Windows Security Center spyware won't go away [RESOLVED]


#1 Johnny88 (Member, 27 posts)
Hello,
Since yesterday I've been getting fake Windows Security Center pop-ups etc. There is also a fake icon in the system tray which leads to some fake security center page telling me to download some spyware.

I've tried a lot of programs to get rid of it (Ad-Aware/Spybot/Malwarebytes/SDFix/SmitfraudFix etc.), but so far with no success.

HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:13:53, on 15-5-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
E:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
E:\Program Files\a-squared Free\a2service.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Messenger\msmsgs.exe
E:\Program Files\SpeedFan\speedfan.exe
C:\WINDOWS\system32\wscntfy.exe
E:\Program Files\Mozilla Firefox\firefox.exe
E:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: HDDlife.lnk = E:\Program Files\BinarySense\HDDlife\HDDlifePro.exe
O4 - Startup: Kopie van SpeedFan.lnk = E:\Program Files\SpeedFan\speedfan.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Ontvang alles met FlashGet - K:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Ontvang met FlashGet - K:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Save Flash - res://E:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll/210
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Flash - {43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA} - E:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall....ivex/hcImpl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail....es/MSNPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1159065150921
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemreq.../sysreqlab2.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...160/mcfscan.cab
O20 - Winlogon Notify: aydemscs - C:\WINDOWS\SYSTEM32\aydemscs.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - E:\Program Files\a-squared Free\a2service.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - E:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Ms-java - Unknown owner - C:\WINDOWS\Driver\i386\ms-java.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - E:\Program Files\SiSoftware\SiSoftware Sandra Pro Home 2007\Win32\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - E:\Program Files\SiSoftware\SiSoftware Sandra Pro Home 2007\RpcSandraSrv.exe

--
End of file - 6320 bytes


Uninstall list:

