Malware, but scanners don't start/are interrupted or don't find anything


This topic is locked
25 replies to this topic

#1 EmyNL

EmyNL

  • Members
  • 15 posts

Posted 16 February 2009 - 11:12 AM

Hi, I am Emy from the Netherlands. Wish you all a nice day!

I have trouble with at least one of the computers in the little network here. I will describe some of the troubles.
-Links to internet pages on the desktop don't work. I need to paste those in a blank window.
-2 weeks ago the home internet page was blocked. After looking in a lot of forums I found how to change the homepage to Google (by changing the registry).
-Online scanners for spyware don't start/are interrupted or don't find anything wrong.
-Windows Installer comes up after every click I make to install Symantec Antivirus. But Symantec is already installed.
-I tried programs like CCleaner and ATF; also ComboFix. The last one was also interrupted (black screen). I installed the Recovery Console. Don't know how to delete this console.
-Even when I don't use this computer, it is like the computer is busy at times (sounds like when a program is busy converting media files).
-I couldn't activate my membership, not using the first link, nor the second one. Got a message that something was wrong.
-I found srchassctl in the registry. Erased the Search Assistant. After rebooting ACMRU was gone, but SrchAssCtl is here again.
-I found msmsgs a lot of times on this computer. I think the problems started with a message in Live Messenger.

Now I will paste the proper files to this topic: DDS and Attach.


DDS (Ver_09-02-01.01) - NTFSx86
Run by nel at 16:12:09.10 on 2009-02-16
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1043.18.511.219 [GMT 1:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\GFI\FAXmaker Client\fmstart.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Advanced SystemCare 3\AWC.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\nel\Bureaublad\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.nl/
mStart Page = hxxp://www.msn.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: Adobe PDF Reader Help bij koppelingen: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: WormRadar.com IESiteBlocker.NavFilter: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - AVG Safe Search
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - No File
BHO: {DBC80044-A445-435b-BC74-9C25C1C588A9} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {31CF9EBE-5755-4A1D-AC25-2834D952D9B4} - No File
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [Advanced SystemCare 3] "c:\program files\advanced systemcare 3\AWC.exe" /startup
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [FMStart] "c:\program files\gfi\faxmaker client\fmstart.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\menust~1\progra~1\opstar~1\hpoddt~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpotdd01.exe
mPolicies-explorer: NoPopUpsOnBoot = 1 (0x1)
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scan8/oscan8.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1234781125218
DPF: {6CCE3920-3183-4B3D-808A-B12EB769DE12} - hxxp://www.commandondemand.com/eval/cod/cabs/cssweb.cab
DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} - hxxp://alexion.2circle.it/msrdp.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7}
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: {966D5E12-AF5A-4290-8437-ECA52CFE49C0} = 213.51.144.37,213.51.129.37
Notify: NavLogon - c:\windows\system32\NavLogon.dll
Notify: PCANotify - PCANotify.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - No File

============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-1-8 28544]
R1 AW_HOST;AW_HOST;c:\windows\system32\drivers\AW_HOST5.sys [2001-10-22 33496]
R1 awlegacy;awlegacy;c:\windows\system32\drivers\AWLEGACY.sys [2000-9-11 10816]
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2004-2-9 301200]
R2 awhost32;pcAnywhere Host Service;c:\program files\symantec\pcanywhere\awhost32.exe [2001-11-2 114749]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2004-12-10 255600]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2004-12-10 243312]
R2 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2004-2-9 37008]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2004-12-30 1107784]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090215.002\naveng.sys [2009-2-16 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090215.002\navex15.sys [2009-2-16 876112]
S1 SASDIFSV;SASDIFSV;\??\c:\program files\superantispyware\sasdifsv.sys --> c:\program files\superantispyware\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\superantispyware\saskutil.sys --> c:\program files\superantispyware\SASKUTIL.sys [?]
S1 vcdrom;Virtual CD-ROM Device Driver;\??\c:\program files\vdn\vcdrom.sys --> c:\program files\vdn\VCdRom.sys [?]
S3 ASNDIS5;ASNDIS5 Protocol Driver;c:\windows\system32\ASNDIS5.sys [2005-11-6 16269]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2004-12-10 87664]
S3 CW50;CW50 Device;c:\windows\system32\drivers\cw50.sys --> c:\windows\system32\drivers\CW50.sys [?]
S3 M;M;c:\docume~1\nel\locals~1\temp\m.exe --> c:\docume~1\nel\locals~1\temp\M.exe [?]
S3 SASENUM;SASENUM;\??\c:\program files\superantispyware\sasenum.sys --> c:\program files\superantispyware\SASENUM.SYS [?]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2004-12-30 153416]

============== File Associations ===============

txtfile=c:\windows\NOTEPAD.EXE %1

=============== Created Last 30 ================

2009-02-14 00:32 <DIR> --d-hr-- c:\documents and settings\nel\Onlangs geopend
2009-02-13 17:53 <DIR> --d----- C:\toev
2009-02-12 11:58 <DIR> --d----- c:\docume~1\nel\applic~1\Belastingdienst
2009-02-11 15:02 <DIR> --d----- c:\program files\Advanced SystemCare 3
2009-02-10 11:47 <DIR> --d----- c:\program files\CCleaner
2009-02-02 17:07 16,022 a------- c:\windows\Run32A50.mch
2009-02-02 17:06 35 a------- c:\windows\A5W.INI
2009-02-02 17:06 <DIR> --d----- c:\windows\A5W_DATA
2009-01-28 20:13 <DIR> --d----- c:\docume~1\nel\applic~1\IObit

==================== Find3M ====================

2009-02-10 18:39 717,296 a------- c:\windows\system32\drivers\sptd.sys
2009-01-09 19:46 399,872 a------- c:\windows\system32\CF31638.exe
2009-01-09 19:46 399,872 a------- c:\windows\system32\CF31632.exe
2009-01-08 13:48 6,616 a------- c:\windows\system32\d3d9caps.dat
2009-01-08 12:19 52,232 a------- c:\windows\system32\drivers\REGSYS701.SYS
2009-01-07 21:38 410,984 a------- c:\windows\system32\deploytk.dll
2009-01-02 20:32 179,003 a------- c:\windows\doc2txt.exe
2008-12-18 16:16 444,960 a------- c:\windows\system32\perfh013.dat
2008-12-18 16:16 70,426 a------- c:\windows\system32\perfc013.dat
2008-12-18 15:48 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-12-12 00:57 78,336 a------- c:\windows\system32\Agent.OMZ.Fix.exe
2008-10-22 12:27 32 a------- c:\docume~1\alluse~1\applic~1\ezsid.dat
2008-05-22 22:35 47,360 a------- c:\docume~1\nel\applic~1\pcouffin.sys
2008-03-27 16:45 14,960 a------- c:\program files\settings.dat
2007-09-29 18:26 50,688 a------- c:\program files\ATF-Cleaner.exe

============= FINISH: 16:12:34.71 ===============

I hope you can help me, because I have been searching for weeks now. I've spent at least 80 hours searching about the same problems in a lot of forums and on sites of anti-malware firms.

Many greetings from The Netherlands.

Emy (in fact: Amy) :thumbup2:



#2 KoanYorel

KoanYorel

    Bleepin' Conundrum


  • Members
  • 19,461 posts
  • Gender:Male
  • Location:65 miles due East of the "Logic Free Zone", in Md, USA

Posted 28 February 2009 - 10:18 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a description of your problem, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#3 EmyNL

EmyNL
  • Topic Starter

  • Members
  • 15 posts

Posted 03 March 2009 - 06:31 AM

Good morning (from maybe far away)

The problems still exist. The only thing different from some weeks ago is that the computer (hardware) has been cleaned of dust. All (hardware) connections were checked.
Still the same problems.

Maybe this is important. I have a laptop I didn't use for years. One month ago Windows was installed again. It functions on a wireless connection. It is possible to print using the LAN connection.
Because of the problems with this computer I use some programs to prevent malware. One of these is ADS Spy. Yesterday I used this program for the first time. This program found more than 1000 ADS. Most of them in the Hotmail directory. Could this be one of the problems on this computer?

OK... again the DDS from today.


DDS (Ver_09-02-01.01) - NTFSx86
Run by nel at 11:25:46.51 on 2009-03-03
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1043.18.511.154 [GMT 1:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\GFI\FAXmaker Client\fmstart.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Advanced SystemCare 3\AWC.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\nel\Bureaublad\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.nl/
mStart Page = hxxp://www.msn.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: Adobe PDF Reader Help bij koppelingen: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: WormRadar.com IESiteBlocker.NavFilter: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - AVG Safe Search
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - No File
BHO: {DBC80044-A445-435b-BC74-9C25C1C588A9} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {31CF9EBE-5755-4A1D-AC25-2834D952D9B4} - No File
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [Advanced SystemCare 3] "c:\program files\advanced systemcare 3\AWC.exe" /startup
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [FMStart] "c:\program files\gfi\faxmaker client\fmstart.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\menust~1\progra~1\opstar~1\hpoddt~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpotdd01.exe
mPolicies-explorer: NoPopUpsOnBoot = 1 (0x1)
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scan8/oscan8.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1234781125218
DPF: {6CCE3920-3183-4B3D-808A-B12EB769DE12} - hxxp://www.commandondemand.com/eval/cod/cabs/cssweb.cab
DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} - hxxp://alexion.2circle.it/msrdp.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7}
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: {966D5E12-AF5A-4290-8437-ECA52CFE49C0} = 213.51.144.37,213.51.129.37
Notify: NavLogon - c:\windows\system32\NavLogon.dll
Notify: PCANotify - PCANotify.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - No File

============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-1-8 28544]
R1 AW_HOST;AW_HOST;c:\windows\system32\drivers\AW_HOST5.sys [2001-10-22 33496]
R1 awlegacy;awlegacy;c:\windows\system32\drivers\AWLEGACY.sys [2000-9-11 10816]
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2004-2-9 301200]
R2 awhost32;pcAnywhere Host Service;c:\program files\symantec\pcanywhere\awhost32.exe [2001-11-2 114749]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2004-12-10 255600]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2004-12-10 243312]
R2 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2004-2-9 37008]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2004-12-30 1107784]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090301.005\naveng.sys [2009-3-2 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090301.005\navex15.sys [2009-3-2 876144]
S1 SASDIFSV;SASDIFSV;\??\c:\program files\superantispyware\sasdifsv.sys --> c:\program files\superantispyware\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\superantispyware\saskutil.sys --> c:\program files\superantispyware\SASKUTIL.sys [?]
S1 vcdrom;Virtual CD-ROM Device Driver;\??\c:\program files\vdn\vcdrom.sys --> c:\program files\vdn\VCdRom.sys [?]
S3 ASNDIS5;ASNDIS5 Protocol Driver;c:\windows\system32\ASNDIS5.sys [2005-11-6 16269]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2004-12-10 87664]
S3 CW50;CW50 Device;c:\windows\system32\drivers\cw50.sys --> c:\windows\system32\drivers\CW50.sys [?]
S3 M;M;c:\docume~1\nel\locals~1\temp\m.exe --> c:\docume~1\nel\locals~1\temp\M.exe [?]
S3 SASENUM;SASENUM;\??\c:\program files\superantispyware\sasenum.sys --> c:\program files\superantispyware\SASENUM.SYS [?]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2004-12-30 153416]

============== File Associations ===============

txtfile=c:\windows\NOTEPAD.EXE %1

=============== Created Last 30 ================

2009-02-14 00:32 <DIR> --d-hr-- c:\documents and settings\nel\Onlangs geopend
2009-02-13 17:53 <DIR> --d----- C:\toev
2009-02-12 11:58 <DIR> --d----- c:\docume~1\nel\applic~1\Belastingdienst
2009-02-11 15:02 <DIR> --d----- c:\program files\Advanced SystemCare 3
2009-02-10 11:47 <DIR> --d----- c:\program files\CCleaner
2009-02-02 17:07 16,022 a------- c:\windows\Run32A50.mch
2009-02-02 17:06 35 a------- c:\windows\A5W.INI
2009-02-02 17:06 <DIR> --d----- c:\windows\A5W_DATA

==================== Find3M ====================

2009-02-10 18:39 717,296 a------- c:\windows\system32\drivers\sptd.sys
2009-01-09 19:46 399,872 a------- c:\windows\system32\CF31638.exe
2009-01-09 19:46 399,872 a------- c:\windows\system32\CF31632.exe
2009-01-08 13:48 6,616 a------- c:\windows\system32\d3d9caps.dat
2009-01-08 12:19 52,232 a------- c:\windows\system32\drivers\REGSYS701.SYS
2009-01-07 21:38 410,984 a------- c:\windows\system32\deploytk.dll
2009-01-02 20:32 179,003 a------- c:\windows\doc2txt.exe
2008-12-18 16:16 444,960 a------- c:\windows\system32\perfh013.dat
2008-12-18 16:16 70,426 a------- c:\windows\system32\perfc013.dat
2008-12-18 15:48 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-12-12 00:57 78,336 a------- c:\windows\system32\Agent.OMZ.Fix.exe
2008-10-22 12:27 32 a------- c:\docume~1\alluse~1\applic~1\ezsid.dat
2008-05-22 22:35 47,360 a------- c:\docume~1\nel\applic~1\pcouffin.sys
2008-03-27 16:45 14,960 a------- c:\program files\settings.dat
2007-09-29 18:26 50,688 a------- c:\program files\ATF-Cleaner.exe

============= FINISH: 11:25:55.46 ===============

That's it.
I really hope you can help me. It is almost awful to sit behind this computer.
Thank you!

Emy (Amy)

#4 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 03 March 2009 - 10:33 AM

Hi Emy :thumbup2:

ComboFix shouldn't be run without guidance. Do you have its log (ComboFix.txt file) still around somewhere on your hard drive? If you do, please post the contents back here.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.


#5 EmyNL

EmyNL
  • Topic Starter

  • Members
  • 15 posts

Posted 03 March 2009 - 07:39 PM

Hi Blade.

Thank you for your post.

I know it was wrong to use ComboFix. I got a black screen with a long list of text, like when starting in safe mode. After a while the program crashed while still listing.
There was no difference after using this program. Still the same problems.

So I started to read everywhere. After maybe 10 hours of reading I found a solution for one problem. I couldn't change the homepage in Internet Explorer. A weird page started when I started Internet Explorer. This problem was described exactly in one of the forums. To change this I had to change a few things in the registry. I did it very carefully, not like handling ComboFix, and this problem was solved and I could change the homepage to Google again.

Emy .... in fact Amy's (old ??) grandma

#6 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 04 March 2009 - 11:11 AM

Hi

The visible problem may be gone. However, according to the latest DDS log there's still bad stuff there. Let's see what ComboFix tells us this time.


Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link
    Remember to re-enable them afterwards.

  • Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New dds.txt log.


A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

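Blade81's remark that the latest DDS log still shows bad stuff can be turned into a repeatable check. The block below is an added example, not code from this thread, from BleepingComputer or from the DDS tool: it parses the SERVICES / DRIVERS section in the line format of the logs posted above and flags entries DDS could not find on disk ("[?]") or whose binary runs from a temp or user-profile directory. The flagging rules are assumptions for illustration; a flag (the SuperAntiSpyware leftovers also get one) is a lead for the helper to verify, not a verdict.

```python
"""Triage helper for the SERVICES / DRIVERS section of a DDS log.

Added example; not code from the thread or from the DDS tool. Lines look like

    R0 name;display;path [yyyy-m-d size]
    S3 name;display;path --> resolved_path [?]

where R = running, S = stopped, the digit is the start type, and "[?]"
means DDS could not find the file. Flags below are heuristic assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in the format of the logs posted in the thread.
SAMPLE_SERVICES = r"""
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-1-8 28544]
R2 awhost32;pcAnywhere Host Service;c:\program files\symantec\pcanywhere\awhost32.exe [2001-11-2 114749]
S1 SASDIFSV;SASDIFSV;\??\c:\program files\superantispyware\sasdifsv.sys --> c:\program files\superantispyware\SASDIFSV.SYS [?]
S3 CW50;CW50 Device;c:\windows\system32\drivers\cw50.sys --> c:\windows\system32\drivers\CW50.sys [?]
S3 M;M;c:\docume~1\nel\locals~1\temp\m.exe --> c:\docume~1\nel\locals~1\temp\M.exe [?]
"""

LINE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+(?P<name>[^;]*);(?P<display>[^;]*);(?P<rest>.*)$"
)
# The trailing "[...]" holds either "date size" or "?" (file not found).
META_RE = re.compile(r"^(?P<body>.*?)\s*\[(?P<meta>[^\]]*)\]\s*$")

# Assumed heuristic: path fragments that mark a temp or user-profile location,
# where legitimate services and drivers normally do not live.
PROFILE_MARKERS = (
    "\\temp\\", "\\locals~1\\", "\\local settings\\",
    "\\docume~1\\", "\\documents and settings\\",
)


@dataclass
class ServiceEntry:
    state: str                    # "R" running or "S" stopped
    start_type: int               # 0 boot, 1 system, 2 automatic, 3 manual
    name: str
    display: str
    path: str                     # path as registered
    resolved_path: Optional[str]  # path after "-->", when DDS printed one
    file_found: bool              # False when the entry ends in "[?]"
    size: Optional[int]           # size from "[date size]", if present
    flags: List[str] = field(default_factory=list)


def triage_flags(entry: ServiceEntry) -> List[str]:
    """Heuristic flags (assumptions for illustration), in a fixed order."""
    flags = []
    if not entry.file_found:
        flags.append("file-not-found")
    target = (entry.resolved_path or entry.path).lower()
    if any(marker in target for marker in PROFILE_MARKERS):
        flags.append("temp-or-profile-path")
    return flags


def parse_service_line(line: str) -> Optional[ServiceEntry]:
    """Parse one SERVICES / DRIVERS line; return None for other lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    mm = META_RE.match(rest)
    body, meta = (mm.group("body"), mm.group("meta").strip()) if mm else (rest, "")
    if " --> " in body:
        path, resolved = body.split(" --> ", 1)
    else:
        path, resolved = body, None
    file_found = meta != "?"
    size = None
    if file_found:
        parts = meta.split()
        if len(parts) == 2 and parts[1].isdigit():
            size = int(parts[1])
    entry = ServiceEntry(
        state=m.group("state"), start_type=int(m.group("start")),
        name=m.group("name"), display=m.group("display"),
        path=path, resolved_path=resolved, file_found=file_found, size=size,
    )
    entry.flags = triage_flags(entry)
    return entry


def parse_services_section(text: str) -> List[ServiceEntry]:
    """Parse every service/driver line in a block of DDS output."""
    entries = (parse_service_line(line) for line in text.splitlines())
    return [e for e in entries if e is not None]


def suspicious_entries(text: str) -> List[ServiceEntry]:
    """Entries carrying at least one triage flag, in log order."""
    return [e for e in parse_services_section(text) if e.flags]


if __name__ == "__main__":
    for e in suspicious_entries(SAMPLE_SERVICES):
        print(f"{e.state}{e.start_type} {e.name:<10} {e.resolved_path or e.path}  flags={e.flags}")
```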


#7 EmyNL

EmyNL
  • Topic Starter

  • Members
  • 15 posts

Posted 05 March 2009 - 08:20 AM

Hi Blade

Thank you for your response.

I downloaded ComboFix and read everything I needed to use it.

The program started fine. I got no question about the Recovery Console. It is already installed on this computer.
The program started... I waited almost an hour, but nothing happened. I had to use the on/off switch to restart the computer. I didn't find a log file.

Emy

#8 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 05 March 2009 - 11:38 AM

Hi

Please post a fresh DDS.txt log. I'll see if ComboFix removed anything or not :thumbup2:



#9 EmyNL

EmyNL
  • Topic Starter

  • Members
  • 15 posts

Posted 06 March 2009 - 04:54 AM

Good morning Blade

I think you are a real movie lover. That's nice.


Thanks for your response.

A brand new DDS log


DDS (Ver_09-02-01.01) - NTFSx86
Run by nel at 10:35:22.60 on 2009-03-06
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1043.18.511.168 [GMT 1:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\GFI\FAXmaker Client\fmstart.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Advanced SystemCare 3\AWC.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\nel\Bureaublad\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.nl/
mStart Page = hxxp://www.msn.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: Adobe PDF Reader Help bij koppelingen: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: WormRadar.com IESiteBlocker.NavFilter: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - AVG Safe Search
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - No File
BHO: {DBC80044-A445-435b-BC74-9C25C1C588A9} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {31CF9EBE-5755-4A1D-AC25-2834D952D9B4} - No File
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [Advanced SystemCare 3] "c:\program files\advanced systemcare 3\AWC.exe" /startup
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [FMStart] "c:\program files\gfi\faxmaker client\fmstart.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\menust~1\progra~1\opstar~1\hpoddt~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpotdd01.exe
mPolicies-explorer: NoPopUpsOnBoot = 1 (0x1)
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scan8/oscan8.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1234781125218
DPF: {6CCE3920-3183-4B3D-808A-B12EB769DE12} - hxxp://www.commandondemand.com/eval/cod/cabs/cssweb.cab
DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} - hxxp://alexion.2circle.it/msrdp.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7}
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: {966D5E12-AF5A-4290-8437-ECA52CFE49C0} = 213.51.144.37,213.51.129.37
Notify: NavLogon - c:\windows\system32\NavLogon.dll
Notify: PCANotify - PCANotify.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - No File

============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-1-8 28544]
R1 AW_HOST;AW_HOST;c:\windows\system32\drivers\AW_HOST5.sys [2001-10-22 33496]
R1 awlegacy;awlegacy;c:\windows\system32\drivers\AWLEGACY.sys [2000-9-11 10816]
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2004-2-9 301200]
R2 awhost32;pcAnywhere Host Service;c:\program files\symantec\pcanywhere\awhost32.exe [2001-11-2 114749]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2004-12-10 255600]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2004-12-10 243312]
R2 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2004-2-9 37008]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2004-12-30 1107784]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090305.002\naveng.sys [2009-3-5 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090305.002\navex15.sys [2009-3-5 876144]
S1 SASDIFSV;SASDIFSV;\??\c:\program files\superantispyware\sasdifsv.sys --> c:\program files\superantispyware\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\superantispyware\saskutil.sys --> c:\program files\superantispyware\SASKUTIL.sys [?]
S1 vcdrom;Virtual CD-ROM Device Driver;\??\c:\program files\vdn\vcdrom.sys --> c:\program files\vdn\VCdRom.sys [?]
S3 ASNDIS5;ASNDIS5 Protocol Driver;c:\windows\system32\ASNDIS5.sys [2005-11-6 16269]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2004-12-10 87664]
S3 CW50;CW50 Device;c:\windows\system32\drivers\cw50.sys --> c:\windows\system32\drivers\CW50.sys [?]
S3 M;M;c:\docume~1\nel\locals~1\temp\m.exe --> c:\docume~1\nel\locals~1\temp\M.exe [?]
S3 SASENUM;SASENUM;\??\c:\program files\superantispyware\sasenum.sys --> c:\program files\superantispyware\SASENUM.SYS [?]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2004-12-30 153416]

============== File Associations ===============

txtfile=c:\windows\NOTEPAD.EXE %1

=============== Created Last 30 ================

2009-03-05 13:09 399,872 a------- c:\windows\system32\CF5454.exe
2009-03-05 13:09 <DIR> --d----- C:\ComboFix
2009-03-03 14:05 188,831 a------- C:\59076736.TMP
2009-03-03 14:05 8,192 a------- C:\59077077.TMP
2009-03-03 14:05 2,048 a------- C:\59076738.TMP
2009-02-14 00:32 <DIR> --d-hr-- c:\documents and settings\nel\Onlangs geopend
2009-02-13 17:53 <DIR> --d----- C:\toev
2009-02-12 11:58 <DIR> --d----- c:\docume~1\nel\applic~1\Belastingdienst
2009-02-11 15:02 <DIR> --d----- c:\program files\Advanced SystemCare 3
2009-02-10 11:47 <DIR> --d----- c:\program files\CCleaner

==================== Find3M ====================

2009-02-10 18:39 717,296 a------- c:\windows\system32\drivers\sptd.sys
2009-01-09 19:46 399,872 a------- c:\windows\system32\CF31638.exe
2009-01-09 19:46 399,872 a------- c:\windows\system32\CF31632.exe
2009-01-08 13:48 6,616 a------- c:\windows\system32\d3d9caps.dat
2009-01-08 12:19 52,232 a------- c:\windows\system32\drivers\REGSYS701.SYS
2009-01-07 21:38 410,984 a------- c:\windows\system32\deploytk.dll
2009-01-02 20:32 179,003 a------- c:\windows\doc2txt.exe
2008-12-18 16:16 444,960 a------- c:\windows\system32\perfh013.dat
2008-12-18 16:16 70,426 a------- c:\windows\system32\perfc013.dat
2008-12-18 15:48 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-10-22 12:27 32 a------- c:\docume~1\alluse~1\applic~1\ezsid.dat
2008-05-22 22:35 47,360 a------- c:\docume~1\nel\applic~1\pcouffin.sys
2008-03-27 16:45 14,960 a------- c:\program files\settings.dat
2007-09-29 18:26 50,688 a------- c:\program files\ATF-Cleaner.exe

============= FINISH: 10:35:44.54 ===============

Thanks in advance.

Have a nice day.
Emy ( grandma)

#10 Blade81 (Bleepin' Rocker, Malware Response Team, 6,465 posts, Finland)

Posted 06 March 2009 - 12:31 PM

Hi again :thumbup2:


Let's try following way.


A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2
Link 3

--------------------------------------------------------------------

Make sure Symantec Antivirus is disabled and then double click on Combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a fresh dds.txt log so we can continue cleaning the system.
Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.



If ComboFix still doesn't work right, then try running it in safe mode.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006
unite_blue.png

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.


#11 EmyNL (Topic Starter, Members, 15 posts)

Posted 11 March 2009 - 06:15 AM

Hello

I turned off Symantec before using ComboFix. Don't ask me how I did it finally.

Here is the result


ComboFix 09-03-10.02 - nel 2009-03-11 11:54:20.12 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1043.18.511.208 [GMT 1:00]
Gestart vanuit: c:\documents and settings\nel\Bureaublad\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated)
* Nieuw herstelpunt werd aangemaakt
.

(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Voorgaande Run -------
.
c:\windows\system32\Agent.OMZ.Fix.exe

.
(((((((((((((((((((( Bestanden Gemaakt van 2009-02-11 to 2009-03-11 ))))))))))))))))))))))))))))))
.

2009-03-10 13:56 . 2009-03-10 13:56 0 --a------ c:\windows\VPC32.oud.INI
2009-03-10 12:53 . 2009-03-10 12:53 <DIR> d--h----- c:\windows\system32\GroupPolicy
2009-03-03 14:05 . 2009-03-03 14:05 188,831 --a------ C:\59076736.TMP
2009-03-03 14:05 . 2009-03-03 14:05 8,192 --a------ C:\59077077.TMP
2009-03-03 14:05 . 2009-03-03 14:05 2,048 --a------ C:\59076738.TMP
2009-02-25 15:08 . 2009-02-25 15:08 1,374 --a------ c:\windows\imsins.BAK
2009-02-14 00:32 . 2009-03-10 13:55 <DIR> dr-h----- c:\documents and settings\nel\Onlangs geopend
2009-02-13 17:53 . 2009-02-13 17:59 <DIR> d-------- C:\toev
2009-02-12 11:58 . 2009-03-05 14:54 <DIR> d-------- c:\documents and settings\nel\Application Data\Belastingdienst
2009-02-11 15:02 . 2009-03-11 11:51 <DIR> d-------- c:\program files\Advanced SystemCare 3

.
((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-11 10:48 --------- d-----w c:\program files\Symantec AntiVirus
2009-03-11 10:44 --------- d-----w c:\program files\Symantec
2009-03-06 15:16 --------- d-----w c:\documents and settings\nel\Application Data\Vso
2009-02-16 10:38 --------- d-----w c:\documents and settings\All Users\Application Data\Skype
2009-02-16 10:11 --------- d-----w c:\program files\eMule
2009-02-10 17:39 717,296 ----a-w c:\windows\system32\drivers\sptd.sys
2009-02-10 10:47 --------- d-----w c:\program files\CCleaner
2009-02-02 17:23 --------- d-----w c:\program files\Google
2009-02-02 14:28 --------- d-----w c:\program files\Java
2009-02-02 14:19 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-29 11:57 --------- d-----w c:\documents and settings\nel\Application Data\skypePM
2009-01-29 11:57 --------- d-----w c:\documents and settings\nel\Application Data\Skype
2009-01-29 11:17 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-28 23:02 --------- d-----w c:\program files\PowerMenu
2009-01-28 22:51 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-01-28 22:41 --------- d-----w c:\documents and settings\nel\Application Data\IObit
2009-01-07 20:38 410,984 ----a-w c:\windows\system32\deploytk.dll
2009-01-02 19:32 179,003 ----a-w c:\windows\doc2txt.exe
2008-10-22 11:27 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2008-05-22 21:35 47,360 ----a-w c:\documents and settings\nel\Application Data\pcouffin.sys
2008-03-27 15:45 14,960 ----a-w c:\program files\settings.dat
2007-09-29 17:26 50,688 ----a-w c:\program files\ATF-Cleaner.exe
.

((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-31 68856]
"Advanced SystemCare 3"="c:\program files\Advanced SystemCare 3\AWC.exe" [2009-01-09 2262352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-12-10 67184]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2009-03-10 120640]
"FMStart"="c:\program files\GFI\FAXmaker Client\fmstart.exe" [2000-05-10 56832]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-10-10 7286784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Menu Start\Programma's\Opstarten\
hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-04-09 28672]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoPopUpsOnBoot"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
2002-02-15 10:51 24638 c:\windows\system32\PCANotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3fhg"= mp3fhg.acm
"VIDC.X264"= x264vfw.dll
"VIDC.HFYU"= huffyuv.dll
"vidc.i263"= i263_32.drv
"msacm.divxa32"= divxa32.acm
"vidc.CDVC"= cdvccodc.dll
"vidc.dvsd"= hldvsd.dll
"vidc.cmic"= cmiccodc.dll
"vidc.CDVH"= cdvhcodc.dll
"vidc.CUVC"= cuvccodc.dll
"vidc.CLLC"= cllccodc.dll
"vidc.CDV5"= cdv5codc.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"\\\\nt02\\nel\\DVDprog\\Programs\\RadLight 4.0\\rlkernel.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-01-08 28544]
S1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS --> c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
S1 vcdrom;Virtual CD-ROM Device Driver;\??\c:\program files\VDN\VCdRom.sys --> c:\program files\VDN\VCdRom.sys [?]
S3 ASNDIS5;ASNDIS5 Protocol Driver;c:\windows\system32\ASNDIS5.sys [2005-11-06 16269]
S3 CW50;CW50 Device;c:\windows\system32\DRIVERS\CW50.sys --> c:\windows\system32\DRIVERS\CW50.sys [?]
S3 M;M;c:\docume~1\nel\LOCALS~1\Temp\M.exe --> c:\docume~1\nel\LOCALS~1\Temp\M.exe [?]
S3 SASENUM;SASENUM;\??\c:\program files\SUPERAntiSpyware\SASENUM.SYS --> c:\program files\SUPERAntiSpyware\SASENUM.SYS [?]
S3 SavRoam;SAVRoam;"c:\program files\Symantec AntiVirus\SavRoam.exe" --> c:\program files\Symantec AntiVirus\SavRoam.exe [?]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0c78e127-8255-11dd-8473-0011d8a4fc4f}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
Inhoud van de 'Gedeelde Taken' map

2009-03-03 c:\windows\Tasks\Pareto UNS.job
- c:\program files\Common Files\ParetoLogic\UUS\UUS.dll\Pareto_Update.exe []
.
- - - - ORPHANS VERWIJDERD - - - -

ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - (no file)


.
------- Bijkomende Scan -------
.
uStart Page = hxxp://www.google.nl/
mStart Page = hxxp://www.msn.com
TCP: {966D5E12-AF5A-4290-8437-ECA52CFE49C0} = 213.51.144.37,213.51.129.37
DPF: {6CCE3920-3183-4B3D-808A-B12EB769DE12} - hxxp://www.commandondemand.com/eval/cod/cabs/cssweb.cab
.
.
------- Bestandsassociaties -------
.
txtfile=c:\windows\NOTEPAD.EXE %1
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-11 11:56:14
Windows 5.1.2600 Service Pack 3 NTFS

scannen van verborgen processen ...

scannen van verborgen autostart items ...

scannen van verborgen bestanden ...

Scan succesvol afgerond
verborgen bestanden: 0

**************************************************************************
.
--------------------- VERGRENDELDE REGISTER SLEUTELS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\ؕ||9~*]
"3140110900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"
.
Voltooingstijd: 2009-03-11 11:57:58
ComboFix-quarantined-files.txt 2009-03-11 10:57:36

Pre-Run: 163,827,191,808 bytes beschikbaar
Post-Run: 163,822,219,264 bytes beschikbaar

Current=5 Default=5 Failed=3 LastKnownGood=6 Sets=1,2,3,4,5,6
149 --- E O F --- 2009-02-25 14:08:26


Thank you.

Emy
:thumbup2:

#12 Blade81 (Bleepin' Rocker, Malware Response Team, 6,465 posts, Finland)

Posted 11 March 2009 - 10:37 AM

Good. Now we continue :thumbup2:


Open notepad and copy/paste the text in the quotebox below into it:

Driver::
M

File::
C:\59076736.TMP
C:\59077077.TMP
C:\59076738.TMP
c:\docume~1\nel\LOCALS~1\Temp\M.exe

DDS::
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - No File
BHO: {DBC80044-A445-435b-BC74-9C25C1C588A9} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {31CF9EBE-5755-4A1D-AC25-2834D952D9B4} - No File
SEH: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - No File

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoPopUpsOnBoot"=-

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=-

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=-


Save this as CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe.
Then post the resultant log.


ComboFix should never take more than 20 minutes, including the reboot if malware is detected.
If it does, open Task Manager, then the Processes tab (press Ctrl, Alt and Del at the same time) and end any processes of findstr, find, sed or swreg; then ComboFix should continue.
If that happened we want to know, and also what process you had to end.


Uninstall old Adobe Reader versions and get the latest one here, or get Foxit Reader here. Make sure you don't install the toolbar if you choose Foxit Reader!



Download ATF (Atribune Temp File) Cleaner by Atribune to your desktop.

Double-click ATF-Cleaner.exe to open it.

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache

*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Please run an online scan with Kaspersky Online Scanner as instructed in the screenshot here. If you get a message that latest Java must be installed "enable" the Java add-ons in IE7. Do that using "manage add-ons" from the IE7 toolbar.


Post back its report, a fresh dds.txt log and the above-mentioned ComboFix resultant log.

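The findings Blade81 acted on in the post above (the "M" service launched from the user's Temp folder, and the Security Center values that silence antivirus monitoring) can be pulled out of the DDS and ComboFix text mechanically. The Python below is an added example, not a BleepingComputer, DDS or ComboFix tool: it scans constructed excerpts of the logs in this thread and renders the matching CFScript stanzas in the Driver:: / File:: / Registry:: format used in the post. FirewallDisableNotify and UpdatesDisableNotify are assumed sibling values of the same XP Security Center key; they do not appear in this log.

```python
"""Triage helper for DDS / ComboFix log text (constructed example, not a forum or ComboFix tool)."""
import re
from dataclasses import dataclass

# DDS service line: "<state> <name>;<display name>;<image path and status>"
SERVICE_RE = re.compile(
    r"^(?P<state>R\d|S\d|RUnknown)\s+(?P<name>[^;]*);(?P<display>[^;]*);(?P<rest>.*)$"
)
# A user-profile Temp folder in either 8.3 (LOCALS~1\Temp) or long form.
TEMP_DIR_RE = re.compile(r"\\(locals~1|local settings)\\temp\\", re.IGNORECASE)
REG_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
REG_DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{8})$')
# Security Center values that, set to 1, hide the "antivirus off" style warnings.
# AntiVirusDisableNotify and DisableMonitoring are in the thread's log; the other two
# are assumed sibling values of the same XP key (not present in this log).
SECURITY_CENTER_VALUES = {
    "AntiVirusDisableNotify", "FirewallDisableNotify",
    "UpdatesDisableNotify", "DisableMonitoring",
}


@dataclass(frozen=True)
class ServiceFinding:
    name: str
    path: str
    reason: str


def parse_service_line(line):
    """Return (name, resolved image path, state) for a DDS service line, else None."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    # DDS prints "<imagepath> --> <resolved path> [date size]" or "[?]" / "[x]";
    # keep the resolved path and drop the trailing bracketed status.
    path = m.group("rest").split(" --> ")[-1]
    path = re.sub(r"\s*\[[^\]]*\]\s*$", "", path).strip().strip('"')
    if path.startswith("\\??\\"):
        path = path[4:]
    return m.group("name"), path, m.group("state")


def suspicious_services(log_text):
    """Flag services whose binary lives in a Temp folder, or running ones with no path.
    A bare "[?]" is NOT a signal on its own: legitimate drivers (e.g. the SUPERAntiSpyware
    ones in this log) show it too."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_service_line(line)
        if parsed is None:
            continue
        name, path, state = parsed
        if TEMP_DIR_RE.search(path):
            findings.append(ServiceFinding(name, path, "binary in a user Temp folder"))
        elif state == "RUnknown" and not path:
            findings.append(ServiceFinding(name, path, "running, no image path (review)"))
    return findings


def disabled_security_center_values(reg_dump):
    """Return (key, value name) pairs for Security Center values set to 1 in a REGEDIT4 dump."""
    hits, current_key = [], None
    for line in reg_dump.splitlines():
        line = line.strip()
        km = REG_KEY_RE.match(line)
        if km:
            current_key = km.group("key")
            continue
        vm = REG_DWORD_RE.match(line)
        if vm and current_key and "security center" in current_key.lower():
            if vm.group("name") in SECURITY_CENTER_VALUES and int(vm.group("hex"), 16) == 1:
                hits.append((current_key, vm.group("name")))
    return hits


def build_cfscript(services, registry_hits):
    """Render Driver:: / File:: / Registry:: stanzas; only Temp-folder services get removal lines."""
    lines = []
    removable = [s for s in services if s.path]
    if removable:
        lines += ["Driver::"] + [s.name for s in removable] + [""]
        lines += ["File::"] + [s.path for s in removable] + [""]
    if registry_hits:
        lines.append("Registry::")
        for key in dict.fromkeys(k for k, _ in registry_hits):   # preserve first-seen order
            lines.append(f"[{key}]")
            lines += [f'"{name}"=-' for k, name in registry_hits if k == key]
            lines.append("")
    return "\n".join(lines).rstrip("\n")


# Constructed excerpts of the DDS and ComboFix output posted in this thread.
SAMPLE_DDS = r"""
S1 SASDIFSV;SASDIFSV;\??\c:\program files\superantispyware\sasdifsv.sys --> c:\program files\superantispyware\SASDIFSV.SYS [?]
S3 M;M;c:\docume~1\nel\locals~1\temp\m.exe --> c:\docume~1\nel\locals~1\temp\M.exe [?]
RUnknown is-GRFT0drv;is-GRFT0drv; [x]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2004-12-10 255600]
"""
SAMPLE_COMBOFIX_REG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoPopUpsOnBoot"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
"""

if __name__ == "__main__":
    print(build_cfscript(suspicious_services(SAMPLE_DDS),
                         disabled_security_center_values(SAMPLE_COMBOFIX_REG)))
```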


#13 EmyNL (Topic Starter, Members, 15 posts)

Posted 12 March 2009 - 09:34 PM

Hello :thumbup2:

Thanks for your reply.

A lot of stuff this time.

ComboFix log:

ComboFix 09-03-10.03 - nel 2009-03-12 17:33:58.13 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1043.18.511.240 [GMT 1:00]
Gestart vanuit: c:\documents and settings\nel\Bureaublad\ComboFix.exe
gebruikte Opdracht switches :: c:\documents and settings\nel\Bureaublad\CFscript.txt
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated)
* Nieuw herstelpunt werd aangemaakt

FILE ::
C:\59076736.TMP
C:\59076738.TMP
C:\59077077.TMP
c:\docume~1\nel\LOCALS~1\Temp\M.exe
.

(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\59076736.TMP
C:\59076738.TMP
C:\59077077.TMP

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_M
-------\Service_?


(((((((((((((((((((( Bestanden Gemaakt van 2009-02-12 to 2009-03-12 ))))))))))))))))))))))))))))))
.

2009-03-10 13:56 . 2009-03-10 13:56 0 --a------ c:\windows\VPC32.oud.INI
2009-03-10 12:53 . 2009-03-10 12:53 <DIR> d--h----- c:\windows\system32\GroupPolicy
2009-02-25 15:08 . 2009-03-12 13:10 1,374 --a------ c:\windows\imsins.BAK
2009-02-14 00:32 . 2009-03-12 17:30 <DIR> dr-h----- c:\documents and settings\nel\Onlangs geopend
2009-02-13 17:53 . 2009-02-13 17:59 <DIR> d-------- C:\toev
2009-02-12 11:58 . 2009-03-05 14:54 <DIR> d-------- c:\documents and settings\nel\Application Data\Belastingdienst

.
((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-12 16:39 --------- d-----w c:\program files\Advanced SystemCare 3
2009-03-12 14:51 --------- d-----w c:\program files\Symantec AntiVirus
2009-03-12 12:09 --------- d-----w c:\program files\Symantec
2009-03-06 15:16 --------- d-----w c:\documents and settings\nel\Application Data\Vso
2009-02-16 10:38 --------- d-----w c:\documents and settings\All Users\Application Data\Skype
2009-02-16 10:11 --------- d-----w c:\program files\eMule
2009-02-10 17:39 717,296 ----a-w c:\windows\system32\drivers\sptd.sys
2009-02-10 10:47 --------- d-----w c:\program files\CCleaner
2009-02-02 17:23 --------- d-----w c:\program files\Google
2009-02-02 14:28 --------- d-----w c:\program files\Java
2009-02-02 14:19 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-29 11:57 --------- d-----w c:\documents and settings\nel\Application Data\skypePM
2009-01-29 11:57 --------- d-----w c:\documents and settings\nel\Application Data\Skype
2009-01-29 11:17 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-28 23:02 --------- d-----w c:\program files\PowerMenu
2009-01-28 22:51 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-01-28 22:41 --------- d-----w c:\documents and settings\nel\Application Data\IObit
2009-01-02 19:32 179,003 ----a-w c:\windows\doc2txt.exe
2008-10-22 11:27 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2008-05-22 21:35 47,360 ----a-w c:\documents and settings\nel\Application Data\pcouffin.sys
2008-03-27 15:45 14,960 ----a-w c:\program files\settings.dat
2007-09-29 17:26 50,688 ----a-w c:\program files\ATF-Cleaner.exe
.

((((((((((((((((((((((((((((( SnapShot@2009-03-11_11.56.36.59 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-02-09 14:02:14 1,847,680 ----a-w c:\windows\$hf_mig$\KB958690\SP3QFE\win32k.sys
+ 2008-07-09 07:44:08 18,808 ----a-w c:\windows\$hf_mig$\KB958690\spmsg.dll
+ 2008-07-09 07:44:09 234,872 ----a-w c:\windows\$hf_mig$\KB958690\spuninst.exe
+ 2008-07-09 07:44:08 26,488 ----a-w c:\windows\$hf_mig$\KB958690\update\spcustom.dll
+ 2008-07-09 07:44:11 765,304 ----a-w c:\windows\$hf_mig$\KB958690\update\update.exe
+ 2008-07-09 07:44:19 401,272 ----a-w c:\windows\$hf_mig$\KB958690\update\updspapi.dll
+ 2008-12-05 07:00:52 144,896 ----a-w c:\windows\$hf_mig$\KB960225\SP3QFE\schannel.dll
+ 2007-11-30 11:19:43 18,808 ----a-w c:\windows\$hf_mig$\KB960225\spmsg.dll
+ 2007-11-30 11:19:43 234,872 ----a-w c:\windows\$hf_mig$\KB960225\spuninst.exe
+ 2007-11-30 11:19:43 26,488 ----a-w c:\windows\$hf_mig$\KB960225\update\spcustom.dll
+ 2007-11-30 12:39:46 765,304 ----a-w c:\windows\$hf_mig$\KB960225\update\update.exe
+ 2007-11-30 12:39:47 401,272 ----a-w c:\windows\$hf_mig$\KB960225\update\updspapi.dll
- 2000-08-31 07:00:00 163,328 ----a-w c:\windows\erdnt\subs\ERDNT.EXE
+ 2005-10-20 19:02:28 163,328 ----a-w c:\windows\erdnt\subs\ERDNT.EXE
+ 2008-12-05 06:58:53 144,896 -c----w c:\windows\system32\dllcache\schannel.dll
- 2008-09-15 15:28:42 1,846,528 -c----w c:\windows\system32\dllcache\win32k.sys
+ 2009-02-09 14:08:47 1,846,912 -c----w c:\windows\system32\dllcache\win32k.sys
- 2007-06-11 21:51:12 10,834,944 -c--a-w c:\windows\system32\dllcache\wmp.dll
+ 2008-11-11 17:34:42 10,838,016 -c--a-w c:\windows\system32\dllcache\wmp.dll
- 2009-01-09 10:28:27 227,208 ----a-w c:\windows\system32\FNTCACHE.DAT
+ 2009-03-12 12:17:11 227,208 ----a-w c:\windows\system32\FNTCACHE.DAT
- 2008-04-14 17:02:39 144,384 ----a-w c:\windows\system32\schannel.dll
+ 2008-12-05 06:58:53 144,896 ----a-w c:\windows\system32\schannel.dll
- 2008-07-09 07:44:08 18,808 ------w c:\windows\system32\spmsg.dll
+ 2007-11-30 11:19:43 18,808 ------w c:\windows\system32\spmsg.dll
- 2007-08-10 18:52:04 26,488 ----a-w c:\windows\system32\spupdsvc.exe
+ 2007-07-27 08:41:38 26,488 ----a-w c:\windows\system32\spupdsvc.exe
- 2008-09-15 15:28:42 1,846,528 ----a-w c:\windows\system32\win32k.sys
+ 2009-02-09 14:08:47 1,846,912 ----a-w c:\windows\system32\win32k.sys
- 2007-06-11 21:51:12 10,834,944 ----a-w c:\windows\system32\wmp.dll
+ 2008-11-11 17:34:42 10,838,016 ----a-w c:\windows\system32\wmp.dll
+ 2009-03-12 16:38:00 16,384 ----atw c:\windows\temp\Perflib_Perfdata_2d0.dat
+ 2008-04-15 17:51:53 1,724,416 ----a-w c:\windows\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.5581_x-ww_dfbc4fc4\GdiPlus.dll
.
-- Snapshot teruggezet naar huidige datum --
.
((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-31 68856]
"Advanced SystemCare 3"="c:\program files\Advanced SystemCare 3\AWC.exe" [2009-01-09 2262352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-12-10 67184]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2009-03-10 120640]
"FMStart"="c:\program files\GFI\FAXmaker Client\fmstart.exe" [2000-05-10 56832]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-10-10 7286784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Menu Start\Programma's\Opstarten\
hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-04-09 28672]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
2002-02-15 10:51 24638 c:\windows\system32\PCANotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3fhg"= mp3fhg.acm
"VIDC.X264"= x264vfw.dll
"VIDC.HFYU"= huffyuv.dll
"vidc.i263"= i263_32.drv
"msacm.divxa32"= divxa32.acm
"vidc.CDVC"= cdvccodc.dll
"vidc.dvsd"= hldvsd.dll
"vidc.cmic"= cmiccodc.dll
"vidc.CDVH"= cdvhcodc.dll
"vidc.CUVC"= cuvccodc.dll
"vidc.CLLC"= cllccodc.dll
"vidc.CDV5"= cdv5codc.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"\\\\nt02\\nel\\DVDprog\\Programs\\RadLight 4.0\\rlkernel.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-01-08 28544]
S1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS --> c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
S1 vcdrom;Virtual CD-ROM Device Driver;\??\c:\program files\VDN\VCdRom.sys --> c:\program files\VDN\VCdRom.sys [?]
S3 ASNDIS5;ASNDIS5 Protocol Driver;c:\windows\system32\ASNDIS5.sys [2005-11-06 16269]
S3 CW50;CW50 Device;c:\windows\system32\DRIVERS\CW50.sys --> c:\windows\system32\DRIVERS\CW50.sys [?]
S3 M;M;c:\docume~1\nel\LOCALS~1\Temp\M.exe --> c:\docume~1\nel\LOCALS~1\Temp\M.exe [?]
S3 SASENUM;SASENUM;\??\c:\program files\SUPERAntiSpyware\SASENUM.SYS --> c:\program files\SUPERAntiSpyware\SASENUM.SYS [?]
S3 SavRoam;SAVRoam;"c:\program files\Symantec AntiVirus\SavRoam.exe" --> c:\program files\Symantec AntiVirus\SavRoam.exe [?]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0c78e127-8255-11dd-8473-0011d8a4fc4f}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
Inhoud van de 'Gedeelde Taken' map

2009-03-03 c:\windows\Tasks\Pareto UNS.job
- c:\program files\Common Files\ParetoLogic\UUS\UUS.dll\Pareto_Update.exe []
.
.
------- Bijkomende Scan -------
.
uStart Page = hxxp://www.google.nl/
mStart Page = hxxp://www.msn.com
TCP: {966D5E12-AF5A-4290-8437-ECA52CFE49C0} = 213.51.144.37,213.51.129.37
DPF: {6CCE3920-3183-4B3D-808A-B12EB769DE12} - hxxp://www.commandondemand.com/eval/cod/cabs/cssweb.cab
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-12 17:41:04
Windows 5.1.2600 Service Pack 3 NTFS

scannen van verborgen processen ...

scannen van verborgen autostart items ...

scannen van verborgen bestanden ...

Scan succesvol afgerond
verborgen bestanden: 0

**************************************************************************
.
--------------------- VERGRENDELDE REGISTER SLEUTELS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\ؕ||9~*]
"3140110900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"
.
------------------------ Andere Aktieve Processen ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Symantec\pcAnywhere\awhost32.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Voltooingstijd: 2009-03-12 17:42:51 - machine werd herstart
ComboFix-quarantined-files.txt 2009-03-12 16:42:48
ComboFix2.txt 2009-03-11 10:57:59

Pre-Run: 163.701.321.728 bytes beschikbaar
Post-Run: 163,696,267,264 bytes beschikbaar

Current=5 Default=5 Failed=3 LastKnownGood=6 Sets=1,2,3,4,5,6
192 --- E O F --- 2009-03-12 12:10:56

============================================================
DDS log:


DDS (Ver_09-02-01.01) - NTFSx86
Run by nel at 2:53:35,60 on vr 13-03-2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.31.1043.18.511.336 [GMT 1:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\GFI\FAXmaker Client\fmstart.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Advanced SystemCare 3\AWC.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Documents and Settings\nel\Bureaublad\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.nl/
mStart Page = hxxp://www.msn.com
BHO: Adobe PDF Reader Help bij koppelingen: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: WormRadar.com IESiteBlocker.NavFilter: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - AVG Safe Search
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [Advanced SystemCare 3] "c:\program files\advanced systemcare 3\AWC.exe" /startup
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [FMStart] "c:\program files\gfi\faxmaker client\fmstart.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\menust~1\progra~1\opstar~1\hpoddt~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpotdd01.exe
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scan8/oscan8.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1234781125218
DPF: {6CCE3920-3183-4B3D-808A-B12EB769DE12} - hxxp://www.commandondemand.com/eval/cod/cabs/cssweb.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} - hxxp://alexion.2circle.it/msrdp.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7}
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: {966D5E12-AF5A-4290-8437-ECA52CFE49C0} = 213.51.144.37,213.51.129.37
Notify: NavLogon - c:\windows\system32\NavLogon.dll
Notify: PCANotify - PCANotify.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-1-8 28544]
R1 AW_HOST;AW_HOST;c:\windows\system32\drivers\AW_HOST5.sys [2001-10-22 33496]
R1 awlegacy;awlegacy;c:\windows\system32\drivers\AWLEGACY.sys [2000-9-11 10816]
R2 awhost32;pcAnywhere Host Service;c:\program files\symantec\pcanywhere\awhost32.exe [2001-11-2 114749]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2004-12-10 255600]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2004-12-10 243312]
RUnknown is-GRFT0drv;is-GRFT0drv; [x]
S1 SASDIFSV;SASDIFSV;\??\c:\program files\superantispyware\sasdifsv.sys --> c:\program files\superantispyware\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\superantispyware\saskutil.sys --> c:\program files\superantispyware\SASKUTIL.sys [?]
S1 SAVRT;SAVRT;\??\c:\program files\symantec antivirus\savrt.sys --> c:\program files\symantec antivirus\savrt.sys [?]
S1 vcdrom;Virtual CD-ROM Device Driver;\??\c:\program files\vdn\vcdrom.sys --> c:\program files\vdn\VCdRom.sys [?]
S2 SAVRTPEL;SAVRTPEL;\??\c:\program files\symantec antivirus\savrtpel.sys --> c:\program files\symantec antivirus\Savrtpel.sys [?]
S2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2009-3-12 1107784]
S3 ASNDIS5;ASNDIS5 Protocol Driver;c:\windows\system32\ASNDIS5.sys [2005-11-6 16269]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2004-12-10 87664]
S3 CW50;CW50 Device;c:\windows\system32\drivers\cw50.sys --> c:\windows\system32\drivers\CW50.sys [?]
S3 M;M;c:\docume~1\nel\locals~1\temp\m.exe --> c:\docume~1\nel\locals~1\temp\M.exe [?]
S3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090311.003\naveng.sys [2009-3-12 89104]
S3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090311.003\navex15.sys [2009-3-12 876144]
S3 SASENUM;SASENUM;\??\c:\program files\superantispyware\sasenum.sys --> c:\program files\superantispyware\SASENUM.SYS [?]
S3 SavRoam;SAVRoam;"c:\program files\symantec antivirus\savroam.exe" --> c:\program files\symantec antivirus\SavRoam.exe [?]

============== File Associations ===============

txtfile=c:\windows\NOTEPAD.EXE %1

=============== Created Last 30 ================

2009-03-13 01:25 1,024,032 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-03-13 01:25 8,396 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-03-12 18:37 73,728 a------- c:\windows\system32\javacpl.cpl
2009-03-12 17:54 <DIR> --d----- c:\docume~1\nel\applic~1\Foxit
2009-03-12 17:53 <DIR> --d----- c:\program files\Foxit Software
2009-03-12 17:33 <DIR> --d----- C:\ComboFix
2009-03-10 13:56 0 a------- c:\windows\VPC32.oud.INI
2009-03-10 12:53 <DIR> --d-h--- c:\windows\system32\GroupPolicy
2009-02-14 00:32 <DIR> --d-hr-- c:\documents and settings\nel\Onlangs geopend
2009-02-13 17:53 <DIR> --d----- C:\toev
2009-02-12 11:58 <DIR> --d----- c:\docume~1\nel\applic~1\Belastingdienst
2009-02-11 15:02 <DIR> --d----- c:\program files\Advanced SystemCare 3

==================== Find3M ====================

2009-03-12 18:36 410,984 a------- c:\windows\system32\deploytk.dll
2009-02-10 18:39 717,296 a------- c:\windows\system32\drivers\sptd.sys
2009-02-09 15:08 1,846,912 a------- c:\windows\system32\win32k.sys
2009-01-08 13:48 6,616 a------- c:\windows\system32\d3d9caps.dat
2009-01-02 20:32 179,003 a------- c:\windows\doc2txt.exe
2008-12-18 16:16 444,960 a------- c:\windows\system32\perfh013.dat
2008-12-18 16:16 70,426 a------- c:\windows\system32\perfc013.dat
2008-12-18 15:48 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-10-22 12:27 32 a------- c:\docume~1\alluse~1\applic~1\ezsid.dat
2008-05-22 22:35 47,360 a------- c:\docume~1\nel\applic~1\pcouffin.sys
2008-03-27 16:45 14,960 a------- c:\program files\settings.dat
2007-09-29 18:26 50,688 a------- c:\program files\ATF-Cleaner.exe

============= FINISH: 2:54:03,21 ===============

=========================================================
The last one was a pain...
Kaspersky was interrupted the first time after 34% (no malware)
The second time after 2%

I thought maybe the Kaspersky removal tool would do the same job. But it only scanned the C drive.. I will try the online scanner tomorrow...
This is the result of the Kaspersky removal tool..
Scan
----
Scanned: 295070
Detected: 1
Untreated: 0
Start time: 13-3-2009 01:32:52
Duration: 01:03:23
Finish time: 13-3-2009 02:36:15


Detected
--------
Status Object
------ ------
not found: virus Heur.Invader (modification) File: C:\Documents and Settings\nel\Bureaublad\ComboFix.exe//PE_Patch.UPX/32788R22FWJFW\catchme.cfexe


Events
------
Time Name Status Reason
---- ---- ------ ------


Statistics
----------
Object Scanned Detected Untreated Deleted Moved to Quarantine Archives Packed files Password protected Corrupted
------ ------- -------- --------- ------- ------------------- -------- ------------ ------------------ ---------


Settings
--------
Parameter Value
--------- -----
Security Level High
Action Prompt for action when the scan is complete
Run mode Manually
File types Scan all files
Scan only new and changed files No
Scan archives All
Scan embedded OLE objects All
Skip if object is larger than No
Skip if scan takes longer than No
Parse email formats Yes
Scan password-protected archives No
Enable iChecker technology Yes
Enable iSwift technology Yes
Show detected threats on "Detected" tab Yes
Rootkits search Yes
Deep rootkits search No
Use heuristic analyzer Yes


Quarantine
----------
Status Object Size Added
------ ------ ---- -----


Backup
------
Status Object Size
------ ------ ----

============================================================
As I said I will try the online scanner from kaspersky again... tomorrow..

DOS is not very difficult for me. So it is possible to download and scan with SAVcli from Sophos and Sysclean from Trend Micro. (I made some batch files to update and run these programs. Could these be helpful????) In the Sophos program I can scan with a lot of options. I didn't use these on this computer. But on the laptop I use one or both almost every day.

You know.. I am a grandma from the DOS era... haha

Hmm... I talk too much. Maybe because it is 3.30 am now... Really need some sleep!!


I think smileys dont work in the middle of the night.


Thank you...
Emy's grandma... you know ... Amy is 2 years and almost 2 months old.... soooooo nice... she doesn't have problems with computers... haha
but this grandma....

BTW I still have to paste the internet addresses in Internet Explorer... and still use Internet Explorer 6.

Have a nice day, evening or night..

Emy's.......grandma

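The SERVICES / DRIVERS block of the DDS log above is where a helper starts triage: which entries run from an odd location, which have no image path at all, which files DDS could not read. The following Python script is an added example, not part of the original post and not part of the DDS tool. It parses lines in that block's format and lists the entries worth a second look. The review rules (image under a temp folder or a user profile, no image path, file DDS could not stat, unknown start type, a very short service name) and the severities are the author's triage assumptions, not a malware verdict; the sample lines are copied from the log above.

```python
r"""Triage helper for the SERVICES / DRIVERS section of a DDS log.

Added example; not part of the original post and not part of DDS.
Entry formats handled (taken from the log above):

    R2 awhost32;pcAnywhere Host Service;c:\...\awhost32.exe [2001-11-2 114749]
    S3 M;M;c:\docume~1\nel\locals~1\temp\m.exe --> c:\...\M.exe [?]
    RUnknown is-GRFT0drv;is-GRFT0drv; [x]

A flagged entry means "look at this", not "delete this": a legitimate
driver that DDS could not read lands here too (assumption: the rules below).
"""
import re
from dataclasses import dataclass, field

# Constructed sample: a subset of the SERVICES / DRIVERS block posted above.
SAMPLE = r"""
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-1-8 28544]
R2 awhost32;pcAnywhere Host Service;c:\program files\symantec\pcanywhere\awhost32.exe [2001-11-2 114749]
RUnknown is-GRFT0drv;is-GRFT0drv; [x]
S1 SASDIFSV;SASDIFSV;\??\c:\program files\superantispyware\sasdifsv.sys --> c:\program files\superantispyware\SASDIFSV.SYS [?]
S3 M;M;c:\docume~1\nel\locals~1\temp\m.exe --> c:\docume~1\nel\locals~1\temp\M.exe [?]
S3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090311.003\naveng.sys [2009-3-12 89104]
"""

LINE_RE = re.compile(r"^(?P<state>[RS])(?P<start>\d|Unknown)\s+(?P<name>[^;]*);(?P<display>[^;]*);(?P<rest>.*)$")
META_RE = re.compile(r"\[(?P<meta>[^\]]*)\]\s*$")          # trailing "[date size]", "[?]" or "[x]"
TEMP_RE = re.compile(r"\\(temp|tmp)\\", re.I)              # any temp folder component
PROFILE_RE = re.compile(r"^c:\\(docume~1|documents and settings)\\", re.I)  # XP user profiles


@dataclass
class ServiceEntry:
    state: str       # R = running, S = stopped
    start: str       # start type digit (0-4) or 'Unknown'
    name: str
    display: str
    path: str        # resolved image path, '' if DDS recorded none
    meta: str        # 'date size', '?' (could not stat) or 'x' (no path)
    reasons: list = field(default_factory=list)
    severity: str = "none"


def parse_entry(line):
    """Parse one DDS service/driver line; returns None for non-matching lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    mm = META_RE.search(rest)
    meta = mm.group("meta").strip() if mm else ""
    path_part = rest[: mm.start()] if mm else rest
    if "-->" in path_part:            # DDS prints "\??\raw --> resolved"; keep the resolved side
        path_part = path_part.split("-->")[-1]
    return ServiceEntry(m.group("state"), m.group("start"), m.group("name"),
                        m.group("display"), path_part.strip(), meta)


def review(entry):
    """Attach review reasons and a severity (author's heuristics); returns the entry."""
    r = entry.reasons
    if entry.meta == "x" or not entry.path:
        r.append("no image path recorded")
    elif entry.meta == "?":
        r.append("DDS could not stat the image (missing or hidden file)")
    if entry.start == "Unknown":
        r.append("unknown start type")
    if entry.path and TEMP_RE.search(entry.path):
        r.append("image lives in a temp folder")
    elif entry.path and PROFILE_RE.match(entry.path):
        r.append("image lives under a user profile")
    if len(entry.name) <= 2:
        r.append("very short service name")
    if "image lives in a temp folder" in r or "no image path recorded" in r:
        entry.severity = "high"
    elif r:
        entry.severity = "low"
    return entry


def parse_services(text):
    """All parsable entries from a SERVICES / DRIVERS block."""
    return [e for e in (parse_entry(line) for line in text.splitlines()) if e]


def triage(text):
    """Only the entries with at least one review reason, worst first."""
    order = {"high": 0, "low": 1}
    flagged = [e for e in (review(e) for e in parse_services(text)) if e.reasons]
    return sorted(flagged, key=lambda e: order[e.severity])


if __name__ == "__main__":
    for e in triage(SAMPLE):
        print(f"[{e.severity}] {e.state}{e.start} {e.name} -> {e.path or '(none)'}: {'; '.join(e.reasons)}")
```

On the sample this lists `is-GRFT0drv` (no image path, unknown start type) and `M` (image under the user's temp folder, one-letter name) as high, and `SASDIFSV` as low; the last is the SUPERAntiSpyware driver from the log that DDS simply could not read, which is exactly why a flag here is a prompt to look, not a verdict.
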
#14 EmyNL (Topic Starter)

Posted 13 March 2009 - 06:57 AM

Hello Blade

I used the online scan again. This time it was not interrupted. :thumbup2:
Here is the report

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Friday, March 13, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, March 13, 2009 09:22:16
Records in database: 1895064
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
G:\
I:\

Scan statistics:
Files scanned: 110845
Threat name: 0
Infected objects: 0
Suspicious objects: 0
Duration of the scan: 01:46:07

No malware has been detected. The scan area is clean.

The selected area was scanned.
-------------------------------------------------------------------------------------
Now I see it didn't scan the H drive...
I will use it again and scan this drive.

I will report within an hour.

many greetings

Emy

#15 EmyNL (Topic Starter)

Posted 13 March 2009 - 08:06 AM

Hello again

Result of the scan of the H drive... Now the scanner found something...

Do I have to erase the file manually?

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Friday, March 13, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, March 13, 2009 12:11:17
Records in database: 1895525
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - Folder:
H:\

Scan statistics:
Files scanned: 9455
Threat name: 1
Infected objects: 1
Suspicious objects: 0
Duration of the scan: 00:30:23


File name / Threat name / Threats count
H:\Talen diverse\Zip- en ov.files\bp2setup.exe Infected: not-a-virus:AdWare.Win32.Aureate 1

The selected area was scanned.

----------

This H drive is a network drive. Could it be possible that the other computers are infected too? One of them is an oldie... with Windows 98.


Now I feel like the following smiley:
:thumbup2:

Thank you!!!!!!!!!!!!!!!

Emy
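
The two Kaspersky Online Scanner 7 reports above make a point worth automating: the "My Computer" run came back clean but never touched H:, and a second run of H: alone found an object, so a clean verdict is only good for the areas a run actually covered. The following Python script is an added example, not part of the original posts and not part of Kaspersky's tooling. It parses the "Scan area", "Scan statistics" and detection lines of this report format, merges the drive roots the runs covered, and names the drives you expected to scan that no run has checked yet. The report text is constructed from the two reports posted above, trimmed to the parts that are parsed; the expected drive list is an assumption taken from the first report plus the H: drive mentioned in the post.

```python
r"""Coverage check for Kaspersky Online Scanner 7 reports.

Added example; not part of the original posts or of Kaspersky's tooling.
Only a scan area that is a whole drive root (e.g. "H:\") counts as drive
coverage; a folder scan is recorded but does not clear the drive (assumption).
"""
import re

# Constructed from the first report above (trimmed to the parsed sections).
REPORT_FULL = r"""KASPERSKY ONLINE SCANNER 7 REPORT
Friday, March 13, 2009
Records in database: 1895064

Scan settings:
Scan using the following database: extended
Scan archives: yes

Scan area - My Computer:
A:\
C:\
D:\
G:\
I:\

Scan statistics:
Files scanned: 110845
Threat name: 0
Infected objects: 0
Suspicious objects: 0
Duration of the scan: 01:46:07

No malware has been detected. The scan area is clean.
"""

# Constructed from the second report above (the H: drive run).
REPORT_H = r"""KASPERSKY ONLINE SCANNER 7 REPORT
Friday, March 13, 2009
Records in database: 1895525

Scan area - Folder:
H:\

Scan statistics:
Files scanned: 9455
Threat name: 1
Infected objects: 1
Suspicious objects: 0
Duration of the scan: 00:30:23


File name / Threat name / Threats count
H:\Talen diverse\Zip- en ov.files\bp2setup.exe Infected: not-a-virus:AdWare.Win32.Aureate 1

The selected area was scanned.
"""

KV_RE = re.compile(r"^(?P<key>[^:]+):\s*(?P<value>.*)$")
DETECTION_RE = re.compile(r"^(?P<path>.+?)\s+(?P<status>Infected|Suspicious):\s+(?P<threat>\S+)\s+(?P<count>\d+)$")
DRIVE_ROOT_RE = re.compile(r"^([A-Za-z]):\\?$")


def _blocks(text):
    """Split a report into blank-line-separated blocks (lists of lines)."""
    out, block = [], []
    for line in text.splitlines():
        if line.strip():
            block.append(line.rstrip())
        elif block:
            out.append(block)
            block = []
    if block:
        out.append(block)
    return out


def parse_report(text):
    """Return areas, statistics, detections and database record count of one report."""
    rep = {"areas": [], "stats": {}, "detections": [], "db_records": None}
    for block in _blocks(text):
        head = block[0]
        if head.startswith("Scan area"):
            rep["areas"] = [line.strip() for line in block[1:]]
        elif head == "Scan statistics:":
            for line in block[1:]:
                m = KV_RE.match(line)
                if m:
                    v = m.group("value")
                    rep["stats"][m.group("key")] = int(v) if v.isdigit() else v
        elif head.startswith("File name / Threat name"):
            for line in block[1:]:
                m = DETECTION_RE.match(line)
                if m:
                    rep["detections"].append({"path": m.group("path"), "status": m.group("status"),
                                              "threat": m.group("threat"), "count": int(m.group("count"))})
        else:
            for line in block:
                m = KV_RE.match(line)
                if m and m.group("key") == "Records in database":
                    rep["db_records"] = int(m.group("value"))
    return rep


def coverage(reports, expected_drives):
    """(drives covered by a whole-drive scan in any report, expected drives never covered)."""
    covered = set()
    for rep in reports:
        for area in rep["areas"]:
            m = DRIVE_ROOT_RE.match(area)
            if m:
                covered.add(m.group(1).upper() + ":")
    return covered, {d.upper() for d in expected_drives} - covered


def all_detections(reports):
    return [d for rep in reports for d in rep["detections"]]


if __name__ == "__main__":
    reports = [parse_report(REPORT_FULL), parse_report(REPORT_H)]
    covered, missing = coverage(reports, ["A:", "C:", "D:", "G:", "H:", "I:"])
    print("covered:", sorted(covered), "never scanned:", sorted(missing))
    for d in all_detections(reports):
        print(f"{d['status']}: {d['path']} -> {d['threat']} x{d['count']}")
```

With only the first report, `coverage` reports H: as never scanned; with both reports the missing set is empty and the one detection on H: is listed. Mapped network drives such as H: are also shared with the other machines on the network, so a hit there says nothing yet about whether those machines are infected; they would each need their own scan.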



