
Infected with Trojan.FakeAlert/Rootkit.TDSS virus from AntiMalware


  • This topic is locked
25 replies to this topic

#1 Barcode

  • Members
  • 14 posts

Posted 19 December 2009 - 02:03 PM

Hello,

A few days ago, I suddenly got spammed by some fake antimalware program called "Antimalware".
This malicious malware was blocking entry to most programs like Internet and even things like the control panel.
I suspected it was fake, so I proceeded to boot up my pc in safe mode and Google the solution.
From there I had read that in a similar situation I should download "Malwarebyte's Anti-malware".
I updated it to version 1.42 and let it scan without any programs on safe mode. It found 34 or so infected files / viruses
and deleted them. After this I rebooted my pc and everything was working fine again, except that I couldn't
run checkdisk ("can't complete control") or defragmentation ("can't start defragmentation"). When I rebooted my PC again, the symptoms seemed to have come back; "antimalware" wasn't spamming me anymore, but internet didn't work and my pc started crashing again when I tried to open simple applications. I rebooted it again in safe mode, scanned again and it found 3 files. Each time I delete these (called: 2x trojan.FakeAlert and Rootkit.TDSS) and reboot, the applications work fine, but if I then reboot AGAIN, the applications crash again, and when I scan again it again finds these 3 files. So it seems to reinsert itself after I delete it and blocks stuff after a reboot. So each time I need to scan and delete it in safe mode to be able to go on the internet.

DDS log:

DDS (Ver_09-12-01.01) - NTFSx86 NETWORK
Run by lorenzo at 19:41:14,07 on za 19-12-2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_03
Microsoft Windows XP Professional 5.1.2600.2.1252.31.1043.18.2047.1678 [GMT 1:00]

AV: AntiMalware *On-access scanning enabled* (Outdated) {28e00e3b-806e-4533-925c-f4c3d79514b9}
AV: McAfee VirusScan *On-access scanning disabled* (Outdated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Documents and Settings\lorenzo\Bureaublad\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.be/
uSearch Page = hxxp://www.google.com
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}
uSearch Bar = hxxp://www.google.com/ie
mDefault_Page_URL = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Help bij koppelingen: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptcl.dll
BHO: Windows Live Aanmelden - Help: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: {E8249E69-A809-4544-832F-64EB65747A92} - No File
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: {BC4FFE41-DE9F-46FA-B455-AAD49B9F9938} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {32099AAC-C132-4136-9E9A-4E364A424E17} - No File
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\daemon.exe" -autorun
uRun: [CurseClient] c:\program files\curse\CurseClient.exe -silent
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_03\bin\jusched.exe"
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
mRun: [Creative WebCam Tray] c:\program files\creative\shared files\CAMTRAY.EXE
mRun: [MskAgentexe] c:\program files\mcafee\msk\MskAgent.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [WinSys2] c:\windows\system32\winsys2.exe
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: E&xporteren naar Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.9.113.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 nwprovau

============= SERVICES / DRIVERS ===============

R2 aawservice;Ad-Aware 2007 Service;c:\program files\lavasoft\ad-aware 2007\aawservice.exe [2008-1-4 587096]
R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\atl01_xp.sys [2008-6-4 38656]
S0 ffsqmavh;ffsqmavh;c:\windows\system32\drivers\jlptdj.sys --> c:\windows\system32\drivers\jlptdj.sys [?]
S0 kidlo;kidlo;c:\windows\system32\drivers\unocvcus.sys --> c:\windows\system32\drivers\unocvcus.sys [?]
S2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-9-29 54752]
S2 McAfee HackerWatch Service;McAfee HackerWatch Service;c:\program files\common files\mcafee\hackerwatch\HWAPI.exe [2007-3-23 540776]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2008-10-1 203280]
S2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2007-3-23 353368]
S2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-17 99328]
S2 McRedirector;McAfee Redirector Service;c:\progra~1\common~1\mcafee\redirsvc\redirsvc.exe [2007-3-23 248416]
S2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2007-3-23 144960]
S2 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2007-3-23 643664]
S3 DKRtWrt;DKRtWrt;c:\windows\system32\drivers\DKRtWrt.sys [2009-12-18 45232]
S3 fsssvc;De service Windows Live Family Safety;c:\program files\windows live\family safety\fsssvc.exe [2009-8-5 704864]
S3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2007-3-23 71496]
S3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2007-3-23 34184]
S3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2007-3-23 170408]
S3 mferkdk;McAfee Inc.;c:\windows\system32\drivers\mferkdk.sys [2007-3-23 32008]
S3 mfesmfk;McAfee Inc.;c:\windows\system32\drivers\mfesmfk.sys [2007-3-23 37480]
S3 PLCNDIS5;PLCNDIS5 NDIS Protocol Driver;c:\windows\system32\PLCNDIS5.SYS [2002-9-9 17018]

=============== Created Last 30 ================

2009-12-19 18:39:04 0 d--h--r- c:\documents and settings\lorenzo\Onlangs geopend
2009-12-18 17:31:16 45232 ----a-w- c:\windows\system32\drivers\DKRtWrt.sys
2009-12-18 17:31:10 0 d-----w- c:\program files\common files\Diskeeper Corporation
2009-12-18 17:31:10 0 d-----w- c:\docume~1\alluse~1\applic~1\Diskeeper Corporation
2009-12-18 17:31:09 0 d-----w- c:\program files\Windows Home Server
2009-12-18 17:31:09 0 d-----w- c:\program files\Diskeeper Corporation
2009-12-18 13:08:00 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-18 13:07:58 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-18 13:07:58 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-18 12:47:17 0 d-----w- C:\13b8df8a860605e9fe2764e7
2009-12-17 22:04:59 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-12-17 20:09:40 0 d-----w- c:\docume~1\lorenzo\applic~1\Malwarebytes
2009-12-17 19:53:03 0 d-----w- c:\program files\xMalwarebytes' Anti-Malware
2009-12-17 18:08:50 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-12-17 14:37:25 668 ----a-w- c:\windows\system32\krl32mainweq.dll
2009-12-17 14:36:24 201 ----a-w- c:\windows\system32\srcr.dat

==================== Find3M ====================

2009-12-15 09:01:53 87480 ----a-w- c:\windows\system32\perfc013.dat
2009-12-15 09:01:53 501416 ----a-w- c:\windows\system32\perfh013.dat
2009-10-28 14:38:04 70656 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2009-10-28 14:38:04 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
2009-10-28 06:54:16 634632 ----a-w- c:\windows\system32\dllcache\iexplore.exe
2009-10-28 06:52:46 161792 ------w- c:\windows\system32\dllcache\ieakui.dll
2009-10-21 06:03:38 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 06:03:38 75776 ------w- c:\windows\system32\dllcache\strmfilt.dll
2009-10-21 06:03:38 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-21 06:03:38 25088 ------w- c:\windows\system32\dllcache\httpapi.dll
2009-10-20 14:58:48 263552 ------w- c:\windows\system32\dllcache\http.sys
2009-10-13 10:53:29 267264 ----a-w- c:\windows\system32\oakley.dll
2009-10-13 10:53:29 267264 ------w- c:\windows\system32\dllcache\oakley.dll
2009-10-12 13:54:16 69632 ----a-w- c:\windows\system32\raschap.dll
2009-10-12 13:54:16 69632 ------w- c:\windows\system32\dllcache\raschap.dll
2009-10-12 13:54:16 112640 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:54:16 112640 ------w- c:\windows\system32\dllcache\rastls.dll
2006-06-23 22:48:54 32768 -c--a-r- c:\windows\inf\UpdateUSB.exe
2006-05-12 14:50:35 104 -csh--r- c:\windows\system32\E5D5BCD3F6.sys

============= FINISH: 19:42:16,40 ===============
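Added note (not part of any post in this thread): the two `S0` lines in the SERVICES / DRIVERS section above are what a responder's eye lands on first, because a boot-start driver with a random-looking name, no vendor description, and an image file DDS could not locate on disk is the typical footprint of a TDSS-class rootkit that survives a reboot. The script below is an added example, written for this page rather than taken from DDS, Malwarebytes or BleepingComputer; it parses lines in the DDS service layout and flags entries by those two criteria. The reading of a trailing `[?]` as "file not found" and the name heuristic are assumptions stated in the comments; the sample input is constructed to mirror the lines posted above.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in the shape of a DDS "SERVICES / DRIVERS" section.
# The entries mirror lines posted in the thread; nothing is read from a live machine.
SAMPLE_DDS_SERVICES = r"""
R2 aawservice;Ad-Aware 2007 Service;c:\program files\lavasoft\ad-aware 2007\aawservice.exe [2008-1-4 587096]
S0 ffsqmavh;ffsqmavh;c:\windows\system32\drivers\jlptdj.sys --> c:\windows\system32\drivers\jlptdj.sys [?]
S0 kidlo;kidlo;c:\windows\system32\drivers\unocvcus.sys --> c:\windows\system32\drivers\unocvcus.sys [?]
S3 DKRtWrt;DKRtWrt;c:\windows\system32\drivers\DKRtWrt.sys [2009-12-18 45232]
S3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2007-3-23 71496]
"""

# One DDS service line:  <R|S><start type> <name>;<display name>;<image path>
#                        [ --> <path DDS tried to resolve>] [<mtime size> | ?]
# Treating the trailing "[?]" as "file could not be found" is an assumption drawn
# from the lines in this thread, not from documented DDS output.
DDS_SERVICE_RE = re.compile(
    r"^(?P<status>[RS])(?P<start>\d)\s+"
    r"(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.*?)(?:\s+-->\s+(?P<resolved>.*?))?\s+\[(?P<info>[^\]]*)\]\s*$"
)

START_TYPES = {0: "boot", 1: "system", 2: "auto", 3: "demand", 4: "disabled"}


@dataclass
class ServiceEntry:
    status: str            # R = running, S = stopped
    start: int             # Windows service start type (0 = loaded at boot)
    name: str
    display: str
    path: str
    resolved: Optional[str]
    info: str              # "mtime size", or "?" when DDS found no file
    reasons: List[str] = field(default_factory=list)


def parse_dds_services(text: str) -> List[ServiceEntry]:
    """Parse every line that matches the DDS service/driver layout; skip the rest."""
    entries = []
    for raw in text.splitlines():
        m = DDS_SERVICE_RE.match(raw.strip())
        if m:
            entries.append(ServiceEntry(
                status=m["status"], start=int(m["start"]), name=m["name"],
                display=m["display"], path=m["path"], resolved=m["resolved"],
                info=m["info"]))
    return entries


def triage(entries: List[ServiceEntry]) -> List[ServiceEntry]:
    """Attach a reason to each entry a responder should look at; return only those."""
    for e in entries:
        if e.info.strip() == "?":
            e.reasons.append("image file not found on disk")
        # Heuristic (assumption): a boot-start driver whose display name is just its
        # own all-lower-case service name carries no vendor description, which
        # legitimate boot drivers normally do.
        if e.start == 0 and e.display == e.name and e.name.isalpha() and e.name.islower():
            e.reasons.append("boot-start driver with no vendor description")
    return [e for e in entries if e.reasons]


if __name__ == "__main__":
    for hit in triage(parse_dds_services(SAMPLE_DDS_SERVICES)):
        print(f"{hit.name:12} start={START_TYPES[hit.start]:7} {hit.path}")
        for r in hit.reasons:
            print(f"{'':12} - {r}")
```

Run against the sample, only `ffsqmavh` and `kidlo` come back, each with both reasons; the Diskeeper driver (`DKRtWrt`) also has no description but is demand-start, so the boot-start rule leaves it alone. The heuristics are deliberately narrow: they point a human at what to examine, they do not decide what to delete.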



#2 thcbytes

  • Malware Response Team
  • 14,790 posts

Posted 19 December 2009 - 06:07 PM

Hi and welcome to the HijackThis Logs and Virus/Trojan/Spyware/Malware Removal forum,

I am thcbytes and I am here to help you!

I ask that you refrain from running tools other than those I suggest to you while I am cleaning up your computer. The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Please perform all steps in the order received and do not proceed if you need clarification.

Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems please stop and tell me about it. When your computer is clean I will alert you of such. I will also provide you with detailed suggestions for prevention.

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days, if your topic has not been replied to, I will assume it has been abandoned and I will close it.

I would also like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please be courteous and appreciative for the assistance provided!

Again I would like to remind you to make no further changes to your computer unless I direct you to do so. Your computer fix will be based on the current condition of your computer! Any changes might delay my ability to help you.

==========

RKill by Grinler

Link #1
Link #2
Link #3
Link #4

  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Download Link #1.
  • Save it to your Desktop.
  • Double click the RKill desktop icon.
    If you are using Vista please right click and run as Admin!
  • A black screen will briefly flash indicating a successful run.
  • If this does not occur please delete that application and download Link #2.
  • Continue process until the tool runs.
  • If the tool does not run from any of the links tell me about it.
==========

Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed.

==========

Download and Run ComboFix (by sUBs)


Save it to your Desktop <-- Important!!!
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Please refer to this link for instructions.

  • Double click on kittyfix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

(screenshot)


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

(screenshot)

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

==========

Please re-run RootRepeal and post a log.

==========

With your next post please provide:

* Combofix.txt
* RootRepeal.txt

Kind regards,
~t
Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#3 Barcode
  • Topic Starter

  • Members
  • 14 posts

Posted 20 December 2009 - 05:49 AM

Hello and thanks for such a speedy reply

I've tried to follow the steps as close as possible and it all went fine, except with
combofix. While scanning it had found:
C:\WINDOWS\SYSTEM32\DRIVERS\H8SRToymqwrtlwa.sys
C:\WINDOWS\SYSTEM32\DRIVERS\H8SRTbirjxdoyro.dll
C:\WINDOWS\SYSTEM32\DRIVERS\H8SRTwkipfulrst.dat
C:\WINDOWS\SYSTEM32\DRIVERS\H8SRThxvgjklylq.dll
then after a reboot it completed a bunch of parts and then after another reboot it
gave me the error "can't find kittyfix/res.bat".

then I couldn't find any combofix log ...

Here's the 2nd rootrepeal report:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/12/20 10:40
Program Version: Version 1.3.5.0
Windows Version: Windows XP Media Center Edition SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB4195000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBA664000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB23C9000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

==EOF==

#4 thcbytes

  • Malware Response Team
  • 14,790 posts

Posted 20 December 2009 - 10:41 AM

Well done. :(

Re-boot again.

Please look for these files and post the logs please.

C:\ComboFix.txt
C:\Qoobox\ComboFix-quarantined-files.txt

How is your computer running?

Thanks,
~ t

#5 Barcode
  • Topic Starter

  • Members
  • 14 posts

Posted 20 December 2009 - 12:08 PM

hello,

I'm sorry but it seems I can't find these logs anywhere after 2 reboots. I've looked in every file and even used search.
The only thing I found is:

ComboFix 09-12-18.06 - lorenzo 20-12-2009 2:00:41.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.31.1043.18.2047.1694 [GMT 1:00]
Gestart vanuit: C:\Documents and Settings\lorenzo\Bureaublad\KittyFix.exe

And a log called "LogA" in the Qoobox:

\Registry\Machine\System\CurrentControlSet\Services\vkquwexg

*******************

Script file located at: \??\C:\KittyFix\ComboDel.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\QooBox
*******************

Beginning to process script file:

File move operation C:\WINDOWS\system32\DRIVERS\atapi.sys|C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\atapi.sys.vir_ completed successfully.
File move operation C:\KittyFix\atapi|C:\WINDOWS\system32\DRIVERS\atapi.sys completed successfully.
File move operation C:\WINDOWS\system32\drivers\H8SRToymqwrtlwa.sys|C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\H8SRToymqwrtlwa.sys.vir completed successfully.
File move operation C:\WINDOWS\system32\H8SRTbirjxdoyro.dll|C:\QooBox\Quarantine\C\WINDOWS\system32\H8SRTbirjxdoyro.dll.vir completed successfully.
File move operation C:\WINDOWS\system32\H8SRTwkipfulrst.dat|C:\QooBox\Quarantine\C\WINDOWS\system32\H8SRTwkipfulrst.dat.vir completed successfully.
File move operation C:\WINDOWS\system32\H8SRThxvgjklylq.dll|C:\QooBox\Quarantine\C\WINDOWS\system32\H8SRThxvgjklylq.dll.vir completed successfully.
Program C:\WINDOWS\Regedit.exe" /s "C:\KittyFix\SW_atapi.reg successfully set up to run once on reboot.
Program C:\KittyFix\CF17757.cfxxe" /c "C:\KittyFix\C.bat successfully set up to run once on reboot.

Completed script processing.

*******************

Finished! Terminate.//////////////////////////////////////////


\Registry\Machine\System\CurrentControlSet\Services\vkquwexg

*******************


Fatal error: integrity of Services key failed verification check! Security may be fatally compromised. Exiting immediately.

Could not open script file! Status: 0xc0000034 Abort!
//////////////////////////////////////////


\Registry\Machine\System\CurrentControlSet\Services\vkquwexg

*******************


Fatal error: integrity of Services key failed verification check! Security may be fatally compromised. Exiting immediately.

Could not open script file! Status: 0xc0000034 Abort!

_____________________________

Maybe I could run combofix again? Won't do that without your permission though.

My pc is running great, I can open all applications including internet and 'my computer'. The only thing that's worrying me is that my pc's making quite a lot of noise - even without any active program.

Thanks

#6 thcbytes

  • Malware Response Team
  • 14,790 posts

Posted 20 December 2009 - 12:16 PM

You're doing great! :(

A critical system file was fixed but a rootkit remains.

Yes. Let's run CF again.

Do it like this.....

Right click and delete kittyfix.exe.

Download and Run ComboFix (by sUBs)

You must rename it before saving it.

(screenshots)

Please download ComboFix from here:

Link

Save thcbytes.exe to your Desktop <-- Important!!!
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Please refer to this link for instructions.

  • Double click on thcbytes.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

(screenshot)


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

(screenshot)

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


Thanks,
~ t

#7 Barcode
  • Topic Starter

  • Members
  • 14 posts

Posted 20 December 2009 - 12:50 PM

yey I've got a combofix log ^^

ComboFix 09-12-19.03 - lorenzo 20-12-2009 18:42:20.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.31.1043.18.2047.1486 [GMT 1:00]
Gestart vanuit: c:\documents and settings\lorenzo\Bureaublad\thcbytes.exe
.

(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Voorgaande Run -------
.
C:\Thumbs.db
c:\windows\Downloaded Program Files\Install.inf
c:\windows\kb913800.exe
c:\windows\system32\drivers\H8SRToymqwrtlwa.sys
c:\windows\system32\dumphive.exe
c:\windows\system32\H8SRTbirjxdoyro.dll
c:\windows\system32\H8SRThxvgjklylq.dll
c:\windows\system32\H8SRTwkipfulrst.dat
c:\windows\system32\krl32mainweq.dll
c:\windows\system32\logs
c:\windows\system32\SrchSTS.exe
c:\windows\system32\srcr.dat
c:\windows\system32\tmp.reg
c:\windows\system32\VCCLSID.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_H8SRTd.sys
-------\Legacy_H8SRTd.sys


(((((((((((((((((((( Bestanden Gemaakt van 2009-11-20 to 2009-12-20 ))))))))))))))))))))))))))))))
.

2009-12-20 17:26 . 2009-06-30 13:01 715520 ----a-r- c:\windows\system32\drivers\rt2870.sys
2009-12-20 17:17 . 2009-06-30 13:01 221184 ----a-r- c:\windows\system32\RaCoInst.dll
2009-12-20 17:17 . 2009-06-30 13:01 13931 ----a-r- c:\windows\system32\RaCoInst.dat
2009-12-20 10:33 . 2009-12-20 10:33 -------- d-----w- C:\Diskeeper
2009-12-19 18:39 . 2009-12-20 17:15 -------- d--h--r- c:\documents and settings\lorenzo\Onlangs geopend
2009-12-18 17:31 . 2009-10-21 00:04 45232 ----a-w- c:\windows\system32\drivers\DKRtWrt.sys
2009-12-18 17:31 . 2009-12-18 17:31 -------- d-----w- c:\program files\Common Files\Diskeeper Corporation
2009-12-18 17:31 . 2009-12-18 17:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Diskeeper Corporation
2009-12-18 17:31 . 2009-12-18 17:31 -------- d-----w- c:\program files\Windows Home Server
2009-12-18 17:31 . 2009-12-18 17:31 -------- d-----w- c:\program files\Diskeeper Corporation
2009-12-18 13:08 . 2009-12-03 15:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-18 13:07 . 2009-12-18 13:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-18 13:07 . 2009-12-03 15:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-18 12:47 . 2009-12-18 12:47 -------- d-----w- C:\13b8df8a860605e9fe2764e7
2009-12-17 22:04 . 2009-12-19 22:36 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-12-17 20:09 . 2009-12-17 20:09 -------- d-----w- c:\documents and settings\lorenzo\Application Data\Malwarebytes
2009-12-17 19:53 . 2009-12-17 20:09 -------- d-----w- c:\program files\xMalwarebytes' Anti-Malware
2009-12-17 18:08 . 2009-12-17 18:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

.
((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-20 17:41 . 2008-03-02 18:00 -------- d-----w- c:\documents and settings\lorenzo\Application Data\Skype
2009-12-20 17:34 . 2005-09-02 01:05 87480 ----a-w- c:\windows\system32\perfc013.dat
2009-12-20 17:34 . 2005-09-02 01:05 501416 ----a-w- c:\windows\system32\perfh013.dat
2009-12-20 17:18 . 2006-04-10 12:50 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-12-20 16:35 . 2008-03-02 18:02 -------- d-----w- c:\documents and settings\lorenzo\Application Data\skypePM
2009-12-20 01:00 . 2006-04-04 14:18 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-12-20 01:00 . 2006-04-04 14:18 -------- d-----w- c:\program files\McAfee
2009-12-20 01:00 . 2006-04-04 14:16 -------- d-----w- c:\program files\McAfee.com
2009-12-19 18:13 . 2007-08-03 00:13 -------- d-----w- c:\documents and settings\lorenzo\Application Data\IGN_DLM
2009-12-19 18:13 . 2006-04-28 23:25 -------- d-----w- c:\program files\DivX
2009-12-19 18:12 . 2009-06-25 16:48 -------- d-----w- c:\program files\BitLord
2009-12-17 23:10 . 2006-04-22 11:23 -------- d-----w- c:\program files\Google
2009-11-27 15:42 . 2008-10-01 18:01 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2009-11-09 14:05 . 2007-02-04 11:22 -------- d-----w- c:\program files\LimeWire
2009-10-29 07:46 . 2005-09-02 01:05 832512 ----a-w- c:\windows\system32\wininet.dll
2009-10-29 07:46 . 2005-09-02 01:04 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-10-29 07:46 . 2005-09-02 01:04 17408 ----a-w- c:\windows\system32\corpol.dll
2009-10-21 06:03 . 2005-09-02 01:05 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 06:03 . 2005-09-02 01:04 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 14:58 . 2004-08-03 22:00 263552 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-13 10:53 . 2005-09-02 01:05 267264 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:54 . 2005-09-02 01:05 69632 ----a-w- c:\windows\system32\raschap.dll
2009-10-12 13:54 . 2005-09-02 01:05 112640 ----a-w- c:\windows\system32\rastls.dll
2009-09-29 14:31 . 2006-04-10 12:27 42376 -c--a-w- c:\documents and settings\lorenzo\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2006-05-12 14:50 . 2006-04-10 12:27 104 -csh--r- c:\windows\system32\E5D5BCD3F6.sys
.

((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-11-07 21633320]
"CurseClient"="c:\program files\Curse\CurseClient.exe" [2009-07-31 1935360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-14 94208]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-14 114688]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-14 77824]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-07-10 270648]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-10-19 286720]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"RTHDCPL"="RTHDCPL.EXE" [2007-03-21 16126464]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-06-28 8466432]
"nwiz"="nwiz.exe" [2007-06-28 1626112]
"WinSys2"="c:\windows\system32\winsys2.exe" [2006-04-29 208896]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-06-28 81920]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-09-02 15360]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0autocheck lsdelete

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2005-06-10 09:44 249856 -c--a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2005-06-10 09:44 81920 -c--a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\World of Warcraft\\WoW-1.10.0-enGB-downloader.exe"=
"c:\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\World of Warcraft\\WoW.exe"=
"c:\\World of Warcraft\\Repair.exe"=
"c:\\World of Warcraft\\WoW-1.10.2.5302-to-1.11.0.5428-enGB-downloader.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\WINDOWS\\system32\\lxczcoms.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe"=
"c:\\Program Files\\Curse\\CurseClient.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\StubInstaller.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1933:TCP"= 1933:TCP:Blizzar downloader
"3724:TCP"= 3724:TCP:Blizzard Downloader
"6112:TCP"= 6112:TCP:Blizzard Downloader

R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [29-9-2009 15:23 54752]
R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\atl01_xp.sys [4-6-2008 0:08 38656]
R3 DKRtWrt;DKRtWrt;c:\windows\system32\drivers\DKRtWrt.sys [18-12-2009 18:31 45232]
R3 rt2870;D-Link 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [20-12-2009 18:26 715520]
S0 ffsqmavh;ffsqmavh;c:\windows\system32\drivers\jlptdj.sys --> c:\windows\system32\drivers\jlptdj.sys [?]
S0 kidlo;kidlo;c:\windows\system32\drivers\unocvcus.sys --> c:\windows\system32\drivers\unocvcus.sys [?]
S3 fsssvc;De service Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [5-8-2009 21:48 704864]
S3 PLCNDIS5;PLCNDIS5 NDIS Protocol Driver;c:\windows\system32\PLCNDIS5.SYS [9-9-2002 19:53 17018]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [7-8-2008 21:15 717296]
.
------- Bijkomende Scan -------
.
uStart Page = hxxp://www.google.be/
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}
mStart Page = hxxp://www.google.com
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xporteren naar Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
.
- - - - ORPHANS VERWIJDERD - - - -

HKLM-Run-Creative WebCam Tray - c:\program files\Creative\Shared Files\CAMTRAY.EXE
AddRemove-IGN Download Manager - c:\program files\IGN\Download Manager\uninst.exe
AddRemove-New X Editor 3 - c:\program files\Microsoft Games\Age of Mythology\SXUNINST.EXE



**************************************************************************
scannen van verborgen processen ...

scannen van verborgen autostart items ...

scannen van verborgen bestanden ...

Scan succesvol afgerond
verborgen bestanden:

**************************************************************************
.
--------------------- VERGRENDELDE REGISTER SLEUTELS ---------------------

[HKEY_USERS\S-1-5-21-745787302-2696241262-1853562435-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
@Denied: (Full) (LocalSystem)
@SACL=

[HKEY_USERS\S-1-5-21-745787302-2696241262-1853562435-1005\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:e3,52,79,88,74,e2,95,07,03,35,22,c5,1c,31,93,b0,6c,92,cf,1a,6b,9b,f2,
9c,3b,77,93,30,40,d4,40,d7,e0,ab,8d,c5,d3,b6,40,d8,d8,ab,7c,cd,dd,a7,d8,b5,\
"??"=hex:a1,5e,47,db,25,65,bb,27,8b,92,55,34,10,3f,d9,49

[HKEY_USERS\S-1-5-21-745787302-2696241262-1853562435-1005\Software\SecuROM\License information*]
"datasecu"=hex:24,d9,54,df,9d,d0,49,d1,55,2f,dc,47,33,96,56,b6,32,c0,0a,d3,d8,
85,e3,69,f3,8e,54,3f,ad,b0,3d,b0,d5,a6,fb,e1,97,7c,2d,15,1e,84,ac,9a,0f,76,\
"rkeysecu"=hex:74,2b,85,e9,97,70,e6,6e,4a,d1,9c,07,8d,18,d4,7d

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\ěĽÇ|    ĽÇ|¨Ľ9~*]
"3140110900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"
.
--------------------- DLLs Geladen Onder Lopende Processen ---------------------

- - - - - - - > 'explorer.exe'(3060)
c:\windows\system32\nview.dll
c:\windows\system32\NVWRSNL.DLL
c:\windows\system32\nvwddi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Voltooingstijd: 2009-12-20 18:46:24
ComboFix-quarantined-files.txt 2009-12-20 17:46

Pre-Run: 36.032.401.408 bytes beschikbaar
Post-Run: 36.030.590.976 bytes beschikbaar

- - End Of File - - EB63C7588ECCAA432A4FA6408061EC8E

#8 thcbytes

  • Malware Response Team
  • 14,790 posts

Posted 20 December 2009 - 01:29 PM

Got that rootkit! :(
Still infected though.

What language are those headers? I might be a malware expert but I am just uni-lingual. :) I might need your help with translation.

==========

Let's continue....


==========

Click "start" on the taskbar and then click on the "Control Panel" icon.
Please double-click the "Add or Remove Programs" icon
A list of programs installed will be "populated" this may take a bit of time.
If they exist, uninstall the following by clicking on the following entries and selecting "remove":

Bitlord
Limewire


These are probably what got you infected in the 1st place!!!!!!

Additional instructions can be found here if needed.

==========

:( Warning: This script was specifically written and designed for this user only. Unsupervised use of this tool could render your computer unbootable permanently!! :)

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

http://www.bleepingcomputer.com/forums/t/280044/infected-with-trojanfakealertrootkittdss-virus-from-antimalware/

File::
c:\windows\system32\E5D5BCD3F6.sys
c:\windows\system32\winsys2.exe
c:\windows\system32\drivers\jlptdj.sys
c:\windows\system32\drivers\unocvcus.sys

Folder::
C:\13b8df8a860605e9fe2764e7

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinSys2"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=-

Suspect::[89]
c:\windows\system32\drivers\fssfltr_tdi.sys

Driver::
ffsqmavh
kidlo


Save this as CFScript.txt, in the same location as ComboFix.exe


[screenshot: CFScript.txt being dragged onto ComboFix.exe]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

==========

Update and re-run MBAM. Post a log.

==========

We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double-click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Under "Extra Registry" please check "Use Safelist" and also check "LOP Check" and "Purity Check" as pictured.
  • Push the Run Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
==========

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

==========

With your next post please provide:

* Combofix.txt
* MBAM log
* OTL.txt
* Extra.txt
* Gmer log
* Still running ok?

Kind regards,
~t
Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when your gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/
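As an added illustration of what thcbytes picked out of the log above before writing the CFScript (this is not code from the thread, from ComboFix, or from any tool mentioned here), the following Python script triages a ComboFix-style log for the three indicator classes the script addresses: services whose image file ComboFix reports as not found (`path --> path [?]`, here two boot-start drivers), the top-level Security Center `DisableMonitoring` value, and `EnableFirewall=0` in the standard firewall profile. The sample log lines are constructed from entries in this thread; the regexes, the `Finding` type and the severities are my own assumptions about the log layout, not a ComboFix format specification.

```python
"""Triage helper for a ComboFix-style log (constructed example, not ComboFix code).

Flags the three indicator classes that were acted on in this thread:
  * services/drivers whose image file ComboFix could not find ("--> ... [?]"),
  * Security Center monitoring switched off at the top-level Monitoring key,
  * Windows Firewall disabled in the standard profile.
"""
import re
from dataclasses import dataclass

# Constructed sample lines modelled on the log posted in this thread; not a real capture.
SAMPLE_LOG = r"""
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [29-9-2009 15:23 54752]
S0 ffsqmavh;ffsqmavh;c:\windows\system32\drivers\jlptdj.sys --> c:\windows\system32\drivers\jlptdj.sys [?]
S0 kidlo;kidlo;c:\windows\system32\drivers\unocvcus.sys --> c:\windows\system32\drivers\unocvcus.sys [?]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [7-8-2008 21:15 717296]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""


@dataclass
class Finding:
    kind: str      # machine-readable category (assumed names)
    severity: str  # "high" or "medium" (assumed scale)
    detail: str    # human-readable explanation


# "S0 name;display;path [date time size]", or "... path --> path [?]" when the file is missing
SERVICE_RE = re.compile(r"^([RS])([0-4]) ([^;]+);([^;]*);(.*) \[([^\]]*)\]$")
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.+)$')


def analyze(log_text: str) -> list:
    """Return a list of Finding objects for the indicators present in log_text."""
    findings = []
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue

        m = SERVICE_RE.match(line)
        if m:
            _state, start, name, _display, rest, info = m.groups()
            path = rest.split(" --> ", 1)[0]
            # "[?]" means ComboFix could not stat the image file: either the file
            # was deleted but the service entry remains, or something hides it.
            if info == "?":
                boot_start = start == "0"
                findings.append(Finding(
                    kind="missing-driver-image",
                    severity="high" if boot_start else "medium",
                    detail=f"service {name} (start type {start}"
                           f"{', boot-start' if boot_start else ''}) references "
                           f"{path}, which was not found on disk",
                ))
            continue

        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1).lower()   # remember the key the next values belong to
            continue

        m = VALUE_RE.match(line)
        if not m:
            continue
        value_name, value = m.group(1).lower(), m.group(2).strip()

        # Only the bare ...\security center\Monitoring key is flagged; per-product
        # subkeys such as SymantecAntiVirus are set by that product and left alone,
        # which matches what the CFScript above removes.
        if (current_key.endswith(r"\security center\monitoring")
                and value_name == "disablemonitoring"
                and value == "dword:00000001"):
            findings.append(Finding(
                kind="security-center-monitoring-disabled",
                severity="high",
                detail="Security Center monitoring is disabled at "
                       "HKLM\\software\\microsoft\\security center\\Monitoring",
            ))
        elif (current_key.endswith(r"firewallpolicy\standardprofile")
                and value_name == "enablefirewall"
                and value.split()[0] == "0"):
            findings.append(Finding(
                kind="firewall-disabled",
                severity="medium",
                detail="Windows Firewall is disabled in the standard profile",
            ))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.kind}: {f.detail}")
```

Run against the constructed sample it reports the two boot-start drivers with missing image files, the top-level `DisableMonitoring` value and the disabled firewall, and deliberately stays quiet about the `SymantecAntiVirus` subkey, the same distinction the CFScript makes. To use it on a real log, pass the file's contents to `analyze()`; the regexes assume the service and registry line shapes visible in this thread and will simply skip lines that do not match.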

#9 Barcode
  • Topic Starter

  • Members
  • 14 posts

Posted 20 December 2009 - 06:59 PM

Hello,

The language of the headers is Dutch. Just tell me what to translate and I'll happily do it for you.
I think I uninstalled Bitlord and Limewire a while back. Can't find them in the software window either, so I think they're gone.
Also, my pc is still running fine (better than before).

Here are the requested logs:


Combofix
ComboFix 09-12-19.03 - lorenzo 20-12-2009 19:48:48.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.31.1043.18.2047.1533 [GMT 1:00]
Gestart vanuit: c:\documents and settings\lorenzo\Bureaublad\thcbytes.exe
gebruikte Opdracht switches :: c:\documents and settings\lorenzo\Bureaublad\CFScript.txt

FILE ::
"c:\windows\system32\drivers\jlptdj.sys"
"c:\windows\system32\drivers\unocvcus.sys"
"c:\windows\system32\E5D5BCD3F6.sys"
"c:\windows\system32\winsys2.exe"

file zipped: c:\windows\system32\drivers\fssfltr_tdi.sys
.

(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\13b8df8a860605e9fe2764e7
c:\13b8df8a860605e9fe2764e7\$shtdwn$.req
c:\13b8df8a860605e9fe2764e7\mrt.exe
c:\13b8df8a860605e9fe2764e7\mrtstub.exe
c:\windows\system32\E5D5BCD3F6.sys
c:\windows\system32\winsys2.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_ffsqmavh
-------\Service_kidlo


(((((((((((((((((((( Bestanden Gemaakt van 2009-11-20 to 2009-12-20 ))))))))))))))))))))))))))))))
.

2009-12-20 17:41 . 2009-12-20 17:46 -------- d-----w- C:\thcbytes
2009-12-20 17:26 . 2009-06-30 13:01 715520 ----a-r- c:\windows\system32\drivers\rt2870.sys
2009-12-20 17:17 . 2009-06-30 13:01 221184 ----a-r- c:\windows\system32\RaCoInst.dll
2009-12-20 17:17 . 2009-06-30 13:01 13931 ----a-r- c:\windows\system32\RaCoInst.dat
2009-12-20 10:33 . 2009-12-20 10:33 -------- d-----w- C:\Diskeeper
2009-12-19 18:39 . 2009-12-20 18:47 -------- d--h--r- c:\documents and settings\lorenzo\Onlangs geopend
2009-12-18 17:31 . 2009-10-21 00:04 45232 ----a-w- c:\windows\system32\drivers\DKRtWrt.sys
2009-12-18 17:31 . 2009-12-18 17:31 -------- d-----w- c:\program files\Common Files\Diskeeper Corporation
2009-12-18 17:31 . 2009-12-18 17:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Diskeeper Corporation
2009-12-18 17:31 . 2009-12-18 17:31 -------- d-----w- c:\program files\Windows Home Server
2009-12-18 17:31 . 2009-12-18 17:31 -------- d-----w- c:\program files\Diskeeper Corporation
2009-12-18 13:08 . 2009-12-03 15:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-18 13:07 . 2009-12-18 13:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-18 13:07 . 2009-12-03 15:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-17 22:04 . 2009-12-19 22:36 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-12-17 20:09 . 2009-12-17 20:09 -------- d-----w- c:\documents and settings\lorenzo\Application Data\Malwarebytes
2009-12-17 19:53 . 2009-12-17 20:09 -------- d-----w- c:\program files\xMalwarebytes' Anti-Malware
2009-12-17 18:08 . 2009-12-17 18:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

.
((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-20 18:55 . 2008-03-02 18:00 -------- d-----w- c:\documents and settings\lorenzo\Application Data\Skype
2009-12-20 17:34 . 2005-09-02 01:05 87480 ----a-w- c:\windows\system32\perfc013.dat
2009-12-20 17:34 . 2005-09-02 01:05 501416 ----a-w- c:\windows\system32\perfh013.dat
2009-12-20 17:18 . 2006-04-10 12:50 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-12-20 16:35 . 2008-03-02 18:02 -------- d-----w- c:\documents and settings\lorenzo\Application Data\skypePM
2009-12-20 01:00 . 2006-04-04 14:18 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-12-20 01:00 . 2006-04-04 14:18 -------- d-----w- c:\program files\McAfee
2009-12-20 01:00 . 2006-04-04 14:16 -------- d-----w- c:\program files\McAfee.com
2009-12-19 18:13 . 2007-08-03 00:13 -------- d-----w- c:\documents and settings\lorenzo\Application Data\IGN_DLM
2009-12-19 18:13 . 2006-04-28 23:25 -------- d-----w- c:\program files\DivX
2009-12-19 18:12 . 2009-06-25 16:48 -------- d-----w- c:\program files\BitLord
2009-12-17 23:10 . 2006-04-22 11:23 -------- d-----w- c:\program files\Google
2009-11-27 15:42 . 2008-10-01 18:01 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2009-11-09 14:05 . 2007-02-04 11:22 -------- d-----w- c:\program files\LimeWire
2009-10-29 07:46 . 2005-09-02 01:05 832512 ------w- c:\windows\system32\wininet.dll
2009-10-29 07:46 . 2005-09-02 01:04 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-10-29 07:46 . 2005-09-02 01:04 17408 ----a-w- c:\windows\system32\corpol.dll
2009-10-21 06:03 . 2005-09-02 01:05 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 06:03 . 2005-09-02 01:04 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 14:58 . 2004-08-03 22:00 263552 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-13 10:53 . 2005-09-02 01:05 267264 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:54 . 2005-09-02 01:05 69632 ----a-w- c:\windows\system32\raschap.dll
2009-10-12 13:54 . 2005-09-02 01:05 112640 ----a-w- c:\windows\system32\rastls.dll
2009-09-29 14:31 . 2006-04-10 12:27 42376 -c--a-w- c:\documents and settings\lorenzo\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-11-07 21633320]
"CurseClient"="c:\program files\Curse\CurseClient.exe" [2009-07-31 1935360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-14 94208]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-14 114688]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-14 77824]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-07-10 270648]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-10-19 286720]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"RTHDCPL"="RTHDCPL.EXE" [2007-03-21 16126464]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-06-28 8466432]
"nwiz"="nwiz.exe" [2007-06-28 1626112]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-06-28 81920]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-09-02 15360]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0autocheck lsdelete

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2005-06-10 09:44 249856 -c--a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2005-06-10 09:44 81920 -c--a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\World of Warcraft\\WoW-1.10.0-enGB-downloader.exe"=
"c:\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\World of Warcraft\\WoW.exe"=
"c:\\World of Warcraft\\Repair.exe"=
"c:\\World of Warcraft\\WoW-1.10.2.5302-to-1.11.0.5428-enGB-downloader.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\WINDOWS\\system32\\lxczcoms.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe"=
"c:\\Program Files\\Curse\\CurseClient.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\StubInstaller.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1933:TCP"= 1933:TCP:Blizzar downloader
"3724:TCP"= 3724:TCP:Blizzard Downloader
"6112:TCP"= 6112:TCP:Blizzard Downloader

R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [29-9-2009 15:23 54752]
R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\atl01_xp.sys [4-6-2008 0:08 38656]
R3 DKRtWrt;DKRtWrt;c:\windows\system32\drivers\DKRtWrt.sys [18-12-2009 18:31 45232]
R3 rt2870;D-Link 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [20-12-2009 18:26 715520]
S3 fsssvc;De service Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [5-8-2009 21:48 704864]
S3 PLCNDIS5;PLCNDIS5 NDIS Protocol Driver;c:\windows\system32\PLCNDIS5.SYS [9-9-2002 19:53 17018]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [7-8-2008 21:15 717296]
.
------- Bijkomende Scan -------
.
uStart Page = hxxp://www.google.be/
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}
mStart Page = hxxp://www.google.com
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xporteren naar Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-20 19:52
Windows 5.1.2600 Service Pack 2 NTFS

scannen van verborgen processen ...

scannen van verborgen autostart items ...

scannen van verborgen bestanden ...

Scan succesvol afgerond
verborgen bestanden: 0

**************************************************************************
.
--------------------- VERGRENDELDE REGISTER SLEUTELS ---------------------

[HKEY_USERS\S-1-5-21-745787302-2696241262-1853562435-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
@Denied: (Full) (LocalSystem)
@SACL=

[HKEY_USERS\S-1-5-21-745787302-2696241262-1853562435-1005\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:e3,52,79,88,74,e2,95,07,03,35,22,c5,1c,31,93,b0,6c,92,cf,1a,6b,9b,f2,
9c,3b,77,93,30,40,d4,40,d7,e0,ab,8d,c5,d3,b6,40,d8,d8,ab,7c,cd,dd,a7,d8,b5,\
"??"=hex:a1,5e,47,db,25,65,bb,27,8b,92,55,34,10,3f,d9,49

[HKEY_USERS\S-1-5-21-745787302-2696241262-1853562435-1005\Software\SecuROM\License information*]
"datasecu"=hex:24,d9,54,df,9d,d0,49,d1,55,2f,dc,47,33,96,56,b6,32,c0,0a,d3,d8,
85,e3,69,f3,8e,54,3f,ad,b0,3d,b0,d5,a6,fb,e1,97,7c,2d,15,1e,84,ac,9a,0f,76,\
"rkeysecu"=hex:74,2b,85,e9,97,70,e6,6e,4a,d1,9c,07,8d,18,d4,7d

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\ěĽÇ|    ĽÇ|¨Ľ9~*]
"3140110900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"
.
--------------------- DLLs Geladen Onder Lopende Processen ---------------------

- - - - - - - > 'explorer.exe'(3760)
c:\windows\system32\nview.dll
c:\windows\system32\NVWRSNL.DLL
c:\windows\system32\nvwddi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Andere Aktieve Processen ------------------------
.
c:\program files\Lavasoft\Ad-Aware 2007\aawservice.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Diskeeper Corporation\Diskeeper\DkService.exe
c:\windows\system32\lxczcoms.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\RUNDLL32.EXE
c:\windows\system32\rundll32.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
.
**************************************************************************
.
Voltooingstijd: 2009-12-20 19:56:58 - machine werd herstart
ComboFix-quarantined-files.txt 2009-12-20 18:56
ComboFix2.txt 2009-12-20 17:46

Pre-Run: 36.045.447.168 bytes beschikbaar
Post-Run: 35.899.457.536 bytes beschikbaar

- - End Of File - - 1B4CF5566CB35FF76C99308F401CD119

Mbam
Malwarebytes' Anti-Malware 1.42
Database versie: 3392
Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.11

20-12-2009 21:13:02
mbam-log-2009-12-20 (21-13-02).txt

Scan type: Volledige Scan (A:\|C:\|D:\|)
Objecten gescand: 218067
Verstreken tijd: 1 hour(s), 11 minute(s), 31 second(s)

Geheugenprocessen geïnfecteerd: 0
Geheugenmodulen geïnfecteerd: 0
Registersleutels geïnfecteerd: 0
Registerwaarden geïnfecteerd: 0
Registerdata bestanden geïnfecteerd: 0
Mappen geïnfecteerd: 0
Bestanden geïnfecteerd: 6

Geheugenprocessen geïnfecteerd:
(Geen kwaadaardige items gevonden)

Geheugenmodulen geïnfecteerd:
(Geen kwaadaardige items gevonden)

Registersleutels geïnfecteerd:
(Geen kwaadaardige items gevonden)

Registerwaarden geïnfecteerd:
(Geen kwaadaardige items gevonden)

Registerdata bestanden geïnfecteerd:
(Geen kwaadaardige items gevonden)

Mappen geïnfecteerd:
(Geen kwaadaardige items gevonden)

Bestanden geïnfecteerd:
C:\System Volume Information\_restore{D26103C1-3760-4E9D-B6C7-BA3C8AD98EF9}\RP1117\A0172509.sys (Malware.Packer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D26103C1-3760-4E9D-B6C7-BA3C8AD98EF9}\RP1117\A0172511.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D26103C1-3760-4E9D-B6C7-BA3C8AD98EF9}\RP1117\A0172510.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\H8SRTbirjxdoyro.dll.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\H8SRThxvgjklylq.dll.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\H8SRToymqwrtlwa.sys.vir (Malware.Packer) -> Quarantined and deleted successfully.

OTL
OTL logfile created on: 20-12-2009 21:19:09 - Run 1
OTL by OldTimer - Version 3.1.19.0 Folder = C:\Documents and Settings\lorenzo\Bureaublad
Windows XP Media Center Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000413 | Country: Nederland | Language: NLD | Date Format: d-M-yyyy

2,00 Gb Total Physical Memory | 1,00 Gb Available Physical Memory | 74,00% Memory free
3,00 Gb Paging File | 2,00 Gb Available in Paging File | 82,00% Paging File free
Paging file location(s): C:\pagefile.sys 756 1512 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 144,33 Gb Total Space | 33,47 Gb Free Space | 23,19% Space Free | Partition Type: NTFS
Drive D: | 72,95 Mb Total Space | 0,00 Mb Free Space | 0,00% Space Free | Partition Type: CDFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: DHCV762J
Current User Name: lorenzo
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2009-12-20 21:17:27 | 00,513,536 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\lorenzo\Bureaublad\OTL.exe
PRC - [2009-10-28 07:54:16 | 00,634,632 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\iexplore.exe
PRC - [2009-10-23 19:44:36 | 01,732,960 | ---- | M] (Diskeeper Corporation) -- C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
PRC - [2009-07-31 10:08:33 | 01,935,360 | ---- | M] () -- C:\Program Files\Curse\CurseClient.exe
PRC - [2009-05-19 10:36:18 | 00,240,512 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
PRC - [2009-02-06 17:21:00 | 00,224,632 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\Toolbar\wltuser.exe
PRC - [2008-11-07 14:31:40 | 00,076,744 | R--- | M] (Skype Technologies) -- C:\Program Files\Skype\Plugin Manager\skypePM.exe
PRC - [2008-11-07 14:31:38 | 21,633,320 | R--- | M] (Skype Technologies S.A.) -- C:\Program Files\Skype\Phone\Skype.exe
PRC - [2008-07-12 15:08:29 | 00,066,872 | ---- | M] () -- C:\WINDOWS\system32\PnkBstrA.exe
PRC - [2008-01-11 22:16:38 | 00,039,792 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
PRC - [2008-01-04 13:27:08 | 00,587,096 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
PRC - [2007-09-25 01:11:35 | 00,132,496 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
PRC - [2007-07-10 08:18:20 | 00,270,648 | ---- | M] (Apple Inc.) -- C:\Program Files\iTunes\iTunesHelper.exe
PRC - [2007-07-10 08:18:14 | 00,501,048 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe
PRC - [2007-07-09 17:46:50 | 00,106,496 | ---- | M] (Apple, Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PRC - [2007-06-28 17:43:00 | 00,155,716 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe
PRC - [2007-06-13 14:24:02 | 01,036,800 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007-03-21 15:49:20 | 16,126,464 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\RTHDCPL.EXE
PRC - [2007-01-29 17:11:36 | 00,537,520 | ---- | M] ( ) -- C:\WINDOWS\system32\lxczcoms.exe
PRC - [2005-10-05 03:12:00 | 00,094,208 | ---- | M] () -- C:\Program Files\Dell\Media Experience\DMXLauncher.exe
PRC - [2004-09-02 12:00:00 | 00,013,824 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wscntfy.exe


========== Modules (SafeList) ==========

MOD - [2009-12-20 21:17:27 | 00,513,536 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\lorenzo\Bureaublad\OTL.exe
MOD - [2007-06-28 17:43:00 | 01,474,560 | ---- | M] () -- C:\WINDOWS\system32\nview.dll
MOD - [2007-06-28 17:43:00 | 00,319,488 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvwrsnl.dll
MOD - [2007-06-28 17:43:00 | 00,081,920 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvwddi.dll
MOD - [2006-08-25 16:51:53 | 01,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- -- (NMIndexingService)
SRV - File not found [Auto | Stopped] -- -- (MSK80Service)
SRV - File not found [Auto | Stopped] -- -- (MpfService)
SRV - File not found [Auto | Stopped] -- -- (McNASvc)
SRV - [2009-10-23 19:44:36 | 01,732,960 | ---- | M] (Diskeeper Corporation) [Auto | Running] -- C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe -- (Diskeeper)
SRV - [2009-08-05 21:48:42 | 00,704,864 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Live\Family Safety\fsssvc.exe -- (fsssvc)
SRV - [2009-05-19 10:36:18 | 00,240,512 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe -- (SeaPort)
SRV - [2008-07-12 15:08:29 | 00,066,872 | ---- | M] () [Auto | Running] -- C:\WINDOWS\system32\PnkBstrA.exe -- (PnkBstrA)
SRV - [2008-01-04 13:27:08 | 00,587,096 | ---- | M] (Lavasoft) [Auto | Running] -- C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe -- (aawservice)
SRV - [2007-07-10 08:18:14 | 00,501,048 | ---- | M] (Apple Inc.) [On_Demand | Running] -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service)
SRV - [2007-07-09 17:46:50 | 00,106,496 | ---- | M] (Apple, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2007-06-28 17:43:00 | 00,155,716 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\WINDOWS\system32\nvsvc32.exe -- (NVSvc)
SRV - [2007-01-29 17:11:36 | 00,537,520 | ---- | M] ( ) [Auto | Running] -- C:\WINDOWS\System32\lxczcoms.exe -- (lxcz_device)
SRV - [2006-10-13 13:41:32 | 00,065,536 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\WINDOWS\system32\nwwks.dll -- (NWCWorkstation)
SRV - [2006-06-03 17:28:18 | 00,072,704 | ---- | M] (Adobe Systems) [On_Demand | Stopped] -- C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe -- (Adobe LM Service)
SRV - [2005-04-03 23:41:10 | 00,069,632 | ---- | M] (Macrovision Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe -- (IDriverT)
SRV - [2004-11-19 11:26:40 | 00,147,456 | ---- | M] (Intel® Corporation) [On_Demand | Stopped] -- C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe -- (NetSvc)
SRV - [2003-07-28 19:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)


========== Driver Services (SafeList) ==========

DRV - [2009-10-21 01:04:34 | 00,045,232 | ---- | M] (Diskeeper Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\system32\drivers\DKRtWrt.sys -- (DKRtWrt)
DRV - [2009-08-05 21:48:42 | 00,054,752 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\fssfltr_tdi.sys -- (fssfltr)
DRV - [2009-06-30 14:01:00 | 00,715,520 | R--- | M] (Ralink Technology, Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\rt2870.sys -- (rt2870)
DRV - [2008-11-20 20:19:06 | 00,043,872 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\PxHelp20.sys -- (PxHelp20)
DRV - [2008-08-07 21:15:47 | 00,717,296 | ---- | M] (Duplex Secure Ltd.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\Drivers\sptd.sys -- (sptd)
DRV - [2007-11-13 11:25:55 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv)
DRV - [2007-06-28 17:43:00 | 06,807,328 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2007-03-26 20:21:06 | 04,395,008 | R--- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2007-03-15 15:12:02 | 00,038,656 | R--- | M] (Attansic Technology corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\atl01_xp.sys -- (AtcL001)
DRV - [2006-10-18 20:12:16 | 00,012,664 | R--- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\AsIO.sys -- (AsIO)
DRV - [2006-10-13 11:23:15 | 00,163,584 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nwrdr.sys -- (NWRDR)
DRV - [2006-09-19 13:44:04 | 00,015,664 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV - [2005-11-16 21:36:00 | 01,047,816 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA)
DRV - [2005-10-14 21:15:18 | 01,302,812 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ialmnt5.sys -- (ialm)
DRV - [2005-08-10 13:44:04 | 00,050,688 | ---- | M] (Protection Technology) [Kernel | Boot | Running] -- C:\WINDOWS\System32\drivers\sfdrv01.sys -- (sfdrv01) StarForce Protection Environment Driver (version 1.x)
DRV - [2005-05-16 14:20:39 | 00,006,656 | ---- | M] (Protection Technology) [Kernel | Boot | Running] -- C:\WINDOWS\System32\drivers\sfhlp02.sys -- (sfhlp02) StarForce Protection Helper Driver (version 2.x)
DRV - [2005-01-07 16:07:18 | 00,138,752 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Hdaudbus.sys -- (HDAudBus)
DRV - [2004-10-14 08:30:46 | 00,155,648 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\e100b325.sys -- (E100B) Intel®
DRV - [2004-09-02 12:00:00 | 00,088,448 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\nwlnkipx.sys -- (NwlnkIpx)
DRV - [2004-09-02 12:00:00 | 00,063,232 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\nwlnknb.sys -- (NwlnkNb)
DRV - [2004-09-02 12:00:00 | 00,055,936 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\nwlnkspx.sys -- (NwlnkSpx)
DRV - [2004-09-02 12:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink)
DRV - [2004-08-13 19:56:20 | 00,005,810 | R--- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ASACPI.sys -- (MTsensor)
DRV - [2004-08-03 23:07:56 | 00,059,264 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\USBAUDIO.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2004-08-03 23:07:44 | 00,043,008 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\amdagp.sys -- (amdagp)
DRV - [2004-08-03 23:07:44 | 00,041,088 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sisagp.sys -- (sisagp)
DRV - [2002-09-09 19:53:50 | 00,017,018 | ---- | M] (Intellon, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\PLCNDIS5.SYS -- (PLCNDIS5)
DRV - [2001-09-06 19:02:58 | 00,006,656 | ---- | M] (CMD Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\cmdide.sys -- (CmdIde)
DRV - [2001-08-17 22:07:44 | 00,019,072 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sparrow.sys -- (Sparrow)
DRV - [2001-08-17 22:07:42 | 00,030,688 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys -- (sym_u3)
DRV - [2001-08-17 22:07:40 | 00,028,384 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys -- (sym_hi)
DRV - [2001-08-17 22:07:36 | 00,032,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys -- (symc8xx)
DRV - [2001-08-17 22:07:34 | 00,016,256 | ---- | M] (Symbios Logic Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\symc810.sys -- (symc810)
DRV - [2001-08-17 21:52:22 | 00,036,736 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ultra.sys -- (ultra)
DRV - [2001-08-17 21:52:20 | 00,045,312 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql12160.sys -- (ql12160)
DRV - [2001-08-17 21:52:20 | 00,040,320 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql1080.sys -- (ql1080)
DRV - [2001-08-17 21:52:18 | 00,049,024 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql1280.sys -- (ql1280)
DRV - [2001-08-17 21:52:16 | 00,179,584 | ---- | M] (Mylex Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys -- (dac2w2k)
DRV - [2001-08-17 21:52:12 | 00,017,280 | ---- | M] (American Megatrends Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys -- (mraid35x)
DRV - [2001-08-17 21:52:00 | 00,026,496 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\asc.sys -- (asc)
DRV - [2001-08-17 21:51:58 | 00,014,848 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\asc3550.sys -- (asc3550)
DRV - [2001-08-17 21:51:56 | 00,005,248 | ---- | M] (Acer Laboratories Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [Binary data over 100 bytes]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = [Binary data over 100 bytes]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie


IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-745787302-2696241262-1853562435-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
IE - HKU\S-1-5-21-745787302-2696241262-1853562435-1005\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKU\S-1-5-21-745787302-2696241262-1853562435-1005\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerms}
IE - HKU\S-1-5-21-745787302-2696241262-1853562435-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.be/
IE - HKU\S-1-5-21-745787302-2696241262-1853562435-1005\S-1-5-21-745787302-2696241262-1853562435-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Google"
FF - prefs.js..browser.search.defaulturl: "http://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q="
FF - prefs.js..browser.search.selectedEngine: "DAEMON Search"
FF - prefs.js..browser.startup.homepage: "http://www.daemon-search.com/startpage"


FF - HKLM\software\mozilla\Firefox\Extensions\\{3112ca9c-de6d-4884-a869-9855de68056c}: C:\Documents and Settings\All Users\Application Data\Mozilla\Firefox Extensions\{3112ca9c-de6d-4884-a869-9855de68056c} [2007-10-20 13:30:49 | 00,000,000 | ---D | M]

[2009-07-12 19:47:19 | 00,000,000 | ---D | M] -- C:\Documents and Settings\lorenzo\Application Data\Mozilla\Extensions
[2009-07-12 19:47:19 | 00,000,000 | ---D | M] -- C:\Documents and Settings\lorenzo\Application Data\Mozilla\Extensions\mozswing@mozswing.org
[2009-07-04 11:33:55 | 00,000,000 | ---D | M] -- C:\Documents and Settings\lorenzo\Application Data\Mozilla\Firefox\Profiles\iawrrj8n.default\extensions
[2008-03-01 11:16:06 | 00,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Documents and Settings\lorenzo\Application Data\Mozilla\Firefox\Profiles\iawrrj8n.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2008-08-09 13:13:29 | 00,000,523 | ---- | M] () -- C:\Documents and Settings\lorenzo\Application Data\Mozilla\Firefox\Profiles\iawrrj8n.default\searchplugins\daemon-search.xml
[2007-12-07 12:01:26 | 00,000,276 | ---- | M] () -- C:\Documents and Settings\lorenzo\Application Data\Mozilla\Firefox\Profiles\iawrrj8n.default\searchplugins\search.xml
[2007-10-20 13:36:55 | 00,002,386 | ---- | M] () -- C:\Documents and Settings\lorenzo\Application Data\Mozilla\Firefox\Profiles\iawrrj8n.default\searchplugins\siteadvisor.xml
[2009-07-08 13:41:21 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2009-06-25 17:48:42 | 00,000,000 | ---D | M] (TorrentMan Toolbar) -- C:\Program Files\Mozilla Firefox\extensions\{7c5c0f58-e061-457d-9033-77307f5ed00c}
[2008-01-08 01:45:16 | 00,054,600 | ---- | M] (BitTorrent, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npbittorrent.dll
[2007-07-10 08:18:10 | 00,069,632 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\npitunes.dll

O1 HOSTS File: (27 bytes) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Search Helper) - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll (Microsoft Corporation)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Windows Live Toolbar Helper) - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKU\S-1-5-21-745787302-2696241262-1853562435-1005\..\Toolbar\ShellBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\S-1-5-21-745787302-2696241262-1853562435-1005\..\Toolbar\ShellBrowser: (no name) - {BC4FFE41-DE9F-46FA-B455-AAD49B9F9938} - No CLSID value found.
O3 - HKU\S-1-5-21-745787302-2696241262-1853562435-1005\..\Toolbar\WebBrowser: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe ()
O4 - HKLM..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe (Intel Corporation)
O4 - HKLM..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe (Intel Corporation)
O4 - HKLM..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe (Intel Corporation)
O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe (Apple Inc.)
O4 - HKLM..\Run: [RTHDCPL] C:\WINDOWS\RTHDCPL.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [UserFaultCheck] File not found
O4 - HKU\S-1-5-21-745787302-2696241262-1853562435-1005..\Run: [CurseClient] C:\Program Files\Curse\CurseClient.exe ()
O4 - HKU\S-1-5-21-745787302-2696241262-1853562435-1005..\Run: [Skype] C:\Program Files\Skype\Phone\Skype.exe (Skype Technologies S.A.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallVisualStyle = C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles (Microsoft)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallTheme = C:\WINDOWS\Resources\Themes\Royale.theme ()
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-745787302-2696241262-1853562435-1005\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-745787302-2696241262-1853562435-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-745787302-2696241262-1853562435-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-745787302-2696241262-1853562435-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\S-1-5-21-745787302-2696241262-1853562435-1005_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll (Sun Microsystems, Inc.)
O9 - Extra Button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\WINDOWS\system32\nwprovau.dll (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://www.apple.com/qtactivex/qtplugin.cab (QuickTime Object)
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.9.113.cab (Reg Error: Key error.)
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} http://download.divx.com/player/DivXBrowserPlugin.cab (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_03)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_02)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_03)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_03)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/get/flash...ent/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O30 - LSA: Authentication Packages - (nwprovau) - C:\WINDOWS\System32\nwprovau.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005-09-02 02:29:08 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2009-06-30 13:55:00 | 00,453,376 | R--- | M] (MediaChance) - D:\autorun.exe -- [ CDFS ]
O32 - AutoRun File - [2009-06-30 13:55:00 | 00,000,047 | R--- | M] () - D:\autorun.inf -- [ CDFS ]
O32 - AutoRun File - [2009-06-30 13:56:00 | 00,341,270 | R--- | M] () - D:\autorun.mbd -- [ CDFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (autocheck lsdelete) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2009-12-20 21:17:21 | 00,513,536 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\lorenzo\Bureaublad\OTL.exe
[2009-12-20 18:41:48 | 00,000,000 | ---D | C] -- C:\thcbytes
[2009-12-20 18:26:25 | 00,715,520 | R--- | C] (Ralink Technology, Corp.) -- C:\WINDOWS\System32\drivers\rt2870.sys
[2009-12-20 18:17:23 | 00,221,184 | R--- | C] (Ralink Technology, Inc.) -- C:\WINDOWS\System32\RaCoInst.dll
[2009-12-20 11:33:31 | 00,000,000 | ---D | C] -- C:\Diskeeper
[2009-12-20 01:51:36 | 00,000,000 | RHSD | C] -- C:\cmdcons
[2009-12-20 01:50:22 | 00,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2009-12-20 01:50:22 | 00,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2009-12-20 01:50:22 | 00,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2009-12-20 01:50:22 | 00,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2009-12-20 01:48:39 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2009-12-20 00:51:17 | 00,000,000 | ---D | C] -- C:\Qoobox
[2009-12-19 19:39:04 | 00,000,000 | RH-D | C] -- C:\Documents and Settings\lorenzo\Onlangs geopend
[2009-12-19 18:39:45 | 00,472,064 | ---- | C] ( ) -- C:\Documents and Settings\lorenzo\Bureaublad\RootRepeal.exe
[2009-12-18 18:31:16 | 00,045,232 | ---- | C] (Diskeeper Corporation) -- C:\WINDOWS\System32\drivers\DKRtWrt.sys
[2009-12-18 18:31:10 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Diskeeper Corporation
[2009-12-18 18:31:10 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Diskeeper Corporation
[2009-12-18 18:31:09 | 00,000,000 | ---D | C] -- C:\Program Files\Windows Home Server
[2009-12-18 18:31:09 | 00,000,000 | ---D | C] -- C:\Program Files\Diskeeper Corporation
[2009-12-18 14:08:00 | 00,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009-12-18 14:07:58 | 00,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009-12-18 14:07:58 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009-12-17 21:09:40 | 00,000,000 | ---D | C] -- C:\Documents and Settings\lorenzo\Application Data\Malwarebytes
[2009-12-17 20:53:03 | 00,000,000 | ---D | C] -- C:\Program Files\xMalwarebytes' Anti-Malware
[2009-12-17 19:08:50 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009-12-17 18:50:00 | 00,000,000 | -HSD | C] -- C:\WINDOWS\CSC
[2009-11-27 16:42:21 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\SACore
[2009-07-11 18:53:00 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Google
[2009-07-11 18:35:30 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Google
[2009-06-01 17:22:43 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2007-12-10 12:24:01 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple
[2007-04-04 10:59:50 | 00,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2006-12-20 22:08:24 | 00,643,072 | ---- | C] ( ) -- C:\WINDOWS\System32\lxczpmui.dll
[2006-12-20 22:06:58 | 01,224,704 | ---- | C] ( ) -- C:\WINDOWS\System32\lxczserv.dll
[2006-12-20 22:01:04 | 00,421,888 | ---- | C] ( ) -- C:\WINDOWS\System32\lxczcomm.dll
[2006-12-20 21:59:24 | 00,585,728 | ---- | C] ( ) -- C:\WINDOWS\System32\lxczlmpm.dll
[2006-12-20 21:58:02 | 00,397,312 | ---- | C] ( ) -- C:\WINDOWS\System32\lxcziesc.dll
[2006-12-20 21:55:40 | 00,094,208 | ---- | C] ( ) -- C:\WINDOWS\System32\lxczpplc.dll
[2006-12-20 21:54:54 | 00,684,032 | ---- | C] ( ) -- C:\WINDOWS\System32\lxczcomc.dll
[2006-12-20 21:54:20 | 00,163,840 | ---- | C] ( ) -- C:\WINDOWS\System32\lxczprox.dll
[2006-12-20 21:47:32 | 00,413,696 | ---- | C] ( ) -- C:\WINDOWS\System32\lxczinpa.dll
[2006-12-20 21:46:50 | 00,991,232 | ---- | C] ( ) -- C:\WINDOWS\System32\lxczusb1.dll
[2006-12-20 21:42:36 | 00,696,320 | ---- | C] ( ) -- C:\WINDOWS\System32\lxczhbn3.dll
[2006-10-16 16:12:21 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2005-09-02 02:35:36 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2005-09-02 02:16:44 | 00,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[7 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2009-12-20 21:17:44 | 00,000,000 | -HS- | M] () -- C:\DkHyperbootSync
[2009-12-20 21:17:27 | 00,513,536 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\lorenzo\Bureaublad\OTL.exe
[2009-12-20 21:16:00 | 00,054,156 | -H-- | M] () -- C:\WINDOWS\QTFont.qfn
[2009-12-20 21:15:57 | 00,012,598 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009-12-20 21:15:52 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009-12-20 21:15:50 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009-12-20 21:15:44 | 21,465,53856 | -HS- | M] () -- C:\hiberfil.sys
[2009-12-20 21:14:42 | 08,126,464 | -H-- | M] () -- C:\Documents and Settings\lorenzo\NTUSER.DAT
[2009-12-20 21:13:43 | 01,619,016 | -H-- | M] () -- C:\Documents and Settings\lorenzo\Local Settings\Application Data\IconCache.db
[2009-12-20 21:05:45 | 00,000,630 | ---- | M] () -- C:\Documents and Settings\All Users\Bureaublad\World of Warcraft.lnk
[2009-12-20 19:52:56 | 00,000,246 | ---- | M] () -- C:\WINDOWS\system.ini
[2009-12-20 19:52:43 | 00,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2009-12-20 18:36:54 | 03,858,925 | R--- | M] () -- C:\Documents and Settings\lorenzo\Bureaublad\thcbytes.exe
[2009-12-20 18:34:52 | 01,104,562 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009-12-20 18:34:52 | 00,501,416 | ---- | M] () -- C:\WINDOWS\System32\perfh013.dat
[2009-12-20 18:34:52 | 00,434,588 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009-12-20 18:34:52 | 00,087,480 | ---- | M] () -- C:\WINDOWS\System32\perfc013.dat
[2009-12-20 18:34:52 | 00,068,492 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009-12-20 18:29:14 | 00,000,188 | -HS- | M] () -- C:\Documents and Settings\lorenzo\ntuser.ini
[2009-12-20 01:59:31 | 00,048,984 | ---- | M] () -- C:\WINDOWS\System32\Config.MPF
[2009-12-20 01:51:41 | 00,000,279 | RHS- | M] () -- C:\boot.ini
[2009-12-20 00:43:22 | 00,000,176 | ---- | M] () -- C:\Documents and Settings\lorenzo\defogger_reenable
[2009-12-20 00:42:33 | 00,050,621 | ---- | M] () -- C:\Documents and Settings\lorenzo\Bureaublad\Defogger.exe
[2009-12-20 00:42:08 | 00,262,656 | ---- | M] () -- C:\Documents and Settings\lorenzo\Bureaublad\rkill.pif
[2009-12-20 00:40:30 | 00,262,656 | ---- | M] () -- C:\Documents and Settings\lorenzo\Bureaublad\rkill.exe
[2009-12-20 00:11:26 | 00,000,008 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\sysReserve.ini
[2009-12-19 23:36:26 | 00,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2009-12-19 19:43:31 | 00,000,000 | ---- | M] () -- C:\Documents and Settings\lorenzo\Bureaublad\settings.dat
[2009-12-19 19:15:13 | 00,002,137 | ---- | M] () -- C:\Documents and Settings\All Users\Bureaublad\iTunes.lnk
[2009-12-19 19:10:31 | 00,020,992 | ---- | M] () -- C:\Documents and Settings\lorenzo\Mijn documenten\Infected with Trojan.doc
[2009-12-19 18:39:47 | 00,472,064 | ---- | M] ( ) -- C:\Documents and Settings\lorenzo\Bureaublad\RootRepeal.exe
[2009-12-19 18:33:26 | 00,524,288 | ---- | M] () -- C:\Documents and Settings\lorenzo\Bureaublad\dds.scr
[2009-12-19 11:06:30 | 00,000,700 | ---- | M] () -- C:\Documents and Settings\All Users\Bureaublad\Malwarebytes' Anti-Malware.lnk
[2009-12-14 12:24:02 | 00,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2009-12-09 22:54:07 | 00,261,632 | ---- | M] () -- C:\WINDOWS\PEV.exe
[2009-12-08 17:36:06 | 00,101,376 | ---- | M] () -- C:\Documents and Settings\lorenzo\Mijn documenten\ict hss, hoofsheid en Arthur oplossing 2009-10-27.doc
[2009-12-07 18:16:38 | 00,040,960 | ---- | M] () -- C:\Documents and Settings\lorenzo\Mijn documenten\leerstof aar.doc
[2009-12-07 17:32:19 | 01,541,120 | ---- | M] () -- C:\Documents and Settings\lorenzo\Mijn documenten\excursie versie smartschool nm.doc
[2009-12-03 16:14:06 | 00,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009-12-03 16:13:56 | 00,019,160 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009-11-29 18:07:01 | 00,070,656 | ---- | M] () -- C:\Documents and Settings\lorenzo\Mijn documenten\Franse Artikels.doc
[2009-11-26 18:43:47 | 00,041,472 | ---- | M] () -- C:\Documents and Settings\lorenzo\Mijn documenten\ARTICLES FRANCAIS.doc
[2009-11-26 17:17:49 | 00,091,648 | ---- | M] () -- C:\Documents and Settings\lorenzo\Mijn documenten\Articles Francaises.doc
[2009-11-25 17:27:39 | 00,036,864 | ---- | M] () -- C:\Documents and Settings\lorenzo\Mijn documenten\WIKISOURCE VERTALINGEN.doc
[2009-11-22 17:39:51 | 00,025,600 | ---- | M] () -- C:\Documents and Settings\lorenzo\Mijn documenten\Dialoog_engels.doc
[7 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2009-12-20 21:17:44 | 00,000,000 | -HS- | C] () -- C:\DkHyperbootSync
[2009-12-20 18:36:54 | 03,858,925 | R--- | C] () -- C:\Documents and Settings\lorenzo\Bureaublad\thcbytes.exe
[2009-12-20 18:30:21 | 21,465,53856 | -HS- | C] () -- C:\hiberfil.sys
[2009-12-20 18:17:23 | 00,013,931 | R--- | C] () -- C:\WINDOWS\System32\RaCoInst.dat
[2009-12-20 01:59:31 | 00,048,984 | ---- | C] () -- C:\WINDOWS\System32\Config.MPF
[2009-12-20 01:51:40 | 00,000,209 | ---- | C] () -- C:\Boot.bak
[2009-12-20 01:51:38 | 00,261,936 | ---- | C] () -- C:\cmldr
[2009-12-20 01:50:22 | 00,261,632 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2009-12-20 01:50:22 | 00,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2009-12-20 01:50:22 | 00,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2009-12-20 01:50:22 | 00,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2009-12-20 01:50:22 | 00,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2009-12-20 00:43:13 | 00,000,176 | ---- | C] () -- C:\Documents and Settings\lorenzo\defogger_reenable
[2009-12-20 00:42:33 | 00,050,621 | ---- | C] () -- C:\Documents and Settings\lorenzo\Bureaublad\Defogger.exe
[2009-12-20 00:42:05 | 00,262,656 | ---- | C] () -- C:\Documents and Settings\lorenzo\Bureaublad\rkill.pif
[2009-12-20 00:40:29 | 00,262,656 | ---- | C] () -- C:\Documents and Settings\lorenzo\Bureaublad\rkill.exe
[2009-12-19 19:43:31 | 00,000,000 | ---- | C] () -- C:\Documents and Settings\lorenzo\Bureaublad\settings.dat
[2009-12-19 19:10:31 | 00,020,992 | ---- | C] () -- C:\Documents and Settings\lorenzo\Mijn documenten\Infected with Trojan.doc
[2009-12-19 18:33:06 | 00,524,288 | ---- | C] () -- C:\Documents and Settings\lorenzo\Bureaublad\dds.scr
[2009-12-18 14:08:02 | 00,000,700 | ---- | C] () -- C:\Documents and Settings\All Users\Bureaublad\Malwarebytes' Anti-Malware.lnk
[2009-12-17 23:04:59 | 00,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2009-12-17 15:36:13 | 00,000,008 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\sysReserve.ini
[2009-12-08 17:36:04 | 00,101,376 | ---- | C] () -- C:\Documents and Settings\lorenzo\Mijn documenten\ict hss, hoofsheid en Arthur oplossing 2009-10-27.doc
[2009-12-07 18:16:38 | 00,040,960 | ---- | C] () -- C:\Documents and Settings\lorenzo\Mijn documenten\leerstof aar.doc
[2009-12-07 17:32:14 | 01,541,120 | ---- | C] () -- C:\Documents and Settings\lorenzo\Mijn documenten\excursie versie smartschool nm.doc
[2009-11-29 15:50:29 | 00,070,656 | ---- | C] () -- C:\Documents and Settings\lorenzo\Mijn documenten\Franse Artikels.doc
[2009-11-26 17:05:06 | 00,091,648 | ---- | C] () -- C:\Documents and Settings\lorenzo\Mijn documenten\Articles Francaises.doc
[2009-11-25 19:14:31 | 00,041,472 | ---- | C] () -- C:\Documents and Settings\lorenzo\Mijn documenten\ARTICLES FRANCAIS.doc
[2009-11-24 21:55:27 | 00,036,864 | ---- | C] () -- C:\Documents and Settings\lorenzo\Mijn documenten\WIKISOURCE VERTALINGEN.doc
[2009-11-22 17:39:51 | 00,025,600 | ---- | C] () -- C:\Documents and Settings\lorenzo\Mijn documenten\Dialoog_engels.doc
[2008-07-12 15:08:46 | 00,022,328 | ---- | C] () -- C:\WINDOWS\System32\drivers\PnkBstrK.sys
[2008-07-12 15:08:46 | 00,022,328 | ---- | C] () -- C:\Documents and Settings\lorenzo\Application Data\PnkBstrK.sys
[2008-06-04 01:11:42 | 00,000,000 | ---- | C] () -- C:\WINDOWS\msicpl.ini
[2008-06-04 00:50:23 | 00,131,072 | R--- | C] () -- C:\WINDOWS\System32\smdll.dll
[2008-06-04 00:50:15 | 00,032,768 | R--- | C] () -- C:\WINDOWS\System32\Auxiliary.dll
[2008-06-04 00:50:14 | 00,266,240 | R--- | C] () -- C:\WINDOWS\System32\HookShield.dll
[2008-06-04 00:50:14 | 00,262,144 | R--- | C] () -- C:\WINDOWS\System32\HookMAp.dll
[2008-06-04 00:41:19 | 00,009,728 | R--- | C] () -- C:\WINDOWS\System32\sysinfoX64.sys
[2008-06-04 00:41:19 | 00,008,192 | R--- | C] () -- C:\WINDOWS\System32\sysinfo.sys
[2008-06-04 00:34:20 | 00,024,576 | R--- | C] () -- C:\WINDOWS\System32\AsIO.dll
[2008-06-04 00:34:20 | 00,012,664 | R--- | C] () -- C:\WINDOWS\System32\drivers\AsIO.sys
[2008-06-04 00:32:33 | 00,013,854 | ---- | C] () -- C:\WINDOWS\Ascd_tmp.ini
[2008-06-03 23:50:00 | 00,014,081 | ---- | C] () -- C:\WINDOWS\Ascd_log.ini
[2008-06-03 23:48:07 | 00,005,810 | R--- | C] () -- C:\WINDOWS\System32\drivers\ASACPI.sys
[2008-06-03 23:47:30 | 00,010,288 | ---- | C] () -- C:\WINDOWS\System32\drivers\ASUSHWIO.SYS
[2008-03-02 19:02:58 | 00,000,032 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\ezsid.dat
[2008-03-02 14:57:35 | 00,000,187 | ---- | C] () -- C:\Documents and Settings\lorenzo\Application Data\G-Force Prefs (WindowsMediaPlayer).txt
[2008-02-23 19:46:44 | 00,003,072 | ---- | C] () -- C:\Documents and Settings\lorenzo\Application Data\dvd.bmk
[2007-06-28 17:43:00 | 01,703,936 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2007-06-28 17:43:00 | 01,474,560 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2007-06-28 17:43:00 | 01,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2007-06-28 17:43:00 | 00,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2007-06-28 17:43:00 | 00,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2007-01-25 19:42:50 | 00,413,696 | ---- | C] () -- C:\WINDOWS\System32\lxczutil.dll
[2007-01-22 13:49:34 | 00,344,064 | ---- | C] () -- C:\WINDOWS\System32\lxczcoin.dll
[2007-01-06 18:33:41 | 00,000,318 | ---- | C] () -- C:\WINDOWS\lexstat.ini
[2007-01-06 18:33:36 | 00,000,092 | ---- | C] () -- C:\WINDOWS\dellstat.ini
[2006-08-29 16:09:18 | 00,069,632 | ---- | C] () -- C:\WINDOWS\System32\xmltok.dll
[2006-08-29 16:09:18 | 00,036,864 | ---- | C] () -- C:\WINDOWS\System32\xmlparse.dll
[2006-05-11 17:52:02 | 00,014,848 | ---- | C] () -- C:\WINDOWS\System32\BASSMOD.dll
[2006-05-07 13:37:09 | 00,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2006-05-06 14:51:17 | 00,000,845 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2006-04-29 18:52:58 | 22,471,185 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\Autosave.3dm
[2006-04-27 13:37:44 | 00,000,395 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006-04-13 16:45:47 | 00,170,496 | ---- | C] () -- C:\Documents and Settings\lorenzo\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2006-04-10 21:22:16 | 00,001,747 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2006-04-10 13:23:34 | 00,000,130 | ---- | C] () -- C:\Documents and Settings\lorenzo\Local Settings\Application Data\fusioncache.dat
[2006-04-04 15:20:31 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2006-04-04 15:15:30 | 00,000,303 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2006-04-04 14:54:14 | 00,000,515 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2006-03-29 19:59:10 | 00,029,919 | ---- | C] () -- C:\WINDOWS\System32\rtsicis.ini
[2006-03-27 16:19:14 | 00,040,960 | ---- | C] () -- C:\WINDOWS\System32\lxczvs.dll
[2006-01-10 22:11:06 | 00,061,440 | ---- | C] () -- C:\WINDOWS\System32\lxczcnv5.dll
[2006-01-10 22:11:06 | 00,061,440 | ---- | C] () -- C:\WINDOWS\System32\lxczcnv4.dll
[2005-11-10 08:56:34 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2005-09-02 02:23:51 | 00,003,717 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2005-08-17 23:56:52 | 00,235,008 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll

========== LOP Check ==========

[2009-12-18 18:31:10 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Diskeeper Corporation
[2006-04-14 17:29:38 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\McNeel
[2007-08-16 18:47:22 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WinZip
[2009-11-27 16:42:21 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\SACore
[2008-10-30 10:29:59 | 00,000,000 | ---D | M] -- C:\Documents and Settings\lorenzo\Application Data\Acreon
[2006-04-25 15:07:47 | 00,000,000 | ---D | M] -- C:\Documents and Settings\lorenzo\Application Data\Autodesk
[2009-07-07 23:52:54 | 00,000,000 | ---D | M] -- C:\Documents and Settings\lorenzo\Application Data\BitTorrent
[2008-08-09 13:12:49 | 00,000,000 | ---D | M] -- C:\Documents and Settings\lorenzo\Application Data\DAEMON Tools
[2008-08-07 21:15:41 | 00,000,000 | ---D | M] -- C:\Documents and Settings\lorenzo\Application Data\DAEMON Tools Pro
[2006-07-18 11:45:34 | 00,000,000 | ---D | M] -- C:\Documents and Settings\lorenzo\Application Data\IrfanView
[2006-05-16 20:22:16 | 00,000,000 | ---D | M] -- C:\Documents and Settings\lorenzo\Application Data\Leadertech
[2009-07-08 13:41:33 | 00,000,000 | ---D | M] -- C:\Documents and Settings\lorenzo\Application Data\Notepad++
[2008-07-01 14:38:38 | 00,000,000 | ---D | M] -- C:\Documents and Settings\lorenzo\Application Data\PanoramaStudio
[2009-06-25 18:39:32 | 00,000,000 | ---D | M] -- C:\Documents and Settings\lorenzo\Application Data\SPORE Creature Creator

========== Purity Check ==========


< End of report >

Extras
OTL Extras logfile created on: 20-12-2009 21:19:09 - Run 1
OTL by OldTimer - Version 3.1.19.0 Folder = C:\Documents and Settings\lorenzo\Bureaublad
Windows XP Media Center Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000413 | Country: Nederland | Language: NLD | Date Format: d-M-yyyy

2,00 Gb Total Physical Memory | 1,00 Gb Available Physical Memory | 74,00% Memory free
3,00 Gb Paging File | 2,00 Gb Available in Paging File | 82,00% Paging File free
Paging file location(s): C:\pagefile.sys 756 1512 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 144,33 Gb Total Space | 33,47 Gb Free Space | 23,19% Space Free | Partition Type: NTFS
Drive D: | 72,95 Mb Total Space | 0,00 Mb Free Space | 0,00% Space Free | Partition Type: CDFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: DHCV762J
Current User Name: lorenzo
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.chm [@ = chm.file] -- "%SYSTEMROOT%\hh.exe" %1
.html [@ = FirefoxHTML] -- C:\PROGRA~1\MOZILL~1\FIREFOX.EXE File not found

[HKEY_USERS\S-1-5-21-745787302-2696241262-1853562435-1005\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
chm.file [open] -- "%SYSTEMROOT%\hh.exe" %1
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
https [open] -- C:\PROGRA~1\MOZILL~1\FIREFOX.EXE -requestPending -osint -url "%1" File not found
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "%programfiles%\internet explorer\iexplore.exe"

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"FirewallDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"1933:TCP" = 1933:TCP:*:Enabled:Blizzar downloader
"3724:TCP" = 3724:TCP:*:Enabled:Blizzard Downloader
"6112:TCP" = 6112:TCP:*:Enabled:Blizzard Downloader
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\MSN Messenger\msncall.exe" = C:\Program Files\MSN Messenger\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone) -- File not found
"C:\Program Files\MSN Messenger\livecall.exe" = C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone) -- File not found
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)
"C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe" = C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe:*:Enabled:Windows Live Sync -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\World of Warcraft\WoW-1.10.0-enGB-downloader.exe" = C:\World of Warcraft\WoW-1.10.0-enGB-downloader.exe:*:Enabled:Blizzard Downloader -- (Blizzard Entertainment)
"C:\World of Warcraft\BackgroundDownloader.exe" = C:\World of Warcraft\BackgroundDownloader.exe:*:Enabled:Blizzard Downloader -- (Blizzard Entertainment)
"C:\World of Warcraft\WoW.exe" = C:\World of Warcraft\WoW.exe:*:Enabled:World of Warcraft -- (Blizzard Entertainment)
"C:\World of Warcraft\Repair.exe" = C:\World of Warcraft\Repair.exe:*:Enabled:World of Warcraft - Repair -- (Blizzard Entertainment, Inc.)
"C:\World of Warcraft\WoW-1.10.2.5302-to-1.11.0.5428-enGB-downloader.exe" = C:\World of Warcraft\WoW-1.10.2.5302-to-1.11.0.5428-enGB-downloader.exe:*:Enabled:Blizzard Downloader -- (Blizzard Entertainment)
"C:\WINDOWS\system32\dpvsetup.exe" = C:\WINDOWS\system32\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test -- (Microsoft Corporation)
"C:\WINDOWS\system32\lxczcoms.exe" = C:\WINDOWS\system32\lxczcoms.exe:*:Enabled:1200 Series Server -- ( )
"C:\Program Files\Electronic Arts\Crytek\Crysis\Bin32\Crysis.exe" = C:\Program Files\Electronic Arts\Crytek\Crysis\Bin32\Crysis.exe:*:Enabled:Crysis_32 -- (Crytek GmbH)
"C:\Program Files\Curse\CurseClient.exe" = C:\Program Files\Curse\CurseClient.exe:*:Enabled:Curse Client -- ()
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)
"C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe" = C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe:*:Enabled:Windows Live Sync -- (Microsoft Corporation)
"C:\Program Files\Electronic Arts\Crytek\Crysis\Bin32\CrysisDedicatedServer.exe" = C:\Program Files\Electronic Arts\Crytek\Crysis\Bin32\CrysisDedicatedServer.exe:*:Disabled:CrysisDedicatedServer_32 -- (Crytek GmbH)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Disabled:iTunes -- (Apple Inc.)
"C:\Program Files\LimeWire\LimeWire.exe" = C:\Program Files\LimeWire\LimeWire.exe:*:Disabled:LimeWire -- (Lime Wire, LLC)
"C:\StubInstaller.exe" = C:\StubInstaller.exe:*:Disabled:LimeWire swarmed installer -- (LimeWire)
"C:\WINDOWS\system32\PnkBstrA.exe" = C:\WINDOWS\system32\PnkBstrA.exe:*:Enabled:PnkBstrA -- ()
"C:\WINDOWS\system32\PnkBstrB.exe" = C:\WINDOWS\system32\PnkBstrB.exe:*:Enabled:PnkBstrB -- ()
"C:\Program Files\Skype\Phone\Skype.exe" = C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype -- (Skype Technologies S.A.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{000E79B7-E725-4F01-870A-C12942B7F8E4}" = Crysis®
"{01501EBA-EC35-4F9F-8889-3BE346E5DA13}" = MSXML4 Parser
"{10F5387D-1728-423A-A578-B00982CF2646}" = Windows Live Messenger
"{11005483-57F9-400C-BF9F-CBC47540705A}" = Windows Live Photo Gallery
"{1BD6AE96-4742-4498-9D03-9451C7E5A214}" = Windows Live aanmeldhulp
"{1F698102-5739-441E-96F0-74F4EA540F06}" = Attansic Ethernet Utility
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live - Hulpprogramma voor uploaden
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{2869F5EA-93C3-48E5-80DF-DB696BC84A91}" = Windows Live Mail
"{2A8F82E8-7B86-4AFD-BFBC-2BA4C2CF52DB}" = Windows Live Call
"{2D456CE5-01E4-4DBE-9797-77003A7C8271}" = Microsoft® Measurement Smart Tag Converter
"{3248F0A8-6813-11D6-A77B-00B0D0150030}" = J2SE Runtime Environment 5.0 Update 3
"{3248F0A8-6813-11D6-A77B-00B0D0160020}" = Java™ 6 Update 2
"{3248F0A8-6813-11D6-A77B-00B0D0160030}" = Java™ 6 Update 3
"{350C9413-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{35CA031C-D3CD-4A28-8D9B-C71466C4F045}" = Windows Live Writer
"{3B4E636E-9D65-4D67-BA61-189800823F52}" = Windows Live Communications Platform
"{43CAC9A1-1993-4F65-9096-7C9AFC2BBF54}" = Dell CinePlayer
"{4CBA3D4C-8F51-4D60-B27E-F6B641C571E7}" = Microsoft Search Enhancement Pack
"{562B9CA4-6E52-4F87-ACEC-912FC004F1F0}" = Windows Live Essentials
"{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml
"{57F0ED40-8F11-41AA-B926-4A66D0D1A9CC}" = Microsoft Office Live Add-in 1.3
"{587178E7-B1DF-494E-9838-FA4DD36E873C}" = ASUSUpdate
"{5905F42D-3F5F-4916-ADA6-94A3646AEE76}" = Dell Driver Reset Tool
"{5B09BD67-4C99-46A1-8161-B7208CE18121}" = QuickTime
"{5B6BE547-21E2-49CA-B2E2-6A5F470593B1}" = Sonic Activation Module
"{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}" = Skype™ 3.8
"{66867BB8-FBC5-450B-8533-C6BE2C9C4068}" = Windows Live Family Safety
"{7148F0A8-6813-11D6-A77B-00B0D0142030}" = Java 2 Runtime Environment, SE v1.4.2_03
"{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{74F7662C-B1DB-489E-A8AC-07A06B24978B}" = Dell System Restore
"{767CC44C-9BBC-438D-BAD3-FD4595DD148B}" = VC80CRTRedist - 8.0.50727.762
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{789289CA-F73A-4A16-A331-54D498CE069F}" = Ventrilo Client
"{7E4B7FD9-4ECE-4298-A910-3160B7918059}" = CryEngine®2 Sandbox™2
"{83F793B5-8BBF-42FD-A8A6-868CB3E2AAEA}" = Intel® PROSet for Wired Connections
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Graphics Media Accelerator Driver
"{8A74E887-8F0F-4017-AF53-CBA42211AAA5}" = Microsoft Sync Framework Runtime Native v1.0 (x86)
"{8D015A2F-4D85-419E-8E1D-93B0C246D491}" = Diskeeper 2010 Professional
"{90110413-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Editie 2003
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{9357AE3A-B2ED-4138-BB9B-0564352C3F0A}" = iTunes
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9757283E-3FCA-4F3D-9257-928859318E55}" = Microsoft Windows Theme Ontario
"{9941F0AA-B903-4AF4-A055-83A9815CC011}" = Sonic Encoders
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A43B2A2F-1DB5-47F9-A608-F11A4835D7CB}" = Apple Mobile Device Support
"{AC76BA86-7AD7-1043-7B44-A81200000003}" = Adobe Reader 8.1.2 - Nederlands
"{AF79DFD1-04C2-4CE5-9C8F-F60CA3CF01A7}" = NETGEAR XE102 Powerline Ethernet Adapter
"{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}" = Apple Software Update
"{BD64AF4A-8C80-4152-AD77-FCDDF05208AB}" = Microsoft Sync Framework Services Native v1.0 (x86)
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CD19EDD9-1632-4002-9212-7478E4BA0423}" = Windows Live Sync
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D2988E9B-C73F-422C-AD4B-A66EBE257120}" = MCU
"{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}" = Ad-Aware 2007
"{E2DFE069-083E-4631-9B6C-43C48E991DE5}" = Junk Mail filter update
"{E51109E7-3818-4BC2-B3FD-A59AC2378A2B}" = Windows Live Toolbar
"{ECA1A3B6-898F-4DCE-9F04-714CF3BA126B}" = Adobe Flash Player 10 Plugin
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Shockwave Player" = Adobe Shockwave Player
"AtcL1" = Attansic L1 Gigabit Ethernet Driver
"CCleaner" = CCleaner (remove only)
"CurseClient" = Curse Client
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"IrfanView" = IrfanView (remove only)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NVIDIA Drivers" = NVIDIA Drivers
"PROSet" = Intel® PRO Network Connections Drivers
"PunkBusterSvc" = PunkBuster Services
"WIC" = Windows Imaging Component
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"WinLiveSuite_Wave3" = Windows Live Essentials
"WinRAR archiver" = WinRAR archiver
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"World of Warcraft" = World of Warcraft
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 19-12-2009 21:17:25 | Computer Name = DHCV762J | Source = PerfNet | ID = 2006
Description = Unable to read the Server Queue performance data. No Server Queue
performance data will be returned in this sample. The returned status code is
DWORD 0, IOSB.Status is DWORD 1 and IOSB.Information is DWORD 2.

Error - 19-12-2009 21:17:26 | Computer Name = DHCV762J | Source = PerfNet | ID = 2005
Description = Unable to read the Server service performance data. No Server
performance data will be returned in this sample. The returned status code is
DWORD 0, IOSB.Status is DWORD 1 and IOSB.Information is DWORD 2.

Error - 19-12-2009 21:17:26 | Computer Name = DHCV762J | Source = PerfNet | ID = 2006
Description = Unable to read the Server Queue performance data. No Server Queue
performance data will be returned in this sample. The returned status code is
DWORD 0, IOSB.Status is DWORD 1 and IOSB.Information is DWORD 2.

Error - 19-12-2009 21:17:26 | Computer Name = DHCV762J | Source = PerfNet | ID = 2005
Description = Unable to read the Server service performance data. No Server
performance data will be returned in this sample. The returned status code is
DWORD 0, IOSB.Status is DWORD 1 and IOSB.Information is DWORD 2.

Error - 19-12-2009 21:17:26 | Computer Name = DHCV762J | Source = PerfNet | ID = 2006
Description = Unable to read the Server Queue performance data. No Server Queue
performance data will be returned in this sample. The returned status code is
DWORD 0, IOSB.Status is DWORD 1 and IOSB.Information is DWORD 2.

Error - 19-12-2009 21:17:27 | Computer Name = DHCV762J | Source = PerfNet | ID = 2005
Description = Unable to read the Server service performance data. No Server
performance data will be returned in this sample. The returned status code is
DWORD 0, IOSB.Status is DWORD 1 and IOSB.Information is DWORD 2.

Error - 19-12-2009 21:17:27 | Computer Name = DHCV762J | Source = PerfNet | ID = 2006
Description = Unable to read the Server Queue performance data. No Server Queue
performance data will be returned in this sample. The returned status code is
DWORD 0, IOSB.Status is DWORD 1 and IOSB.Information is DWORD 2.

Error - 19-12-2009 21:17:27 | Computer Name = DHCV762J | Source = PerfNet | ID = 2005
Description = Unable to read the Server service performance data. No Server
performance data will be returned in this sample. The returned status code is
DWORD 0, IOSB.Status is DWORD 1 and IOSB.Information is DWORD 2.

Error - 19-12-2009 21:17:27 | Computer Name = DHCV762J | Source = PerfNet | ID = 2006
Description = Unable to read the Server Queue performance data. No Server Queue
performance data will be returned in this sample. The returned status code is
DWORD 0, IOSB.Status is DWORD 1 and IOSB.Information is DWORD 2.

Error - 20-12-2009 16:13:42 | Computer Name = DHCV762J | Source = nview_info | ID = 11141121
Description =

[ System Events ]
Error - 20-12-2009 13:30:45 | Computer Name = DHCV762J | Source = Service Control Manager | ID = 7000
Description = The McAfee SpamKiller Service service failed to start due to the
following error: %%3

Error - 20-12-2009 13:31:17 | Computer Name = DHCV762J | Source = Server | ID = 2505
Description = The server could not bind to the transport \Device\NetbiosSmb
because another computer on the network has the same name. The server could
not be started.

Error - 20-12-2009 14:52:47 | Computer Name = DHCV762J | Source = Service Control Manager | ID = 7000
Description = The McAfee Network Agent service failed to start due to the
following error: %%3

Error - 20-12-2009 14:52:47 | Computer Name = DHCV762J | Source = Service Control Manager | ID = 7000
Description = The McAfee Personal Firewall Service service failed to start due
to the following error: %%3

Error - 20-12-2009 14:52:47 | Computer Name = DHCV762J | Source = Service Control Manager | ID = 7000
Description = The McAfee SpamKiller Service service failed to start due to the
following error: %%3

Error - 20-12-2009 16:16:10 | Computer Name = DHCV762J | Source = Service Control Manager | ID = 7000
Description = The McAfee Network Agent service failed to start due to the
following error: %%3

Error - 20-12-2009 16:16:10 | Computer Name = DHCV762J | Source = Service Control Manager | ID = 7000
Description = The McAfee Personal Firewall Service service failed to start due
to the following error: %%3

Error - 20-12-2009 16:16:10 | Computer Name = DHCV762J | Source = Service Control Manager | ID = 7000
Description = The McAfee SpamKiller Service service failed to start due to the
following error: %%3

Error - 20-12-2009 16:16:11 | Computer Name = DHCV762J | Source = Service Control Manager | ID = 7026
Description = The following boot-start drivers failed to load: IntelIde

Error - 20-12-2009 16:16:18 | Computer Name = DHCV762J | Source = sr | ID = 1
Description = While processing the file on volume HarddiskVolume2, the System
Restore filter encountered error 0xC0000001. Monitoring of this volume has
been stopped.


< End of report >

Gmer
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2009-12-20 23:10:06
Windows 5.1.2600 Service Pack 2
Running: 8d00hxds.exe; Driver: C:\DOCUME~1\lorenzo\LOCALS~1\Temp\uwrdapod.sys


---- Kernel code sections - GMER 1.0.15 ----

? swae.sys The system cannot find the file specified. !
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB8B3E380, 0x2FF527, 0xE8000020]

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Tcp fssfltr_tdi.sys (Family Safety Filter Driver (TDI)/Microsoft Corporation)

Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
Device B2984C8A

AttachedDevice fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device Cdfs.SYS (CD-ROM File System Driver/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x02 0x9E 0x5E 0xD8 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x07 0x4D 0xA6 0xB1 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x6A 0x5F 0x28 0x88 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x61 0xC5 0xB5 0xEA ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42@khjeh 0xAB 0xCC 0x45 0x1F ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x02 0x9E 0x5E 0xD8 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x07 0x4D 0xA6 0xB1 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x6A 0x5F 0x28 0x88 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x61 0xC5 0xB5 0xEA ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42@khjeh 0xAB 0xCC 0x45 0x1F ...

---- EOF - GMER 1.0.15 ----

Edited by Barcode, 20 December 2009 - 07:02 PM.


#10 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:52 AM

Posted 20 December 2009 - 10:36 PM

Excellent. :(

We need to run an OTL Fix
  • Please reopen Posted Image on your desktop.
  • Copy and Paste the following code into the Posted Image textbox. Do not include the word "Code"
    :OTL
    PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    SRV - File not found [On_Demand | Stopped] -- -- (NMIndexingService)
    SRV - File not found [Auto | Stopped] -- -- (MSK80Service)
    SRV - File not found [Auto | Stopped] -- -- (MpfService)
    SRV - File not found [Auto | Stopped] -- -- (McNASvc)
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
    O3 - HKU\S-1-5-21-745787302-2696241262-1853562435-1005\..\Toolbar\ShellBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
    O3 - HKU\S-1-5-21-745787302-2696241262-1853562435-1005\..\Toolbar\ShellBrowser: (no name) - {BC4FFE41-DE9F-46FA-B455-AAD49B9F9938} - No CLSID value found.
    O32 - AutoRun File - [2009-06-30 13:55:00 | 00,453,376 | R--- | M] (MediaChance) - D:\autorun.exe -- [ CDFS ]
    O32 - AutoRun File - [2009-06-30 13:55:00 | 00,000,047 | R--- | M] () - D:\autorun.inf -- [ CDFS ]
    O32 - AutoRun File - [2009-06-30 13:56:00 | 00,341,270 | R--- | M] () - D:\autorun.mbd -- [ CDFS ]
    [7 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
    [1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
    [2009-07-07 23:52:54 | 00,000,000 | ---D | M] -- C:\Documents and Settings\lorenzo\Application Data\BitTorrent
    
    :Files
    c:\program files\BitLord
    c:\program files\LimeWire
    
    :Reg
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=-
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\Program Files\\LimeWire\\LimeWire.exe"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "FirstRunDisabled"=-
    
    :Commands
    [CREATERESTOREPOINT]
    [resethosts]
    [emptytemp]
    [Reboot]
  • Push Posted Image
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click Posted Image.
  • A report will open. Copy and Paste that report in your next reply.
==========

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Runtime Environment (JRE)" JRE 6 Update 17.
  • Click the Download button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u17-windows-i586.exe to install the newest version.
-- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
-- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

==========

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image
==========

With your next post please provide:

* OTL fix log
* ESET log
* Still running ok?

Kind regards,
~t
Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/
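As an added example (not part of this thread, and not OTL's own code), here is a read-only PowerShell audit of the three things the :Reg and :Commands sections of the fix above change, so a helper can see their state before and after the fix without modifying anything. The Security Center registry paths are the ones used in the fix script; the Wow6432Node uninstall path is an assumption added for 64-bit Windows.

```powershell
# Added example: read-only audit of the items the OTL fix above touches.
# Run from an elevated PowerShell prompt; nothing here writes to the system.

# 1. Windows Security Center overrides. Rogue antimalware such as the
#    "Antimalware" fake in this thread commonly sets DisableMonitoring or
#    FirstRunDisabled so that the user never sees a "no antivirus" warning.
function Get-SecurityCenterOverrides {
    $base = 'HKLM:\SOFTWARE\Microsoft\Security Center'
    $hits = @()
    $root = Get-ItemProperty -Path $base -ErrorAction SilentlyContinue
    if ($root -and $root.PSObject.Properties['FirstRunDisabled']) {
        $hits += "FirstRunDisabled = $($root.FirstRunDisabled)"
    }
    Get-ChildItem -Path "$base\Monitoring" -ErrorAction SilentlyContinue |
        ForEach-Object {
            $p = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
            if ($p -and $p.PSObject.Properties['DisableMonitoring']) {
                $hits += "$($_.PSChildName)\DisableMonitoring = $($p.DisableMonitoring)"
            }
        }
    return $hits
}

# 2. Installed Java runtimes, read from the Uninstall keys. More than one
#    entry means stale versions are still present (the Java step above).
#    The Wow6432Node path is an assumption for 64-bit systems.
function Get-InstalledJava {
    $paths = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match 'Java|J2SE|JRE' } |
        Select-Object DisplayName, DisplayVersion
}

# 3. HOSTS entries other than comments and the localhost line. The
#    [resethosts] command in the fix replaces this file with a default one;
#    anything listed here after the fix would be a new modification.
function Get-NonDefaultHostsEntries {
    $hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    Get-Content -Path $hosts -ErrorAction SilentlyContinue |
        Where-Object { $_.Trim() -ne '' -and $_.Trim() -notmatch '^#' } |
        Where-Object { $_ -notmatch '^\s*(127\.0\.0\.1|::1)\s+localhost\s*$' }
}

'== Security Center overrides =='
Get-SecurityCenterOverrides
'== Installed Java =='
Get-InstalledJava | Format-Table -AutoSize
'== Non-default HOSTS entries =='
Get-NonDefaultHostsEntries
```

An empty first and third section, and a single current entry in the second, is the state the fix is meant to leave behind.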

#11 Barcode

Barcode
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:11:52 AM

Posted 21 December 2009 - 08:53 AM

Hello again

Everything went fine, the PC is still running fine (as far as I know), and it seems that those files ESET found are songs my sister downloaded =/
Anyway, here are the logs:

OTL fix
All processes killed
========== OTL ==========
No active process named explorer.exe was found!
Service NMIndexingService stopped successfully!
Service NMIndexingService deleted successfully!
Service MSK80Service stopped successfully!
Service MSK80Service deleted successfully!
Service MpfService stopped successfully!
Service MpfService deleted successfully!
Service McNASvc stopped successfully!
Service McNASvc deleted successfully!
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB}\ not found.
Registry value HKEY_USERS\S-1-5-21-745787302-2696241262-1853562435-1005\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}\ not found.
Registry value HKEY_USERS\S-1-5-21-745787302-2696241262-1853562435-1005\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{BC4FFE41-DE9F-46FA-B455-AAD49B9F9938} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BC4FFE41-DE9F-46FA-B455-AAD49B9F9938}\ not found.
File move failed. D:\autorun.exe scheduled to be moved on reboot.
File move failed. D:\autorun.inf scheduled to be moved on reboot.
File move failed. D:\autorun.mbd scheduled to be moved on reboot.
C:\WINDOWS\System32\CONFIG.TMP deleted successfully.
C:\WINDOWS\System32\SET24C.tmp deleted successfully.
C:\WINDOWS\System32\SET64.tmp deleted successfully.
C:\WINDOWS\System32\SET65.tmp deleted successfully.
C:\WINDOWS\System32\SET9B.tmp deleted successfully.
C:\WINDOWS\System32\SETA0.tmp deleted successfully.
C:\WINDOWS\System32\SETA7.tmp deleted successfully.
C:\WINDOWS\msdownld.tmp folder deleted successfully.
C:\Documents and Settings\lorenzo\Application Data\BitTorrent folder moved successfully.
========== FILES ==========
c:\program files\BitLord\Torrents folder moved successfully.
c:\program files\BitLord\rules folder moved successfully.
c:\program files\BitLord\lang folder moved successfully.
c:\program files\BitLord\Downloads\Spore-RELOADED folder moved successfully.
c:\program files\BitLord\Downloads folder moved successfully.
c:\program files\BitLord folder moved successfully.
c:\program files\LimeWire\lib folder moved successfully.
c:\program files\LimeWire folder moved successfully.
========== REGISTRY ==========
Registry value HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus\\DisableMonitoring deleted successfully.
Registry value HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall\\DisableMonitoring deleted successfully.
Registry key HKEY_LOCAL_MACHINE\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\FirstRunDisabled deleted successfully.
========== COMMANDS ==========
Restore point Set: OTL Restore Point (64424509440)
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 78991 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: Gast

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 344198 bytes

User: lorenzo
->Temp folder emptied: 587991 bytes
->Temporary Internet Files folder emptied: 4567773 bytes
->Java cache emptied: 13 bytes
->FireFox cache emptied: 9042119 bytes
->Google Chrome cache emptied: 166499097 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
Windows Temp folder emptied: 49152 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 34311 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 173,00 mb


OTL by OldTimer - Version 3.1.19.0 log created on 12212009_132323

Files\Folders moved on Reboot...
File\Folder D:\autorun.exe not found!
File\Folder D:\autorun.inf not found!
File\Folder D:\autorun.mbd not found!

Registry entries deleted on Reboot...

Eset log
C:\Documents and Settings\lorenzo\Bureaublad\DOT'n'BAAFS\muzizk\Massimo Spada - Matteo Silva - Night over Manaus - BooZoo BaJou.mp3 WMA/TrojanDownloader.GetCodec.C trojan cleaned by deleting - quarantined
C:\Documents and Settings\lorenzo\Bureaublad\DOT'n'BAAFS\muzizk\Moby - I love to move in here.mp3 WMA/TrojanDownloader.GetCodec.C trojan cleaned by deleting - quarantined
C:\Documents and Settings\lorenzo\Bureaublad\DOT'n'BAAFS\muzizk\nescafe music.mp3 WMA/TrojanDownloader.GetCodec.C trojan cleaned by deleting - quarantined
C:\Documents and Settings\lorenzo\Bureaublad\DOT'n'BAAFS\muzizk\paleto.mp3 WMA/TrojanDownloader.GetCodec.C trojan cleaned by deleting - quarantined
C:\WINDOWS\distro_SelectRebatesSetup_um1002.exe probably a variant of Win32/Adware.SAHAgent application cleaned by deleting - quarantined

Edited by Barcode, 21 December 2009 - 08:54 AM.


#12 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:52 AM

Posted 21 December 2009 - 03:44 PM

Almost there...

Please update and re-run MBAM. Post a log.

Thanks,
~t

#13 Barcode

Barcode
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:11:52 AM

Posted 21 December 2009 - 04:51 PM

Updated it and ran it; no infected files though.

MBAM
Malwarebytes' Anti-Malware 1.42
Database versie: 3406
Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.11

21-12-2009 22:48:49
mbam-log-2009-12-21 (22-48-49).txt

Scan type: Volledige Scan (A:\|C:\|D:\|)
Objecten gescand: 218832
Verstreken tijd: 54 minute(s), 4 second(s)

Geheugenprocessen geïnfecteerd: 0
Geheugenmodulen geïnfecteerd: 0
Registersleutels geïnfecteerd: 0
Registerwaarden geïnfecteerd: 0
Registerdata bestanden geïnfecteerd: 0
Mappen geïnfecteerd: 0
Bestanden geïnfecteerd: 0

Geheugenprocessen geïnfecteerd:
(Geen kwaadaardige items gevonden)

Geheugenmodulen geïnfecteerd:
(Geen kwaadaardige items gevonden)

Registersleutels geïnfecteerd:
(Geen kwaadaardige items gevonden)

Registerwaarden geïnfecteerd:
(Geen kwaadaardige items gevonden)

Registerdata bestanden geïnfecteerd:
(Geen kwaadaardige items gevonden)

Mappen geïnfecteerd:
(Geen kwaadaardige items gevonden)

Bestanden geïnfecteerd:
(Geen kwaadaardige items gevonden)

#14 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:52 AM

Posted 21 December 2009 - 04:54 PM

Hello,

Congratulations! You now appear clean!

**********

Please pay particularly close attention to the instructions that follow. Neglecting these steps risks needless reinfection!!

**********

Are things running okay? Do you have any more questions?

**********

Uninstall Combofix
  • Press the Windows Key + R on your keyboard.
  • Now copy & paste the green bolded text in the run-box and click OK.

    ComboFix /Uninstall

    <Notice the space between the "x" and "/".>


  • The following will implement some very important cleanup procedures as well as reset System Restore points.
**********

Run OTL again

We will now remove the tools we used during this fix using OTL.
  • Double click the OTL icon to start the program.
  • Then Click the big Posted Image button.
  • You will get a prompt saying "Begin Cleanup Process". Please select Yes.
  • Restart your computer when prompted.
**********

Recommendations


Below are some recommendations to lower your chances of (re)infection.

  • Install an Anti-Spyware program, and update it regularly
    Malwarebytes' Anti-Malware is an excellent Anti-Spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.

    SUPERAntiSpyware is another good scanner with high detection and removal rates.
    Both programs are free for non-commercial home use but provide a resident and do not nag if you purchase the paid versions.

  • Prevention article : To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections please read the Prevention article by Miekiemoes.

  • Keep Windows (and your other Microsoft software) up to date!
    I cannot stress enough how important this is. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.


    Windows XP


    Visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!

  • Keep your other software up to date as well. Software does not need to be made by Microsoft to be insecure. Download Secunia Software Inspector to keep all your software up to date.

  • Consider Firefox as your primary browser. It's safer, fast and secure!

  • Install WOT. Never inadvertently surf to a dangerous website again.

  • Consider running your browser Sandboxed with Sandboxie. You decide what actually gets into your OS!!

  • Install NoScript. Pre-emptively blocks malicious scripts and allows JavaScript, Java and other potentially dangerous content only from sites you trust.

  • Stay up to date!
    The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing :(.
**********

System Slow?
You may wish to try StartupLite. Simply download this tool to your desktop and run it. It will explain any optional auto-start programs on your system, and offer the option to stop these programs from starting at startup. This will result in fewer programs running when you boot your system, and should improve performance.

If that does not work, you can try the steps mentioned in Slow Computer/browser? Check Here First; It May Not Be Malware.

**********

Good luck & safe surfing,
Kind Regards,
~ t

#15 Barcode

Barcode
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:11:52 AM

Posted 21 December 2009 - 05:29 PM

Alright, thanks for all the effort and help; my PC's working faster than before :(.

I've only got one more question... do you know any good free antivirus? I've uninstalled McAfee because I couldn't turn its antivirus off for Combofix + it wasn't updating itself anymore anyway...

thanks a lot!

B