µTorrent
3DMark05
3DMark06
3D-Rijsimulator
3GP Player 2007
Aangifte inkomstenbelasting 2007
ABBYY FineReader 8.0 Professional Edition
AC3Filter (remove only)
Ad-Aware 2007
Ad-Aware SE Professional
Adobe Download Manager 2.0 (alleen verwijderen)
Adobe Flash Player 9 ActiveX
Adobe Flash Player ActiveX
Adobe Flash Player Plugin
Adobe Reader 7.0.8
Adobe Shockwave Player
Advanced GIF Animator 2.23
Advanced RAR Password Recovery (remove only)
a-squared Free 3.5
ASUS Probe V2.25.02
ATITool Overclocking Utility
Battlefield 2™
Battlefield 2: Special Forces
Beveiligingsupdate for Windows Media Player 10 (KB917734)
Beveiligingsupdate for Windows XP (KB941569)
Beveiligingsupdate voor Windows Media Player (KB911564)
Beveiligingsupdate voor Windows Media Player 11 (KB936782)
Beveiligingsupdate voor Windows Media Player 6.4 (KB925398)
Beveiligingsupdate voor Windows XP (KB890046)
Beveiligingsupdate voor Windows XP (KB893756)
Beveiligingsupdate voor Windows XP (KB896358)
Beveiligingsupdate voor Windows XP (KB896423)
Beveiligingsupdate voor Windows XP (KB896424)
Beveiligingsupdate voor Windows XP (KB896428)
Beveiligingsupdate voor Windows XP (KB899587)
Beveiligingsupdate voor Windows XP (KB899591)
Beveiligingsupdate voor Windows XP (KB900725)
Beveiligingsupdate voor Windows XP (KB901017)
Beveiligingsupdate voor Windows XP (KB901214)
Beveiligingsupdate voor Windows XP (KB902400)
Beveiligingsupdate voor Windows XP (KB904706)
Beveiligingsupdate voor Windows XP (KB905414)
Beveiligingsupdate voor Windows XP (KB905749)
Beveiligingsupdate voor Windows XP (KB908519)
Beveiligingsupdate voor Windows XP (KB911562)
Beveiligingsupdate voor Windows XP (KB911567)
Beveiligingsupdate voor Windows XP (KB911927)
Beveiligingsupdate voor Windows XP (KB912919)
Beveiligingsupdate voor Windows XP (KB913433)
Beveiligingsupdate voor Windows XP (KB913580)
Beveiligingsupdate voor Windows XP (KB914388)
Beveiligingsupdate voor Windows XP (KB914389)
Beveiligingsupdate voor Windows XP (KB917159)
Beveiligingsupdate voor Windows XP (KB917344)
Beveiligingsupdate voor Windows XP (KB917422)
Beveiligingsupdate voor Windows XP (KB917953)
Beveiligingsupdate voor Windows XP (KB918118)
Beveiligingsupdate voor Windows XP (KB918439)
Beveiligingsupdate voor Windows XP (KB918899)
Beveiligingsupdate voor Windows XP (KB919007)
Beveiligingsupdate voor Windows XP (KB920213)
Beveiligingsupdate voor Windows XP (KB920214)
Beveiligingsupdate voor Windows XP (KB920670)
Beveiligingsupdate voor Windows XP (KB920683)
Beveiligingsupdate voor Windows XP (KB920685)
Beveiligingsupdate voor Windows XP (KB921398)
Beveiligingsupdate voor Windows XP (KB921883)
Beveiligingsupdate voor Windows XP (KB922616)
Beveiligingsupdate voor Windows XP (KB922819)
Beveiligingsupdate voor Windows XP (KB923191)
Beveiligingsupdate voor Windows XP (KB923414)
Beveiligingsupdate voor Windows XP (KB923980)
Beveiligingsupdate voor Windows XP (KB924270)
Beveiligingsupdate voor Windows XP (KB924496)
Beveiligingsupdate voor Windows XP (KB924667)
Beveiligingsupdate voor Windows XP (KB925902)
Beveiligingsupdate voor Windows XP (KB926255)
Beveiligingsupdate voor Windows XP (KB926436)
Beveiligingsupdate voor Windows XP (KB927779)
Beveiligingsupdate voor Windows XP (KB927802)
Beveiligingsupdate voor Windows XP (KB928255)
Beveiligingsupdate voor Windows XP (KB928843)
Beveiligingsupdate voor Windows XP (KB929123)
Beveiligingsupdate voor Windows XP (KB930178)
Beveiligingsupdate voor Windows XP (KB931261)
Beveiligingsupdate voor Windows XP (KB931784)
Beveiligingsupdate voor Windows XP (KB932168)
Beveiligingsupdate voor Windows XP (KB933729)
Beveiligingsupdate voor Windows XP (KB935839)
Beveiligingsupdate voor Windows XP (KB935840)
Beveiligingsupdate voor Windows XP (KB936021)
Beveiligingsupdate voor Windows XP (KB938127)
Beveiligingsupdate voor Windows XP (KB941202)
Beveiligingsupdate voor Windows XP (KB941568)
Beveiligingsupdate voor Windows XP (KB941644)
Beveiligingsupdate voor Windows XP (KB941693)
Beveiligingsupdate voor Windows XP (KB943055)
Beveiligingsupdate voor Windows XP (KB943460)
Beveiligingsupdate voor Windows XP (KB943485)
Beveiligingsupdate voor Windows XP (KB944338)
Beveiligingsupdate voor Windows XP (KB944653)
Beveiligingsupdate voor Windows XP (KB945553)
Beveiligingsupdate voor Windows XP (KB946026)
Beveiligingsupdate voor Windows XP (KB947864)
Beveiligingsupdate voor Windows XP (KB948590)
Beveiligingsupdate voor Windows XP (KB948881)
Beveiligingsupdate voor Windows XP (KB950749)
BitComet 0.70
BSPlayer
Call of Duty® 4 - Modern Warfare™
Call of Duty® 4 - Modern Warfare™ 1.1 Patch
Call of Duty® 4 - Modern Warfare™ 1.2 Patch
CCleaner (remove only)
COD Serveur 3.0.3
Command & Conquer 3
Command & Conquer Generals
Command & Conquer™ 3: Kane's Wrath
Command and ConquerTM Generals Zero Hour
Corel Paint Shop Pro Photo XI
DivX Codec
DivX Content Uploader
DivX Converter
DivX Player
DivX Web Player
DVD Identifier
eMule
Far Manager v1.70
ffdshow (remove only)
Flash Saving Plugin
FlashFXP v3
Flock (Photobucket Edition) 0.7
Google Earth
Google Toolbar for Internet Explorer
Hamachi 1.0.2.5
HD Tach version 3
HD Tune 2.52
Hijack This 1.99.1
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Format SDK (KB902344)
Hotfix for Windows XP (KB926239)
Java™ SE Runtime Environment 6 Update 1
Just Cause 1.00.0000
K-Lite Mega Codec Pack 1.53
Lavasoft VX2 Cleaner
Lexmark 640 Series
LimeWire PRO 4.17.1
Logitech Gaming Software
Logitech MouseWare 9.80
Malwarebytes' Anti-Malware
MATLAB R2007b
Messenger Plus! Live
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Dutch Language Pack
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0
Microsoft .NET Framework 2.0 Language Pack - NLD
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Office 2003 Proofing Tools
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional Edition 2003
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Windows Vista Upgrade Advisor
mIRC
Mozilla Firefox (2.0.0.13)
MSXML 4.0 SP2 (KB936181)
Need for Speed™ Carbon
NewsBin Pro
Norton PartitionMagic 8.0
NVIDIA Drivers
NVIDIA PureVideo Decoder
OCCT v0.91
Pakket voor de provider van Microsoft Base-smartcardcryptografieservice
PowerDVD
PowerISO
Prime95
PunkBuster Services
QuickTime
RealPlayer
Realtek AC'97 Audio
RivaTuner v2.0 RC 16
Sansa Updater
Security Update voor Microsoft .NET Framework 2.0 (KB917283)
SiSoftware Sandra Pro Home 2007 (Win64/32/CE)
Sony Ericsson W800 Software
SopCast 1.1.2
SopCore 1.1.2
SpeedFan (remove only)
Spybot - Search & Destroy
System Requirements Lab
SysTool Overclocking Utility
TI Connect 1.6
TI NoteFolio Creator
TI-Black Link
TI-Graph Link 83 Plus - Nederland
TopMail
TVAnts 1.0
Uniblue RegistryBooster 2
Update Service
Update voor Windows XP (KB894391)
Update voor Windows XP (KB898461)
Update voor Windows XP (KB900485)
Update voor Windows XP (KB900930)
Update voor Windows XP (KB904942)
Update voor Windows XP (KB908531)
Update voor Windows XP (KB910437)
Update voor Windows XP (KB911280)
Update voor Windows XP (KB916595)
Update voor Windows XP (KB920872)
Update voor Windows XP (KB922582)
Update voor Windows XP (KB927891)
Update voor Windows XP (KB930916)
Update voor Windows XP (KB938828)
Update voor Windows XP (KB942763)
Video Card Stability Test
VideoLAN VLC media player 0.8.5
VobSub v2.23 (Remove Only)
Winamp
Windows Installer 3.1 (KB893803)
Windows Live Messenger
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Format SDK Hotfix - KB891122
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows-stuurprogrammapakket - Advanced Micro Devices (AmdK8) Processor (05/27/2006 1.3.2.0)
WinRAR archiver
WinZip
Xfire (remove only)
Xvid 1.1.2 final uninstall

