Trojan-downloader.delf And/or Boaxxe.dll


  • This topic is locked
28 replies to this topic

#1 ghoul

  • Members
  • 16 posts
  • OFFLINE
  • Local time: 03:00 AM

Posted 25 June 2008 - 04:10 PM

So far I have tried a number of tools to get rid of the infected file dsdmoi.dll in the folder C:\windows\system32 (detected as boaxxe.dll by McAfee),
among others SUPERAntiSpyware, ComboFix, Malwarebytes Anti-Malware, Spybot S&D, Ad-Aware and the McAfee anti-virus scanner. None of these tools was able to remove, clean or quarantine this file.

Could anyone please have a look at this log and give me some advice?

Deckard's System Scanner v20071014.68
Run by zuiderlingen on 2008-06-25 22:58:48
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
10: 2008-06-25 20:59:00 UTC - RP10 - Deckard's System Scanner Restore Point
9: 2008-06-25 10:33:12 UTC - RP9 - Controlepunt van systeem
8: 2008-06-23 21:20:01 UTC - RP8 - Spyware Doctor: Cleaning Threats
7: 2008-06-23 18:43:06 UTC - RP7 - Installed SUPERAntiSpyware Free Edition
6: 2008-06-22 18:41:52 UTC - RP6 - Controlepunt van systeem


-- First Restore Point --
1: 2008-06-19 21:12:27 UTC - RP1 - Controlepunt van systeem


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as zuiderlingen.exe) ----------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:00:10, on 25-6-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
F:\Network Associates\Common Framework\FrameworkService.exe
F:\Network Associates\VirusScan\Mcshield.exe
F:\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\stsystra.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
F:\Network Associates\VirusScan\SHSTAT.EXE
F:\Network Associates\Common Framework\UpdaterUI.exe
F:\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Microsoft Office\Office\1043\msoffice.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
F:\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\zuiderlingen\Bureaublad\dss.exe
F:\HIJACK~1\zuiderlingen.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www1.euro.dell.com/content/default....;l=nl&s=gen
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: Adobe PDF Reader Help bij koppelingen - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {327A2340-82F3-423A-B812-616E7A238224} - c:\windows\system32\jfqqoiw.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - F:\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {ECADEB72-BF4C-4F2B-AF21-E622CB9B31DF} - C:\WINDOWS\system32\dsdmoi.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ShStatEXE] "F:\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "F:\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [ZoneAlarm Client] "F:\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "F:\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Ontvang alle bestanden door Net Transport - F:\NetTransport 2\NTAddList.html
O8 - Extra context menu item: Ontvangst door Net Transport - F:\NetTransport 2\NTAddLink.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O20 - Winlogon Notify: !SASWinLogon - F:\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - F:\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - F:\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - F:\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - f:\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - f:\Spyware Doctor\pctsSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 7851 bytes

-- HijackThis Fixed Entries (F:\HIJACK~1\backups\) -----------------------------

backup-20080619-195658-168 O4 - HKLM\..\Run: [kcskamifb] C:\WINDOWS\system32\kcskamifb.exe
backup-20080619-195658-803 O4 - HKCU\..\Run: [kcskamifb] C:\WINDOWS\system32\kcskamifb.exe
backup-20080619-235723-660 O2 - BHO: (no name) - {ECADEB72-BF4C-4F2B-AF21-E622CB9B31DF} - C:\WINDOWS\system32\dsdmoi.dll
backup-20080619-235822-486 O2 - BHO: (no name) - {ECADEB72-BF4C-4F2B-AF21-E622CB9B31DF} - C:\WINDOWS\system32\dsdmoi.dll
backup-20080620-150051-567 O2 - BHO: (no name) - {327A2340-82F3-423A-B812-616E7A238224} - c:\windows\system32\jfqqoiw.dll
backup-20080622-002002-338 O2 - BHO: (no name) - {ECADEB72-BF4C-4F2B-AF21-E622CB9B31DF} - C:\WINDOWS\system32\dsdmoi.dll
backup-20080622-002110-868 O2 - BHO: (no name) - {ECADEB72-BF4C-4F2B-AF21-E622CB9B31DF} - C:\WINDOWS\system32\dsdmoi.dll
backup-20080622-002152-119 O2 - BHO: (no name) - {ECADEB72-BF4C-4F2B-AF21-E622CB9B31DF} - C:\WINDOWS\system32\dsdmoi.dll
backup-20080622-002308-178 O2 - BHO: (no name) - {ECADEB72-BF4C-4F2B-AF21-E622CB9B31DF} - C:\WINDOWS\system32\dsdmoi.dll

-- File Associations -----------------------------------------------------------

.js - JSFile - DefaultIcon - f:\Macromedia\Dreamweaver MX\Dreamweaver.exe,2
.js - JSFile - shell\open\command - "f:\Macromedia\Dreamweaver MX\Dreamweaver.exe" "%1"
.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - scrfile - shell\open\command - "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 lwopveqo - c:\windows\system32\drivers\lwopveqo.sys <Not Verified; MCCI; Sony Ericsson K320 USB WMC OBEX Interface>
R1 APPDRV - c:\windows\system32\drivers\appdrv.sys <Not Verified; Dell Inc; Application Driver>
R1 omci (OMCI WDM Device Driver) - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Inc; OMCI Driver>
R1 PCLEPCI - c:\windows\system32\drivers\pclepci.sys <Not Verified; Pinnacle Systems GmbH; PCLEPCI>
R1 PQNTDrv - c:\windows\system32\drivers\pqntdrv.sys
R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.4.9.0) - c:\windows\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.4.9.0>
R2 s24trans (WLAN-transport) - c:\windows\system32\drivers\s24trans.sys <Not Verified; Intel Corporation; Intel Wireless LAN Packet Driver>
R3 ASAPIW2k - c:\windows\system32\drivers\asapiw2k.sys <Not Verified; Pinnacle Systems GmbH; asapi>
R3 MarvinBus (Pinnacle Marvin Bus) - c:\windows\system32\drivers\marvinbus.sys <Not Verified; Pinnacle Systems GmbH; Pinnacle Marvin Discrete>

S3 CO_Mon - c:\windows\system32\drivers\co_mon.sys


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 McAfeeFramework (McAfee Framework Service) - f:\network associates\common framework\frameworkservice.exe /servicestart <Not Verified; Network Associates, Inc.; McAfee Common Framework>
R2 McTaskManager (Network Associates Task Manager) - "f:\network associates\virusscan\vstskmgr.exe" <Not Verified; Network Associates, Inc.; VirusScan Enterprise>
R2 NICCONFIGSVC - c:\program files\dell\nicconfigsvc\nicconfigsvc.exe <Not Verified; Dell Inc.; NicConfigSvc>
R2 RegSrvc (Intel® PROSet/Wireless Registry Service) - c:\program files\intel\wireless\bin\regsrvc.exe <Not Verified; Intel Corporation; Intel® PROSet/Wireless Registry Service>
R2 WLANKEEPER (Intel® PROSet/Wireless SSO Service) - c:\program files\intel\wireless\bin\wlkeeper.exe <Not Verified; Intel® Corporation; SSO Service>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Broadcom 440x 10/100 Integrated Controller
Device ID: PCI\VEN_14E4&DEV_170C&SUBSYS_01CD1028&REV_02\4&2FE911E8&0&00F0
Manufacturer: Broadcom
Name: Broadcom 440x 10/100 Integrated Controller
PNP Device ID: PCI\VEN_14E4&DEV_170C&SUBSYS_01CD1028&REV_02\4&2FE911E8&0&00F0
Service: bcm4sbxp

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: 1394-netwerkkaart
Device ID: V1394\NIC1394\6EF5A06E324FC000
Manufacturer: Microsoft
Name: 1394-netwerkkaart #3
PNP Device ID: V1394\NIC1394\6EF5A06E324FC000
Service: NIC1394


-- Scheduled Tasks -------------------------------------------------------------

2008-06-25 22:46:15 330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job


-- Files created between 2008-05-25 and 2008-06-25 -----------------------------

2008-06-25 22:46:29 0 dr-h----- C:\Documents and Settings\zuiderlingen\Onlangs geopend
2008-06-25 22:42:01 0 d-------- C:\_backupD
2008-06-25 20:49:27 0 d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-06-23 21:46:34 0 d-------- C:\Documents and Settings\Administrator\Application Data\Adobe
2008-06-23 21:15:28 0 d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-06-23 21:09:52 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2008-06-23 21:09:52 0 d-------- C:\Documents and Settings\Administrator\Bureaublad
2008-06-23 21:09:52 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-06-23 21:09:52 0 d-------- C:\Documents and Settings\Administrator\Application Data\Sun
2008-06-23 21:09:52 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-06-23 21:09:52 0 d-------- C:\Documents and Settings\Administrator\Application Data\Intel
2008-06-23 21:09:52 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2008-06-23 21:09:52 0 d-------- C:\Documents and Settings\Administrator\Application Data\Corel
2008-06-23 21:09:52 0 d-------- C:\Documents and Settings\Administrator\Application Data\ATI
2008-06-23 21:09:51 0 d--h----- C:\Documents and Settings\Administrator\Sjablonen
2008-06-23 21:09:51 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-06-23 21:09:51 0 dr-h----- C:\Documents and Settings\Administrator\Onlangs geopend
2008-06-23 21:09:51 0 d--h----- C:\Documents and Settings\Administrator\Netwerkprinteromgeving
2008-06-23 21:09:51 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-06-23 21:09:51 0 d-------- C:\Documents and Settings\Administrator\My Documents
2008-06-23 21:09:51 0 dr------- C:\Documents and Settings\Administrator\Mijn documenten
2008-06-23 21:09:51 0 dr------- C:\Documents and Settings\Administrator\Menu Start
2008-06-23 21:09:51 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-06-23 21:09:51 0 dr------- C:\Documents and Settings\Administrator\Favorieten
2008-06-23 21:09:50 2097152 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-06-23 20:43:18 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-06-23 20:43:07 0 d-------- C:\Documents and Settings\zuiderlingen\Application Data\SUPERAntiSpyware.com
2008-06-23 20:42:27 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-23 18:54:57 0 d-------- C:\Documents and Settings\zuiderlingen\Application Data\Malwarebytes
2008-06-23 18:54:54 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-21 17:55:05 0 d-------- C:\Documents and Settings\zuiderlingen\Application Data\PC Tools
2008-06-21 16:47:05 0 d-------- C:\Documents and Settings\zuiderlingen\Application Data\WinRAR
2008-06-21 15:09:01 0 d-------- C:\Program Files\uTorrent
2008-06-21 15:08:53 0 d-------- C:\Documents and Settings\zuiderlingen\Application Data\uTorrent
2008-06-19 23:06:04 0 d-------- C:\cmdcons
2008-06-19 23:04:55 68096 --a------ C:\WINDOWS\zip.exe
2008-06-19 23:04:55 49152 --a------ C:\WINDOWS\VFind.exe
2008-06-19 23:04:55 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-06-19 23:04:55 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-06-19 23:04:55 98816 --a------ C:\WINDOWS\sed.exe
2008-06-19 23:04:55 80412 --a------ C:\WINDOWS\grep.exe
2008-06-19 23:04:55 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-06-19 22:44:53 16384 --a------ C:\WINDOWS\system32\restart.exe <Not Verified; WareSoft Software; restart>
2008-06-19 22:44:53 90112 --a------ C:\WINDOWS\system32\regdacl.exe <Not Verified; Frank Heyne Software; RegTools>
2008-06-19 22:44:53 4096 --a------ C:\WINDOWS\system32\reboot.exe
2008-06-19 22:44:53 53248 --a------ C:\WINDOWS\system32\process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2008-06-19 22:44:53 280286 --a------ C:\win32delfkil.exe <Not Verified; Marckie; >
2008-06-19 22:44:52 0 d-------- C:\WINDOWS\system32\regdacl
2008-06-15 19:54:02 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-12 18:27:48 0 d-------- C:\Documents and Settings\Janne\Application Data\Mozilla
2008-06-12 18:27:48 0 d-------- C:\Documents and Settings\Janne\Application Data\frfdkaea
2008-06-08 17:42:16 0 d-------- C:\Documents and Settings\zuiderlingen\.housecall6.6
2008-06-08 13:22:38 0 d-------- C:\Documents and Settings\zuiderlingen\Application Data\frfdkaea
2008-06-07 16:47:13 0 d-------- C:\Documents and Settings\NetworkService\Application Data\Macromedia
2008-06-07 16:47:12 0 d-------- C:\Documents and Settings\NetworkService\Application Data\Adobe
2008-06-07 16:42:42 0 d-------- C:\Documents and Settings\NetworkService\Application Data\Mozilla
2008-06-07 16:42:42 0 d-------- C:\Documents and Settings\NetworkService\Application Data\frfdkaea
2008-06-06 20:12:52 0 d-------- C:\Program Files\Common Files\Mozilla Shared
2008-06-05 20:00:34 127488 --a------ C:\WINDOWS\system32\d3drampg.dll <Not Verified; Xngexacxqz Corporation; Microsoft® Windows® Operating System>
2008-06-05 20:00:03 88064 --a------ C:\WINDOWS\system32\dsdmoi.dll
2008-05-31 01:22:48 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX?>
2008-05-31 01:22:48 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-31 01:22:48 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-31 01:22:46 815104 --a------ C:\WINDOWS\system32\divx_xx0a.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-31 01:22:46 683520 --a------ C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>


-- Find3M Report ---------------------------------------------------------------

2008-06-23 20:42:27 0 d-------- C:\Program Files\Common Files
2008-06-15 19:55:10 437324 --a----c- C:\WINDOWS\system32\perfh013.dat
2008-06-15 19:55:10 67794 --a----c- C:\WINDOWS\system32\perfc013.dat
2008-06-08 14:43:31 0 d-------- C:\Documents and Settings\zuiderlingen\Application Data\Netscape
2008-06-08 13:22:40 0 d-------- C:\Documents and Settings\zuiderlingen\Application Data\Mozilla
2008-05-23 00:22:18 3596288 --a----c- C:\WINDOWS\system32\qt-dx331.dll
2008-05-23 00:19:46 196608 --a----c- C:\WINDOWS\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2008-05-23 00:19:46 81920 --a----c- C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2008-05-23 00:18:54 12288 --a----c- C:\WINDOWS\system32\DivXWMPExtType.dll
2008-05-08 22:53:13 0 d-------- C:\Documents and Settings\zuiderlingen\Application Data\GrabIt
2008-04-16 23:36:52 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{327A2340-82F3-423A-B812-616E7A238224}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ECADEB72-BF4C-4F2B-AF21-E622CB9B31DF}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [16-11-2005 22:35 C:\WINDOWS\stsystra.exe]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [12-08-2005 15:43]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [29-11-2005 05:56]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [28-12-2005 12:55]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [10-06-2005 11:44]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [10-06-2005 11:44]
"ShStatEXE"="F:\Network Associates\VirusScan\SHSTAT.exe" [15-10-2003 07:10]
"McAfeeUpdaterUI"="F:\Network Associates\Common Framework\UpdaterUI.exe" [09-06-2004 03:12]
"PinnacleDriverCheck"="C:\WINDOWS\system32\PSDrvCheck.exe" [04-12-2003 12:34]
"RegistryMechanic"="" []
"ZoneAlarm Client"="F:\Zone Labs\ZoneAlarm\zlclient.exe" [02-04-2008 21:07]
"QuickTime Task"="F:\QuickTime\qttask.exe" [31-08-2006 22:20]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [04-08-2004 13:00]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t

C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\
Microsoft Office.lnk - C:\Microsoft Office\Office\OSA9.EXE [21-1-2000 20:15:56]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= F:\SUPERAntiSpyware\SASSEH.DLL [13-05-2008 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
F:\SUPERAntiSpyware\SASWINLO.dll 19-04-2007 13:41 294912 F:\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^.protected]
backup=C:\WINDOWS\pss\.protectedCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^Adobe Gamma Loader.exe.lnk]
backup=C:\WINDOWS\pss\Adobe Gamma Loader.exe.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^Adobe Reader Snelle start.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Snelle start.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^Digital Line Detect.lnk]
backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^zuiderlingen^Menu Start^Programma's^Opstarten^.protected]
backup=C:\WINDOWS\pss\.protectedStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\2342e05f.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
C:\Program Files\Dell\QuickSet\Quickset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
"f:\CyberLink\PowerDVD\DVDLauncher.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Eraser]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelWireless]
"C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ModemOnHold]
C:\Program Files\NetWaiting\netWaiting.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]
C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Philips Intelligent Agent]
NOT_IN_USE_DUMMY_PATH

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"F:\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ShowLOMControl]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"F:\Java\jre1.6.0_02\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
F:\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YeppStudioAgent]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zone Labs Client]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"vsmon"=2 (0x2)




-- Hosts -----------------------------------------------------------------------

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

8744 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-06-25 23:03:40 ------------



Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: Dutch

CPU 0: Genuine Intel® CPU T2300 @ 1.66GHz
CPU 1: Genuine Intel® CPU T2300 @ 1.66GHz
Percentage of Memory in Use: 66%
Physical Memory (total/avail): 1022.37 MiB / 342.12 MiB
Pagefile Memory (total/avail): 2459.59 MiB / 1859.86 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1932.07 MiB

C: is Fixed (NTFS) - 11.72 GiB total, 3.04 GiB free.
D: is CDROM (No Media)
F: is Fixed (NTFS) - 24.5 GiB total, 8.99 GiB free.
G: is Fixed (NTFS) - 33.81 GiB total, 15.32 GiB free.

\\.\PHYSICALDRIVE0 - Hitachi HTS541080G9SA00 - 73.13 GiB - 5 partitions
\PARTITION0 - Unknown - 86.26 MiB
\PARTITION1 (bootable) - Installable File System - 11.72 GiB - C:
\PARTITION2 - Unknown - 3 GiB
\PARTITION3 - Extended w/Extended Int 13 - 58.31 GiB - F: - G:



-- Security Center -------------------------------------------------------------

AUOptions is set to notify before download.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.

FW: ZoneAlarm Firewall v7.0.473.000 (Check Point, LTD.)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\fxsclnt.exe"="C:\\WINDOWS\\system32\\fxsclnt.exe:*:Disabled:Microsoft Fax Console"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"F:\\Pinnacle\\Studio 11\\programs\\RM.exe"="F:\\Pinnacle\\Studio 11\\programs\\RM.exe:*:Enabled:Render Manager"
"F:\\Pinnacle\\Studio 11\\programs\\Studio.exe"="F:\\Pinnacle\\Studio 11\\programs\\Studio.exe:*:Enabled:Studio"
"F:\\Pinnacle\\Studio 11\\programs\\PMSRegisterFile.exe"="F:\\Pinnacle\\Studio 11\\programs\\PMSRegisterFile.exe:*:Enabled:PMSRegisterFile"
"F:\\Pinnacle\\Studio 11\\programs\\umi.exe"="F:\\Pinnacle\\Studio 11\\programs\\umi.exe:*:Enabled:umi"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\zuiderlingen\Application Data
CLASSPATH=.;C:\Program Files\Java\j2re1.4.2_03\lib\ext\QTJava.zip
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=DELL
ComSpec=C:\WINDOWS\system32\cmd.exe
DEFAULT_CA_NR=CA6
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\zuiderlingen
LOGONSERVER=\\DELL
NewEnvironment1=C:\Program Files\ATI Technologies\ATI.ACE\
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;F:\QuickTime\QTSystem;F:\Zone;F:\Pinnacle\Shared Files;F:\Pinnacle\Shared Files\Filter
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 14 Stepping 8, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0e08
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\j2re1.4.2_03\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=c:\Temp
TMP=c:\Temp
tvdumpflags=8
USERDOMAIN=DELL
USERNAME=zuiderlingen
USERPROFILE=C:\Documents and Settings\zuiderlingen
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

zuiderlingen (admin)
Janne
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7F003EA4-C704-4DAD-8535-AE841BC7A674}\setup.exe" -l0x9
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware SE Personal --> F:\Lavasoft\AD-AWA~1\UNWISE.EXE F:\Lavasoft\AD-AWA~1\INSTALL.LOG
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe GoLive 5.0 --> MsiExec.exe /I{FBCCF9CE-61EE-425E-BE4D-959D76FA7701}
Adobe GoLive SDK 5.0r4 --> C:\WINDOWS\unvise32.exe f:\Adobe\Adobe GoLive SDK 5.0r4\uninstal.log
Adobe Photoshop 6.0 --> C:\WINDOWS\ISUNINST.EXE -f"f:\Adobe\Photoshop 6.0\Uninst.isu" -c"f:\Adobe\Photoshop 6.0\Uninst.dll"
Adobe Reader 8.1.2 - Nederlands --> MsiExec.exe /I{AC76BA86-7AD7-1043-7B44-A81200000003}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Adobe SVG Viewer 3.0 --> C:\Program Files\Common Files\Adobe\SVG Viewer 3.0\Uninstall\Winstall.exe -u -fC:\Program Files\Common Files\Adobe\SVG Viewer 3.0\Uninstall\Install.log
ARTEuro --> MsiExec.exe /I{1D3C662A-F6C6-4767-A788-7AA43A9A1317}
Ashampoo MP3 Check & Convert 2 --> F:\Ashampoo\ASHAMP~2\UNWISE.EXE F:\Ashampoo\ASHAMP~2\INSTALL.LOG
ATI Catalyst Control Center --> MsiExec.exe /I{0D251F37-10CB-46DF-BFA0-4702218DB0B6}
ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
µTorrent --> "C:\Program Files\uTorrent\uTorrent.exe" /UNINSTALL
Beveiligingsupdate voor Windows XP (KB896358) -->
Beveiligingsupdate voor Windows XP (KB896422) -->
Beveiligingsupdate voor Windows XP (KB896423) -->
Beveiligingsupdate voor Windows XP (KB896424) -->
Beveiligingsupdate voor Windows XP (KB899588) -->
Beveiligingsupdate voor Windows XP (KB899591) -->
Beveiligingsupdate voor Windows XP (KB901214) -->
Beveiligingsupdate voor Windows XP (KB904706) -->
Beveiligingsupdate voor Windows XP (KB905915) -->
Beveiligingsupdate voor Windows XP (KB908519) -->
Beveiligingsupdate voor Windows XP (KB912919) -->
Broadcom Management Programs --> MsiExec.exe /I{26E1BFB0-E87E-4696-9F89-B467F01F81E5}
CCleaner (remove only) --> "f:\CCleaner\uninst.exe"
Conexant HDA D110 MDC V.92 Modem --> C:\Program Files\CONEXANT\CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFA&SUBSYS_14F100C3\HXFSETUP.EXE -U -Idel1028p.inf
ContentSAFER for Wizmax -->
Delta Force 2 --> C:\WINDOWS\IsUninst.exe -fg:\DeltaForce\Uninst.isu
Digital Line Detect --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E646DCF0-5A68-11D5-B229-002078017FBF}\setup.exe" -l0x13 ControlPanel
DivX Codec --> F:\DivX\DivX Codec\DivX\DivXCodecUninstall.exe /CODEC
Google Earth --> MsiExec.exe /I{1E04F83B-2AB9-4301-9EF7-E86307F79C72}
Guitar Pro 5.0 --> "G:\Guitar Pro 5\unins000.exe"
HijackThis 2.0.2 --> "F:\HiJackThis\HijackThis.exe" /uninstall
Hotfix voor Windows XP (KB896256) -->
Hotfix voor Windows XP (KB906569) -->
Hotfix voor Windows XP (KB908673) -->
Intel® PROSet/Wireless Software --> C:\WINDOWS\Installer\iProInst.exe
Internal Network Card Power Management --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1F528948-0E80-4C96-B455-DE4167CB1DF7}\setup.exe" -l0x9 UNINSTALL APPDRVNT4
Java™ 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Macromedia Dreamweaver MX --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{8B4AB829-DFD3-436D-B808-D9733D76C590}\Setup.exe" -l0x9 mmUninstall
Macromedia Extension Manager --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A5BA14E0-7384-11D4-BAE7-00409631A2C8}\setup.exe" -l0x9 mmUninstall
Malwarebytes' Anti-Malware --> "f:\Malwarebytes' Anti-Malware\unins000.exe"
McAfee VirusScan Enterprise --> MsiExec.exe /I{5A28A881-1B9A-4184-98F2-6C625BDE662C}
mCore --> MsiExec.exe /I{E81667C6-2856-46D6-ABEA-6A2F42166779}
MCU --> MsiExec.exe /I{D2988E9B-C73F-422C-AD4B-A66EBE257120}
mDrWiFi --> MsiExec.exe /I{F6090A17-0967-4A8A-B3C3-422A1B514D49}
mHlpDell --> MsiExec.exe /I{49D687E5-6784-431B-A0A2-2F23B8CC5A1B}
Microsoft Bootvis --> MsiExec.exe /I{0F9196C6-58B4-445B-B56E-B1200FECC151}
Microsoft Office 2000 SR-1 Professional --> MsiExec.exe /I{00010413-78E1-11D2-B60F-006097C998E7}
mIWA --> MsiExec.exe /I{3E9D596A-61D4-4239-BD19-2DB984D2A16F}
mLogView --> MsiExec.exe /I{0E2B0B41-7E08-4F9F-B21F-41C4133F43B7}
mMHouse --> MsiExec.exe /I{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}
Mozilla Firefox (2.0.0.14) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
mPfMgr --> MsiExec.exe /I{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}
mPfWiz --> MsiExec.exe /I{90B0D222-8C21-4B35-9262-53B042F18AF9}
mProSafe --> MsiExec.exe /I{23FB368F-1399-4EAC-817C-4B83ECBE3D83}
mSSO --> MsiExec.exe /I{06BE8AFD-A8E2-4B63-BAE7-287016D16ACB}
mWlsSafe --> MsiExec.exe /I{FCA651F3-5BDA-4DDA-9E4A-5D87D6914CC4}
mWMI --> MsiExec.exe /I{63DB9CCD-2B56-4217-9A3D-507AC78320CA}
mXML --> MsiExec.exe /I{9CC89556-3578-48DD-8408-04E66EBEF401}
mZConfig --> MsiExec.exe /I{94658027-9F16-4509-BBD7-A59FE57C3023}
Nero 6 Ultra Edition --> f:\ahead\nero\uninstall\UNNERO.exe /UNINSTALL
Nero Digital --> C:\WINDOWS\UNNeroVision.exe /UNINSTALL
NetWaiting --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3F92ABBB-6BBF-11D5-B229-002078017FBF}\setup.exe" -l0x13 ControlPanel
PDFCreator --> "f:\PDFCreator\unins000.exe"
Pinnacle Instant DVD Recorder --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EF781A5C-58F5-4BFD-87F9-E4F14D382F25}\setup.exe" -l0x13 UNINSTALL
PowerDVD 5.9 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\Setup.exe" -uninstall
PowerQuest PartitionMagic 7.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1E5007FA-DA5E-4EDD-BDE5-14D128D66887}\Setup.exe"
proDAD Heroglyph 2.5 --> "C:\Program Files\proDAD\Heroglyph-2.5\uninstall.exe" uninstall spcp PATHVERSION 2.5 MAINNAME Heroglyph
proDAD Vitascene 1.0 --> "C:\Program Files\proDAD\Vitascene-1.0\uninstall.exe" uninstall spcp PATHVERSION 1.0 MAINNAME Vitascene
QuickSet --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C5074CC4-0E26-4716-A307-960272A90040}\setup.exe" -l0x9 APPDRVNT4
QuickTime --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{C21D5524-A970-42FA-AC8A-59B8C7CDCA31} /l1043
Registry Mechanic 7.0 --> "f:\Registry Mechanic\unins000.exe"
SamsungMediaStudio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{289CA3B4-9525-4B31-B58F-D76B2B52EA5A}\Setup.exe" -l0x9
Sony Ericsson PC Suite --> MsiExec.exe /I{5F0FC860-ADE1-4B2D-B0A9-CB9FB17C46E8}
Spybot - Search & Destroy --> "f:\Spybot - Search & Destroy\unins000.exe"
Spyware Doctor 5.5 --> f:\Spyware Doctor\unins000.exe /LOG
Studio 11 --> C:\Program Files\InstallShield Installation Information\{110B1ADF-2EAE-4E8F-B501-D2A1E6D8ED9D}\Setup2.exe -runfromtemp -l0x0013 UNINSTALL -removeonly
Studio 11 Bonus DVD --> C:\Program Files\InstallShield Installation Information\{45A1BF92-700A-4408-B95E-79F462E3D67D}\setup.exe -runfromtemp -l0x0013 UNINSTALL -removeonly
SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
Synaptics Pointing Device Driver --> rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
Webclient voor Terminal Services --> rundll32 advpack.dll,LaunchINFSection C:\InetPub\wwwroot\TSWeb\setup.inf,DefaultUninstall,,
Windows Defender --> MsiExec.exe /I{A06275F4-324B-4E85-95E6-87B2CD729401}
Windows Defender Signatures --> MsiExec.exe /I{A5CC2A09-E9D3-49EC-923D-03874BBD4C2C}
Windows Live Messenger --> MsiExec.exe /I{9816B8B8-4B53-4D3D-9235-AD931252001D}
WinRAR --> f:\WinRAR\uninstall.exe
XviD MPEG-4 Video Codec --> f:\XviD\unins000.exe
Yahoo! Desktop Login --> MsiExec.exe /I{F9AEEC34-CF00-4CBD-9E36-DF9DC4002685}
ZoneAlarm --> F:\Zone Labs\ZoneAlarm\zauninst.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type4987 / Warning
Event Submitted/Written: 06/25/2008 08:46:59 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows kan het klassenregisterbestand niet uit het geheugen verwijderen omdat het momenteel door een andere toepassing of service wordt gebruikt. Het bestand wordt uit het geheugen verwijderd als het niet meer wordt gebruikt.

Event Record #/Type4981 / Warning
Event Submitted/Written: 06/24/2008 11:35:15 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows kan het klassenregisterbestand niet uit het geheugen verwijderen omdat het momenteel door een andere toepassing of service wordt gebruikt. Het bestand wordt uit het geheugen verwijderd als het niet meer wordt gebruikt.

Event Record #/Type4980 / Error
Event Submitted/Written: 06/24/2008 03:30:59 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Vastgelopen toepassing: OUTLOOK.EXE, versie: 9.0.0.2416, vastgelopen module: hungapp, versie: 0.0.0.0, vastgelopen op: 0x00000000.

Event Record #/Type4979 / Error
Event Submitted/Written: 06/24/2008 03:30:03 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Vastgelopen toepassing: OUTLOOK.EXE, versie: 9.0.0.2416, vastgelopen module: hungapp, versie: 0.0.0.0, vastgelopen op: 0x00000000.

Event Record #/Type4978 / Error
Event Submitted/Written: 06/24/2008 03:23:59 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Vastgelopen toepassing: OUTLOOK.EXE, versie: 9.0.0.2416, vastgelopen module: hungapp, versie: 0.0.0.0, vastgelopen op: 0x00000000.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type119645 / Error
Event Submitted/Written: 06/25/2008 10:45:06 PM
Event ID/Source: 10021 / DCOM
Event Description:
De security descriptor voor starten en activeren voor de COM-servertoepassing met CLSID
{2A6D72F1-6E7E-4702-B99C-E40D3DED33C3}
is ongeldig. Deze bevat ACE's met machtigingen die ongeldig zijn. De aangevraagde actie is daarom niet uitgevoerd. Deze beveiligingsmachtiging kan worden gecorrigeerd met het beheerdershulpprogramma van Component Services.

Event Record #/Type119644 / Error
Event Submitted/Written: 06/25/2008 10:45:06 PM
Event ID/Source: 10021 / DCOM
Event Description:
De security descriptor voor starten en activeren voor de COM-servertoepassing met CLSID
{2A6D72F1-6E7E-4702-B99C-E40D3DED33C3}
is ongeldig. Deze bevat ACE's met machtigingen die ongeldig zijn. De aangevraagde actie is daarom niet uitgevoerd. Deze beveiligingsmachtiging kan worden gecorrigeerd met het beheerdershulpprogramma van Component Services.

Event Record #/Type119643 / Error
Event Submitted/Written: 06/25/2008 10:45:06 PM
Event ID/Source: 10021 / DCOM
Event Description:
De security descriptor voor starten en activeren voor de COM-servertoepassing met CLSID
{2A6D72F1-6E7E-4702-B99C-E40D3DED33C3}
is ongeldig. Deze bevat ACE's met machtigingen die ongeldig zijn. De aangevraagde actie is daarom niet uitgevoerd. Deze beveiligingsmachtiging kan worden gecorrigeerd met het beheerdershulpprogramma van Component Services.

Event Record #/Type119642 / Error
Event Submitted/Written: 06/25/2008 10:45:05 PM
Event ID/Source: 10021 / DCOM
Event Description:
De security descriptor voor starten en activeren voor de COM-servertoepassing met CLSID
{2A6D72F1-6E7E-4702-B99C-E40D3DED33C3}
is ongeldig. Deze bevat ACE's met machtigingen die ongeldig zijn. De aangevraagde actie is daarom niet uitgevoerd. Deze beveiligingsmachtiging kan worden gecorrigeerd met het beheerdershulpprogramma van Component Services.

Event Record #/Type119629 / Error
Event Submitted/Written: 06/25/2008 10:43:31 PM
Event ID/Source: 10021 / DCOM
Event Description:
De security descriptor voor starten en activeren voor de COM-servertoepassing met CLSID
{2A6D72F1-6E7E-4702-B99C-E40D3DED33C3}
is ongeldig. Deze bevat ACE's met machtigingen die ongeldig zijn. De aangevraagde actie is daarom niet uitgevoerd. Deze beveiligingsmachtiging kan worden gecorrigeerd met het beheerdershulpprogramma van Component Services.



-- End of Deckard's System Scanner: finished at 2008-06-25 23:03:40 ------------



#2 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:09:00 PM

Posted 25 June 2008 - 10:17 PM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. :thumbsup:



Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\WINDOWS\system32\d3drampg.dll 
    C:\WINDOWS\system32\dsdmoi.dll
    c:\windows\system32\jfqqoiw.dll
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


Also post a new log from DSS.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!
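As an added example (not part of the original thread, and not OTMoveIt2's or HijackThis's own code), here is a small Python triage helper that reads an OTMoveIt2 log in the format the steps above describe and cross-checks it against the O2 (BHO) lines of a fresh HijackThis log, so you can see at a glance which targeted DLLs were actually moved and which are still registered as browser helper objects after the reboot. The OTMoveIt2 sample lines are constructed to mirror the format used in this thread; all function and class names are this example's own.

```python
"""Triage an OTMoveIt2 log against a fresh HijackThis log (added example).

The sample inputs below are constructed, modelled on the log formats quoted in
this thread; every function and class name is this example's own.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed OTMoveIt2 output: one file moved, two locked files deferred to
# reboot, then the reboot phase in which the deferred moves fail again.
OTMOVEIT_LOG = r"""
LoadLibrary failed for C:\WINDOWS\system32\d3drampg.dll
C:\WINDOWS\system32\d3drampg.dll NOT unregistered.
C:\WINDOWS\system32\d3drampg.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\dsdmoi.dll
C:\WINDOWS\system32\dsdmoi.dll NOT unregistered.
File move failed. C:\WINDOWS\system32\dsdmoi.dll scheduled to be moved on reboot.
LoadLibrary failed for c:\windows\system32\jfqqoiw.dll
c:\windows\system32\jfqqoiw.dll NOT unregistered.
File move failed. c:\windows\system32\jfqqoiw.dll scheduled to be moved on reboot.

Files moved on Reboot...
File move failed. C:\WINDOWS\system32\dsdmoi.dll scheduled to be moved on reboot.
File move failed. c:\windows\system32\jfqqoiw.dll scheduled to be moved on reboot.
"""

# HijackThis O2 lines as they appear in the post-reboot scan in this thread.
HJT_LOG = r"""
O2 - BHO: Adobe PDF Reader Help bij koppelingen - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {327A2340-82F3-423A-B812-616E7A238224} - c:\windows\system32\jfqqoiw.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - F:\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {ECADEB72-BF4C-4F2B-AF21-E622CB9B31DF} - C:\WINDOWS\system32\dsdmoi.dll
"""

MOVED_RE = re.compile(r"^(?P<path>.+?) moved successfully\.$")
DEFERRED_RE = re.compile(r"^File move failed\. (?P<path>.+?) scheduled to be moved on reboot\.$")
NOT_UNREG_RE = re.compile(r"^(?P<path>.+?) NOT unregistered\.$")
LOADLIB_RE = re.compile(r"^LoadLibrary failed for (?P<path>.+)$")
REBOOT_PHASE_RE = re.compile(r"^Files moved on Reboot")
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")


def norm(path: str) -> str:
    """Windows paths are case-insensitive; the logs mix C:\\WINDOWS and c:\\windows."""
    return path.strip().lower()


@dataclass
class FileStatus:
    path: str
    outcome: str = "unknown"          # "moved" or "deferred": the last thing OTMoveIt2 reported
    deferred_attempts: int = 0        # how many times the move was pushed to the next reboot
    unregistered: bool = True         # False once the log reports "NOT unregistered"
    loadlibrary_failed: bool = False  # the DLL could not even be loaded for unregistration
    bho_clsids: List[str] = field(default_factory=list)  # BHO CLSIDs still pointing at it


def parse_otmoveit(text: str) -> Dict[str, FileStatus]:
    """Fold every OTMoveIt2 line into a per-file status keyed by normalised path."""
    statuses: Dict[str, FileStatus] = {}

    def entry(path: str) -> FileStatus:
        return statuses.setdefault(norm(path), FileStatus(path=path.strip()))

    for raw in text.splitlines():
        line = raw.strip()
        if not line or REBOOT_PHASE_RE.match(line):
            continue
        if m := MOVED_RE.match(line):
            entry(m["path"]).outcome = "moved"
        elif m := DEFERRED_RE.match(line):
            st = entry(m["path"])
            st.outcome = "deferred"
            st.deferred_attempts += 1
        elif m := NOT_UNREG_RE.match(line):
            entry(m["path"]).unregistered = False
        elif m := LOADLIB_RE.match(line):
            entry(m["path"]).loadlibrary_failed = True
    return statuses


def parse_bhos(text: str) -> List[Tuple[str, str, str]]:
    """Return (clsid, name, path) for every O2 BHO line in a HijackThis log."""
    out: List[Tuple[str, str, str]] = []
    for raw in text.splitlines():
        if m := BHO_RE.match(raw.strip()):
            out.append((m["clsid"], m["name"], m["path"]))
    return out


def triage(otmoveit_text: str, hjt_text: str) -> Dict[str, FileStatus]:
    """Join both logs: a targeted file that is still registered as a BHO is the one to chase."""
    statuses = parse_otmoveit(otmoveit_text)
    for clsid, _name, path in parse_bhos(hjt_text):
        if (st := statuses.get(norm(path))) is not None:
            st.bho_clsids.append(clsid)
    return statuses


def unresolved(statuses: Dict[str, FileStatus]) -> List[str]:
    """Targeted paths that were not moved and still appear as a BHO after the reboot."""
    return sorted(s.path for s in statuses.values() if s.outcome != "moved" and s.bho_clsids)


def unnamed_system32_bhos(hjt_text: str) -> List[str]:
    """Heuristic visible in this thread: a '(no name)' BHO living in system32 deserves a look."""
    return sorted(path for _clsid, name, path in parse_bhos(hjt_text)
                  if name == "(no name)" and "\\system32\\" in path.lower())


if __name__ == "__main__":
    result = triage(OTMOVEIT_LOG, HJT_LOG)
    for st in result.values():
        print(f"{st.path}: {st.outcome}, deferred {st.deferred_attempts}x, "
              f"unregistered={st.unregistered}, BHO CLSIDs={st.bho_clsids}")
    print("still to deal with:", unresolved(result))
```

Paste the real log contents into OTMOVEIT_LOG and HJT_LOG to run it against your own machine's output; a path reported in "still to deal with" is one the move did not resolve.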


========================================================

#3 ghoul

ghoul
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:03:00 AM

Posted 27 June 2008 - 05:34 AM

Sam
unfortunately the file dsdmoi.dll has not been removed and IE 7 will not start up. Please see logs below. Will be standing by for new instructions.

LoadLibrary failed for C:\WINDOWS\system32\d3drampg.dll
C:\WINDOWS\system32\d3drampg.dll NOT unregistered.
C:\WINDOWS\system32\d3drampg.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\dsdmoi.dll
C:\WINDOWS\system32\dsdmoi.dll NOT unregistered.
File move failed. C:\WINDOWS\system32\dsdmoi.dll scheduled to be moved on reboot.
LoadLibrary failed for c:\windows\system32\jfqqoiw.dll
c:\windows\system32\jfqqoiw.dll NOT unregistered.
File move failed. c:\windows\system32\jfqqoiw.dll scheduled to be moved on reboot.

OTMoveIt2 by OldTimer - Version 1.0.4.2 log created on 06272008_115050

Files moved on Reboot...
LoadLibrary failed for C:\WINDOWS\system32\dsdmoi.dll
C:\WINDOWS\system32\dsdmoi.dll NOT unregistered.
File move failed. C:\WINDOWS\system32\dsdmoi.dll scheduled to be moved on reboot.
LoadLibrary failed for c:\windows\system32\jfqqoiw.dll
c:\windows\system32\jfqqoiw.dll NOT unregistered.
File move failed. c:\windows\system32\jfqqoiw.dll scheduled to be moved on reboot.

Deckard's System Scanner v20071014.68
Run by zuiderlingen on 2008-06-27 12:30:01
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as zuiderlingen.exe) ----------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:30:27, on 27-6-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
F:\Network Associates\Common Framework\FrameworkService.exe
F:\Network Associates\VirusScan\Mcshield.exe
F:\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
F:\Network Associates\VirusScan\SHSTAT.EXE
F:\Network Associates\Common Framework\UpdaterUI.exe
F:\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Microsoft Office\Office\1043\msoffice.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\MICROS~1\Office\OUTLOOK.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\zuiderlingen\Bureaublad\dss.exe
F:\HIJACK~1\ZUIDER~1.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www1.euro.dell.com/content/default....;l=nl&s=gen
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: Adobe PDF Reader Help bij koppelingen - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {327A2340-82F3-423A-B812-616E7A238224} - c:\windows\system32\jfqqoiw.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - F:\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {ECADEB72-BF4C-4F2B-AF21-E622CB9B31DF} - C:\WINDOWS\system32\dsdmoi.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ShStatEXE] "F:\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "F:\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [ZoneAlarm Client] "F:\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "F:\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Ontvang alle bestanden door Net Transport - F:\NetTransport 2\NTAddList.html
O8 - Extra context menu item: Ontvangst door Net Transport - F:\NetTransport 2\NTAddLink.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O20 - Winlogon Notify: !SASWinLogon - F:\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - F:\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - F:\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - F:\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - f:\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - f:\Spyware Doctor\pctsSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 7837 bytes

-- Files created between 2008-05-27 and 2008-06-27 -----------------------------

2008-06-25 22:46:29 0 dr-h----- C:\Documents and Settings\zuiderlingen\Onlangs geopend
2008-06-25 22:42:01 0 d-------- C:\_backupD
2008-06-25 20:49:27 0 d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-06-23 21:46:34 0 d-------- C:\Documents and Settings\Administrator\Application Data\Adobe
2008-06-23 21:15:28 0 d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-06-23 21:09:52 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2008-06-23 21:09:52 0 d-------- C:\Documents and Settings\Administrator\Bureaublad
2008-06-23 21:09:52 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-06-23 21:09:52 0 d-------- C:\Documents and Settings\Administrator\Application Data\Sun
2008-06-23 21:09:52 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-06-23 21:09:52 0 d-------- C:\Documents and Settings\Administrator\Application Data\Intel
2008-06-23 21:09:52 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2008-06-23 21:09:52 0 d-------- C:\Documents and Settings\Administrator\Application Data\Corel
2008-06-23 21:09:52 0 d-------- C:\Documents and Settings\Administrator\Application Data\ATI
2008-06-23 21:09:51 0 d--h----- C:\Documents and Settings\Administrator\Sjablonen
2008-06-23 21:09:51 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-06-23 21:09:51 0 dr-h----- C:\Documents and Settings\Administrator\Onlangs geopend
2008-06-23 21:09:51 0 d--h----- C:\Documents and Settings\Administrator\Netwerkprinteromgeving
2008-06-23 21:09:51 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-06-23 21:09:51 0 d-------- C:\Documents and Settings\Administrator\My Documents
2008-06-23 21:09:51 0 dr------- C:\Documents and Settings\Administrator\Mijn documenten
2008-06-23 21:09:51 0 dr------- C:\Documents and Settings\Administrator\Menu Start
2008-06-23 21:09:51 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-06-23 21:09:51 0 dr------- C:\Documents and Settings\Administrator\Favorieten
2008-06-23 21:09:50 2097152 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-06-23 20:43:18 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-06-23 20:43:07 0 d-------- C:\Documents and Settings\zuiderlingen\Application Data\SUPERAntiSpyware.com
2008-06-23 20:42:27 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-23 18:54:57 0 d-------- C:\Documents and Settings\zuiderlingen\Application Data\Malwarebytes
2008-06-23 18:54:54 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-21 17:55:05 0 d-------- C:\Documents and Settings\zuiderlingen\Application Data\PC Tools
2008-06-21 16:47:05 0 d-------- C:\Documents and Settings\zuiderlingen\Application Data\WinRAR
2008-06-21 15:09:01 0 d-------- C:\Program Files\uTorrent
2008-06-21 15:08:53 0 d-------- C:\Documents and Settings\zuiderlingen\Application Data\uTorrent
2008-06-19 23:06:04 0 d-------- C:\cmdcons
2008-06-19 23:04:55 68096 --a------ C:\WINDOWS\zip.exe
2008-06-19 23:04:55 49152 --a------ C:\WINDOWS\VFind.exe
2008-06-19 23:04:55 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-06-19 23:04:55 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-06-19 23:04:55 98816 --a------ C:\WINDOWS\sed.exe
2008-06-19 23:04:55 80412 --a------ C:\WINDOWS\grep.exe
2008-06-19 23:04:55 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-06-19 22:44:53 16384 --a------ C:\WINDOWS\system32\restart.exe <Not Verified; WareSoft Software; restart>
2008-06-19 22:44:53 90112 --a------ C:\WINDOWS\system32\regdacl.exe <Not Verified; Frank Heyne Software; RegTools>
2008-06-19 22:44:53 4096 --a------ C:\WINDOWS\system32\reboot.exe
2008-06-19 22:44:53 53248 --a------ C:\WINDOWS\system32\process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2008-06-19 22:44:53 280286 --a------ C:\win32delfkil.exe <Not Verified; Marckie; >
2008-06-19 22:44:52 0 d-------- C:\WINDOWS\system32\regdacl
2008-06-15 19:54:02 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-12 18:27:48 0 d-------- C:\Documents and Settings\Janne\Application Data\Mozilla
2008-06-12 18:27:48 0 d-------- C:\Documents and Settings\Janne\Application Data\frfdkaea
2008-06-08 17:42:16 0 d-------- C:\Documents and Settings\zuiderlingen\.housecall6.6
2008-06-08 13:22:38 0 d-------- C:\Documents and Settings\zuiderlingen\Application Data\frfdkaea
2008-06-07 16:47:13 0 d-------- C:\Documents and Settings\NetworkService\Application Data\Macromedia
2008-06-07 16:47:12 0 d-------- C:\Documents and Settings\NetworkService\Application Data\Adobe
2008-06-07 16:42:42 0 d-------- C:\Documents and Settings\NetworkService\Application Data\Mozilla
2008-06-07 16:42:42 0 d-------- C:\Documents and Settings\NetworkService\Application Data\frfdkaea
2008-06-06 20:12:52 0 d-------- C:\Program Files\Common Files\Mozilla Shared
2008-06-05 20:00:03 88064 --a------ C:\WINDOWS\system32\dsdmoi.dll
2008-05-31 01:22:48 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-31 01:22:48 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-31 01:22:48 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-31 01:22:46 815104 --a------ C:\WINDOWS\system32\divx_xx0a.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-31 01:22:46 683520 --a------ C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>


-- Find3M Report ---------------------------------------------------------------

2008-06-23 20:42:27 0 d-------- C:\Program Files\Common Files
2008-06-15 19:55:10 437324 --a----c- C:\WINDOWS\system32\perfh013.dat
2008-06-15 19:55:10 67794 --a----c- C:\WINDOWS\system32\perfc013.dat
2008-06-08 14:43:31 0 d-------- C:\Documents and Settings\zuiderlingen\Application Data\Netscape
2008-06-08 13:22:40 0 d-------- C:\Documents and Settings\zuiderlingen\Application Data\Mozilla
2008-05-23 00:22:18 3596288 --a----c- C:\WINDOWS\system32\qt-dx331.dll
2008-05-23 00:19:46 196608 --a----c- C:\WINDOWS\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2008-05-23 00:19:46 81920 --a----c- C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2008-05-23 00:18:54 12288 --a----c- C:\WINDOWS\system32\DivXWMPExtType.dll
2008-05-08 22:53:13 0 d-------- C:\Documents and Settings\zuiderlingen\Application Data\GrabIt
2008-04-16 23:36:52 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{327A2340-82F3-423A-B812-616E7A238224}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ECADEB72-BF4C-4F2B-AF21-E622CB9B31DF}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [16-11-2005 22:35 C:\WINDOWS\stsystra.exe]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [12-08-2005 15:43]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [29-11-2005 05:56]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [28-12-2005 12:55]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [10-06-2005 11:44]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [10-06-2005 11:44]
"ShStatEXE"="F:\Network Associates\VirusScan\SHSTAT.exe" [15-10-2003 07:10]
"McAfeeUpdaterUI"="F:\Network Associates\Common Framework\UpdaterUI.exe" [09-06-2004 03:12]
"PinnacleDriverCheck"="C:\WINDOWS\system32\PSDrvCheck.exe" [04-12-2003 12:34]
"RegistryMechanic"="" []
"ZoneAlarm Client"="F:\Zone Labs\ZoneAlarm\zlclient.exe" [02-04-2008 21:07]
"QuickTime Task"="F:\QuickTime\qttask.exe" [31-08-2006 22:20]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [04-08-2004 13:00]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t

C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\
Microsoft Office.lnk - C:\Microsoft Office\Office\OSA9.EXE [21-1-2000 20:15:56]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= F:\SUPERAntiSpyware\SASSEH.DLL [13-05-2008 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
F:\SUPERAntiSpyware\SASWINLO.dll 19-04-2007 13:41 294912 F:\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^.protected]
backup=C:\WINDOWS\pss\.protectedCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^Adobe Gamma Loader.exe.lnk]
backup=C:\WINDOWS\pss\Adobe Gamma Loader.exe.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^Adobe Reader Snelle start.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Snelle start.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^Digital Line Detect.lnk]
backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^zuiderlingen^Menu Start^Programma's^Opstarten^.protected]
backup=C:\WINDOWS\pss\.protectedStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\2342e05f.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
C:\Program Files\Dell\QuickSet\Quickset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
"f:\CyberLink\PowerDVD\DVDLauncher.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Eraser]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelWireless]
"C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ModemOnHold]
C:\Program Files\NetWaiting\netWaiting.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]
C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Philips Intelligent Agent]
NOT_IN_USE_DUMMY_PATH

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"F:\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ShowLOMControl]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"F:\Java\jre1.6.0_02\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
F:\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YeppStudioAgent]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zone Labs Client]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"vsmon"=2 (0x2)




-- End of Deckard's System Scanner: finished at 2008-06-27 12:33:11 ------------

#4 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:09:00 PM

Posted 27 June 2008 - 11:00 AM

Please download ComboFix and save it to your desktop.
Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#5 ghoul

  • Topic Starter
  • Members
  • 16 posts
  • Local time:03:00 AM

Posted 27 June 2008 - 11:37 AM

Sam

see log below. McAfee still detects trojan horse/IE 7 still does not start.



ComboFix 08-06-19.1 - zuiderlingen 2008-06-27 18:27:39.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1043.18.586 [GMT 2:00]
Gestart vanuit: C:\Documents and Settings\zuiderlingen\Bureaublad\ComboFix.exe
* Nieuw herstelpunt werd aangemaakt
.

(((((((((((((((((((( Bestanden Gemaakt van 2008-05-27 to 2008-06-27 ))))))))))))))))))))))))))))))
.

2008-06-27 18:30 . 2008-06-27 18:30 53,248 --a------ C:\Temp\catchme.dll
2008-06-27 14:07 . 2008-06-27 14:10 <DIR> dr-h----- C:\Documents and Settings\zuiderlingen\Onlangs geopend
2008-06-27 14:04 . 2008-06-27 14:04 16,384 --a----t- C:\Temp\Perflib_Perfdata_e20.dat
2008-06-27 14:04 . 2008-06-27 14:04 16,384 --a----t- C:\Temp\Perflib_Perfdata_a98.dat
2008-06-27 14:04 . 2008-06-27 14:04 16,384 --a----t- C:\Temp\Perflib_Perfdata_548.dat
2008-06-27 11:50 . 2008-06-27 11:50 <DIR> d-------- C:\_OTMoveIt
2008-06-25 22:58 . 2008-06-25 22:58 <DIR> d-------- C:\Deckard
2008-06-25 22:42 . 2008-06-25 22:42 <DIR> d-------- C:\_backupD
2008-06-23 23:23 . 2008-06-25 23:24 76 --a------ C:\WINDOWS\system32\ikhcore.cfg
2008-06-23 21:09 . 2008-06-23 21:09 <DIR> d-------- C:\Documents and Settings\Administrator
2008-06-23 20:43 . 2008-06-23 20:43 <DIR> d-------- C:\Documents and Settings\zuiderlingen\Application Data\SUPERAntiSpyware.com
2008-06-23 20:43 . 2008-06-23 20:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-06-23 20:42 . 2008-06-23 20:42 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-23 18:54 . 2008-06-23 18:54 <DIR> d-------- C:\Documents and Settings\zuiderlingen\Application Data\Malwarebytes
2008-06-23 18:54 . 2008-06-23 18:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-23 18:54 . 2008-06-19 17:48 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-23 18:54 . 2008-06-19 17:47 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-21 17:55 . 2008-06-21 17:55 <DIR> d-------- C:\Documents and Settings\zuiderlingen\Application Data\PC Tools
2008-06-21 17:55 . 2007-12-10 13:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-06-21 17:55 . 2007-12-10 13:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-06-21 17:55 . 2008-02-01 11:55 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-06-21 17:55 . 2007-12-10 13:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-06-21 15:09 . 2008-06-21 15:09 <DIR> d-------- C:\Program Files\uTorrent
2008-06-21 15:08 . 2008-06-21 17:02 <DIR> d-------- C:\Documents and Settings\zuiderlingen\Application Data\uTorrent
2008-06-19 22:44 . 2008-06-19 22:44 <DIR> d-------- C:\WINDOWS\system32\regdacl
2008-06-19 22:44 . 2008-06-19 22:44 280,286 --a------ C:\win32delfkil.exe
2008-06-19 22:44 . 2008-06-25 22:41 90,112 --a------ C:\WINDOWS\system32\regdacl.exe
2008-06-19 22:44 . 2008-06-25 22:41 53,248 --a------ C:\WINDOWS\system32\process.exe
2008-06-19 22:44 . 2008-06-25 22:41 16,384 --a------ C:\WINDOWS\system32\restart.exe
2008-06-19 22:44 . 2008-06-25 22:41 4,096 --a------ C:\WINDOWS\system32\reboot.exe
2008-06-15 19:54 . 2008-06-25 23:38 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-12 18:27 . 2008-06-12 18:27 <DIR> d-------- C:\Documents and Settings\Janne\Application Data\frfdkaea
2008-06-11 21:49 . 2008-06-14 20:00 272,640 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 21:49 . 2008-06-14 20:00 272,640 --------- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-08 17:43 . 2008-06-08 17:42 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-06-08 17:42 . 2008-06-08 17:44 <DIR> d-------- C:\Documents and Settings\zuiderlingen\.housecall6.6
2008-06-08 13:22 . 2008-06-08 13:22 <DIR> d-------- C:\Documents and Settings\zuiderlingen\Application Data\frfdkaea
2008-06-07 16:42 . 2008-06-07 16:42 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\frfdkaea
2008-06-06 20:12 . 2008-06-07 16:42 <DIR> d-------- C:\Program Files\Common Files\Mozilla Shared
2008-06-05 20:00 . 2004-08-04 13:00 88,064 --a------ C:\WINDOWS\system32\dsdmoi.dll

.
((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-27 16:30 21,332,000 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-06-27 11:33 253,592 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-06-23 21:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Albumprinter Pro Editor
2008-06-19 21:11 4,270,121 -c--a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2008-06-19 20:45 469,504 ----a-w C:\WINDOWS\Internet Logs\xDB7.tmp
2008-06-19 20:45 1,616,896 ----a-w C:\WINDOWS\Internet Logs\xDB8.tmp
2008-06-15 20:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-14 20:16 22,528 ----a-w C:\WINDOWS\Internet Logs\xDB6.tmp
2008-06-14 19:11 96,256 ----a-w C:\WINDOWS\Internet Logs\xDB5.tmp
2008-06-13 07:54 22,016 ----a-w C:\WINDOWS\Internet Logs\xDB4.tmp
2008-06-12 20:45 314,880 ----a-w C:\WINDOWS\Internet Logs\xDB3.tmp
2008-06-08 17:44 249,856 ----a-w C:\WINDOWS\Internet Logs\xDB2.tmp
2008-06-08 12:43 --------- d-----w C:\Documents and Settings\zuiderlingen\Application Data\Netscape
2008-06-03 20:11 275,968 ----a-w C:\WINDOWS\Internet Logs\xDB1.tmp
2008-05-30 23:22 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2008-05-30 23:22 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2008-05-30 23:22 815,104 ----a-w C:\WINDOWS\system32\divx_xx0a.dll
2008-05-30 23:22 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2008-05-30 23:22 683,520 ----a-w C:\WINDOWS\system32\DivX.dll
2008-05-30 23:22 593,920 -c--a-w C:\WINDOWS\system32\dpuGUI11.dll
2008-05-30 23:22 57,344 -c--a-w C:\WINDOWS\system32\dpv11.dll
2008-05-30 23:22 53,248 -c--a-w C:\WINDOWS\system32\dpuGUI10.dll
2008-05-30 23:22 344,064 -c--a-w C:\WINDOWS\system32\dpus11.dll
2008-05-30 23:22 294,912 -c--a-w C:\WINDOWS\system32\dpu11.dll
2008-05-30 23:22 294,912 -c--a-w C:\WINDOWS\system32\dpu10.dll
2008-05-22 22:22 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2008-05-22 22:22 3,596,288 -c--a-w C:\WINDOWS\system32\qt-dx331.dll
2008-05-22 22:20 200,704 -c--a-w C:\WINDOWS\system32\ssldivx.dll
2008-05-22 22:20 1,044,480 -c--a-w C:\WINDOWS\system32\libdivx.dll
2008-05-22 22:19 81,920 -c--a-w C:\WINDOWS\system32\dpl100.dll
2008-05-22 22:19 196,608 -c--a-w C:\WINDOWS\system32\dtu100.dll
2008-05-22 22:19 161,096 -c--a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-05-22 22:18 12,288 -c--a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2008-05-08 20:53 --------- d-----w C:\Documents and Settings\zuiderlingen\Application Data\GrabIt
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\dllcache\rmcast.sys
2008-05-07 05:16 1,291,776 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-07 05:16 1,291,776 ----a-w C:\WINDOWS\system32\dllcache\quartz.dll
2008-04-23 20:22 3,591,680 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-04-22 07:42 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-04-22 07:42 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-04-22 07:39 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-04-20 05:07 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2008-04-02 19:07 75,248 ----a-w C:\WINDOWS\zllsputility.exe
2008-04-02 19:07 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll
2006-05-17 19:51 88 -csh--r C:\WINDOWS\system32\E466937696.sys
2007-02-04 09:37 3,610 -csha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{327A2340-82F3-423A-B812-616E7A238224}]
2004-08-04 13:00 84992 --a------ c:\windows\system32\jfqqoiw.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ECADEB72-BF4C-4F2B-AF21-E622CB9B31DF}]
2004-08-04 13:00 88064 --a------ C:\WINDOWS\system32\dsdmoi.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2005-11-16 22:35 397312 C:\WINDOWS\stsystra.exe]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-12 15:43 45056]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-29 05:56 761947]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 12:55 667718]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 11:44 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 11:44 81920]
"ShStatEXE"="F:\Network Associates\VirusScan\SHSTAT.exe" [2003-10-15 07:10 81990]
"McAfeeUpdaterUI"="F:\Network Associates\Common Framework\UpdaterUI.exe" [2004-06-09 03:12 135224]
"PinnacleDriverCheck"="C:\WINDOWS\system32\PSDrvCheck.exe" [2003-12-04 12:34 406016]
"RegistryMechanic"="" []
"ZoneAlarm Client"="F:\Zone Labs\ZoneAlarm\zlclient.exe" [2008-04-02 21:07 919016]
"QuickTime Task"="F:\QuickTime\qttask.exe" [2006-08-31 22:20 282624]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 13:00 15360]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2005-04-25 13:45 36040]

C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\
Microsoft Office.lnk - C:\Microsoft Office\Office\OSA9.EXE [2000-01-21 20:15:56 65588]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= F:\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
F:\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 F:\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.MJPG"= Pvmjpg30.dll
"VIDC.I420"= vdrcodec.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^.protected]
backup=C:\WINDOWS\pss\.protectedCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^Adobe Gamma Loader.exe.lnk]
backup=C:\WINDOWS\pss\Adobe Gamma Loader.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^Adobe Reader Snelle start.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Snelle start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^Digital Line Detect.lnk]
backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^zuiderlingen^Menu Start^Programma's^Opstarten^.protected]
backup=C:\WINDOWS\pss\.protectedStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\2342e05f.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a--c--- 2008-01-11 23:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
--a--c--- 2005-12-15 11:44 839680 C:\Program Files\Dell\QuickSet\Quickset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
-----c--- 2006-04-06 10:51 49152 f:\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Eraser]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelWireless]
--a--c--- 2005-12-28 12:56 602182 C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ModemOnHold]
-----c--- 2003-09-10 03:24 20480 C:\Program Files\NetWaiting\netWaiting.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]
--a--c--- 2005-07-12 20:05 1117184 C:\Program Files\McAfee\SpamKiller\MSKDetct.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
-----c--- 2004-10-13 18:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
--a--c--- 2007-01-19 12:54 5674352 C:\Program Files\MSN Messenger\MsnMsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a--c--- 2006-01-12 15:40 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Philips Intelligent Agent]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a--c--- 2006-08-31 22:20 282624 F:\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ShowLOMControl]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a--c--- 2007-07-12 04:00 132496 F:\Java\jre1.6.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
--a------ 2008-05-28 10:33 1506544 F:\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YeppStudioAgent]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zone Labs Client]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"vsmon"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\fxsclnt.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"F:\\Pinnacle\\Studio 11\\programs\\RM.exe"=
"F:\\Pinnacle\\Studio 11\\programs\\Studio.exe"=
"F:\\Pinnacle\\Studio 11\\programs\\PMSRegisterFile.exe"=
"F:\\Pinnacle\\Studio 11\\programs\\umi.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=

R0 lwopveqo;lwopveqo;C:\WINDOWS\system32\drivers\lwopveqo.sys [2004-08-04 13:00]
R2 NwSapAgent;SAP Agent;C:\WINDOWS\system32\svchost.exe [2004-08-04 13:00]
S3 K320bus;Sony Ericsson K320 driver (WDM);C:\WINDOWS\system32\DRIVERS\K320bus.sys [2006-08-18 11:10]
S3 K320mdfl;Sony Ericsson K320 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\K320mdfl.sys [2006-08-18 11:10]
S3 K320mdm;Sony Ericsson K320 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\K320mdm.sys [2006-08-18 11:10]
S3 K320mgmt;Sony Ericsson K320 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\K320mgmt.sys [2006-08-18 11:10]
S3 K320obex;Sony Ericsson K320 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\K320obex.sys [2006-08-18 11:10]

*Newly Created Service* - CATCHME
.
Inhoud van de 'Gedeelde Taken' map
"2008-06-27 12:00:31 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-27 18:30:16
Windows 5.1.2600 Service Pack 2 NTFS

scannen van verborgen processen ...

scannen van verborgen autostart items ...

scannen van verborgen bestanden ...

Scan succesvol afgerond
verborgen bestanden: 0

**************************************************************************
.
Voltooingstijd: 2008-06-27 18:31:27
ComboFix-quarantined-files.txt 2008-06-27 16:31:20
ComboFix2.txt 2008-06-19 21:35:32
ComboFix3.txt 2008-06-19 21:17:34

Pre-Run: 3,107,241,984 bytes beschikbaar
Post-Run: 3,093,352,448 bytes beschikbaar

226 --- E O F --- 2008-06-27 07:53:08

#6 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:09:00 PM

Posted 27 June 2008 - 01:48 PM

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File(in the menu at the top)>Save as../Save as Type: 'All Files' /File name: CFScript to your desktop.

File::
c:\windows\system32\jfqqoiw.dll
C:\WINDOWS\system32\dsdmoi.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{327A2340-82F3-423A-B812-616E7A238224}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ECADEB72-BF4C-4F2B-AF21-E622CB9B31DF}]

Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.


This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.


========================================================

#7 ghoul

  • Topic Starter
  • Members
  • 16 posts
  • Local time:03:00 AM

Posted 27 June 2008 - 03:53 PM

Sam

Alas... log says files could not be removed... looks quite hopeless.

ComboFix 08-06-19.1 - zuiderlingen 2008-06-27 22:28:55.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1043.18.605 [GMT 2:00]
Gestart vanuit: C:\Documents and Settings\zuiderlingen\Bureaublad\ComboFix.exe
Command switches used :: C:\Documents and Settings\zuiderlingen\Bureaublad\CFScript.txt
* Nieuw herstelpunt werd aangemaakt

FILE ::
C:\WINDOWS\system32\dsdmoi.dll
c:\windows\system32\jfqqoiw.dll
.

(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\dsdmoi.dll . . . . konden niet verwijderd worden
c:\windows\system32\jfqqoiw.dll . . . . konden niet verwijderd worden

.
(((((((((((((((((((( Bestanden Gemaakt van 2008-05-27 to 2008-06-27 ))))))))))))))))))))))))))))))
.

2008-06-27 22:38 . 2008-06-27 22:38 16,384 --a----t- C:\Temp\Perflib_Perfdata_56c.dat
2008-06-27 22:36 . 2008-06-27 22:36 <DIR> d-------- C:\Temp\WPDNSE
2008-06-27 22:36 . 2008-06-27 22:36 53,248 --a------ C:\Temp\catchme.dll
2008-06-27 22:36 . 2008-06-27 22:36 16,384 --a----t- C:\Temp\Perflib_Perfdata_d70.dat
2008-06-27 22:35 . 2008-06-27 22:35 76 --a------ C:\WINDOWS\system32\ikhcore.cfg
2008-06-27 20:12 . 2008-06-27 22:26 <DIR> dr-h----- C:\Documents and Settings\zuiderlingen\Onlangs geopend
2008-06-27 19:53 . 2008-06-27 19:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Tools
2008-06-27 19:53 . 2008-06-27 19:52 159,880 --a------ C:\WINDOWS\system32\drivers\pctfw2.sys
2008-06-27 19:52 . 2008-06-27 19:53 <DIR> d-------- C:\Program Files\Common Files\PC Tools
2008-06-27 11:50 . 2008-06-27 11:50 <DIR> d-------- C:\_OTMoveIt
2008-06-25 22:58 . 2008-06-25 22:58 <DIR> d-------- C:\Deckard
2008-06-25 22:42 . 2008-06-25 22:42 <DIR> d-------- C:\_backupD
2008-06-23 21:09 . 2008-06-23 21:09 <DIR> d-------- C:\Documents and Settings\Administrator
2008-06-23 20:43 . 2008-06-23 20:43 <DIR> d-------- C:\Documents and Settings\zuiderlingen\Application Data\SUPERAntiSpyware.com
2008-06-23 20:43 . 2008-06-23 20:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-06-23 20:42 . 2008-06-23 20:42 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-23 18:54 . 2008-06-23 18:54 <DIR> d-------- C:\Documents and Settings\zuiderlingen\Application Data\Malwarebytes
2008-06-23 18:54 . 2008-06-23 18:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-23 18:54 . 2008-06-19 17:48 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-23 18:54 . 2008-06-19 17:47 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-21 17:55 . 2008-06-21 17:55 <DIR> d-------- C:\Documents and Settings\zuiderlingen\Application Data\PC Tools
2008-06-21 17:55 . 2007-12-10 13:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-06-21 17:55 . 2007-12-10 13:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-06-21 17:55 . 2008-02-01 11:55 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-06-21 17:55 . 2007-12-10 13:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-06-21 15:09 . 2008-06-21 15:09 <DIR> d-------- C:\Program Files\uTorrent
2008-06-21 15:08 . 2008-06-21 17:02 <DIR> d-------- C:\Documents and Settings\zuiderlingen\Application Data\uTorrent
2008-06-19 22:44 . 2008-06-19 22:44 <DIR> d-------- C:\WINDOWS\system32\regdacl
2008-06-19 22:44 . 2008-06-19 22:44 280,286 --a------ C:\win32delfkil.exe
2008-06-19 22:44 . 2008-06-25 22:41 90,112 --a------ C:\WINDOWS\system32\regdacl.exe
2008-06-19 22:44 . 2008-06-25 22:41 53,248 --a------ C:\WINDOWS\system32\process.exe
2008-06-19 22:44 . 2008-06-25 22:41 16,384 --a------ C:\WINDOWS\system32\restart.exe
2008-06-19 22:44 . 2008-06-25 22:41 4,096 --a------ C:\WINDOWS\system32\reboot.exe
2008-06-15 19:54 . 2008-06-27 22:37 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-12 18:27 . 2008-06-12 18:27 <DIR> d-------- C:\Documents and Settings\Janne\Application Data\frfdkaea
2008-06-11 21:49 . 2008-06-14 20:00 272,640 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 21:49 . 2008-06-14 20:00 272,640 --------- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-08 17:43 . 2008-06-08 17:42 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-06-08 17:42 . 2008-06-08 17:44 <DIR> d-------- C:\Documents and Settings\zuiderlingen\.housecall6.6
2008-06-08 13:22 . 2008-06-08 13:22 <DIR> d-------- C:\Documents and Settings\zuiderlingen\Application Data\frfdkaea
2008-06-07 16:42 . 2008-06-07 16:42 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\frfdkaea
2008-06-06 20:12 . 2008-06-07 16:42 <DIR> d-------- C:\Program Files\Common Files\Mozilla Shared
2008-06-05 20:00 . 2004-08-04 13:00 88,064 --a------ C:\WINDOWS\system32\dsdmoi.dll

.
((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-27 20:38 21,452,832 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-06-27 20:33 255,488 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-06-27 20:32 84,992 ----a-w C:\WINDOWS\system32\yijuwxm.dll
2008-06-23 21:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Albumprinter Pro Editor
2008-06-19 21:11 4,270,121 -c--a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2008-06-19 20:45 469,504 ----a-w C:\WINDOWS\Internet Logs\xDB7.tmp
2008-06-19 20:45 1,616,896 ----a-w C:\WINDOWS\Internet Logs\xDB8.tmp
2008-06-15 20:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-14 20:16 22,528 ----a-w C:\WINDOWS\Internet Logs\xDB6.tmp
2008-06-14 19:11 96,256 ----a-w C:\WINDOWS\Internet Logs\xDB5.tmp
2008-06-13 07:54 22,016 ----a-w C:\WINDOWS\Internet Logs\xDB4.tmp
2008-06-12 20:45 314,880 ----a-w C:\WINDOWS\Internet Logs\xDB3.tmp
2008-06-08 17:44 249,856 ----a-w C:\WINDOWS\Internet Logs\xDB2.tmp
2008-06-08 12:43 --------- d-----w C:\Documents and Settings\zuiderlingen\Application Data\Netscape
2008-06-03 20:11 275,968 ----a-w C:\WINDOWS\Internet Logs\xDB1.tmp
2008-05-30 23:22 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2008-05-30 23:22 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2008-05-30 23:22 815,104 ----a-w C:\WINDOWS\system32\divx_xx0a.dll
2008-05-30 23:22 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2008-05-30 23:22 683,520 ----a-w C:\WINDOWS\system32\DivX.dll
2008-05-30 23:22 593,920 -c--a-w C:\WINDOWS\system32\dpuGUI11.dll
2008-05-30 23:22 57,344 -c--a-w C:\WINDOWS\system32\dpv11.dll
2008-05-30 23:22 53,248 -c--a-w C:\WINDOWS\system32\dpuGUI10.dll
2008-05-30 23:22 344,064 -c--a-w C:\WINDOWS\system32\dpus11.dll
2008-05-30 23:22 294,912 -c--a-w C:\WINDOWS\system32\dpu11.dll
2008-05-30 23:22 294,912 -c--a-w C:\WINDOWS\system32\dpu10.dll
2008-05-22 22:22 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2008-05-22 22:22 3,596,288 -c--a-w C:\WINDOWS\system32\qt-dx331.dll
2008-05-22 22:20 200,704 -c--a-w C:\WINDOWS\system32\ssldivx.dll
2008-05-22 22:20 1,044,480 -c--a-w C:\WINDOWS\system32\libdivx.dll
2008-05-22 22:19 81,920 -c--a-w C:\WINDOWS\system32\dpl100.dll
2008-05-22 22:19 196,608 -c--a-w C:\WINDOWS\system32\dtu100.dll
2008-05-22 22:19 161,096 -c--a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-05-22 22:18 12,288 -c--a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2008-05-08 20:53 --------- d-----w C:\Documents and Settings\zuiderlingen\Application Data\GrabIt
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\dllcache\rmcast.sys
2008-05-07 05:16 1,291,776 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-07 05:16 1,291,776 ----a-w C:\WINDOWS\system32\dllcache\quartz.dll
2008-04-23 20:22 3,591,680 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-04-22 07:42 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-04-22 07:42 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-04-22 07:39 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-04-20 05:07 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2008-04-02 19:07 75,248 ----a-w C:\WINDOWS\zllsputility.exe
2008-04-02 19:07 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll
2006-05-17 19:51 88 -csh--r C:\WINDOWS\system32\E466937696.sys
2007-02-04 09:37 3,610 -csha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{327A2340-82F3-423A-B812-616E7A238224}]
2008-06-27 22:32 84992 --a------ c:\windows\system32\jfqqoiw.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ECADEB72-BF4C-4F2B-AF21-E622CB9B31DF}]
2004-08-04 13:00 88064 --a------ C:\WINDOWS\system32\dsdmoi.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2005-11-16 22:35 397312 C:\WINDOWS\stsystra.exe]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-12 15:43 45056]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-29 05:56 761947]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 12:55 667718]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 11:44 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 11:44 81920]
"ShStatEXE"="F:\Network Associates\VirusScan\SHSTAT.exe" [2003-10-15 07:10 81990]
"McAfeeUpdaterUI"="F:\Network Associates\Common Framework\UpdaterUI.exe" [2004-06-09 03:12 135224]
"PinnacleDriverCheck"="C:\WINDOWS\system32\PSDrvCheck.exe" [2003-12-04 12:34 406016]
"RegistryMechanic"="" []
"ZoneAlarm Client"="F:\Zone Labs\ZoneAlarm\zlclient.exe" [2008-04-02 21:07 919016]
"QuickTime Task"="F:\QuickTime\qttask.exe" [2006-08-31 22:20 282624]
"ISTray"="f:\Spyware Doctor\pctsTray.exe" [2008-04-10 15:14 1107848]
"combofix"="C:\WINDOWS\system32\CF30487.exe" [2004-08-04 13:00 399360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 13:00 15360]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2005-04-25 13:45 36040]

C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\
Microsoft Office.lnk - C:\Microsoft Office\Office\OSA9.EXE [2000-01-21 20:15:56 65588]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= F:\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
F:\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 F:\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.MJPG"= Pvmjpg30.dll
"VIDC.I420"= vdrcodec.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^.protected]
backup=C:\WINDOWS\pss\.protectedCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^Adobe Gamma Loader.exe.lnk]
backup=C:\WINDOWS\pss\Adobe Gamma Loader.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^Adobe Reader Snelle start.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Snelle start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^Digital Line Detect.lnk]
backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^zuiderlingen^Menu Start^Programma's^Opstarten^.protected]
backup=C:\WINDOWS\pss\.protectedStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\2342e05f.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a--c--- 2008-01-11 23:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
--a--c--- 2005-12-15 11:44 839680 C:\Program Files\Dell\QuickSet\Quickset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
-----c--- 2006-04-06 10:51 49152 f:\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Eraser]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelWireless]
--a--c--- 2005-12-28 12:56 602182 C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ModemOnHold]
-----c--- 2003-09-10 03:24 20480 C:\Program Files\NetWaiting\netWaiting.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]
--a--c--- 2005-07-12 20:05 1117184 C:\Program Files\McAfee\SpamKiller\MSKDetct.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
-----c--- 2004-10-13 18:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
--a--c--- 2007-01-19 12:54 5674352 C:\Program Files\MSN Messenger\MsnMsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a--c--- 2006-01-12 15:40 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Philips Intelligent Agent]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a--c--- 2006-08-31 22:20 282624 F:\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ShowLOMControl]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a--c--- 2007-07-12 04:00 132496 F:\Java\jre1.6.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
--a------ 2008-05-28 10:33 1506544 F:\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YeppStudioAgent]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zone Labs Client]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"vsmon"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\fxsclnt.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"F:\\Pinnacle\\Studio 11\\programs\\RM.exe"=
"F:\\Pinnacle\\Studio 11\\programs\\Studio.exe"=
"F:\\Pinnacle\\Studio 11\\programs\\PMSRegisterFile.exe"=
"F:\\Pinnacle\\Studio 11\\programs\\umi.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=

R0 lwopveqo;lwopveqo;C:\WINDOWS\system32\drivers\lwopveqo.sys [2004-08-04 13:00]
R1 pctfw2;pctfw2;C:\WINDOWS\system32\drivers\pctfw2.sys [2008-06-27 19:52]
R2 NwSapAgent;SAP Agent;C:\WINDOWS\system32\svchost.exe [2004-08-04 13:00]
S3 K320bus;Sony Ericsson K320 driver (WDM);C:\WINDOWS\system32\DRIVERS\K320bus.sys [2006-08-18 11:10]
S3 K320mdfl;Sony Ericsson K320 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\K320mdfl.sys [2006-08-18 11:10]
S3 K320mdm;Sony Ericsson K320 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\K320mdm.sys [2006-08-18 11:10]
S3 K320mgmt;Sony Ericsson K320 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\K320mgmt.sys [2006-08-18 11:10]
S3 K320obex;Sony Ericsson K320 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\K320obex.sys [2006-08-18 11:10]

.
Inhoud van de 'Gedeelde Taken' map
"2008-06-27 20:37:27 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-27 22:37:01
Windows 5.1.2600 Service Pack 2 NTFS

scannen van verborgen processen ...

scannen van verborgen autostart items ...

scannen van verborgen bestanden ...

Scan succesvol afgerond
verborgen bestanden: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
F:\Network Associates\Common Framework\FrameworkService.exe
F:\NETWOR~1\COMMON~1\naPrdMgr.exe
F:\Network Associates\VirusScan\Mcshield.exe
F:\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Dell\NicConfigSvc\NicConfigSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
F:\Spyware Doctor\pctsAuxs.exe
F:\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Microsoft Office\Office\1043\MSOFFICE.EXE
C:\WINDOWS\system32\wbem\wmiapsrv.exe
.
**************************************************************************
.
Voltooingstijd: 2008-06-27 22:40:41 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-27 20:40:33
ComboFix2.txt 2008-06-27 16:31:28
ComboFix3.txt 2008-06-19 21:35:32
ComboFix4.txt 2008-06-19 21:17:34

Pre-Run: 3,035,930,624 bytes beschikbaar
Post-Run: 3,038,052,352 bytes beschikbaar

262 --- E O F --- 2008-06-27 07:53:08

#8 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:09:00 PM

Posted 27 June 2008 - 03:56 PM

Not hopeless, just challenging right now. I just need to find the rootkit and then we'll get rid of them.

Can you translate this for me?

konden niet verwijderd worden


If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#9 ghoul

ghoul
  • Topic Starter

  • Members
  • 16 posts
  • Local time:03:00 AM

Posted 27 June 2008 - 04:00 PM

could not be removed

#10 ghoul

ghoul
  • Topic Starter

  • Members
  • 16 posts
  • Local time:03:00 AM

Posted 27 June 2008 - 04:01 PM

could not be removed



#11 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:09:00 PM

Posted 27 June 2008 - 04:02 PM

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript, and save it to your desktop.

Driver::
lwopveqo

Dirlook::
C:\Documents and Settings\Janne\Application Data\frfdkaea
C:\Documents and Settings\zuiderlingen\Application Data\frfdkaea
C:\Documents and Settings\NetworkService\Application Data\frfdkaea

File::
C:\WINDOWS\system32\drivers\lwopveqo.sys
c:\windows\system32\jfqqoiw.dll
C:\WINDOWS\system32\dsdmoi.dll

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\2342e05f.exe]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{327A2340-82F3-423A-B812-616E7A238224}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ECADEB72-BF4C-4F2B-AF21-E622CB9B31DF}]

Prior to running ComboFix.exe, you should disable your antivirus program and disconnect from the internet.

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

[image: the CFScript file being dragged onto ComboFix.exe]

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.


========================================================
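Why the script above singles out exactly those entries is worth making explicit, because the same pattern recurs in many threads of this kind. What follows is an added example, not ComboFix code and not something any poster in this thread ran: a small Python triage helper that scans ComboFix-style log lines for two signals that are visible in the log quoted earlier. First, names that look machine-generated (lwopveqo, jfqqoiw, dsdmoi, frfdkaea, yijuwxm are all lowercase, 6 to 9 letters, and built from letter pairs that rarely occur in English words or product names). Second, a file that appears in the "created in the last 30 days" listing but carries the modified stamp of the stock XP files in this log (dsdmoi.dll was created 2008-06-05 yet is stamped 2004-08-04 13:00, the same date the ctfmon.exe entry shows): a brand-new file wearing the operating system's own date. The bigram list is a hand-abbreviated top of the standard English bigram frequency table, and the stock timestamp is read off this log; both are assumptions you would adjust for another machine. The sample lines are copied from the log above, with a few legitimate entries from the same log mixed in.

```python
"""Triage helper for ComboFix-style log lines.

Added example for this thread; it is not ComboFix code and not something
any poster here ran. Two heuristics produce a shortlist for a human:

1. Names that look machine-generated: all lowercase letters, 6-9 long,
   with few common English letter pairs (lwopveqo, jfqqoiw, dsdmoi, ...).
2. Files in the "created in the last 30 days" listing whose modified
   stamp equals the stock-file date seen in this log (2004-08-04 13:00).
"""
import re

# Hand-abbreviated top of the standard English bigram frequency table (constructed).
COMMON_BIGRAMS = set("""
th he in er an re on at en nd ti es or te of ed is it al ar st to nt ng
se ha as ou io le ve co me de hi ri ro ic ne ea ra ce li ch ll be ma si
om ur ca el ta la ns di fo ho pe ec pr no ct us ac ot il tr ly nc et ut
ss so rs un lo wa ge ie wh ee wi em ad ol rt po qu ck sh id fi mo op
""".split())

# Assumption: modified stamp of the stock system files, read off the
# ctfmon.exe Run entry in this log. Adjust for another machine's install media.
OS_BUILD_STAMP = "2004-08-04 13:00"

NAME_RE = re.compile(r"^[a-z]{6,9}$")                      # lowercase, 6-9 letters
PATH_RE = re.compile(r'[A-Za-z]:\\[^\[\]";]+')            # Windows paths in a line
SERVICE_RE = re.compile(r"^[RS][0-4] ([^;]+);")            # "R0 name;display;path [stamp]"
CREATED_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d) \. (\d{4}-\d\d-\d\d \d\d:\d\d) ")  # "created . modified"


def stem(name):
    """File name without its last extension: 'lwopveqo.sys' -> 'lwopveqo'."""
    return name.rsplit(".", 1)[0]


def bigram_score(word):
    """Fraction of adjacent letter pairs in `word` that are common English bigrams."""
    pairs = [word[i:i + 2] for i in range(len(word) - 1)]
    if not pairs:
        return 1.0
    return sum(p in COMMON_BIGRAMS for p in pairs) / len(pairs)


def looks_generated(name, threshold=0.30):
    """True when a file, folder or service name looks machine-generated."""
    s = stem(name)
    return bool(NAME_RE.match(s)) and bigram_score(s) < threshold


def triage(log_text):
    """Map each suspicious name stem to the list of reasons it was flagged."""
    findings = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        created = CREATED_RE.match(line)
        # Basenames of every path on the line, plus the service name if any.
        names = [p.rstrip().rstrip("\\").rsplit("\\", 1)[-1] for p in PATH_RE.findall(line)]
        svc = SERVICE_RE.match(line)
        if svc:
            names.append(svc.group(1))
        for name in names:
            reasons = []
            if looks_generated(name):
                reasons.append("generated-looking name (bigram score %.2f)" % bigram_score(stem(name)))
            if created and created.group(2) == OS_BUILD_STAMP:
                reasons.append("created %s but modified stamp matches stock OS files" % created.group(1))
            for r in reasons:
                bucket = findings.setdefault(stem(name).lower(), [])
                if r not in bucket:
                    bucket.append(r)
    return findings


# Lines copied from the ComboFix log quoted earlier in this thread, mixed with
# legitimate entries from the same log so the non-flagged side is visible too.
SAMPLE_LOG = r"""
2008-06-05 20:00 . 2004-08-04 13:00 88,064 --a------ C:\WINDOWS\system32\dsdmoi.dll
2008-06-12 18:27 . 2008-06-12 18:27 <DIR> d-------- C:\Documents and Settings\Janne\Application Data\frfdkaea
2008-06-11 21:49 . 2008-06-14 20:00 272,640 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-27 20:32 84,992 ----a-w C:\WINDOWS\system32\yijuwxm.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{327A2340-82F3-423A-B812-616E7A238224}]
2008-06-27 22:32 84992 --a------ c:\windows\system32\jfqqoiw.dll
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00 15360]
R0 lwopveqo;lwopveqo;C:\WINDOWS\system32\drivers\lwopveqo.sys [2004-08-04 13:00]
R1 pctfw2;pctfw2;C:\WINDOWS\system32\drivers\pctfw2.sys [2008-06-27 19:52]
S3 K320bus;Sony Ericsson K320 driver (WDM);C:\WINDOWS\system32\DRIVERS\K320bus.sys [2006-08-18 11:10]
"""

if __name__ == "__main__":
    for name, reasons in sorted(triage(SAMPLE_LOG).items()):
        print(name, "->", "; ".join(reasons))
```

On the sample it flags dsdmoi (both reasons), frfdkaea, jfqqoiw, lwopveqo and yijuwxm, and leaves ctfmon, bthport, pctfw2 and K320bus alone. It is a shortlist, not a verdict: lowercase abbreviations such as wmiapsrv.exe from the running-process list above would also score low on the bigram test, and files shipped by a hotfix can legitimately carry an older modified stamp, so a hit is a reason to check the file's publisher and digital signature before putting it in a File:: section.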

#12 ghoul

ghoul
  • Topic Starter

  • Members
  • 16 posts
  • Local time:03:00 AM

Posted 27 June 2008 - 04:26 PM

Sam,
After rebooting the system, the New Hardware wizard appeared. Is this a result of removing the file C:\WINDOWS\system32\drivers\lwopveqo.sys? I have no idea what hardware used this file.
Anyway, IE 7 starts up: no messages from McAfee. Light at the end of the tunnel? Please see the log below.

ComboFix 08-06-19.1 - zuiderlingen 2008-06-27 23:11:07.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1043.18.580 [GMT 2:00]
Gestart vanuit: C:\Documents and Settings\zuiderlingen\Bureaublad\ComboFix.exe
Command switches used :: C:\Documents and Settings\zuiderlingen\Bureaublad\CFScript.txt
* Nieuw herstelpunt werd aangemaakt

FILE ::
C:\WINDOWS\system32\drivers\lwopveqo.sys
C:\WINDOWS\system32\dsdmoi.dll
c:\windows\system32\jfqqoiw.dll
.

(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drivers\lwopveqo.sys
C:\WINDOWS\system32\dsdmoi.dll
c:\windows\system32\jfqqoiw.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_LWOPVEQO
-------\Service_lwopveqo


(((((((((((((((((((( Bestanden Gemaakt van 2008-05-27 to 2008-06-27 ))))))))))))))))))))))))))))))
.

2008-06-27 23:17 . 2008-06-27 23:17 <DIR> d-------- C:\Temp\WPDNSE
2008-06-27 23:16 . 2008-06-27 23:16 53,248 --a------ C:\Temp\catchme.dll
2008-06-27 22:35 . 2008-06-27 22:35 76 --a------ C:\WINDOWS\system32\ikhcore.cfg
2008-06-27 20:12 . 2008-06-27 23:08 <DIR> dr-h----- C:\Documents and Settings\zuiderlingen\Onlangs geopend
2008-06-27 19:53 . 2008-06-27 19:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Tools
2008-06-27 19:53 . 2008-06-27 19:52 159,880 --a------ C:\WINDOWS\system32\drivers\pctfw2.sys
2008-06-27 19:52 . 2008-06-27 19:53 <DIR> d-------- C:\Program Files\Common Files\PC Tools
2008-06-27 11:50 . 2008-06-27 11:50 <DIR> d-------- C:\_OTMoveIt
2008-06-25 22:58 . 2008-06-25 22:58 <DIR> d-------- C:\Deckard
2008-06-25 22:42 . 2008-06-25 22:42 <DIR> d-------- C:\_backupD
2008-06-23 21:09 . 2008-06-23 21:09 <DIR> d-------- C:\Documents and Settings\Administrator
2008-06-23 20:43 . 2008-06-23 20:43 <DIR> d-------- C:\Documents and Settings\zuiderlingen\Application Data\SUPERAntiSpyware.com
2008-06-23 20:43 . 2008-06-23 20:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-06-23 20:42 . 2008-06-23 20:42 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-23 18:54 . 2008-06-23 18:54 <DIR> d-------- C:\Documents and Settings\zuiderlingen\Application Data\Malwarebytes
2008-06-23 18:54 . 2008-06-23 18:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-23 18:54 . 2008-06-19 17:48 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-23 18:54 . 2008-06-19 17:47 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-21 17:55 . 2008-06-21 17:55 <DIR> d-------- C:\Documents and Settings\zuiderlingen\Application Data\PC Tools
2008-06-21 17:55 . 2007-12-10 13:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-06-21 17:55 . 2007-12-10 13:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-06-21 17:55 . 2008-02-01 11:55 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-06-21 17:55 . 2007-12-10 13:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-06-21 15:09 . 2008-06-21 15:09 <DIR> d-------- C:\Program Files\uTorrent
2008-06-21 15:08 . 2008-06-21 17:02 <DIR> d-------- C:\Documents and Settings\zuiderlingen\Application Data\uTorrent
2008-06-19 22:44 . 2008-06-19 22:44 <DIR> d-------- C:\WINDOWS\system32\regdacl
2008-06-19 22:44 . 2008-06-19 22:44 280,286 --a------ C:\win32delfkil.exe
2008-06-19 22:44 . 2008-06-25 22:41 90,112 --a------ C:\WINDOWS\system32\regdacl.exe
2008-06-19 22:44 . 2008-06-25 22:41 53,248 --a------ C:\WINDOWS\system32\process.exe
2008-06-19 22:44 . 2008-06-25 22:41 16,384 --a------ C:\WINDOWS\system32\restart.exe
2008-06-19 22:44 . 2008-06-25 22:41 4,096 --a------ C:\WINDOWS\system32\reboot.exe
2008-06-15 19:54 . 2008-06-27 23:10 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-12 18:27 . 2008-06-12 18:27 <DIR> d-------- C:\Documents and Settings\Janne\Application Data\frfdkaea
2008-06-11 21:49 . 2008-06-14 20:00 272,640 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 21:49 . 2008-06-14 20:00 272,640 --------- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-08 17:43 . 2008-06-08 17:42 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-06-08 17:42 . 2008-06-08 17:44 <DIR> d-------- C:\Documents and Settings\zuiderlingen\.housecall6.6
2008-06-08 13:22 . 2008-06-08 13:22 <DIR> d-------- C:\Documents and Settings\zuiderlingen\Application Data\frfdkaea
2008-06-07 16:42 . 2008-06-07 16:42 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\frfdkaea
2008-06-06 20:12 . 2008-06-07 16:42 <DIR> d-------- C:\Program Files\Common Files\Mozilla Shared

.
((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-27 21:17 21,501,984 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-06-27 21:13 256,088 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-06-23 21:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Albumprinter Pro Editor
2008-06-15 20:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-08 12:43 --------- d-----w C:\Documents and Settings\zuiderlingen\Application Data\Netscape
2008-05-08 20:53 --------- d-----w C:\Documents and Settings\zuiderlingen\Application Data\GrabIt
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-04-02 19:07 75,248 ----a-w C:\WINDOWS\zllsputility.exe
2006-05-17 19:51 88 -csh--r C:\WINDOWS\system32\E466937696.sys
2007-02-04 09:37 3,610 -csha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\Documents and Settings\Janne\Application Data\frfdkaea ----

2008-06-12 18:27 95669 --a------ C:\Documents and Settings\Janne\Application Data\frfdkaea\Profiles\f840itek.default\xpti.dat
2008-06-12 18:27 65536 --a------ C:\Documents and Settings\Janne\Application Data\frfdkaea\Profiles\f840itek.default\cert8.db
2008-06-12 18:27 367 --a------ C:\Documents and Settings\Janne\Application Data\frfdkaea\Profiles\f840itek.default\prefs.js
2008-06-12 18:27 207 --a------ C:\Documents and Settings\Janne\Application Data\frfdkaea\Profiles\f840itek.default\compatibility.ini
2008-06-12 18:27 2048 --a------ C:\Documents and Settings\Janne\Application Data\frfdkaea\Profiles\f840itek.default\permissions.sqlite
2008-06-12 18:27 2048 --a------ C:\Documents and Settings\Janne\Application Data\frfdkaea\Profiles\f840itek.default\cookies.sqlite
2008-06-12 18:27 16384 --a------ C:\Documents and Settings\Janne\Application Data\frfdkaea\Profiles\f840itek.default\secmod.db
2008-06-12 18:27 16384 --a------ C:\Documents and Settings\Janne\Application Data\frfdkaea\Profiles\f840itek.default\key3.db
2008-06-12 18:27 126976 --a------ C:\Documents and Settings\Janne\Application Data\frfdkaea\Profiles\f840itek.default\places.sqlite
2008-06-12 18:27 126561 --a------ C:\Documents and Settings\Janne\Application Data\frfdkaea\Profiles\f840itek.default\compreg.dat
2008-06-12 18:27 111 --a------ C:\Documents and Settings\Janne\Application Data\frfdkaea\profiles.ini

---- Directory of C:\Documents and Settings\NetworkService\Application Data\frfdkaea ----

2008-06-19 19:21 95669 --a------ C:\Documents and Settings\NetworkService\Application Data\frfdkaea\Profiles\96m4g693.default\xpti.dat
2008-06-19 19:21 367 --a------ C:\Documents and Settings\NetworkService\Application Data\frfdkaea\Profiles\96m4g693.default\prefs.js
2008-06-19 19:21 207 --a------ C:\Documents and Settings\NetworkService\Application Data\frfdkaea\Profiles\96m4g693.default\compatibility.ini
2008-06-19 19:21 126626 --a------ C:\Documents and Settings\NetworkService\Application Data\frfdkaea\Profiles\96m4g693.default\compreg.dat
2008-06-09 13:44 26624 --a------ C:\Documents and Settings\NetworkService\Application Data\frfdkaea\Profiles\96m4g693.default\formhistory.sqlite
2008-06-09 13:36 8469 --a------ C:\Documents and Settings\NetworkService\Application Data\frfdkaea\Profiles\96m4g693.default\pluginreg.dat
2008-06-09 13:36 126976 --a------ C:\Documents and Settings\NetworkService\Application Data\frfdkaea\Profiles\96m4g693.default\places.sqlite
2008-06-07 16:47 169 --a------ C:\Documents and Settings\NetworkService\Application Data\frfdkaea\Profiles\96m4g693.default\localstore.rdf
2008-06-07 16:42 65536 --a------ C:\Documents and Settings\NetworkService\Application Data\frfdkaea\Profiles\96m4g693.default\cert8.db
2008-06-07 16:42 2048 --a------ C:\Documents and Settings\NetworkService\Application Data\frfdkaea\Profiles\96m4g693.default\permissions.sqlite
2008-06-07 16:42 2048 --a------ C:\Documents and Settings\NetworkService\Application Data\frfdkaea\Profiles\96m4g693.default\cookies.sqlite
2008-06-07 16:42 16384 --a------ C:\Documents and Settings\NetworkService\Application Data\frfdkaea\Profiles\96m4g693.default\secmod.db
2008-06-07 16:42 16384 --a------ C:\Documents and Settings\NetworkService\Application Data\frfdkaea\Profiles\96m4g693.default\key3.db
2008-06-07 16:42 111 --a------ C:\Documents and Settings\NetworkService\Application Data\frfdkaea\profiles.ini

---- Directory of C:\Documents and Settings\zuiderlingen\Application Data\frfdkaea ----

2008-06-19 09:14 95669 --a------ C:\Documents and Settings\zuiderlingen\Application Data\frfdkaea\Profiles\y7a4ihxs.default\xpti.dat
2008-06-19 09:14 417 --a------ C:\Documents and Settings\zuiderlingen\Application Data\frfdkaea\Profiles\y7a4ihxs.default\prefs.js
2008-06-19 09:14 207 --a------ C:\Documents and Settings\zuiderlingen\Application Data\frfdkaea\Profiles\y7a4ihxs.default\compatibility.ini
2008-06-19 09:14 126626 --a------ C:\Documents and Settings\zuiderlingen\Application Data\frfdkaea\Profiles\y7a4ihxs.default\compreg.dat
2008-06-17 23:21 126976 --a------ C:\Documents and Settings\zuiderlingen\Application Data\frfdkaea\Profiles\y7a4ihxs.default\places.sqlite
2008-06-08 18:17 20480 --a------ C:\Documents and Settings\zuiderlingen\Application Data\frfdkaea\Profiles\y7a4ihxs.default\formhistory.sqlite
2008-06-08 18:08 8469 --a------ C:\Documents and Settings\zuiderlingen\Application Data\frfdkaea\Profiles\y7a4ihxs.default\pluginreg.dat
2008-06-08 14:38 169 --a------ C:\Documents and Settings\zuiderlingen\Application Data\frfdkaea\Profiles\y7a4ihxs.default\localstore.rdf
2008-06-08 13:22 65536 --a------ C:\Documents and Settings\zuiderlingen\Application Data\frfdkaea\Profiles\y7a4ihxs.default\cert8.db
2008-06-08 13:22 2048 --a------ C:\Documents and Settings\zuiderlingen\Application Data\frfdkaea\Profiles\y7a4ihxs.default\permissions.sqlite
2008-06-08 13:22 2048 --a------ C:\Documents and Settings\zuiderlingen\Application Data\frfdkaea\Profiles\y7a4ihxs.default\cookies.sqlite
2008-06-08 13:22 16384 --a------ C:\Documents and Settings\zuiderlingen\Application Data\frfdkaea\Profiles\y7a4ihxs.default\secmod.db
2008-06-08 13:22 16384 --a------ C:\Documents and Settings\zuiderlingen\Application Data\frfdkaea\Profiles\y7a4ihxs.default\key3.db
2008-06-08 13:22 111 --a------ C:\Documents and Settings\zuiderlingen\Application Data\frfdkaea\profiles.ini


((((((((((((((((((((((((((((( snapshot@2008-06-27_22.39.51.00 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-27 20:34:09 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-27 21:14:39 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2005-10-20 18:02:28 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2005-11-16 22:35 397312 C:\WINDOWS\stsystra.exe]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-12 15:43 45056]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-29 05:56 761947]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 12:55 667718]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 11:44 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 11:44 81920]
"ShStatEXE"="F:\Network Associates\VirusScan\SHSTAT.exe" [2003-10-15 07:10 81990]
"McAfeeUpdaterUI"="F:\Network Associates\Common Framework\UpdaterUI.exe" [2004-06-09 03:12 135224]
"PinnacleDriverCheck"="C:\WINDOWS\system32\PSDrvCheck.exe" [2003-12-04 12:34 406016]
"RegistryMechanic"="" []
"ZoneAlarm Client"="F:\Zone Labs\ZoneAlarm\zlclient.exe" [2008-04-02 21:07 919016]
"QuickTime Task"="F:\QuickTime\qttask.exe" [2006-08-31 22:20 282624]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 13:00 15360]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2005-04-25 13:45 36040]

C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\
Microsoft Office.lnk - C:\Microsoft Office\Office\OSA9.EXE [2000-01-21 20:15:56 65588]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= F:\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
F:\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 F:\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.MJPG"= Pvmjpg30.dll
"VIDC.I420"= vdrcodec.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^.protected]
backup=C:\WINDOWS\pss\.protectedCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^Adobe Gamma Loader.exe.lnk]
backup=C:\WINDOWS\pss\Adobe Gamma Loader.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^Adobe Reader Snelle start.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Snelle start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^Digital Line Detect.lnk]
backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^zuiderlingen^Menu Start^Programma's^Opstarten^.protected]
backup=C:\WINDOWS\pss\.protectedStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a--c--- 2008-01-11 23:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
--a--c--- 2005-12-15 11:44 839680 C:\Program Files\Dell\QuickSet\Quickset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
-----c--- 2006-04-06 10:51 49152 f:\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Eraser]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelWireless]
--a--c--- 2005-12-28 12:56 602182 C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ModemOnHold]
-----c--- 2003-09-10 03:24 20480 C:\Program Files\NetWaiting\netWaiting.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]
--a--c--- 2005-07-12 20:05 1117184 C:\Program Files\McAfee\SpamKiller\MSKDetct.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
-----c--- 2004-10-13 18:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
--a--c--- 2007-01-19 12:54 5674352 C:\Program Files\MSN Messenger\MsnMsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a--c--- 2006-01-12 15:40 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Philips Intelligent Agent]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a--c--- 2006-08-31 22:20 282624 F:\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ShowLOMControl]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a--c--- 2007-07-12 04:00 132496 F:\Java\jre1.6.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
--a------ 2008-05-28 10:33 1506544 F:\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YeppStudioAgent]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zone Labs Client]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"vsmon"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\fxsclnt.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"F:\\Pinnacle\\Studio 11\\programs\\RM.exe"=
"F:\\Pinnacle\\Studio 11\\programs\\Studio.exe"=
"F:\\Pinnacle\\Studio 11\\programs\\PMSRegisterFile.exe"=
"F:\\Pinnacle\\Studio 11\\programs\\umi.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=

R1 pctfw2;pctfw2;C:\WINDOWS\system32\drivers\pctfw2.sys [2008-06-27 19:52]
R2 NwSapAgent;SAP Agent;C:\WINDOWS\system32\svchost.exe [2004-08-04 13:00]
S3 K320bus;Sony Ericsson K320 driver (WDM);C:\WINDOWS\system32\DRIVERS\K320bus.sys [2006-08-18 11:10]
S3 K320mdfl;Sony Ericsson K320 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\K320mdfl.sys [2006-08-18 11:10]
S3 K320mdm;Sony Ericsson K320 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\K320mdm.sys [2006-08-18 11:10]
S3 K320mgmt;Sony Ericsson K320 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\K320mgmt.sys [2006-08-18 11:10]
S3 K320obex;Sony Ericsson K320 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\K320obex.sys [2006-08-18 11:10]

*Newly Created Service* - LWOPVEQO
.
Inhoud van de 'Gedeelde Taken' map
"2008-06-27 21:17:56 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-27 23:16:10
Windows 5.1.2600 Service Pack 2 NTFS

scannen van verborgen processen ...

scannen van verborgen autostart items ...

scannen van verborgen bestanden ...

Scan succesvol afgerond
verborgen bestanden: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
F:\Network Associates\Common Framework\FrameworkService.exe
F:\Network Associates\VirusScan\Mcshield.exe
F:\NETWOR~1\COMMON~1\naPrdMgr.exe
F:\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Dell\NicConfigSvc\NicConfigSvc.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Microsoft Office\Office\1043\MSOFFICE.EXE
C:\WINDOWS\system32\wbem\wmiapsrv.exe
.
**************************************************************************
.
Voltooingstijd: 2008-06-27 23:19:54 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-27 21:19:48
ComboFix2.txt 2008-06-27 20:40:43
ComboFix3.txt 2008-06-27 16:31:28
ComboFix4.txt 2008-06-19 21:35:32
ComboFix5.txt 2008-06-19 21:17:34

Pre-Run: 2,988,777,472 bytes beschikbaar
Post-Run: 2,988,949,504 bytes beschikbaar

270 --- E O F --- 2008-06-27 07:53:08

#13 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:09:00 PM

Posted 28 June 2008 - 11:11 AM

It sounds like it wants your computer to think it's associated with some needed hardware, but it was definitely the rootkit protecting those files. It looks like we got rid of them this time, but let's run a virus scan just to be sure to pick up anything left over.


Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Let me know how your computer is running now.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#14 ghoul

ghoul
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:03:00 AM

Posted 28 June 2008 - 02:37 PM

Sam

See Kaspersky scan log below. Seems okay, right?
Spyware Doctor detected and removed trojan-downloader.delf, trojan.popuper and application.NirCmd. Cannot determine whether these were 'irrelevant' warnings.
McAfee only shows EICAR-files.
Computer is running seemingly okay.


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Saturday, June 28, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Saturday, June 28, 2008 17:43:15
Records in database: 895741
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
F:\
G:\

Scan statistics:
Files scanned: 85920
Threat name: 1
Infected objects: 2
Suspicious objects: 0
Duration of the scan: 01:11:23


File name / Threat name / Threats count
C:\quarantine\Av-test.txt.Vir.0.Vir.Vir Infected: EICAR-Test-File 1
C:\quarantine\Av-test.txt.Vir.Vir.Vir Infected: EICAR-Test-File 1

The selected area was scanned.

#15 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:09:00 PM

Posted 28 June 2008 - 02:42 PM

Looks good. Can you post a new log from DSS?
How is your computer behaving now?


========================================================



