Iīm having lots of trouble because of this file. Itīs called DHCPSAP.dll. What can I do to get rid this? You are my last help because I did everything I thought was helping but nothing did. Many thanks
delf.12.an trojan horse [RESOLVED]
#1
Posted 23 June 2008 - 10:54 AM
Iīm having lots of trouble because of this file. Itīs called DHCPSAP.dll. What can I do to get rid this? You are my last help because I did everything I thought was helping but nothing did. Many thanks
#2
Posted 23 June 2008 - 10:56 AM
CLICK HERE to download the HijackThis Installer:
- Save HJTInstall.exe to your desktop.
- Double-click on HJTInstall.exe to run the program.
- By default it will install to C:\Program Files\Trend Micro\HijackThis.
- Accept the license agreement by clicking the "I Accept" button.
- Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
- Click "Save log" to save the log file and then the log will open in Notepad.
- Click on "Edit -> Select All" then click on "Edit -> Copy" to copy the entire contents of the log.
- Come back here to this thread and paste the log in your next reply.
- Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
Please visit this web page for instructions for downloading and running ComboFix
http://www.bleepingc...to-use-combofix
This includes installing the Windows XP Recovery Console in case you have not installed it yet.
For more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058.
Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. Don't select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.
Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.
#3
Posted 23 June 2008 - 11:45 AM
this is the log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:44:10, on 23-6-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nu.nl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://nl.intl.acer.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.nl/0SEN...S01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: (no name) - {A26D2720-B21F-4A82-9FB9-4477F5693BE2} - C:\WINDOWS\system32\dhcpsap.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zon...kr.cab56986.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zon...wn.cab56986.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zon...er.cab56986.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
--
End of file - 6594 bytes
#4
Posted 23 June 2008 - 12:01 PM
#5
Posted 23 June 2008 - 12:07 PM
ComboFix 08-06-20.4 - christa hertogh 2008-06-23 20:01:35.2 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1043.18.210 [GMT 2:00]
Gestart vanuit: C:\Documents and Settings\christa hertogh\Bureaublad\ComboFix.exe
.
(((((((((((((((((((( Bestanden Gemaakt van 2008-05-23 to 2008-06-23 ))))))))))))))))))))))))))))))
.
2008-06-23 18:40 . 2008-06-23 18:40 161 --a------ C:\WINDOWS\DRVERASE.INI
2008-06-23 18:39 . 2008-06-23 18:42 24,576 --a------ C:\WINDOWS\system32\DEINSTEX.DLL
2008-06-23 18:19 . 2008-06-23 18:19 <DIR> d-------- C:\!KillBox
2008-06-23 17:45 . 2008-06-23 17:45 <DIR> dr-h----- C:\Documents and Settings\christa hertogh\Onlangs geopend
2008-06-23 15:36 . 2008-05-29 21:30 828,824 --a------ C:\WINDOWS\system32\RVAXO.bat
2008-06-23 15:36 . 2001-10-01 14:51 69,632 --a------ C:\WINDOWS\system32\remove.exe
2008-06-23 14:55 . 2008-06-23 14:55 <DIR> d--h----- C:\$AVG8.VAULT$
2008-06-23 12:35 . 2008-06-23 12:35 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-06-23 12:35 . 2008-06-23 12:35 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-06-23 12:34 . 2008-06-23 12:34 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-06-23 12:34 . 2008-06-23 12:34 <DIR> d-------- C:\Program Files\AVG
2008-06-23 12:34 . 2008-06-23 12:34 <DIR> d-------- C:\Documents and Settings\christa hertogh\Application Data\AVGTOOLBAR
2008-06-23 12:34 . 2008-06-23 12:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-06-23 12:16 . 2008-06-23 12:16 <DIR> d-------- C:\Program Files\Lavasoft
2008-06-23 12:16 . 2008-06-23 12:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-23 12:14 . 2008-06-23 12:14 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-23 11:08 . 2008-06-23 11:08 <DIR> d-------- C:\WINDOWS\system32\nl-nl
2008-06-14 18:55 . 2008-04-14 17:54 272,640 --------- C:\WINDOWS\system32\dllcache\bthport.sys
.
((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-16 09:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\RMCast.sys
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\dllcache\rmcast.sys
2008-05-07 05:16 1,291,776 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-07 05:16 1,291,776 ----a-w C:\WINDOWS\system32\dllcache\quartz.dll
2008-04-29 09:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-04-29 09:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys
2008-04-29 09:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys
2008-04-21 07:03 474,624 ----a-w C:\WINDOWS\system32\dllcache\shlwapi.dll
2008-04-21 07:03 151,552 ----a-w C:\WINDOWS\system32\dllcache\cdfview.dll
2008-04-21 07:03 1,494,528 ----a-w C:\WINDOWS\system32\dllcache\shdocvw.dll
2008-04-21 07:03 1,057,280 ----a-w C:\WINDOWS\system32\dllcache\danim.dll
2008-04-21 07:03 1,023,488 ----a-w C:\WINDOWS\system32\dllcache\browseui.dll
2008-03-25 04:51 621,344 ----a-w C:\WINDOWS\system32\mswstr10.dll
2008-03-25 04:51 621,344 ----a-w C:\WINDOWS\system32\dllcache\mswstr10.dll
2008-03-25 04:51 183,072 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-25 04:51 183,072 ----a-w C:\WINDOWS\system32\dllcache\msjint40.dll
2007-08-17 16:12 18,432 ----a-w C:\Documents and Settings\christa hertogh\Application Data\internaldb41.dat
2007-08-17 16:11 382 ----a-w C:\Documents and Settings\christa hertogh\Application Data\internaldb6334.dat
2007-08-17 16:10 194 ----a-w C:\Documents and Settings\christa hertogh\Application Data\internaldb8467.dat
.
