PC very slow suddenly [RESOLVED]


  • This topic is locked

#1
Sven89

    Member

  • Member
  • 17 posts
Hi,

I'm having very weird problems. I purchased this PC system in, I think, August and it was running really well.
It had 1 GB RAM in it and the only changes I made recently were to put 1 GB more RAM in it, and also I put the
case on my desk instead of underneath it..

But now for a couple of days it's been running REALLY slow.. But I mean really slow, like sometimes I have to wait like 3 minutes to close a program...
Also I'm having these blue screens show up all of a sudden, mostly saying something with this file in it: wmp54gv41x86.sys

And then I restart manually, and I get stuff saying that some DLL files (I remember rqoljih.dll and ssqro.dll) could not be loaded, and then the PC runs
normally (still slower than usual though).

I did several Spyware Search and Destroy scans, and also tried to run a BullGuard scan, but I get the blue screen most of the time when I do it..

If someone could help me it would be really great, because I don't know what to do..

Here's my log :

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:58:30, on 2/02/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16575)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\BullGuard Software\BullGuard\BullGuard.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Windows\System32\spool\drivers\w32x86\3\CAPM2LAK.EXE
C:\Windows\System32\spool\drivers\w32x86\3\CAPM2SWK.EXE
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\Explorer.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\SearchFilterHost.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.17.239.253:8888->United States(anonymous)
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local;*.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O1 - Hosts: 82.98.86.177 rantbug.com
O1 - Hosts: 82.98.86.163 jubuporno.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [BullGuard] "C:\Program Files\BullGuard Software\BullGuard\bullguard.exe" -boot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\rqoljih.dll,#1
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [BullGuard] "C:\Program Files\BullGuard Software\BullGuard\bullguard.exe"
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\\Steam.exe -silent
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\BVBANA~1\AppData\Local\Temp\ssqro.dll,#1
O4 - HKCU\..\Run: [scheduler_monitor] C:\Program Files\ReaConverter 5.0 Pro\init_scheduler.exe
O4 - HKCU\..\Run: [84824419] rundll32.exe "C:\Users\BVBANA~1\AppData\Local\Temp\hkeunyyt.dll",b
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\BVBANA~1\AppData\Local\Temp\jkkjk.dll,c
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Fenêtre d'état de Canon iR1200-1300.LNK = C:\Windows\System32\spool\drivers\w32x86\3\CAPM2LAK.EXE
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\Windows\system32\Shdocvw.dll
O13 - Gopher Prefix:
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zon...ro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zon...ss.cab57176.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....15031/CTPID.cab
O23 - Service: BullGuard LiveUpdate (BGLiveSvc) - BullGuard Software - C:\Program Files\BullGuard Software\BullGuard\BullGuardUpdate.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CT Device Query service (CTDevice_Srv) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTDevSrv.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: perfmons Service (perfmons) - Unknown owner - C:\Windows\system32\perfs.exe
O23 - Service: ReaConverter scheduler service (rcp_service) - ReaSoft - C:\Program Files\ReaConverter 5.0 Pro\rcp_scheduler.exe
O23 - Service: Routing Service (Routing) - Unknown owner - C:\Windows\system32\routing.exe (file missing)
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe

--
End of file - 7484 bytes
  • 0


#2
kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Hello Sven89

Welcome to G2Go. :)
================
The blue screen you are getting seems to be related to a linksys wireless card or software.
That particular driver is probably not compatible with vista.
I would uninstall that utility.
Use your wired connection if you can't get it sorted out.
=====================================
You do have some infections present.
So Please download ComboFix from Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**
  • 0

#3
Sven89

    Member

  • Topic Starter
  • Member
  • 17 posts
Hi,

thanks a lot for your help,

it seems faster already... It's still a little slower than usual but that's probably due to the lack of space on my hard drive?

This is the ComboFix log (I'm sorry, it's in Dutch...)

ComboFix 08-02.02.5 - BVBA Naudts 2008-02-02 18:48:15.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1043.18.1025 [GMT 1:00]
Gestart vanuit: C:\Users\BVBA Naudts\Desktop\ComboFix.exe
* Nieuw herstelpunt werd aangemaakt
.

(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Users\BVBA Naudts\AppData\Roaming\inst.exe
C:\Users\BVBA Naudts\AppData\Roaming\macromedia\Flash Player\#SharedObjects\YH9LATZU\www.broadcaster.com
C:\Users\BVBA Naudts\AppData\Roaming\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Users\BVBA Naudts\AppData\Roaming\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\Windows\system32\byxxxwt.dll
C:\Windows\system32\ljhgfgh.dll
C:\Windows\system32\opnmlli.dll
C:\Windows\system32\pmnkiih.dll
C:\Windows\system32\qomlkll.dll
C:\Windows\system32\rqoljih.dll

.
(((((((((((((((((((( Bestanden Gemaakt van 2008-01-02 to 2008-02-02 ))))))))))))))))))))))))))))))
.

Geen nieuwe bestanden aangemaakt in deze periode

.
((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-02 17:48 --------- d-----w C:\Users\BVBA Naudts\AppData\Roaming\uTorrent
2008-02-02 12:42 --------- d-----w C:\ProgramData\BullGuard
2008-02-01 20:56 --------- d-----w C:\Program Files\Picture Resize Genius
2008-02-01 20:55 --------- d-----w C:\Program Files\PartyGaming
2008-02-01 20:52 --------- d-----w C:\Program Files\Secret Maryo Chronicles
2008-02-01 20:48 --------- d-----w C:\Program Files\Total Video Converter
2008-01-27 18:03 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-27 12:33 --------- d-----w C:\Users\BVBA Naudts\AppData\Roaming\MegauploadToolbar
2008-01-27 12:33 --------- d-----w C:\Program Files\MegauploadToolbar
2008-01-22 17:25 --------- d-----w C:\Users\BVBA Naudts\AppData\Roaming\RCP 5
2008-01-22 17:18 --------- d-----w C:\Program Files\ReaConverter 5.0 Pro
2008-01-21 20:34 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-20 23:19 253,952 ----a-w C:\Windows\System32\andt.sys
2008-01-20 23:19 --------- d-----w C:\Program Files\ElcomSoft
2008-01-20 23:17 --------- d-----w C:\Program Files\RAR Password Cracker
2008-01-20 20:32 32,256 ----a-w C:\Windows\System32\routing.exe
2008-01-16 23:43 --------- d-----w C:\Users\BVBA Naudts\AppData\Roaming\Wormux
2008-01-16 23:30 --------- d-----w C:\Users\BVBA Naudts\AppData\Roaming\smc
2008-01-15 23:01 253,952 ----a-w C:\Windows\System32\ndt2.sys
2008-01-14 17:30 --------- d---a-w C:\ProgramData\TEMP
2008-01-14 16:48 --------- d-----w C:\Program Files\NoAdware5.0
2008-01-13 21:57 --------- d-----w C:\Program Files\Audacity
2008-01-12 20:14 --------- d-----w C:\Program Files\LSoft Technologies
2008-01-10 22:22 --------- d-----w C:\Program Files\Windows Sidebar
2008-01-10 22:22 --------- d-----w C:\Program Files\Windows Mail
2008-01-10 20:16 --------- d-----w C:\ProgramData\FLEXnet
2008-01-10 16:22 802,816 ----a-w C:\Windows\system32\drivers\tcpip.sys
2008-01-10 16:22 24,064 ----a-w C:\Windows\System32\netcfg.exe
2008-01-10 16:22 22,016 ----a-w C:\Windows\System32\netiougc.exe
2008-01-10 16:22 216,760 ----a-w C:\Windows\system32\drivers\netio.sys
2008-01-10 16:22 167,424 ----a-w C:\Windows\System32\tcpipcfg.dll
2008-01-10 16:21 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-01-10 16:21 449,024 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-01-10 16:21 4,247,552 ----a-w C:\Windows\System32\GameUXLegacyGDFs.dll
2008-01-10 16:21 2,143,744 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-01-10 16:21 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-01-10 16:21 1,686,016 ----a-w C:\Windows\System32\gameux.dll
2008-01-10 16:20 45,112 ----a-w C:\Windows\system32\drivers\pciidex.sys
2008-01-10 16:20 211,000 ----a-w C:\Windows\system32\drivers\volsnap.sys
2008-01-10 16:20 21,560 ----a-w C:\Windows\system32\drivers\atapi.sys
2008-01-10 16:20 17,464 ----a-w C:\Windows\system32\drivers\intelide.sys
2008-01-10 16:20 154,624 ----a-w C:\Windows\system32\drivers\nwifi.sys
2008-01-10 16:20 15,928 ----a-w C:\Windows\system32\drivers\pciide.sys
2008-01-10 16:20 11,776 ----a-w C:\Windows\System32\sbunattend.exe
2008-01-10 16:20 109,624 ----a-w C:\Windows\system32\drivers\ataport.sys
2008-01-10 16:20 1,060,920 ----a-w C:\Windows\system32\drivers\ntfs.sys
2008-01-09 14:35 --------- d-----w C:\Program Files\ParallelGraphics
2008-01-09 14:35 --------- d-----w C:\Program Files\Common Files\ParallelGraphics
2008-01-09 14:30 --------- d-----w C:\Program Files\Room Arranger
2008-01-04 12:27 --------- d-----w C:\Users\BVBA Naudts\AppData\Roaming\Vso
2007-12-23 23:48 --------- d-----w C:\ProgramData\NVIDIA
2007-12-23 10:59 --------- d-----w C:\Program Files\SpeeDefrag
2007-12-21 15:24 --------- d-----w C:\Program Files\MSN Messenger
2007-12-21 15:24 --------- d-----w C:\Program Files\Messenger Plus! Live
2007-12-16 17:40 86,016 ----a-w C:\Windows\System32\OpenAL32.dll
2007-12-16 17:40 262,144 ----a-w C:\Windows\System32\wrap_oal.dll
2007-12-15 20:31 --------- d-----w C:\Program Files\Agogo Video to iPod PSP 3GP Xbox PPC PDA MP4
2007-12-15 14:24 --------- d-----w C:\Program Files\BitTorrent
2007-12-15 12:48 --------- d-----w C:\Program Files\uTorrent
2007-12-15 00:09 --------- d-----w C:\Users\BVBA Naudts\AppData\Roaming\BitTorrent
2007-12-13 14:19 --------- d-----w C:\Program Files\Real
2007-12-13 14:19 --------- d-----w C:\Program Files\Philips ToUcam Camera
2007-12-13 14:19 --------- d-----w C:\Program Files\Common Files\Real
2007-12-13 07:31 1,327,104 ----a-w C:\Windows\System32\quartz.dll
2007-12-13 07:30 9,728 ----a-w C:\Windows\System32\LAPRXY.DLL
2007-12-13 07:30 223,232 ----a-w C:\Windows\System32\WMASF.DLL
2007-12-13 07:29 824,832 ----a-w C:\Windows\System32\wininet.dll
2007-12-13 07:29 56,320 ----a-w C:\Windows\System32\iesetup.dll
2007-12-13 07:29 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
2007-12-13 07:29 26,624 ----a-w C:\Windows\System32\ieUnatt.exe
2007-12-13 07:28 84,992 ----a-w C:\Windows\system32\drivers\srvnet.sys
2007-12-13 07:28 58,368 ----a-w C:\Windows\system32\drivers\mrxsmb20.sys
2007-12-13 07:28 130,048 ----a-w C:\Windows\system32\drivers\srv2.sys
2007-12-13 07:28 101,888 ----a-w C:\Windows\system32\drivers\mrxsmb.sys
2007-12-13 07:26 3,504,824 ----a-w C:\Windows\System32\ntkrnlpa.exe
2007-12-13 07:26 3,470,520 ----a-w C:\Windows\System32\ntoskrnl.exe
2007-12-12 22:23 --------- d-----w C:\Program Files\Screen Recorder
2007-12-12 21:27 --------- d-----w C:\Program Files\Common Files\sndm360
2007-12-12 21:14 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-12-12 13:34 --------- d-----w C:\Program Files\steam
2007-12-11 15:26 --------- d-----w C:\Program Files\Common Files\Steam
2007-12-09 00:27 --------- d-----w C:\Users\BVBA Naudts\AppData\Roaming\Media Player Classic
2007-12-07 21:01 --------- d-----w C:\Users\BVBA Naudts\AppData\Roaming\dvdcss
2007-12-06 00:00 --------- d-----w C:\Program Files\Foto Nelissen Viewer
2007-11-19 16:37 45,056 ----a-w C:\Windows\System32\Indt2.sys
2007-11-18 07:51 1,244,672 ----a-w C:\Windows\System32\mcmde.dll
2007-11-16 11:56 704,000 ----a-w C:\Windows\System32\PhotoScreensaver.scr
2007-11-16 11:56 67,584 ----a-w C:\Windows\System32\wlanhlp.dll
2007-11-16 11:56 542,720 ----a-w C:\Windows\System32\sysmain.dll
2007-11-16 11:56 502,784 ----a-w C:\Windows\System32\wlansvc.dll
2007-11-16 11:56 47,104 ----a-w C:\Windows\System32\wlanapi.dll
2007-11-16 11:56 297,984 ----a-w C:\Windows\System32\wlansec.dll
2007-11-16 11:56 290,816 ----a-w C:\Windows\System32\wlanmsm.dll
2007-11-16 11:56 24,064 ----a-w C:\Windows\System32\wtsapi32.dll
2007-11-16 11:56 2,923,520 ----a-w C:\Windows\explorer.exe
2007-11-16 11:56 2,027,008 ----a-w C:\Windows\System32\win32k.sys
2007-11-16 11:53 8,704 ----a-w C:\Windows\System32\hcrstco.dll
2007-11-16 11:53 8,704 ----a-w C:\Windows\System32\hccoin.dll
2007-08-31 12:10 174 --sha-w C:\Program Files\desktop.ini
2007-08-07 14:54 87,608 ----a-w C:\Users\BVBA Naudts\AppData\Roaming\ezpinst.exe
.

((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-10 17:20 1232896]
"BullGuard"="C:\Program Files\BullGuard Software\BullGuard\bullguard.exe" [2007-10-19 16:43 308552]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2006-11-02 13:35 125440]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-12-23 18:05 143360]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 11:54 5674352]
"Steam"="C:\Program Files\Valve\Steam\\Steam.exe" [2007-12-05 20:47 1266936]
"uTorrent"="C:\Program Files\uTorrent\uTorrent.exe" [2007-12-15 13:48 219952]
"scheduler_monitor"="C:\Program Files\ReaConverter 5.0 Pro\init_scheduler.exe" [2007-06-15 10:17 27136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2007-04-12 18:33 1006264]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 15:40 155648]
"BullGuard"="C:\Program Files\BullGuard Software\BullGuard\bullguard.exe" [2007-10-19 16:43 308552]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-09-12 05:28 86016]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-09-12 05:28 8497696]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-09-12 05:28 81920]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-03-22 14:29:22 113664]
Fenêtre d'état de Canon iR1200-1300.LNK - C:\Windows\System32\spool\drivers\w32x86\3\CAPM2LAK.EXE [2004-12-02 23:07:51 30720]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MessengerPlus3"="C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"MessengerPlus3"="C:\Program Files\MessengerPlus! 3\MsgPlus.exe"

R2 BdFileSpy;BullGuard File Monitor Driver;C:\Windows\system32\drivers\BdFileSpy.sys [2007-10-19 16:43]
R2 BsFileScan;BullGuard File Scan Service;C:\Windows\System32\svchost.exe [2006-11-02 10:45]
R2 perfmons;perfmons Service;C:\Windows\system32\perfs.exe [2006-11-02 10:46]
R2 RapidPortM2;RapidPortM2;C:\Windows\system32\Drivers\CAPM2LP.SYS [2002-08-07 16:00]
R2 Routing;Routing Service;C:\Windows\system32\routing.exe [2008-01-20 21:32]
R3 camvid20;Philips ToUcam Camera; Video;C:\Windows\system32\DRIVERS\camdrv21.sys []
R3 Reconn;BullGuard Email Monitor;C:\Program Files\BullGuard Software\BullGuard\reconn.sys [2007-01-27 11:06]
R3 rt61x86;Linksys Wireless-G PCI Adapter Driver;C:\Windows\system32\DRIVERS\WMP54Gv41x86.sys [2007-03-12 10:00]
R3 RTL8169;Realtek 8169 NT Driver;C:\Windows\system32\DRIVERS\Rtlh86.sys [2006-11-02 08:30]
S3 libusb0;LibUsb-Win32 - Kernel Driver 11/20/2005, 20051120;C:\Windows\system32\DRIVERS\libusb0.sys [2007-05-11 00:12]
S3 rcp_service;ReaConverter scheduler service;C:\Program Files\ReaConverter 5.0 Pro\rcp_scheduler.exe [2007-11-30 11:27]
S3 Steam Client Service;Steam Client Service;C:\Program Files\Common Files\Steam\SteamService.exe [2007-12-05 20:48]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
BullGuard REG_MULTI_SZ BgMainSvc BsFileScan BsMailProxy

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\shell\AutoRun\command - G:\autoplay.exe

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-02 18:51:55
Windows 6.0.6000 NTFS

scannen van verborgen processen ...

scannen van verborgen autostart items ...

scannen van verborgen bestanden ...

Scan succesvol afgerond
verborgen bestanden: 0

**************************************************************************
.
Voltooingstijd: 2008-02-02 18:54:01
ComboFix-quarantined-files.txt 2008-02-02 17:53:59
.
2008-02-01 16:56:58 --- E O F ---



THIS IS THE HIJACKTHIS LOG NOW


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:01:29, on 2/02/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16575)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\BullGuard Software\BullGuard\BullGuard.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Windows\System32\spool\drivers\w32x86\3\CAPM2LAK.EXE
C:\Windows\System32\spool\drivers\w32x86\3\CAPM2SWK.EXE
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\conime.exe
C:\Windows\explorer.exe
C:\Windows\system32\notepad.exe
C:\Windows\system32\SearchFilterHost.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.17.239.253:8888->United States(anonymous)
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local;*.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O1 - Hosts: 82.98.86.177 rantbug.com
O1 - Hosts: 82.98.86.163 jubuporno.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [BullGuard] "C:\Program Files\BullGuard Software\BullGuard\bullguard.exe" -boot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [BullGuard] "C:\Program Files\BullGuard Software\BullGuard\bullguard.exe"
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\\Steam.exe -silent
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [scheduler_monitor] C:\Program Files\ReaConverter 5.0 Pro\init_scheduler.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Fenêtre d'état de Canon iR1200-1300.LNK = C:\Windows\System32\spool\drivers\w32x86\3\CAPM2LAK.EXE
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\Windows\system32\Shdocvw.dll
O13 - Gopher Prefix:
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zon...ro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zon...ss.cab57176.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....15031/CTPID.cab
O23 - Service: BullGuard LiveUpdate (BGLiveSvc) - BullGuard Software - C:\Program Files\BullGuard Software\BullGuard\BullGuardUpdate.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CT Device Query service (CTDevice_Srv) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTDevSrv.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: perfmons Service (perfmons) - Unknown owner - C:\Windows\system32\perfs.exe
O23 - Service: ReaConverter scheduler service (rcp_service) - ReaSoft - C:\Program Files\ReaConverter 5.0 Pro\rcp_scheduler.exe
O23 - Service: Routing Service (Routing) - Unknown owner - C:\Windows\system32\routing.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe

--
End of file - 6744 bytes
  • 0
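The triage kahdah does by eye in #2 ("You do have some infections present") and the before/after comparison that the second HijackThis log in #3 invites can both be automated. The script below is an added example written for this page; it is not code from the thread, from Trend Micro's HijackThis or from ComboFix. It keeps only the R*/O* entry lines of a HijackThis log, flags the patterns that stand out in the logs above (rundll32 loading a DLL from the user's Temp folder or calling an ordinal/one-letter export, hosts-file entries other than localhost, services with "Unknown owner", a proxy set under HKCU) and diffs two scans to show which entries disappeared. The sample logs are excerpts of the two logs posted in #1 and #3, trimmed to the relevant lines; the rule set is this example's own heuristic, not HijackThis's classification.

```python
"""Triage HijackThis-style log entries and diff two scans.

Added example for this thread; not code from HijackThis, ComboFix or the
posters. The rules below are this example's own heuristics, chosen from the
entries that stood out in the logs posted above.
"""
import re

# Excerpts of the two logs posted in the thread (#1 before ComboFix, #3 after),
# trimmed to the lines the rules care about. Paths and names are as posted.
BEFORE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\Windows\system32\Dwm.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.17.239.253:8888->United States(anonymous)
O1 - Hosts: ::1 localhost
O1 - Hosts: 82.98.86.177 rantbug.com
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\rqoljih.dll,#1
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\BVBANA~1\AppData\Local\Temp\ssqro.dll,#1
O4 - HKCU\..\Run: [84824419] rundll32.exe "C:\Users\BVBANA~1\AppData\Local\Temp\hkeunyyt.dll",b
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\BVBANA~1\AppData\Local\Temp\jkkjk.dll,c
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O23 - Service: perfmons Service (perfmons) - Unknown owner - C:\Windows\system32\perfs.exe
O23 - Service: Routing Service (Routing) - Unknown owner - C:\Windows\system32\routing.exe (file missing)
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
"""

AFTER_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.17.239.253:8888->United States(anonymous)
O1 - Hosts: ::1 localhost
O1 - Hosts: 82.98.86.177 rantbug.com
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O23 - Service: perfmons Service (perfmons) - Unknown owner - C:\Windows\system32\perfs.exe
O23 - Service: Routing Service (Routing) - Unknown owner - C:\Windows\system32\routing.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
"""

ENTRY = re.compile(r"^[RO]\d+ - ")                      # R0/R1/O1/O4/O23... entry lines
RUNDLL = re.compile(r'rundll32\.exe\s+"?(?P<dll>[^",]+)"?,(?P<entry>\S+)', re.IGNORECASE)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
WEAK_ENTRY = re.compile(r"^(#\d+|[A-Za-z])$")           # ordinal (#1) or one-letter export


def parse_entries(log_text):
    """Keep only the R*/O* entry lines; the header and process list are skipped."""
    return [ln.strip() for ln in log_text.splitlines() if ENTRY.match(ln.strip())]


def triage(log_text):
    """Return (reason, entry) pairs for entries that warrant a second look."""
    findings = []
    for entry in parse_entries(log_text):
        if entry.startswith("O1 - Hosts:"):
            fields = entry.split("Hosts:", 1)[1].split()
            # Anything but the loopback name is a redirect the user did not ask for.
            if len(fields) == 2 and fields[1].lower() != "localhost":
                findings.append(("hosts-file redirect", entry))
        elif entry.startswith("O4 - "):
            m = RUNDLL.search(entry)
            if not m:
                continue
            if TEMP_DIR.search(m.group("dll")):
                findings.append(("rundll32 loads a DLL from the user's Temp folder", entry))
            elif WEAK_ENTRY.match(m.group("entry")):
                findings.append(("rundll32 calls an ordinal or one-letter export", entry))
        elif entry.startswith("O23 - Service:") and "Unknown owner" in entry:
            findings.append(("service binary with no publisher", entry))
        elif "Internet Settings,ProxyServer =" in entry and entry.split("=", 1)[1].strip():
            findings.append(("proxy configured under HKCU; confirm it is intended", entry))
    return findings


def diff_logs(before_text, after_text):
    """Entries that vanished between two scans, and entries that appeared."""
    before, after = set(parse_entries(before_text)), set(parse_entries(after_text))
    return sorted(before - after), sorted(after - before)


if __name__ == "__main__":
    print("== first scan ==")
    for reason, entry in triage(BEFORE_LOG):
        print(f"[{reason}] {entry}")
    removed, added = diff_logs(BEFORE_LOG, AFTER_LOG)
    print(f"\n{len(removed)} entries gone after ComboFix, {len(added)} new/changed")
    print("\n== still flagged in second scan ==")
    for reason, entry in triage(AFTER_LOG):
        print(f"[{reason}] {entry}")
```

Run against the two excerpts, the second pass still flags the perfmons and Routing services, which is exactly what the CFScript in the next reply removes; the four rundll32 entries and the orphaned BHO are the ones ComboFix's automatic pass already took out. Keep the Temp-folder rule ahead of the export-name rule, since a DLL started from %Temp% is the stronger signal regardless of how it is invoked.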

#4
kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\Windows\System32\andt.sys
C:\Windows\System32\Indt2.sys
C:\Windows\system32\routing.exe 
C:\Windows\system32\perfs.exe
C:\Users\BVBA Naudts\AppData\Roaming\ezpinst.exe
Driver::
Routing
perfmons


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

  • 0

#5
Sven89

    Member

  • Topic Starter
  • Member
  • 17 posts
Thanks for your help,

I've done what you said and this is the log I'm getting from ComboFix

ComboFix 08-02.02.5 - BVBA Naudts 2008-02-02 20:04:38.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1043.18.1063 [GMT 1:00]
Gestart vanuit: C:\Users\BVBA Naudts\Desktop\ComboFix.exe
Command switches used :: C:\Users\BVBA Naudts\Desktop\CFScript.txt
* Nieuw herstelpunt werd aangemaakt

FILE
C:\Users\BVBA Naudts\AppData\Roaming\ezpinst.exe
C:\Windows\System32\andt.sys
C:\Windows\System32\Indt2.sys
C:\Windows\system32\perfs.exe
C:\Windows\system32\routing.exe
.

(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Users\BVBA Naudts\AppData\Roaming\ezpinst.exe
C:\Windows\System32\andt.sys
C:\Windows\System32\Indt2.sys
C:\Windows\system32\perfs.exe
C:\Windows\system32\routing.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\perfmons
-------\Routing


(((((((((((((((((((( Bestanden Gemaakt van 2008-01-02 to 2008-02-02 ))))))))))))))))))))))))))))))
.

Geen nieuwe bestanden aangemaakt in deze periode

.
((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-02 19:11 --------- d-----w C:\ProgramData\BullGuard
2008-02-02 19:08 --------- d-----w C:\Users\BVBA Naudts\AppData\Roaming\uTorrent
2008-02-01 20:56 --------- d-----w C:\Program Files\Picture Resize Genius
2008-02-01 20:55 --------- d-----w C:\Program Files\PartyGaming
2008-02-01 20:52 --------- d-----w C:\Program Files\Secret Maryo Chronicles
2008-02-01 20:48 --------- d-----w C:\Program Files\Total Video Converter
2008-01-27 18:03 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-27 12:33 --------- d-----w C:\Users\BVBA Naudts\AppData\Roaming\MegauploadToolbar
2008-01-27 12:33 --------- d-----w C:\Program Files\MegauploadToolbar
2008-01-22 17:25 --------- d-----w C:\Users\BVBA Naudts\AppData\Roaming\RCP 5
2008-01-22 17:18 --------- d-----w C:\Program Files\ReaConverter 5.0 Pro
2008-01-21 20:34 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-20 23:19 --------- d-----w C:\Program Files\ElcomSoft
2008-01-20 23:17 --------- d-----w C:\Program Files\RAR Password Cracker
2008-01-16 23:43 --------- d-----w C:\Users\BVBA Naudts\AppData\Roaming\Wormux
2008-01-16 23:30 --------- d-----w C:\Users\BVBA Naudts\AppData\Roaming\smc
2008-01-15 23:01 253,952 ----a-w C:\Windows\System32\ndt2.sys
2008-01-14 17:30 --------- d---a-w C:\ProgramData\TEMP
2008-01-14 16:48 --------- d-----w C:\Program Files\NoAdware5.0
2008-01-13 21:57 --------- d-----w C:\Program Files\Audacity
2008-01-12 20:14 --------- d-----w C:\Program Files\LSoft Technologies
2008-01-10 22:22 --------- d-----w C:\Program Files\Windows Sidebar
2008-01-10 22:22 --------- d-----w C:\Program Files\Windows Mail
2008-01-10 20:16 --------- d-----w C:\ProgramData\FLEXnet
2008-01-10 16:22 802,816 ----a-w C:\Windows\system32\drivers\tcpip.sys
2008-01-10 16:22 24,064 ----a-w C:\Windows\System32\netcfg.exe
2008-01-10 16:22 22,016 ----a-w C:\Windows\System32\netiougc.exe
2008-01-10 16:22 216,760 ----a-w C:\Windows\system32\drivers\netio.sys
2008-01-10 16:22 167,424 ----a-w C:\Windows\System32\tcpipcfg.dll
2008-01-10 16:21 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-01-10 16:21 449,024 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-01-10 16:21 4,247,552 ----a-w C:\Windows\System32\GameUXLegacyGDFs.dll
2008-01-10 16:21 2,143,744 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-01-10 16:21 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-01-10 16:21 1,686,016 ----a-w C:\Windows\System32\gameux.dll
2008-01-10 16:20 45,112 ----a-w C:\Windows\system32\drivers\pciidex.sys
2008-01-10 16:20 211,000 ----a-w C:\Windows\system32\drivers\volsnap.sys
2008-01-10 16:20 21,560 ----a-w C:\Windows\system32\drivers\atapi.sys
2008-01-10 16:20 17,464 ----a-w C:\Windows\system32\drivers\intelide.sys
2008-01-10 16:20 154,624 ----a-w C:\Windows\system32\drivers\nwifi.sys
2008-01-10 16:20 15,928 ----a-w C:\Windows\system32\drivers\pciide.sys
2008-01-10 16:20 11,776 ----a-w C:\Windows\System32\sbunattend.exe
2008-01-10 16:20 109,624 ----a-w C:\Windows\system32\drivers\ataport.sys
2008-01-10 16:20 1,060,920 ----a-w C:\Windows\system32\drivers\ntfs.sys
2008-01-09 14:35 --------- d-----w C:\Program Files\ParallelGraphics
2008-01-09 14:35 --------- d-----w C:\Program Files\Common Files\ParallelGraphics
2008-01-09 14:30 --------- d-----w C:\Program Files\Room Arranger
2008-01-04 12:27 --------- d-----w C:\Users\BVBA Naudts\AppData\Roaming\Vso
2007-12-23 23:48 --------- d-----w C:\ProgramData\NVIDIA
2007-12-23 10:59 --------- d-----w C:\Program Files\SpeeDefrag
2007-12-21 15:24 --------- d-----w C:\Program Files\MSN Messenger
2007-12-21 15:24 --------- d-----w C:\Program Files\Messenger Plus! Live
2007-12-16 17:40 86,016 ----a-w C:\Windows\System32\OpenAL32.dll
2007-12-16 17:40 262,144 ----a-w C:\Windows\System32\wrap_oal.dll
2007-12-15 20:31 --------- d-----w C:\Program Files\Agogo Video to iPod PSP 3GP Xbox PPC PDA MP4
2007-12-15 14:24 --------- d-----w C:\Program Files\BitTorrent
2007-12-15 12:48 --------- d-----w C:\Program Files\uTorrent
2007-12-15 00:09 --------- d-----w C:\Users\BVBA Naudts\AppData\Roaming\BitTorrent
2007-12-13 14:19 --------- d-----w C:\Program Files\Real
2007-12-13 14:19 --------- d-----w C:\Program Files\Philips ToUcam Camera
2007-12-13 14:19 --------- d-----w C:\Program Files\Common Files\Real
2007-12-13 07:31 1,327,104 ----a-w C:\Windows\System32\quartz.dll
2007-12-13 07:30 9,728 ----a-w C:\Windows\System32\LAPRXY.DLL
2007-12-13 07:30 223,232 ----a-w C:\Windows\System32\WMASF.DLL
2007-12-13 07:29 824,832 ----a-w C:\Windows\System32\wininet.dll
2007-12-13 07:29 56,320 ----a-w C:\Windows\System32\iesetup.dll
2007-12-13 07:29 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
2007-12-13 07:29 26,624 ----a-w C:\Windows\System32\ieUnatt.exe
2007-12-13 07:28 84,992 ----a-w C:\Windows\system32\drivers\srvnet.sys
2007-12-13 07:28 58,368 ----a-w C:\Windows\system32\drivers\mrxsmb20.sys
2007-12-13 07:28 130,048 ----a-w C:\Windows\system32\drivers\srv2.sys
2007-12-13 07:28 101,888 ----a-w C:\Windows\system32\drivers\mrxsmb.sys
2007-12-13 07:26 3,504,824 ----a-w C:\Windows\System32\ntkrnlpa.exe
2007-12-13 07:26 3,470,520 ----a-w C:\Windows\System32\ntoskrnl.exe
2007-12-12 22:23 --------- d-----w C:\Program Files\Screen Recorder
2007-12-12 21:27 --------- d-----w C:\Program Files\Common Files\sndm360
2007-12-12 21:14 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-12-12 13:34 --------- d-----w C:\Program Files\steam
2007-12-11 15:26 --------- d-----w C:\Program Files\Common Files\Steam
2007-12-09 00:27 --------- d-----w C:\Users\BVBA Naudts\AppData\Roaming\Media Player Classic
2007-12-07 21:01 --------- d-----w C:\Users\BVBA Naudts\AppData\Roaming\dvdcss
2007-12-06 00:00 --------- d-----w C:\Program Files\Foto Nelissen Viewer
2007-11-18 07:51 1,244,672 ----a-w C:\Windows\System32\mcmde.dll
2007-11-16 11:56 704,000 ----a-w C:\Windows\System32\PhotoScreensaver.scr
2007-11-16 11:56 67,584 ----a-w C:\Windows\System32\wlanhlp.dll
2007-11-16 11:56 542,720 ----a-w C:\Windows\System32\sysmain.dll
2007-11-16 11:56 502,784 ----a-w C:\Windows\System32\wlansvc.dll
2007-11-16 11:56 47,104 ----a-w C:\Windows\System32\wlanapi.dll
2007-11-16 11:56 297,984 ----a-w C:\Windows\System32\wlansec.dll
2007-11-16 11:56 290,816 ----a-w C:\Windows\System32\wlanmsm.dll
2007-11-16 11:56 24,064 ----a-w C:\Windows\System32\wtsapi32.dll
2007-11-16 11:56 2,923,520 ----a-w C:\Windows\explorer.exe
2007-11-16 11:56 2,027,008 ----a-w C:\Windows\System32\win32k.sys
2007-11-16 11:53 8,704 ----a-w C:\Windows\System32\hcrstco.dll
2007-11-16 11:53 8,704 ----a-w C:\Windows\System32\hccoin.dll
2007-08-31 12:10 174 --sha-w C:\Program Files\desktop.ini
2007-08-07 14:54 47,360 ----a-w C:\Users\BVBA Naudts\AppData\Roaming\pcouffin.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Note* empty entries & legitimate default entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-10 17:20 1232896]
"BullGuard"="C:\Program Files\BullGuard Software\BullGuard\bullguard.exe" [2007-10-19 16:43 308552]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2006-11-02 13:35 125440]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-12-23 18:05 143360]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 11:54 5674352]
"Steam"="C:\Program Files\Valve\Steam\\Steam.exe" [2007-12-05 20:47 1266936]
"uTorrent"="C:\Program Files\uTorrent\uTorrent.exe" [2007-12-15 13:48 219952]
"scheduler_monitor"="C:\Program Files\ReaConverter 5.0 Pro\init_scheduler.exe" [2007-06-15 10:17 27136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2007-04-12 18:33 1006264]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 15:40 155648]
"BullGuard"="C:\Program Files\BullGuard Software\BullGuard\bullguard.exe" [2007-10-19 16:43 308552]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-09-12 05:28 86016]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-09-12 05:28 8497696]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-09-12 05:28 81920]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-03-22 14:29:22 113664]
Fenêtre d'état de Canon iR1200-1300.LNK - C:\Windows\System32\spool\drivers\w32x86\3\CAPM2LAK.EXE [2004-12-02 23:07:51 30720]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MessengerPlus3"="C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"MessengerPlus3"="C:\Program Files\MessengerPlus! 3\MsgPlus.exe"

R2 BdFileSpy;BullGuard File Monitor Driver;C:\Windows\system32\drivers\BdFileSpy.sys [2007-10-19 16:43]
R2 BsFileScan;BullGuard File Scan Service;C:\Windows\System32\svchost.exe [2006-11-02 10:45]
R2 RapidPortM2;RapidPortM2;C:\Windows\system32\Drivers\CAPM2LP.SYS [2002-08-07 16:00]
R3 camvid20;Philips ToUcam Camera; Video;C:\Windows\system32\DRIVERS\camdrv21.sys []
R3 Reconn;BullGuard Email Monitor;C:\Program Files\BullGuard Software\BullGuard\reconn.sys [2007-01-27 11:06]
R3 rt61x86;Linksys Wireless-G PCI Adapter Driver;C:\Windows\system32\DRIVERS\WMP54Gv41x86.sys [2007-03-12 10:00]
R3 RTL8169;Realtek 8169 NT Driver;C:\Windows\system32\DRIVERS\Rtlh86.sys [2006-11-02 08:30]
S3 libusb0;LibUsb-Win32 - Kernel Driver 11/20/2005, 20051120;C:\Windows\system32\DRIVERS\libusb0.sys [2007-05-11 00:12]
S3 rcp_service;ReaConverter scheduler service;C:\Program Files\ReaConverter 5.0 Pro\rcp_scheduler.exe [2007-11-30 11:27]
S3 Steam Client Service;Steam Client Service;C:\Program Files\Common Files\Steam\SteamService.exe [2007-12-05 20:48]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
BullGuard REG_MULTI_SZ BgMainSvc BsFileScan BsMailProxy

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\shell\AutoRun\command - G:\autoplay.exe

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-02 20:11:26
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Windows\system32\CAPM2RSK.EXE
C:\Program Files\BullGuard Software\BullGuard\BullGuardUpdate.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Creative\Shared Files\CTDevSrv.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\conime.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\System32\spool\drivers\w32x86\3\CAPM2SWK.EXE
C:\Windows\System32\rundll32.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\ehome\mcupdate.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2008-02-02 20:17:16 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-02 19:17:01
ComboFix2.txt 2008-02-02 17:54:02
.
2008-02-01 16:56:58 --- E O F ---



HIJACKTHIS LOGFILE :

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:17:58, on 2/02/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16575)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\BullGuard Software\BullGuard\BullGuard.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Windows\System32\spool\drivers\w32x86\3\CAPM2LAK.EXE
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\System32\spool\drivers\w32x86\3\CAPM2SWK.EXE
C:\Windows\System32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.17.239.253:8888->United States(anonymous)
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local;*.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [BullGuard] "C:\Program Files\BullGuard Software\BullGuard\bullguard.exe" -boot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [BullGuard] "C:\Program Files\BullGuard Software\BullGuard\bullguard.exe"
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\\Steam.exe -silent
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [scheduler_monitor] C:\Program Files\ReaConverter 5.0 Pro\init_scheduler.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Fenêtre d'état de Canon iR1200-1300.LNK = C:\Windows\System32\spool\drivers\w32x86\3\CAPM2LAK.EXE
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\Windows\system32\Shdocvw.dll
O13 - Gopher Prefix:
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zon...ro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zon...ss.cab57176.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....15031/CTPID.cab
O23 - Service: BullGuard LiveUpdate (BGLiveSvc) - BullGuard Software - C:\Program Files\BullGuard Software\BullGuard\BullGuardUpdate.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CT Device Query service (CTDevice_Srv) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTDevSrv.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: ReaConverter scheduler service (rcp_service) - ReaSoft - C:\Program Files\ReaConverter 5.0 Pro\rcp_scheduler.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe

--
End of file - 6066 bytes
#6 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)

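As an added example, not part of this thread and not a feature of HijackThis or ComboFix, the Python script below runs the first-pass checks a malware-removal helper applies to a HijackThis log like the one just posted: it parses the section-coded lines, flags a user-level Internet Explorer proxy that points at a non-private address (the R1 ProxyServer line above is 192.17.239.253:8888, a public address), flags entries HijackThis itself marks "(file missing)", and flags HKCU Run entries that launch from the user profile. The sample log is a constructed subset of the lines posted above plus one invented O4 line for ezpinst.exe (the file the CFScript removed, which had no Run entry in the posted log) so the profile check has something to fire on; the heuristics are my own assumptions about what to look at first, not a verdict on any entry.

```python
"""First-pass triage of a HijackThis 2.0 log.

Added example for this thread; the checks are assumptions about what a
helper looks at first, not a HijackThis or ComboFix feature.
"""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: lines copied from the HijackThis log posted above, plus
# ONE invented O4 line (ezpinst.exe, the file the CFScript removed) so that the
# user-profile check has something to fire on.  It was not in the posted log.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.17.239.253:8888->United States(anonymous)
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local;*.local
O4 - HKLM\..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe -hide
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [ezpinst] C:\Users\BVBA Naudts\AppData\Roaming\ezpinst.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O23 - Service: BullGuard LiveUpdate (BGLiveSvc) - BullGuard Software - C:\Program Files\BullGuard Software\BullGuard\BullGuardUpdate.exe
"""

# HijackThis prefixes every finding with a section code: R0/R1 (IE settings),
# O2 (BHOs), O4 (autoruns), O9 (IE buttons), O23 (services), and so on.
LINE_RE = re.compile(r"^(?P<code>[RFNO]\d+) - (?P<body>.*)$")

# Launch locations treated as "worth a look" for an autorun (assumption).
USER_WRITABLE = ("\\appdata\\", "\\temp\\")


def parse_hjt(text: str) -> List[Tuple[str, str]]:
    """Split a log into (section code, body) pairs; other lines are ignored."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def proxy_host(body: str) -> Optional[str]:
    """Return the proxy host from an R1 ProxyServer body, else None.

    Handles 'host:port', the per-protocol 'http=host:port;https=...' form,
    and strips the '->Country(anonymous)' annotation HijackThis appends.
    """
    if "ProxyServer" not in body or "=" not in body:
        return None
    value = body.split("=", 1)[1].strip().split("->", 1)[0].strip()
    first = value.split(";", 1)[0]
    if "=" in first:                      # e.g. http=10.0.0.5:3128
        first = first.split("=", 1)[1]
    host = first.rsplit(":", 1)[0] if ":" in first else first
    return host.strip() or None


def is_external(host: str) -> bool:
    """True when the proxy host is not loopback, private or link-local."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:                    # a hostname rather than an IP literal
        return host.lower() != "localhost"
    return not (ip.is_loopback or ip.is_private or ip.is_link_local)


def triage(text: str) -> Dict[str, List[str]]:
    """Group the entries a helper would question first."""
    findings: Dict[str, List[str]] = {
        "external_proxy": [],     # R1 ProxyServer pointing off the local network
        "orphaned": [],           # entries HijackThis marks '(file missing)'
        "profile_autorun": [],    # O4 Run entries launching from AppData/Temp
    }
    for code, body in parse_hjt(text):
        if code == "R1":
            host = proxy_host(body)
            if host and is_external(host):
                findings["external_proxy"].append(host)
        if "(file missing)" in body:
            findings["orphaned"].append(body)
        if code == "O4":
            command = body.split("] ", 1)[-1].lower()
            if any(marker in command for marker in USER_WRITABLE):
                findings["profile_autorun"].append(body)
    return findings


if __name__ == "__main__":
    for category, items in triage(SAMPLE_LOG).items():
        print(f"{category}: {len(items)}")
        for item in items:
            print("   ", item)
```

Run it against a full HijackThis log by replacing SAMPLE_LOG with the file's contents. A hit in any category is a prompt to look closer, not proof of infection: an orphaned entry is usually leftover from an uninstall, and a legitimate corporate proxy would also trip the external-proxy check on a work machine.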
I see that you have uTorrent installed and various other P2P programs.
Having P2P programs such as these raises the possibility of getting infected again.
See here for information on P2P programs.
I will leave it up to you if you want to remove them.
To remove them, simply uninstall them, then delete this folder: C:\Program Files\Program Name
===================================================================
Please do an online scan with Kaspersky WebScanner
(This scanner is for use with Internet Explorer only)
Click on "Accept"

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded, click on NEXT
  • Now click on Scan Settings
  • In the scan settings, make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available, otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under "Select a target to scan", select My Computer
  • The program will start and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete it will display whether your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

#7 Sven89 (Member, Topic Starter, 17 posts)

This is the log:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, February 03, 2008 1:46:59 AM
Operating System: Microsoft Windows Vista Home Edition, (Build 6000)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 2/02/2008
Kaspersky Anti-Virus database records: 546114
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
G:\
H:\
I:\
J:\
K:\

Scan Statistics:
Total number of scanned objects: 181666
Number of viruses found: 8
Number of infected objects: 16
Number of suspicious objects: 0
Duration of the scan process: 01:54:43

Infected Object Name / Virus Name / Last Action
C:\Boot\BCD Object is locked skipped
C:\Boot\BCD.LOG Object is locked skipped
C:\ProgramData\BullGuard\BgSupport.log Object is locked skipped
C:\ProgramData\BullGuard\BsFileScan.log Object is locked skipped
C:\ProgramData\BullGuard\BsMailProxy.log Object is locked skipped
C:\ProgramData\BullGuard\Logs\OnAccess.log Object is locked skipped
C:\ProgramData\BullGuard\Logs\OnAccessMail.log Object is locked skipped
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\10db17f1eda84b10df611f702b13b410_1600e04b-177b-4d1d-9264-2e58013c1a07 Object is locked skipped
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\fc1e3851f429ea606d6ff1e01a5229f1_1600e04b-177b-4d1d-9264-2e58013c1a07 Object is locked skipped
C:\QooBox\Quarantine\C\Windows\System32\andt.sys.vir Infected: Trojan-Downloader.Win32.Delf.eah skipped
C:\QooBox\Quarantine\C\Windows\System32\Indt2.sys.vir Infected: Trojan-Clicker.Win32.VB.vo skipped
C:\Users\BVBA Naudts\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat Object is locked skipped
C:\Users\BVBA Naudts\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012008020220080203\index.dat Object is locked skipped
C:\Users\BVBA Naudts\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012008020320080204\index.dat Object is locked skipped
C:\Users\BVBA Naudts\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat Object is locked skipped
C:\Users\BVBA Naudts\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012008020220080203\index.dat Object is locked skipped
C:\Users\BVBA Naudts\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Users\BVBA Naudts\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Users\BVBA Naudts\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat Object is locked skipped
C:\Users\BVBA Naudts\AppData\Local\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Users\BVBA Naudts\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1 Object is locked skipped
C:\Users\BVBA Naudts\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG2 Object is locked skipped
C:\Users\BVBA Naudts\AppData\Local\Microsoft\Windows\UsrClass.dat{0b3ba878-d7bc-11db-871f-001617d43325}.TM.blf Object is locked skipped
C:\Users\BVBA Naudts\AppData\Local\Microsoft\Windows\UsrClass.dat{0b3ba878-d7bc-11db-871f-001617d43325}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
C:\Users\BVBA Naudts\AppData\Local\Microsoft\Windows\UsrClass.dat{0b3ba878-d7bc-11db-871f-001617d43325}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
C:\Users\BVBA Naudts\AppData\Local\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Users\BVBA Naudts\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT Object is locked skipped
C:\Users\BVBA Naudts\AppData\Local\Microsoft\Messenger\[email protected]\SharingMetadata\Logs\Dfsr00005.log Object is locked skipped
C:\Users\BVBA Naudts\AppData\Local\Microsoft\Messenger\[email protected]\SharingMetadata\pending.dat Object is locked skipped
C:\Users\BVBA Naudts\AppData\Local\Microsoft\Messenger\[email protected]\SharingMetadata\Working\database_B084_827C_8482_44B6\dfsr.db Object is locked skipped
C:\Users\BVBA Naudts\AppData\Local\Microsoft\Messenger\[email protected]\SharingMetadata\Working\database_B084_827C_8482_44B6\fsr.log Object is locked skipped
C:\Users\BVBA Naudts\AppData\Local\Microsoft\Messenger\[email protected]\SharingMetadata\Working\database_B084_827C_8482_44B6\fsrtmp.log Object is locked skipped
C:\Users\BVBA Naudts\AppData\Local\Microsoft\Messenger\[email protected]\SharingMetadata\Working\database_B084_827C_8482_44B6\tmp.edb Object is locked skipped
C:\Users\BVBA Naudts\AppData\Local\Microsoft\Windows Defender\FileTracker\{B7A981D6-0FD3-4EFD-9276-43BC916F0A97} Object is locked skipped
C:\Users\BVBA Naudts\AppData\Local\Microsoft\Windows Live Contacts\[email protected]\real\members.stg Object is locked skipped
C:\Users\BVBA Naudts\AppData\Local\Microsoft\Windows Live Contacts\[email protected]\shadow\members.stg Object is locked skipped
C:\Users\BVBA Naudts\AppData\Local\Microsoft\Windows Sidebar\Settings.ini Object is locked skipped
C:\Users\BVBA Naudts\AppData\Local\Ahead\Nero Home\bl.db Object is locked skipped
C:\Users\BVBA Naudts\AppData\Local\Ahead\Nero Home\is2.db Object is locked skipped
C:\Users\BVBA Naudts\AppData\Local\Temp\tmp00002f3e\tmp00000000 Object is locked skipped
C:\Users\BVBA Naudts\AppData\Local\Temp\~DF456B.tmp Object is locked skipped
C:\Users\BVBA Naudts\AppData\Local\Temp\~DF4572.tmp Object is locked skipped
C:\Users\BVBA Naudts\AppData\Local\Temp\~DF6C49.tmp Object is locked skipped
C:\Users\BVBA Naudts\AppData\Local\Temp\~DF6C50.tmp Object is locked skipped
C:\Users\BVBA Naudts\AppData\Roaming\Microsoft\Windows\Cookies\index.dat Object is locked skipped
C:\Users\BVBA Naudts\AppData\Roaming\Microsoft\Windows\Cookies\Low\index.dat Object is locked skipped
C:\Users\BVBA Naudts\Desktop\Downloads\Virtual Dj_Crack By Dj Nilo\Virtual Dj 4.3 + Crack By Dj Nilo.exe Infected: Trojan.Win32.Chifrax.a skipped
C:\Users\BVBA Naudts\Documents\Mijn ontvangen bestanden\lcapi0.log Object is locked skipped
C:\Users\BVBA Naudts\Documents\Mijn ontvangen bestanden\MsnMsgr.txt Object is locked skipped
C:\Users\BVBA Naudts\Documents\Mijn ontvangen bestanden\Transport0.log Object is locked skipped
C:\Users\BVBA Naudts\NTUSER.DAT Object is locked skipped
C:\Users\BVBA Naudts\ntuser.dat.LOG1 Object is locked skipped
C:\Users\BVBA Naudts\ntuser.dat.LOG2 Object is locked skipped
C:\Users\BVBA Naudts\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TM.blf Object is locked skipped
C:\Users\BVBA Naudts\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
C:\Users\BVBA Naudts\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
C:\Windows\Debug\PASSWD.LOG Object is locked skipped
C:\Windows\Debug\sam.log Object is locked skipped
C:\Windows\Debug\WIA\wiatrace.log Object is locked skipped
C:\Windows\Logs\CBS\CBS.log Object is locked skipped
C:\Windows\Logs\CBS\CBS.persist.log Object is locked skipped
C:\Windows\Logs\DPX\setupact.log Object is locked skipped
C:\Windows\Logs\DPX\setuperr.log Object is locked skipped
C:\Windows\MEMORY.DMP Object is locked skipped
C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe.config Object is locked skipped
C:\Windows\Panther\UnattendGC\diagerr.xml Object is locked skipped
C:\Windows\Panther\UnattendGC\diagwrn.xml Object is locked skipped
C:\Windows\Panther\UnattendGC\setupact.log Object is locked skipped
C:\Windows\Panther\UnattendGC\setuperr.log Object is locked skipped
C:\Windows\security\database\secedit.sdb Object is locked skipped
C:\Windows\SoftwareDistribution\EventCache\{4081D39E-7506-47BA-9CA8-7FD5C9F2999B}.bin Object is locked skipped
C:\Windows\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0 Object is locked skipped
C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0 Object is locked skipped
C:\Windows\System32\catroot2\edb.log Object is locked skipped
C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb Object is locked skipped
C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb Object is locked skipped
C:\Windows\System32\config\COMPONENTS Object is locked skipped
C:\Windows\System32\config\COMPONENTS.LOG1 Object is locked skipped
C:\Windows\System32\config\COMPONENTS.LOG2 Object is locked skipped
C:\Windows\System32\config\DEFAULT Object is locked skipped
C:\Windows\System32\config\DEFAULT.LOG1 Object is locked skipped
C:\Windows\System32\config\DEFAULT.LOG2 Object is locked skipped
C:\Windows\System32\config\SAM Object is locked skipped
C:\Windows\System32\config\SAM.LOG1 Object is locked skipped
C:\Windows\System32\config\SAM.LOG2 Object is locked skipped
C:\Windows\System32\config\SECURITY Object is locked skipped
C:\Windows\System32\config\SECURITY.LOG1 Object is locked skipped
C:\Windows\System32\config\SECURITY.LOG2 Object is locked skipped
C:\Windows\System32\config\SOFTWARE Object is locked skipped
C:\Windows\System32\config\SOFTWARE.LOG1 Object is locked skipped
C:\Windows\System32\config\SOFTWARE.LOG2 Object is locked skipped
C:\Windows\System32\config\SYSTEM Object is locked skipped
C:\Windows\System32\config\SYSTEM.LOG1 Object is locked skipped
C:\Windows\System32\config\SYSTEM.LOG2 Object is locked skipped
C:\Windows\System32\config\TxR\{250834b7-750c-494d-bdc3-da86b6e2101a}.TxR.0.regtrans-ms Object is locked skipped
C:\Windows\System32\config\TxR\{250834b7-750c-494d-bdc3-da86b6e2101a}.TxR.1.regtrans-ms Object is locked skipped
C:\Windows\System32\config\TxR\{250834b7-750c-494d-bdc3-da86b6e2101a}.TxR.2.regtrans-ms Object is locked skipped
C:\Windows\System32\config\TxR\{250834b7-750c-494d-bdc3-da86b6e2101a}.TxR.blf Object is locked skipped
C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TM.blf Object is locked skipped
C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
C:\Windows\System32\drivers\sptd.sys Object is locked skipped
C:\Windows\System32\LogFiles\Scm\SCM.EVM Object is locked skipped
C:\Windows\System32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\Windows\System32\msspa.exe Infected: Trojan-Downloader.Win32.Delf.czg skipped
C:\Windows\System32\mst.tmp Infected: Trojan-Downloader.Win32.Delf.czg skipped
C:\Windows\System32\ndt2.sys Infected: Trojan-Downloader.Win32.Delf.eah skipped
C:\Windows\System32\perfs.exe.old613295 Infected: Trojan-Downloader.Win32.Agent.gcx skipped
C:\Windows\System32\restore\MachineGuid.txt Object is locked skipped
C:\Windows\System32\spool\SpoolerETW.etl Object is locked skipped
C:\Windows\System32\tmp0_22173540868.bk Infected: Trojan-Downloader.Win32.Delf.dxh skipped
C:\Windows\System32\tmp0_228251660929.bk Infected: Trojan-Downloader.Win32.Delf.dvf skipped
C:\Windows\System32\tmp0_31863192069.bk Infected: Trojan-Downloader.Win32.Delf.dvf skipped
C:\Windows\System32\tmp0_319318182916.bk Infected: Trojan-Downloader.Win32.Delf.dvf skipped
C:\Windows\System32\tmp0_32855130699.bk Infected: Trojan-Downloader.Win32.Delf.dvf skipped
C:\Windows\System32\tmp0_47913357.bk Infected: Trojan-Downloader.Win32.Delf.dsx skipped
C:\Windows\System32\tmp0_532974475743.bk Infected: Trojan-Downloader.Win32.Delf.dvf skipped
C:\Windows\System32\wbem\AutoRecover\3460B7617E0429A960E481B197F238A3.mof Object is locked skipped
C:\Windows\System32\wbem\Logs\WMITracing.log Object is locked skipped
C:\Windows\System32\wbem\Repository\INDEX.BTR Object is locked skipped
C:\Windows\System32\wbem\Repository\MAPPING1.MAP Object is locked skipped
C:\Windows\System32\wbem\Repository\MAPPING2.MAP Object is locked skipped
C:\Windows\System32\wbem\Repository\OBJECTS.DATA Object is locked skipped
C:\Windows\System32\winevt\Logs\Application.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\DFS Replication.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\HardwareEvents.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Internet Explorer.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Key Management Service.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Media Center.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Bits-Client%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-CodeIntegrity%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnosis-PLA%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnostics-Networking%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-DiskDiagnosticDataCollector%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-DriverFrameworks-UserMode%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-GroupPolicy%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Help%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-International%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-WHEA.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-LanguagePackSetup%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-MUI%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-NetworkAccessProtection%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-ParentalControls%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Program-Compatibility-Assistant%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-ReadyBoost%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-ReliabilityAnalysisComponent%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Resource-Exhaustion-Resolver%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Resource-Leak-Diagnostic%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-RestartManager%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-TaskScheduler%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-UAC%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-WindowsUpdateClient%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-WLAN-AutoConfig%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Security.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Setup.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\System.evtx Object is locked skipped
C:\Windows\Tasks\SCHEDLGU.TXT Object is locked skipped
C:\Windows\Temp\tmp00002f3e\tmp00000000 Object is locked skipped
C:\Windows\WindowsUpdate.log Object is locked skipped
C:\Windows\winsxs\x86_microsoft-windows-n..n_service_datastore_31bf3856ad364e35_6.0.6000.16386_none_cef7ceb03914a67f\dnary.xsd Object is locked skipped
D:\Downloaded\Virtual Dj_Crack By Dj Nilo.rar/Virtual Dj_Crack By Dj Nilo/Virtual Dj 4.3 + Crack By Dj Nilo.exe Infected: Trojan.Win32.Chifrax.a skipped
D:\Downloaded\Virtual Dj_Crack By Dj Nilo.rar RAR: infected - 1 skipped

Scan process completed.
  • 0

#8
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\Windows\System32\tmp0_532974475743.bk 
C:\Windows\System32\tmp0_47913357.bk
C:\Windows\System32\tmp0_32855130699.bk
C:\Windows\System32\tmp0_22173540868.bk
C:\Windows\System32\tmp0_228251660929.bk
C:\Windows\System32\tmp0_31863192069.bk
C:\Windows\System32\tmp0_319318182916.bk
C:\Windows\System32\msspa.exe 
C:\Windows\System32\mst.tmp
C:\Windows\System32\ndt2.sys 
C:\Windows\System32\perfs.exe.old613295 
C:\Windows\System32\perfs.exe
Folder::
D:\Downloaded\Virtual Dj_Crack By Dj Nilo.rar


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

  • 0
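The CFScript kahdah posted above maps one-to-one onto the "Infected:" lines of the Kaspersky scan log (each infected file under File::, the infected archive under Folder::), while the "Object is locked" lines are in-use system files, not detections, and stay out of the script. As an added example that is not part of this thread, of ComboFix or of Kaspersky, the Python below does that mapping automatically: it classifies each scan-log line, collapses an infected archive member onto its container archive, de-duplicates, and renders a CFScript in the same layout kahdah used. The sample lines are copied from the log above, with one line deliberately repeated to exercise de-duplication; the regular expressions assume exactly the line shapes seen in this log, which is an assumption of the example.

```python
import re

# Sample input: lines copied from the Kaspersky scan log above, with one line
# deliberately repeated (constructed) so that de-duplication is exercised.
SAMPLE_SCAN_LOG = r"""
C:\Windows\System32\mst.tmp Infected: Trojan-Downloader.Win32.Delf.czg skipped
C:\Windows\System32\ndt2.sys Infected: Trojan-Downloader.Win32.Delf.eah skipped
C:\Windows\System32\restore\MachineGuid.txt Object is locked skipped
C:\Windows\System32\tmp0_47913357.bk Infected: Trojan-Downloader.Win32.Delf.dsx skipped
C:\Windows\System32\tmp0_47913357.bk Infected: Trojan-Downloader.Win32.Delf.dsx skipped
D:\Downloaded\Virtual Dj_Crack By Dj Nilo.rar/Virtual Dj_Crack By Dj Nilo/Virtual Dj 4.3 + Crack By Dj Nilo.exe Infected: Trojan.Win32.Chifrax.a skipped
D:\Downloaded\Virtual Dj_Crack By Dj Nilo.rar RAR: infected - 1 skipped

Scan process completed.
"""

# Line shapes exactly as they appear in this log (assumption: the scanner emits no others).
LOCKED_RE = re.compile(r"^(?P<path>.+?) Object is locked skipped$")
ARCHIVE_RE = re.compile(r"^(?P<path>.+?) [A-Z0-9]+: infected - \d+ skipped$")
INFECTED_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) skipped$")
# A member inside an archive is reported as "<archive>/<member>"; Windows paths
# never contain "/", so the first ".rar/" (etc.) marks the container boundary.
MEMBER_RE = re.compile(r"^(?P<container>.+?\.(?:rar|zip|7z|cab))/.+$", re.IGNORECASE)


def parse_scan_log(text):
    """Classify scan-log lines into deletable files, infected archives and
    locked (in-use) objects. Each list is de-duplicated with order preserved."""
    files, archives, locked = {}, {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LOCKED_RE.match(line)
        if m:
            locked[m.group("path")] = None      # in-use system file, not a detection
            continue
        m = ARCHIVE_RE.match(line)
        if m:
            archives[m.group("path")] = None    # summary line for an infected archive
            continue
        m = INFECTED_RE.match(line)
        if m:
            path = m.group("path")
            inner = MEMBER_RE.match(path)
            if inner:
                # the member cannot be deleted on its own; target the container
                archives[inner.group("container")] = None
            else:
                files[path] = None
    return {"files": list(files), "archives": list(archives), "locked": list(locked)}


def build_cfscript(parsed):
    """Render the File:: section and, matching the layout of the script posted
    above, a Folder:: section for infected archives. Locked objects are never
    written into the script."""
    lines = ["File::"] + parsed["files"]
    if parsed["archives"]:
        lines += ["Folder::"] + parsed["archives"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    result = parse_scan_log(SAMPLE_SCAN_LOG)
    print(build_cfscript(result))
    for path in result["locked"]:
        print("not scripted (locked, in use):", path)
```

The generated script should be compared line by line with the helper's own before it is dragged onto ComboFix; the locked entries are reported separately precisely so that nobody pastes a locked system file into a deletion list.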

#9
Sven89

Sven89

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
Hi,

These are the logs this time:

COMBOFIX LOG:

ComboFix 08-02.02.5 - BVBA Naudts 2008-02-03 2:43:27.3 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1043.18.1140 [GMT 1:00]
Gestart vanuit: C:\Users\BVBA Naudts\Desktop\ComboFix.exe
Command switches used :: C:\Users\BVBA Naudts\Desktop\CFScript.txt
* Nieuw herstelpunt werd aangemaakt

FILE
C:\Windows\System32\msspa.exe
C:\Windows\System32\mst.tmp
C:\Windows\System32\ndt2.sys
C:\Windows\System32\perfs.exe
C:\Windows\System32\perfs.exe.old613295
C:\Windows\System32\tmp0_22173540868.bk
C:\Windows\System32\tmp0_228251660929.bk
C:\Windows\System32\tmp0_31863192069.bk
C:\Windows\System32\tmp0_319318182916.bk
C:\Windows\System32\tmp0_32855130699.bk
C:\Windows\System32\tmp0_47913357.bk
C:\Windows\System32\tmp0_532974475743.bk
.

(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Windows\System32\msspa.exe
C:\Windows\System32\mst.tmp
C:\Windows\System32\ndt2.sys
C:\Windows\System32\perfs.exe.old613295
C:\Windows\System32\tmp0_22173540868.bk
C:\Windows\System32\tmp0_228251660929.bk
C:\Windows\System32\tmp0_31863192069.bk
C:\Windows\System32\tmp0_319318182916.bk
C:\Windows\System32\tmp0_32855130699.bk
C:\Windows\System32\tmp0_47913357.bk
C:\Windows\System32\tmp0_532974475743.bk
D:\Downloaded\Virtual Dj_Crack By Dj Nilo.rar\

.
(((((((((((((((((((( Bestanden Gemaakt van 2008-01-03 to 2008-02-03 ))))))))))))))))))))))))))))))
.

Geen nieuwe bestanden aangemaakt in deze periode

.
((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-03 01:43 --------- d-----w C:\Users\BVBA Naudts\AppData\Roaming\uTorrent
2008-02-02 21:01 --------- d-----w C:\Users\BVBA Naudts\AppData\Roaming\Vso
2008-02-02 19:17 6,736 ----a-w C:\Windows\system32\drivers\PROCEXP90.SYS
2008-02-02 19:11 --------- d-----w C:\ProgramData\BullGuard
2008-02-01 20:56 --------- d-----w C:\Program Files\Picture Resize Genius
2008-02-01 20:55 --------- d-----w C:\Program Files\PartyGaming
2008-02-01 20:52 --------- d-----w C:\Program Files\Secret Maryo Chronicles
2008-02-01 20:48 --------- d-----w C:\Program Files\Total Video Converter
2008-01-27 18:03 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-27 12:33 --------- d-----w C:\Users\BVBA Naudts\AppData\Roaming\MegauploadToolbar
2008-01-27 12:33 --------- d-----w C:\Program Files\MegauploadToolbar
2008-01-22 17:25 --------- d-----w C:\Users\BVBA Naudts\AppData\Roaming\RCP 5
2008-01-22 17:18 --------- d-----w C:\Program Files\ReaConverter 5.0 Pro
2008-01-21 20:34 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-20 23:19 --------- d-----w C:\Program Files\ElcomSoft
2008-01-20 23:17 --------- d-----w C:\Program Files\RAR Password Cracker
2008-01-16 23:43 --------- d-----w C:\Users\BVBA Naudts\AppData\Roaming\Wormux
2008-01-16 23:30 --------- d-----w C:\Users\BVBA Naudts\AppData\Roaming\smc
2008-01-14 17:30 --------- d---a-w C:\ProgramData\TEMP
2008-01-14 16:48 --------- d-----w C:\Program Files\NoAdware5.0
2008-01-13 21:57 --------- d-----w C:\Program Files\Audacity
2008-01-12 20:14 --------- d-----w C:\Program Files\LSoft Technologies
2008-01-10 22:22 --------- d-----w C:\Program Files\Windows Sidebar
2008-01-10 22:22 --------- d-----w C:\Program Files\Windows Mail
2008-01-10 20:16 --------- d-----w C:\ProgramData\FLEXnet
2008-01-10 16:22 802,816 ----a-w C:\Windows\system32\drivers\tcpip.sys
2008-01-10 16:22 24,064 ----a-w C:\Windows\System32\netcfg.exe
2008-01-10 16:22 22,016 ----a-w C:\Windows\System32\netiougc.exe
2008-01-10 16:22 216,760 ----a-w C:\Windows\system32\drivers\netio.sys
2008-01-10 16:22 167,424 ----a-w C:\Windows\System32\tcpipcfg.dll
2008-01-10 16:21 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-01-10 16:21 449,024 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-01-10 16:21 4,247,552 ----a-w C:\Windows\System32\GameUXLegacyGDFs.dll
2008-01-10 16:21 2,143,744 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-01-10 16:21 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-01-10 16:21 1,686,016 ----a-w C:\Windows\System32\gameux.dll
2008-01-10 16:20 45,112 ----a-w C:\Windows\system32\drivers\pciidex.sys
2008-01-10 16:20 211,000 ----a-w C:\Windows\system32\drivers\volsnap.sys
2008-01-10 16:20 21,560 ----a-w C:\Windows\system32\drivers\atapi.sys
2008-01-10 16:20 17,464 ----a-w C:\Windows\system32\drivers\intelide.sys
2008-01-10 16:20 154,624 ----a-w C:\Windows\system32\drivers\nwifi.sys
2008-01-10 16:20 15,928 ----a-w C:\Windows\system32\drivers\pciide.sys
2008-01-10 16:20 11,776 ----a-w C:\Windows\System32\sbunattend.exe
2008-01-10 16:20 109,624 ----a-w C:\Windows\system32\drivers\ataport.sys
2008-01-10 16:20 1,060,920 ----a-w C:\Windows\system32\drivers\ntfs.sys
2008-01-09 14:35 --------- d-----w C:\Program Files\ParallelGraphics
2008-01-09 14:35 --------- d-----w C:\Program Files\Common Files\ParallelGraphics
2008-01-09 14:30 --------- d-----w C:\Program Files\Room Arranger
2007-12-23 23:48 --------- d-----w C:\ProgramData\NVIDIA
2007-12-23 10:59 --------- d-----w C:\Program Files\SpeeDefrag
2007-12-21 15:24 --------- d-----w C:\Program Files\MSN Messenger
2007-12-21 15:24 --------- d-----w C:\Program Files\Messenger Plus! Live
2007-12-16 17:40 86,016 ----a-w C:\Windows\System32\OpenAL32.dll
2007-12-16 17:40 262,144 ----a-w C:\Windows\System32\wrap_oal.dll
2007-12-15 20:31 --------- d-----w C:\Program Files\Agogo Video to iPod PSP 3GP Xbox PPC PDA MP4
2007-12-15 14:24 --------- d-----w C:\Program Files\BitTorrent
2007-12-15 12:48 --------- d-----w C:\Program Files\uTorrent
2007-12-15 00:09 --------- d-----w C:\Users\BVBA Naudts\AppData\Roaming\BitTorrent
2007-12-13 14:19 --------- d-----w C:\Program Files\Real
2007-12-13 14:19 --------- d-----w C:\Program Files\Philips ToUcam Camera
2007-12-13 14:19 --------- d-----w C:\Program Files\Common Files\Real
2007-12-13 07:31 1,327,104 ----a-w C:\Windows\System32\quartz.dll
2007-12-13 07:30 9,728 ----a-w C:\Windows\System32\LAPRXY.DLL
2007-12-13 07:30 223,232 ----a-w C:\Windows\System32\WMASF.DLL
2007-12-13 07:29 824,832 ----a-w C:\Windows\System32\wininet.dll
2007-12-13 07:29 56,320 ----a-w C:\Windows\System32\iesetup.dll
2007-12-13 07:29 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
2007-12-13 07:29 26,624 ----a-w C:\Windows\System32\ieUnatt.exe
2007-12-13 07:28 84,992 ----a-w C:\Windows\system32\drivers\srvnet.sys
2007-12-13 07:28 58,368 ----a-w C:\Windows\system32\drivers\mrxsmb20.sys
2007-12-13 07:28 130,048 ----a-w C:\Windows\system32\drivers\srv2.sys
2007-12-13 07:28 101,888 ----a-w C:\Windows\system32\drivers\mrxsmb.sys
2007-12-13 07:26 3,504,824 ----a-w C:\Windows\System32\ntkrnlpa.exe
2007-12-13 07:26 3,470,520 ----a-w C:\Windows\System32\ntoskrnl.exe
2007-12-12 22:23 --------- d-----w C:\Program Files\Screen Recorder
2007-12-12 21:27 --------- d-----w C:\Program Files\Common Files\sndm360
2007-12-12 21:14 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-12-12 13:34 --------- d-----w C:\Program Files\steam
2007-12-11 15:26 --------- d-----w C:\Program Files\Common Files\Steam
2007-12-09 00:27 --------- d-----w C:\Users\BVBA Naudts\AppData\Roaming\Media Player Classic
2007-12-07 21:01 --------- d-----w C:\Users\BVBA Naudts\AppData\Roaming\dvdcss
2007-12-06 00:00 --------- d-----w C:\Program Files\Foto Nelissen Viewer
2007-11-18 07:51 1,244,672 ----a-w C:\Windows\System32\mcmde.dll
2007-11-16 11:56 704,000 ----a-w C:\Windows\System32\PhotoScreensaver.scr
2007-11-16 11:56 67,584 ----a-w C:\Windows\System32\wlanhlp.dll
2007-11-16 11:56 542,720 ----a-w C:\Windows\System32\sysmain.dll
2007-11-16 11:56 502,784 ----a-w C:\Windows\System32\wlansvc.dll
2007-11-16 11:56 47,104 ----a-w C:\Windows\System32\wlanapi.dll
2007-11-16 11:56 297,984 ----a-w C:\Windows\System32\wlansec.dll
2007-11-16 11:56 290,816 ----a-w C:\Windows\System32\wlanmsm.dll
2007-11-16 11:56 24,064 ----a-w C:\Windows\System32\wtsapi32.dll
2007-11-16 11:56 2,923,520 ----a-w C:\Windows\explorer.exe
2007-11-16 11:56 2,027,008 ----a-w C:\Windows\System32\win32k.sys
2007-11-16 11:53 8,704 ----a-w C:\Windows\System32\hcrstco.dll
2007-11-16 11:53 8,704 ----a-w C:\Windows\System32\hccoin.dll
2007-08-31 12:10 174 --sha-w C:\Program Files\desktop.ini
2007-08-07 14:54 47,360 ----a-w C:\Users\BVBA Naudts\AppData\Roaming\pcouffin.sys
.

((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-10 17:20 1232896]
"BullGuard"="C:\Program Files\BullGuard Software\BullGuard\bullguard.exe" [2007-10-19 16:43 308552]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2006-11-02 13:35 125440]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-12-23 18:05 143360]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 11:54 5674352]
"Steam"="C:\Program Files\Valve\Steam\\Steam.exe" [2007-12-05 20:47 1266936]
"uTorrent"="C:\Program Files\uTorrent\uTorrent.exe" [2007-12-15 13:48 219952]
"scheduler_monitor"="C:\Program Files\ReaConverter 5.0 Pro\init_scheduler.exe" [2007-06-15 10:17 27136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2007-04-12 18:33 1006264]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 15:40 155648]
"BullGuard"="C:\Program Files\BullGuard Software\BullGuard\bullguard.exe" [2007-10-19 16:43 308552]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-09-12 05:28 86016]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-09-12 05:28 8497696]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-09-12 05:28 81920]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-03-22 14:29:22 113664]
Fenêtre d'état de Canon iR1200-1300.LNK - C:\Windows\System32\spool\drivers\w32x86\3\CAPM2LAK.EXE [2004-12-02 23:07:51 30720]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MessengerPlus3"="C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"MessengerPlus3"="C:\Program Files\MessengerPlus! 3\MsgPlus.exe"

R2 BdFileSpy;BullGuard File Monitor Driver;C:\Windows\system32\drivers\BdFileSpy.sys [2007-10-19 16:43]
R2 BsFileScan;BullGuard File Scan Service;C:\Windows\System32\svchost.exe [2006-11-02 10:45]
R2 RapidPortM2;RapidPortM2;C:\Windows\system32\Drivers\CAPM2LP.SYS [2002-08-07 16:00]
R3 camvid20;Philips ToUcam Camera; Video;C:\Windows\system32\DRIVERS\camdrv21.sys []
R3 Reconn;BullGuard Email Monitor;C:\Program Files\BullGuard Software\BullGuard\reconn.sys [2007-01-27 11:06]
R3 rt61x86;Linksys Wireless-G PCI Adapter Driver;C:\Windows\system32\DRIVERS\WMP54Gv41x86.sys [2007-03-12 10:00]
R3 RTL8169;Realtek 8169 NT Driver;C:\Windows\system32\DRIVERS\Rtlh86.sys [2006-11-02 08:30]
S3 libusb0;LibUsb-Win32 - Kernel Driver 11/20/2005, 20051120;C:\Windows\system32\DRIVERS\libusb0.sys [2007-05-11 00:12]
S3 rcp_service;ReaConverter scheduler service;C:\Program Files\ReaConverter 5.0 Pro\rcp_scheduler.exe [2007-11-30 11:27]
S3 Steam Client Service;Steam Client Service;C:\Program Files\Common Files\Steam\SteamService.exe [2007-12-05 20:48]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
BullGuard REG_MULTI_SZ BgMainSvc BsFileScan BsMailProxy

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\shell\AutoRun\command - G:\autoplay.exe

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-03 02:48:07
Windows 6.0.6000 NTFS

scannen van verborgen processen ...

scannen van verborgen autostart items ...

scannen van verborgen bestanden ...

Scan succesvol afgerond
verborgen bestanden: 0

**************************************************************************
.
Voltooingstijd: 2008-02-03 2:49:08
ComboFix-quarantined-files.txt 2008-02-03 01:49:04
ComboFix2.txt 2008-02-02 19:17:17
ComboFix3.txt 2008-02-02 17:54:02
.
2008-02-01 16:56:58 --- E O F ---


HIJACKTHIS LOG

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:50:26, on 3/02/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16575)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\BullGuard Software\BullGuard\BullGuard.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Windows\System32\spool\drivers\w32x86\3\CAPM2LAK.EXE
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\System32\spool\drivers\w32x86\3\CAPM2SWK.EXE
C:\Windows\System32\mobsync.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\conime.exe
C:\Windows\explorer.exe
C:\Windows\system32\notepad.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.17.239.253:8888->United States(anonymous)
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local;*.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [BullGuard] "C:\Program Files\BullGuard Software\BullGuard\bullguard.exe" -boot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [BullGuard] "C:\Program Files\BullGuard Software\BullGuard\bullguard.exe"
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\\Steam.exe -silent
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [scheduler_monitor] C:\Program Files\ReaConverter 5.0 Pro\init_scheduler.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Fenêtre d'état de Canon iR1200-1300.LNK = C:\Windows\System32\spool\drivers\w32x86\3\CAPM2LAK.EXE
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\Windows\system32\Shdocvw.dll
O13 - Gopher Prefix:
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zon...ro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zon...ss.cab57176.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....15031/CTPID.cab
O23 - Service: BullGuard LiveUpdate (BGLiveSvc) - BullGuard Software - C:\Program Files\BullGuard Software\BullGuard\BullGuardUpdate.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CT Device Query service (CTDevice_Srv) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTDevSrv.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: ReaConverter scheduler service (rcp_service) - ReaSoft - C:\Program Files\ReaConverter 5.0 Pro\rcp_scheduler.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe

--
End of file - 6622 bytes
  • 0

#10
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Time for some housekeeping
  • Click START, then in the Search box type RUN and click on the Run program that shows up. (It should be a little box.)
  • Now type Combofix /u in the Run box and click OK.


    • Posted Image

    The above procedure will:
  • Delete the following:
    • ComboFix and its associated files and folders.
    • VundoFix backups, if present
    • The C:\Deckard folder, if present
    • The C:\_OtMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Clean System Restore points.

Also delete anything that we used that is left over.

Don't forget: to stop that blue screen, I would uninstall your Linksys wireless adapter software.

After that, your log is clean. :)

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein ->Here
  • 0

#11
Sven89

Sven89

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
All right, thanks a lot, my friend!

I will be deleting uTorrent and the Linksys drivers later on, and also I will be donating to you for helping me! Thanks a lot again.
  • 0

#12
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
You are welcome and thank you as well.

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0

#13
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0





