Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Spring cleaning! [RESOLVED]

Started by Rotgeur , Feb 23 2008 06:49 AM

This topic is locked

#1
Rotgeur

Posted 23 February 2008 - 06:49 AM

Member

Member
23 posts

Hey guys,

My sister's PC was running strange and kept popping up sites, so she figured it was infected with some malware. She asked me to get rid of it, but I haven't found what specificly is the problem. So I thought I'd ask you guys. I'll post a HijackThis!-log here, so could you please help me clean up a bit?

Thanks in advance!
-------------------------------------------------------------------------------
HijackThis!-log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:42:09, on 23-2-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\InterVideo\Common\bin\WinCinemaMgr.exe
C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\PROGRA~1\CASEMA~1\SMARTB~1\MotiveSB.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\BTSetBootKey.exe
C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
C:\WINDOWS\System32\Rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Casema SnelHelp\bin\mpbtn.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\Extended Systems\XTNDConnect Blue Manager\XTNDConnect Blue Manager\XCBluMgr.exe
C:\PROGRA~1\EXTEND~1\XTNDCO~1\XTNDCO~1\SUSHIM~1.EXE
C:\Program Files\Extended Systems\XTNDConnect Blue Manager\btprot.exe
C:\PROGRA~1\EXTEND~1\XTNDCO~1\XTNDCO~1\BTUI_M~1.EXE
C:\Program Files\Java\jre1.5.0_08\bin\jucheck.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
F:\Thuis\Programma's\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://klant.casema.nl/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.nl/0SEN...S01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.nl/0SEN...S01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {13906623-E807-4FBA-BFCE-FC849060B7DD} - C:\WINDOWS\system32\asycfil.dll
O2 - BHO: ohb - {5ED7D3DE-6DBE-4516-8712-01B1B64B7057} - C:\WINDOWS\system32\UpMedia\ContentTool.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Mirar - {9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\system32\version69ie7fix.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: AD Bot - {BCBCEE7B-2001-4971-B991-EB6E81C96CC5} - C:\WINDOWS\system32\adspipe.dll
O2 - BHO: Hoja Class - {C07F60AC-688D-4F3E-89EC-30B281BDD2CC} - C:\WINDOWS\system32\asclemca.dll
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Mirar - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\system32\version69ie7fix.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [WinCinemaMgr] "C:\Program Files\InterVideo\Common\bin\WinCinemaMgr.exe"
O4 - HKLM\..\Run: [Home Theater SchSvr] "C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\CASEMA~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [BTUSRBDG] BtUsrBdg.exe
O4 - HKLM\..\Run: [BTSETBOOTKEY] BTSetBootKey.exe
O4 - HKLM\..\Run: [Ulead AutoDetector] C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
O4 - HKLM\..\Run: [adstart] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\adspipe.dll" DllVerify
O4 - HKLM\..\Run: [hid_start] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\adspipe.dll" DllVerify
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Chckup] C:\WINDOWS\system32\Netverchk.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [LifeCU] C:\WINDOWS\system32\BastaYa.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Netwerkservice')
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - Startup: Microsoft Office Snelzoeken.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Opstarten.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Casema SnelHelp.lnk = C:\Program Files\Casema SnelHelp\bin\matcli.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Startup.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.appl...ex/qtplugin.cab
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://cdn.driveclea...nerstart_nl.cab
O16 - DPF: {34DC6011-88B5-4EA9-BA7A-DC7B4F4437FE} (JordanUploader Class) - http://foto.hema.nl/...ects/jordan.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zon...wn.cab56986.cab
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://locator1.cdn....easeInstall.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.co...aploader_v6.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Bonjour-service (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod-service (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Planner voor Automatische LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 10739 bytes

#2
kahdah

Posted 23 February 2008 - 08:05 AM

GeekU Teacher

Retired Staff
15,822 posts

Hello Rotgeur

Welcome to G2Go.

==================
The first thing I will need you to do is to Download this anti-virus program and install it.
This is free.
AVG free
========================
Download ComboFix from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall

#3
Rotgeur

Posted 23 February 2008 - 08:52 AM

Member

Topic Starter
Member
23 posts

Installed AVG and updated it. It immediately found some infections, but I haven't done anything with it so far because maybe you needed these scans first. First is the ComboFix-log, then the HijackThis!-log.

ComboFix-log:

ComboFix 08-02-23.2 - Eigenaar 2008-02-23 15:39:28.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1043.18.145 [GMT 1:00]
Gestart vanuit: C:\Documents and Settings\Eigenaar.ELLES\Bureaublad\ComboFix.exe
* Nieuw herstelpunt werd aangemaakt
.

(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\UpMedia
C:\WINDOWS\system32\UpMedia\ContentTool.dll
C:\WINDOWS\system32\UpMedia\SearchTool.dll
C:\WINDOWS\system32\UpMedia\uninstallSE.exe
C:\WINDOWS\system32\version69ie7fix.dll
C:\WINDOWS\system32\winnb58.dll
D:\Autorun.inf

.
(((((((((((((((((((( Bestanden Gemaakt van 2008-01-23 to 2008-02-23 ))))))))))))))))))))))))))))))
.

2008-02-23 15:35 . 2008-02-23 15:36 <DIR> d-------- C:\Documents and Settings\Eigenaar.ELLES\Application Data\AVG7
2008-02-23 15:34 . 2008-02-23 15:34 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-02-23 15:33 . 2008-02-23 15:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-23 15:33 . 2008-02-23 15:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-02-23 13:12 . 2008-02-23 13:12 <DIR> d-------- C:\WINDOWS\LastGood
2008-02-23 13:12 . 2008-02-23 13:12 <DIR> d-------- C:\Program Files\DIFX
2008-02-23 13:12 . 2007-07-18 16:40 264,576 --a------ C:\WINDOWS\system32\drivers\RTL8187B.sys
2008-02-18 07:33 . 2008-02-18 07:33 <DIR> d-------- C:\Documents and Settings\Eigenaar.ELLES\Application Data\Uniblue
2008-02-12 22:17 . 2008-02-13 21:18 35,840 --a------ C:\chaos_in_de_natuur[1].doc
2008-02-08 22:12 . 2008-02-08 22:12 363,980 --a------ C:\WINDOWS\1-fe5e180d56ed9c233080898276c260cc.exe
2008-02-08 22:12 . 2008-02-08 22:12 139,264 --a------ C:\WINDOWS\MirarDownloader_876260.exe
2008-02-08 22:12 . 2008-02-08 22:12 32,768 --a------ C:\WINDOWS\system32\WinDmy.dll
2008-02-08 22:12 . 2008-02-23 15:08 18,432 --a------ C:\Documents and Settings\Eigenaar.ELLES\Application Data\internaldb6500.dat
2008-02-08 22:12 . 2008-02-23 15:08 555 --a------ C:\Documents and Settings\Eigenaar.ELLES\Application Data\internaldb9169.dat
2008-02-08 22:12 . 2008-02-23 15:40 374 --a------ C:\Documents and Settings\Eigenaar.ELLES\Application Data\internaldb5724.dat
2008-02-04 07:51 . 2008-02-04 07:51 <DIR> d-------- C:\Program Files\LEGO Company
2008-02-04 07:51 . 2008-02-04 07:51 <DIR> d-------- C:\Documents and Settings\Eigenaar.ELLES\Application Data\LEGO Company
2008-02-02 00:11 . 2008-02-02 00:11 <DIR> d-------- C:\Documents and Settings\Eigenaar.ELLES\Application Data\Apple Computer
2008-02-02 00:11 . 2008-02-23 13:08 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-02 00:11 . 2008-02-02 00:11 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-02 00:10 . 2008-02-02 00:10 <DIR> d-------- C:\Program Files\Bonjour
2008-02-02 00:09 . 2008-02-02 00:09 <DIR> d-------- C:\Program Files\Apple Software Update
2008-02-02 00:09 . 2008-02-23 13:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-02-02 00:08 . 2008-02-02 00:08 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-02-02 00:08 . 2008-02-02 00:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-02-01 23:58 . 2008-02-02 00:10 <DIR> d-------- C:\Program Files\QuickTime