((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A26D2720-B21F-4A82-9FB9-4477F5693BE2}]
2008-03-05 16:59 98048 --a------ C:\WINDOWS\system32\dhcpsap.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 12:54 5674352]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BluetoothAuthenticationAgent"="bthprops.cpl,,BluetoothAuthenticationAgent" []
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-04-29 06:13 766041]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 05:00 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 05:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 05:00 455168]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-03-23 13:20 227328]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-06-23 12:34 1177368]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 05:00 15360]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-03-27 15:58 1744896]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^Acer Empowering Technology.lnk]
path=C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\Acer Empowering Technology.lnk
backup=C:\WINDOWS\pss\Acer Empowering Technology.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^christa hertogh^Menu Start^Programma's^Opstarten^PrevxCSI.lnk]
path=C:\Documents and Settings\christa hertogh\Menu Start\Programma's\Opstarten\PrevxCSI.lnk
backup=C:\WINDOWS\pss\PrevxCSI.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acer ePresentation HPD]
C:\Acer\Empowering Technology\ePresentation\ePresentation.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\adstart]
C:\WINDOWS\system32\cpmrotate.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
--a------ 2005-12-13 21:50 88204 C:\WINDOWS\AGRSMMSG.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
--a------ 2006-07-19 09:41 69632 C:\WINDOWS\Alcmtr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AzMixerSel]
--------- 2006-07-19 09:41 53248 C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eDataSecurity Loader]
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ePower_DMC]
C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eRecoveryService]
--a------ 2006-06-01 14:40 413696 C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
--a------ 2006-06-13 09:57 77824 C:\WINDOWS\system32\hkcmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
--a------ 2006-06-13 09:57 118784 C:\WINDOWS\system32\igfxpers.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
--a------ 2006-06-13 09:57 94208 C:\WINDOWS\system32\igfxtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
--a------ 2004-08-04 05:00 208952 C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2006-10-30 09:36 256576 C:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LaunchApp]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LManager]
C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ntiMUI]
C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
C:\Program Files\Acer\Acer Arcade\PCMService.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-10-25 18:58 282624 C:\Program Files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
--a------ 2006-07-19 09:42 16248320 C:\WINDOWS\RTHDCPL.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
--a------ 2006-07-19 09:42 2879488 C:\WINDOWS\SkyTel.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
-ra------ 2004-11-22 08:18 307200 c:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WarReg_PopUp]
--a------ 2006-09-23 13:08 61440 C:\Acer\WR_PopUp\WarReg_PopUp.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\uTorrent\\utorrent.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Documents and Settings\\christa hertogh\\Bureaublad\\utorrent-1.7-beta-1703.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
R0 sblkmqot;sblkmqot;C:\WINDOWS\system32\drivers\tholvjks.dat []
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-06-23 12:35]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-06-23 12:34]
S3 lv321av;Logitech USB PC Camera (VC0321);C:\WINDOWS\system32\DRIVERS\lv321av.sys [2006-06-20 03:20]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{71910514-7fe8-11db-8eca-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-23 20:03:27
Windows 5.1.2600 Service Pack 2 FAT NTAPI
scannen van verborgen processen ...
scannen van verborgen autostart items ...
scannen van verborgen bestanden ...
Scan succesvol afgerond
verborgen bestanden: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\sblkmqot]
"ImagePath"="system32\drivers\tholvjks.dat"
.
Voltooingstijd: 2008-06-23 20:04:02
ComboFix2.txt 2008-06-23 13:43:04
ComboFix-quarantined-files.txt 2008-06-23 18:04:00
Pre-Run: 16,792,502,272 bytes beschikbaar
Post-Run: 16,827,039,744 bytes beschikbaar
162 --- E O F --- 2008-06-23 09:17:34
#6
Posted 23 June 2008 - 12:22 PM
1. Please open Notepad
- Click Start , then Run
- Type notepad .exe in the Run Box.
http://www.geekstogo...se-t202628.html
KillAll::
Collect::
C:\WINDOWS\system32\dhcpsap.dll
Suspect::
File::
C:\WINDOWS\system32\RVAXO.bat
C:\WINDOWS\system32\remove.exe
C:\WINDOWS\system32\cpmrotate.dll
E:\setup.exe
Folder::
Driver::
sblkmqot
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\adstart]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{71910514-7fe8-11db-8eca-806d6172696f}]
3. Save the above as CFScript.txt
4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.
