
Virus or Trojan, not sure. vaxasygh.dll blocked by protection software


  • This topic is locked
20 replies to this topic

#1 Garfinator

Garfinator

  • Members
  • 14 posts
  • OFFLINE
  • Local time:10:43 PM

Posted 04 May 2009 - 12:44 PM

Malware came with a large downloaded software file. The install of the software failed; instead, malware was installed, I figure.

A scan with Spyware Terminator found one Trojan, which has been removed.
A scan with Spybot S&D found some stuff, but the following symptoms were still apparent afterwards:

Symptoms:
- Frequent pop-up with ad in Firefox and IE.
- Unable to download Internet items through Firefox, still works though when using IE.
- Computer slows down.
- At very regular intervals (every 1-2 minutes), Spyware Terminator automatically blocked C:\WINDOWS\system32\vaxasygh.dll.
- Previously, Spyware Terminator frequently automatically blocked C:\WINDOWS\system32\gjuuxdhd.dll and C:\WINDOWS\system32\efcBRjJa.dll.

I then did a scan with Ad-Aware, which only deleted 4 tracking cookies and 2 MRU Objects:
- [408990] Browser: Internet Explorer Cookie: C:\Documents and Settings\AVuylsteke\Cookies\index.dat metriweb.be MetriWeb /
- [408813] Browser: Internet Explorer Cookie: C:\Documents and Settings\AVuylsteke\Cookies\index.dat serve.skykingscasino.com IMPRESSION /
- [408990] Browser: Internet Explorer Cookie: C:\Documents and Settings\Administrator\Cookies\index.dat metriweb.be MetriWeb /
- [408950] Browser: Internet Explorer Cookie: C:\Documents and Settings\Administrator\Cookies\index.dat 127.0.0.1 session_id /
- [1] MRU Path: C:\Documents and Settings\AVuylsteke\Onlangs geopend Count: 27
- [3] MRU Registry Key: S-1-5-21-1214440339-2146941213-725345543-1005\Software\Microsoft\Internet Explorer\TypedURLs Count: 2

Since then, I have not had any of the above symptoms anymore except for not being able to download files in Firefox and use the "Browse files..." button.

Still, I have the feeling this malware is still present. Thanks a lot for having a look at my logs, and I'll be happy to provide further information.


DDS (Ver_09-03-16.01) - NTFSx86
Run by AVuylsteke at 19:13:36,89 on ma 04/05/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.31.1043.18.1023.228 [GMT 2:00]


============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Software\a PC mgmt\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Documents and Settings\AVuylsteke\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Software\ PC mgmt\Copernic Desktop Search 2\DesktopSearchService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Software\PC mgmt\Diskeeper Pro\DkService.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Software\ PC mgmt\CDBurnerXP\NMSAccessU.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Software\Barca2\Barca.exe
C:\Program Files\Java\jre6\bin\javaw.exe
C:\Software\Hotmail Popper\hotpop.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Software\ PC mgmt\Mozilla Firefox\firefox.exe
C:\Software\PC mgmt\AdAware2008\aawservice.exe
C:\Software\FeedDemon\FeedDemon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\AVuylsteke\Bureaublad\Clean computer\speedupmypc.exe
C:\DOCUME~1\AVUYLS~1\LOCALS~1\Temp\mia3A5.tmp\speedupmypc2009.exe
C:\DOCUME~1\AVUYLS~1\LOCALS~1\Temp\mia1\DotNetFx35ClientSetup.exe
d:\5145d93f8afe25a4ace9\setup.exe
C:\DOCUME~1\AVUYLS~1\LOCALS~1\Temp\dotnetfx35setup.exe
d:\e55de56f98595f81c26abace9cd0\setup.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\MsiExec.exe
C:\Documents and Settings\AVuylsteke\Bureaublad\Clean computer\dds.scr
C:\WINDOWS\system32\rundll32.exe

============== Pseudo HJT Report ===============

uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
BHO: {1495085d-4411-40c2-a1d4-881b4fbe639a} - c:\windows\system32\efcBRjJa.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\software\ multimedia\rpbrowserrecordplugin.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live Aanmelden - Help: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: {0025859f-c23e-911a-41a4-cf1ec9d422de}: {ed224d9c-e1fc-4a14-a119-e32cf9585200} - c:\windows\system32\pfobro.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\software\a pc mgmt\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: Copernic Desktop Search - Home Toolbar: {4a1c6093-14f9-44d7-860e-5d265cfca9d9} - c:\software\ pc mgmt\copernic desktop search 2\toolbar\ToolbarContainer101000311.dll
TB: {A057A204-BACC-4D26-8287-79A187E26987} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\software\a pc mgmt\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
EB: Copernic Desktop Search - Home Toolbar: {4a1c6093-14f9-44d7-860e-5d265cfca9d9} - c:\software\ pc mgmt\copernic desktop search 2\toolbar\ToolbarContainer101000311.dll
EB: Copernic Desktop Search - Home: {9c3fca1f-99e3-48f2-a7f4-dd3931b2f99a} - c:\software\ pc mgmt\copernic desktop search 2\DeskbandIntegration302000044.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [Google Update] "c:\documents and settings\avuylsteke\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [Copernic Desktop Search - Home] "c:\software\ pc mgmt\copernic desktop search 2\DesktopSearchService.exe" /tray
mRun: [<NO NAME>]
mRun: [Acrobat Assistant 7.0] "c:\software\a pc mgmt\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [QuickTime Task] "c:\software\a multimedia\quicktime\qttask.exe" -atboottime
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SpywareTerminator] "c:\program files\spyware terminator\SpywareTerminatorShield.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
mRun: [988da973] rundll32.exe "c:\windows\system32\vaxasygh.dll",b
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: Convert link target to Adobe PDF - c:\software\a pc mgmt\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\software\a pc mgmt\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\software\a pc mgmt\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\software\a pc mgmt\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\software\a pc mgmt\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\software\a pc mgmt\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\software\a pc mgmt\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\software\a pc mgmt\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: tsinghua.edu.cn\login
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: awtsPGWm - awtsPGWm.dll
Notify: IntelWireless - c:\program files\intel\wireless\bin\LgNotify.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {019a4afe-e751-b6eb-bb94-293b4326bf58}: {85fb6234-b392-49bb-be6b-157eefa4a910} - c:\windows\system32\pfobro.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\efcBRjJa

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\avuyls~1\applic~1\mozilla\firefox\profiles\zgf7b1o5.default\
FF - prefs.js: browser.startup.homepage - hxxps://netlogin.kuleuven.be
FF - component: c:\software\ multimedia\browserrecord\components\nprpbrowserrecordplugin.dll
FF - component: c:\software\ pc mgmt\copernic desktop search 2\firefoxconnector\components\CSPXPCOMBridge.dll
FF - component: c:\software\ pc mgmt\mozilla firefox\components\browserdirprovider.dll
FF - component: c:\software\ pc mgmt\mozilla firefox\components\brwsrcmp.dll
FF - plugin: c:\documents and settings\avuylsteke\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\avuylsteke\local settings\application data\google\update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\software\ multimedia\netscape6\nppl3260.dll
FF - plugin: c:\software\ multimedia\netscape6\nprjplug.dll
FF - plugin: c:\software\ multimedia\netscape6\nprpjplug.dll
FF - plugin: c:\software\ pc mgmt\mozilla firefox\plugins\npdeploytk.dll
FF - plugin: c:\software\ pc mgmt\mozilla firefox\plugins\npnul32.dll
FF - plugin: c:\software\ pc mgmt\mozilla firefox\plugins\nppl3260.dll
FF - plugin: c:\software\ pc mgmt\mozilla firefox\plugins\npqtplugin.dll
FF - plugin: c:\software\ pc mgmt\mozilla firefox\plugins\npqtplugin2.dll
FF - plugin: c:\software\ pc mgmt\mozilla firefox\plugins\npqtplugin3.dll
FF - plugin: c:\software\ pc mgmt\mozilla firefox\plugins\npqtplugin4.dll
FF - plugin: c:\software\ pc mgmt\mozilla firefox\plugins\npqtplugin5.dll
FF - plugin: c:\software\ pc mgmt\mozilla firefox\plugins\npqtplugin6.dll
FF - plugin: c:\software\ pc mgmt\mozilla firefox\plugins\npqtplugin7.dll
FF - plugin: c:\software\ pc mgmt\mozilla firefox\plugins\nprjplug.dll
FF - plugin: c:\software\ pc mgmt\mozilla firefox\plugins\nprpjplug.dll
FF - plugin: c:\software\a multimedia\divx\divx web player\npdivx32.dll
FF - plugin: c:\software\a multimedia\itunes\mozilla plugins\npitunes.dll
FF - plugin: c:\software\a multimedia\quicktime\plugins\npqtplugin.dll
FF - plugin: c:\software\a multimedia\quicktime\plugins\npqtplugin.dll
FF - plugin: c:\software\a multimedia\quicktime\plugins\npqtplugin2.dll
FF - plugin: c:\software\a multimedia\quicktime\plugins\npqtplugin2.dll
FF - plugin: c:\software\a multimedia\quicktime\plugins\npqtplugin3.dll
FF - plugin: c:\software\a multimedia\quicktime\plugins\npqtplugin3.dll
FF - plugin: c:\software\a multimedia\quicktime\plugins\npqtplugin4.dll
FF - plugin: c:\software\a multimedia\quicktime\plugins\npqtplugin4.dll
FF - plugin: c:\software\a multimedia\quicktime\plugins\npqtplugin5.dll
FF - plugin: c:\software\a multimedia\quicktime\plugins\npqtplugin5.dll
FF - plugin: c:\software\a multimedia\quicktime\plugins\npqtplugin6.dll
FF - plugin: c:\software\a multimedia\quicktime\plugins\npqtplugin6.dll
FF - plugin: c:\software\a multimedia\quicktime\plugins\npqtplugin7.dll
FF - plugin: c:\software\a multimedia\quicktime\plugins\npqtplugin7.dll
FF - plugin: c:\software\a multimedia\real\realplayer\netscape6\nppl3260.dll
FF - plugin: c:\software\a multimedia\real\realplayer\netscape6\nprjplug.dll
FF - plugin: c:\software\a multimedia\real\realplayer\netscape6\nprpjplug.dll
FF - plugin: c:\software\a pc mgmt\adobe\acrobat 7.0\acrobat\browser\nppdf32.dll
FF - plugin: c:\software\adobe\reader 8.0\reader\browser\nppdf32.dll

============= SERVICES / DRIVERS ===============

R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [2009-1-29 142592]
R2 aawservice;Lavasoft Ad-Aware Service;c:\software\pc mgmt\adaware2008\aawservice.exe [2008-5-12 611664]
R3 msvad_simple;SoliCall;c:\windows\system32\drivers\solicall.sys [2006-6-10 205312]
S2 spupdsvc;Windows Service Pack Installer update service;c:\windows\system32\spupdsvc.exe [2008-8-30 26488]
S3 cglptnt;cglptnt;c:\software\ pc mgmt\totalcmd\CGLPTNT.SYS [2008-8-30 7888]
S3 s115bus;Sony Ericsson Device 115 driver (WDM);c:\windows\system32\drivers\s115bus.sys [2009-1-8 83208]
S3 s115mdfl;Sony Ericsson Device 115 USB WMC Modem Filter;c:\windows\system32\drivers\s115mdfl.sys [2009-1-8 15112]
S3 s115mdm;Sony Ericsson Device 115 USB WMC Modem Driver;c:\windows\system32\drivers\s115mdm.sys [2009-1-8 108680]
S3 s115mgmt;Sony Ericsson Device 115 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s115mgmt.sys [2009-1-8 100488]
S3 s115obex;Sony Ericsson Device 115 USB WMC OBEX Interface;c:\windows\system32\drivers\s115obex.sys [2009-1-8 98568]

=============== Created Last 30 ================

2009-05-04 18:13 117,760 -------- c:\windows\system32\prntvpt.dll
2009-05-04 18:13 89,088 -c------ c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-05-04 18:13 597,504 -c------ c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-05-04 18:13 575,488 -c------ c:\windows\system32\dllcache\xpsshhdr.dll
2009-05-04 18:13 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-05-04 18:13 1,676,288 -c------ c:\windows\system32\dllcache\xpssvcs.dll
2009-05-04 18:13 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2009-05-04 17:14 <DIR> --d-hr-- C:\AHCache
2009-05-04 16:43 1,425,382 ---sh--- c:\windows\system32\hgysaxav.ini
2009-05-04 16:43 1,398,079 ---sh--- c:\windows\system32\qtaovjfx.ini
2009-05-04 16:43 43,873 a--sh--- c:\windows\system32\aJjRBcfe.ini2
2009-05-04 15:49 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-05-04 15:49 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-05-04 15:28 74,752 a------- c:\windows\system32\vaxasygh.dll
2009-05-04 15:27 11,442 a------- c:\windows\system32\barrwdkx.dll
2009-05-03 21:25 99,328 a------- c:\windows\system32\pfobro.dll
2009-05-03 21:25 99,328 a------- c:\windows\system32\ylicxrdq.dll
2009-05-03 21:22 74,752 -------- c:\windows\system32\xfjvoatq.dll
2009-05-03 19:33 <DIR> --d-hr-- c:\documents and settings\avuylsteke\Onlangs geopend
2009-05-03 18:37 1,908 a------- c:\windows\diagwrn.xml
2009-05-03 18:37 1,908 a------- c:\windows\diagerr.xml
2009-05-03 11:50 <DIR> --d----- c:\docume~1\avuyls~1\applic~1\Canneverbe_Limited
2009-05-02 21:34 38,912 a------- c:\windows\system32\rqRJDWOf.dll
2009-05-02 21:23 99,328 a------- c:\windows\system32\wzbgxm.dll
2009-05-02 21:23 99,328 a------- c:\windows\system32\rqijjnae.dll
2009-05-02 21:20 44,095 a--sh--- c:\windows\system32\aJjRBcfe.ini
2009-05-02 21:20 237,568 a------- c:\windows\system32\efcBRjJa.dll
2009-05-02 21:13 38,912 a------- c:\windows\system32\awtspgwm.dll.ren
2009-05-02 20:46 <DIR> --d----- c:\windows\Ahead Nero Burning Rom
2009-04-25 10:22 <DIR> --d-h--- c:\windows\system32\GroupPolicy
2009-04-15 10:23 227,840 -c------ c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 10:22 285,696 -c------ c:\windows\system32\dllcache\pdh.dll
2009-04-15 10:22 111,104 -c------ c:\windows\system32\dllcache\services.exe
2009-04-15 10:22 401,408 -c------ c:\windows\system32\dllcache\rpcss.dll
2009-04-15 10:22 473,600 -c------ c:\windows\system32\dllcache\fastprox.dll
2009-04-15 10:22 684,544 -c------ c:\windows\system32\dllcache\advapi32.dll
2009-04-15 10:22 734,208 -c------ c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 10:22 453,120 -c------ c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 10:22 735,744 -c------ c:\windows\system32\dllcache\ntdll.dll
2009-04-15 10:20 218,624 -c------ c:\windows\system32\dllcache\wordpad.exe
2009-04-09 09:31 308 a------- c:\windows\system32\spupdsvc.inf

==================== Find3M ====================

2009-05-04 17:58 461,842 a------- c:\windows\system32\perfh013.dat
2009-05-04 17:58 78,674 a------- c:\windows\system32\perfc013.dat
2009-03-09 05:19 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-06 16:23 285,696 a------- c:\windows\system32\pdh.dll
2009-03-03 02:16 826,368 a------- c:\windows\system32\wininet.dll
2009-02-20 19:18 78,336 a------- c:\windows\system32\ieencode.dll
2009-02-10 19:10 2,070,400 a------- c:\windows\system32\ntkrnlpa.exe
2009-02-09 16:08 1,846,912 a------- c:\windows\system32\win32k.sys
2009-02-09 13:27 2,193,408 a------- c:\windows\system32\ntoskrnl.exe
2009-02-09 13:27 111,104 a------- c:\windows\system32\services.exe
2009-02-09 12:56 734,208 a------- c:\windows\system32\lsasrv.dll
2009-02-09 12:56 684,544 a------- c:\windows\system32\advapi32.dll
2009-02-09 12:56 401,408 a------- c:\windows\system32\rpcss.dll
2009-02-09 12:56 735,744 a------- c:\windows\system32\ntdll.dll
2009-02-06 20:55 308,616 ac------ c:\windows\WLXPGSS.SCR
2009-02-06 19:52 49,504 a------- c:\windows\system32\sirenacm.dll
2009-02-06 12:39 35,328 a------- c:\windows\system32\sc.exe
2009-02-03 21:59 56,832 a------- c:\windows\system32\secur32.dll
2008-10-12 11:15 32,768 ac-sh--- c:\windows\system32\config\systemprofile\local settings\geschiedenis\history.ie5\mshist012008101220081013\index.dat

============= FINISH: 19:20:08,78 ===============
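A small checker, added here as an example and not part of the post or of the DDS/HijackThis tools, that applies the same reading the helpers give these logs to lines in the DDS "Pseudo HJT" format: a Run value that starts rundll32 on a randomly named system32 DLL, BHO entries with no product name, a Winlogon Notify package named after its own DLL, and extra LSA authentication packages beyond msv1_0. The sample lines are constructed from the log above, the rules are heuristics, and the XP defaults assumed for the LSA lists (msv1_0, scecli) are an assumption.

```python
"""Flag Vundo-style persistence in a DDS "Pseudo HJT" report (heuristics only)."""
import re
from typing import Dict, List

# Constructed sample: lines in the DDS pseudo-HJT format, mixing the Vundo
# entries from the log above with benign entries from the same log.
SAMPLE_DDS = r"""
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [988da973] rundll32.exe "c:\windows\system32\vaxasygh.dll",b
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: {1495085d-4411-40c2-a1d4-881b4fbe639a} - c:\windows\system32\efcBRjJa.dll
BHO: {0025859f-c23e-911a-41a4-cf1ec9d422de}: {ed224d9c-e1fc-4a14-a119-e32cf9585200} - c:\windows\system32\pfobro.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: awtsPGWm - awtsPGWm.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\efcBRjJa
"""

GUID = r"\{[0-9a-fA-F-]{36}\}"
RUN_RE = re.compile(r"^[umd]Run: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
BHO_RE = re.compile(r"^BHO: (?:(?P<label>.*?): )?(?P<clsid>" + GUID + r") - (?P<path>.*)$")
NOTIFY_RE = re.compile(r"^Notify: (?P<name>\S+) - (?P<dll>.*)$")
LSA_RE = re.compile(r"^LSA: (?P<key>[A-Za-z ]+?) = (?P<values>.*)$")
DLL_ARG = re.compile(r'([^",]+\.dll)', re.IGNORECASE)

# Assumed Windows XP defaults for the LSA package lists; lsass/winlogon load
# every DLL named here at boot, which is why Vundo appends its own.
LSA_BASELINE = {"Authentication Packages": {"msv1_0"},
                "Notification Packages": {"scecli"}}


def random_stem(stem: str) -> bool:
    """The Vundo files in this thread are named with 8 random letters."""
    return re.fullmatch(r"[A-Za-z]{8}", stem) is not None


def dll_stem(path: str) -> str:
    r"""'c:\windows\system32\vaxasygh.dll' -> 'vaxasygh'."""
    name = path.rsplit("\\", 1)[-1]
    return name[:-4] if name.lower().endswith(".dll") else name


def scan_dds(text: str) -> List[Dict[str, str]]:
    """Return one finding per suspicious line, in input order."""
    findings: List[Dict[str, str]] = []

    def hit(rule: str, line: str, detail: str) -> None:
        findings.append({"rule": rule, "line": line, "detail": detail})

    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue

        m = RUN_RE.match(line)
        if m:
            # Run value whose command is rundll32 loading a DLL out of system32,
            # with a random-looking DLL name or a hex-looking value name.
            cmd = m.group("cmd")
            args = cmd.split(None, 1)[1] if " " in cmd else ""
            dll = DLL_ARG.search(args)
            if cmd.lower().startswith("rundll32") and dll:
                path = dll.group(1)
                if "\\system32\\" in path.lower() and (
                    random_stem(dll_stem(path))
                    or re.fullmatch(r"[0-9a-f]{8}", m.group("name"))
                ):
                    hit("run-rundll32-system32", line,
                        f"Run value {m.group('name')!r} loads {path}")
            continue

        m = BHO_RE.match(line)
        if m:
            # Legitimate BHOs carry a product name; an empty label or a label
            # that is itself a GUID is typical of the Vundo registrations above.
            label = m.group("label")
            if label is None or re.fullmatch(GUID, label):
                hit("bho-unnamed", line, f"unnamed BHO -> {m.group('path')}")
            continue

        m = NOTIFY_RE.match(line)
        if m:
            # Winlogon notify package whose key name equals its random DLL stem.
            name, dll = m.group("name"), m.group("dll")
            stem = dll_stem(dll)
            if name.lower() == stem.lower() and random_stem(stem):
                hit("notify-random-dll", line, f"winlogon notify loads {dll}")
            continue

        m = LSA_RE.match(line)
        if m and m.group("key") in LSA_BASELINE:
            extras = [v for v in m.group("values").split()
                      if v.lower() not in LSA_BASELINE[m.group("key")]]
            if extras:
                hit("lsa-extra-package", line,
                    f"{m.group('key')} has extra entries: {' '.join(extras)}")

    return findings


if __name__ == "__main__":
    for f in scan_dds(SAMPLE_DDS):
        print(f"[{f['rule']}] {f['detail']}")
```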



#2 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:01:43 PM

Posted 05 May 2009 - 11:54 AM

Hello Garfinator,

Uninstall Java™ 6 Update 7



I see that you are running msconfig in /auto mode which means that you may have selectively removed some items in the past from the startup procedure.

This can be bad if they are malware, so we would like you to re-enable those startup entries by doing the following:

Please click on start, then run, and type msconfig and then press enter. When the window opens click on the startup tab and make sure there are checkmarks in every entry. Then press ok until you are out of the program.
If it asks to reboot, do not reboot. It is not necessary to reboot to get the items to show up in HijackThis.


Download Security Check by screen317 from here or here.
Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt.
Please post the contents of that document.

Please download Malwarebytes' Anti-Malware from one of these places:
http://download.cnet.com/Malwarebytes-Anti...&tag=button
http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html
http://www.besttechie.net/mbam/mbam-setup.exe

Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy&Paste the entire MBAM report (even if it does not find anything) in your next reply along with a fresh HijackThis log.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Edited by SifuMike, 05 May 2009 - 11:58 AM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 Garfinator

Garfinator
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:10:43 PM

Posted 05 May 2009 - 12:54 PM

Hi SifuMike,

Thanks a lot for your quick and perfectly clear reply.

These are the contents of checkup.txt:

Results of screen317's Security Check version 0.98.3
Windows XP Service Pack 3
``````````````````````````````
Antivirus/Firewall Check:
``````````````````````````````

ECHO is off (uit).
Error obtaining update status for antivirus!
``````````````````````````````
Anti-malware/Other Utilities Check:
``````````````````````````````

Ad-Aware
CA VMN Anti-Spyware (remove only)
Spyware Terminator
Spybot - Search & Destroy
HijackThis 2.0.2
CCleaner (remove only)
Java™ 6 Update 13
``````````````````````````````
Process Check:
objlist.exe by Laurent
``````````````````````````````

Ad-Aware AAWService.exe
Ad-Aware AAWTray.exe is disabled!
Spybot SDHelper is disabled!
``````````````````````````````
DNS Vulnerability Check:
``````````````````````````````

GREAT! (Very random)

Scan took 194 seconds.
`````````End of Log```````````

And the MBAM log is:

Malwarebytes' Anti-Malware 1.36
Database versie: 2078
Windows 5.1.2600 Service Pack 3

5/05/2009 19:41:35
mbam-log-2009-05-05 (19-41-35).txt

Scan type: Snelle Scan
Objecten gescand: 86492
Verstreken tijd: 8 minute(s), 49 second(s)

Geheugenprocessen geïnfecteerd: 0
Geheugenmodulen geïnfecteerd: 3
Registersleutels geïnfecteerd: 8
Registerwaarden geïnfecteerd: 0
Registerdata bestanden geïnfecteerd: 2
Mappen geïnfecteerd: 0
Bestanden geïnfecteerd: 9

Geheugenprocessen geïnfecteerd:
(Geen kwaadaardige items gevonden)

Geheugenmodulen geïnfecteerd:
C:\WINDOWS\system32\efcBRjJa.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\rtwygldy.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\vaxasygh.dll (Trojan.Vundo.H) -> Delete on reboot.

Registersleutels geïnfecteerd:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4f0e610c-f6e3-4590-8ec7-437949817970} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{4f0e610c-f6e3-4590-8ec7-437949817970} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{4f0e610c-f6e3-4590-8ec7-437949817970} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\cs41275 (Malware.Trace) -> Quarantined and deleted successfully.

Registerwaarden geïnfecteerd:
(Geen kwaadaardige items gevonden)

Registerdata bestanden geïnfecteerd:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\efcbrjja -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\efcbrjja -> Delete on reboot.

Mappen geïnfecteerd:
(Geen kwaadaardige items gevonden)

Bestanden geïnfecteerd:
C:\WINDOWS\system32\efcBRjJa.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\aJjRBcfe.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\aJjRBcfe.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rtwygldy.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\ydlgywtr.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vaxasygh.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\hgysaxav.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\AVuylsteke\Local Settings\Temporary Internet Files\Content.IE5\6Q7GBWNL\qw[1] (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rqRJDWOf.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

--> Apparently this has deleted some of the files I was having problems with. Great!

Note: After the reboot, I did not notice that those 3 files were deleted when launching Windows. I also opened MBAM and closed it again. I guess they are deleted in the background, but I wanted to share this information anyway.

A new Hijack log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:52:05, on 5/05/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Software\PC mgmt\AdAware2008\aawservice.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Software\PC mgmt\Diskeeper Pro\DkService.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Software\ PC mgmt\CDBurnerXP\NMSAccessU.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Software\a PC mgmt\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Documents and Settings\AVuylsteke\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Software\ PC mgmt\Copernic Desktop Search 2\DesktopSearchService.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Software\ PC mgmt\Mozilla Firefox\firefox.exe
C:\Software\ Multimedia\Winamp\winamp.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Software\Barca2\Barca.exe
C:\Program Files\Java\jre6\bin\javaw.exe
C:\Software\Hotmail Popper\hotpop.exe
C:\Software\ Multimedia\Last.fm\LastFM.exe
C:\Software\ PC mgmt\totalcmd\TOTALCMD.EXE
C:\Software\ PC mgmt\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Software\ Multimedia\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {4F0E610C-F6E3-4590-8EC7-437949817970} - C:\WINDOWS\system32\efcBRjJa.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Aanmelden - Help - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Software\a PC mgmt\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Copernic Desktop Search - Home Toolbar - {4A1C6093-14F9-44D7-860E-5D265CFCA9D9} - C:\Software\ PC mgmt\Copernic Desktop Search 2\Toolbar\ToolbarContainer101000311.dll
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Software\a PC mgmt\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Software\a Multimedia\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [988da973] rundll32.exe "C:\WINDOWS\system32\rtwygldy.dll",b
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\AVuylsteke\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [Copernic Desktop Search - Home] "C:\Software\ PC mgmt\Copernic Desktop Search 2\DesktopSearchService.exe" /tray
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Software\a PC mgmt\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Software\a PC mgmt\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Software\a PC mgmt\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Software\a PC mgmt\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Software\a PC mgmt\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Software\a PC mgmt\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Software\a PC mgmt\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Software\a PC mgmt\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: awtsPGWm - awtsPGWm.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Software\PC mgmt\AdAware2008\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Mobiel Apple apparaat (Apple Mobile Device) - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour-service (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Software\PC mgmt\Diskeeper Pro\DkService.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod-service (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Software\ PC mgmt\CDBurnerXP\NMSAccessU.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 10821 bytes

Many, many thanks!

Alexander

#4 SifuMike (malware expert)

Posted 05 May 2009 - 01:54 PM

Hi,

I don't see an antivirus on your computer. :thumbup2: Are you running one?

Edited by SifuMike, 05 May 2009 - 01:55 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 Garfinator (Topic Starter)

Posted 05 May 2009 - 03:59 PM

Hey Mike,

Well, doesn't Spyware Terminator protect me against viruses as well, in addition to spyware? Windows Security Center used to say I had a virus scanner, but actually now it says I don't...

#6 SifuMike (malware expert)

Posted 05 May 2009 - 04:07 PM

No, it is only for spyware - not for viruses.


I notice that you never scanned with an Antivirus before starting this thread - because you don't even have an Antivirus installed :!:
This is somewhat suicidal in today's digital world. :thumbup2:
That's why I want you to install one first!!

Please install Avira Antivirus: http://www.free-av.com/
This is a free Antivirus :!:

Perform a full scan with Avira and let it delete everything it is finding.
Then reboot.
After reboot, open your Avira and select "reports".
There doubleclick the report from the Full scan you have done. Click the "Report File" button and copy and paste this report in your next reply together with a new HijackThis log.

Then we'll start from there, because it really makes no sense for us to clean this up manually if no Antivirus is present, which should be able to deal with most of this and prevent further reinfection.

Edited by SifuMike, 05 May 2009 - 04:08 PM.

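The two logs asked for above are plain text, and the check a helper does on them is to see which HijackThis autostart entries still point at files the antivirus detected: Avira moves the file to quarantine, but the registry entry that loaded it stays behind, which is why the later log in this thread still shows O2, O4 and O20 entries for efcBRjJa.dll, rtwygldy.dll and awtsPGWm.dll. The following Python script is an added example written for this page, not code from the thread, from Avira or from Trend Micro; its two inputs are constructed excerpts of the Avira report and the second HijackThis log posted later in the thread, and the function names and outcome labels are my own.

```python
import re

# Constructed excerpt of the Avira disinfection section posted later in this thread.
AVIRA_EXCERPT = r"""
Beginning disinfection:
C:\WINDOWS\system32\efcBRjJa.dll
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '4a64789b.qua'!
C:\WINDOWS\system32\rtwygldy.dll
[DETECTION] Is the TR/Trash.Gen Trojan
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004
[NOTE] The file is scheduled for deleting after reboot.
C:\WINDOWS\system32\ujclzx.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[WARNING] The file could not be deleted!
[NOTE] The file was moved to '49283402.qua'!
C:\WINDOWS\system32\awtspgwm.dll.ren
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '4a7578ac.qua'!
"""

# Constructed excerpt of the second HijackThis log in this thread.
HJT_EXCERPT = r"""
O2 - BHO: (no name) - {4F0E610C-F6E3-4590-8EC7-437949817970} - C:\WINDOWS\system32\efcBRjJa.dll (file missing)
O4 - HKLM\..\Run: [988da973] rundll32.exe "C:\WINDOWS\system32\rtwygldy.dll",b
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O20 - Winlogon Notify: awtsPGWm - awtsPGWm.dll (file missing)
"""

PATH_RE = re.compile(r"^[A-Za-z]:\\")                    # a scanned file path
DETECT_RE = re.compile(r"^\[DETECTION\] Is the (\S+) ")  # e.g. TR/Vundo.Gen
QUARANTINE_RE = re.compile(r"^\[NOTE\] The file was moved to '([^']+)'")
HJT_RE = re.compile(r"^([ROF]\d+) - (.*)$")              # section code + body
FILE_RE = re.compile(r"[\w-]+\.(?:dll|exe|sys|ocx)", re.IGNORECASE)  # basenames, with or without a path


def parse_avira(text):
    """Map each path in the disinfection section to its detection name and the
    ordered outcomes Avira reported for it (a failed delete may be followed by success)."""
    results, current = {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        if PATH_RE.match(line):
            current = results.setdefault(line, {"detection": None, "outcomes": []})
        elif current is None:
            continue
        elif (m := DETECT_RE.match(line)):
            current["detection"] = m.group(1)
        elif (m := QUARANTINE_RE.match(line)):
            current["outcomes"].append("quarantined:" + m.group(1))
        elif "scheduled for deleting after reboot" in line:
            current["outcomes"].append("delete-after-reboot")
        elif line.startswith("[WARNING]") and ("not deleted" in line or "could not be deleted" in line):
            current["outcomes"].append("delete-failed")
    return results


def parse_hijackthis(text):
    """Split each HijackThis line into its section code, the file names it references,
    and two flags worth noticing during triage."""
    entries = []
    for m in filter(None, (HJT_RE.match(ln.strip()) for ln in text.splitlines())):
        section, body = m.groups()
        entries.append({"section": section,
                        "files": {f.lower() for f in FILE_RE.findall(body)},
                        "file_missing": "(file missing)" in body,   # autostart entry outlived its file
                        "rundll32": "rundll32.exe" in body.lower()})  # DLL loaded via rundll32 at logon
    return entries


def same_file(hjt_name, av_name):
    """A renamed copy in the Avira report ('x.dll.ren') still counts as the entry's 'x.dll'."""
    return av_name == hjt_name or av_name.startswith(hjt_name + ".")


def triage(avira_text, hjt_text):
    """HijackThis entries whose referenced file Avira detected, plus what Avira did to that file.
    Everything listed still has a live autostart entry, whether or not the file itself survived."""
    detections = parse_avira(avira_text)
    hits = []
    for entry in parse_hijackthis(hjt_text):
        for name in sorted(entry["files"]):
            for path, info in detections.items():
                if same_file(name, path.rsplit("\\", 1)[-1].lower()):
                    hits.append({"section": entry["section"], "file": name, **info,
                                 "file_missing": entry["file_missing"], "rundll32": entry["rundll32"]})
    return hits


if __name__ == "__main__":
    for h in triage(AVIRA_EXCERPT, HJT_EXCERPT):
        flags = [n for n, on in (("file now missing", h["file_missing"]), ("via rundll32", h["rundll32"])) if on]
        print(f"{h['section']}: {h['file']} -> {h['detection']} ({', '.join(h['outcomes'])}) {flags}")
```

Run as-is it lists the three entries (O2, O4 and O20) that reference files Avira detected, and for rtwygldy.dll it shows the two-step outcome in the report, a failed delete followed by a deletion scheduled for the next reboot. Entries that come back with `file now missing` are exactly the leftover autostart items the antivirus does not clean up, which is why the helper asks for a fresh HijackThis log after the scan rather than relying on the scan report alone.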

#7 Garfinator (Topic Starter)

Posted 06 May 2009 - 06:59 AM

Hello,

I feel a little ashamed right now :/ I sincerely thought I left the PC-newbie phase behind me :s.

Anyway, here's the Avira log (some files were deleted on reboot):

Avira AntiVir Personal
Report file date: woensdag 6 mei 2009 11:02

Scanning for 1284893 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 3) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : ALEXANDE-3B5CF2

Version information:
BUILD.DAT : 9.0.0.394 17962 Bytes 17-4-2009 11:20:00
AVSCAN.EXE : 9.0.3.5 466689 Bytes 17-4-2009 07:57:30
AVSCAN.DLL : 9.0.3.0 40705 Bytes 27-2-2009 09:58:24
LUKE.DLL : 9.0.3.2 209665 Bytes 20-2-2009 10:35:49
LUKERES.DLL : 9.0.2.0 12033 Bytes 27-2-2009 09:58:52
ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 27-10-2008 11:30:36
ANTIVIR1.VDF : 7.1.2.12 3336192 Bytes 11-2-2009 19:33:26
ANTIVIR2.VDF : 7.1.2.105 513536 Bytes 3-3-2009 06:41:14
ANTIVIR3.VDF : 7.1.2.127 110592 Bytes 5-3-2009 13:58:20
Engineversion : 8.2.0.100
AEVDF.DLL : 8.1.1.0 106868 Bytes 27-1-2009 16:36:42
AESCRIPT.DLL : 8.1.1.56 352634 Bytes 26-2-2009 19:01:56
AESCN.DLL : 8.1.1.7 127347 Bytes 12-2-2009 10:44:25
AERDL.DLL : 8.1.1.3 438645 Bytes 29-10-2008 17:24:41
AEPACK.DLL : 8.1.3.10 397686 Bytes 4-3-2009 12:06:10
AEOFFICE.DLL : 8.1.0.36 196987 Bytes 26-2-2009 19:01:56
AEHEUR.DLL : 8.1.0.100 1618295 Bytes 25-2-2009 14:49:16
AEHELP.DLL : 8.1.2.2 119158 Bytes 26-2-2009 19:01:56
AEGEN.DLL : 8.1.1.24 336244 Bytes 4-3-2009 12:06:10
AEEMU.DLL : 8.1.0.9 393588 Bytes 9-10-2008 13:32:40
AECORE.DLL : 8.1.6.6 176501 Bytes 17-2-2009 13:22:44
AEBB.DLL : 8.1.0.3 53618 Bytes 9-10-2008 13:32:40
AVWINLL.DLL : 9.0.0.3 18177 Bytes 12-12-2008 07:47:59
AVPREF.DLL : 9.0.0.1 43777 Bytes 5-12-2008 09:32:15
AVREP.DLL : 8.0.0.3 155905 Bytes 20-1-2009 13:34:28
AVREG.DLL : 9.0.0.0 36609 Bytes 5-12-2008 09:32:09
AVARKT.DLL : 9.0.0.3 292609 Bytes 24-3-2009 14:05:41
AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 30-1-2009 09:37:08
SQLITE3.DLL : 3.6.1.0 326401 Bytes 28-1-2009 14:03:49
SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2-2-2009 07:21:33
NETNT.DLL : 9.0.0.0 11521 Bytes 5-12-2008 09:32:10
RCIMAGE.DLL : 9.0.0.21 2438401 Bytes 9-2-2009 10:45:45
RCTEXT.DLL : 9.0.37.0 86785 Bytes 17-4-2009 09:19:48

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:, D:,
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium
Deviating risk categories...........: +SPR,

Start of the scan: woensdag 6 mei 2009 11:02

Starting search for hidden objects.
'38927' objects were checked, '0' hidden objects were found.

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'guardgui.exe' - '1' Module(s) have been scanned
Scan process 'guardgui.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'notepad.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'notepad.exe' - '1' Module(s) have been scanned
Scan process 'msiexec.exe' - '1' Module(s) have been scanned
Scan process 'OfficeLiveSignIn.exe' - '1' Module(s) have been scanned
Scan process 'POWERPNT.EXE' - '1' Module(s) have been scanned
Scan process 'FeedDemon.exe' - '1' Module(s) have been scanned
Scan process 'wlcomm.exe' - '1' Module(s) have been scanned
Scan process 'hotpop.exe' - '1' Module(s) have been scanned
Scan process 'javaw.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'TOTALCMD.EXE' - '1' Module(s) have been scanned
Scan process 'firefox.exe' - '1' Module(s) have been scanned
Scan process 'wmiapsrv.exe' - '1' Module(s) have been scanned
Scan process 'DesktopSearchService.exe' - '1' Module(s) have been scanned
Scan process 'GoogleUpdate.exe' - '1' Module(s) have been scanned
Scan process 'msnmsgr.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'SpywareTerminatorShield.Exe' - '1' Module(s) have been scanned
Scan process 'realsched.exe' - '1' Module(s) have been scanned
Scan process 'quickset.exe' - '1' Module(s) have been scanned
Scan process 'atiptaxx.exe' - '1' Module(s) have been scanned
Scan process 'GrooveMonitor.exe' - '1' Module(s) have been scanned
Scan process 'acrotray.exe' - '1' Module(s) have been scanned
Scan process 'wmiprvse.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'wscntfy.exe' - '1' Module(s) have been scanned
Scan process 'sp_rsser.exe' - '1' Module(s) have been scanned
Scan process 'RegSrvc.exe' - '1' Module(s) have been scanned
Scan process 'NMSAccessU.exe' - '1' Module(s) have been scanned
Scan process 'NicConfigSvc.exe' - '1' Module(s) have been scanned
Scan process 'DkService.exe' - '1' Module(s) have been scanned
Scan process 'mDNSResponder.exe' - '1' Module(s) have been scanned
Scan process 'AppleMobileDeviceService.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process '1XConfig.exe' - '1' Module(s) have been scanned
Scan process 'aawservice.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'ZCfgSvc.exe' - '1' Module(s) have been scanned
Scan process 'WLKEEPER.exe' - '1' Module(s) have been scanned
Scan process 'S24EvMon.exe' - '1' Module(s) have been scanned
Scan process 'EvtEng.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
62 processes with 62 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Boot sector 'D:\'
[INFO] No virus was found!

Starting to scan executable files (registry).
C:\WINDOWS\system32\rtwygldy.dll
[DETECTION] Is the TR/Trash.Gen Trojan

The registry was scanned ( '57' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\hiberfil.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\pagefile.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\Documents and Settings\AVuylsteke\Local Settings\Temporary Internet Files\Content.IE5\RUKLQWNH\qw[1]
[DETECTION] Is the TR/Vundo.Gen Trojan
C:\Documents and Settings\AVuylsteke\Local Settings\Temporary Internet Files\Content.IE5\YQV3MNMY\index[1]
[DETECTION] Is the TR/Vundo.Gen Trojan
C:\System Volume Information\_restore{3518E033-B714-41A2-89C0-10F4AA2C1DA5}\RP209\A0031724.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
C:\System Volume Information\_restore{3518E033-B714-41A2-89C0-10F4AA2C1DA5}\RP209\A0031945.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
C:\System Volume Information\_restore{3518E033-B714-41A2-89C0-10F4AA2C1DA5}\RP212\A0032323.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
C:\System Volume Information\_restore{3518E033-B714-41A2-89C0-10F4AA2C1DA5}\RP214\A0032618.dll
[DETECTION] Is the TR/Trash.Gen Trojan
C:\WINDOWS\system32\awtspgwm.dll.ren
[DETECTION] Is the TR/Vundo.Gen Trojan
C:\WINDOWS\system32\dycwptkk.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
C:\WINDOWS\system32\efcBRjJa.dll
[DETECTION] Is the TR/Trash.Gen Trojan
C:\WINDOWS\system32\pfobro.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
C:\WINDOWS\system32\rqijjnae.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
C:\WINDOWS\system32\rtwygldy.dll
[DETECTION] Is the TR/Trash.Gen Trojan
C:\WINDOWS\system32\ujclzx.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
C:\WINDOWS\system32\vaxasygh.dll
[DETECTION] Is the TR/Trash.Gen Trojan
C:\WINDOWS\system32\wzbgxm.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
C:\WINDOWS\system32\ylicxrdq.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
Begin scan in 'D:\'
D:\1- Series\vlcc-setup.exe
[0] Archive type: RAR SFX (self extracting)
--> vlccsetup.exe
[DETECTION] Is the TR/Downloader.Gen Trojan
D:\MyDocs\Barca2 Backup folder\Barca.bak\Attach\nov26-5.txt
[0] Archive type: RAR
--> ExtraLabs Skype Recorder v1.7.1 by AHCU.exe.1
[DETECTION] Is the TR/Dropper.Gen Trojan
D:\MyDocs\Programmabestanden\Barca2\Attach\nov26-5.txt
[0] Archive type: RAR
--> ExtraLabs Skype Recorder v1.7.1 by AHCU.exe.1
[DETECTION] Is the TR/Dropper.Gen Trojan

Beginning disinfection:
C:\WINDOWS\system32\rtwygldy.dll
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '4a7878a8.qua'!
C:\Documents and Settings\AVuylsteke\Local Settings\Temporary Internet Files\Content.IE5\RUKLQWNH\qw[1]
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '4a5c78ac.qua'!
C:\Documents and Settings\AVuylsteke\Local Settings\Temporary Internet Files\Content.IE5\YQV3MNMY\index[1]
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '4a6578a3.qua'!
C:\System Volume Information\_restore{3518E033-B714-41A2-89C0-10F4AA2C1DA5}\RP209\A0031724.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '4a317865.qua'!
C:\System Volume Information\_restore{3518E033-B714-41A2-89C0-10F4AA2C1DA5}\RP209\A0031945.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '4bb1484e.qua'!
C:\System Volume Information\_restore{3518E033-B714-41A2-89C0-10F4AA2C1DA5}\RP212\A0032323.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '497a3c8e.qua'!
C:\System Volume Information\_restore{3518E033-B714-41A2-89C0-10F4AA2C1DA5}\RP214\A0032618.dll
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '4bb04f96.qua'!
C:\WINDOWS\system32\awtspgwm.dll.ren
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '4a7578ac.qua'!
C:\WINDOWS\system32\dycwptkk.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '4a6478ae.qua'!
C:\WINDOWS\system32\efcBRjJa.dll
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '4a64789b.qua'!
C:\WINDOWS\system32\pfobro.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '4a70789b.qua'!
C:\WINDOWS\system32\rqijjnae.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '4a6a78a6.qua'!
C:\WINDOWS\system32\rtwygldy.dll
[DETECTION] Is the TR/Trash.Gen Trojan
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004
[WARNING] The source file could not be found.
[NOTE] Attempting to perform action using the ARK library.
[WARNING] Error in ARK library
[NOTE] The file is scheduled for deleting after reboot.
C:\WINDOWS\system32\ujclzx.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26003
[WARNING] The file could not be deleted!
[NOTE] Attempting to perform action using the ARK library.
[NOTE] The file was moved to '49283402.qua'!
C:\WINDOWS\system32\vaxasygh.dll
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '4a7978a9.qua'!
C:\WINDOWS\system32\wzbgxm.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '4a6378c2.qua'!
C:\WINDOWS\system32\ylicxrdq.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '4a6a78b4.qua'!
D:\1- Series\vlcc-setup.exe
[NOTE] The file was moved to '4a6478b4.qua'!
D:\MyDocs\Barca2 Backup folder\Barca.bak\Attach\nov26-5.txt
[NOTE] The file was moved to '4a7778b8.qua'!
D:\MyDocs\Programmabestanden\Barca2\Attach\nov26-5.txt
[NOTE] The file was moved to '49271369.qua'!


End of the scan: woensdag 6 mei 2009 13:45
Used time: 1:11:11 Hour(s)

The scan has been done completely.

6892 Scanned directories
296562 Files were scanned
20 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
19 Files were moved to quarantine
0 Files were renamed
2 Files cannot be scanned
296540 Files not concerned
4540 Archives were scanned
4 Warnings
22 Notes
38927 Objects were scanned with rootkit scan
0 Hidden objects were found

And Hijack log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:57:39, on 6/05/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Software\PC mgmt\AdAware2008\aawservice.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Software\PC mgmt\Diskeeper Pro\DkService.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Software\ PC mgmt\CDBurnerXP\NMSAccessU.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Software\a PC mgmt\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Documents and Settings\AVuylsteke\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Software\ PC mgmt\Copernic Desktop Search 2\DesktopSearchService.exe
C:\Software\ PC mgmt\totalcmd\TOTALCMD.EXE
C:\Software\ PC mgmt\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
C:\Software\Barca2\Barca.exe
C:\Program Files\Java\jre6\bin\javaw.exe
C:\Software\Hotmail Popper\hotpop.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Software\ PC mgmt\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Software\ Multimedia\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {4F0E610C-F6E3-4590-8EC7-437949817970} - C:\WINDOWS\system32\efcBRjJa.dll (file missing)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Aanmelden - Help - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Software\a PC mgmt\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Copernic Desktop Search - Home Toolbar - {4A1C6093-14F9-44D7-860E-5D265CFCA9D9} - C:\Software\ PC mgmt\Copernic Desktop Search 2\Toolbar\ToolbarContainer101000311.dll
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Software\a PC mgmt\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Software\a Multimedia\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [988da973] rundll32.exe "C:\WINDOWS\system32\rtwygldy.dll",b
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\AVuylsteke\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [Copernic Desktop Search - Home] "C:\Software\ PC mgmt\Copernic Desktop Search 2\DesktopSearchService.exe" /tray
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Software\a PC mgmt\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Software\a PC mgmt\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Software\a PC mgmt\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Software\a PC mgmt\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Software\a PC mgmt\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Software\a PC mgmt\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Software\a PC mgmt\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Software\a PC mgmt\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: awtsPGWm - awtsPGWm.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Software\PC mgmt\AdAware2008\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Mobiel Apple apparaat (Apple Mobile Device) - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour-service (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Software\PC mgmt\Diskeeper Pro\DkService.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod-service (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Software\ PC mgmt\CDBurnerXP\NMSAccessU.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 11234 bytes

Thanks for guiding me in this process.

#8 SifuMike (malware expert)

Posted 06 May 2009 - 08:55 AM

Hi Garfinator,

You are still infected so we will run ComboFix.

You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.

Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.
Please read Combofix's Disclaimer.
Further, ComboFix logs are not permitted outside the HijackThis forums and then only when requested by a HJT Team member.

You need to disable your Avira Antivir Antivirus and Spyware Terminator before running ComboFix, as they will prevent it from running.

To disable Avira Antivirus:
Please navigate to the system tray on the bottom right hand corner and look for an open white umbrella on a red background.
  • right click it -> untick the option AntiVir Guard enable.
  • You should now see a closed, white umbrella on a red background.
You successfully disabled the AntiVir Guard.


To disable Spyware Terminator Real-time Protection
Click on the "Real-time Protection" tab, uncheck the "Use Real-time Protection" box and click on the "Save Changes" button.


Note: If you already have a copy of ComboFix on your system it is essential that you delete it before downloading this copy.

Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

To work properly, you must install ComboFix on the Desktop.
Post the log from ComboFix in your next reply.

A caution - ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal and increase security. If this is an issue or makes it difficult for you -- please tell me.
Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.
The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.
Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#9 Garfinator (Topic Starter)

Posted 06 May 2009 - 12:04 PM

Hey Mike,

The ComboFix scan went fine. Here's the log. It's partly in Dutch; I hope you are able to make sense of it. Otherwise, do not hesitate to let me know how I can have ComboFix run in English. Many thanks.


ComboFix 09-05-05.05 - AVuylsteke 06/05/2009 18:54.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.31.1043.18.1023.689 [GMT 2:00]
Running from: c:\documents and settings\AVuylsteke\Bureaublad\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated)
.

(((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\aJjRBcfe.ini
c:\windows\system32\aJjRBcfe.ini2
c:\windows\system32\lsprst7.dll
c:\windows\system32\ntnet.drv
c:\windows\system32\prsgrc.dll
c:\windows\system32\qtaovjfx.ini

.
(((((((((((((((((((( Files Created from 2009-04-06 to 2009-05-06 ))))))))))))))))))))))))))))))
.

2009-05-06 08:58 . 2009-03-24 14:08 55640 ----a-w c:\windows\system32\drivers\avgntflt.sys
2009-05-06 08:57 . 2009-05-06 08:57 -------- d-----w c:\documents and settings\All Users\Application Data\Avira
2009-05-06 08:57 . 2009-05-06 08:57 -------- d-----w c:\program files\Avira
2009-05-05 17:28 . 2009-05-05 17:28 -------- d-----w c:\documents and settings\AVuylsteke\Application Data\Malwarebytes
2009-05-05 17:27 . 2009-04-06 13:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-05 17:26 . 2009-04-06 13:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-05 17:26 . 2009-05-05 17:26 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-04 16:13 . 2008-07-06 12:06 117760 ------w c:\windows\system32\prntvpt.dll
2009-05-04 16:13 . 2008-07-06 12:06 89088 -c----w c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-05-04 16:13 . 2008-07-06 10:50 597504 -c----w c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-05-04 16:13 . 2008-07-06 12:06 575488 -c----w c:\windows\system32\dllcache\xpsshhdr.dll
2009-05-04 16:13 . 2008-07-06 12:06 575488 ------w c:\windows\system32\xpsshhdr.dll
2009-05-04 16:13 . 2008-07-06 12:06 1676288 -c----w c:\windows\system32\dllcache\xpssvcs.dll
2009-05-04 16:13 . 2008-07-06 12:06 1676288 ------w c:\windows\system32\xpssvcs.dll
2009-05-04 15:14 . 2009-05-04 15:14 -------- d--h--r C:\AHCache
2009-05-04 13:49 . 2009-05-04 14:03 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-05-04 13:49 . 2009-05-04 14:03 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-05-04 13:27 . 2009-05-04 13:27 11442 ----a-w c:\windows\system32\barrwdkx.dll
2009-05-03 17:33 . 2009-05-06 16:51 -------- d--h--r c:\documents and settings\AVuylsteke\Onlangs geopend
2009-05-03 09:50 . 2009-05-03 09:50 -------- d-----w c:\documents and settings\AVuylsteke\Application Data\Canneverbe_Limited
2009-05-02 18:46 . 2009-05-02 18:46 -------- d-----w c:\windows\Ahead Nero Burning Rom
2009-04-25 08:22 . 2009-04-25 08:22 -------- d--h--w c:\windows\system32\GroupPolicy
2009-04-15 08:23 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 08:22 . 2009-03-06 14:23 285696 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-15 08:22 . 2009-02-09 11:27 111104 -c----w c:\windows\system32\dllcache\services.exe
2009-04-15 08:22 . 2009-02-09 10:56 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-15 08:22 . 2009-02-09 10:56 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-15 08:22 . 2009-02-09 10:56 684544 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-15 08:22 . 2009-02-09 10:56 734208 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 08:22 . 2009-02-09 10:56 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 08:22 . 2009-02-09 10:56 735744 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-15 08:20 . 2008-04-21 21:16 218624 -c----w c:\windows\system32\dllcache\wordpad.exe

.
((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-06 11:49 . 2009-01-30 06:17 -------- d-----w c:\program files\WinClamAVShield
2009-05-05 17:06 . 2008-08-30 19:01 -------- d-----w c:\program files\MSBuild
2009-05-04 15:58 . 2004-08-04 12:00 78674 ----a-w c:\windows\system32\perfc013.dat
2009-05-04 15:58 . 2004-08-04 12:00 461842 ----a-w c:\windows\system32\perfh013.dat
2009-05-04 13:59 . 2009-01-29 13:28 -------- d-----w c:\program files\Spyware Terminator
2009-03-31 19:32 . 2008-08-30 18:28 -------- d-----w c:\program files\Java
2009-03-19 20:15 . 2009-03-19 20:15 -------- d-----r c:\program files\Skype
2009-03-19 20:15 . 2009-03-19 20:15 -------- d-----w c:\program files\Common Files\Skype
2009-03-11 17:29 . 2009-03-11 17:26 -------- d-----w c:\program files\Microsoft
2009-03-11 17:29 . 2009-03-11 17:29 -------- d-----w c:\program files\Microsoft Office Outlook Connector
2009-03-11 17:28 . 2008-08-30 18:21 -------- d-----w c:\program files\Windows Live
2009-03-11 17:27 . 2009-03-11 17:27 -------- d-----w c:\program files\Microsoft SQL Server Compact Edition
2009-03-11 17:25 . 2009-03-11 17:25 -------- d-----w c:\program files\Windows Live SkyDrive
2009-03-11 11:11 . 2009-03-11 11:11 -------- d-----w c:\program files\Common Files\Windows Live
2009-03-09 03:19 . 2008-12-14 10:02 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-06 14:23 . 2004-08-04 12:00 285696 ----a-w c:\windows\system32\pdh.dll
2009-03-03 16:28 . 2008-08-30 20:26 69872 -c--a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-03 00:16 . 2004-08-04 12:00 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-27 13:51 . 2009-02-27 13:51 1024 ----a-w c:\windows\system32\grcauth2.dll
2009-02-27 13:51 . 2009-02-27 13:51 1024 ----a-w c:\windows\system32\grcauth1.dll
2009-02-27 13:39 . 2009-02-27 13:39 1025 ----a-w c:\windows\system32\sysprs7.dll
2009-02-20 17:18 . 2004-08-04 12:00 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-10 17:10 . 2004-08-04 00:58 2070400 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-09 14:08 . 2004-08-04 12:00 1846912 ----a-w c:\windows\system32\win32k.sys
2009-02-09 11:27 . 2004-08-04 12:00 2193408 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-09 11:27 . 2004-08-04 12:00 111104 ----a-w c:\windows\system32\services.exe
2009-02-09 10:56 . 2004-08-04 12:00 734208 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 10:56 . 2004-08-04 12:00 684544 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 10:56 . 2004-08-04 12:00 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 10:56 . 2004-08-04 12:00 735744 ----a-w c:\windows\system32\ntdll.dll
2009-02-06 18:55 . 2009-02-06 18:55 308616 -c--a-w c:\windows\WLXPGSS.SCR
2009-02-06 17:52 . 2009-02-06 17:52 49504 ----a-w c:\windows\system32\sirenacm.dll
2009-02-06 10:39 . 2004-08-04 12:00 35328 ----a-w c:\windows\system32\sc.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]
"Google Update"="c:\documents and settings\AVuylsteke\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-03-15 133104]
"Copernic Desktop Search - Home"="c:\software\ PC mgmt\Copernic Desktop Search 2\DesktopSearchService.exe" [2009-03-19 1602048]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Acrobat Assistant 7.0"="c:\software\a PC mgmt\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-12-03 344064]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2006-06-29 1032192]
"QuickTime Task"="c:\software\a Multimedia\QuickTime\qttask.exe" [2008-09-06 413696]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-11-29 185872]
"SpywareTerminator"="c:\program files\Spyware Terminator\SpywareTerminatorShield.exe" [2009-01-29 2267136]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Administrator\Menu Start\Programma's\Opstarten\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 14:08 110592 ----a-w c:\program files\Intel\Wireless\Bin\LgNotify.dll

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"aux"= sysaudio.sys

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Software\\ Multimedia\\SopCast\\adv\\SopAdver.exe"=
"c:\\Software\\ Multimedia\\SopCast\\SopCast.exe"=
"c:\\Software\\ Multimedia\\Zattoo\\zattood.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Software\\a Multimedia\\iTunes\\iTunes.exe"=
"c:\\Software\\a File transfer\\FileZilla FTP Client\\filezilla.exe"=
"c:\\Software\\ PC mgmt\\totalcmd\\TOTALCMD.EXE"=
"c:\\Software\\ Multimedia\\VoipBuster.com\\VoipBuster\\VoipBuster.exe"=
"c:\\Software\\SPSSInc\\Statistics17\\statistics.exe"=
"c:\\Software\\SPSSInc\\Statistics17\\SPSSWinWrapIDE.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Documents and Settings\\AVuylsteke\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\AVuylsteke\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [29/01/2009 15:28 142592]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [6/05/2009 10:57 108289]
R3 msvad_simple;SoliCall;c:\windows\system32\drivers\solicall.sys [10/06/2006 17:19 205312]
S3 cglptnt;cglptnt;c:\software\ PC mgmt\totalcmd\CGLPTNT.SYS [30/08/2008 18:25 7888]
S3 s115bus;Sony Ericsson Device 115 driver (WDM);c:\windows\system32\drivers\s115bus.sys [8/01/2009 15:28 83208]
S3 s115mdfl;Sony Ericsson Device 115 USB WMC Modem Filter;c:\windows\system32\drivers\s115mdfl.sys [8/01/2009 15:28 15112]
S3 s115mdm;Sony Ericsson Device 115 USB WMC Modem Driver;c:\windows\system32\drivers\s115mdm.sys [8/01/2009 15:28 108680]
S3 s115mgmt;Sony Ericsson Device 115 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s115mgmt.sys [8/01/2009 15:29 100488]
S3 s115obex;Sony Ericsson Device 115 USB WMC OBEX Interface;c:\windows\system32\drivers\s115obex.sys [8/01/2009 15:29 98568]
.
Contents of the 'Scheduled Tasks' folder

2009-02-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 10:34]

2009-05-06 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-01-22 23:34]

2009-05-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1214440339-2146941213-725345543-1005.job
- c:\documents and settings\AVuylsteke\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-03-15 09:56]
.
- - - - ORPHANS REMOVED - - - -

BHO-{4F0E610C-F6E3-4590-8EC7-437949817970} - c:\windows\system32\efcBRjJa.dll
WebBrowser-{A057A204-BACC-4D26-8287-79A187E26987} - (no file)
HKLM-Run-988da973 - c:\windows\system32\rtwygldy.dll
ShellExecuteHooks-{d1263b5d-33d6-45c4-9505-6b579e39eb46} - c:\windows\system32\ujclzx.dll
Notify-awtsPGWm - awtsPGWm.dll


.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
IE: Convert link target to Adobe PDF - c:\software\a PC mgmt\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\software\a PC mgmt\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\software\a PC mgmt\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\software\a PC mgmt\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\software\a PC mgmt\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\software\a PC mgmt\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\software\a PC mgmt\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\software\a PC mgmt\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: tsinghua.edu.cn\login
FF - ProfilePath - c:\documents and settings\AVuylsteke\Application Data\Mozilla\Firefox\Profiles\zgf7b1o5.default\
FF - prefs.js: browser.startup.homepage - hxxps://netlogin.kuleuven.be
FF - component: c:\software\ Multimedia\browserrecord\components\nprpbrowserrecordplugin.dll
FF - component: c:\software\ PC mgmt\Copernic Desktop Search 2\FirefoxConnector\components\CSPXPCOMBridge.dll
FF - plugin: c:\documents and settings\AVuylsteke\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\AVuylsteke\Local Settings\Application Data\Google\Update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: c:\software\ Multimedia\Netscape6\nppl3260.dll
FF - plugin: c:\software\ Multimedia\Netscape6\nprjplug.dll
FF - plugin: c:\software\ Multimedia\Netscape6\nprpjplug.dll
FF - plugin: c:\software\a Multimedia\iTunes\Mozilla Plugins\npitunes.dll
FF - plugin: c:\software\a Multimedia\QuickTime\Plugins\npqtplugin.dll
FF - plugin: c:\software\a multimedia\QuickTime\Plugins\npqtplugin.dll
FF - plugin: c:\software\a Multimedia\QuickTime\Plugins\npqtplugin2.dll
FF - plugin: c:\software\a multimedia\QuickTime\Plugins\npqtplugin2.dll
FF - plugin: c:\software\a multimedia\QuickTime\Plugins\npqtplugin3.dll
FF - plugin: c:\software\a Multimedia\QuickTime\Plugins\npqtplugin3.dll
FF - plugin: c:\software\a multimedia\QuickTime\Plugins\npqtplugin4.dll
FF - plugin: c:\software\a Multimedia\QuickTime\Plugins\npqtplugin4.dll
FF - plugin: c:\software\a multimedia\QuickTime\Plugins\npqtplugin5.dll
FF - plugin: c:\software\a Multimedia\QuickTime\Plugins\npqtplugin5.dll
FF - plugin: c:\software\a multimedia\QuickTime\Plugins\npqtplugin6.dll
FF - plugin: c:\software\a Multimedia\QuickTime\Plugins\npqtplugin6.dll
FF - plugin: c:\software\a multimedia\QuickTime\Plugins\npqtplugin7.dll
FF - plugin: c:\software\a Multimedia\QuickTime\Plugins\npqtplugin7.dll
FF - plugin: c:\software\a PC mgmt\Adobe\Acrobat 7.0\Acrobat\browser\nppdf32.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-06 18:58
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1032)
c:\windows\system32\Ati2evxx.dll
c:\program files\Intel\Wireless\Bin\LgNotify.dll

- - - - - - - > 'explorer.exe'(4016)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKEEPER.exe
c:\program files\Intel\Wireless\Bin\ZCfgSvc.exe
c:\windows\system32\ati2evxx.exe
c:\software\PC mgmt\AdAware2008\aawservice.exe
c:\progra~1\Intel\Wireless\Bin\1XConfig.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\software\PC mgmt\Diskeeper Pro\DkService.exe
c:\program files\Dell\QuickSet\NicConfigSvc.exe
c:\software\ PC mgmt\CDBurnerXP\NMSAccessU.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Spyware Terminator\sp_rsser.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-05-06 19:00 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-06 17:00

Pre-Run: 827.322.368 bytes free
Post-Run: 951.840.768 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-NLD.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

260 --- E O F --- 2009-04-30 01:10

#10 SifuMike (malware expert)

Posted 06 May 2009 - 07:43 PM

Hi Garfinator,

No problem with Dutch. I know what it says by the location of the words.

You need to disable your Avira Antivir Antivirus and Spyware Terminator before running ComboFix, as they will prevent it from running.

To disable Avira Antivirus:
Please navigate to the system tray on the bottom right hand corner and look for an open white umbrella on a red background.
  • right click it -> untick the option AntiVir Guard enable.
  • You should now see a closed, white umbrella on a red background.
You successfully disabled the AntiVir Guard.


To disable Spyware Terminator Real-time Protection
Click on the "Real-time Protection" tab, uncheck the "Use Real-time Protection" box and click on the "Save Changes" button.



Click Start, then Run and type Notepad and click OK.
Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the code box below into notepad:

File:: 
c:\windows\system32\barrwdkx.dll

Registry:: 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"=dword:00000001


Name the Notepad file CFScript.txt and Save it to your desktop.

IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.



This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply

Edited by SifuMike, 06 May 2009 - 07:44 PM.


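A log-triage script, added here as an example and not part of this thread, of ComboFix, or of HijackThis. It scans lines in the shapes quoted above (the HijackThis O20 Winlogon Notify entry, ComboFix's ORPHANS REMOVED lines, the firewall policy line) and flags what SifuMike picked out by eye before writing the CFScript: orphaned autostart entries, a Windows Firewall that has been switched off, and random-looking DLL names in autostart or hook entries that load from system32. The suspicious sample lines are copied from the logs posted in this thread; the benign control lines, the rule names and the looks_random heuristic are mine. The heuristic is deliberately limited to autostart-style lines, because legitimate short names such as lsasrv.dll also trip it, so the Files Created section still needs a human look.

```python
import re

# Constructed sample input: lines in the shape HijackThis and ComboFix print them.
# The suspicious entries are copied from the logs posted in this thread; the
# Avira, Java and lsasrv.dll lines are benign controls.
SAMPLE_LOG = r"""O20 - Winlogon Notify: awtsPGWm - awtsPGWm.dll (file missing)
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
"EnableFirewall"= 0 (0x0)
BHO-{4F0E610C-F6E3-4590-8EC7-437949817970} - c:\windows\system32\efcBRjJa.dll
WebBrowser-{A057A204-BACC-4D26-8287-79A187E26987} - (no file)
HKLM-Run-988da973 - c:\windows\system32\rtwygldy.dll
ShellExecuteHooks-{d1263b5d-33d6-45c4-9505-6b579e39eb46} - c:\windows\system32\ujclzx.dll
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
2009-02-09 10:56 . 2004-08-04 12:00 734208 ----a-w c:\windows\system32\lsasrv.dll
"""

# Lines that describe something Windows or IE will load automatically: HijackThis
# "Oxx - " entries, ComboFix orphan entries, and Run-key values ("name"=...).
AUTOSTART_RE = re.compile(
    r'^(?:O\d+ - |BHO-|HKLM-Run-|HKCU-Run-|ShellExecuteHooks-|Notify-|WebBrowser-|Toolbar-|")'
)
DLL_RE = re.compile(r"([A-Za-z]+)\.dll\b", re.IGNORECASE)
# Matches the log form  "EnableFirewall"= 0 (0x0)  and the registry-export form
# "EnableFirewall"=dword:00000000, but not dword:00000001.
FIREWALL_OFF_RE = re.compile(r'"EnableFirewall"\s*=\s*(?:dword:)?0+\b')


def looks_random(stem: str) -> bool:
    """Heuristic (mine, not a tool's) for Vundo-style random DLL stems such as
    vaxasygh, barrwdkx or efcBRjJa: letters only, 6-8 characters, and either
    almost no vowels or jumbled upper/lower case.  It is a triage aid only:
    lsasrv also matches, which is why triage() scopes it to autostart lines."""
    if not stem.isalpha() or not 6 <= len(stem) <= 8:
        return False
    vowels = sum(ch in "aeiou" for ch in stem.lower())
    case_switches = sum(a.isupper() != b.isupper() for a, b in zip(stem, stem[1:]))
    return vowels / len(stem) <= 0.25 or case_switches >= 3


def suspicious_dlls(line: str) -> list[str]:
    """Random-looking DLL stems on one line.  A DLL counts only if it is written
    without any path (Winlogon Notify resolves those from system32) or sits
    directly in system32; DLLs under Program Files etc. are ignored."""
    hits = []
    for m in DLL_RE.finditer(line):
        before = line[: m.start()]
        bare = not before.endswith("\\")
        in_system32 = before.lower().endswith("system32\\")
        if (bare or in_system32) and looks_random(m.group(1)):
            hits.append(m.group(1))
    return hits


def triage(log_text: str) -> list[tuple[str, str]]:
    """Scan HijackThis/ComboFix log text and return (rule, line) findings."""
    findings = []
    for line in log_text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        if "(file missing)" in line or "(no file)" in line:
            findings.append(("orphaned autostart entry", line))
        if FIREWALL_OFF_RE.search(line):
            findings.append(("Windows Firewall disabled", line))
        if AUTOSTART_RE.match(line):
            for stem in suspicious_dlls(line):
                findings.append((f"random-looking system32 DLL: {stem}.dll", line))
    return findings


if __name__ == "__main__":
    for rule, line in triage(SAMPLE_LOG):
        print(f"[{rule}] {line}")
```

Run as-is it prints seven findings for the sample: two orphaned entries, the disabled firewall, and the four random-named DLLs that ComboFix later removed. Anything it flags still needs the file itself checked (size, signature, quarantine copy) before it goes into a File:: section; the script only tells you where to look.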
#11 Garfinator (Topic Starter)

Posted 07 May 2009 - 03:21 AM

Heyllo,

I dragged the script onto ComboFix.exe and the program launched. On startup it asked to update and I clicked yes, after which the program restarted. I'm not sure if it still remembered to run the script and I wasn't sure if it was "dangerous" if I ran ComboFix and the script twice, so I just ran ComboFix once and assumed it still knew to run the script after the autorestart.

No reboot was necessary after running ComboFix.

This is the log:

ComboFix 09-05-06.05 - AVuylsteke 07/05/2009 10:12.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.31.1043.18.1023.640 [GMT 2:00]
Running from: c:\documents and settings\AVuylsteke\Bureaublad\ComboFix.exe
Command switches used :: c:\documents and settings\AVuylsteke\Bureaublad\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated)

FILE ::
c:\windows\system32\barrwdkx.dll
.

(((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\barrwdkx.dll

.
(((((((((((((((((((( Files Created from 2009-04-07 to 2009-05-07 ))))))))))))))))))))))))))))))
.

2009-05-06 08:58 . 2009-03-24 14:08 55640 ----a-w c:\windows\system32\drivers\avgntflt.sys
2009-05-06 08:57 . 2009-05-06 08:57 -------- d-----w c:\documents and settings\All Users\Application Data\Avira
2009-05-06 08:57 . 2009-05-06 08:57 -------- d-----w c:\program files\Avira
2009-05-05 17:28 . 2009-05-05 17:28 -------- d-----w c:\documents and settings\AVuylsteke\Application Data\Malwarebytes
2009-05-05 17:27 . 2009-04-06 13:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-05 17:26 . 2009-04-06 13:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-05 17:26 . 2009-05-05 17:26 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-04 16:13 . 2008-07-06 12:06 117760 ------w c:\windows\system32\prntvpt.dll
2009-05-04 16:13 . 2008-07-06 12:06 89088 -c----w c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-05-04 16:13 . 2008-07-06 10:50 597504 -c----w c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-05-04 16:13 . 2008-07-06 12:06 575488 -c----w c:\windows\system32\dllcache\xpsshhdr.dll
2009-05-04 16:13 . 2008-07-06 12:06 575488 ------w c:\windows\system32\xpsshhdr.dll
2009-05-04 16:13 . 2008-07-06 12:06 1676288 -c----w c:\windows\system32\dllcache\xpssvcs.dll
2009-05-04 16:13 . 2008-07-06 12:06 1676288 ------w c:\windows\system32\xpssvcs.dll
2009-05-04 15:14 . 2009-05-04 15:14 -------- d--h--r C:\AHCache
2009-05-04 13:49 . 2009-05-04 14:03 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-05-04 13:49 . 2009-05-04 14:03 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-05-03 17:33 . 2009-05-07 08:09 -------- d--h--r c:\documents and settings\AVuylsteke\Onlangs geopend
2009-05-03 09:50 . 2009-05-03 09:50 -------- d-----w c:\documents and settings\AVuylsteke\Application Data\Canneverbe_Limited
2009-05-02 18:46 . 2009-05-02 18:46 -------- d-----w c:\windows\Ahead Nero Burning Rom
2009-04-25 08:22 . 2009-04-25 08:22 -------- d--h--w c:\windows\system32\GroupPolicy
2009-04-15 08:23 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 08:22 . 2009-03-06 14:23 285696 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-15 08:22 . 2009-02-09 11:27 111104 -c----w c:\windows\system32\dllcache\services.exe
2009-04-15 08:22 . 2009-02-09 10:56 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-15 08:22 . 2009-02-09 10:56 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-15 08:22 . 2009-02-09 10:56 684544 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-15 08:22 . 2009-02-09 10:56 734208 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 08:22 . 2009-02-09 10:56 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 08:22 . 2009-02-09 10:56 735744 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-15 08:20 . 2008-04-21 21:16 218624 -c----w c:\windows\system32\dllcache\wordpad.exe

.
((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-07 07:50 . 2009-01-30 06:17 -------- d-----w c:\program files\WinClamAVShield
2009-05-05 17:06 . 2008-08-30 19:01 -------- d-----w c:\program files\MSBuild
2009-05-04 15:58 . 2004-08-04 12:00 78674 ----a-w c:\windows\system32\perfc013.dat
2009-05-04 15:58 . 2004-08-04 12:00 461842 ----a-w c:\windows\system32\perfh013.dat
2009-05-04 13:59 . 2009-01-29 13:28 -------- d-----w c:\program files\Spyware Terminator
2009-03-31 19:32 . 2008-08-30 18:28 -------- d-----w c:\program files\Java
2009-03-19 20:15 . 2009-03-19 20:15 -------- d-----r c:\program files\Skype
2009-03-19 20:15 . 2009-03-19 20:15 -------- d-----w c:\program files\Common Files\Skype
2009-03-11 17:29 . 2009-03-11 17:26 -------- d-----w c:\program files\Microsoft
2009-03-11 17:29 . 2009-03-11 17:29 -------- d-----w c:\program files\Microsoft Office Outlook Connector
2009-03-11 17:28 . 2008-08-30 18:21 -------- d-----w c:\program files\Windows Live
2009-03-11 17:27 . 2009-03-11 17:27 -------- d-----w c:\program files\Microsoft SQL Server Compact Edition
2009-03-11 17:25 . 2009-03-11 17:25 -------- d-----w c:\program files\Windows Live SkyDrive
2009-03-11 11:11 . 2009-03-11 11:11 -------- d-----w c:\program files\Common Files\Windows Live
2009-03-09 03:19 . 2008-12-14 10:02 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-06 14:23 . 2004-08-04 12:00 285696 ----a-w c:\windows\system32\pdh.dll
2009-03-03 16:28 . 2008-08-30 20:26 69872 -c--a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-03 00:16 . 2004-08-04 12:00 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-27 13:51 . 2009-02-27 13:51 1024 ----a-w c:\windows\system32\grcauth2.dll
2009-02-27 13:51 . 2009-02-27 13:51 1024 ----a-w c:\windows\system32\grcauth1.dll
2009-02-27 13:39 . 2009-02-27 13:39 1025 ----a-w c:\windows\system32\sysprs7.dll
2009-02-20 17:18 . 2004-08-04 12:00 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-10 17:10 . 2004-08-04 00:58 2070400 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-09 14:08 . 2004-08-04 12:00 1846912 ----a-w c:\windows\system32\win32k.sys
2009-02-09 11:27 . 2004-08-04 12:00 2193408 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-09 11:27 . 2004-08-04 12:00 111104 ----a-w c:\windows\system32\services.exe
2009-02-09 10:56 . 2004-08-04 12:00 734208 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 10:56 . 2004-08-04 12:00 684544 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 10:56 . 2004-08-04 12:00 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 10:56 . 2004-08-04 12:00 735744 ----a-w c:\windows\system32\ntdll.dll
2009-02-06 18:55 . 2009-02-06 18:55 308616 -c--a-w c:\windows\WLXPGSS.SCR
2009-02-06 17:52 . 2009-02-06 17:52 49504 ----a-w c:\windows\system32\sirenacm.dll
2009-02-06 10:39 . 2004-08-04 12:00 35328 ----a-w c:\windows\system32\sc.exe
.

((((((((((((((((((((((((((((( SnapShot@2009-05-06_16.58.26 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-07 07:49 . 2009-05-07 07:49 16384 c:\windows\Temp\Perflib_Perfdata_69c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legitimate default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]
"Google Update"="c:\documents and settings\AVuylsteke\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-03-15 133104]
"Copernic Desktop Search - Home"="c:\software\ PC mgmt\Copernic Desktop Search 2\DesktopSearchService.exe" [2009-03-19 1602048]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Acrobat Assistant 7.0"="c:\software\a PC mgmt\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-12-03 344064]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2006-06-29 1032192]
"QuickTime Task"="c:\software\a Multimedia\QuickTime\qttask.exe" [2008-09-06 413696]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-11-29 185872]
"SpywareTerminator"="c:\program files\Spyware Terminator\SpywareTerminatorShield.exe" [2009-01-29 2267136]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Administrator\Menu Start\Programma's\Opstarten\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 14:08 110592 ----a-w c:\program files\Intel\Wireless\Bin\LgNotify.dll

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"aux"= sysaudio.sys

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Software\\ Multimedia\\SopCast\\adv\\SopAdver.exe"=
"c:\\Software\\ Multimedia\\SopCast\\SopCast.exe"=
"c:\\Software\\ Multimedia\\Zattoo\\zattood.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Software\\a Multimedia\\iTunes\\iTunes.exe"=
"c:\\Software\\a File transfer\\FileZilla FTP Client\\filezilla.exe"=
"c:\\Software\\ PC mgmt\\totalcmd\\TOTALCMD.EXE"=
"c:\\Software\\ Multimedia\\VoipBuster.com\\VoipBuster\\VoipBuster.exe"=
"c:\\Software\\SPSSInc\\Statistics17\\statistics.exe"=
"c:\\Software\\SPSSInc\\Statistics17\\SPSSWinWrapIDE.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Documents and Settings\\AVuylsteke\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\AVuylsteke\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [29/01/2009 15:28 142592]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [6/05/2009 10:57 108289]
R3 msvad_simple;SoliCall;c:\windows\system32\drivers\solicall.sys [10/06/2006 17:19 205312]
S3 cglptnt;cglptnt;c:\software\ PC mgmt\totalcmd\CGLPTNT.SYS [30/08/2008 18:25 7888]
S3 s115bus;Sony Ericsson Device 115 driver (WDM);c:\windows\system32\drivers\s115bus.sys [8/01/2009 15:28 83208]
S3 s115mdfl;Sony Ericsson Device 115 USB WMC Modem Filter;c:\windows\system32\drivers\s115mdfl.sys [8/01/2009 15:28 15112]
S3 s115mdm;Sony Ericsson Device 115 USB WMC Modem Driver;c:\windows\system32\drivers\s115mdm.sys [8/01/2009 15:28 108680]
S3 s115mgmt;Sony Ericsson Device 115 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s115mgmt.sys [8/01/2009 15:29 100488]
S3 s115obex;Sony Ericsson Device 115 USB WMC OBEX Interface;c:\windows\system32\drivers\s115obex.sys [8/01/2009 15:29 98568]
.
Contents of the 'Scheduled Tasks' folder

2009-02-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 10:34]

2009-05-07 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-01-22 23:34]

2009-05-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1214440339-2146941213-725345543-1005.job
- c:\documents and settings\AVuylsteke\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-03-15 09:56]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
IE: Convert link target to Adobe PDF - c:\software\a PC mgmt\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\software\a PC mgmt\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\software\a PC mgmt\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\software\a PC mgmt\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\software\a PC mgmt\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\software\a PC mgmt\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\software\a PC mgmt\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\software\a PC mgmt\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: tsinghua.edu.cn\login
FF - ProfilePath - c:\documents and settings\AVuylsteke\Application Data\Mozilla\Firefox\Profiles\zgf7b1o5.default\
FF - prefs.js: browser.startup.homepage - hxxps://netlogin.kuleuven.be
FF - component: c:\software\ Multimedia\browserrecord\components\nprpbrowserrecordplugin.dll
FF - component: c:\software\ PC mgmt\Copernic Desktop Search 2\FirefoxConnector\components\CSPXPCOMBridge.dll
FF - plugin: c:\documents and settings\AVuylsteke\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\AVuylsteke\Local Settings\Application Data\Google\Update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: c:\software\ Multimedia\Netscape6\nppl3260.dll
FF - plugin: c:\software\ Multimedia\Netscape6\nprjplug.dll
FF - plugin: c:\software\ Multimedia\Netscape6\nprpjplug.dll
FF - plugin: c:\software\a Multimedia\iTunes\Mozilla Plugins\npitunes.dll
FF - plugin: c:\software\a Multimedia\QuickTime\Plugins\npqtplugin.dll
FF - plugin: c:\software\a Multimedia\QuickTime\Plugins\npqtplugin2.dll
FF - plugin: c:\software\a Multimedia\QuickTime\Plugins\npqtplugin3.dll
FF - plugin: c:\software\a Multimedia\QuickTime\Plugins\npqtplugin4.dll
FF - plugin: c:\software\a Multimedia\QuickTime\Plugins\npqtplugin5.dll
FF - plugin: c:\software\a Multimedia\QuickTime\Plugins\npqtplugin6.dll
FF - plugin: c:\software\a Multimedia\QuickTime\Plugins\npqtplugin7.dll
FF - plugin: c:\software\a PC mgmt\Adobe\Acrobat 7.0\Acrobat\browser\nppdf32.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-07 10:14
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1028)
c:\windows\system32\Ati2evxx.dll
c:\program files\Intel\Wireless\Bin\LgNotify.dll
.
Completion time: 2009-05-07 10:16
ComboFix-quarantined-files.txt 2009-05-07 08:15
ComboFix2.txt 2009-05-06 17:00

Pre-Run: 1.002.483.712 bytes free
Post-Run: 998.555.648 bytes free

213 --- E O F --- 2009-04-30 01:10
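The ComboFix log above records autostart locations in two line formats: REGEDIT4-style Run values with a "[date size]" suffix, and services as "R?/S? name;display name;image path [dd/mm/yyyy hh:mm size]" lines. When reading such a log by hand, the first pass is usually to ask where each binary lives. The following Python script is an added example written for this page; it is not part of the thread, of ComboFix, or of any of the tools mentioned. It parses those two line formats into records and applies two common triage heuristics (a binary launched from a user-profile path, and a binary outside Windows/Program Files). The sample log is a handful of lines copied from the log above, and the heuristics and their wording are mine; a flag is a pointer for manual review, not a verdict (in this log the flagged Run entry is Google Update, which does install per-user under Local Settings\Application Data).

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: a few autostart lines copied from the ComboFix log above
# (REGEDIT4-style Run values with "[date size]" suffixes, plus two service lines).
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Google Update"="c:\documents and settings\AVuylsteke\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-03-15 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [29/01/2009 15:28 142592]
S3 cglptnt;cglptnt;c:\software\ PC mgmt\totalcmd\CGLPTNT.SYS [30/08/2008 18:25 7888]
"""

RUN_KEY = re.compile(r"^\[(HKEY_[^\]]+)\]$")
RUN_VALUE = re.compile(r'^"([^"]+)"="([^"]+)"\s+\[(\d{4}-\d{2}-\d{2}) (\d+)\]$')
# "<start type> <service name>;<display name>;<image path> [dd/mm/yyyy hh:mm size]"
SERVICE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.+?) \[(\d{1,2}/\d{2}/\d{4}) \d{2}:\d{2} (\d+)\]$")


@dataclass
class Autostart:
    kind: str       # "run" (registry Run value) or "service"
    location: str   # registry key, or the service start type (R1, S3, ...)
    name: str
    path: str
    date: str
    size: int


def parse_autostarts(log: str) -> List[Autostart]:
    """Turn the Run-value and service lines of a ComboFix log into records."""
    entries: List[Autostart] = []
    key = None  # registry key that the following Run values belong to
    for line in log.splitlines():
        line = line.rstrip()
        if m := RUN_KEY.match(line):
            key = m.group(1)
        elif (m := RUN_VALUE.match(line)) and key:
            name, path, date, size = m.groups()
            entries.append(Autostart("run", key, name, path, date, int(size)))
        elif m := SERVICE.match(line):
            start, name, _display, path, date, size = m.groups()
            entries.append(Autostart("service", start, name, path, date, int(size)))
    return entries


# Heuristic path classes (assumptions of this example, not ComboFix's own logic).
PROFILE_DIRS = ("\\documents and settings\\", "\\users\\")
STANDARD_DIRS = ("\\windows\\", "\\program files\\")


def review_flags(entry: Autostart) -> List[str]:
    """Pointers for manual review; an empty list means nothing stood out."""
    p = entry.path.lower()
    flags = []
    if any(d in p for d in PROFILE_DIRS):
        flags.append("launched from a user profile (user-writable) path")
    if "\\temp\\" in p or "\\tmp\\" in p:
        flags.append("launched from a temp directory")
    if not any(d in p for d in STANDARD_DIRS):
        flags.append("binary outside Windows and Program Files")
    return flags


def triage(log: str) -> Dict[str, List[str]]:
    """Map each flagged autostart name to the reasons it was flagged."""
    result: Dict[str, List[str]] = {}
    for entry in parse_autostarts(log):
        flags = review_flags(entry)
        if flags:
            result[entry.name] = flags
    return result


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_LOG).items():
        print(f"{name}: {'; '.join(reasons)}")
```

Run against the sample, the script flags "Google Update" (user-profile path, outside Windows/Program Files) and the "cglptnt" driver (loaded from the Total Commander directory); CTFMON, avgnt and sp_rsdrv2 produce no flags. Feed it a whole ComboFix log and it will also pick up the HKEY_USERS\.DEFAULT entries, because the key regex accepts any hive.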

#12 SifuMike (malware expert)

Posted 07 May 2009 - 09:53 AM

Hi Garfinator,

Please disable any running anti-virus program before running Kaspersky Online Scanner.
If you are unsure how to do this, see this topic: http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/
Close any open browsers

Please do a scan with Kaspersky Online Scanner

You can refer to this animation by sundavis.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • In the drop down box labeled Files of type change the type to Text file.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
This scanner will only scan. It does not remove any malware it finds.
If I've saved you time & money, please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#13 Garfinator (Topic Starter)

Posted 08 May 2009 - 06:49 AM

Hi Mike,

Here's the log:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Friday, May 8, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Friday, May 08, 2009 10:06:17
Records in database: 2144185
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\

Scan statistics:
Files scanned: 76554
Threat name: 1
Infected objects: 1
Suspicious objects: 0
Duration of the scan: 02:54:29


File name / Threat name / Threats count
D:\RECYCLER\S-1-5-21-4179227258-1082734012-3998241974-1005\De30.doc Infected: Trojan.JS.Redirector.b 1

The selected area was scanned.
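The single detection sits under D:\RECYCLER\<SID>, the per-user Recycle Bin that Windows XP keeps on each NTFS volume. The machine part of that SID (S-1-5-21-4179227258-1082734012-3998241974) differs from the machine part of the logged-on user's SID (S-1-5-21-1214440339-2146941213-725345543, visible in the GoogleUpdateTaskUser job name in the ComboFix log above), so the account that deleted De30.doc was issued by a different Windows installation or domain that has used this volume. As an added example, not code from the thread or from Kaspersky, the following Python script parses the report's statistics and detection lines, pulls the owner SID out of RECYCLER paths and classifies it against the current user's SID, and cross-checks the header totals against the itemised list so that a truncated paste is noticed. The sample report text is copied from the post above; CURRENT_USER_SID is taken from the task name, and the classification wording is mine.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: statistics and detection lines copied from the Kaspersky
# Online Scanner 7.0 report posted above, trimmed to what the parser consumes.
SAMPLE_REPORT = r"""
Scan statistics:
Files scanned: 76554
Threat name: 1
Infected objects: 1
Suspicious objects: 0
Duration of the scan: 02:54:29


File name / Threat name / Threats count
D:\RECYCLER\S-1-5-21-4179227258-1082734012-3998241974-1005\De30.doc Infected: Trojan.JS.Redirector.b 1

The selected area was scanned.
"""

# SID of the logged-on user, read from the GoogleUpdateTaskUser<SID>.job task
# name in the ComboFix log above (Google Update embeds the user's SID there).
CURRENT_USER_SID = "S-1-5-21-1214440339-2146941213-725345543-1005"

STAT_LINE = re.compile(r"^(Files scanned|Infected objects|Suspicious objects): (\d+)$")
DETECTION_LINE = re.compile(
    r"^(?P<path>.+?) (?P<verdict>Infected|Suspicious): (?P<threat>\S+) (?P<count>\d+)$")
# RECYCLER\<SID> is the per-user Recycle Bin that Windows XP keeps on each NTFS volume.
RECYCLER_SID = re.compile(r"\\RECYCLER\\(S-1-5-21-\d+-\d+-\d+-\d+)\\", re.IGNORECASE)


@dataclass
class Detection:
    path: str
    verdict: str
    threat: str
    count: int
    owner_sid: Optional[str]  # set when the object sits in a per-user Recycle Bin


def domain_part(sid: str) -> str:
    """S-1-5-21-a-b-c-RID -> S-1-5-21-a-b-c, the identifier of the SAM/domain that issued the SID."""
    return sid.rsplit("-", 1)[0]


def rid(sid: str) -> int:
    """The relative identifier, i.e. the last component of the SID."""
    return int(sid.rsplit("-", 1)[1])


def describe_owner(sid: Optional[str]) -> str:
    """Which kind of account a Recycle Bin SID belongs to, and whether that
    account comes from this Windows installation or a different one."""
    if sid is None:
        return "not in a per-user Recycle Bin"
    same = domain_part(sid) == domain_part(CURRENT_USER_SID)
    where = "this installation" if same else "another Windows installation or domain"
    r = rid(sid)
    if r == 500:
        who = "built-in Administrator"
    elif r >= 1000:
        who = "local account"
    else:
        who = f"well-known RID {r}"
    return f"{who} on {where}"


def parse_report(text: str) -> Tuple[Dict[str, int], List[Detection]]:
    """Return (header statistics, itemised detections) from a Kaspersky Online Scanner 7 report."""
    stats: Dict[str, int] = {}
    detections: List[Detection] = []
    for line in text.splitlines():
        if m := STAT_LINE.match(line):
            stats[m.group(1)] = int(m.group(2))
        elif m := DETECTION_LINE.match(line):
            sid_match = RECYCLER_SID.search(m["path"])
            detections.append(Detection(m["path"], m["verdict"], m["threat"], int(m["count"]),
                                        sid_match.group(1) if sid_match else None))
    return stats, detections


def counts_consistent(stats: Dict[str, int], detections: List[Detection]) -> bool:
    """Cross-check the header totals against the itemised list, so a truncated
    paste (common with forum logs) does not go unnoticed."""
    infected = sum(d.count for d in detections if d.verdict == "Infected")
    suspicious = sum(d.count for d in detections if d.verdict == "Suspicious")
    return infected == stats.get("Infected objects") and suspicious == stats.get("Suspicious objects")


if __name__ == "__main__":
    stats, found = parse_report(SAMPLE_REPORT)
    print(stats, "| counts consistent:", counts_consistent(stats, found))
    for d in found:
        print(f"{d.threat}: {d.path} -> {describe_owner(d.owner_sid)}")
```

For the report above the script reports the Trojan.JS.Redirector.b object as belonging to a local account on another Windows installation or domain, and confirms that the one itemised detection matches the "Infected objects: 1" header. Note that the classification only compares SID prefixes; it says nothing about whether the other installation is still reachable, and a RECYCLER tree with several foreign prefixes (as in the ComboFix deletion list later in this thread) simply means the volume has been used from several accounts.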

#14 SifuMike (malware expert)

Posted 08 May 2009 - 08:42 AM

Hi Garfinator,

You need to disable your Avira Antivir Antivirus and Spyware Terminator before running ComboFix, as they will prevent it from running.

To disable Avira Antivirus:
Please navigate to the system tray in the bottom right-hand corner and look for an open white umbrella on a red background (looks like this: [image]).
  • Right-click it -> untick the option AntiVir Guard enable.
  • You should now see a closed white umbrella on a red background (looks like this: [image]).
You have successfully disabled the AntiVir Guard.


To disable Spyware Terminator Real-time Protection:
Click on the "Real-time Protection" tab, uncheck the "Use Real-time Protection" box and click on the "Save Changes" button.



Click Start, then Run and type Notepad and click OK.
Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the code box below into notepad:

Folder:: 
D:\RECYCLER


Name the Notepad file CFScript.txt and Save it to your desktop.

IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!

Then drag the CFScript into ComboFix.exe as shown in the screenshot. [screenshot]


This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply.

#15 Garfinator (Topic Starter)

Posted 08 May 2009 - 01:46 PM

Hello,

ComboFix.txt:

ComboFix 09-05-07.A01 - AVuylsteke 08/05/2009 20:41.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.31.1043.18.1023.496 [GMT 2:00]
Running from: c:\documents and settings\AVuylsteke\Bureaublad\ComboFix.exe
Command switches used :: c:\documents and settings\AVuylsteke\Bureaublad\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated)
* Created a new restore point
.

(((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

D:\RECYCLER
d:\recycler\S-1-5-21-1214440339-2146941213-725345543-1005\desktop.ini
d:\recycler\S-1-5-21-1214440339-2146941213-725345543-1005\INFO2
d:\recycler\S-1-5-21-1214440339-2146941213-725345543-500\Dd1.lnk
d:\recycler\S-1-5-21-1214440339-2146941213-725345543-500\Dd2.lnk
d:\recycler\S-1-5-21-1214440339-2146941213-725345543-500\Dd3.lnk
d:\recycler\S-1-5-21-1214440339-2146941213-725345543-500\Dd4.lnk
d:\recycler\S-1-5-21-1214440339-2146941213-725345543-500\Dd5.rtf
d:\recycler\S-1-5-21-1214440339-2146941213-725345543-500\desktop.ini
d:\recycler\S-1-5-21-1214440339-2146941213-725345543-500\INFO2
d:\recycler\S-1-5-21-1409082233-1645522239-839522115-1003\Dd1.~ini
d:\recycler\S-1-5-21-1409082233-1645522239-839522115-1003\Dd10.bmp
d:\recycler\S-1-5-21-1409082233-1645522239-839522115-1003\Dd11.xls
d:\recycler\S-1-5-21-1409082233-1645522239-839522115-1003\Dd12.xls
d:\recycler\S-1-5-21-1409082233-1645522239-839522115-1003\Dd13.rtf
d:\recycler\S-1-5-21-1409082233-1645522239-839522115-1003\Dd14.jpg
d:\recycler\S-1-5-21-1409082233-1645522239-839522115-1003\Dd15.jpg
d:\recycler\S-1-5-21-1409082233-1645522239-839522115-1003\Dd16.ppt
d:\recycler\S-1-5-21-1409082233-1645522239-839522115-1003\Dd17.zip
d:\recycler\S-1-5-21-1409082233-1645522239-839522115-1003\Dd18.rtf
d:\recycler\S-1-5-21-1409082233-1645522239-839522115-1003\Dd19.lnk
d:\recycler\S-1-5-21-1409082233-1645522239-839522115-1003\Dd2.~ini
d:\recycler\S-1-5-21-1409082233-1645522239-839522115-1003\Dd3.~dat
d:\recycler\S-1-5-21-1409082233-1645522239-839522115-1003\Dd4.~dat
d:\recycler\S-1-5-21-1409082233-1645522239-839522115-1003\Dd5.rtf
d:\recycler\S-1-5-21-1409082233-1645522239-839522115-1003\Dd6.doc
d:\recycler\S-1-5-21-1409082233-1645522239-839522115-1003\Dd7.pdf
d:\recycler\S-1-5-21-1409082233-1645522239-839522115-1003\Dd8.zip
d:\recycler\S-1-5-21-1409082233-1645522239-839522115-1003\Dd9.doc
d:\recycler\S-1-5-21-1409082233-1645522239-839522115-1003\desktop.ini
d:\recycler\S-1-5-21-1409082233-1645522239-839522115-1003\INFO2
d:\recycler\S-1-5-21-4179227258-1082734012-3998241974-1005\De1.txt
d:\recycler\S-1-5-21-4179227258-1082734012-3998241974-1005\De10.txt
d:\recycler\S-1-5-21-4179227258-1082734012-3998241974-1005\De11.txt
d:\recycler\S-1-5-21-4179227258-1082734012-3998241974-1005\De12.txt
d:\recycler\S-1-5-21-4179227258-1082734012-3998241974-1005\De13.txt
d:\recycler\S-1-5-21-4179227258-1082734012-3998241974-1005\De14.txt
d:\recycler\S-1-5-21-4179227258-1082734012-3998241974-1005\De15.JPG
d:\recycler\S-1-5-21-4179227258-1082734012-3998241974-1005\De16.JPG
d:\recycler\S-1-5-21-4179227258-1082734012-3998241974-1005\De17.txt
d:\recycler\S-1-5-21-4179227258-1082734012-3998241974-1005\De18.doc
d:\recycler\S-1-5-21-4179227258-1082734012-3998241974-1005\De19.gif
d:\recycler\S-1-5-21-4179227258-1082734012-3998241974-1005\De2.txt
d:\recycler\S-1-5-21-4179227258-1082734012-3998241974-1005\De20.pps
d:\recycler\S-1-5-21-4179227258-1082734012-3998241974-1005\De21.txt
d:\recycler\S-1-5-21-4179227258-1082734012-3998241974-1005\De22.doc
d:\recycler\S-1-5-21-4179227258-1082734012-3998241974-1005\De23.doc
d:\recycler\S-1-5-21-4179227258-1082734012-3998241974-1005\De24.doc
d:\recycler\S-1-5-21-4179227258-1082734012-3998241974-1005\De25.txt
d:\recycler\S-1-5-21-4179227258-1082734012-3998241974-1005\De26.eml
d:\recycler\S-1-5-21-4179227258-1082734012-3998241974-1005\De27.txt
d:\recycler\S-1-5-21-4179227258-1082734012-3998241974-1005\De28.eml
d:\recycler\S-1-5-21-4179227258-1082734012-3998241974-1005\De29.doc
d:\recycler\S-1-5-21-4179227258-1082734012-3998241974-1005\De3.eml
d:\recycler\S-1-5-21-4179227258-1082734012-3998241974-1005\De30.doc
d:\recycler\S-1-5-21-4179227258-1082734012-3998241974-1005\De4.txt
d:\recycler\S-1-5-21-4179227258-1082734012-3998241974-1005\De5.eml
d:\recycler\S-1-5-21-4179227258-1082734012-3998241974-1005\De6.txt
d:\recycler\S-1-5-21-4179227258-1082734012-3998241974-1005\De7.eml
d:\recycler\S-1-5-21-4179227258-1082734012-3998241974-1005\De8.txt
d:\recycler\S-1-5-21-4179227258-1082734012-3998241974-1005\De9.txt
d:\recycler\S-1-5-21-4179227258-1082734012-3998241974-1005\desktop.ini
d:\recycler\S-1-5-21-4179227258-1082734012-3998241974-1005\INFO2

.
(((((((((((((((((((( Files Created from 2009-04-08 to 2009-05-08 ))))))))))))))))))))))))))))))
.

2009-05-06 08:58 . 2009-03-24 14:08 55640 ----a-w c:\windows\system32\drivers\avgntflt.sys
2009-05-06 08:57 . 2009-05-06 08:57 -------- d-----w c:\documents and settings\All Users\Application Data\Avira
2009-05-06 08:57 . 2009-05-06 08:57 -------- d-----w c:\program files\Avira
2009-05-05 17:28 . 2009-05-05 17:28 -------- d-----w c:\documents and settings\AVuylsteke\Application Data\Malwarebytes
2009-05-05 17:27 . 2009-04-06 13:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-05 17:26 . 2009-04-06 13:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-05 17:26 . 2009-05-05 17:26 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-04 16:13 . 2008-07-06 12:06 117760 ------w c:\windows\system32\prntvpt.dll
2009-05-04 16:13 . 2008-07-06 12:06 89088 -c----w c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-05-04 16:13 . 2008-07-06 10:50 597504 -c----w c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-05-04 16:13 . 2008-07-06 12:06 575488 -c----w c:\windows\system32\dllcache\xpsshhdr.dll
2009-05-04 16:13 . 2008-07-06 12:06 575488 ------w c:\windows\system32\xpsshhdr.dll
2009-05-04 16:13 . 2008-07-06 12:06 1676288 -c----w c:\windows\system32\dllcache\xpssvcs.dll
2009-05-04 16:13 . 2008-07-06 12:06 1676288 ------w c:\windows\system32\xpssvcs.dll
2009-05-04 15:14 . 2009-05-04 15:14 -------- d--h--r C:\AHCache
2009-05-04 13:49 . 2009-05-04 14:03 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-05-04 13:49 . 2009-05-04 14:03 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-05-03 17:33 . 2009-05-08 18:37 -------- d--h--r c:\documents and settings\AVuylsteke\Onlangs geopend
2009-05-03 09:50 . 2009-05-03 09:50 -------- d-----w c:\documents and settings\AVuylsteke\Application Data\Canneverbe_Limited
2009-05-02 18:46 . 2009-05-02 18:46 -------- d-----w c:\windows\Ahead Nero Burning Rom
2009-04-25 08:22 . 2009-04-25 08:22 -------- d--h--w c:\windows\system32\GroupPolicy
2009-04-15 08:23 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 08:22 . 2009-03-06 14:23 285696 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-15 08:22 . 2009-02-09 11:27 111104 -c----w c:\windows\system32\dllcache\services.exe
2009-04-15 08:22 . 2009-02-09 10:56 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-15 08:22 . 2009-02-09 10:56 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-15 08:22 . 2009-02-09 10:56 684544 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-15 08:22 . 2009-02-09 10:56 734208 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 08:22 . 2009-02-09 10:56 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 08:22 . 2009-02-09 10:56 735744 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-15 08:20 . 2008-04-21 21:16 218624 -c----w c:\windows\system32\dllcache\wordpad.exe

.
((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-08 12:20 . 2009-01-30 06:17 -------- d-----w c:\program files\WinClamAVShield
2009-05-05 17:06 . 2008-08-30 19:01 -------- d-----w c:\program files\MSBuild
2009-05-04 15:58 . 2004-08-04 12:00 78674 ----a-w c:\windows\system32\perfc013.dat
2009-05-04 15:58 . 2004-08-04 12:00 461842 ----a-w c:\windows\system32\perfh013.dat
2009-05-04 13:59 . 2009-01-29 13:28 -------- d-----w c:\program files\Spyware Terminator
2009-03-31 19:32 . 2008-08-30 18:28 -------- d-----w c:\program files\Java
2009-03-19 20:15 . 2009-03-19 20:15 -------- d-----r c:\program files\Skype
2009-03-19 20:15 . 2009-03-19 20:15 -------- d-----w c:\program files\Common Files\Skype
2009-03-11 17:29 . 2009-03-11 17:26 -------- d-----w c:\program files\Microsoft
2009-03-11 17:29 . 2009-03-11 17:29 -------- d-----w c:\program files\Microsoft Office Outlook Connector
2009-03-11 17:28 . 2008-08-30 18:21 -------- d-----w c:\program files\Windows Live
2009-03-11 17:27 . 2009-03-11 17:27 -------- d-----w c:\program files\Microsoft SQL Server Compact Edition
2009-03-11 17:25 . 2009-03-11 17:25 -------- d-----w c:\program files\Windows Live SkyDrive
2009-03-11 11:11 . 2009-03-11 11:11 -------- d-----w c:\program files\Common Files\Windows Live
2009-03-09 03:19 . 2008-12-14 10:02 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-06 14:23 . 2004-08-04 12:00 285696 ----a-w c:\windows\system32\pdh.dll
2009-03-03 16:28 . 2008-08-30 20:26 69872 -c--a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-03 00:16 . 2004-08-04 12:00 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-27 13:51 . 2009-02-27 13:51 1024 ----a-w c:\windows\system32\grcauth2.dll
2009-02-27 13:51 . 2009-02-27 13:51 1024 ----a-w c:\windows\system32\grcauth1.dll
2009-02-27 13:39 . 2009-02-27 13:39 1025 ----a-w c:\windows\system32\sysprs7.dll
2009-02-20 17:18 . 2004-08-04 12:00 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-10 17:10 . 2004-08-04 00:58 2070400 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-09 14:08 . 2004-08-04 12:00 1846912 ----a-w c:\windows\system32\win32k.sys
2009-02-09 11:27 . 2004-08-04 12:00 2193408 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-09 11:27 . 2004-08-04 12:00 111104 ----a-w c:\windows\system32\services.exe
2009-02-09 10:56 . 2004-08-04 12:00 734208 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 10:56 . 2004-08-04 12:00 684544 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 10:56 . 2004-08-04 12:00 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 10:56 . 2004-08-04 12:00 735744 ----a-w c:\windows\system32\ntdll.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-05-06_16.58.26 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-08 08:34 . 2009-05-08 08:34 16384 c:\windows\Temp\Perflib_Perfdata_70c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legitimate default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]
"Google Update"="c:\documents and settings\AVuylsteke\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-03-15 133104]
"Copernic Desktop Search - Home"="c:\software\ PC mgmt\Copernic Desktop Search 2\DesktopSearchService.exe" [2009-03-19 1602048]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Acrobat Assistant 7.0"="c:\software\a PC mgmt\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-12-03 344064]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2006-06-29 1032192]
"QuickTime Task"="c:\software\a Multimedia\QuickTime\qttask.exe" [2008-09-06 413696]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-11-29 185872]
"SpywareTerminator"="c:\program files\Spyware Terminator\SpywareTerminatorShield.exe" [2009-01-29 2267136]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Administrator\Menu Start\Programma's\Opstarten\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 14:08 110592 ----a-w c:\program files\Intel\Wireless\Bin\LgNotify.dll

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"aux"= sysaudio.sys

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Software\\ Multimedia\\SopCast\\adv\\SopAdver.exe"=
"c:\\Software\\ Multimedia\\SopCast\\SopCast.exe"=
"c:\\Software\\ Multimedia\\Zattoo\\zattood.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Software\\a Multimedia\\iTunes\\iTunes.exe"=
"c:\\Software\\a File transfer\\FileZilla FTP Client\\filezilla.exe"=
"c:\\Software\\ PC mgmt\\totalcmd\\TOTALCMD.EXE"=
"c:\\Software\\ Multimedia\\VoipBuster.com\\VoipBuster\\VoipBuster.exe"=
"c:\\Software\\SPSSInc\\Statistics17\\statistics.exe"=
"c:\\Software\\SPSSInc\\Statistics17\\SPSSWinWrapIDE.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Documents and Settings\\AVuylsteke\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\AVuylsteke\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [29/01/2009 15:28 142592]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [6/05/2009 10:57 108289]
R3 msvad_simple;SoliCall;c:\windows\system32\drivers\solicall.sys [10/06/2006 17:19 205312]
S3 cglptnt;cglptnt;c:\software\ PC mgmt\totalcmd\CGLPTNT.SYS [30/08/2008 18:25 7888]
S3 s115bus;Sony Ericsson Device 115 driver (WDM);c:\windows\system32\drivers\s115bus.sys [8/01/2009 15:28 83208]
S3 s115mdfl;Sony Ericsson Device 115 USB WMC Modem Filter;c:\windows\system32\drivers\s115mdfl.sys [8/01/2009 15:28 15112]
S3 s115mdm;Sony Ericsson Device 115 USB WMC Modem Driver;c:\windows\system32\drivers\s115mdm.sys [8/01/2009 15:28 108680]
S3 s115mgmt;Sony Ericsson Device 115 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s115mgmt.sys [8/01/2009 15:29 100488]
S3 s115obex;Sony Ericsson Device 115 USB WMC OBEX Interface;c:\windows\system32\drivers\s115obex.sys [8/01/2009 15:29 98568]
.
Contents of the 'Scheduled Tasks' folder

2009-02-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 10:34]

2009-05-08 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-01-22 23:34]

2009-05-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1214440339-2146941213-725345543-1005.job
- c:\documents and settings\AVuylsteke\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-03-15 09:56]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
IE: Convert link target to Adobe PDF - c:\software\a PC mgmt\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\software\a PC mgmt\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\software\a PC mgmt\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\software\a PC mgmt\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\software\a PC mgmt\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\software\a PC mgmt\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\software\a PC mgmt\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\software\a PC mgmt\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: tsinghua.edu.cn\login
FF - ProfilePath - c:\documents and settings\AVuylsteke\Application Data\Mozilla\Firefox\Profiles\zgf7b1o5.default\
FF - prefs.js: browser.startup.homepage - hxxps://netlogin.kuleuven.be
FF - component: c:\software\ Multimedia\browserrecord\components\nprpbrowserrecordplugin.dll
FF - component: c:\software\ PC mgmt\Copernic Desktop Search 2\FirefoxConnector\components\CSPXPCOMBridge.dll
FF - plugin: c:\documents and settings\AVuylsteke\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\AVuylsteke\Local Settings\Application Data\Google\Update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: c:\software\ Multimedia\Netscape6\nppl3260.dll
FF - plugin: c:\software\ Multimedia\Netscape6\nprjplug.dll
FF - plugin: c:\software\ Multimedia\Netscape6\nprpjplug.dll
FF - plugin: c:\software\a Multimedia\iTunes\Mozilla Plugins\npitunes.dll
FF - plugin: c:\software\a Multimedia\QuickTime\Plugins\npqtplugin.dll
FF - plugin: c:\software\a Multimedia\QuickTime\Plugins\npqtplugin2.dll
FF - plugin: c:\software\a Multimedia\QuickTime\Plugins\npqtplugin3.dll
FF - plugin: c:\software\a Multimedia\QuickTime\Plugins\npqtplugin4.dll
FF - plugin: c:\software\a Multimedia\QuickTime\Plugins\npqtplugin5.dll
FF - plugin: c:\software\a Multimedia\QuickTime\Plugins\npqtplugin6.dll
FF - plugin: c:\software\a Multimedia\QuickTime\Plugins\npqtplugin7.dll
FF - plugin: c:\software\a PC mgmt\Adobe\Acrobat 7.0\Acrobat\browser\nppdf32.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-08 20:43
Windows 5.1.2600 Service Pack 3 NTFS

scannen van verborgen processen ...

scannen van verborgen autostart items ...

scannen van verborgen bestanden ...

Scan succesvol afgerond
verborgen bestanden: 0

**************************************************************************
.
--------------------- DLLs Geladen Onder Lopende Processen ---------------------

- - - - - - - > 'winlogon.exe'(1032)
c:\windows\system32\Ati2evxx.dll
c:\program files\Intel\Wireless\Bin\LgNotify.dll
.
Voltooingstijd: 2009-05-08 20:44
ComboFix-quarantined-files.txt 2009-05-08 18:44
ComboFix2.txt 2009-05-07 08:16
ComboFix3.txt 2009-05-06 17:00

Pre-Run: 1.189.855.232 bytes beschikbaar
Post-Run: 1.261.674.496 bytes beschikbaar

272 --- E O F --- 2009-04-30 01:10


Many thanks!