.
((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-23 12:54 --------- d-----w C:\Program Files\Zylom Games
2008-02-23 12:51 --------- d-----w C:\Program Files\Google
2008-02-12 20:04 19,584 ----a-w C:\WINDOWS\system32\drivers\jmcbjlkf.dat
2008-02-08 20:59 --------- d-----w C:\Documents and Settings\Eigenaar.ELLES\Application Data\LimeWire
2008-01-16 10:21 257,552 ----a-w C:\Documents and Settings\Eigenaar.ELLES\Application Data\setup_nl[1].exe
2007-12-07 02:18 824,832 ----a-w C:\WINDOWS\system32\wininet.dll
2007-12-04 18:42 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
2007-11-28 16:06 188,416 ----a-w C:\WINDOWS\system32\adspipe.dll
2006-11-21 22:29 49 ----a-w C:\Documents and Settings\Eigenaar.ELLES\Application Data\internaldb41.dat
2006-11-21 22:29 337 ----a-w C:\Documents and Settings\Eigenaar.ELLES\Application Data\internaldb1942.dat
2006-11-20 11:14 9,216 ----a-w C:\Documents and Settings\Eigenaar.ELLES\Application Data\internaldb8467.dat
2006-11-20 11:14 20,480 ----a-w C:\Documents and Settings\Eigenaar.ELLES\Application Data\internaldb4827.dat
2006-11-20 11:14 0 ----a-w C:\Documents and Settings\Eigenaar.ELLES\Application Data\internaldb6334.dat
2006-11-20 11:14 0 ----a-w C:\Documents and Settings\Eigenaar.ELLES\Application Data\internaldb5436.dat
2004-06-18 10:05 45,056 ------w C:\WINDOWS\inf\Slntinst.exe
2003-08-22 10:09 45,056 ----a-w C:\WINDOWS\inf\slntinst_staticW2k.exe
2002-07-26 11:22 60 ----a-w C:\Program Files\StopZillaKey.txt
2002-07-26 10:56 5,835,054 ----a-w C:\Program Files\STOPzillaALL.exe
2005-06-08 12:09 32 --sha-w C:\WINDOWS\{9E7FE2AE-715A-410C-9E1E-23F81B6CB816}.dat
.

((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{13906623-E807-4FBA-BFCE-FC849060B7DD}]
2004-08-04 13:00 94208 --a------ C:\WINDOWS\system32\asycfil.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C07F60AC-688D-4F3E-89EC-30B281BDD2CC}]
2007-01-19 16:38 421888 --a------ C:\WINDOWS\system32\asclemca.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{B2847E28-5D7D-4DEB-8B67-05D28BCF79F5}
{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}

[HKEY_CLASSES_ROOT\clsid\{9a9c9b68-f908-4aab-8d0c-10ea8997f37e}]
[HKEY_CLASSES_ROOT\TypeLib\{566DEDE9-9ED8-45DA-9BE6-9B2EEAB17F49}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}"= C:\WINDOWS\system32\version69ie7fix.dll [ ]

[HKEY_CLASSES_ROOT\clsid\{9a9c9b68-f908-4aab-8d0c-10ea8997f37e}]
[HKEY_CLASSES_ROOT\TypeLib\{566DEDE9-9ED8-45DA-9BE6-9B2EEAB17F49}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00 15360]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 11:54 5674352]
"Chckup"="C:\WINDOWS\system32\Netverchk.exe" [2006-11-20 12:14 118784]
"Spyware Doctor"="C:\Program Files\Spyware Doctor\swdoctor.exe" [2005-05-26 08:52 1506544]
"LifeCU"="C:\WINDOWS\system32\BastaYa.exe" [2007-01-19 16:38 118784]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe" [2006-07-26 03:03 49263]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 16:04 52736]
"HPHUPD05"="c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [2003-08-21 03:23 49152]
"HPHmon05"="C:\WINDOWS\System32\hphmon05.exe" [2003-08-21 03:18 483328]
"WinCinemaMgr"="C:\Program Files\InterVideo\Common\bin\WinCinemaMgr.exe" [2003-09-16 17:01 184320]
"Home Theater SchSvr"="C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe" [2003-11-24 17:40 155648]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2003-11-03 16:50 221184]
"VTTimer"="VTTimer.exe" []
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 23:24 28672 C:\WINDOWS\system32\Ati2mdxx.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-11-25 20:10 335872]
"Sunkist2k"="C:\Program Files\Multimedia Card Reader\shwicon2k.exe" [2003-10-29 11:17 135168]
"AlcxMonitor"="ALCXMNTR.EXE" [2003-04-03 20:35 50176 C:\WINDOWS\ALCXMNTR.EXE]
"PS2"="C:\WINDOWS\system32\ps2.exe" [ ]
"Motive SmartBridge"="C:\PROGRA~1\CASEMA~1\SMARTB~1\MotiveSB.exe" [2006-11-17 12:36 438359]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 13:00 110592 C:\WINDOWS\system32\bthprops.cpl]
"BTUSRBDG"="BtUsrBdg.exe" [2003-11-05 22:21 53248 C:\WINDOWS\system32\BtUsrBdg.exe]
"BTSETBOOTKEY"="BTSetBootKey.exe" [2003-04-15 10:48 36864 C:\WINDOWS\system32\BTSetBootKey.exe]
"Ulead AutoDetector"="C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe" [2003-05-13 15:39 45056]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-02-01 23:58 385024]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-02-23 15:35 579072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-02-23 15:33 219136]

C:\Documents and Settings\Eigenaar.ELLES\Menu Start\Programma's\Opstarten\
Microsoft Office Snelzoeken.lnk - C:\Program Files\Microsoft Office\Office\FINDFAST.EXE [1997-02-19 111376]
Office Opstarten.lnk - C:\Program Files\Microsoft Office\Office\OSA.EXE [1997-02-19 51984]

C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\
Casema SnelHelp.lnk - C:\Program Files\Casema SnelHelp\bin\matcli.exe [2006-11-16 23:16:02 217088]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 23:23:26 282624]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04 83360]
Startup.exe [2003-10-16 16:37:00 36864]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"= %windir%\\system32\\sessmgr.exe:@xpsp2res.dll,-22019
"C:\\Program Files\\MSN Messenger\\msncall.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=

R0 yxkfzpjn;yxkfzpjn;C:\WINDOWS\system32\drivers\jmcbjlkf.dat []
R3 Cap7134;ASUS TV7134 WDM Video Capture;C:\WINDOWS\system32\DRIVERS\Cap7134.sys [2003-05-09 10:16]
R3 PhTVTune;ASUS WDM TV Tuner;C:\WINDOWS\system32\DRIVERS\PhTVTune.sys [2003-04-28 22:33]
R3 RTL8187B;Wireless Network USB Adapter 54g WL-168v1.004;C:\WINDOWS\system32\DRIVERS\RTL8187B.sys [2007-07-18 16:40]
R3 vad_multi;Windigo Virtual Audio Device (WDM);C:\WINDOWS\system32\drivers\vadmulti.sys [2003-11-05 11:53]
S3 CSRBC01;%CSRBC01.SvcDesc%;C:\WINDOWS\system32\Drivers\csrbc01.sys [2003-10-29 19:52]
S3 ss_bus;SAMSUNG Mobile USB Device 1.0 driver (WDM);C:\WINDOWS\system32\DRIVERS\ss_bus.sys [2005-08-30 16:57]
S3 ss_mdfl;SAMSUNG Mobile USB Modem 1.0 Filter;C:\WINDOWS\system32\DRIVERS\ss_mdfl.sys [2005-08-30 16:58]
S3 ss_mdm;SAMSUNG Mobile USB Modem 1.0 Drivers;C:\WINDOWS\system32\DRIVERS\ss_mdm.sys [2005-08-30 16:59]