5. Additonally, ComboFix will generate the following files on your desktop
- A zipped file on your desktop called Submit [Date Time].zip
- And another file named - CF-Submit.htm
7. When CF has finished running, it will generate the ComboFix.log which will appear on your screen.
8. If CF-Submit.htm is detected, ComboFix will generate this message box:
Clicking OK will cause the machine's browser to load CF-Submit.htm
9. Click the "Browse" button and locate the Submit [Date Time].zip file on your desktop.
- Click on the file to Select it.
- Submit the file by clicking "OK"
11. Post the following reports/logs into your next reply:
- Combofix.txt
- A new HijackThis log (run after ComboFix has finished its work.)
Go to this site:
http://www.virustotal.com/
On top you'll find 'Browse'
Click the browse button and browse to the file:
C:\WINDOWS\system32\DEINSTEX.DLL
Click open.
Then click the 'Send' button next to it.
This will scan the file. Please be patient.
Once scanned, copy and paste the results as well in your next reply.
Edited by Rorschach112, 23 June 2008 - 12:22 PM.
#7
Posted 23 June 2008 - 12:48 PM
Combofix:
ComboFix 08-06-20.4 - christa hertogh 2008-06-23 20:30:12.3 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1043.18.271 [GMT 2:00]
Gestart vanuit: C:\Documents and Settings\christa hertogh\Bureaublad\ComboFix.exe
Command switches used :: C:\Documents and Settings\christa hertogh\Bureaublad\CFScript.txt
* Nieuw herstelpunt werd aangemaakt
FILE ::
C:\WINDOWS\system32\cpmrotate.dll
C:\WINDOWS\system32\remove.exe
C:\WINDOWS\system32\RVAXO.bat
E:\setup.exe
E:\SETUP.EXE
.
(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\remove.exe
C:\WINDOWS\system32\RVAXO.bat
C:\WINDOWS\system32\dhcpsap.dll . . . . konden niet verwijderd worden
E:\SETUP.EXE . . . . konden niet verwijderd worden
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_SBLKMQOT
-------\Service_sblkmqot
(((((((((((((((((((( Bestanden Gemaakt van 2008-05-23 to 2008-06-23 ))))))))))))))))))))))))))))))
.
2008-06-23 18:40 . 2008-06-23 18:40 161 --a------ C:\WINDOWS\DRVERASE.INI
2008-06-23 18:39 . 2008-06-23 18:42 24,576 --a------ C:\WINDOWS\system32\DEINSTEX.DLL
2008-06-23 18:19 . 2008-06-23 18:19 <DIR> d-------- C:\!KillBox
2008-06-23 17:45 . 2008-06-23 17:45 <DIR> dr-h----- C:\Documents and Settings\christa hertogh\Onlangs geopend
2008-06-23 14:55 . 2008-06-23 14:55 <DIR> d--h----- C:\$AVG8.VAULT$
2008-06-23 12:35 . 2008-06-23 12:35 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-06-23 12:35 . 2008-06-23 12:35 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-06-23 12:34 . 2008-06-23 12:34 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-06-23 12:34 . 2008-06-23 12:34 <DIR> d-------- C:\Program Files\AVG
2008-06-23 12:34 . 2008-06-23 12:34 <DIR> d-------- C:\Documents and Settings\christa hertogh\Application Data\AVGTOOLBAR
2008-06-23 12:34 . 2008-06-23 12:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-06-23 12:16 . 2008-06-23 12:16 <DIR> d-------- C:\Program Files\Lavasoft
2008-06-23 12:16 . 2008-06-23 12:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-23 12:14 . 2008-06-23 12:14 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-23 11:08 . 2008-06-23 11:08 <DIR> d-------- C:\WINDOWS\system32\nl-nl
2008-06-14 18:55 . 2008-04-14 17:54 272,640 --------- C:\WINDOWS\system32\dllcache\bthport.sys
.
