
Infected With Virtumonde Virus!


13 replies to this topic

#1 dopeyskydiver

Posted 09 September 2008 - 11:18 PM

Help! Not sure what the kids tried to install, but Scotty (WinPatrol) keeps warning me of the following two things:

1. A new auto Startup Program has been detected. This program will run each time you login or restart your machine.
Do you approve the addition of this program startup setting? Press YES if this program is expected and acceptable.
C:\WINDOWS\system32\mlJAqqRl.dll

2. Scotty the Windows Watchdog is on patrol and has detected a new Internet Explorer Add-On has been installed on your system.
Do you approve of the addition of this IE Helper? Press YES if this Internet Explorer Add-On is allowed.
C:\WINDOWS\system32\mlJAqqRl.dll

Any suggestions would be greatly appreciated! :thumbsup:


Here is my HijackThis Log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:59:06, on 10-9-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Launch Manager\QtZgAcer.EXE
C:\Program Files\Acer\Notebook Manager\almxptray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\ctfmon.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Palm\Palm\Hotsync.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\rundll32.exe
d:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nu.nl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.acer.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LManager] C:\Program Files\Launch Manager\QtZgAcer.EXE
O4 - HKLM\..\Run: [AcerNotebookManager] C:\Program Files\Acer\Notebook Manager\almxptray.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [DVD43] "d:\Program Files\DVD Region+CSS Free\DVDRegionFree.exe" /hidden
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Karen's Once-A-Day II] C:\Program Files\KarenWare CD\OAD\PTOAD.exe /auto
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Gadwin PrintScreen 3.1] C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe /nosplash
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Mikogo] "C:\Program Files\Mikogo\Mikogo.exe"
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Netwerkservice')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Palm\Hotsync.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - d:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{24FFE04C-6991-415B-AA4B-DD415D11D942}: NameServer = 62.58.50.5,62.58.50.6
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

--
End of file - 7620 bytes
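As an added example, not part of the original post and not HijackThis code: a small Python triage pass over HijackThis-style O4, O2 and O20 lines. It pulls out the module each entry loads, flags the naming style of the DLL in the two WinPatrol alerts (an 8-letter, nearly vowel-free name sitting directly in system32) and flags any one module registered under more than one autostart mechanism, which is what the two alerts together describe for mlJAqqRl.dll (a startup program and an IE add-on, same file). The sample lines are constructed: the O4 lines are copied from the log above, while the O2 (BHO) and O20 (Winlogon Notify) lines are hypothetical and only show how mlJAqqRl.dll and gwkmvesc.dll would appear if HijackThis listed those registrations (the log above contains no such lines, and the CLSID-to-DLL pairing is assumed). The name heuristic is coarse and is a prompt to verify, not a verdict; the allowlist holds two legitimate system32 modules that happen to match it.

```python
import re
from collections import defaultdict, namedtuple

Entry = namedtuple("Entry", "kind location name path")

# HijackThis 2.x line shapes handled here:
#   O4  - HKLM\..\Run: [Name] C:\path\file.exe [args]
#   O2  - BHO: Name - {CLSID} - C:\path\file.dll
#   O20 - Winlogon Notify: Name - C:\path\file.dll
O4_RE = re.compile(r"^O4 - (?P<loc>\S+): \[(?P<name>[^\]]*)\] (?P<path>.*)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>.*?) - (?P<path>.*)$")
MODULE_RE = re.compile(r'"?([A-Za-z]:\\.*?\.(?:exe|dll|cpl))"?', re.IGNORECASE)
SYSTEM32_RE = re.compile(r"\\windows\\system32\\[^\\]+$", re.IGNORECASE)
VOWELS = set("aeiouAEIOU")

# Constructed sample: O4 lines copied from the posted log; the O2/O20 lines are
# hypothetical (the posted HijackThis log does not list these registrations).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O2 - BHO: (no name) - {6D201546-5CD0-4256-921B-BD68BFBB0E22} - C:\WINDOWS\system32\gwkmvesc.dll
O2 - BHO: (no name) - {ADEFCC73-BD41-44F8-8A2F-5DFB45EBD59B} - C:\WINDOWS\system32\mlJAqqRl.dll
O20 - Winlogon Notify: mlJAqqRl - C:\WINDOWS\system32\mlJAqqRl.dll
"""


def parse_line(line):
    """Turn one HijackThis line into an Entry; None for line types not handled."""
    line = line.strip()
    m = O4_RE.match(line)
    if m:
        return Entry("O4", m["loc"], m["name"], m["path"])
    m = O2_RE.match(line)
    if m:
        return Entry("O2", "BHO " + m["clsid"], m["name"], m["path"])
    m = O20_RE.match(line)
    if m:
        return Entry("O20", "Winlogon\\Notify", m["name"], m["path"])
    return None


def module_path(raw):
    """Strip quotes and arguments from an entry's value, leaving the binary's path."""
    m = MODULE_RE.search(raw)
    return m.group(1) if m else raw.split()[0]


def looks_random(path, allowlist=frozenset({"dhcpcsvc", "cryptdll"})):
    """Coarse check for the naming style in the logs (mlJAqqRl, gwkmvesc,
    qvxwxlvo): an all-letter, 8-character module directly in system32 with at
    most one vowel. Legitimate modules can match too (the two allowlisted names
    are real system32 DLLs), so a hit means 'verify', not 'malicious'."""
    if not SYSTEM32_RE.search(path):
        return False
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if stem.lower() in allowlist or len(stem) != 8 or not stem.isalpha():
        return False
    return sum(c in VOWELS for c in stem) <= 1


def triage(log_text):
    """Return {module path (lower-cased): [reasons]} for entries worth a second look."""
    seen = defaultdict(set)  # module -> {(kind, location)}
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is not None:
            seen[module_path(e.path).lower()].add((e.kind, e.location))
    findings = {}
    for module, places in seen.items():
        reasons = []
        if looks_random(module):
            reasons.append("random-looking 8-letter name directly in system32")
        kinds = sorted({kind for kind, _ in places})
        if len(kinds) > 1:  # one file, several load mechanisms (e.g. BHO and Winlogon Notify)
            reasons.append("same module registered under " + " and ".join(kinds))
        if reasons:
            findings[module] = reasons
    return findings


if __name__ == "__main__":
    for module, reasons in triage(SAMPLE_LOG).items():
        print(module)
        for r in reasons:
            print("   -", r)
```

A hit here is a reason to check the file's digital signature, version information or hash against a known-good source; the name alone proves nothing either way.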


#2 steamwiz

Posted 10 September 2008 - 02:42 PM

Hi

Please run a Kaspersky Online Scan

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

Click Accept

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database: Extended (if available, otherwise Standard)
    • Scan Options: Scan Archives, Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Once finished, save the log to your Desktop as filename KAV.txt
THEN ...

Please Download Malwarebytes' Anti-Malware from Here :-

http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html

or here :-

http://www.besttechie.net/tools/mbam-setup.exe

Double-click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy and Paste the entire report in your next reply.

THEN ...

Please follow these directions to run Combofix & post a log.

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware.

#3 dopeyskydiver

Posted 11 September 2008 - 10:16 AM

Hey there SteamWiz,

I ran the Kaspersky Online Scan. Here is the log:


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Thursday, September 11, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Wednesday, September 10, 2008 14:56:32
Records in database: 1207325
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Files scanned: 96827
Threat name: 10
Infected objects: 12
Suspicious objects: 2
Duration of the scan: 03:01:41


File name / Threat name / Threats count
WINLOGON.EXE\mlJAqqRl.dll/WINLOGON.EXE\mlJAqqRl.dll Infected: Trojan.Win32.Monderb.gjo 1
C:\1.exe Infected: Trojan-Downloader.Win32.Agent.afly 1
C:\WINDOWS\system32\mx26754.dll Infected: Trojan.Win32.Vapsup.lae 1
C:\WINDOWS\system32\mmx26754.dll Infected: Trojan.Win32.Vapsup.lae 1
C:\WINDOWS\system32\rcgjnlpb.dll Infected: Trojan.Win32.Monder.mia 1
C:\WINDOWS\system32\qvxwxlvo.dll Infected: Trojan.Win32.Monder.mxs 1
C:\WINDOWS\system32\hctwgwjx.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.dpr 1
C:\WINDOWS\system32\sozzow.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.dpr 1
C:\Documents and Settings\F. Visscher\Local Settings\Temporary Internet Files\Content.IE5\OL4NO7CN\ppitor[1].exe Infected: Trojan-Downloader.Win32.Agent.afly 1
C:\Documents and Settings\F. Visscher\Local Settings\Temporary Internet Files\Content.IE5\WPUZSTM3\codec[1].exe Infected: Trojan.Win32.Small.xut 1
C:\Documents and Settings\F. Visscher\Local Settings\Application Data\Identities\{339E0810-62FD-49FE-9FCB-824363F4EA26}\Microsoft\Outlook Express\CKO.dbx Suspicious: Exploit.HTML.Iframe.FileDownload 1
C:\Documents and Settings\F. Visscher\Local Settings\Application Data\Identities\{339E0810-62FD-49FE-9FCB-824363F4EA26}\Microsoft\Outlook Express\Suite.dbx Suspicious: Exploit.HTML.Iframe.FileDownload 1
C:\Documents and Settings\F. Visscher\Application Data\Adobe\Manager.exe Infected: Trojan.Win32.Small.xsi 1
C:\System Volume Information\_restore{2394E65D-4727-448A-AD85-6BC1BAD9D80F}\RP501\A0071603.EXE Infected: not-a-virus:AdWare.Win32.Background 1

The selected area was scanned.


I then ran a scan with Malwarebytes' Anti-Malware and here is the log:


Malwarebytes' Anti-Malware 1.28
Database version: 1137
Windows 5.1.2600 Service Pack 2

11-9-2008 6:08:54
mbam-log-2008-09-11 (06-08-44).txt

Scan type: Quick Scan
Objects scanned: 69492
Time elapsed: 18 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 3
Registry Keys Infected: 14
Registry Values Infected: 1
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 24

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\gwkmvesc.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\mlJCUOgF.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\mlJAqqRl.dll (Trojan.Vundo) -> No action taken.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6d201546-5cd0-4256-921b-bd68bfbb0e22} (Trojan.Vundo.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{6d201546-5cd0-4256-921b-bd68bfbb0e22} (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{adefcc73-bd41-44f8-8a2f-5dfb45ebd59b} (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\mljaqqrl (Trojan.Vundo.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{adefcc73-bd41-44f8-8a2f-5dfb45ebd59b} (Trojan.Vundo.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{8dcbe800-56ff-4838-acae-e479d1032eeb} (Trojan.Vundo) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{37686e4d-30dc-42f6-86e4-8bd45d4670f4} (Trojan.Vundo) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{8869deb0-908c-452b-a628-f3292bfe7ae3} (Trojan.Vundo) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Trojan.Vundo) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{adefcc73-bd41-44f8-8a2f-5dfb45ebd59b} (Trojan.Vundo) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\mljcuogf -> No action taken.
HKEY_CLASSES_ROOT\scrfile\shell\open\command\ (Broken.OpenCommand) -> Bad: ("%1" /s) Good: ("%1" /S) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\mljcuogf -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\mlJCUOgF.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\FgOUCJlm.ini (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\FgOUCJlm.ini2 (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\mlJAqqRl.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\qvxwxlvo.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\ovlxwxvq.ini (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\gwkmvesc.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\csevmkwg.ini (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\mx26754.dll (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\system32\mmx26754.dll (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\system32\rcgjnlpb.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\vrsjgtlj.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\gddxpi.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\hctwgwjx.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\sozzow.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\jvguddol.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\hcnffw.dll (Trojan.Vundo) -> No action taken.
C:\1.exe (Trojan.Agent) -> No action taken.
C:\Documents and Settings\F. Visscher\Local Settings\Temporary Internet Files\Content.IE5\54OZDHWX\upd105320[1] (Trojan.Vundo) -> No action taken.
C:\Documents and Settings\F. Visscher\Local Settings\Temporary Internet Files\Content.IE5\0FTBMYFP\nd82m0[1] (Trojan.Vundo) -> No action taken.
C:\Documents and Settings\F. Visscher\Local Settings\Temporary Internet Files\Content.IE5\OL4NO7CN\ppitor[1].exe (Trojan.Agent) -> No action taken.
C:\Documents and Settings\F. Visscher\Local Settings\Temporary Internet Files\Content.IE5\WPUZSTM3\codec[1].exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\cookies.ini (Malware.Trace) -> No action taken.
C:\Documents and Settings\F. Visscher\Application Data\Adobe\Manager.exe (Trojan.Agent) -> No action taken.


And finally, I ran ComboFix. It automatically ran in Dutch (I live in Holland). Is there a way to change the default language to English, or will you be okay with this? Here is the log:

ComboFix 08-09-10.04 - F. Visscher 2008-09-11 16:51:21.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1043.18.1625 [GMT 2:00]
Running from: C:\Documents and Settings\F. Visscher\Bureaublad\ComboFix.exe
Command switches used :: C:\Documents and Settings\F. Visscher\Bureaublad\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* New restore point was created
* Resident AV is active

.

(((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\F. Visscher\Application Data\Adobe\crc.dat
C:\Documents and Settings\F. Visscher\Cookies\f. visscher@metrics.adobe[1].txt
C:\Documents and Settings\F. Visscher\Cookies\f. visscher@metrics.adobe[2].txt
C:\Documents and Settings\F. Visscher\Cookies\MM2048.DAT
C:\Documents and Settings\F. Visscher\Cookies\MM256.DAT

----- BITS: Possibly infected sites -----

http://pornotube30.net
.
(((((((((((((((((((( Files Created from 2008-08-11 to 2008-09-11 ))))))))))))))))))))))))))))))
.

2008-09-11 05:31 . 2008-09-11 05:31 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-11 05:31 . 2008-09-11 05:31 <DIR> d-------- C:\Documents and Settings\F. Visscher\Application Data\Malwarebytes
2008-09-11 05:31 . 2008-09-11 05:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-11 05:31 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-11 05:31 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-10 16:36 . 2008-09-10 16:36 <DIR> d--hs---- C:\FOUND.002
2008-09-10 05:58 . 2008-09-10 05:58 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-09 20:15 . 2008-09-10 18:09 145 --a------ C:\WINDOWS\wininit.ini
2008-09-09 17:44 . 2008-09-09 17:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-09-09 17:42 . 2008-09-09 17:42 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-09-08 15:55 . 2008-09-08 15:55 <DIR> d-------- C:\Documents and Settings\F. Visscher\Application Data\Ambient Design
2008-09-04 12:55 . 2008-09-04 12:55 <DIR> d--hs---- C:\FOUND.001
2008-09-04 11:41 . 2008-09-04 11:41 <DIR> d-------- C:\Documents and Settings\F. Visscher\Application Data\BitTorrent
2008-09-04 11:40 . 2008-09-04 11:40 <DIR> d-------- C:\Program Files\BitTorrent
2008-08-24 10:48 . 2008-08-24 10:48 <DIR> d-------- C:\WINDOWS\system32\Adobe
2008-08-23 16:36 . 2008-08-23 16:36 275 --a------ C:\WINDOWS\NIJNTJE.INI
2008-08-21 18:40 . 2008-08-21 18:40 582 --a------ C:\WINDOWS\eReg.dat
2008-08-21 18:18 . 2008-08-21 18:18 <DIR> d-------- C:\Program Files\Maxis
2008-08-17 10:50 . 2008-05-01 16:33 331,776 --------- C:\WINDOWS\system32\dllcache\msadce.dll
2008-08-11 21:07 . 2008-08-11 21:07 <DIR> d-------- C:\FGCDIR
2008-08-11 19:20 . 2008-08-11 19:20 <DIR> d-------- C:\Program Files\Fortres Grand

.
((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-31 09:25 35,296 ----a-w C:\WINDOWS\system32\drivers\Dvd43.sys
2008-08-11 18:13 2,855 ----a-w C:\WINDOWS\PIF\SIMCITY.PIF
2008-08-06 11:17 --------- d-----w C:\Program Files\Minimem
2008-07-30 15:25 --------- d-----w C:\Documents and Settings\F. Visscher\Application Data\TuxPaint
2008-07-18 20:10 94,920 ----a-w C:\WINDOWS\system32\dllcache\cdm.dll
2008-07-18 20:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-18 20:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-18 20:10 53,448 ----a-w C:\WINDOWS\system32\dllcache\wuauclt.exe
2008-07-18 20:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-18 20:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-18 20:10 36,552 ----a-w C:\WINDOWS\system32\dllcache\wups.dll
2008-07-18 20:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-18 20:09 563,912 ----a-w C:\WINDOWS\system32\dllcache\wuapi.dll
2008-07-18 20:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-18 20:09 325,832 ----a-w C:\WINDOWS\system32\dllcache\wucltui.dll
2008-07-18 20:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-18 20:09 205,000 ----a-w C:\WINDOWS\system32\dllcache\wuweb.dll
2008-07-18 20:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-18 20:09 1,811,656 ----a-w C:\WINDOWS\system32\dllcache\wuaueng.dll
2008-07-08 12:05 921,632 ----a-w C:\PA7311.DAT
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\dllcache\es.dll
2008-06-24 16:24 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-24 16:24 74,240 ------w C:\WINDOWS\system32\dllcache\mscms.dll
2008-06-23 09:49 18,432 ------w C:\WINDOWS\system32\dllcache\iedw.exe
2008-06-20 17:43 247,296 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 17:43 247,296 ------w C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 17:43 148,992 ----a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 10:44 138,368 ------w C:\WINDOWS\system32\dllcache\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-06-14 18:00 272,640 ------w C:\WINDOWS\system32\dllcache\bthport.sys
2003-06-21 13:52 32 --sha-w C:\WINDOWS\{5BE8BCC2-3B23-4EBC-95BD-3B8A78FA3C8D}.dat
2006-11-27 14:52 108 --sha-r C:\WINDOWS\neoqaz2.dll
2003-06-21 13:52 32 --sha-w C:\WINDOWS\system32\{C3B82161-9FB6-4E2E-990C-86E5F743FF17}.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"Gadwin PrintScreen 3.1"="C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe" [2005-09-27 1073152]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 204288]
"Mikogo"="C:\Program Files\Mikogo\Mikogo.exe" [2008-06-18 2285568]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-08-18 1832272]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" [X]
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" [X]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-01-24 315392]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2002-11-15 126976]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2002-11-18 561152]
"LManager"="C:\Program Files\Launch Manager\QtZgAcer.EXE" [2003-01-27 303104]
"AcerNotebookManager"="C:\Program Files\Acer\Notebook Manager\almxptray.exe" [2003-02-16 504832]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-01 282624]
"WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [2007-10-26 292152]
"DVD43"="d:\Program Files\DVD Region+CSS Free\DVDRegionFree.exe" [2004-10-22 278016]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"Karen's Once-A-Day II"="C:\Program Files\KarenWare CD\OAD\PTOAD.exe" [2007-06-14 552960]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 C:\WINDOWS\system32\Ati2mdxx.exe]
"SoundMan"="SOUNDMAN.EXE" [2002-11-19 C:\WINDOWS\SOUNDMAN.EXE]
"AGRSMMSG"="AGRSMMSG.exe" [2002-10-18 C:\WINDOWS\AGRSMMSG.exe]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 C:\WINDOWS\system32\bthprops.cpl]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 15360]

C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\
HOTSYNCSHORTCUTNAME.lnk - C:\Program Files\Palm\Palm\Hotsync.exe [2004-06-09 471040]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{93994DE8-8239-4655-B1D1-5F4E91300429}"= "D:\PROGRA~1\DVDREG~1\DVDShell.dll" [2004-10-09 49152]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll
"msacm.l3fhg"= mp3fhg.acm
"VIDC.X264"= x264vfw.dll
"VIDC.HFYU"= huffyuv.dll
"vidc.i263"= i263_32.drv
"msacm.divxa32"= divxa32.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^BlueSoleil.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^F. Visscher^Menu Start^Programma's^Opstarten^PowerReg SchedulerV2.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
--a------ 2000-08-29 17:56 28739 C:\Program Files\Microsoft Works\WkDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"C:\\Program Files\\Messenger\\MSMSGS.EXE"=
"D:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R2 acernbm;acernbm;C:\WINDOWS\system32\drivers\acernbm.sys [2003-01-13 6538]
R3 CONAN;CONAN;C:\WINDOWS\system32\drivers\o2mmb.sys [2002-12-13 227887]
R3 Dvd43;Dvd43;C:\WINDOWS\system32\DRIVERS\Dvd43.sys [2008-08-31 35296]
R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;C:\WINDOWS\system32\DRIVERS\ManyCam.sys [2008-01-14 21632]
R3 mbxfilt;mbxfilt;C:\WINDOWS\system32\drivers\MbxFilt.sys [2002-12-09 5441]
R3 PAC7311;Trust WB-3400T Webcam;C:\WINDOWS\system32\DRIVERS\PA707UCM.SYS [2007-03-14 449024]
S3 FGCWL;FGCWL;D:\Program Files\Fortres Grand\Virtual Sandbox 1.0\FGCWL.sys [ ]
S3 LEX_AS_NIC_SERVICE;LAN-Express IEEE 802.11a/b Wireless Network Adapter Service;C:\WINDOWS\system32\DRIVERS\Expsab2.sys [2002-12-10 218240]

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

BHO-{5765EB8F-9639-48EF-BCA6-5466C1153AF4} - (no file)
BHO-{659225B5-60C9-34B2-A05E-55373019C5F7} - (no file)
BHO-{6D201546-5CD0-4256-921B-BD68BFBB0E22} - (no file)
BHO-{ADEFCC73-BD41-44F8-8A2F-5DFB45EBD59B} - (no file)
HKCU-Run-BitTorrent - C:\Program Files\BitTorrent\bittorrent.exe
HKLM-Run-NWEReboot - (no file)
Notify-mlJAqqRl - (no file)


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\F. Visscher\Application Data\Mozilla\Firefox\Profiles\i278brzt.default\
FF -: plugin - C:\Program Files\Adobe\Acrobat 5.0\Reader\Browser\nppdf32.dll
FF -: plugin - C:\Program Files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF -: plugin - C:\Program Files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF -: plugin - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
FF -: plugin - D:\Program Files\Mozilla Firefox\plugins\np32dsw.dll
FF -: plugin - D:\Program Files\Mozilla Firefox\plugins\npnul32.dll
FF -: plugin - D:\Program Files\VLC\npvlc.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-11 16:54:15
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-09-11 16:55:23
ComboFix-quarantined-files.txt 2008-09-11 14:55:20

Pre-Run: 11,722,194,944 bytes free
Post-Run: 12,349,276,160 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

200 --- E O F --- 2008-08-17 10:00:05


I haven't seen the annoying popups since ComboFix was run. How do things look now?
Thanks again,
Travis


#4 steamwiz

Posted 11 September 2008 - 05:10 PM

Hi Travis

And finally, I ran Combofix. It automatically ran itself in Dutch - (I live in Holland) is there a way to change the default language to English, or will you be okay with this?


I'm fine with it, I see logs in many different languages.

-
Please Download CCleaner from :-

http://www.filehippo.com/download_ccleaner/ (click the download tab)

During the installation be sure to UN-check the box for "Ccleaner Yahoo Toolbar" unless you want it.

Double-click the ccsetup.exe file and install the program...

After installing, go to Start > programs > CCleaner > Options > Advanced > UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

Make sure the "windows" tab is selected

Under "internet explorer" tick...

Temporary internet files
Cookies* > see Note below
History
Recently typed URLs
(leave this unticked if you DON'T want to clear the drop down list in the address window of IE)
Delete index.dat files
Last download location
Autocomplete form history


under "Windows explorer" these are optional, but you can safely tick them all if you wish, they are only "most recently used lists"

Other Explorer MRUs
(leave this unticked if you DON'T want to clear lists such as the start\run list)

under "System"

Tick ALL these ...


under "Advanced"

no need to tick any of these (but you can if you want, and realise what they do)


Applications tab...

These will mostly clean out old log files for these applications...

Clean:- (if you use them)

Firefox/Mozilla (optional - leave the cookies - see note)
Opera
Sun Java
ZoneAlarm

...
Personally I clean everything in the applications tab... but you tick what you want...

Note: *If there are any cookies you want to keep (if you remove the cookie for a site you require a password for, you will need to re-enter your password when you next visit that site) ... click options > cookies > then keep the cookies you want.

click "analyse" if you want to see a list of what is going to be removed, before it is removed.

Or

click "run cleaner" to let it get on with its work... clicking this will result in the following pop-up

"This process will permanently delete files from your system. Are you sure you wish to proceed?"

click OK.

-

I take it you saved the Malwarebytes' Anti-Malware log before letting it remove all it found (Make sure that everything is checked, and click Remove Selected.)?

Please run all 3 programs again and post the new logs, so that I can see if anything was missed ...

That's :-

1. KASPERSKY ONLINE SCANNER
2. Malwarebytes' Anti-Malware
3. Combofix

Also please post a new hijackthis log :)

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware

#5 dopeyskydiver (Topic Starter)

Posted 14 September 2008 - 03:00 AM

Hey Steam,

Sorry for the delay. I have the following info for you to review:

Kaspersky log:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Saturday, September 13, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Saturday, September 13, 2008 14:46:04
Records in database: 1220742
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Files scanned: 74584
Threat name: 6
Infected objects: 6
Suspicious objects: 2
Duration of the scan: 03:03:35


File name / Threat name / Threats count
C:\Documents and Settings\F. Visscher\Local Settings\Application Data\Identities\{339E0810-62FD-49FE-9FCB-824363F4EA26}\Microsoft\Outlook Express\CKO.dbx Suspicious: Exploit.HTML.Iframe.FileDownload 1
C:\Documents and Settings\F. Visscher\Local Settings\Application Data\Identities\{339E0810-62FD-49FE-9FCB-824363F4EA26}\Microsoft\Outlook Express\Suite.dbx Suspicious: Exploit.HTML.Iframe.FileDownload 1
C:\System Volume Information\_restore{2394E65D-4727-448A-AD85-6BC1BAD9D80F}\RP501\A0071603.EXE Infected: not-a-virus:AdWare.Win32.Background 1
C:\System Volume Information\_restore{2394E65D-4727-448A-AD85-6BC1BAD9D80F}\RP502\A0071645.DLL Infected: Trojan.Win32.Monder.mxs 1
C:\System Volume Information\_restore{2394E65D-4727-448A-AD85-6BC1BAD9D80F}\RP502\A0071647.dll Infected: Trojan.Win32.Vapsup.lae 1
C:\System Volume Information\_restore{2394E65D-4727-448A-AD85-6BC1BAD9D80F}\RP502\A0071648.dll Infected: Trojan.Win32.Vapsup.lae 1
C:\System Volume Information\_restore{2394E65D-4727-448A-AD85-6BC1BAD9D80F}\RP502\A0071654.EXE Infected: Trojan-Downloader.Win32.Agent.afly 1
C:\System Volume Information\_restore{2394E65D-4727-448A-AD85-6BC1BAD9D80F}\RP502\A0071657.sys Infected: Hoax.Win32.Agent.fu 1

The selected area was scanned.


Malwarebytes' Anti-Malware log:

Malwarebytes' Anti-Malware 1.28
Database version: 1147
Windows 5.1.2600 Service Pack 2

14-9-2008 8:19:55
mbam-log-2008-09-14 (08-19-55).txt

Scan type: Quick Scan
Objects scanned: 47425
Time elapsed: 13 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Combofix log:

ComboFix 08-09-13.05 - F. Visscher 2008-09-14 9:50:16.4 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1043.18.1544 [GMT 2:00]
Started from: C:\Documents and Settings\F. Visscher\Bureaublad\Maintenance Programs\ComboFix.exe
* Resident AV is active

.

(((((((((((((((((((( Files Created from 2008-08-14 to 2008-09-14 ))))))))))))))))))))))))))))))
.

2008-09-12 05:58 . 2008-09-12 05:58 <DIR> dr-h----- C:\Documents and Settings\F. Visscher\Onlangs geopend
2008-09-12 05:40 . 2008-09-12 05:40 <DIR> d-------- C:\Program Files\CCleaner
2008-09-11 05:31 . 2008-09-11 05:31 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-11 05:31 . 2008-09-11 05:31 <DIR> d-------- C:\Documents and Settings\F. Visscher\Application Data\Malwarebytes
2008-09-11 05:31 . 2008-09-11 05:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-11 05:31 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-11 05:31 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-10 16:36 . 2008-09-10 16:36 <DIR> d--hs---- C:\FOUND.002
2008-09-10 05:58 . 2008-09-10 05:58 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-09 20:15 . 2008-09-10 18:09 145 --a------ C:\WINDOWS\wininit.ini
2008-09-09 17:44 . 2008-09-09 17:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-09-09 17:42 . 2008-09-09 17:42 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-09-08 15:55 . 2008-09-08 15:55 <DIR> d-------- C:\Documents and Settings\F. Visscher\Application Data\Ambient Design
2008-09-04 12:55 . 2008-09-04 12:55 <DIR> d--hs---- C:\FOUND.001
2008-09-04 11:41 . 2008-09-04 11:41 <DIR> d-------- C:\Documents and Settings\F. Visscher\Application Data\BitTorrent
2008-09-04 11:40 . 2008-09-04 11:40 <DIR> d-------- C:\Program Files\BitTorrent
2008-08-24 10:48 . 2008-08-24 10:48 <DIR> d-------- C:\WINDOWS\system32\Adobe
2008-08-23 16:36 . 2008-08-23 16:36 275 --a------ C:\WINDOWS\NIJNTJE.INI
2008-08-21 18:40 . 2008-08-21 18:40 582 --a------ C:\WINDOWS\eReg.dat
2008-08-21 18:18 . 2008-08-21 18:18 <DIR> d-------- C:\Program Files\Maxis
2008-08-17 10:50 . 2008-05-01 16:33 331,776 --------- C:\WINDOWS\system32\dllcache\msadce.dll

.
((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-31 09:25 35,296 ----a-w C:\WINDOWS\system32\drivers\Dvd43.sys
2008-08-11 18:13 2,855 ----a-w C:\WINDOWS\PIF\SIMCITY.PIF
2008-08-11 17:20 --------- d-----w C:\Program Files\Fortres Grand
2008-08-06 11:17 --------- d-----w C:\Program Files\Minimem
2008-07-30 15:25 --------- d-----w C:\Documents and Settings\F. Visscher\Application Data\TuxPaint
2008-07-18 20:10 94,920 ----a-w C:\WINDOWS\system32\dllcache\cdm.dll
2008-07-18 20:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-18 20:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-18 20:10 53,448 ----a-w C:\WINDOWS\system32\dllcache\wuauclt.exe
2008-07-18 20:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-18 20:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-18 20:10 36,552 ----a-w C:\WINDOWS\system32\dllcache\wups.dll
2008-07-18 20:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-18 20:09 563,912 ----a-w C:\WINDOWS\system32\dllcache\wuapi.dll
2008-07-18 20:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-18 20:09 325,832 ----a-w C:\WINDOWS\system32\dllcache\wucltui.dll
2008-07-18 20:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-18 20:09 205,000 ----a-w C:\WINDOWS\system32\dllcache\wuweb.dll
2008-07-18 20:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-18 20:09 1,811,656 ----a-w C:\WINDOWS\system32\dllcache\wuaueng.dll
2008-07-08 12:05 921,632 ----a-w C:\PA7311.DAT
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\dllcache\es.dll
2008-06-24 16:24 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-24 16:24 74,240 ------w C:\WINDOWS\system32\dllcache\mscms.dll
2008-06-23 09:49 18,432 ------w C:\WINDOWS\system32\dllcache\iedw.exe
2008-06-20 17:43 247,296 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 17:43 247,296 ------w C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 17:43 148,992 ----a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 10:44 138,368 ------w C:\WINDOWS\system32\dllcache\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-06-14 18:00 272,640 ------w C:\WINDOWS\system32\dllcache\bthport.sys
2003-06-21 13:52 32 --sha-w C:\WINDOWS\{5BE8BCC2-3B23-4EBC-95BD-3B8A78FA3C8D}.dat
2006-11-27 14:52 108 --sha-r C:\WINDOWS\neoqaz2.dll
2003-06-21 13:52 32 --sha-w C:\WINDOWS\system32\{C3B82161-9FB6-4E2E-990C-86E5F743FF17}.dat
.

((((((((((((((((((((((((((((( snapshot@2008-09-11_16.54.50.21 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-09-11 12:46:42 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-09-14 06:25:14 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-09-11 12:46:42 32,768 ------w C:\WINDOWS\system32\config\systemprofile\Local Settings\Geschiedenis\History.IE5\index.dat
+ 2008-09-14 06:25:14 32,768 ------w C:\WINDOWS\system32\config\systemprofile\Local Settings\Geschiedenis\History.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Registry Startup Points )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legitimate default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"Gadwin PrintScreen 3.1"="C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe" [2005-09-27 1073152]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 204288]
"Mikogo"="C:\Program Files\Mikogo\Mikogo.exe" [2008-06-18 2285568]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-08-18 1832272]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" [X]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-01-24 315392]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2002-11-15 126976]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2002-11-18 561152]
"LManager"="C:\Program Files\Launch Manager\QtZgAcer.EXE" [2003-01-27 303104]
"AcerNotebookManager"="C:\Program Files\Acer\Notebook Manager\almxptray.exe" [2003-02-16 504832]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-01 282624]
"WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [2007-10-26 292152]
"DVD43"="d:\Program Files\DVD Region+CSS Free\DVDRegionFree.exe" [2004-10-22 278016]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"Karen's Once-A-Day II"="C:\Program Files\KarenWare CD\OAD\PTOAD.exe" [2007-06-14 552960]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 C:\WINDOWS\system32\Ati2mdxx.exe]
"SoundMan"="SOUNDMAN.EXE" [2002-11-19 C:\WINDOWS\SOUNDMAN.EXE]
"AGRSMMSG"="AGRSMMSG.exe" [2002-10-18 C:\WINDOWS\AGRSMMSG.exe]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 C:\WINDOWS\system32\bthprops.cpl]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 15360]

C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\
HOTSYNCSHORTCUTNAME.lnk - C:\Program Files\Palm\Palm\Hotsync.exe [2004-06-09 471040]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{93994DE8-8239-4655-B1D1-5F4E91300429}"= "D:\PROGRA~1\DVDREG~1\DVDShell.dll" [2004-10-09 49152]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mlJAqqRl]
[BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll
"msacm.l3fhg"= mp3fhg.acm
"VIDC.X264"= x264vfw.dll
"VIDC.HFYU"= huffyuv.dll
"vidc.i263"= i263_32.drv
"msacm.divxa32"= divxa32.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^BlueSoleil.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^F. Visscher^Menu Start^Programma's^Opstarten^PowerReg SchedulerV2.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
--a------ 2000-08-29 17:56 28739 C:\Program Files\Microsoft Works\WkDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"C:\\Program Files\\Messenger\\MSMSGS.EXE"=
"D:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R2 acernbm;acernbm;C:\WINDOWS\system32\drivers\acernbm.sys [2003-01-13 6538]
R3 CONAN;CONAN;C:\WINDOWS\system32\drivers\o2mmb.sys [2002-12-13 227887]
R3 Dvd43;Dvd43;C:\WINDOWS\system32\DRIVERS\Dvd43.sys [2008-08-31 35296]
R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;C:\WINDOWS\system32\DRIVERS\ManyCam.sys [2008-01-14 21632]
R3 mbxfilt;mbxfilt;C:\WINDOWS\system32\drivers\MbxFilt.sys [2002-12-09 5441]
S3 FGCWL;FGCWL;D:\Program Files\Fortres Grand\Virtual Sandbox 1.0\FGCWL.sys [ ]
S3 LEX_AS_NIC_SERVICE;LAN-Express IEEE 802.11a/b Wireless Network Adapter Service;C:\WINDOWS\system32\DRIVERS\Expsab2.sys [2002-12-10 218240]
S3 PAC7311;Trust WB-3400T Webcam;C:\WINDOWS\system32\DRIVERS\PA707UCM.SYS [2007-03-14 449024]
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

BHO-{5765EB8F-9639-48EF-BCA6-5466C1153AF4} - (no file)
BHO-{659225B5-60C9-34B2-A05E-55373019C5F7} - (no file)
BHO-{6D201546-5CD0-4256-921B-BD68BFBB0E22} - (no file)
BHO-{ADEFCC73-BD41-44F8-8A2F-5DFB45EBD59B} - (no file)


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\F. Visscher\Application Data\Mozilla\Firefox\Profiles\i278brzt.default\
FF -: plugin - C:\Program Files\Adobe\Acrobat 5.0\Reader\Browser\nppdf32.dll
FF -: plugin - C:\Program Files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF -: plugin - C:\Program Files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF -: plugin - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
FF -: plugin - D:\Program Files\Mozilla Firefox\plugins\np32dsw.dll
FF -: plugin - D:\Program Files\Mozilla Firefox\plugins\npnul32.dll
FF -: plugin - D:\Program Files\VLC\npvlc.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-14 09:51:57
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

Scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-09-14 9:52:51
ComboFix-quarantined-files.txt 2008-09-14 07:52:46
ComboFix4.txt 2008-09-11 14:55:26
ComboFix3.txt 2008-09-14 06:29:30
ComboFix2.txt 2008-09-14 07:48:12

Pre-Run: 12,197,724,160 bytes free
Post-Run: 12,183,142,400 bytes free

186 --- E O F --- 2008-08-17 10:00:05

FYI every time I run ComboFix, I get the following warning from McAfee:

McAfee has automatically blocked and quarantined an infected file on your computer.
You can restore quarantined items from the Restore pane in SecurityCenter.

About this Virus
Detected: EICAR test file (Virus)
Quarantined from: C:\ Documents and settings\F.Visscher\Local Settings\Temp\Av-test.txt

A virus is a self-replicating program that can harm your computer, compromise its security and damage valuable files.

HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:18:13, on 14-9-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Launch Manager\QtZgAcer.EXE
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\Program Files\Acer\Notebook Manager\almxptray.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Palm\Palm\Hotsync.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\notepad.exe
D:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nu.nl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5765EB8F-9639-48EF-BCA6-5466C1153AF4} - (no file)
O2 - BHO: (no name) - {659225B5-60C9-34B2-A05E-55373019C5F7} - (no file)
O2 - BHO: (no name) - {6D201546-5CD0-4256-921B-BD68BFBB0E22} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {ADEFCC73-BD41-44F8-8A2F-5DFB45EBD59B} - (no file)
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LManager] C:\Program Files\Launch Manager\QtZgAcer.EXE
O4 - HKLM\..\Run: [AcerNotebookManager] C:\Program Files\Acer\Notebook Manager\almxptray.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [DVD43] "d:\Program Files\DVD Region+CSS Free\DVDRegionFree.exe" /hidden
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Karen's Once-A-Day II] C:\Program Files\KarenWare CD\OAD\PTOAD.exe /auto
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Gadwin PrintScreen 3.1] C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe /nosplash
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Mikogo] "C:\Program Files\Mikogo\Mikogo.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Netwerkservice')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Palm\Hotsync.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - d:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{24FFE04C-6991-415B-AA4B-DD415D11D942}: NameServer = 62.58.50.5,62.58.50.6
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: mlJAqqRl - C:\WINDOWS\
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

--
End of file - 8035 bytes



Let me know what I should do next...

Thanks in advance,
Travis

#6 steamwiz

Posted 14 September 2008 - 03:31 PM

Hi

FYI every time I run ComboFix, I get the following warning from McAfee:

McAfee has automatically blocked and quarantined an infected file on your computer.
You can restore quarantined items from the Restore pane in SecurityCenter.

About this Virus
Detected: EICAR test file (Virus)
Quarantined from: C:\ Documents and settings\F.Visscher\Local Settings\Temp\Av-test.txt


One of the conditions for running Combofix is to turn off real-time protection, including your AV, as it can interfere with Combofix removing malware ... the file & warning are not malicious, just a way of reminding you that your AV should not be running.

I want you to fix some entries in your hijackthis log, but before you can do this you need to stop Spybot's teatimer from running as it will stop the fixes.

1. Run Spybot-S&D in Advanced Mode.
2. If it is not already set to do this, go to the Mode menu and select "Advanced Mode".
3. On the left hand side, Click on Tools
4. Then click on the Resident Icon in the List
5. Uncheck "Resident TeaTimer" and OK any prompts.
6. Restart your computer.

then run hijackthis

Disconnect from the internet and close ALL browser windows (including this one). Run HijackThis and tick (check the box next to) each entry in the list below. When all are ticked (checked), click the Fix Checked button at the bottom:

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {5765EB8F-9639-48EF-BCA6-5466C1153AF4} - (no file)
O2 - BHO: (no name) - {659225B5-60C9-34B2-A05E-55373019C5F7} - (no file)
O2 - BHO: (no name) - {6D201546-5CD0-4256-921B-BD68BFBB0E22} - (no file)

O2 - BHO: (no name) - {ADEFCC73-BD41-44F8-8A2F-5DFB45EBD59B} - (no file)

O20 - Winlogon Notify: mlJAqqRl - C:\WINDOWS\

After you have completed the cleaning...

reverse the procedure to re-enable it...

Run hijackthis again & post a new log

C:\Documents and Settings\F. Visscher\Local Settings\Application Data\Identities\{339E0810-62FD-49FE-9FCB-824363F4EA26}\Microsoft\Outlook Express\CKO.dbx Suspicious: Exploit.HTML.Iframe.FileDownload 1

C:\Documents and Settings\F. Visscher\Local Settings\Application Data\Identities\{339E0810-62FD-49FE-9FCB-824363F4EA26}\Microsoft\Outlook Express\Suite.dbx Suspicious: Exploit.HTML.Iframe.FileDownload 1


These are folders in Outlook Express which contain suspicious e-mails ...

Outlook Express\CKO
Outlook Express\Suite

I can tell you no more about them, you will have to check the contents of the folders, & if there is nothing you really want in them then delete the contents ...


How's the computer running now ?


steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware

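The two entry classes steamwiz asks Travis to tick in the post above (O2 BHOs listed as "(no file)" and the O20 Winlogon Notify entry) can be picked out of a HijackThis log mechanically, and cross-checked against what ComboFix already claimed to have removed: the same four BHO CLSIDs and the Notify-mlJAqqRl entry appear under ComboFix's "ORPHANS REMOVED" on 11 September, yet are still present in the HijackThis log of 14 September. The Python below is an added example written for this page; it is not code from the thread, from HijackThis or from ComboFix. The regular expressions follow the line formats visible in the posted logs, and the sample log text is constructed from those formats.

```python
"""Triage helper for the HijackThis and ComboFix logs posted in this thread.

Added example for this page: not code from the thread, from HijackThis or from
ComboFix. It picks out the two entry classes the helper asked to fix (O2 BHOs
listed as "(no file)" and O20 Winlogon Notify entries), cross-checks them
against the ORPHANS REMOVED section of a ComboFix log, and emits the exact
HijackThis lines to tick before clicking "Fix Checked". Sample log text below
is constructed from the line formats visible in the posted logs.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Line shapes as they appear in Trend Micro HijackThis v2.0.2 logs.
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
# ComboFix "ORPHANS REMOVED" lines for a BHO CLSID or a Winlogon Notify
# package whose DLL was already gone when ComboFix ran.
CF_ORPHAN_RE = re.compile(
    r"^(?:BHO-\{(?P<clsid>[0-9A-Fa-f-]{36})\}|Notify-(?P<notify>\S+)) - \(no file\)$")

# Constructed sample input, in the same format as the logs in the thread.
HJT_SAMPLE = """\
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\\Program Files\\Spybot - Search & Destroy\\SDHelper.dll
O2 - BHO: (no name) - {5765EB8F-9639-48EF-BCA6-5466C1153AF4} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\\Program Files\\Java\\jre1.6.0_07\\bin\\ssv.dll
O2 - BHO: (no name) - {ADEFCC73-BD41-44F8-8A2F-5DFB45EBD59B} - (no file)
O20 - Winlogon Notify: mlJAqqRl - C:\\WINDOWS\\
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\\PROGRA~1\\McAfee\\VIRUSS~1\\mcshield.exe
"""
COMBOFIX_SAMPLE = """\
- - - - ORPHANS REMOVED - - - -

BHO-{5765EB8F-9639-48EF-BCA6-5466C1153AF4} - (no file)
HKLM-Run-NWEReboot - (no file)
Notify-mlJAqqRl - (no file)
"""


@dataclass(frozen=True)
class Finding:
    line: str    # the HijackThis line exactly as logged: this is what gets ticked
    kind: str    # "orphan-bho" or "winlogon-notify"
    reason: str


def combofix_orphans(combofix_log: str) -> set[str]:
    """Identifiers (BHO CLSIDs, Notify package names) that ComboFix reported as
    orphans, upper-cased for case-insensitive comparison with HijackThis."""
    found = set()
    for m in map(CF_ORPHAN_RE.match, combofix_log.splitlines()):
        if m:
            found.add((m.group("clsid") or m.group("notify")).upper())
    return found


def triage(hjt_log: str, seen_by_combofix: set[str] | None = None) -> list[Finding]:
    """Return the O2/O20 entries that warrant a HijackThis fix, in log order."""
    seen = seen_by_combofix or set()
    findings: list[Finding] = []
    for line in (raw.rstrip() for raw in hjt_log.splitlines()):
        if m := O2_RE.match(line):
            if m.group("path").strip() != "(no file)":
                continue  # BHO with a DLL on disk: not in scope here
            # The CLSID is still registered as a Browser Helper Object but its
            # DLL is gone: a dead registration left behind by a removed infection.
            reason = "BHO registered but DLL missing"
            if m.group("clsid").upper() in seen:
                reason += "; listed as removed by ComboFix yet still present"
            findings.append(Finding(line, "orphan-bho", reason))
        elif m := O20_RE.match(line):
            # Winlogon Notify packages are DLLs loaded into winlogon.exe at
            # logon, which is why Vundo/Virtumonde used them for persistence.
            path = m.group("path").strip()
            if path.lower().endswith(".dll"):
                reason = "review: DLL loads into winlogon.exe at every logon"
            else:
                reason = "Notify key left behind; path is not a DLL"
            if m.group("name").upper() in seen:
                reason += "; listed as removed by ComboFix yet still present"
            findings.append(Finding(line, "winlogon-notify", reason))
    return findings


def fix_list(findings: list[Finding]) -> list[str]:
    """Lines to tick in HijackThis before clicking 'Fix Checked'."""
    return [f.line for f in findings]


if __name__ == "__main__":
    for f in triage(HJT_SAMPLE, combofix_orphans(COMBOFIX_SAMPLE)):
        print(f"[{f.kind}] {f.reason}\n    {f.line}")
```

Run against the constructed sample, the script reports the two "(no file)" BHOs and the mlJAqqRl Notify entry, and marks the ones ComboFix had already listed as orphans as still present, which is exactly the situation steamwiz resolves by having the entries fixed from HijackThis with TeaTimer disabled so the fix is not reverted.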
#7 dopeyskydiver (Topic Starter)

Posted 16 September 2008 - 05:21 AM

Okay Steam,

I deleted the Outlook Express files in question. I then turned off Spybot's teatimer and ran HijackThis.

Here is the log before I fixed the selected files:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:00:26, on 16-9-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Launch Manager\QtZgAcer.EXE
C:\Program Files\Acer\Notebook Manager\almxptray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Mikogo\Mikogo.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Palm\Palm\Hotsync.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nu.nl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {5765EB8F-9639-48EF-BCA6-5466C1153AF4} - (no file)
O2 - BHO: (no name) - {659225B5-60C9-34B2-A05E-55373019C5F7} - (no file)
O2 - BHO: (no name) - {6D201546-5CD0-4256-921B-BD68BFBB0E22} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {ADEFCC73-BD41-44F8-8A2F-5DFB45EBD59B} - (no file)
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LManager] C:\Program Files\Launch Manager\QtZgAcer.EXE
O4 - HKLM\..\Run: [AcerNotebookManager] C:\Program Files\Acer\Notebook Manager\almxptray.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [DVD43] "d:\Program Files\DVD Region+CSS Free\DVDRegionFree.exe" /hidden
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Karen's Once-A-Day II] C:\Program Files\KarenWare CD\OAD\PTOAD.exe /auto
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Gadwin PrintScreen 3.1] C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe /nosplash
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Mikogo] "C:\Program Files\Mikogo\Mikogo.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Netwerkservice')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Palm\Hotsync.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - d:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{24FFE04C-6991-415B-AA4B-DD415D11D942}: NameServer = 62.58.50.5,62.58.50.6
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: mlJAqqRl - C:\WINDOWS\
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

--
End of file - 7412 bytes


And then here is a HijackThis log AFTER I fixed the selected files:



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:09:32, on 16-9-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Launch Manager\QtZgAcer.EXE
C:\Program Files\Acer\Notebook Manager\almxptray.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Mikogo\Mikogo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Palm\Palm\Hotsync.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nu.nl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LManager] C:\Program Files\Launch Manager\QtZgAcer.EXE
O4 - HKLM\..\Run: [AcerNotebookManager] C:\Program Files\Acer\Notebook Manager\almxptray.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [DVD43] "d:\Program Files\DVD Region+CSS Free\DVDRegionFree.exe" /hidden
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Karen's Once-A-Day II] C:\Program Files\KarenWare CD\OAD\PTOAD.exe /auto
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Gadwin PrintScreen 3.1] C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe /nosplash
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Mikogo] "C:\Program Files\Mikogo\Mikogo.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Netwerkservice')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Palm\Hotsync.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - d:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{24FFE04C-6991-415B-AA4B-DD415D11D942}: NameServer = 62.58.50.5,62.58.50.6
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

--
End of file - 6953 bytes


Seems to me the files that you wanted HijackThis to delete are stubborn... Other program ideas? As far as how the computer is running - no more annoying warnings from WinPatrol! Other than that - I don't notice anything out of the ordinary happening.

Till the next time,
Travis
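The two logs above differ only in a handful of lines, and the helper's reading of them comes down to a few mechanical checks: which entries disappeared, whether any orphaned BHO registrations ("(no file)") remain, whether a Winlogon Notify hook points at a DLL that actually resolves, and whether the default URLSearchHook is still reported missing. The script below, an added example that is not HijackThis's or BleepingComputer's own code, parses HijackThis entry lines, diffs a before/after pair and applies those checks. The sample logs inside it are constructed excerpts of the two logs posted above.

```python
"""Diff two HijackThis logs and flag entry classes that merit a second look.

Added example for this thread (not HijackThis's or BleepingComputer's code).
The sample logs are constructed excerpts of the before/after logs posted above."""
import re
from typing import List, Tuple

Entry = Tuple[str, str]  # (section tag such as "O2", rest of the line)

# Constructed excerpt of the log taken BEFORE the selected entries were fixed.
BEFORE_LOG = r"""
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {5765EB8F-9639-48EF-BCA6-5466C1153AF4} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O20 - Winlogon Notify: mlJAqqRl - C:\WINDOWS\
"""

# Constructed excerpt of the log taken AFTER the fix.
AFTER_LOG = r"""
R3 - Default URLSearchHook is missing
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
"""

# Every HijackThis entry line starts with a section tag (R0, O2, O20, ...) and " - ".
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")


def parse_entries(log_text: str) -> List[Entry]:
    """Return the (section, body) pair of every entry line; other lines are ignored."""
    entries: List[Entry] = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m["section"], m["body"]))
    return entries


def diff_logs(before: str, after: str) -> Tuple[List[Entry], List[Entry]]:
    """Entries that the fix removed, and entries that newly appeared afterwards."""
    b, a = set(parse_entries(before)), set(parse_entries(after))
    return sorted(b - a), sorted(a - b)


def flag_entries(log_text: str) -> List[Tuple[str, Entry]]:
    """Checks a helper applies by eye: orphaned BHOs, Winlogon Notify hooks
    without a resolvable DLL path, and the missing default URLSearchHook."""
    findings: List[Tuple[str, Entry]] = []
    for section, body in parse_entries(log_text):
        if section == "O2" and body.endswith("(no file)"):
            findings.append(("BHO CLSID registered but its DLL is gone", (section, body)))
        elif section == "O20" and body.startswith("Winlogon Notify:"):
            target = body.rsplit(" - ", 1)[-1]
            if not target.lower().endswith(".dll"):
                findings.append(("Winlogon Notify hook with no resolvable DLL path", (section, body)))
            else:
                findings.append(("Winlogon Notify hook present; verify the DLL", (section, body)))
        elif section == "R3" and "URLSearchHook is missing" in body:
            findings.append(("default URLSearchHook value absent from HKCU", (section, body)))
    return findings


if __name__ == "__main__":
    removed, added = diff_logs(BEFORE_LOG, AFTER_LOG)
    for sec, body in removed:
        print("removed by fix:", sec, "-", body)
    for sec, body in added:
        print("new since fix: ", sec, "-", body)
    for reason, (sec, body) in flag_entries(AFTER_LOG):
        print("still present: ", reason, "->", sec, "-", body)
```

Run against the excerpts, the diff shows the orphaned O2 BHO and the O20 Winlogon Notify entry gone, nothing new added, and the R3 line as the only remaining flag, which is exactly the state the helper reads off the second log in the next post.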

#8 steamwiz

steamwiz

  • Members
  • 1,039 posts

Posted 16 September 2008 - 03:18 PM

Hi Travis

The only entry still showing in hijackthis is this one :-

R3 - Default URLSearchHook is missing

Hijackthis should be able to fix this, but let's have a look at what's in your registry ...

Open a new notepad & copy & paste the text from the code box below into it ...

regedit /e URLSearchHooks.txt "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks"

save it on the desktop & save it as URLSearchHooks.bat

save as type: all files

doubleclick the URLSearchHooks.bat and a new text file will be created in the desktop URLSearchHooks.txt

please copy & paste the contents of the text file in your next reply...


steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E


#9 dopeyskydiver

dopeyskydiver
  • Topic Starter

  • Members
  • 10 posts

Posted 17 September 2008 - 05:59 PM

Hey Steam,

I did exactly what you said, but when I double-click on the .bat file, I get a quick splash of a MS-Dos screen, then it disappears and I have no .txt file to be found... :thumbsup:

What am I doing wrong?

#10 steamwiz

steamwiz

  • Members
  • 1,039 posts

Posted 18 September 2008 - 02:32 PM

HI

You're probably doing nothing wrong ...

Please do this :-

Open a new notepad & copy & paste the text from the code box below into it ...

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"=""

save it on the desktop & save it as FixURLSearchHooks.reg

save as type: all files

Doubleclick the reg file & allow it to merge with the registry...

Try running the bat file again, this time it should produce a text file on the desktop ...

Then run hijackthis again and see if the entry R3 - Default URLSearchHook is missing is still there ?

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

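Post #8 asks for a regedit export of the URLSearchHooks key and post #10 supplies a .reg file that restores the default hook value. The script below, an added example that is neither the helper's nor BleepingComputer's own tool, shows what the exported URLSearchHooks.txt looks like once decoded (regedit 5.00 writes exports as UTF-16LE with a byte-order mark, which is why the file looks odd in some editors), parses it, reports whether the default hook value is present, and regenerates the same .reg text posted above so it can be saved or diffed. The two sample exports are constructed: one for a key with no values, as the topic starter describes, and one for a healthy key.

```python
"""Parse a regedit export of the URLSearchHooks key, test for the default hook
value, and produce the .reg text that restores it.

Added example for this thread; not the helper's or BleepingComputer's own tool.
Sample exports are constructed."""
import re
from typing import Dict

DEFAULT_HOOK_CLSID = "{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"  # value name from the .reg above
HOOKS_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks"


def _export_bytes(body: str) -> bytes:
    """Bytes the way regedit 5.00 writes them: BOM + UTF-16LE, CRLF line ends."""
    text = "Windows Registry Editor Version 5.00\r\n\r\n" + body
    return b"\xff\xfe" + text.encode("utf-16-le")


# Constructed: the key with no values at all (the situation described in the thread).
SAMPLE_EXPORT_MISSING = _export_bytes("[" + HOOKS_KEY + "]\r\n\r\n")
# Constructed: the key as it exports when the default hook value is present.
SAMPLE_EXPORT_OK = _export_bytes("[" + HOOKS_KEY + "]\r\n\"" + DEFAULT_HOOK_CLSID + "\"=\"\"\r\n\r\n")

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))=(?P<value>.*)$')


def decode_export(data: bytes) -> str:
    """regedit 5.00 exports carry a UTF-16LE BOM; REGEDIT4 / hand-written files are ANSI text."""
    if data.startswith(b"\xff\xfe"):
        return data[2:].decode("utf-16-le")
    return data.decode("utf-8", errors="replace")


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Map each [key] to {value name: raw value}. '@' is the default value.
    A [-HKEY...] line is a deletion directive and records no values."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor") or line == "REGEDIT4":
            continue
        km = KEY_RE.match(line)
        if km:
            key = km["key"]
            current = None if key.startswith("-") else keys.setdefault(key, {})
            continue
        vm = VALUE_RE.match(line)
        if vm and current is not None:
            name = "@" if vm["default"] else vm["name"]
            value = vm["value"]
            if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
                value = value[1:-1]  # plain REG_SZ; dword:/hex: values are kept raw
            current[name] = value
    return keys


def has_default_hook(keys: Dict[str, Dict[str, str]]) -> bool:
    """True when URLSearchHooks carries the default hook value (registry names are case-insensitive)."""
    for key, values in keys.items():
        if key.lower() == HOOKS_KEY.lower():
            return any(name.lower() == DEFAULT_HOOK_CLSID.lower() for name in values)
    return False


def build_fix_reg() -> str:
    """The same .reg text the helper posted, generated so it can be saved or diffed."""
    return ("Windows Registry Editor Version 5.00\r\n\r\n"
            "[" + HOOKS_KEY + "]\r\n"
            '"' + DEFAULT_HOOK_CLSID + '"=""\r\n')


def triage(export: bytes) -> str:
    """Classify an exported URLSearchHooks.txt: key-absent, default-hook-missing or ok."""
    keys = parse_reg_export(decode_export(export))
    if HOOKS_KEY.lower() not in (k.lower() for k in keys):
        return "key-absent"
    return "ok" if has_default_hook(keys) else "default-hook-missing"


if __name__ == "__main__":
    for label, sample in (("no values", SAMPLE_EXPORT_MISSING), ("healthy", SAMPLE_EXPORT_OK)):
        print(label, "->", triage(sample))
    print(build_fix_reg())
```

Feeding the generated .reg text back through the parser reports the hook as present, which is the round trip a cautious user can do before merging: confirm the file contains only the one key and the one empty-string value, and nothing else.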

#11 dopeyskydiver

dopeyskydiver
  • Topic Starter

  • Members
  • 10 posts

Posted 22 September 2008 - 09:28 AM

Okay Steam,
No matter how I try to do it, I am unable to edit that folder in the registry. I have tried booting into safe mode also - no help. What I am able to ascertain, is that the part of the registry you want me to edit/verify/create: "{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="" does not exist in my current registry. I tried to manually create this and I am still getting the same warning: that some keys are currently in use by the system or by another program - therefore it is not able to modify the registry. How do you suggest we tackle this SNAFU? :thumbsup:

Thanks in advance,
Trav

#12 steamwiz

steamwiz

  • Members
  • 1,039 posts

Posted 22 September 2008 - 11:23 AM

HI

I don't know what you've tried, I hope you didn't try to edit the registry yourself (unless you are very confident in what you are doing ?)

When I asked you to merge the reg file did you still have IE running ?

Please make sure you close ALL IE windows, then try to merge the reg file again ...

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E


#13 dopeyskydiver

dopeyskydiver
  • Topic Starter

  • Members
  • 10 posts

Posted 23 September 2008 - 09:36 AM

I tried merging the reg file with EVERYTHING closed. (also tried merging in safe mode to no avail)
Yes, I did try to edit the registry myself, and yes, I was very confident in what I was doing. ;-)
Just tried again with nothing running, but still get the same message that the file cannot be modified because it is being used by the system...

#14 steamwiz

steamwiz

  • Members
  • 1,039 posts

Posted 23 September 2008 - 01:48 PM

HI

OK please try this :-

Download and run: http://www.kellys-korner-xp.com/regs_edits...toreSearch2.REG

To restore your default Search functionality and reset your prefixes.

You will have to manually re-select any Search Customisations that you may have had.

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E