#2 Johnny88 (Topic Starter, Member, 27 posts)
Deckard log:

Deckard's System Scanner v20071014.68
Run by AK47 on 2008-05-15 12:24:38
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as AK47.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:24:40, on 15-5-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
E:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
E:\Program Files\a-squared Free\a2service.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Messenger\msmsgs.exe
E:\Program Files\SpeedFan\speedfan.exe
E:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\notepad.exe
C:\WINDOWS\system32\NOTEPAD.EXE
D:\Documents and Settings\AK47\Bureaublad\dss(2).exe
E:\PROGRA~1\TRENDM~1\HIJACK~1\AK47.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: HDDlife.lnk = E:\Program Files\BinarySense\HDDlife\HDDlifePro.exe
O4 - Startup: Kopie van SpeedFan.lnk = E:\Program Files\SpeedFan\speedfan.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Ontvang alles met FlashGet - K:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Ontvang met FlashGet - K:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Save Flash - res://E:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll/210
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Flash - {43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA} - E:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall....ivex/hcImpl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail....es/MSNPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1159065150921
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemreq.../sysreqlab2.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...160/mcfscan.cab
O20 - Winlogon Notify: aydemscs - C:\WINDOWS\SYSTEM32\aydemscs.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - E:\Program Files\a-squared Free\a2service.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - E:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - E:\Program Files\SiSoftware\SiSoftware Sandra Pro Home 2007\Win32\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - E:\Program Files\SiSoftware\SiSoftware Sandra Pro Home 2007\RpcSandraSrv.exe