((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-23 18:31 98,048 ----a-w C:\WINDOWS\system32\dhcpsap.dll
2008-05-16 09:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\RMCast.sys
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\dllcache\rmcast.sys
2008-05-07 05:16 1,291,776 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-07 05:16 1,291,776 ----a-w C:\WINDOWS\system32\dllcache\quartz.dll
2008-04-29 09:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-04-29 09:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys
2008-04-29 09:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys
2008-04-21 07:03 474,624 ----a-w C:\WINDOWS\system32\dllcache\shlwapi.dll
2008-04-21 07:03 151,552 ----a-w C:\WINDOWS\system32\dllcache\cdfview.dll
2008-04-21 07:03 1,494,528 ----a-w C:\WINDOWS\system32\dllcache\shdocvw.dll
2008-04-21 07:03 1,057,280 ----a-w C:\WINDOWS\system32\dllcache\danim.dll
2008-04-21 07:03 1,023,488 ----a-w C:\WINDOWS\system32\dllcache\browseui.dll
2008-03-25 04:51 621,344 ----a-w C:\WINDOWS\system32\mswstr10.dll
2008-03-25 04:51 621,344 ----a-w C:\WINDOWS\system32\dllcache\mswstr10.dll
2008-03-25 04:51 183,072 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-25 04:51 183,072 ----a-w C:\WINDOWS\system32\dllcache\msjint40.dll
2007-08-17 16:12 18,432 ----a-w C:\Documents and Settings\christa hertogh\Application Data\internaldb41.dat
2007-08-17 16:11 382 ----a-w C:\Documents and Settings\christa hertogh\Application Data\internaldb6334.dat
2007-08-17 16:10 194 ----a-w C:\Documents and Settings\christa hertogh\Application Data\internaldb8467.dat
.
((((((((((((((((((((((((((((( snapshot@2008-06-23_20.03.43,17 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-23 16:27:32 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-23 18:33:52 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2005-10-20 18:02:28 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A26D2720-B21F-4A82-9FB9-4477F5693BE2}]
2008-06-23 20:31 98048 --a------ C:\WINDOWS\system32\dhcpsap.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 12:54 5674352]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BluetoothAuthenticationAgent"="bthprops.cpl,,BluetoothAuthenticationAgent" []
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-04-29 06:13 766041]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 05:00 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 05:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 05:00 455168]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-03-23 13:20 227328]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-06-23 12:34 1177368]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 05:00 15360]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-03-27 15:58 1744896]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^Acer Empowering Technology.lnk]
path=C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\Acer Empowering Technology.lnk
backup=C:\WINDOWS\pss\Acer Empowering Technology.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^christa hertogh^Menu Start^Programma's^Opstarten^PrevxCSI.lnk]
path=C:\Documents and Settings\christa hertogh\Menu Start\Programma's\Opstarten\PrevxCSI.lnk
backup=C:\WINDOWS\pss\PrevxCSI.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acer ePresentation HPD]
C:\Acer\Empowering Technology\ePresentation\ePresentation.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
--a------ 2005-12-13 21:50 88204 C:\WINDOWS\AGRSMMSG.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
--a------ 2006-07-19 09:41 69632 C:\WINDOWS\Alcmtr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AzMixerSel]
--------- 2006-07-19 09:41 53248 C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eDataSecurity Loader]
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ePower_DMC]
C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eRecoveryService]
--a------ 2006-06-01 14:40 413696 C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
--a------ 2006-06-13 09:57 77824 C:\WINDOWS\system32\hkcmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
--a------ 2006-06-13 09:57 118784 C:\WINDOWS\system32\igfxpers.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
--a------ 2006-06-13 09:57 94208 C:\WINDOWS\system32\igfxtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
--a------ 2004-08-04 05:00 208952 C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2006-10-30 09:36 256576 C:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LaunchApp]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LManager]
C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ntiMUI]
C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
C:\Program Files\Acer\Acer Arcade\PCMService.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-10-25 18:58 282624 C:\Program Files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
--a------ 2006-07-19 09:42 16248320 C:\WINDOWS\RTHDCPL.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
--a------ 2006-07-19 09:42 2879488 C:\WINDOWS\SkyTel.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
-ra------ 2004-11-22 08:18 307200 c:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WarReg_PopUp]
--a------ 2006-09-23 13:08 61440 C:\Acer\WR_PopUp\WarReg_PopUp.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\uTorrent\\utorrent.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Documents and Settings\\christa hertogh\\Bureaublad\\utorrent-1.7-beta-1703.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
R0 sblkmqot;sblkmqot;C:\WINDOWS\system32\drivers\tholvjks.dat []
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-06-23 12:35]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-06-23 12:34]
S3 lv321av;Logitech USB PC Camera (VC0321);C:\WINDOWS\system32\DRIVERS\lv321av.sys [2006-06-20 03:20]
*Newly Created Service* - SBLKMQOT
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-23 20:35:35
Windows 5.1.2600 Service Pack 2 FAT NTAPI
scannen van verborgen processen ...
scannen van verborgen autostart items ...
scannen van verborgen bestanden ...
Scan succesvol afgerond
verborgen bestanden: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\sblkmqot]
"ImagePath"="system32\drivers\tholvjks.dat"
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRAM FILES\LAVASOFT\AD-AWARE\AAWSERVICE.EXE
C:\PROGRAM FILES\AVG\AVG8\AVGWDSVC.EXE
C:\PROGRAM FILES\COMMON FILES\LIGHTSCRIBE\LSSRVC.EXE
C:\PROGRAM FILES\AVG\AVG8\AVGRSX.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
.
**************************************************************************
.