*Newly Created Service* - AVG7ALRT
*Newly Created Service* - AVG7CORE
*Newly Created Service* - AVG7RSW
*Newly Created Service* - AVG7RSXP
*Newly Created Service* - AVG7UPDSVC
*Newly Created Service* - AVGCLEAN
*Newly Created Service* - AVGEMS
*Newly Created Service* - AVGTDI
.
Inhoud van de 'Gedeelde Taken' map
"2008-02-01 23:09:08 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-23 15:44:21
Windows 5.1.2600 Service Pack 2 NTFS

scannen van verborgen processen ...

scannen van verborgen autostart items ...

scannen van verborgen bestanden ...

Scan succesvol afgerond
verborgen bestanden: 0

**************************************************************************
.
Voltooingstijd: 2008-02-23 15:46:58
ComboFix-quarantined-files.txt 2008-02-23 14:46:55
.
2008-02-13 10:14:26 --- E O F ---

--------------------------------------------------------------------------------------------------------------------------------------
HijackThis!-log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:48:59, on 23-2-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\InterVideo\Common\bin\WinCinemaMgr.exe
C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\PROGRA~1\CASEMA~1\SMARTB~1\MotiveSB.exe
C:\WINDOWS\system32\BTSetBootKey.exe
C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Casema SnelHelp\bin\mpbtn.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\Extended Systems\XTNDConnect Blue Manager\XTNDConnect Blue Manager\XCBluMgr.exe
C:\PROGRA~1\EXTEND~1\XTNDCO~1\XTNDCO~1\SUSHIM~1.EXE
C:\Program Files\Extended Systems\XTNDConnect Blue Manager\btprot.exe
C:\PROGRA~1\EXTEND~1\XTNDCO~1\XTNDCO~1\BTUI_M~1.EXE
C:\Program Files\Java\jre1.5.0_08\bin\jucheck.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\kmd.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
F:\Thuis\Programma's\HiJackThis.exe
C:\WINDOWS\Nircmd.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.nl/0SEN...S01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {13906623-E807-4FBA-BFCE-FC849060B7DD} - C:\WINDOWS\system32\asycfil.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: Hoja Class - {C07F60AC-688D-4F3E-89EC-30B281BDD2CC} - C:\WINDOWS\system32\asclemca.dll
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: Mirar - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\system32\version69ie7fix.dll (file missing)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [WinCinemaMgr] "C:\Program Files\InterVideo\Common\bin\WinCinemaMgr.exe"
O4 - HKLM\..\Run: [Home Theater SchSvr] "C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\CASEMA~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [BTUSRBDG] BtUsrBdg.exe
O4 - HKLM\..\Run: [BTSETBOOTKEY] BTSetBootKey.exe
O4 - HKLM\..\Run: [Ulead AutoDetector] C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Chckup] C:\WINDOWS\system32\Netverchk.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [LifeCU] C:\WINDOWS\system32\BastaYa.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Lokale service')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Netwerkservice')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - Startup: Microsoft Office Snelzoeken.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Opstarten.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Casema SnelHelp.lnk = C:\Program Files\Casema SnelHelp\bin\matcli.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Startup.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.appl...ex/qtplugin.cab
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://cdn.driveclea...nerstart_nl.cab
O16 - DPF: {34DC6011-88B5-4EA9-BA7A-DC7B4F4437FE} (JordanUploader Class) - http://foto.hema.nl/...ects/jordan.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zon...wn.cab56986.cab
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://locator1.cdn....easeInstall.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.co...aploader_v6.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Bonjour-service (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Planner voor Automatische LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 9866 bytes

#4
kahdah

Posted 23 February 2008 - 09:02 AM

GeekU Teacher

Retired Staff
15,822 posts

Good call.

--============
1. Please open Notepad

Click Start , then Run
type in notepad in the Run Box then hit ok.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\MirarDownloader_876260.exe
C:\WINDOWS\system32\WinDmy.dll
C:\Documents and Settings\Eigenaar.ELLES\Application Data\internaldb6500.dat
C:\Documents and Settings\Eigenaar.ELLES\Application Data\internaldb9169.dat
C:\WINDOWS\system32\drivers\jmcbjlkf.dat
C:\WINDOWS\system32\adspipe.dll
C:\Documents and Settings\Eigenaar.ELLES\Application Data\internaldb41.dat
C:\Documents and Settings\Eigenaar.ELLES\Application Data\internaldb1942.dat
C:\Documents and Settings\Eigenaar.ELLES\Application Data\internaldb8467.dat
C:\Documents and Settings\Eigenaar.ELLES\Application Data\internaldb4827.dat
C:\Documents and Settings\Eigenaar.ELLES\Application Data\internaldb6334.dat
C:\Documents and Settings\Eigenaar.ELLES\Application Data\internaldb5436.dat
C:\WINDOWS\system32\asycfil.dll
C:\WINDOWS\system32\asclemca.dll
C:\WINDOWS\system32\version69ie7fix.dll 
C:\WINDOWS\system32\Netverchk.exe
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{13906623-E807-4FBA-BFCE-FC849060B7DD}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C07F60AC-688D-4F3E-89EC-30B281BDD2CC}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}"=-
[-HKEY_CLASSES_ROOT\clsid\{9a9c9b68-f908-4aab-8d0c-10ea8997f37e}]
[-HKEY_CLASSES_ROOT\TypeLib\{566DEDE9-9ED8-45DA-9BE6-9B2EEAB17F49}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Chckup"=-
Driver::
yxkfzpjn

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image

5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:

Combofix.txt
A new HijackThis log.

#5
Rotgeur

Posted 23 February 2008 - 09:16 AM

Member

Topic Starter
Member
23 posts

The ComboFix-log...

ComboFix 08-02-23.2 - Eigenaar 2008-02-23 16:06:16.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1043.18.115 [GMT 1:00]
Gestart vanuit: C:\Documents and Settings\Eigenaar.ELLES\Bureaublad\ComboFix.exe
Command switches used :: C:\Documents and Settings\Eigenaar.ELLES\Bureaublad\CFScript.txt
* Nieuw herstelpunt werd aangemaakt

FILE ::
C:\Documents and Settings\Eigenaar.ELLES\Application Data\internaldb1942.dat
C:\Documents and Settings\Eigenaar.ELLES\Application Data\internaldb41.dat
C:\Documents and Settings\Eigenaar.ELLES\Application Data\internaldb4827.dat
C:\Documents and Settings\Eigenaar.ELLES\Application Data\internaldb5436.dat
C:\Documents and Settings\Eigenaar.ELLES\Application Data\internaldb6334.dat
C:\Documents and Settings\Eigenaar.ELLES\Application Data\internaldb6500.dat
C:\Documents and Settings\Eigenaar.ELLES\Application Data\internaldb8467.dat
C:\Documents and Settings\Eigenaar.ELLES\Application Data\internaldb9169.dat
C:\WINDOWS\MirarDownloader_876260.exe
C:\WINDOWS\system32\adspipe.dll
C:\WINDOWS\system32\asclemca.dll
C:\WINDOWS\system32\asycfil.dll
C:\WINDOWS\system32\drivers\jmcbjlkf.dat
C:\WINDOWS\system32\Netverchk.exe
C:\WINDOWS\system32\version69ie7fix.dll
C:\WINDOWS\system32\WinDmy.dll
.