--
End of file - 6367 bytes

-- Files created between 2008-04-15 and 2008-05-15 -----------------------------

2008-05-15 01:53:40 53248 --a------ C:\WINDOWS\PSEXESVC.EXE <Not Verified; Sysinternals; Sysinternals PsExec>
2008-05-15 01:16:18 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-05-15 01:16:18 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
2008-05-15 01:16:18 86528 --a------ C:\WINDOWS\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-05-15 01:16:18 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-05-15 01:16:18 53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2008-05-15 01:16:18 82944 --a------ C:\WINDOWS\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-05-15 01:16:18 51200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-05-15 01:16:18 82944 --a------ C:\WINDOWS\system32\404Fix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-05-14 10:35:56 68096 --a------ C:\WINDOWS\zip.exe
2008-05-14 10:35:56 49152 --a------ C:\WINDOWS\VFind.exe
2008-05-14 10:35:56 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-05-14 10:35:56 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-05-14 10:35:56 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-05-14 10:35:56 98816 --a------ C:\WINDOWS\sed.exe
2008-05-14 10:35:56 80412 --a------ C:\WINDOWS\grep.exe
2008-05-14 10:35:56 73728 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-05-14 01:31:23 0 d-------- C:\Program Files\MSXML 4.0
2008-05-14 01:14:05 0 d-------- C:\WINDOWS\ERUNT
2008-05-14 00:21:56 0 d-------- D:\Deckard
2008-05-14 00:08:51 1428 --a------ D:\sageset2005.reg
2008-05-13 23:24:23 0 d-------- D:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-13 22:15:56 0 d-------- C:\Program Files\Enigma Software Group
2008-05-13 21:35:39 0 d-------- D:\Documents and Settings\Administrator\Application Data\Macromedia
2008-05-13 21:29:53 0 d-------- D:\Documents and Settings\Administrator\Application Data\Mozilla
2008-05-13 21:27:16 0 d-------- D:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-05-13 19:33:37 0 d-------- D:\Documents and Settings\AK47\Application Data\Malwarebytes
2008-05-13 19:33:29 0 d-------- D:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-13 19:29:04 0 d-------- D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-13 19:17:20 818420 --a------ C:\WINDOWS\system32\RVAXO.bat
2008-05-13 19:17:20 69632 --a------ C:\WINDOWS\system32\remove.exe
2008-05-13 19:17:20 7048 --a------ C:\WINDOWS\system32\fixp.bat
2008-05-13 18:27:22 249856 --a------ C:\WINDOWS\system32\aydemscs.dll
2008-05-13 18:02:57 928 --a------ C:\WINDOWS\system32\tmp.reg
2008-05-13 18:00:51 0 dr------- D:\Documents and Settings\NetworkService.NT AUTHORITY\Favorieten
2008-05-13 17:52:07 0 d-------- D:\ErdUndoCache
2008-05-13 16:24:32 0 d-------- D:\Documents and Settings\Administrator\Application Data\Adobe
2008-05-13 16:18:29 1 --a------ C:\WINDOWS\system32\ds.dat
2008-05-13 16:07:01 0 d--h----- D:\Documents and Settings\LocalService.NT AUTHORITY\NetHood
2008-05-13 16:07:01 0 dr------- D:\Documents and Settings\LocalService.NT AUTHORITY\Mijn documenten
2008-05-13 16:06:59 0 dr-h----- D:\Documents and Settings\LocalService.NT AUTHORITY\Onlangs geopend
2008-05-13 16:06:57 0 d-------- D:\Documents and Settings\LocalService.NT AUTHORITY\Bureaublad
2008-05-13 16:06:51 11776 --a------ C:\WINDOWS\system32\luwu534.exe
2008-05-13 16:02:01 0 d-------- D:\Documents and Settings\LocalService.NT AUTHORITY\Application Data\Macromedia
2008-05-13 16:02:01 0 d-------- D:\Documents and Settings\LocalService.NT AUTHORITY\Application Data\Adobe
2008-05-13 15:58:20 0 dr------- D:\Documents and Settings\LocalService.NT AUTHORITY\Favorieten
2008-05-13 15:58:19 0 d-------- D:\Documents and Settings\LocalService.NT AUTHORITY\Menu Start
2008-05-13 15:58:00 0 d-------- D:\Documents and Settings\All Users\Application Data\czkbqpsv
2008-05-13 15:07:32 9216 --a------ C:\WINDOWS\system32\luwu615.exe
2008-05-13 15:07:20 11776 --a------ C:\WINDOWS\system32\luwu563.exe
2008-05-12 21:35:02 0 d-------- D:\Documents and Settings\Reserve\Application Data\Macromedia
2008-05-12 21:35:02 0 d-------- D:\Documents and Settings\Reserve\Application Data\Adobe
2008-05-12 21:34:58 0 d-------- D:\Documents and Settings\Reserve\Application Data\Google
2008-05-12 21:34:13 0 d-------- D:\Documents and Settings\Reserve\Application Data\Real
2008-05-12 21:34:02 0 d-------- D:\Documents and Settings\Reserve\Application Data\Identities
2008-05-12 21:33:51 0 dr------- D:\Documents and Settings\Reserve\Favorieten
2008-05-12 21:33:51 0 d---s---- D:\Documents and Settings\Reserve\Cookies
2008-05-12 21:33:51 0 d-------- D:\Documents and Settings\Reserve\Bureaublad
2008-05-12 21:33:51 0 dr-h----- D:\Documents and Settings\Reserve\Application Data
2008-05-12 21:33:51 0 d---s---- D:\Documents and Settings\Reserve\Application Data\Microsoft
2008-05-12 21:33:50 0 d--h----- D:\Documents and Settings\Reserve\Sjablonen
2008-05-12 21:33:50 0 dr-h----- D:\Documents and Settings\Reserve\SendTo
2008-05-12 21:33:50 0 dr-h----- D:\Documents and Settings\Reserve\Onlangs geopend
2008-05-12 21:33:50 786432 --ah----- D:\Documents and Settings\Reserve\NTUSER.DAT
2008-05-12 21:33:50 0 d--h----- D:\Documents and Settings\Reserve\Netwerkprinteromgeving
2008-05-12 21:33:50 0 d--h----- D:\Documents and Settings\Reserve\NetHood
2008-05-12 21:33:50 0 dr------- D:\Documents and Settings\Reserve\Mijn documenten
2008-05-12 21:33:50 0 dr------- D:\Documents and Settings\Reserve\Menu Start
2008-05-12 21:33:50 0 d--h----- D:\Documents and Settings\Reserve\Local Settings
2008-05-11 14:50:42 0 d-------- C:\Program Files\Common Files\NVIDIA Shared
2008-05-11 02:25:07 0 d-------- D:\Documents and Settings\AK47\Application Data\FreeStone Group
2008-05-11 00:29:56 0 d-------- D:\Documents and Settings\AK47\Application Data\Command & Conquer 3 Kane's Wrath
2008-05-11 00:17:21 0 dr-h----- D:\Documents and Settings\AK47\Application Data\SecuROM
2008-05-06 01:02:47 0 d-------- D:\Documents and Settings\AK47\Application Data\Hamachi
2008-05-04 02:06:49 975 --a------ C:\WINDOWS\eReg.dat