Voltooingstijd: 2008-06-23 20:37:35 - machine was rebooted
ComboFix3.txt 2008-06-23 13:43:04
ComboFix-quarantined-files.txt 2008-06-23 18:37:28
ComboFix2.txt 2008-06-23 18:04:06
Pre-Run: 16,784,588,800 bytes beschikbaar
Post-Run: 16,707,911,680 bytes beschikbaar
195 --- E O F --- 2008-06-23 09:17:34
HijackThis:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:45:40, on 23-6-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nu.nl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://nl.intl.acer.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.nl/0SEN...S01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: (no name) - {A26D2720-B21F-4A82-9FB9-4477F5693BE2} - C:\WINDOWS\system32\dhcpsap.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zon...kr.cab56986.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zon...wn.cab56986.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zon...er.cab56986.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
--
End of file - 6425 bytes
Results of virustotal:
Bestand DEINSTEX.DLL ontvangen op 2008.06.23 20:47:20 (CET)
Huidig status: Laden ... In wachtrij Wachtende Aan het scannen Einde NIET GEVONDEN GESTOPT
Resultaat: 0/33 (0%)
Server informatie laden...
Je bestand is in de wachtrij geplaatst, plaats: ___.
De gemiddelde starttijd ligt tussen ___ en ___ .
Laat dit venster open tijdens het scannen.
De scanner die je bestand aan het verwerken was is gestopt, gelieve enkele seconden te wachten terwijl we proberen je resultaat te herstellen.
Indien u meer dan 5 minuten wachten dient U uw bestand opnieuw in te sturen.
Je bestand word op dit moment gescand door VirusTotal,
De resultaten worden weergegeven zodra ze beschikbaar zijn.
Geformatteerd Resultaten afdrukken
Je bestand is vervallen of bestaat niet.
De dienst is momenteel gestopt, je bestand staat in de wachtrij (plaats: ) voor een onbekende tijd.
Je kan deze pagina open houden en wachten (automatische refresh) of je kan je e-mailadres hieronder invullen en op "Aanvraag verzenden" klikken zodat je de resultaten per mail ontvangt.
E-mail:
Antivirus Versie Laatst geüpdatet Resultaat
AhnLab-V3 2008.6.22.0 2008.06.23 -
AntiVir 7.8.0.59 2008.06.23 -
Authentium 5.1.0.4 2008.06.21 -
Avast 4.8.1195.0 2008.06.23 -
AVG 7.5.0.516 2008.06.23 -
BitDefender 7.2 2008.06.23 -
CAT-QuickHeal 9.50 2008.06.23 -
ClamAV 0.93.1 2008.06.23 -
DrWeb 4.44.0.09170 2008.06.23 -
eSafe 7.0.15.0 2008.06.23 -
eTrust-Vet 31.6.5897 2008.06.23 -
Ewido 4.0 2008.06.23 -
F-Prot 4.4.4.56 2008.06.21 -
F-Secure 7.60.13501.0 2008.06.20 -
Fortinet 3.14.0.0 2008.06.23 -
GData 2.0.7306.1023 2008.06.23 -
Ikarus T3.1.1.26.0 2008.06.23 -
Kaspersky 7.0.0.125 2008.06.23 -
McAfee 5323 2008.06.23 -
Microsoft 1.3604 2008.06.23 -
NOD32v2 3210 2008.06.23 -
Norman 5.80.02 2008.06.23 -
Panda 9.0.0.4 2008.06.23 -
Prevx1 V2 2008.06.23 -
Rising 20.50.02.00 2008.06.23 -
Sophos 4.30.0 2008.06.23 -
Sunbelt 3.0.1153.1 2008.06.15 -
Symantec 10 2008.06.23 -
TheHacker 6.2.92.358 2008.06.21 -
TrendMicro 8.700.0.1004 2008.06.23 -
VBA32 3.12.6.8 2008.06.23 -
VirusBuster 4.5.11.0 2008.06.23 -
Webwasher-Gateway 6.6.2 2008.06.23 -
Extra informatie
File size: 24576 bytes
MD5...: 56a5968c1b81a52d5cc5b3a3530a6acd
SHA1..: 4d665747f05ad6ecaacb36adf9f75955351ccb2e
SHA256: a9be04db02659ea068347dce0213f1917ef1cb907a79f02332771c1980cfae4b
SHA512: 7707ce50c4a8289fcef12a8263a03645b967fff49d2f1690d9c879b7c77628d9
72b9e15b2474e5ebb1c6e6c17833c55f0eca9223e027a06e8997354c0c47d645
PEiD..: Armadillo v1.xx - v2.xx
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x100019c1
timedatestamp.....: 0x4109e036 (Fri Jul 30 05:44:22 2004)
machinetype.......: 0x14c (I386)
( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0xb16 0x1000 4.79 c9eea0af0e330abb0c9fdc2812d04695
.rdata 0x2000 0x5ab 0x1000 2.08 990bffe17cd2ba49e50f6b6ba503afbb
.data 0x3000 0x14dc 0x1000 1.45 1b370d825687eb24aca66668f8323869
.rsrc 0x5000 0x3f8 0x1000 1.05 a236941d1a6534fe8d7c5148e9af5290
.reloc 0x6000 0x1f6 0x1000 1.14 8d5ce2e4992f6f6d758fa4863fa8d83c
( 3 imports )
> MFC42.DLL: -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -
> MSVCRT.dll: __CxxFrameHandler, _EH_prolog, __2@YAPAXI@Z, __dllonexit, __1type_info@@UAE@XZ, _adjust_fdiv, malloc, _initterm, free, _onexit
> KERNEL32.dll: LocalFree, LocalAlloc, lstrcmpA
( 2 exports )
GetExtensionStatus, GetInstallDate
Thanks so much!!