(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Eigenaar.ELLES\Application Data\internaldb1942.dat
C:\Documents and Settings\Eigenaar.ELLES\Application Data\internaldb41.dat
C:\Documents and Settings\Eigenaar.ELLES\Application Data\internaldb4827.dat
C:\Documents and Settings\Eigenaar.ELLES\Application Data\internaldb5436.dat
C:\Documents and Settings\Eigenaar.ELLES\Application Data\internaldb6334.dat
C:\Documents and Settings\Eigenaar.ELLES\Application Data\internaldb6500.dat
C:\Documents and Settings\Eigenaar.ELLES\Application Data\internaldb8467.dat
C:\Documents and Settings\Eigenaar.ELLES\Application Data\internaldb9169.dat
C:\WINDOWS\MirarDownloader_876260.exe
C:\WINDOWS\system32\adspipe.dll
C:\WINDOWS\system32\asclemca.dll
C:\WINDOWS\system32\asycfil.dll
C:\WINDOWS\system32\drivers\jmcbjlkf.dat
C:\WINDOWS\system32\Netverchk.exe
C:\WINDOWS\system32\WinDmy.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_YXKFZPJN
-------\yxkfzpjn

(((((((((((((((((((( Bestanden Gemaakt van 2008-01-23 to 2008-02-23 ))))))))))))))))))))))))))))))
.

2008-02-23 15:35 . 2008-02-23 15:36 <DIR> d-------- C:\Documents and Settings\Eigenaar.ELLES\Application Data\AVG7
2008-02-23 15:34 . 2008-02-23 15:34 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-02-23 15:33 . 2008-02-23 15:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-23 15:33 . 2008-02-23 15:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-02-23 13:12 . 2008-02-23 13:12 <DIR> d-------- C:\Program Files\DIFX
2008-02-23 13:12 . 2007-07-18 16:40 264,576 --a------ C:\WINDOWS\system32\drivers\RTL8187B.sys
2008-02-18 07:33 . 2008-02-18 07:33 <DIR> d-------- C:\Documents and Settings\Eigenaar.ELLES\Application Data\Uniblue
2008-02-12 22:17 . 2008-02-13 21:18 35,840 --a------ C:\chaos_in_de_natuur[1].doc
2008-02-08 22:12 . 2008-02-08 22:12 363,980 --a------ C:\WINDOWS\1-fe5e180d56ed9c233080898276c260cc.exe
2008-02-08 22:12 . 2008-02-23 15:40 374 --a------ C:\Documents and Settings\Eigenaar.ELLES\Application Data\internaldb5724.dat
2008-02-04 07:51 . 2008-02-04 07:51 <DIR> d-------- C:\Program Files\LEGO Company
2008-02-04 07:51 . 2008-02-04 07:51 <DIR> d-------- C:\Documents and Settings\Eigenaar.ELLES\Application Data\LEGO Company
2008-02-02 00:11 . 2008-02-02 00:11 <DIR> d-------- C:\Documents and Settings\Eigenaar.ELLES\Application Data\Apple Computer
2008-02-02 00:11 . 2008-02-23 13:08 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-02 00:11 . 2008-02-02 00:11 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-02 00:10 . 2008-02-02 00:10 <DIR> d-------- C:\Program Files\Bonjour
2008-02-02 00:09 . 2008-02-02 00:09 <DIR> d-------- C:\Program Files\Apple Software Update
2008-02-02 00:09 . 2008-02-23 13:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-02-02 00:08 . 2008-02-02 00:08 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-02-02 00:08 . 2008-02-02 00:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-02-01 23:58 . 2008-02-02 00:10 <DIR> d-------- C:\Program Files\QuickTime

.
((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-23 12:54 --------- d-----w C:\Program Files\Zylom Games
2008-02-23 12:51 --------- d-----w C:\Program Files\Google
2008-02-08 20:59 --------- d-----w C:\Documents and Settings\Eigenaar.ELLES\Application Data\LimeWire
2008-01-16 10:21 257,552 ----a-w C:\Documents and Settings\Eigenaar.ELLES\Application Data\setup_nl[1].exe
2002-07-26 11:22 60 ----a-w C:\Program Files\StopZillaKey.txt
2002-07-26 10:56 5,835,054 ----a-w C:\Program Files\STOPzillaALL.exe
2005-06-08 12:09 32 --sha-w C:\WINDOWS\{9E7FE2AE-715A-410C-9E1E-23F81B6CB816}.dat
.

((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C07F60AC-688D-4F3E-89EC-30B281BDD2CC}]
2008-02-23 16:12 421888 --a------ C:\WINDOWS\system32\ascluwci.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00 15360]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 11:54 5674352]
"Spyware Doctor"="C:\Program Files\Spyware Doctor\swdoctor.exe" [2005-05-26 08:52 1506544]
"LifeCU"="C:\WINDOWS\system32\BastaYa.exe" [2007-01-19 16:38 118784]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe" [2006-07-26 03:03 49263]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 16:04 52736]
"HPHUPD05"="c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [2003-08-21 03:23 49152]
"HPHmon05"="C:\WINDOWS\System32\hphmon05.exe" [2003-08-21 03:18 483328]
"WinCinemaMgr"="C:\Program Files\InterVideo\Common\bin\WinCinemaMgr.exe" [2003-09-16 17:01 184320]
"Home Theater SchSvr"="C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe" [2003-11-24 17:40 155648]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2003-11-03 16:50 221184]
"VTTimer"="VTTimer.exe" []
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 23:24 28672 C:\WINDOWS\system32\Ati2mdxx.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-11-25 20:10 335872]
"Sunkist2k"="C:\Program Files\Multimedia Card Reader\shwicon2k.exe" [2003-10-29 11:17 135168]
"AlcxMonitor"="ALCXMNTR.EXE" [2003-04-03 20:35 50176 C:\WINDOWS\ALCXMNTR.EXE]
"PS2"="C:\WINDOWS\system32\ps2.exe" [ ]
"Motive SmartBridge"="C:\PROGRA~1\CASEMA~1\SMARTB~1\MotiveSB.exe" [2006-11-17 12:36 438359]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 13:00 110592 C:\WINDOWS\system32\bthprops.cpl]
"BTUSRBDG"="BtUsrBdg.exe" [2003-11-05 22:21 53248 C:\WINDOWS\system32\BtUsrBdg.exe]
"BTSETBOOTKEY"="BTSetBootKey.exe" [2003-04-15 10:48 36864 C:\WINDOWS\system32\BTSetBootKey.exe]
"Ulead AutoDetector"="C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe" [2003-05-13 15:39 45056]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-02-01 23:58 385024]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-02-23 15:35 579072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-02-23 15:33 219136]

C:\Documents and Settings\Eigenaar.ELLES\Menu Start\Programma's\Opstarten\
Microsoft Office Snelzoeken.lnk - C:\Program Files\Microsoft Office\Office\FINDFAST.EXE [1997-02-19 111376]
Office Opstarten.lnk - C:\Program Files\Microsoft Office\Office\OSA.EXE [1997-02-19 51984]

