,536 --a------ C:\WINDOWS\system32\HPZinw12.exe
2008-05-26 18:47 . 2006-03-03 21:02 57,344 --a------ C:\WINDOWS\system32\HPZisn12.dll
2008-05-26 18:46 . 2008-05-26 18:51 <DIR> d-------- C:\Program Files\HP
2008-05-26 18:46 . 2008-05-26 18:51 120,233 --a------ C:\WINDOWS\hpoins11.dat
2008-05-26 18:46 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-05-26 18:46 . 2004-08-03 23:08 31,616 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
2008-05-26 18:46 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-05-26 18:46 . 2004-08-03 23:01 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2008-05-26 18:37 . 2008-05-26 11:27 <DIR> d--h----- C:\Documents and Settings\Annet\Sjablonen
2008-05-26 18:37 . 2008-06-07 16:55 <DIR> dr-h----- C:\Documents and Settings\Annet\Onlangs geopend
2008-05-26 18:37 . 2008-05-26 13:21 <DIR> d--h----- C:\Documents and Settings\Annet\Netwerkprinteromgeving
2008-05-26 18:37 . 2008-06-07 16:52 <DIR> dr------- C:\Documents and Settings\Annet\Mijn documenten
2008-05-26 18:37 . 2008-05-26 13:21 <DIR> dr------- C:\Documents and Settings\Annet\Menu Start
2008-05-26 18:37 . 2008-05-26 18:37 <DIR> dr------- C:\Documents and Settings\Annet\Favorieten
2008-05-26 18:37 . 2008-05-26 13:21 <DIR> d-------- C:\Documents and Settings\Annet\Bureaublad
2008-05-26 18:37 . 2008-05-26 18:37 <DIR> d-------- C:\Documents and Settings\Annet\Application Data\ATI
2008-05-26 18:37 . 2008-05-26 18:37 <DIR> d-------- C:\Documents and Settings\Annet
2008-05-26 18:36 . 2008-05-26 11:27 <DIR> d--h----- C:\Documents and Settings\Adrian\Sjablonen
2008-05-26 18:36 . 2008-05-26 18:36 <DIR> dr-h----- C:\Documents and Settings\Adrian\Onlangs geopend
2008-05-26 18:36 . 2008-05-26 13:21 <DIR> d--h----- C:\Documents and Settings\Adrian\Netwerkprinteromgeving
2008-05-26 18:36 . 2008-06-06 14:48 <DIR> dr------- C:\Documents and Settings\Adrian\Mijn documenten
2008-05-26 18:36 . 2008-05-26 13:21 <DIR> dr------- C:\Documents and Settings\Adrian\Menu Start
2008-05-26 18:36 . 2008-05-26 18:36 <DIR> dr------- C:\Documents and Settings\Adrian\Favorieten
2008-05-26 18:36 . 2008-05-26 13:21 <DIR> d-------- C:\Documents and Settings\Adrian\Bureaublad
2008-05-26 18:36 . 2008-05-26 18:36 <DIR> d-------- C:\Documents and Settings\Adrian\Application Data\ATI
2008-05-26 18:36 . 2008-05-26 18:36 <DIR> d-------- C:\Documents and Settings\Adrian
2008-05-26 14:03 . 2008-04-29 17:48 3,688,960 --a------ C:\WINDOWS\system32\drivers\RtHDMI.sys
2008-05-26 14:03 . 2008-04-02 09:27 1,196,032 --a------ C:\WINDOWS\RtkUpd.exe
2008-05-26 14:00 . 2008-05-26 14:00 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-05-26 14:00 . 2008-06-17 21:29 107,832 --a------ C:\WINDOWS\system32\PnkBstrB.exe
2008-05-26 14:00 . 2008-05-26 14:00 66,872 --a------ C:\WINDOWS\system32\PnkBstrA.exe
2008-05-26 14:00 . 2008-06-17 21:29 22,328 --a------ C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-05-26 12:47 . 2008-05-26 12:47 <DIR> d-------- C:\Program Files\MSN BackUp
2008-05-26 12:41 . 2008-05-26 12:41 <DIR> d-------- C:\Program Files\DAEMON Tools Lite
2008-05-26 12:14 . 2008-05-26 12:14 <DIR> d-------- C:\Program Files\Foxit Software
2008-05-26 12:13 . 2006-03-02 14:00 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-05-26 12:12 . 2008-05-26 12:12 <DIR> d-------- C:\Documents and Settings\Cornelis\Contacts
2008-05-26 12:11 . 2008-05-26 13:43 <DIR> d-------- C:\Program Files\StuffPlug3
2008-05-26 12:11 . 2008-05-26 12:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Messenger Plus!
2008-05-26 12:10 . 2008-05-26 12:10 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-05-26 12:10 . 2008-05-26 12:10 <DIR> d-------- C:\Program Files\Messenger Plus! Live

.
((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-17 19:55 --------- d-----w C:\Documents and Settings\Cornelis\Application Data\Xfire
2008-06-17 19:44 --------- d-----w C:\Program Files\WarRock
2008-06-10 10:42 --------- d-----w C:\Program Files\Xfire
2008-05-26 11:45 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-26 11:22 --------- d-----w C:\Documents and Settings\L.J. Poppema\Application Data\ATI
2008-05-26 11:20 --------- d-----w C:\Program Files\Realtek
2008-05-26 11:16 --------- d-----w C:\Documents and Settings\Cornelis\Application Data\CyberLink
2008-05-26 11:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\CyberLink
2008-05-26 11:14 --------- d-----w C:\Program Files\BearShare Pro
2008-05-26 11:13 --------- d-----w C:\Program Files\Webteh
2008-05-26 11:04 --------- d-----w C:\Program Files\Intel
2008-05-26 09:55 --------- d-----w C:\Documents and Settings\Cornelis\Application Data\InstallShield
2008-05-26 09:55 --------- d-----w C:\Documents and Settings\Cornelis\Application Data\ATI
2008-05-26 09:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\ATI
2008-05-26 09:53 --------- d-----w C:\Program Files\ATI Technologies
2008-05-26 09:48 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-05-26 09:36 315,392 ----a-w C:\WINDOWS\HideWin.exe
2008-05-26 09:29 --------- d-----w C:\Program Files\microsoft frontpage
2008-05-12 16:30 3,007,488 ----a-w C:\WINDOWS\system32\drivers\ati2mtag.sys
2008-04-07 14:06 9,715,200 ----a-r C:\WINDOWS\RTLCPL.exe
2008-04-07 14:06 86,016 ----a-r C:\WINDOWS\SoundMan.exe
2008-04-07 14:06 2,808,832 ----a-r C:\WINDOWS\alcwzrd.exe
2008-04-07 14:06 2,165,760 ----a-r C:\WINDOWS\MicCal.exe
2008-04-07 14:06 16,859,136 ----a-r C:\WINDOWS\RTHDCPL.exe
2008-04-07 14:06 1,826,816 ----a-r C:\WINDOWS\SkyTel.exe
2008-04-07 14:06 1,191,936 ----a-r C:\WINDOWS\RtlUpd.exe
.

((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2006-03-02 14:00 15360]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]
"Judxl"="C:\Documents and Settings\Cornelis\Mijn documenten\s?stem\r?ndll32.exe" [ ]
"Soab"="C:\DOCUME~1\Cornelis\MIJNDO~1\MANTEC~1\wuauclt.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 12:17 61440]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
"RTHDCPL"="RTHDCPL.EXE" [2008-04-07 16:06 16859136 C:\WINDOWS\RTHDCPL.exe]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 02:41 49152]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-03-02 14:00 15360]

C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 04:21:22 288472]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll

[HKLM\~\startupfolder\C:^Documents and Settings^Cornelis^Menu Start^Programma's^Opstarten^Deewoo.lnk]
path=C:\Documents and Settings\Cornelis\Menu Start\Programma's\Opstarten\Deewoo.lnk
backup=C:\WINDOWS\pss\Deewoo.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Cornelis^Menu Start^Programma's^Opstarten^DW_Start.lnk]
path=C:\Documents and Settings\Cornelis\Menu Start\Programma's\Opstarten\DW_Start.lnk
backup=C:\WINDOWS\pss\DW_Start.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ExploreUpdSched]
C:\WINDOWS\system32\tcntaxdn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]
C:\WINDOWS\system32\winupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{92-27-79-9F-DW}]
C:\windows\system32\rwwnw64d.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Xfire\\xfire.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\MSN BackUp\\MSNBackup.exe"=
"C:\\Program Files\\BearShare Pro\\Bearshare.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"C:\\Documents and Settings\\Cornelis\\Bureaublad\\Music project\\uTorrent\\utorrent.exe"=
"C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=

R3 RTHDMIAzAudService;Service for HDMI;C:\WINDOWS\system32\drivers\RtHDMI.sys [2008-04-29 17:48]

.
Inhoud van de 'Gedeelde Taken' map
"2008-06-18 16:22:35 C:\WINDOWS\Tasks\XoftSpySE 2.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
"2008-06-16 10:57:48 C:\WINDOWS\Tasks\XoftSpySE.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-18 18:22:42
Windows 5.1.2600 Service Pack 2 NTFS

scannen van verborgen processen ...

scannen van verborgen autostart items ...

scannen van verborgen bestanden ...

Scan succesvol afgerond
verborgen bestanden: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
.
**************************************************************************
.
Voltooingstijd: 2008-06-18 18:23:53 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-18 16:23:51

Pre-Run: 8,205,221,888 bytes beschikbaar
Post-Run: 8,206,381,056 bytes beschikbaar

347

#6 Buckeye_Sam
Malware Expert
  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 18 June 2008 - 04:25 PM

No, that's fine. We can work through it from the info on this log.

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File(in the menu at the top)>Save as../Save as Type: 'All Files' /File name: CFScript to your desktop.

Folder::
C:\WINDOWS\TC5KLiBQb3BwZW1h
C:\WINDOWS\system32\netrax01
C:\WINDOWS\system32\ncT
C:\WINDOWS\system32\MRI
C:\WINDOWS\system32\goc
C:\WINDOWS\system32\ert
C:\Temp\itmp4
C:\Documents and Settings\NetworkService\Favorieten

File::
C:\WINDOWS\system32\hgGAtusS.dll__DELETE_ON_REBOOT
C:\WINDOWS\msoupdater.config
C:\WINDOWS\system32\sex3.ico
C:\WINDOWS\system32\sex2.ico
C:\WINDOWS\system32\sex1.ico
C:\WINDOWS\system32\netrax01\netrax011065.exe

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Judxl"=-
"Soab"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ExploreUpdSched]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{92-27-79-9F-DW}]

Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

Posted Image

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.


================



Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#7 Nelisje
  • Topic Starter
  • Members
  • 5 posts

Posted 19 June 2008 - 11:53 AM

Okay, Combofix.txt:
ComboFix 08-06-16.5 - Cornelis 2008-06-19 17:04:42.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1043.18.1648 [GMT 2:00]
Gestart vanuit: C:\Documents and Settings\Cornelis\Bureaublad\ComboFix.exe
Command switches used :: C:\Documents and Settings\Cornelis\Bureaublad\CFScript.txt
* Nieuw herstelpunt werd aangemaakt

WAARSCHUWING - DE RECOVERY CONSOLE IS NIET OP DIT SYSTEEM GEINSTALLEERD !!

FILE ::
C:\WINDOWS\msoupdater.config
C:\WINDOWS\system32\hgGAtusS.dll__DELETE_ON_REBOOT
C:\WINDOWS\system32\netrax01\netrax011065.exe
C:\WINDOWS\system32\sex1.ico
C:\WINDOWS\system32\sex2.ico
C:\WINDOWS\system32\sex3.ico
C:\Documents and Settings\NetworkService\Favorieten :#:
.

(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Adrian\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
C:\Temp\itmp4
C:\Temp\itmp4\mkbv4i.log
C:\WINDOWS\msoupdater.config
C:\WINDOWS\system32\ert
C:\WINDOWS\system32\goc
C:\WINDOWS\system32\goc\vbashcom3.exe
C:\WINDOWS\system32\hgGAtusS.dll__DELETE_ON_REBOOT
C:\WINDOWS\system32\MRI
C:\WINDOWS\system32\ncT
C:\WINDOWS\system32\ncT\jarbootx.exe
C:\WINDOWS\system32\netrax01
C:\WINDOWS\system32\netrax01\netrax011065.exe
C:\WINDOWS\system32\sex1.ico
C:\WINDOWS\system32\sex2.ico
C:\WINDOWS\system32\sex3.ico
C:\WINDOWS\TC5KLiBQb3BwZW1h

.
(((((((((((((((((((( Bestanden Gemaakt van 2008-05-19 to 2008-06-19 ))))))))))))))))))))))))))))))
.

2008-06-17 16:55 . 2008-06-17 16:55 <DIR> d-------- C:\Deckard
2008-06-16 21:26 . 2008-06-17 13:30 <DIR> dr-h----- C:\Documents and Settings\L.J. Poppema\Onlangs geopend
2008-06-16 19:07 . 2008-06-17 16:53 <DIR> d-------- C:\Program Files\Yahoo!
2008-06-16 18:43 . 2008-06-16 18:44 96,381 --a------ C:\WINDOWS\hpqins11.dat
2008-06-16 15:46 . 2008-06-16 15:46 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-16 15:23 . 2008-06-16 15:31 1,984 --a------ C:\WINDOWS\system32\tmp.reg
2008-06-16 15:22 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-06-16 15:22 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-06-16 15:22 . 2008-05-29 09:35 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-06-16 15:22 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-06-16 15:22 . 2008-06-15 15:28 81,920 --a------ C:\WINDOWS\system32\IEDFix.C.exe
2008-06-16 15:22 . 2008-05-23 18:21 81,920 --a------ C:\WINDOWS\system32\404Fix.exe
2008-06-16 15:22 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-06-16 15:22 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-06-16 15:22 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-06-16 14:33 . 2008-06-16 14:33 2,422 --a------ C:\WINDOWS\system32\wpa.bak
2008-06-16 13:19 . 2008-06-16 13:19 <DIR> d-------- C:\WINDOWS\system32\GroupPolicy
2008-06-16 13:18 . 2008-06-16 14:23 <DIR> d-------- C:\Program Files\Hitman Pro
2008-06-16 13:06 . 2008-05-26 11:27 <DIR> d--h----- C:\Documents and Settings\Administrator\Sjablonen
2008-06-16 13:06 . 2008-05-26 13:21 <DIR> d--h----- C:\Documents and Settings\Administrator\Onlangs geopend
2008-06-16 13:06 . 2008-05-26 13:21 <DIR> d--h----- C:\Documents and Settings\Administrator\Netwerkprinteromgeving
2008-06-16 13:06 . 2008-05-26 13:21 <DIR> d-------- C:\Documents and Settings\Administrator\Mijn documenten
2008-06-16 13:06 . 2008-05-26 13:21 <DIR> dr------- C:\Documents and Settings\Administrator\Menu Start
2008-06-16 13:06 . 2008-06-16 13:07 <DIR> d-------- C:\Documents and Settings\Administrator\Favorieten
2008-06-16 13:06 . 2008-05-26 13:21 <DIR> d-------- C:\Documents and Settings\Administrator\Bureaublad
2008-06-16 13:06 . 2008-06-16 13:06 <DIR> d-------- C:\Documents and Settings\Administrator
2008-06-16 12:57 . 2008-06-17 22:17 <DIR> d-------- C:\Program Files\XoftSpySE
2008-06-16 12:52 . 2008-06-19 17:04 <DIR> d-------- C:\Temp
2008-06-16 12:52 . 2008-06-16 12:52 <DIR> dr------- C:\Documents and Settings\NetworkService\Favorieten
2008-06-16 12:50 . 2008-06-16 12:50 <DIR> d-------- C:\WINDOWS\Torrents
2008-06-14 21:11 . 2008-06-14 21:11 <DIR> d-------- C:\Documents and Settings\Cornelis\Application Data\ClonySoft
2008-06-10 09:59 . 2008-06-10 09:59 <DIR> d-------- C:\WINDOWS\Sun
2008-06-09 20:15 . 2008-06-09 20:15 <DIR> d--h----- C:\WINDOWS\PIF
2008-06-07 17:03 . 2008-06-07 17:03 244 --ah----- C:\sqmnoopt01.sqm
2008-06-07 17:03 . 2008-06-07 17:03 232 --ah----- C:\sqmdata01.sqm
2008-06-05 15:09 . 2008-06-05 15:09 <DIR> d-------- C:\Documents and Settings\Adrian\Application Data\HP
2008-06-03 02:56 . 2008-06-03 02:56 41,296 --a------ C:\WINDOWS\system32\xfcodec.dll
2008-06-02 10:20 . 2008-06-02 10:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-02 09:15 . 2008-06-18 22:01 <DIR> d-------- C:\Documents and Settings\Cornelis\Application Data\uTorrent
2008-05-31 19:53 . 2008-05-31 19:53 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Xfire
2008-05-27 17:00 . 2001-09-06 19:04 12,288 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-05-27 17:00 . 2001-09-06 19:04 12,288 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2008-05-27 17:00 . 2001-08-17 22:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2008-05-27 17:00 . 2001-08-17 22:02 9,600 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys
2008-05-27 14:59 . 2008-05-27 14:59 <DIR> d---s---- C:\Documents and Settings\L.J. Poppema\UserData
2008-05-27 09:31 . 2008-06-10 20:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-05-27 09:29 . 2006-10-26 19:58 30,512 --a------ C:\WINDOWS\system32\mdimon.dll
2008-05-27 09:29 . 2008-06-07 16:45 395 --a------ C:\WINDOWS\ODBC.INI
2008-05-27 09:28 . 2008-05-27 09:31 <DIR> d-------- C:\WINDOWS\SHELLNEW
2008-05-27 09:28 . 2008-05-27 09:28 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-05-27 09:28 . 2008-05-27 09:32 <DIR> d-------- C:\Program Files\Microsoft Works
2008-05-27 09:26 . 2008-05-27 09:26 <DIR> dr-h----- C:\MSOCache
2008-05-27 09:26 . 2008-05-27 09:26 <DIR> d-------- C:\Documents and Settings\L.J. Poppema\Application Data\DAEMON Tools
2008-05-27 09:19 . 2008-05-27 09:19 <DIR> d-------- C:\Documents and Settings\L.J. Poppema\Application Data\HP
2008-05-26 19:01 . 2008-06-17 16:55 <DIR> d-------- C:\Documents and Settings\Cornelis\Application Data\HP
2008-05-26 18:51 . 2008-05-26 18:51 <DIR> d-------- C:\Documents and Settings\Annet\Application Data\HP
2008-05-26 18:51 . 2008-05-26 18:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\HP
2008-05-26 18:50 . 2008-05-26 18:51 <DIR> d-------- C:\Program Files\Common Files\HP
2008-05-26 18:49 . 2008-05-26 18:49 <DIR> d-------- C:\Program Files\Hewlett-Packard
2008-05-26 18:49 . 2008-05-26 18:49 <DIR> d-------- C:\Program Files\Common Files\Hewlett-Packard
2008-05-26 18:48 . 2006-01-03 20:12 77,824 -ra------ C:\WINDOWS\system32\HPZIDS01.dll
2008-05-26 18:48 . 2006-04-12 14:04 49,664 -ra------ C:\WINDOWS\system32\drivers\HPZid412.sys
2008-05-26 18:48 . 2006-04-10 14:03 48,128 --a------ C:\WINDOWS\system32\hpzll054.dll
2008-05-26 18:48 . 2006-04-12 14:04 16,496 -ra------ C:\WINDOWS\system32\drivers\HPZipr12.sys
2008-05-26 18:48 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-05-26 18:48 . 2004-08-03 22:58 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
2008-05-26 18:47 . 1998-10-29 16:45 306,688 --a------ C:\WINDOWS\IsUninst.exe
2008-05-26 18:47 . 2006-03-03 21:03 282,680 --a------ C:\WINDOWS\system32\HPZidr12.dll
2008-05-26 18:47 . 2006-03-03 21:02 204,800 --a------ C:\WINDOWS\system32\HPZipr12.dll
2008-05-26 18:47 . 2006-03-03 21:02 94,208 --a------ C:\WINDOWS\system32\HPZipt12.dll
2008-05-26 18:47 . 2007-08-09 09:27 73,728 --a------ C:\WINDOWS\system32\HPZipm12.exe
2008-05-26 18:47 . 2006-03-03 21:03 65,536 --a------ C:\WINDOWS\system32\HPZinw12.exe
2008-05-26 18:47 . 2006-03-03 21:02 57,344 --a------ C:\WINDOWS\system32\HPZisn12.dll
2008-05-26 18:46 . 2008-05-26 18:51 <DIR> d-------- C:\Program Files\HP
2008-05-26 18:46 . 2008-05-26 18:51 120,233 --a------ C:\WINDOWS\hpoins11.dat
2008-05-26 18:46 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-05-26 18:46 . 2004-08-03 23:08 31,616 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
2008-05-26 18:46 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-05-26 18:46 . 2004-08-03 23:01 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2008-05-26 18:37 . 2008-05-26 11:27 <DIR> d--h----- C:\Documents and Settings\Annet\Sjablonen
2008-05-26 18:37 . 2008-06-07 16:55 <DIR> dr-h----- C:\Documents and Settings\Annet\Onlangs geopend
2008-05-26 18:37 . 2008-05-26 13:21 <DIR> d--h----- C:\Documents and Settings\Annet\Netwerkprinteromgeving
2008-05-26 18:37 . 2008-06-07 16:52 <DIR> dr------- C:\Documents and Settings\Annet\Mijn documenten
2008-05-26 18:37 . 2008-05-26 13:21 <DIR> dr------- C:\Documents and Settings\Annet\Menu Start
2008-05-26 18:37 . 2008-05-26 18:37 <DIR> dr------- C:\Documents and Settings\Annet\Favorieten
2008-05-26 18:37 . 2008-05-26 13:21 <DIR> d-------- C:\Documents and Settings\Annet\Bureaublad
2008-05-26 18:37 . 2008-05-26 18:37 <DIR> d-------- C:\Documents and Settings\Annet\Application Data\ATI
2008-05-26 18:37 . 2008-05-26 18:37 <DIR> d-------- C:\Documents and Settings\Annet
2008-05-26 18:36 . 2008-05-26 11:27 <DIR> d--h----- C:\Documents and Settings\Adrian\Sjablonen
2008-05-26 18:36 . 2008-06-19 11:47 <DIR> dr-h----- C:\Documents and Settings\Adrian\Onlangs geopend
2008-05-26 18:36 . 2008-05-26 13:21 <DIR> d--h----- C:\Documents and Settings\Adrian\Netwerkprinteromgeving
2008-05-26 18:36 . 2008-06-06 14:48 <DIR> dr------- C:\Documents and Settings\Adrian\Mijn documenten
2008-05-26 18:36 . 2008-05-26 13:21 <DIR> dr------- C:\Documents and Settings\Adrian\Menu Start
2008-05-26 18:36 . 2008-05-26 18:36 <DIR> dr------- C:\Documents and Settings\Adrian\Favorieten
2008-05-26 18:36 . 2008-05-26 13:21 <DIR> d-------- C:\Documents and Settings\Adrian\Bureaublad
2008-05-26 18:36 . 2008-05-26 18:36 <DIR> d-------- C:\Documents and Settings\Adrian\Application Data\ATI
2008-05-26 18:36 . 2008-05-26 18:36 <DIR> d-------- C:\Documents and Settings\Adrian
2008-05-26 14:03 . 2008-04-29 17:48 3,688,960 --a------ C:\WINDOWS\system32\drivers\RtHDMI.sys
2008-05-26 14:03 . 2008-04-02 09:27 1,196,032 --a------ C:\WINDOWS\RtkUpd.exe
2008-05-26 14:00 . 2008-05-26 14:00 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-05-26 14:00 . 2008-06-18 20:54 107,832 --a------ C:\WINDOWS\system32\PnkBstrB.exe
2008-05-26 14:00 . 2008-05-26 14:00 66,872 --a------ C:\WINDOWS\system32\PnkBstrA.exe
2008-05-26 14:00 . 2008-06-18 20:54 22,328 --a------ C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-05-26 12:47 . 2008-05-26 12:47 <DIR> d-------- C:\Program Files\MSN BackUp
2008-05-26 12:41 . 2008-05-26 12:41 <DIR> d-------- C:\Program Files\DAEMON Tools Lite
2008-05-26 12:14 . 2008-05-26 12:14 <DIR> d-------- C:\Program Files\Foxit Software
2008-05-26 12:13 . 2006-03-02 14:00 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-05-26 12:12 . 2008-05-26 12:12 <DIR> d-------- C:\Documents and Settings\Cornelis\Contacts
2008-05-26 12:11 . 2008-05-26 13:43 <DIR> d-------- C:\Program Files\StuffPlug3
2008-05-26 12:11 . 2008-05-26 12:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Messenger Plus!
2008-05-26 12:10 . 2008-05-26 12:10 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-05-26 12:10 . 2008-05-26 12:10 <DIR> d-------- C:\Program Files\Messenger Plus! Live
2008-05-26 12:10 . 2008-05-26 12:10 268 --ah----- C:\sqmdata00.sqm
2008-05-26 12:10 . 2008-05-26 12:10 244 --ah----- C:\sqmnoopt00.sqm
2008-05-26 12:09 . 2008-05-26 12:09 <DIR> d-------- C:\Program Files\Lavasoft
2008-05-26 12:09 . 2008-05-26 12:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-26 12:08 . 2008-05-26 12:08 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-26 12:08 . 2008-05-26 12:08 <DIR> d-------- C:\Program Files\Belastingdienst
2008-05-26 12:08 . 2008-05-26 12:08 <DIR> d-------- C:\Documents and Settings\Cornelis\Application Data\DAEMON Tools
2008-05-26 12:08 . 2008-05-26 12:08 716,272 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2008-05-26 12:07 . 2008-05-26 12:07 <DIR> d-------- C:\Program Files\Unlocker
2008-05-26 12:06 . 2008-05-26 12:10 <DIR> d-------- C:\Program Files\Windows Live
2008-05-26 12:06 . 2008-05-26 12:06 <DIR> d-------- C:\Program Files\K-Lite Codec Pack
2008-05-26 12:06 . 2008-05-26 12:09 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-05-26 12:06 . 2008-05-26 12:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller

.
((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-18 20:20 --------- d-----w C:\Program Files\WarRock
2008-06-18 18:01 --------- d-----w C:\Documents and Settings\Cornelis\Application Data\Xfire
2008-06-10 10:42 --------- d-----w C:\Program Files\Xfire
2008-05-26 11:45 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-26 11:22 --------- d-----w C:\Documents and Settings\L.J. Poppema\Application Data\ATI
2008-05-26 11:20 --------- d-----w C:\Program Files\Realtek
2008-05-26 11:18 505,128 ----a-w C:\WINDOWS\system32\msvcp71.dll
2008-05-26 11:16 --------- d-----w C:\Documents and Settings\Cornelis\Application Data\CyberLink
2008-05-26 11:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\CyberLink
2008-05-26 11:14 --------- d-----w C:\Program Files\BearShare Pro
2008-05-26 11:13 --------- d-----w C:\Program Files\Webteh
2008-05-26 11:04 --------- d-----w C:\Program Files\Intel
2008-05-26 09:55 --------- d-----w C:\Documents and Settings\Cornelis\Application Data\InstallShield
2008-05-26 09:55 --------- d-----w C:\Documents and Settings\Cornelis\Application Data\ATI
2008-05-26 09:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\ATI
2008-05-26 09:53 --------- d-----w C:\Program Files\ATI Technologies
2008-05-26 09:48 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-05-26 09:36 315,392 ----a-w C:\WINDOWS\HideWin.exe
2008-05-26 09:29 --------- d-----w C:\Program Files\microsoft frontpage
2008-05-12 16:30 3,007,488 ----a-w C:\WINDOWS\system32\drivers\ati2mtag.sys
2008-05-12 15:56 397,312 ----a-w C:\WINDOWS\system32\ATIDEMGX.dll
2008-05-12 15:54 305,152 ----a-w C:\WINDOWS\system32\ati2dvag.dll
2008-05-12 15:53 307,200 ----a-w C:\WINDOWS\system32\atiiiexx.dll
2008-05-12 15:45 180,224 ----a-w C:\WINDOWS\system32\atipdlxx.dll
2008-05-12 15:45 139,264 ----a-w C:\WINDOWS\system32\Oemdspif.dll
2008-05-12 15:44 139,264 ----a-w C:\WINDOWS\system32\ati2evxx.dll
2008-05-12 15:43 540,672 ----a-w C:\WINDOWS\system32\ati2evxx.exe
2008-05-12 15:43 10,153,984 ----a-w C:\WINDOWS\system32\atioglx2.dll
2008-05-12 15:32 3,203,168 ----a-w C:\WINDOWS\system32\ati3duag.dll
2008-05-12 15:22 1,999,616 ----a-w C:\WINDOWS\system32\ativvaxx.dll
2008-05-12 15:09 47,104 ----a-w C:\WINDOWS\system32\amdpcom32.dll
2008-05-12 15:05 327,680 ----a-w C:\WINDOWS\system32\atikvmag.dll
2008-05-12 15:03 19,968 ----a-w C:\WINDOWS\system32\atiadlxx.dll
2008-05-12 15:02 241,664 ----a-w C:\WINDOWS\system32\atiok3x2.dll
2008-05-12 14:57 548,864 ----a-w C:\WINDOWS\system32\ati2cqag.dll
2008-04-07 14:06 9,715,200 ----a-r C:\WINDOWS\RTLCPL.exe
2008-04-07 14:06 86,016 ----a-r C:\WINDOWS\SoundMan.exe
2008-04-07 14:06 49,152 ----a-r C:\WINDOWS\system32\ChCfg.exe
2008-04-07 14:06 2,808,832 ----a-r C:\WINDOWS\alcwzrd.exe
2008-04-07 14:06 2,165,760 ----a-r C:\WINDOWS\MicCal.exe
2008-04-07 14:06 16,859,136 ----a-r C:\WINDOWS\RTHDCPL.exe
2008-04-07 14:06 1,826,816 ----a-r C:\WINDOWS\SkyTel.exe
2008-04-07 14:06 1,191,936 ----a-r C:\WINDOWS\RtlUpd.exe
2008-03-26 17:48 43,520 ----a-w C:\WINDOWS\system32\ati2edxx.dll
2008-03-26 17:48 26,112 ----a-w C:\WINDOWS\system32\Ati2mdxx.exe
2008-03-26 17:45 53,248 ----a-w C:\WINDOWS\system32\ATIDDC.DLL
2008-03-26 17:11 17,408 ----a-w C:\WINDOWS\system32\atitvo32.dll
2008-03-26 10:59 593,920 ------w C:\WINDOWS\system32\ati2sgag.exe
.

((((((((((((((((((((((((((((( snapshot@2008-06-18_18.23.46.01 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-18 16:22:25 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-19 10:53:11 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-06-17 20:20:27 74,649 ----a-w C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
+ 2008-06-18 16:34:47 74,649 ----a-w C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
.
((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2006-03-02 14:00 15360]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 12:17 61440]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
"RTHDCPL"="RTHDCPL.EXE" [2008-04-07 16:06 16859136 C:\WINDOWS\RTHDCPL.exe]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 02:41 49152]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-03-02 14:00 15360]

C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 04:21:22 288472]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll

[HKLM\~\startupfolder\C:^Documents and Settings^Cornelis^Menu Start^Programma's^Opstarten^Deewoo.lnk]
path=C:\Documents and Settings\Cornelis\Menu Start\Programma's\Opstarten\Deewoo.lnk
backup=C:\WINDOWS\pss\Deewoo.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Cornelis^Menu Start^Programma's^Opstarten^DW_Start.lnk]
path=C:\Documents and Settings\Cornelis\Menu Start\Programma's\Opstarten\DW_Start.lnk
backup=C:\WINDOWS\pss\DW_Start.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Judxl]
C:\Documents and Settings\Cornelis\Mijn documenten\s?stem\r?ndll32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Xfire\\xfire.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\MSN BackUp\\MSNBackup.exe"=
"C:\\Program Files\\BearShare Pro\\Bearshare.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"C:\\Documents and Settings\\Cornelis\\Bureaublad\\Music project\\uTorrent\\utorrent.exe"=
"C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"D:\\BitLord\\BitLord.exe"=

R3 RTHDMIAzAudService;Service for HDMI;C:\WINDOWS\system32\drivers\RtHDMI.sys [2008-04-29 17:48]

*Newly Created Service* - CATCHME
.
Inhoud van de 'Gedeelde Taken' map
"2008-06-19 15:00:00 C:\WINDOWS\Tasks\XoftSpySE 2.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
"2008-06-16 10:57:48 C:\WINDOWS\Tasks\XoftSpySE.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-19 17:05:48
Windows 5.1.2600 Service Pack 2 NTFS

scannen van verborgen processen ...

scannen van verborgen autostart items ...

scannen van verborgen bestanden ...

Scan succesvol afgerond
verborgen bestanden: 0

**************************************************************************
.
Voltooingstijd: 2008-06-19 17:06:08
ComboFix-quarantined-files.txt 2008-06-19 15:06:07
ComboFix2.txt 2008-06-18 16:23:54

Pre-Run: 6,728,896,512 bytes beschikbaar
Post-Run: 6,765,084,672 bytes beschikbaar

299

Kaspersky Webscanner:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Thursday, June 19, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Thursday, June 19, 2008 14:28:06
Records in database: 879493
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\

Scan statistics:
Files scanned: 69248
Threat name: 8
Infected objects: 11
Suspicious objects: 0
Duration of the scan: 01:39:26


File name / Threat name / Threats count
C:\Deckard\System Scanner\20080617165715\backup\DOCUME~1\Cornelis\LOCALS~1\Temp\!update.exe Infected: Trojan-Downloader.Win32.PurityScan.fk 1
C:\Deckard\System Scanner\20080617165715\backup\DOCUME~1\Cornelis\LOCALS~1\Temp\NDRA.tmp Infected: Trojan-Downloader.Win32.PurityScan.fk 1
C:\Documents and Settings\Cornelis\Bureaublad\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
C:\Documents and Settings\Cornelis\Bureaublad\SmitfraudFix.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
C:\QooBox\Quarantine\C\Documents and Settings\Cornelis\Mijn documenten\SSTEM~1\rυndll32.exe.vir Infected: not-a-virus:AdWare.Win32.PurityScan.id 1
C:\QooBox\Quarantine\C\WINDOWS\system32\goc\vbashcom3.exe.vir Infected: not-a-virus:AdWare.Win32.ZenoSearch.bn 1
C:\QooBox\Quarantine\C\WINDOWS\system32\ncT\jarbootx.exe.vir Infected: Trojan-Downloader.Win32.Small.xhc 1
C:\QooBox\Quarantine\C\WINDOWS\system32\netrax01\netrax011065.exe.vir Infected: Trojan-Downloader.Win32.VB.fao 1
C:\QooBox\Quarantine\C\WINDOWS\system32\rwwnw64d.exe.vir Infected: not-a-virus:AdWare.Win32.ZenoSearch.bn 1
C:\QooBox\Quarantine\C\WINDOWS\system32\tcntaxdn.exe.vir Infected: not-a-virus:AdWare.Win32.ZenoSearch.ax 1
C:\QooBox\Quarantine\C\WINDOWS\system32\wywknjnn.dll.vir Infected: Trojan.Win32.Monder.vn 1


The selected area was scanned.

#8 Buckeye_Sam
Malware Expert
  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 19 June 2008 - 01:00 PM

Open Notepad, and copy everything in the code box below and paste it into a new notepad file. Change the "Save As Type" to "All Files". Save it as fixme.reg on your Desktop. Make sure there is NO blank line above "REGEDIT4"!

REGEDIT4

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Judxl]

Locate fixme.reg on your Desktop and double-click on it. When it asks if you want to merge with the registry, click YES.


How is your computer behaving now? Are you still getting popups?


========================================================
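The CFScript in post #6 and the fixme.reg above both remove registry start-up entries that the ComboFix listing exposed: an msconfig `startupreg` entry pointing at `s?stem\r?ndll32.exe` (the Kaspersky report shows the real character, `rυndll32.exe`, a Greek letter standing in for the "u" of rundll32.exe), loaders dropped straight into system32, and Security Center notification values switched off. As an added example, not code from this thread, from ComboFix or from Kaspersky, the following Python audit parses a start-up listing in the layout ComboFix's "Reg Opstartpunten" section uses and flags those three patterns. The sample text is constructed from entries visible in the logs above; the helper names (`parse_startup_points`, `is_lookalike_name`, `audit`) and the finding labels are my own.

```python
import re

# Constructed sample in the layout of ComboFix's registry start-up listing,
# assembled from entries visible in this thread's logs (not a real capture).
SAMPLE_LOG = r"""
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 12:17 61440]
"RTHDCPL"="RTHDCPL.EXE" [2008-04-07 16:06 16859136 C:\WINDOWS\RTHDCPL.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Judxl]
C:\Documents and Settings\Cornelis\Mijn documenten\s?stem\r?ndll32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ExploreUpdSched]
C:\WINDOWS\system32\tcntaxdn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"""

KEY_RE = re.compile(r"^\[-?(.+)\]$")          # [HKEY_...] or [-HKEY_...]
VALUE_RE = re.compile(r'^"([^"]*)"=(.*)$')    # "name"=<value> [file metadata]

# Windows binaries whose names malware likes to imitate (hypothetical short list).
WINDOWS_BINARIES = {"rundll32.exe", "svchost.exe", "explorer.exe",
                    "ctfmon.exe", "winlogon.exe", "services.exe"}
# Security Center values that, when set to 1, silence the "no AV / no updates" balloons.
NOTIFY_VALUES = {"antivirusdisablenotify", "updatesdisablenotify", "firewalldisablenotify"}
# Locations from which a start-up executable deserves a second look.
USER_DIR_MARKERS = ("\\documents and settings\\", "\\temp\\", "\\application data\\")


def parse_startup_points(text):
    """Return (key, value_name, value) tuples from a ComboFix-style listing.

    Quoted values and dword values follow the .reg syntax; msconfig startupreg
    keys list their command on a bare line, which is recorded under the key's leaf.
    """
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        if key is None:           # REGEDIT4 header and notes before the first key
            continue
        m = VALUE_RE.match(line)
        if m:
            name, rest = m.groups()
            if rest.startswith("dword:"):
                value = int(rest[6:14], 16)
            elif rest.startswith('"'):
                value = rest[1:rest.find('"', 1)]
            else:
                value = rest      # empty for firewall allow-list style entries
            entries.append((key, name, value))
        else:
            entries.append((key, key.rsplit("\\", 1)[-1], line))
    return entries


def is_lookalike_name(filename):
    """True when the name matches a well-known Windows binary except in characters
    that are non-ASCII (homoglyphs) or that ComboFix printed as '?'."""
    name = filename.lower()
    odd = [ch for ch in name if not ch.isascii() or ch == "?"]
    if not odd:
        return False
    pattern = "".join("." if (not ch.isascii() or ch == "?") else re.escape(ch)
                      for ch in name)
    return any(re.fullmatch(pattern, known) for known in WINDOWS_BINARIES)


def find_suspicious(entries):
    """Classify parsed entries; returns (finding_kind, detail) pairs in listing order."""
    findings = []
    for key, name, value in entries:
        klow = key.lower()
        if klow.endswith("security center") and name.lower() in NOTIFY_VALUES and value == 1:
            findings.append(("security-center-notifications-disabled", name))
            continue
        if not isinstance(value, str) or not value:
            continue
        path = value.lower()
        filename = path.rsplit("\\", 1)[-1]
        if is_lookalike_name(filename):
            findings.append(("lookalike-system-binary-name", value))
        elif path.endswith(".exe") and any(m in path for m in USER_DIR_MARKERS):
            findings.append(("executable-autostart-from-user-profile", value))
        elif "startupreg" in klow and "\\system32\\" in path:
            # Entries disabled via msconfig that load unknown system32 binaries.
            findings.append(("msconfig-disabled-entry-in-system32", value))
    return findings


def audit(text):
    return find_suspicious(parse_startup_points(text))


if __name__ == "__main__":
    for kind, detail in audit(SAMPLE_LOG):
        print(f"{kind}: {detail}")
```

The third finding is a review prompt rather than a verdict: legitimate items disabled through msconfig also live under `startupreg`, so the script only narrows the list a helper has to look at. The lookalike check is the one worth keeping around, because a name such as `rυndll32.exe` survives a casual visual inspection of a log and is exactly the kind of entry a Kaspersky or similar scan later names as adware.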

#9 Nelisje
  • Topic Starter
  • Members
  • 5 posts

Posted 20 June 2008 - 10:08 AM

I think almost everything was clean after running combofix and there were only some traces left, so there is no visible effect of this action :)

No popups, the background doesn't change to the 'warning' anymore, and no unwanted messages in the tray :thumbup2:

Thanks a lot :thumbsup:

#10 Buckeye_Sam
Malware Expert
  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 21 June 2008 - 07:28 AM

That's what I like to hear! :)

Just a few last things and you should be good to go! :thumbup2:


First, your log shows that you don't have the recovery console installed.
Check this link for more info on the recovery console and how to get it installed.

How to install and use the Windows XP Recovery Console



===================



Next, let's remove Combofix now that we're done with it and clean up a few other things.
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK

  • When shown the disclaimer, Select "2"



==================



Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point left over from what we have just cleaned.

    You can find instructions on how to disable and re-enable system restore here:

    Windows XP System Restore Guide

    Re-enable system restore with the instructions from the tutorial above

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Use an AntiVirus Software - It is very important that your computer has anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online and stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would with antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install Ad-Aware - Install and download Ad-Aware. You should also scan your computer with the program on a regular basis just as you would with antivirus software, in conjunction with Spybot.

    A tutorial on installing & using this product can be found here:

    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

:thumbsup:
If I have helped you in any way, please consider a donation to help me continue the fight against malware.
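An added defender-side check for the "Make your Internet Explorer more secure" step in the post above. This is example code written for this page, not code from the thread, from BleepingComputer or from any tool it names. It reads the Internet zone (zone 3) policy values from the current user's registry and reports which of the six Custom Level settings listed in the post already match the recommended values, with an optional switch to apply them. The registry value names (1001, 1004, 1201, 1607, 1800, 1804) and the meaning of the data (0 = Enable, 1 = Prompt, 3 = Disable) follow Microsoft's documented zone-policy layout; the function name Test-InternetZoneHardening and the -Fix switch are names chosen for this example.

```powershell
# Added example (not from the thread): audit the Internet zone (zone 3) Custom Level
# settings that the post tells the user to change by hand, reading them from the
# registry instead of clicking through the dialog. Value names and data meanings
# follow Microsoft's documented zone-policy registry layout:
#   0 = Enable, 1 = Prompt, 3 = Disable
$zonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Recommended settings from the post, keyed by the registry value name.
$recommended = [ordered]@{
    '1001' = @{ Name = 'Download signed ActiveX controls';                        Want = 1 }  # Prompt
    '1004' = @{ Name = 'Download unsigned ActiveX controls';                      Want = 3 }  # Disable
    '1201' = @{ Name = 'Initialize and script ActiveX controls not marked as safe'; Want = 3 }  # Disable
    '1800' = @{ Name = 'Installation of desktop items';                           Want = 1 }  # Prompt
    '1804' = @{ Name = 'Launching programs and files in an IFRAME';               Want = 1 }  # Prompt
    '1607' = @{ Name = 'Navigate sub-frames across different domains';            Want = 1 }  # Prompt
}
$label = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# Function and switch names are chosen for this example (hypothetical, not a built-in cmdlet).
function Test-InternetZoneHardening {
    param([switch]$Fix)   # -Fix writes the recommended value wherever the current one differs

    $key = Get-ItemProperty -Path $zonePath -ErrorAction Stop

    foreach ($valueName in $recommended.Keys) {
        $want = $recommended[$valueName].Want
        $have = $key.$valueName          # $null when the value is absent (zone default applies)

        $haveText = if ($null -eq $have) {
            'not set (zone default)'
        } elseif ($label.ContainsKey([int]$have)) {
            $label[[int]$have]
        } else {
            "unknown ($have)"
        }

        $ok = ($null -ne $have) -and ([int]$have -eq $want)

        [pscustomobject]@{
            Value   = $valueName
            Setting = $recommended[$valueName].Name
            Current = $haveText
            Wanted  = $label[$want]
            OK      = $ok
        }

        if ($Fix -and -not $ok) {
            Set-ItemProperty -Path $zonePath -Name $valueName -Value $want -Type DWord
        }
    }
}

# Report only; add -Fix to apply the recommended values for the current user.
Test-InternetZoneHardening | Format-Table -AutoSize
```

The audit is per user because the Custom Level dialog writes under HKCU; on a machine where the administrator has set the Security_HKLM_only policy, the per-machine key under HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 is the one that applies, and the script would need its path switched to that hive. An unset value is reported rather than treated as a pass, since the zone default is not necessarily the recommended setting.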


========================================================

#11 Buckeye_Sam
    Malware Expert
  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 03 July 2008 - 05:43 PM

Now that your problem appears to be resolved, this thread will be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request.


========================================================