greetings from the Netherlands
#8
Posted 23 June 2008 - 12:51 PM
thank you
#9
Posted 23 June 2008 - 01:01 PM
Were you watching Euro 2008 ? Holland were impressive
1. Please download The Avenger by Swandog46 to your Desktop.
- Click on Avenger.zip to open the file
- Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):
Files to delete:
C:\WINDOWS\system32\dhcpsap.dll
Drivers to delete:
sblkmqot
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
3. Now, start The Avenger program by clicking on its icon on your desktop.
- Under "Script file to execute" choose "Input Script Manually".
- Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
- Paste the text copied to clipboard into this window by pressing (Ctrl+V).
- Click Done
- Now click on the Green Light to begin execution of the script
- Answer "Yes" twice when prompted.
- It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
- On reboot, it will briefly open a black command window on your desktop, this is normal.
- After the restart, it creates a log file that should open with the results of Avengers actions. This log file will be located at C:\avenger.txt
- The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
#10
Posted 23 June 2008 - 01:12 PM
This is the avengerlog:
Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com
Platform: Windows XP
*******************
Script file opened successfully.
Script file read successfully.
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
Rootkit scan active.
No rootkits found!
File "C:\WINDOWS\system32\dhcpsap.dll" deleted successfully.
Driver "sblkmqot" deleted successfully.
Completed script processing.
*******************
Finished! Terminate.
Hijacklog:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:12:28, on 23-6-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\christa hertogh\Bureaublad\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nu.nl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://nl.intl.acer.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.nl/0SEN...S01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: (no name) - {A26D2720-B21F-4A82-9FB9-4477F5693BE2} - C:\WINDOWS\system32\dhcpsap.dll (file missing)
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zon...kr.cab56986.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zon...wn.cab56986.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zon...er.cab56986.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
--
End of file - 6655 bytes
thanks
#11
Posted 23 June 2008 - 01:22 PM
#12
Posted 23 June 2008 - 02:11 PM
1. Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below(if present):
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {A26D2720-B21F-4A82-9FB9-4477F5693BE2} - C:\WINDOWS\system32\dhcpsap.dll (file missing)
2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.
Please do an online scan with Kaspersky WebScanner
Click on Kaspersky Online Scanner and click Accept
You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
- The program will launch and then begin downloading the latest definition files:
- Once the files have been downloaded click on NEXT
- Now click on Scan Settings
- In the scan settings make that the following are selected:
- Scan using the following Anti-Virus database:
- Scan Options:
Scan Mail Bases - Click OK
- Now under select a target to scan:Select My Computer
- This will program will start and scan your system.
- The scan will take a while so be patient and let it run.
- Once the scan is complete it will display if your system has been infected.
- Now click on the Save as Text button:
- Save the file to your desktop.
- Copy and paste that information in your next post.
#13
Posted 24 June 2008 - 01:37 AM
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, June 24, 2008 9:35:18 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 24/06/2008
Kaspersky Anti-Virus database records: 881136
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
C:\
D:\
E:\
Scan Statistics:
Total number of scanned objects: 38288
Number of viruses found: 2
Number of infected objects: 2
Number of suspicious objects: 0
Duration of the scan process: 00:55:41
Infected Object Name / Virus Name / Last Action
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\drivers\tholvjks.dat Infected: Rootkit.Win32.Agent.aap skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{7C71021A-BE65-4D7C-B318-A8941D346E89}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\Log\avgwdsvc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\Log\avgwd.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\Log\avgsched.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\Log\avglng.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\Log\avgui.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\Log\avgcore.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\Log\avgrs.log Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Geschiedenis\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\christa hertogh\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\christa hertogh\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\christa hertogh\Local Settings\Temp\yduanszd.dat Infected: Rootkit.Win32.Agent.zw skipped
C:\Documents and Settings\christa hertogh\Local Settings\Geschiedenis\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\christa hertogh\Local Settings\Geschiedenis\History.IE5\MSHist012008062420080625\index.dat Object is locked skipped
C:\Documents and Settings\christa hertogh\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\christa hertogh\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\christa hertogh\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\christa hertogh\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\christa hertogh\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\christa hertogh\Cookies\index.dat Object is locked skipped
C:\System Volume Information\_restore{B4CDBF0C-D0A3-4919-B3EF-3EFEEA66D12A}\RP4\change.log Object is locked skipped
Scan process completed.
sorry for the late reply
#14
Posted 24 June 2008 - 07:11 AM
1. Please open Notepad
- Click Start , then Run
- Type notepad .exe in the Run Box.
http://www.geekstogo...se-t202628.html
Collect::
C:\WINDOWS\system32\drivers\tholvjks.dat
Suspect::
File::
C:\Documents and Settings\christa hertogh\Local Settings\Temp\yduanszd.dat
Folder::
Driver::
Registry::
3. Save the above as CFScript.txt
4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.