C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\
Casema SnelHelp.lnk - C:\Program Files\Casema SnelHelp\bin\matcli.exe [2006-11-16 23:16:02 217088]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 23:23:26 282624]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04 83360]
Startup.exe [2003-10-16 16:37:00 36864]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"= %windir%\\system32\\sessmgr.exe:@xpsp2res.dll,-22019
"C:\\Program Files\\MSN Messenger\\msncall.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=

R3 Cap7134;ASUS TV7134 WDM Video Capture;C:\WINDOWS\system32\DRIVERS\Cap7134.sys [2003-05-09 10:16]
R3 PhTVTune;ASUS WDM TV Tuner;C:\WINDOWS\system32\DRIVERS\PhTVTune.sys [2003-04-28 22:33]
R3 RTL8187B;Wireless Network USB Adapter 54g WL-168v1.004;C:\WINDOWS\system32\DRIVERS\RTL8187B.sys [2007-07-18 16:40]
R3 vad_multi;Windigo Virtual Audio Device (WDM);C:\WINDOWS\system32\drivers\vadmulti.sys [2003-11-05 11:53]
S3 CSRBC01;%CSRBC01.SvcDesc%;C:\WINDOWS\system32\Drivers\csrbc01.sys [2003-10-29 19:52]
S3 ss_bus;SAMSUNG Mobile USB Device 1.0 driver (WDM);C:\WINDOWS\system32\DRIVERS\ss_bus.sys [2005-08-30 16:57]
S3 ss_mdfl;SAMSUNG Mobile USB Modem 1.0 Filter;C:\WINDOWS\system32\DRIVERS\ss_mdfl.sys [2005-08-30 16:58]
S3 ss_mdm;SAMSUNG Mobile USB Modem 1.0 Drivers;C:\WINDOWS\system32\DRIVERS\ss_mdm.sys [2005-08-30 16:59]

.
Inhoud van de 'Gedeelde Taken' map
"2008-02-01 23:09:08 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-23 16:11:55
Windows 5.1.2600 Service Pack 2 NTFS

scannen van verborgen processen ...

scannen van verborgen autostart items ...

scannen van verborgen bestanden ...

Scan succesvol afgerond
verborgen bestanden: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Casema SnelHelp\bin\mpbtn.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\Extended Systems\XTNDConnect Blue Manager\XTNDConnect Blue Manager\XCBluMgr.exe
C:\PROGRA~1\EXTEND~1\XTNDCO~1\XTNDCO~1\SUSHIM~1.EXE
C:\Program Files\Extended Systems\XTNDConnect Blue Manager\btprot.exe
C:\PROGRA~1\EXTEND~1\XTNDCO~1\XTNDCO~1\BTUI_M~1.EXE
.
**************************************************************************
.
Voltooingstijd: 2008-02-23 16:14:51 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-23 15:14:48
ComboFix2.txt 2008-02-23 14:46:59
.
2008-02-13 10:14:26 --- E O F ---

...and the HijackThis!-log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:15:31, on 23-2-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\InterVideo\Common\bin\WinCinemaMgr.exe
C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\PROGRA~1\CASEMA~1\SMARTB~1\MotiveSB.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\BTSetBootKey.exe
C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Casema SnelHelp\bin\mpbtn.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Extended Systems\XTNDConnect Blue Manager\XTNDConnect Blue Manager\XCBluMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\EXTEND~1\XTNDCO~1\XTNDCO~1\SUSHIM~1.EXE
C:\Program Files\Extended Systems\XTNDConnect Blue Manager\btprot.exe
C:\PROGRA~1\EXTEND~1\XTNDCO~1\XTNDCO~1\BTUI_M~1.EXE
C:\WINDOWS\system32\notepad.exe
F:\Thuis\Programma's\HiJackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.nl/0SEN...S01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [WinCinemaMgr] "C:\Program Files\InterVideo\Common\bin\WinCinemaMgr.exe"
O4 - HKLM\..\Run: [Home Theater SchSvr] "C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\CASEMA~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [BTUSRBDG] BtUsrBdg.exe
O4 - HKLM\..\Run: [BTSETBOOTKEY] BTSetBootKey.exe
O4 - HKLM\..\Run: [Ulead AutoDetector] C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [LifeCU] C:\WINDOWS\system32\BastaYa.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Lokale service')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Netwerkservice')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - Startup: Microsoft Office Snelzoeken.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Opstarten.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Casema SnelHelp.lnk = C:\Program Files\Casema SnelHelp\bin\matcli.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Startup.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.appl...ex/qtplugin.cab
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://cdn.driveclea...nerstart_nl.cab
O16 - DPF: {34DC6011-88B5-4EA9-BA7A-DC7B4F4437FE} (JordanUploader Class) - http://foto.hema.nl/...ects/jordan.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zon...wn.cab56986.cab
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://locator1.cdn....easeInstall.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.co...aploader_v6.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Bonjour-service (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Planner voor Automatische LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 9450 bytes

#6
kahdah

Posted 23 February 2008 - 09:21 AM

GeekU Teacher

Retired Staff
15,822 posts

Please re-open Hijackthis and click on "Do a system scan only"
Then place a check mark next to these entries below:

O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://cdn.driveclea...nerstart_nl.cab

Now click on Fix Checked and then close Hijackthis.
===================================================
Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.

Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.
============================
Please also post back with a new Hijackthis log.

#7
Rotgeur

Posted 23 February 2008 - 09:35 AM

Member

Topic Starter
Member
23 posts

Here's the MalwareBytes-log:

Malwarebytes' Anti-Malware 1.05
Database version: 396

Scan type: Quick Scan
Objects scanned: 30481
Time elapsed: 5 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 7
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{1037b06c-84b7-4240-8d80-485810a0497d} (Adware.Mirar) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{54b287f9-fd90-4457-b65e-cb91560c021d} (Adware.Mirar) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{6e4c7afc-9915-4036-b7f9-8b3f1710788f} (Adware.Mirar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{b64f4a7c-97c9-11da-8bde-f66bad1e3f3a} (Rogue.WinAntivirus) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\nn_bar_dummy.nn_bardummy (Adware.Mirar) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\nn_bar_dummy.nn_bardummy.1 (Adware.Mirar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8a0dcbda-6e20-489c-9041-c1e8a0352e75} (Adware.Mirar) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

---------------------------------------------------------------------------
And here's the HijackThis!-log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:34:44, on 23-2-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\InterVideo\Common\bin\WinCinemaMgr.exe
C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\PROGRA~1\CASEMA~1\SMARTB~1\MotiveSB.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\BTSetBootKey.exe
C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Casema SnelHelp\bin\mpbtn.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Extended Systems\XTNDConnect Blue Manager\XTNDConnect Blue Manager\XCBluMgr.exe
C:\PROGRA~1\EXTEND~1\XTNDCO~1\XTNDCO~1\SUSHIM~1.EXE
C:\Program Files\Extended Systems\XTNDConnect Blue Manager\btprot.exe
C:\PROGRA~1\EXTEND~1\XTNDCO~1\XTNDCO~1\BTUI_M~1.EXE
C:\Program Files\Java\jre1.5.0_08\bin\jucheck.exe
C:\Program Files\internet explorer\iexplore.exe
F:\Thuis\Programma's\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.nl/0SEN...S01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [WinCinemaMgr] "C:\Program Files\InterVideo\Common\bin\WinCinemaMgr.exe"
O4 - HKLM\..\Run: [Home Theater SchSvr] "C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\CASEMA~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [BTUSRBDG] BtUsrBdg.exe
O4 - HKLM\..\Run: [BTSETBOOTKEY] BTSetBootKey.exe
O4 - HKLM\..\Run: [Ulead AutoDetector] C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [LifeCU] C:\WINDOWS\system32\BastaYa.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Lokale service')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Netwerkservice')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - Startup: Microsoft Office Snelzoeken.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Opstarten.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Casema SnelHelp.lnk = C:\Program Files\Casema SnelHelp\bin\matcli.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Startup.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.appl...ex/qtplugin.cab
O16 - DPF: {34DC6011-88B5-4EA9-BA7A-DC7B4F4437FE} (JordanUploader Class) - http://foto.hema.nl/...ects/jordan.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zon...wn.cab56986.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.co...aploader_v6.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Bonjour-service (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Planner voor Automatische LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 8927 bytes

#8
kahdah

Posted 23 February 2008 - 10:01 AM

GeekU Teacher

Retired Staff
15,822 posts

Please download SmitfraudFix (by S!Ri) to your Desktop.