-- Find3M Report ---------------------------------------------------------------

2008-05-13 23:28:01 0 d-------- D:\Documents and Settings\AK47\Application Data\uTorrent
2008-05-13 23:23:55 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-13 12:31:11 0 d-------- D:\Documents and Settings\AK47\Application Data\Corel
2008-05-12 20:24:09 0 d-------- D:\Documents and Settings\AK47\Application Data\LimeWire
2008-05-11 16:13:46 465612 --a------ C:\WINDOWS\system32\perfh013.dat
2008-05-11 16:13:46 81146 --a------ C:\WINDOWS\system32\perfc013.dat
2008-05-11 14:50:42 0 d-------- C:\Program Files\Common Files
2008-05-11 14:50:41 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-05-11 14:50:40 0 d-------- C:\Program Files\Common Files\InstallShield
2008-05-10 18:24:59 0 d-------- D:\Documents and Settings\AK47\Application Data\SopCast
2008-05-02 15:55:53 2880 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2008-04-30 13:28:29 0 d-------- D:\Documents and Settings\AK47\Application Data\Xfire
2008-04-19 20:11:02 0 d-------- D:\Documents and Settings\AK47\Application Data\Adobe
2008-03-27 23:19:45 0 d-------- D:\Documents and Settings\AK47\Application Data\Uniblue


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [11-08-2006 21:43]
"NVMixerTray"="C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" []
"nwiz"="nwiz.exe" [11-08-2006 21:43 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="NvMCTray.dll" [11-08-2006 21:43 C:\WINDOWS\system32\nvmctray.dll]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" []
"Logitech Utility"="Logi_MwX.Exe" [11-12-2003 09:50 C:\WINDOWS\LOGI_MWX.EXE]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [10-06-2007 21:16]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [13-10-2004 18:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04-08-2004 01:03]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)
"DisableRegistryTools"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\aydemscs]
aydemscs.dll 13-05-2008 18:27 249856 C:\WINDOWS\system32\aydemscs.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Hns85.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lrx06.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Xej73.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"E:\Program Files\QuickTime\qttask.exe" -atboottime




-- End of Deckard's System Scanner: finished at 2008-05-15 12:24:59 ------------

#3
Johnny88

    Member

  • Topic Starter
  • Member
  • 27 posts
Combofix log:

ComboFix 08-05-12.1 - AK47 2008-05-15 14:09:03.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1043.18.1539 [GMT 2:00]
Gestart vanuit: D:\Documents and Settings\AK47\Bureaublad\ComboFix.exe

WAARSCHUWING - DE RECOVERY CONSOLE IS NIET OP DIT SYSTEEM GEINSTALLEERD !!
.

(((((((((((((((((((( Bestanden Gemaakt van 2008-04-15 to 2008-05-15 ))))))))))))))))))))))))))))))
.