5. Additonally, ComboFix will generate the following files on your desktop
- A zipped file on your desktop called Submit [Date Time].zip
- And another file named - CF-Submit.htm
7. When CF has finished running, it will generate the ComboFix.log which will appear on your screen.
8. If CF-Submit.htm is detected, ComboFix will generate this message box:
Clicking OK will cause the machine's browser to load CF-Submit.htm
9. Click the "Browse" button and locate the Submit [Date Time].zip file on your desktop.
- Click on the file to Select it.
- Submit the file by clicking "OK"
11. Post the following reports/logs into your next reply:
- Combofix.txt
- A new HijackThis log (run after ComboFix has finished its work.)
Also tell me how your PC is running
#15
Posted 24 June 2008 - 07:45 AM
It didnīt create those 2 files but here are the logs:
ComboFix 08-06-20.4 - christa hertogh 2008-06-24 15:39:59.4 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1043.18.206 [GMT 2:00]
Gestart vanuit: C:\Documents and Settings\christa hertogh\Bureaublad\ComboFix.exe
Command switches used :: C:\Documents and Settings\christa hertogh\Bureaublad\CFScript.txt
* Nieuw herstelpunt werd aangemaakt
FILE ::
C:\Documents and Settings\christa hertogh\Local Settings\Temp\yduanszd.dat
.
(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\christa hertogh\Local Settings\Temp\yduanszd.dat
.
(((((((((((((((((((( Bestanden Gemaakt van 2008-05-24 to 2008-06-24 ))))))))))))))))))))))))))))))
.
2008-06-24 14:25 . 2008-06-24 14:25 <DIR> dr-h----- C:\Documents and Settings\christa hertogh\Onlangs geopend
2008-06-24 12:10 . 2008-06-24 12:10 <DIR> d-------- C:\Program Files\TuneUp Utilities 2008
2008-06-24 12:10 . 2008-06-24 12:10 <DIR> d-------- C:\Documents and Settings\christa hertogh\Application Data\TuneUp Software
2008-06-24 12:10 . 2008-06-24 12:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TuneUp Software
2008-06-24 12:10 . 2008-06-24 12:13 354,560 --a------ C:\WINDOWS\system32\TuneUpDefragService.exe
2008-06-24 12:10 . 2008-04-04 14:51 28,416 --a------ C:\WINDOWS\system32\uxtuneup.dll
2008-06-24 00:36 . 2008-06-24 00:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-06-24 00:35 . 2008-06-24 00:36 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-06-23 18:40 . 2008-06-23 18:40 161 --a------ C:\WINDOWS\DRVERASE.INI
2008-06-23 18:39 . 2008-06-23 18:42 24,576 --a------ C:\WINDOWS\system32\DEINSTEX.DLL
2008-06-23 14:55 . 2008-06-23 14:55 <DIR> d--h----- C:\$AVG8.VAULT$
2008-06-23 12:35 . 2008-06-23 12:35 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-06-23 12:35 . 2008-06-23 12:35 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-06-23 12:34 . 2008-06-23 12:34 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-06-23 12:34 . 2008-06-23 12:34 <DIR> d-------- C:\Program Files\AVG
2008-06-23 12:34 . 2008-06-23 12:34 <DIR> d-------- C:\Documents and Settings\christa hertogh\Application Data\AVGTOOLBAR
2008-06-23 12:34 . 2008-06-23 12:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-06-23 12:16 . 2008-06-23 12:16 <DIR> d-------- C:\Program Files\Lavasoft
2008-06-23 12:16 . 2008-06-23 12:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-23 12:14 . 2008-06-23 12:14 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-23 11:08 . 2008-06-23 11:08 <DIR> d-------- C:\WINDOWS\system32\nl-nl
2008-06-14 18:55 . 2008-06-14 20:00 272,640 --------- C:\WINDOWS\system32\dllcache\bthport.sys
.