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

**If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlog...processutil.htm

#9
Rotgeur

Posted 23 February 2008 - 10:06 AM

Member

Topic Starter
Member
23 posts

Here it is...:

SmitFraudFix v2.294

Scan done at 17:04:55,34, za 23-02-2008
Run from C:\Documents and Settings\Eigenaar.ELLES\Bureaublad\SmitfraudFix
OS: Microsoft Windows XP [versie 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\InterVideo\Common\bin\WinCinemaMgr.exe
C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\PROGRA~1\CASEMA~1\SMARTB~1\MotiveSB.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\BTSetBootKey.exe
C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Casema SnelHelp\bin\mpbtn.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Extended Systems\XTNDConnect Blue Manager\XTNDConnect Blue Manager\XCBluMgr.exe
C:\PROGRA~1\EXTEND~1\XTNDCO~1\XTNDCO~1\SUSHIM~1.EXE
C:\Program Files\Extended Systems\XTNDConnect Blue Manager\btprot.exe
C:\PROGRA~1\EXTEND~1\XTNDCO~1\XTNDCO~1\BTUI_M~1.EXE
C:\Program Files\Java\jre1.5.0_08\bin\jucheck.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Eigenaar.ELLES

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Eigenaar.ELLES\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\EIGENA~1.ELL\FAVORI~1

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="Mijn huidige introductiepagina"

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Rustock

»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Wireless Network USB Adapter 54g WL-168v1.004 - Pakketplanner-minipoort
DNS Server Search Order: 10.0.0.138

HKLM\SYSTEM\CCS\Services\Tcpip\..\{F8481D14-22DA-413E-8A32-DF14829ED1EC}: DhcpNameServer=10.0.0.138
HKLM\SYSTEM\CS1\Services\Tcpip\..\{F8481D14-22DA-413E-8A32-DF14829ED1EC}: DhcpNameServer=10.0.0.138
HKLM\SYSTEM\CS2\Services\Tcpip\..\{F8481D14-22DA-413E-8A32-DF14829ED1EC}: DhcpNameServer=10.0.0.138
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=10.0.0.138
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=10.0.0.138
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=10.0.0.138

»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End

#10
kahdah

Posted 23 February 2008 - 10:33 AM

GeekU Teacher

Retired Staff
15,822 posts

Please download the OTMoveIt2 by OldTimer.

Save it to your desktop.
Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
```
c:\documents and settings\All Users\start menu\programs\startup\Startup.exe
```
Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.
Click the red Moveit! button.
OTMoveit2 will create a log of moved files in the C:\_OTMoveIt\MovedFiles folder. The log's name will appear as the date and time it was created, with the format mmddyyyy_hhmmss.log. Open this log in Notepad and post its contents in your next reply.
Close OTMoveIt2

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Keep that log and post it with the following log.
====================================
Please do an online scan with Kaspersky WebScanner
(This scanner is for use with internet explorer only)
Click on "Accept"

You will be promted to install an ActiveX component from Kaspersky, Click Yes.

The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make that the following are selected:
- Scan using the following Anti-Virus database:
Extended (if available otherwise Standard)
- Scan Options:
Scan Archives
Scan Mail Bases
Click OK
Now under select a target to scan:Select My Computer
This will program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
- Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information in your next post.

#11
Rotgeur

Posted 23 February 2008 - 12:57 PM

Member

Topic Starter
Member
23 posts

Much simpler log than the rest of them...

C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\Startup.exe moved successfully.

OTMoveIt2 v1.0.20 log created on 02232008_174230

The Kaspersky log in text format made my post way too long. I've tried to make a link to it, but that's not working. Then, I tried to place it on one of my old profile sites, but the HTML version is not the complete log and the text is all screwed up...Could you give me a hand on how to post it, or to make a good link to it? I still have the page with the scanner opened, and I've got both the HTML version and the text file saved to the desktop.

PS: sorry it took me so long to respond; the scanning took quite a while and I had dinner when it was almost finished. After that, all the trouble with the posting started...

#12
kahdah

Posted 23 February 2008 - 01:00 PM

GeekU Teacher

Retired Staff
15,822 posts

No problem rather than fooling around more with posting it please e-mail it to me kahdah at aol.com (replace at with @)

Thank you.

#13
Rotgeur

Posted 23 February 2008 - 01:04 PM

Member

Topic Starter
Member
23 posts

Log under way. Thank you so much, you're really helping me out here

I've never had such quick responses

#14
kahdah

Posted 23 February 2008 - 01:20 PM

GeekU Teacher

Retired Staff
15,822 posts

I've never had such quick responses

I am addicted what can I say

=========================
1. Please open Notepad

Click Start , then Run
type in notepad in the Run Box then hit ok.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\system32\wbhlmcge.exe
C:\WINDOWS\system32\slimwkym.exe
C:\WINDOWS\system32\BastaYa.exe
C:\WINDOWS\system32\asycfil.2
C:\WINDOWS\system32\asycfil.1
C:\WINDOWS\system32\ascluwci.dll
C:\WINDOWS\Downloaded Program Files\popcaploader.dll
C:\WINDOWS\5-a0c18a429b8010fee34ee31d9073371d.exe
C:\WINDOWS\12-b101c483c2fe3ac4a2bd5fae3377ef4f.exe
C:\WINDOWS\10-47488c40c3cddfee98fc3b173f6d7beb.exe
C:\WINDOWS\1-fe5e180d56ed9c233080898276c260cc.exe
C:\Documents and Settings\Eigenaar.ELLES\Shared\01 Track 1 (evils).wma
C:\Documents and Settings\Eigenaar.ELLES\Bureaublad\SmitfraudFix.exe
Folder::
C:\Documents and Settings\Eigenaar.ELLES\Bureaublad\SmitfraudFix
C:\Documents and Settings\Eigenaar.ELLES\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-1f4eade4-6e7dd4b7.zip
C:\Documents and Settings\Eigenaar.ELLES\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-1f4eade5-79e4d2c3.zip

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image

5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:

Combofix.txt
A new HijackThis log.

#15
Rotgeur

Posted 23 February 2008 - 01:28 PM

Member

Topic Starter
Member
23 posts

Combo:

ComboFix 08-02-23.2 - Eigenaar 2008-02-23 20:23:04.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1043.18.211 [GMT 1:00]
Gestart vanuit: C:\Documents and Settings\Eigenaar.ELLES\Bureaublad\ComboFix.exe
Command switches used :: C:\Documents and Settings\Eigenaar.ELLES\Bureaublad\CFScript.txt
* Nieuw herstelpunt werd aangemaakt

FILE ::
C:\Documents and Settings\Eigenaar.ELLES\Bureaublad\SmitfraudFix.exe
C:\Documents and Settings\Eigenaar.ELLES\Shared\01 Track 1 (evils).wma
C:\WINDOWS\1-fe5e180d56ed9c233080898276c260cc.exe
C:\WINDOWS\10-47488c40c3cddfee98fc3b173f6d7beb.exe
C:\WINDOWS\12-b101c483c2fe3ac4a2bd5fae3377ef4f.exe
C:\WINDOWS\5-a0c18a429b8010fee34ee31d9073371d.exe
C:\WINDOWS\Downloaded Program Files\popcaploader.dll
C:\WINDOWS\system32\ascluwci.dll
C:\WINDOWS\system32\asycfil.1
C:\WINDOWS\system32\asycfil.2
C:\WINDOWS\system32\BastaYa.exe
C:\WINDOWS\system32\slimwkym.exe
C:\WINDOWS\system32\wbhlmcge.exe
.