2008-05-15 13:50 . 2008-05-15 13:50 <DIR> d-------- C:\Program Files\Panda Security
2008-05-15 13:49 . 2008-05-15 13:49 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-15 13:49 . 2008-05-15 13:49 <DIR> d-------- D:\Documents and Settings\AK47\Application Data\SUPERAntiSpyware.com
2008-05-15 01:47 . 2008-05-15 01:47 <DIR> d-------- C:\VundoFix Backups
2008-05-15 01:16 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-05-15 01:16 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-05-15 01:16 . 2008-04-24 08:10 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-05-15 01:16 . 2008-04-28 08:03 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-05-15 01:16 . 2008-04-28 08:03 82,944 --a------ C:\WINDOWS\system32\404Fix.exe
2008-05-15 01:16 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-05-15 01:16 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-05-15 01:16 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-05-14 01:31 . 2008-05-14 01:31 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-05-14 01:14 . 2008-05-14 01:14 <DIR> d-------- C:\WINDOWS\ERUNT
2008-05-14 00:39 . 2008-05-14 00:40 135,168 --a------ C:\zip.exe
2008-05-14 00:39 . 2008-05-14 00:40 19,286 --a------ C:\cleanup.exe
2008-05-14 00:39 . 2008-05-14 00:40 574 --a------ C:\cleanup.bat
2008-05-14 00:16 . 2008-05-14 01:12 <DIR> d-------- C:\RVAXO
2008-05-13 23:24 . 2008-05-13 23:24 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-13 22:15 . 2008-05-13 22:28 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-05-13 21:47 . 2007-07-30 19:19 38,232 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-05-13 21:47 . 2007-07-30 19:20 30,040 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-05-13 21:47 . 2007-07-30 19:20 30,040 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-05-13 21:47 . 2007-07-30 19:18 20,824 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-05-13 21:27 . 2008-05-13 21:27 <DIR> d-------- D:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-05-13 20:12 . 2008-05-13 20:45 687 --a------ C:\WINDOWS\wininit.iniRVAXO
2008-05-13 19:33 . 2008-05-13 19:33 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-13 19:33 . 2008-05-13 19:33 <DIR> d-------- D:\Documents and Settings\AK47\Application Data\Malwarebytes
2008-05-13 19:33 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-13 19:33 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-13 19:29 . 2008-05-13 20:17 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-13 19:17 . 2008-05-10 12:18 818,420 --a------ C:\WINDOWS\system32\RVAXO.bat
2008-05-13 19:17 . 2001-10-01 14:51 69,632 --a------ C:\WINDOWS\system32\remove.exe
2008-05-13 19:17 . 2007-12-13 16:46 7,048 --a------ C:\WINDOWS\system32\fixp.bat
2008-05-13 19:00 . 2008-05-13 19:00 <DIR> d-------- C:\tool
2008-05-13 18:27 . 2008-05-13 18:27 249,856 --a------ C:\WINDOWS\system32\aydemscs.dll
2008-05-13 18:02 . 2008-05-15 01:16 928 --a------ C:\WINDOWS\system32\tmp.reg
2008-05-13 18:00 . 2008-05-13 18:00 <DIR> dr------- D:\Documents and Settings\NetworkService.NT AUTHORITY\Favorieten
2008-05-13 17:57 . 2004-08-04 01:03 1,035,776 -r-h----- C:\WINDOWS\system32\win_2tf.exe
2008-05-13 17:52 . 2007-06-13 15:24 1,036,800 --a--c--- C:\WINDOWS\system32\dllcache\explorer.exe
2008-05-13 17:52 . 2004-08-04 01:03 504,832 --a--c--- C:\WINDOWS\system32\dllcache\winlogon.exe
2008-05-13 17:52 . 2004-08-04 01:03 108,544 --a--c--- C:\WINDOWS\system32\dllcache\services.exe
2008-05-13 17:52 . 2005-06-11 01:53 57,856 --a--c--- C:\WINDOWS\system32\dllcache\spoolsv.exe
2008-05-13 17:52 . 2004-08-04 01:03 13,312 --a--c--- C:\WINDOWS\system32\dllcache\lsass.exe
2008-05-13 17:51 . 2008-05-13 17:52 <DIR> d--h----- C:\ErdUndoCache
2008-05-13 17:49 . 2008-05-13 17:50 <DIR> d-------- C:\~ErdUserProfile.$$$
2008-05-13 16:19 . 2008-05-13 16:19 29 --a------ C:\WINDOWS\system32\fqwyiash.tmp
2008-05-13 16:18 . 2008-05-13 17:55 1 --a------ C:\WINDOWS\system32\ds.dat
2008-05-13 16:07 . 2008-05-13 16:07 <DIR> dr------- D:\Documents and Settings\LocalService.NT AUTHORITY\Mijn documenten
2008-05-13 16:06 . 2008-05-13 16:07 <DIR> dr-h----- D:\Documents and Settings\LocalService.NT AUTHORITY\Onlangs geopend
2008-05-13 16:06 . 2008-05-13 16:06 <DIR> d-------- D:\Documents and Settings\LocalService.NT AUTHORITY\Bureaublad
2008-05-13 15:58 . 2008-05-13 15:58 <DIR> d-------- D:\Documents and Settings\LocalService.NT AUTHORITY\Menu Start
2008-05-13 15:58 . 2008-05-13 16:07 <DIR> dr------- D:\Documents and Settings\LocalService.NT AUTHORITY\Favorieten
2008-05-13 15:58 . 2008-05-13 21:23 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\czkbqpsv
2008-05-13 15:57 . 2008-05-13 22:32 12,288 --------- C:\WINDOWS\system32\WinwwdsNt32ssss.dlla
2008-05-13 15:07 . 2008-05-13 16:07 1 --a------ C:\WINDOWS\system32\wsbkom.tmp
2008-05-12 21:34 . 2004-08-04 01:03 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-05-12 21:33 . 2006-09-24 05:56 <DIR> d--h----- D:\Documents and Settings\Reserve\Sjablonen
2008-05-12 21:33 . 2008-05-12 21:34 <DIR> dr-h----- D:\Documents and Settings\Reserve\Onlangs geopend
2008-05-12 21:33 . 2006-09-24 05:56 <DIR> d--h----- D:\Documents and Settings\Reserve\Netwerkprinteromgeving
2008-05-12 21:33 . 2008-05-12 21:34 <DIR> dr------- D:\Documents and Settings\Reserve\Mijn documenten
2008-05-12 21:33 . 2006-09-24 05:56 <DIR> dr------- D:\Documents and Settings\Reserve\Menu Start
2008-05-12 21:33 . 2008-05-12 21:34 <DIR> dr------- D:\Documents and Settings\Reserve\Favorieten
2008-05-12 21:33 . 2006-11-07 18:16 <DIR> d-------- D:\Documents and Settings\Reserve\Bureaublad
2008-05-12 21:33 . 2008-05-12 21:33 <DIR> d-------- D:\Documents and Settings\Reserve
2008-05-12 21:33 . 2008-05-15 00:58 1,024 --ah----- D:\Documents and Settings\Reserve\ntuser.dat.LOG
2008-05-11 15:33 . 2006-01-23 11:51 466,944 --a------ C:\WINDOWS\system32\CapabilityTable.exe
2008-05-11 15:32 . 2006-04-14 14:00 208,896 --a------ C:\WINDOWS\system32\nvusmb.exe
2008-05-11 15:32 . 2006-04-14 14:00 208,896 --a------ C:\WINDOWS\system32\nvunrm.exe
2008-05-11 15:32 . 2006-04-14 20:08 101,888 --a------ C:\WINDOWS\system32\drivers\nvtcp.sys
2008-05-11 15:32 . 2006-02-20 13:00 3,903 --a------ C:\WINDOWS\system32\nvnrm.nvu
2008-05-11 15:32 . 2005-12-08 12:06 1,864 --a------ C:\WINDOWS\system32\nvsmb.nvu
2008-05-11 14:50 . 2008-05-11 14:50 <DIR> d-------- C:\Program Files\Common Files\NVIDIA Shared
2008-05-11 02:25 . 2008-05-11 02:25 <DIR> d-------- D:\Documents and Settings\AK47\Application Data\FreeStone Group
2008-05-11 00:29 . 2008-05-11 00:29 <DIR> d-------- D:\Documents and Settings\AK47\Application Data\Command & Conquer 3 Kane's Wrath
2008-05-11 00:28 . 2007-10-12 15:14 3,734,536 --a------ C:\WINDOWS\system32\d3dx9_36.dll
2008-05-11 00:28 . 2007-10-12 15:14 1,374,232 --a------ C:\WINDOWS\system32\D3DCompiler_36.dll
2008-05-11 00:28 . 2007-10-02 09:56 444,776 --a------ C:\WINDOWS\system32\d3dx10_36.dll
2008-05-11 00:28 . 2007-10-22 03:39 267,272 --a------ C:\WINDOWS\system32\xactengine2_10.dll
2008-05-11 00:17 . 2008-05-11 00:17 <DIR> dr-h----- D:\Documents and Settings\AK47\Application Data\SecuROM
2008-05-11 00:15 . 2006-11-29 13:06 3,426,072 --a------ C:\WINDOWS\system32\d3dx9_32.dll
2008-05-06 01:02 . 2008-05-11 02:06 <DIR> d-------- D:\Documents and Settings\AK47\Application Data\Hamachi
2008-05-06 01:02 . 2008-05-06 01:02 25,280 --a------ C:\WINDOWS\system32\drivers\hamachi.sys
2008-05-04 02:06 . 2008-05-04 02:11 975 --a------ C:\WINDOWS\eReg.dat
2008-04-27 10:57 . 2008-05-13 12:25 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-27 10:57 . 2008-04-27 10:57 1,409 --a------ C:\WINDOWS\QTFont.for