((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-14 18:00 272,640 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-05-16 09:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\RMCast.sys
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\dllcache\rmcast.sys
2008-05-07 05:16 1,291,776 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-07 05:16 1,291,776 ----a-w C:\WINDOWS\system32\dllcache\quartz.dll
2008-04-29 09:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-04-29 09:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys
2008-04-29 09:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys
2008-04-21 07:03 474,624 ----a-w C:\WINDOWS\system32\dllcache\shlwapi.dll
2008-04-21 07:03 151,552 ----a-w C:\WINDOWS\system32\dllcache\cdfview.dll
2008-04-21 07:03 1,494,528 ----a-w C:\WINDOWS\system32\dllcache\shdocvw.dll
2008-04-21 07:03 1,057,280 ----a-w C:\WINDOWS\system32\dllcache\danim.dll
2008-04-21 07:03 1,023,488 ----a-w C:\WINDOWS\system32\dllcache\browseui.dll
2008-03-25 04:51 621,344 ----a-w C:\WINDOWS\system32\mswstr10.dll
2008-03-25 04:51 621,344 ----a-w C:\WINDOWS\system32\dllcache\mswstr10.dll
2008-03-25 04:51 183,072 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-25 04:51 183,072 ----a-w C:\WINDOWS\system32\dllcache\msjint40.dll
2007-08-17 16:12 18,432 ----a-w C:\Documents and Settings\christa hertogh\Application Data\internaldb41.dat
2007-08-17 16:11 382 ----a-w C:\Documents and Settings\christa hertogh\Application Data\internaldb6334.dat
2007-08-17 16:10 194 ----a-w C:\Documents and Settings\christa hertogh\Application Data\internaldb8467.dat
.
((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 12:54 5674352]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 05:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 05:00 455168]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-06-23 12:34 1177368]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-04-29 06:13 766041]
"BluetoothAuthenticationAgent"="bthprops.cpl,,BluetoothAuthenticationAgent" []
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 05:00 15360]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-03-27 15:58 1744896]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^Acer Empowering Technology.lnk]
path=C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\Acer Empowering Technology.lnk
backup=C:\WINDOWS\pss\Acer Empowering Technology.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^christa hertogh^Menu Start^Programma's^Opstarten^PrevxCSI.lnk]
path=C:\Documents and Settings\christa hertogh\Menu Start\Programma's\Opstarten\PrevxCSI.lnk
backup=C:\WINDOWS\pss\PrevxCSI.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acer ePresentation HPD]
C:\Acer\Empowering Technology\ePresentation\ePresentation.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
--a------ 2005-12-13 21:50 88204 C:\WINDOWS\AGRSMMSG.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
--a------ 2006-07-19 09:41 69632 C:\WINDOWS\Alcmtr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AzMixerSel]
--------- 2006-07-19 09:41 53248 C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eDataSecurity Loader]
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ePower_DMC]
C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eRecoveryService]
--a------ 2006-06-01 14:40 413696 C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
--a------ 2006-06-13 09:57 77824 C:\WINDOWS\system32\hkcmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
--a------ 2006-06-13 09:57 118784 C:\WINDOWS\system32\igfxpers.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
--a------ 2006-06-13 09:57 94208 C:\WINDOWS\system32\igfxtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
--a------ 2004-08-04 05:00 208952 C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2006-10-30 09:36 256576 C:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LaunchApp]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LManager]
C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ntiMUI]
C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
C:\Program Files\Acer\Acer Arcade\PCMService.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-10-25 18:58 282624 C:\Program Files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
--a------ 2006-07-19 09:42 16248320 C:\WINDOWS\RTHDCPL.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
--a------ 2006-07-19 09:42 2879488 C:\WINDOWS\SkyTel.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
-ra------ 2004-11-22 08:18 307200 c:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WarReg_PopUp]
--a------ 2006-09-23 13:08 61440 C:\Acer\WR_PopUp\WarReg_PopUp.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"MSPY2002"=C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
"PCSuiteTrayApplication"=C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\uTorrent\\utorrent.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-06-23 12:35]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-06-23 12:34]
R2 UxTuneUp;TuneUp Thema-uitbreiding;C:\WINDOWS\System32\svchost.exe [2004-08-04 05:00]
S3 lv321av;Logitech USB PC Camera (VC0321);C:\WINDOWS\system32\DRIVERS\lv321av.sys [2006-06-20 03:20]
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [2008-06-24 12:13]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
*Newly Created Service* - CATCHME
.
Inhoud van de 'Gedeelde Taken' map
"2008-06-24 10:10:50 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2008\OneClickStarter.exe
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-24 15:41:18
Windows 5.1.2600 Service Pack 2 FAT NTAPI
scannen van verborgen processen ...
scannen van verborgen autostart items ...
scannen van verborgen bestanden ...
Scan succesvol afgerond
verborgen bestanden: 0
**************************************************************************
.
Voltooingstijd: 2008-06-24 15:41:44
ComboFix-quarantined-files.txt 2008-06-24 13:41:42
Pre-Run: 16,070,311,936 bytes beschikbaar
Post-Run: 16,304,259,072 bytes beschikbaar
174 --- E O F --- 2008-06-24 01:02:11
Hijack:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:45:20, on 24-6-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nu.nl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://nl.intl.acer.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.nl/0SEN...S01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zon...kr.cab56986.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zon...wn.cab56986.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zon...er.cab56986.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
--
End of file - 6270 bytes
let me know if the computer is ok.
Similar Topics
0 user(s) are reading this topic
0 members, 0 guests, 0 anonymous users