(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Eigenaar.ELLES\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-1f4eade4-6e7dd4b7.zip\
C:\Documents and Settings\Eigenaar.ELLES\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-1f4eade5-79e4d2c3.zip\
C:\Documents and Settings\Eigenaar.ELLES\Bureaublad\SmitfraudFix
C:\Documents and Settings\Eigenaar.ELLES\Bureaublad\SmitfraudFix.exe
C:\Documents and Settings\Eigenaar.ELLES\Bureaublad\SmitfraudFix\dumphive.exe
C:\Documents and Settings\Eigenaar.ELLES\Bureaublad\SmitfraudFix\exit.exe
C:\Documents and Settings\Eigenaar.ELLES\Bureaublad\SmitfraudFix\GenericRenosFix.exe
C:\Documents and Settings\Eigenaar.ELLES\Bureaublad\SmitfraudFix\HostsChk.exe
C:\Documents and Settings\Eigenaar.ELLES\Bureaublad\SmitfraudFix\IEDFix.exe
C:\Documents and Settings\Eigenaar.ELLES\Bureaublad\SmitfraudFix\Process.exe
C:\Documents and Settings\Eigenaar.ELLES\Bureaublad\SmitfraudFix\Reboot.exe
C:\Documents and Settings\Eigenaar.ELLES\Bureaublad\SmitfraudFix\restart.exe
C:\Documents and Settings\Eigenaar.ELLES\Bureaublad\SmitfraudFix\SmitfraudFix.cmd
C:\Documents and Settings\Eigenaar.ELLES\Bureaublad\SmitfraudFix\SmiUpdate.exe
C:\Documents and Settings\Eigenaar.ELLES\Bureaublad\SmitfraudFix\SrchSTS.exe
C:\Documents and Settings\Eigenaar.ELLES\Bureaublad\SmitfraudFix\swreg.exe
C:\Documents and Settings\Eigenaar.ELLES\Bureaublad\SmitfraudFix\swsc.exe
C:\Documents and Settings\Eigenaar.ELLES\Bureaublad\SmitfraudFix\swxcacls.exe
C:\Documents and Settings\Eigenaar.ELLES\Bureaublad\SmitfraudFix\UIFix.exe
C:\Documents and Settings\Eigenaar.ELLES\Bureaublad\SmitfraudFix\unzip.exe
C:\Documents and Settings\Eigenaar.ELLES\Bureaublad\SmitfraudFix\VACFix.exe
C:\Documents and Settings\Eigenaar.ELLES\Bureaublad\SmitfraudFix\VCCLSID.exe
C:\Documents and Settings\Eigenaar.ELLES\Bureaublad\SmitfraudFix\WS2Fix.exe
C:\Documents and Settings\Eigenaar.ELLES\Shared\01 Track 1 (evils).wma
C:\WINDOWS\1-fe5e180d56ed9c233080898276c260cc.exe
C:\WINDOWS\10-47488c40c3cddfee98fc3b173f6d7beb.exe
C:\WINDOWS\12-b101c483c2fe3ac4a2bd5fae3377ef4f.exe
C:\WINDOWS\5-a0c18a429b8010fee34ee31d9073371d.exe
C:\WINDOWS\Downloaded Program Files\popcaploader.dll
C:\WINDOWS\system32\ascluwci.dll
C:\WINDOWS\system32\asycfil.1
C:\WINDOWS\system32\asycfil.2
C:\WINDOWS\system32\BastaYa.exe
C:\WINDOWS\system32\slimwkym.exe
C:\WINDOWS\system32\wbhlmcge.exe

.
(((((((((((((((((((( Bestanden Gemaakt van 2008-01-23 to 2008-02-23 ))))))))))))))))))))))))))))))
.

2008-02-23 17:44 . 2008-02-23 17:44 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-02-23 17:44 . 2008-02-23 17:44 <DIR> d-------- C:\WINDOWS\LastGood
2008-02-23 17:44 . 2008-02-23 17:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-23 17:42 . 2008-02-23 17:42 <DIR> d-------- C:\_OTMoveIt
2008-02-23 17:04 . 2008-02-23 17:04 2,696 --a------ C:\WINDOWS\system32\tmp.reg
2008-02-23 16:27 . 2008-02-23 16:27 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-02-23 16:27 . 2008-02-23 16:27 <DIR> d-------- C:\Documents and Settings\Eigenaar.ELLES\Application Data\Malwarebytes
2008-02-23 16:27 . 2008-02-23 16:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-02-23 15:35 . 2008-02-23 15:36 <DIR> d-------- C:\Documents and Settings\Eigenaar.ELLES\Application Data\AVG7
2008-02-23 15:34 . 2008-02-23 15:34 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-02-23 15:33 . 2008-02-23 15:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-23 15:33 . 2008-02-23 15:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-02-23 13:12 . 2008-02-23 13:12 <DIR> d-------- C:\Program Files\DIFX
2008-02-23 13:12 . 2007-07-18 16:40 264,576 --a------ C:\WINDOWS\system32\drivers\RTL8187B.sys
2008-02-18 07:33 . 2008-02-18 07:33 <DIR> d-------- C:\Documents and Settings\Eigenaar.ELLES\Application Data\Uniblue
2008-02-12 22:17 . 2008-02-13 21:18 35,840 --a------ C:\chaos_in_de_natuur[1].doc
2008-02-08 22:12 . 2008-02-23 15:40 374 --a------ C:\Documents and Settings\Eigenaar.ELLES\Application Data\internaldb5724.dat
2008-02-04 07:51 . 2008-02-04 07:51 <DIR> d-------- C:\Program Files\LEGO Company
2008-02-04 07:51 . 2008-02-04 07:51 <DIR> d-------- C:\Documents and Settings\Eigenaar.ELLES\Application Data\LEGO Company
2008-02-02 00:11 . 2008-02-02 00:11 <DIR> d-------- C:\Documents and Settings\Eigenaar.ELLES\Application Data\Apple Computer
2008-02-02 00:11 . 2008-02-23 13:08 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-02 00:11 . 2008-02-02 00:11 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-02 00:10 . 2008-02-02 00:10 <DIR> d-------- C:\Program Files\Bonjour
2008-02-02 00:09 . 2008-02-02 00:09 <DIR> d-------- C:\Program Files\Apple Software Update
2008-02-02 00:09 . 2008-02-23 13:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-02-02 00:08 . 2008-02-02 00:08 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-02-02 00:08 . 2008-02-02 00:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-02-01 23:58 . 2008-02-02 00:10 <DIR> d-------- C:\Program Files\QuickTime

.
((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-23 15:12 45,321 ----a-w C:\WINDOWS\system32\CAUnst.exe
2008-02-23 15:11 --------- d-----w C:\Program Files\Google
2008-02-23 12:54 --------- d-----w C:\Program Files\Zylom Games
2008-02-08 20:59 --------- d-----w C:\Documents and Settings\Eigenaar.ELLES\Application Data\LimeWire
2008-01-16 10:21 257,552 ----a-w C:\Documents and Settings\Eigenaar.ELLES\Application Data\setup_nl[1].exe
2007-12-07 02:18 824,832 ----a-w C:\WINDOWS\system32\wininet.dll
2007-12-04 18:42 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
2004-06-18 10:05 45,056 ------w C:\WINDOWS\inf\Slntinst.exe
2003-08-22 10:09 45,056 ----a-w C:\WINDOWS\inf\slntinst_staticW2k.exe
2002-07-26 11:22 60 ----a-w C:\Program Files\StopZillaKey.txt
2002-07-26 10:56 5,835,054 ----a-w C:\Program Files\STOPzillaALL.exe
2005-06-08 12:09 32 --sha-w C:\WINDOWS\{9E7FE2AE-715A-410C-9E1E-23F81B6CB816}.dat
.

