
Hijacklog Popups


  • This topic is locked
8 replies to this topic

#1 gjkroes


Posted 02 August 2008 - 01:57 PM

hello,

I have problems with popups that appear out of nowhere on my computer. So here is my log; I hope that someone can help me. Thanks in advance.

gjkroes


Deckard's System Scanner v20071014.68
Run by mads on 2008-08-02 20:47:14
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Failed to create restore point; unknown error code 0x00000001


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as mads.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:49:31, on 2-8-2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAAE.EXE
C:\Program Files\Wireless Console 2\wcourier.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\Program Files\ASUS\ATK Media\DMEDIA.EXE
C:\Program Files\ASUS\ASUS Live Update\ALU.exe
C:\Program Files\ASUS\Splendid\ACMON.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAAE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\ACEngSvr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\acovcnt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Trend Micro\Internet Security\UfNavi.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\mads\Bureaublad\dss.exe
C:\hjk\mads.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.asus.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.asus.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: dcads - {864a5f04-1d11-7417-9d4b-8acec60fbc89} - C:\WINDOWS\system32\nsu40.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [Automatisch EPSON Stylus D68 Series (Kopie 1) op WOONKAMER] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAAE.EXE /P58 "Automatisch EPSON Stylus D68 Series (Kopie 1) op WOONKAMER" /O20 "\\WOONKAMER\Printer2" /M "Stylus D68"
O4 - HKLM\..\Run: [Wireless Console 2] C:\Program Files\Wireless Console 2\wcourier.exe
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Power_Gear] C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe 1
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [EOUApp] "C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe"
O4 - HKLM\..\Run: [Comp about extra bin] C:\Documents and Settings\All Users\Application Data\Roam Program Comp About\BAT ATOM.exe
O4 - HKLM\..\Run: [ATKMEDIA] C:\Program Files\ASUS\ATK Media\DMEDIA.EXE
O4 - HKLM\..\Run: [ASUS Live Update] C:\Program Files\ASUS\ASUS Live Update\ALU.exe
O4 - HKLM\..\Run: [ACMON] C:\Program Files\ASUS\Splendid\ACMON.exe
O4 - HKLM\..\Run: [ABLKSR] C:\WINDOWS\ABLKSR\ABLKSR.exe
O4 - HKLM\..\Run: [Automatisch EPSON Stylus D68 Series op WOONKAMER] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAAE.EXE /P48 "Automatisch EPSON Stylus D68 Series op WOONKAMER" /O20 "\\WOONKAMER\Printer3" /M "Stylus D68"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [01 64] C:\DOCUME~1\mads\APPLIC~1\ANTIMO~1\army sect.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe" (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [LaunchList] C:\Program Files\Pinnacle\Studio 11\LaunchList2.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - (no file)
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Flash2X Flash Hunter - {77B563A5-2A35-4E6B-BFC8-F4B6BB65D5DF} - C:\WINDOWS\system32\shdocvw.dll (HKCU)
O9 - Extra 'Tools' menuitem: &Launch Flash Hunter - {77B563A5-2A35-4E6B-BFC8-F4B6BB65D5DF} - C:\WINDOWS\system32\shdocvw.dll (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.asus.com
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab56986.cab
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v5.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1187382420453
O16 - DPF: {BD08A9D5-0E5C-4F42-99A3-C0CB5E860557} (CSolidBrowserObj Object) - http://cdn1.acclaimdownloads.com/solidstateion.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} (Java Plug-in 1.5.0_10) -
O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} (Java Plug-in 1.5.0_11) -
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
O17 - HKLM\System\CS2\Services\Tcpip\..\{07D43583-E4D7-47EA-92E7-733830D84822}: NameServer = 195.121.1.34,195.121.1.66
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: iifcccd - iifcccd.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Boonty Games - BOONTY - C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: PCLEPCI - Pinnacle Systems GmbH - C:\WINDOWS\system32\drivers\pclepci.sys
O23 - Service: Planner voor Automatische LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Trend Micro Centrale besturing (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

--
End of file - 11322 bytes

-- File Associations -----------------------------------------------------------

.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.cpl - cplfile - shell\runas\command - rundll32.exe shell32.dll,Control_RunDLLAsUser "%1",%*
.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - scrfile - shell\open\command - "%1" %*
.txt - txtfile - shell\open\command - notepad.exe %1


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.4.10.0) - c:\windows\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.4.10.0>
R2 s24trans (WLAN-transport) - c:\windows\system32\drivers\s24trans.sys <Not Verified; Intel Corporation; Intel Wireless LAN Packet Driver>
R3 MarvinBus (Pinnacle Marvin Bus) - c:\windows\system32\drivers\marvinbus.sys <Not Verified; Pinnacle Systems GmbH; Pinnacle Marvin Discrete>

S2 tmcomm - c:\windows\system32\drivers\tmcomm.sys (file missing)
S3 BT4501D (SpeedTouch 120g Wireless USB Adapter Driver) - c:\windows\system32\drivers\bt4501d.sys (file missing)
S3 EagleNT - c:\windows\system32\drivers\eaglent.sys (file missing)
S3 npkcrypt - c:\program files\lineage ii\system\npkcrypt.sys (file missing)
S3 XDva005 - c:\windows\system32\xdva005.sys (file missing)
S3 XDva007 - c:\windows\system32\xdva007.sys (file missing)
S3 XDva030 - c:\windows\system32\xdva030.sys (file missing)
S3 XDva068 - c:\windows\system32\xdva068.sys (file missing)
S3 zlportio - c:\program files\ultrastar deluxe\zlportio.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 RegSrvc (Intel® PROSet/Wireless Registry Service) - c:\program files\intel\wireless\bin\regsrvc.exe <Not Verified; Intel Corporation; Intel® PROSet/Wireless Registry Service>

S2 PCLEPCI - c:\windows\system32\drivers\pclepci.sys <Not Verified; Pinnacle Systems GmbH; PCLEPCI>
S3 Boonty Games - "c:\program files\common files\boonty shared\service\boonty.exe" <Not Verified; BOONTY; Boonty Games>
S3 iPod Service - "c:\program files\ipod\bin\ipodservice.exe" (file missing)


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Realtek RTL8139/810x Family Fast Ethernet NIC
Device ID: PCI\VEN_10EC&DEV_8139&SUBSYS_10451043&REV_10\4&3029DB9D&0&00F0
Manufacturer: Realtek Semiconductor Corp.
Name: Realtek RTL8139/810x Family Fast Ethernet NIC
PNP Device ID: PCI\VEN_10EC&DEV_8139&SUBSYS_10451043&REV_10\4&3029DB9D&0&00F0
Service: RTL8023xp


-- Scheduled Tasks -------------------------------------------------------------

2008-08-02 20:34:20 330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job
2008-08-02 20:31:28 484 --a------ C:\WINDOWS\Tasks\1-Click Maintenance.job
2008-08-02 17:00:04 260 --ah----- C:\WINDOWS\Tasks\AB8F4C079184FF5F.job
2008-08-02 16:34:14 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2008-08-01 23:05:20 268 --a------ C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job
2008-08-01 23:05:18 390 --a------ C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job


-- Files created between 2008-07-02 and 2008-08-02 -----------------------------

2008-08-02 20:35:40 0 dr-h----- C:\Documents and Settings\mads\Onlangs geopend
2008-08-02 20:22:33 0 d-------- C:\Documents and Settings\mads\Application Data\Malwarebytes
2008-08-02 20:22:26 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-02 20:22:26 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-02 16:35:33 0 d-------- C:\Program Files\QuickTime
2008-08-02 16:33:35 0 d-------- C:\Program Files\Apple Software Update
2008-08-02 16:33:32 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-08-02 12:09:14 0 d-------- C:\hjk
2008-08-01 22:45:41 0 d-------- C:\Program Files\Lavasoft
2008-08-01 22:44:50 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-01 22:38:27 0 d-------- C:\Program Files\Windows Defender
2008-08-01 20:57:27 0 d-------- C:\Documents and Settings\mads\Application Data\Windows Desktop Search
2008-08-01 20:54:42 0 d-------- C:\Program Files\Windows Desktop Search
2008-08-01 20:40:53 0 d-------- C:\Program Files\Sports Interactive
2008-07-24 17:51:02 0 d-------- C:\Program Files\Maxis
2008-07-21 14:40:15 0 d-------- C:\Documents and Settings\All Users\Application Data\Roam Program Comp About
2008-07-21 14:40:07 0 d-------- C:\Program Files\Anti Move
2008-07-21 11:56:29 45056 --a------ C:\WINDOWS\system32\acovcnt.exe
2008-07-21 10:04:37 82640 --a------ C:\WINDOWS\War3Unin.dat
2008-07-21 10:04:36 2829 --a------ C:\WINDOWS\War3Unin.pif
2008-07-21 10:04:35 139264 --a------ C:\WINDOWS\War3Unin.exe <Not Verified; Blizzard Entertainment; Warcraft III Uninstaller>
2008-07-19 23:55:42 0 d-------- C:\Program Files\CCleaner
2008-07-19 23:37:56 0 d-------- C:\Program Files\Abexo
2008-07-15 14:30:52 313856 --a------ C:\WINDOWS\system32\nsu40.dll
2008-07-07 22:11:18 0 d-------- C:\Program Files\Google Video
2008-07-07 14:46:51 0 d-------- C:\Documents and Settings\mads\Application Data\Atari
2008-07-07 14:16:49 0 d-------- C:\Documents and Settings\mads\Application Data\Leadertech
2008-07-07 14:14:37 0 d-------- C:\Program Files\Atari
2008-07-05 21:51:16 0 d-------- C:\Documents and Settings\mads\Application Data\TuneUp Software
2008-07-05 20:27:44 0 d-------- C:\wildride
2008-07-03 14:57:48 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe


-- Find3M Report ---------------------------------------------------------------

2008-08-01 20:55:06 535024 --a------ C:\WINDOWS\system32\perfh013.dat
2008-08-01 20:55:06 100912 --a------ C:\WINDOWS\system32\perfc013.dat
2008-07-24 17:51:10 846 --a------ C:\WINDOWS\eReg.dat
2008-07-16 16:39:32 102076 --a------ C:\WINDOWS\system32\dcads-remove.exe
2008-06-30 21:25:52 95 --a------ C:\AUTOEXEC.BAT
2008-06-29 20:20:36 0 d-------- C:\Documents and Settings\mads\Application Data\LaCie
2008-06-29 20:20:00 0 d-------- C:\Documents and Settings\mads\Application Data\InstallShield
2008-06-29 20:19:18 0 d-------- C:\Program Files\LaCie
2008-06-29 19:41:44 0 d-------- C:\Program Files\Common Files\Yahoo!
2008-06-25 19:06:16 0 d-------- C:\Program Files\Pinnacle
2008-06-24 10:16:20 0 d-------- C:\Documents and Settings\mads\Application Data\proDAD
2008-06-23 17:46:02 0 d-------- C:\Documents and Settings\mads\Application Data\Publish Providers
2008-06-23 16:34:18 0 d-------- C:\Program Files\Common Files\Vbox
2008-06-23 16:33:50 0 d-------- C:\Program Files\directx
2008-06-07 11:52:34 0 d-------- C:\Program Files\MessengerDiscovery
2008-06-02 18:56:06 8407 --a------ C:\WINDOWS\extend.dat
2008-06-02 17:13:58 2360 --a------ C:\WINDOWS\mozver.dat
2008-06-02 17:13:58 0 d-------- C:\Program Files\Virtools


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown



-- Hosts -----------------------------------------------------------------------

127.0.0.1 bin.errorprotector.com ## added by CiD
127.0.0.1 br.errorsafe.com ## added by CiD
127.0.0.1 br.winantivirus.com ## added by CiD
127.0.0.1 br.winfixer.com ## added by CiD
127.0.0.1 cdn.drivecleaner.com ## added by CiD
127.0.0.1 cdn.errorsafe.com ## added by CiD
127.0.0.1 cdn.winsoftware.com ## added by CiD
127.0.0.1 de.errorsafe.com ## added by CiD
127.0.0.1 de.winantivirus.com ## added by CiD
127.0.0.1 download.cdn.drivecleaner.com ## added by CiD

8781 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-08-02 20:51:02 ------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 3.0
Architecture: X86; Language: Dutch

CPU 0: Intel® Core™2 CPU T5200 @ 1.60GHz
Percentage of Memory in Use: 73%
Physical Memory (total/avail): 1015.29 MiB / 268.95 MiB
Pagefile Memory (total/avail): 2442.23 MiB / 1765.67 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1936.81 MiB

C: is Fixed (FAT32) - 42.37 GiB total, 10.41 GiB free.
D: is Fixed (FAT32) - 28.22 GiB total, 12.2 GiB free.
E: is CDROM (UDF)
F: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - ST98823AS - 74.53 GiB - 3 partitions
\PARTITION0 - Unknown - 3.91 GiB
\PARTITION1 (bootable) - Unknown - 42.38 GiB - C:
\PARTITION2 - Extended w/Extended Int 13 - 28.24 GiB - D:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\mads\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=DINY
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\mads
LOGONSERVER=\\DINY
MOZ_CRASHREPORTER_DATA_DIRECTORY=C:\Documents and Settings\mads\Application Data\Mozilla\Firefox\Crash Reports
MOZ_CRASHREPORTER_RESTART_ARG_0=C:\Program Files\Mozilla Firefox\firefox.exe
MOZ_CRASHREPORTER_STRINGS_OVERRIDE=C:\Program Files\Mozilla Firefox\crashreporter-override.ini
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\Program Files\Mozilla Firefox;C:\Program Files\QuickTime\QTSystem\;C:\Program Files\Pinnacle\Shared Files;C:\Program Files\Pinnacle\Shared Files\Filter
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 15 Stepping 6, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0f06
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\mads\LOCALS~1\Temp
TMP=C:\DOCUME~1\mads\LOCALS~1\Temp
USERDOMAIN=DINY
USERNAME=mads
USERPROFILE=C:\Documents and Settings\mads
windir=C:\WINDOWS
__COMPAT_LAYER=EnableNXShowUI


-- User Profiles ---------------------------------------------------------------

gerrit jan (admin)
mads (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------



-- Application Event Log -------------------------------------------------------

Event Record #/Type6059 / Error
Event Submitted/Written: 08/02/2008 08:31:20 PM
Event ID/Source: 1802 / SecurityCenter
Event Description:
De Windows Security Center-service kan geen gebeurtenisaanvragen in WMI maken om niet-Microsoft antivirus- en firewallprogramma's te controleren.

Event Record #/Type6052 / Error
Event Submitted/Written: 08/02/2008 08:29:54 PM
Event ID/Source: 1512 / Userenv
Event Description:
Windows kan het registerbestand niet uit het geheugen verwijderen. Het geheugen voor het register is niet volledig beschikbaar. Dit wordt mogelijk veroorzaakt door services die als een gebruikersaccount actief zijn. Probeer om de services zodanig te configureren dat deze als LocalService- of NetworkService-account worden gestart. Neem contact op met de netwerkbeheerder wanneer het probleem blijft bestaan.


Detail: Er zijn onvoldoende systeembronnen beschikbaar om aan de aanvraag te voldoen.

Event Record #/Type6051 / Warning
Event Submitted/Written: 08/02/2008 08:29:53 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows kan het klassenregisterbestand niet uit het geheugen verwijderen omdat het momenteel door een andere toepassing of service wordt gebruikt. Het bestand wordt uit het geheugen verwijderd als het niet meer wordt gebruikt.

Event Record #/Type6038 / Error
Event Submitted/Written: 08/02/2008 08:09:57 PM
Event ID/Source: 1802 / SecurityCenter
Event Description:
De Windows Security Center-service kan geen gebeurtenisaanvragen in WMI maken om niet-Microsoft antivirus- en firewallprogramma's te controleren.

Event Record #/Type6023 / Error
Event Submitted/Written: 08/02/2008 10:18:42 AM
Event ID/Source: 0 / Spybot - Search & Destroy
Event Description:
Version: 1.6.0
Build: 20080707
Exception: Access violation at address 0051FB47 in module 'SpybotSD.exe'. Read of address 00000039



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type534 / Error
Event Submitted/Written: 08/02/2008 08:37:21 PM
Event ID/Source: 7001 / Service Control Manager
Event Description:
De Trend Micro Personal Firewall-service is afhankelijk van de Trend Micro Unauthorized Change Prevention Service-service, die vanwege de volgende fout niet kan worden gestart:
%%1068

Event Record #/Type533 / Error
Event Submitted/Written: 08/02/2008 08:37:21 PM
Event ID/Source: 7001 / Service Control Manager
Event Description:
De Trend Micro Unauthorized Change Prevention Service-service is afhankelijk van de tmactmon-service, die vanwege de volgende fout niet kan worden gestart:
%%1068

Event Record #/Type532 / Error
Event Submitted/Written: 08/02/2008 08:37:21 PM
Event ID/Source: 7001 / Service Control Manager
Event Description:
De tmactmon-service is afhankelijk van de tmevtmgr-service, die vanwege de volgende fout niet kan worden gestart:
%%1068

Event Record #/Type531 / Error
Event Submitted/Written: 08/02/2008 08:37:21 PM
Event ID/Source: 7001 / Service Control Manager
Event Description:
De tmevtmgr-service is afhankelijk van de tmcomm-service, die vanwege de volgende fout niet kan worden gestart:
%%2

Event Record #/Type530 / Error
Event Submitted/Written: 08/02/2008 08:37:21 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
De tmcomm-service kan vanwege de volgende fout niet worden gestart:
%%2



-- End of Deckard's System Scanner: finished at 2008-08-02 20:51:02 ------------
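As an added example (not part of this thread, and not a feature of HijackThis or DSS), here is a small triage script for the HijackThis section of a log like the one above: it parses the O-entries and flags the ones a helper would look at first. The flagging rules are this example's own assumptions (orphaned entries, autoruns started from a user-profile path, digits-only Run names, browser helpers living directly in the system directory); the sample lines are quoted from the posted log.

```python
"""Triage helper for Trend Micro HijackThis 2.0 logs (added example).

Parses the O-section entries and attaches review flags. The heuristics are
assumptions of this example, not rules shipped with HijackThis.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sample input: lines quoted from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: dcads - {864a5f04-1d11-7417-9d4b-8acec60fbc89} - C:\WINDOWS\system32\nsu40.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Comp about extra bin] C:\Documents and Settings\All Users\Application Data\Roam Program Comp About\BAT ATOM.exe
O4 - HKCU\..\Run: [01 64] C:\DOCUME~1\mads\APPLIC~1\ANTIMO~1\army sect.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: (no name) - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - (no file)
O20 - Winlogon Notify: iifcccd - iifcccd.dll (file missing)
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
"""

# "O4 - <body>", "R0 - <body>", ... : section tag, then " - ", then the body.
ENTRY_RE = re.compile(r"^(?P<sec>[ORFN]\d+) - (?P<body>.*)$")
# O4 bodies: HKLM\..\Run: [value name] command line
O4_RE = re.compile(r"^(?P<hive>HK\S+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# First drive-letter path ending in an executable-style extension.
TARGET_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|sys|com|bat|pif|scr)\b", re.I)

MISSING_MARKERS = ("(file missing)", "(no file)")
USER_PROFILE_HINTS = ("\\documents and settings\\", "\\docume~1\\",
                      "\\application data\\", "\\applic~1\\")


@dataclass
class Entry:
    section: str                      # "O2", "O4", "O20", ...
    raw: str                          # the original log line
    target: str = ""                  # file the entry points at (best effort)
    run_name: str = ""                # O4 only: the Run value name
    flags: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[Entry]:
    """Turn one HijackThis line into an Entry, or None if it is not an entry."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    e = Entry(section=m["sec"], raw=line.strip())
    body = m["body"]
    if e.section == "O4":
        o4 = O4_RE.match(body)
        if o4:
            e.run_name = o4["name"]
            body = o4["cmd"]              # only the command line matters below
    t = TARGET_RE.search(body)
    if t:
        e.target = t.group(0)
    else:
        # No full path (typical for orphaned O9/O20 lines): take the last
        # " - " separated field and drop the missing-file marker.
        tail = body.rsplit(" - ", 1)[-1]
        for marker in MISSING_MARKERS:
            tail = tail.replace(marker, "")
        e.target = tail.strip()
    return e


def triage(e: Entry) -> Entry:
    """Attach review flags (heuristics assumed by this example)."""
    low, tgt = e.raw.lower(), e.target.lower()
    if any(marker in low for marker in MISSING_MARKERS):
        e.flags.append("orphaned: points at a file that is no longer present")
    if e.section == "O4":
        if any(hint in tgt for hint in USER_PROFILE_HINTS):
            e.flags.append("autorun launched from a user-profile / Application Data path")
        if e.run_name and re.fullmatch(r"[\d\s]+", e.run_name):
            e.flags.append("Run value name is digits only, no product name")
    if e.section == "O2" and "\\windows\\system32\\" in tgt:
        e.flags.append("BHO DLL sits directly in the system directory; verify publisher")
    return e


def triage_log(text: str) -> List[Entry]:
    """Parse and triage every entry line in a HijackThis log."""
    entries = (parse_line(line) for line in text.splitlines())
    return [triage(e) for e in entries if e is not None]


def flagged_entries(text: str) -> List[Entry]:
    """Only the entries that picked up at least one review flag."""
    return [e for e in triage_log(text) if e.flags]


if __name__ == "__main__":
    for e in flagged_entries(SAMPLE_LOG):
        print(f"{e.section:4} {e.target}")
        for f in e.flags:
            print("      -", f)
```

A flag means "look at this entry", not "this is malware": the Adobe BHO, SynTPEnh and MSMSGS lines pass clean, while the two Run entries started from Application Data paths, the system32 BHO and the three orphaned entries are singled out for a human to check.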



#2 Thunder


Posted 03 August 2008 - 03:19 PM

Hello Gjkroes and welcome to BleepingComputer,

1. * Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Under Browsing History, click Delete.
  • Click Delete Files, Delete cookies and Delete history
  • Click Close below.
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu.
  • Click the Clear now button below. A new window will pop up asking what to clear.
  • Select all and click the Clear button again.
  • Click OK to close the Options window
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
2. Please download Malwarebytes' Anti-Malware from Here or Here

Doubleclick mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply along with a fresh HijackThis log.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

3. Restart your computer.

4. Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first (not for Windows Vista users !).
The Windows Recovery Console will allow you to boot up into a special recovery mode, in case your computer has a problem after an attempted removal of malware. This allows us to help you. (WinXP SP3 users, please download the appropriate SP2 file, Home or Pro, to install the RC)

In the event you already have Combofix, delete your current version and download the latest version as described in the tutorial.
It must be saved directly to your desktop.


Note: Make sure not to click ComboFix's window while it's running. That may cause it to stall or freeze.

Please post the log from ComboFix (can also be found as C:\ComboFix.txt) in your next reply. :thumbsup:

If you have any questions along the way, STOP and ask them before proceeding !!

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference

#3 gjkroes


Posted 03 August 2008 - 04:49 PM

Hello,

Done the first 3 points (MBAM didn't find anything at all, but I will post the log later). I am now halfway through the final point, where I need to install the recovery console. Problem with that is that I don't have the CD of XP MCE in reach (other place, other house). In that case the guide gives an alternative to install it with a setup you have to download from the Microsoft site. Only problem about this is that it gives the option to download the XP Home or Professional version, but I have XP Media Center Edition, so I don't know which one I need to choose. Or do I need to do something else?

Gjkroes

#4 Thunder


Posted 03 August 2008 - 05:07 PM

Hello Gjkroes,

WinXp Media users can download the WinXp SP2 file to install the Recovery Console. :thumbsup:

You may have to hold off downloading ComboFix for a while though.
It's been taken offline during updating, so you may get a 403 error.

Please try again in a few hours.

Greetings,
Thunder

#5 gjkroes


Posted 04 August 2008 - 04:11 AM

Recovery Console installed. But every time I try to run ComboFix it starts with loading itself and then just stops/disappears. All windows are closed; firewall, anti-spyware and anti-virus software are disabled. What am I doing wrong?

#6 Thunder


Posted 04 August 2008 - 05:08 AM

Hello Gjkroes,

If you keep having problems running ComboFix,
then try deleting it from your desktop first, and download the latest version.

If that one doesn't run properly either,
then reboot in safe mode and run it from there. :thumbsup:

Greetings,
Thunder

#7 gjkroes


Posted 04 August 2008 - 06:19 AM

Really strange, it just doesn't work whatever mirror I use.


The file is larger and has a different picture than the one in the guide, but I guess that has something to do with the update. Besides that, I get this loading and after it's complete it disappears and nothing happens anymore. I even waited for about 5 minutes, but no results.

gjkroes

#8 Thunder


Posted 05 August 2008 - 04:17 AM

Hello Gjkroes,

Download Combofix again to your desktop. You must however rename it before saving it.


If you still can't run it properly, try running it in safe mode.

Double click on Combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a HijackThis log so we can continue cleaning the system.
Note:
Do not mouseclick ComboFix's window while it's running. That may cause it to stall


Greetings,
Thunder

#9 Thunder


Posted 02 September 2008 - 09:13 AM

Since there is no feedback anymore, I assume this issue is resolved ... so, this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.