.
((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-15 11:49 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-05-13 21:32 --------- d---a-w D:\Documents and Settings\All Users\Application Data\TEMP
2008-05-13 21:28 --------- d-----w D:\Documents and Settings\AK47\Application Data\uTorrent
2008-05-13 18:12 14,336 ----a-w C:\WINDOWS\system32\svchost.exe
2008-05-13 10:31 --------- d-----w D:\Documents and Settings\AK47\Application Data\Corel
2008-05-12 18:24 --------- d-----w D:\Documents and Settings\AK47\Application Data\LimeWire
2008-05-11 12:50 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-11 12:50 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-05-10 16:24 --------- d-----w D:\Documents and Settings\AK47\Application Data\SopCast
2008-05-02 13:55 2,880 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2008-04-30 11:28 --------- d-----w D:\Documents and Settings\AK47\Application Data\Xfire
2008-03-31 15:56 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-03-31 15:56 107,832 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2008-03-27 21:19 --------- d-----w D:\Documents and Settings\AK47\Application Data\Uniblue
2008-03-25 04:51 621,344 ----a-w C:\WINDOWS\system32\mswstr10.dll
2008-03-25 04:51 183,072 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-20 08:10 1,845,376 ----a-w C:\WINDOWS\system32\win32k.sys
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:39 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-16 09:05 662,528 ----a-w C:\WINDOWS\system32\wininet.dll
2007-11-22 20:42 22,328 ----a-w D:\Documents and Settings\AK47\Application Data\PnkBstrK.sys
2006-10-01 13:07 88 --sh--r C:\WINDOWS\system32\825135B91D.sys
.