((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00 15360]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 11:54 5674352]
"Spyware Doctor"="C:\Program Files\Spyware Doctor\swdoctor.exe" [2005-05-26 08:52 1506544]
"LifeCU"="C:\WINDOWS\system32\BastaYa.exe" [ ]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe" [2006-07-26 03:03 49263]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 16:04 52736]
"HPHUPD05"="c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [2003-08-21 03:23 49152]
"HPHmon05"="C:\WINDOWS\System32\hphmon05.exe" [2003-08-21 03:18 483328]
"WinCinemaMgr"="C:\Program Files\InterVideo\Common\bin\WinCinemaMgr.exe" [2003-09-16 17:01 184320]
"Home Theater SchSvr"="C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe" [2003-11-24 17:40 155648]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2003-11-03 16:50 221184]
"VTTimer"="VTTimer.exe" []
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 23:24 28672 C:\WINDOWS\system32\Ati2mdxx.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-11-25 20:10 335872]
"Sunkist2k"="C:\Program Files\Multimedia Card Reader\shwicon2k.exe" [2003-10-29 11:17 135168]
"AlcxMonitor"="ALCXMNTR.EXE" [2003-04-03 20:35 50176 C:\WINDOWS\ALCXMNTR.EXE]
"PS2"="C:\WINDOWS\system32\ps2.exe" [ ]
"Motive SmartBridge"="C:\PROGRA~1\CASEMA~1\SMARTB~1\MotiveSB.exe" [2006-11-17 12:36 438359]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 13:00 110592 C:\WINDOWS\system32\bthprops.cpl]
"BTUSRBDG"="BtUsrBdg.exe" [2003-11-05 22:21 53248 C:\WINDOWS\system32\BtUsrBdg.exe]
"BTSETBOOTKEY"="BTSetBootKey.exe" [2003-04-15 10:48 36864 C:\WINDOWS\system32\BTSetBootKey.exe]
"Ulead AutoDetector"="C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe" [2003-05-13 15:39 45056]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-02-01 23:58 385024]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-02-23 15:35 579072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-02-23 15:33 219136]

C:\Documents and Settings\Eigenaar.ELLES\Menu Start\Programma's\Opstarten\
Microsoft Office Snelzoeken.lnk - C:\Program Files\Microsoft Office\Office\FINDFAST.EXE [1997-02-19 111376]
Office Opstarten.lnk - C:\Program Files\Microsoft Office\Office\OSA.EXE [1997-02-19 51984]

C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\
Casema SnelHelp.lnk - C:\Program Files\Casema SnelHelp\bin\matcli.exe [2006-11-16 23:16:02 217088]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 23:23:26 282624]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04 83360]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"= %windir%\\system32\\sessmgr.exe:@xpsp2res.dll,-22019
"C:\\Program Files\\MSN Messenger\\msncall.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=

R3 Cap7134;ASUS TV7134 WDM Video Capture;C:\WINDOWS\system32\DRIVERS\Cap7134.sys [2003-05-09 10:16]
R3 PhTVTune;ASUS WDM TV Tuner;C:\WINDOWS\system32\DRIVERS\PhTVTune.sys [2003-04-28 22:33]
R3 RTL8187B;Wireless Network USB Adapter 54g WL-168v1.004;C:\WINDOWS\system32\DRIVERS\RTL8187B.sys [2007-07-18 16:40]
R3 vad_multi;Windigo Virtual Audio Device (WDM);C:\WINDOWS\system32\drivers\vadmulti.sys [2003-11-05 11:53]
S3 CSRBC01;%CSRBC01.SvcDesc%;C:\WINDOWS\system32\Drivers\csrbc01.sys [2003-10-29 19:52]
S3 ss_bus;SAMSUNG Mobile USB Device 1.0 driver (WDM);C:\WINDOWS\system32\DRIVERS\ss_bus.sys [2005-08-30 16:57]
S3 ss_mdfl;SAMSUNG Mobile USB Modem 1.0 Filter;C:\WINDOWS\system32\DRIVERS\ss_mdfl.sys [2005-08-30 16:58]
S3 ss_mdm;SAMSUNG Mobile USB Modem 1.0 Drivers;C:\WINDOWS\system32\DRIVERS\ss_mdm.sys [2005-08-30 16:59]

.
Inhoud van de 'Gedeelde Taken' map
"2008-02-01 23:09:08 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-23 20:26:26
Windows 5.1.2600 Service Pack 2 NTFS

scannen van verborgen processen ...

scannen van verborgen autostart items ...

scannen van verborgen bestanden ...

Scan succesvol afgerond
verborgen bestanden: 0

**************************************************************************
.
Voltooingstijd: 2008-02-23 20:27:01
ComboFix-quarantined-files.txt 2008-02-23 19:26:53
ComboFix2.txt 2008-02-23 15:14:52
ComboFix3.txt 2008-02-23 14:46:59
.
2008-02-13 10:14:26 --- E O F ---

and HijackThis!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:27:45, on 23-2-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\InterVideo\Common\bin\WinCinemaMgr.exe
C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\PROGRA~1\CASEMA~1\SMARTB~1\MotiveSB.exe
C:\WINDOWS\system32\BTSetBootKey.exe
C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Casema SnelHelp\bin\mpbtn.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\Extended Systems\XTNDConnect Blue Manager\XTNDConnect Blue Manager\XCBluMgr.exe
C:\PROGRA~1\EXTEND~1\XTNDCO~1\XTNDCO~1\SUSHIM~1.EXE
C:\Program Files\Extended Systems\XTNDConnect Blue Manager\btprot.exe
C:\PROGRA~1\EXTEND~1\XTNDCO~1\XTNDCO~1\BTUI_M~1.EXE
C:\Program Files\Java\jre1.5.0_08\bin\jucheck.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
F:\Thuis\Programma's\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.nl/0SEN...S01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [WinCinemaMgr] "C:\Program Files\InterVideo\Common\bin\WinCinemaMgr.exe"
O4 - HKLM\..\Run: [Home Theater SchSvr] "C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\CASEMA~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [BTUSRBDG] BtUsrBdg.exe
O4 - HKLM\..\Run: [BTSETBOOTKEY] BTSetBootKey.exe
O4 - HKLM\..\Run: [Ulead AutoDetector] C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [LifeCU] C:\WINDOWS\system32\BastaYa.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Lokale service')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Netwerkservice')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - Startup: Microsoft Office Snelzoeken.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Opstarten.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Casema SnelHelp.lnk = C:\Program Files\Casema SnelHelp\bin\matcli.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.appl...ex/qtplugin.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {34DC6011-88B5-4EA9-BA7A-DC7B4F4437FE} (JordanUploader Class) - http://foto.hema.nl/...ects/jordan.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zon...wn.cab56986.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.co...aploader_v6.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Bonjour-service (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Planner voor Automatische LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 9038 bytes