((((((((((((((((((((((((((((( [email protected]_10.38.27,84 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-14 08:30:04 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-15 12:04:22 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-05-14 08:13:55 794,624 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\ntuser.dat
+ 2008-05-14 23:30:12 9,834,496 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\ntuser.dat
- 2008-05-14 08:13:55 8,192 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-05-14 23:30:12 241,664 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-05-15 11:49:35 18,944 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2008-05-15 11:49:35 65,024 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
+ 2008-05-15 11:50:23 2,546 ----a-w C:\WINDOWS\mozver.dat
.
((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-06-10 21:16 5674352]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 18:24 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:03 15360]
"SUPERAntiSpyware"="E:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-29 16:03 1481968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-08-11 21:43 7630848]
"NVMixerTray"="C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [ ]
"nwiz"="nwiz.exe" [2006-08-11 21:43 1519616 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="NvMCTray.dll" [2006-08-11 21:43 86016 C:\WINDOWS\system32\nvmctray.dll]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [ ]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-11 09:50 20992 C:\WINDOWS\LOGI_MWX.EXE]

D:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\
Adobe Reader Speed Launch.lnk - E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= E:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
E:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 E:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\aydemscs]
aydemscs.dll 2008-05-13 18:27 249856 C:\WINDOWS\system32\aydemscs.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= E:\Program Files\ffdshow\ffdshow.ax
"VIDC.XFR1"= xfcodec.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Hns85.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lrx06.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Xej73.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-09-01 15:57 282624 E:\Program Files\QuickTime\qttask.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"F:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"E:\\Program Files\\uTorrent\\utorrent.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
"C:\\WINDOWS\\system32\\PnkBstrB.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"12012:TCP"= 12012:TCP:BitComet 12012 TCP
"12012:UDP"= 12012:UDP:BitComet 12012 UDP
"4662:TCP"= 4662:TCP:BitComet 4662 TCP
"4662:UDP"= 4662:UDP:BitComet 4662 UDP

R0 sfsync03;StarForce Protection Synchronization Driver (version 3.x);C:\WINDOWS\system32\drivers\sfsync03.sys [2005-12-06 17:11]
R1 SysTool;SysTool Overclocking Utility;C:\WINDOWS\system32\DRIVERS\SysTool.sys [2006-10-10 14:06]
R2 TICalc;TICalc;C:\WINDOWS\system32\drivers\TICalc.sys [1999-08-30 14:51]
S0 bmolbc;bmolbc;C:\WINDOWS\system32\drivers\qhwpeed.sys []
S0 xxfg;xxfg;C:\WINDOWS\system32\drivers\xythpn.sys []
S3 CrystalCpuInfo;CrystalCpuInfo;E:\Program Files\OCCT\CpuInfo.sys [2003-11-25 07:50]
S3 iteio;iteio;C:\WINDOWS\system32\drivers\iteio.sys []
S3 TCCrystalCpuInfo;TCCrystalCpuInfo;D:\DOCUME~1\AK47\LOCALS~1\Temp\TCCpuInfo.sys []
S4 Ms-java;Ms-java;C:\WINDOWS\Driver\i386\ms-java.exe []

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-15 14:10:54
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwEnumerateKey, ZwEnumerateValueKey, ZwQueryDirectoryFile, ZwQuerySystemInformation

scannen van verborgen processen ...

C:\WINDOWS\system32\.ac6eec15\ac6eec15.exe [196] 0x88D2F578

scannen van verborgen autostart items ...

scannen van verborgen bestanden ...


D:\DOCUME~1\AK47\LOCALS~1\Temp\tmp7.tmp.ac6eec15.tmp 249856 bytes executable
C:\WINDOWS\TEMP\tmp9.tmp.ac6eec15.tmp 249856 bytes executable

Scan succesvol afgerond
verborgen bestanden: 2

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\ac6eec15]
"ImagePath"="C:\WINDOWS\system32\.ac6eec15\ac6eec15.exe"
.
--------------------- DLLs Geladen Onder Lopende Processen ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\aydemscs.dll
.
Voltooingstijd: 2008-05-15 14:12:28
ComboFix-quarantined-files.txt 2008-05-15 12:11:48
ComboFix2.txt 2008-05-14 23:54:56
ComboFix3.txt 2008-05-14 08:39:11

Pre-Run: 4,933,541,888 bytes beschikbaar
Post-Run: 4,923,498,496 bytes beschikbaar

221 --- E O F --- 2008-05-13 23:34:43

#4
Johnny88

    Member

  • Topic Starter
  • Member
  • 27 posts
Could somebody please help me ASAP, as I'm getting reboots now as well, every half hour or something: a counter starts and reboots my system after one minute (NT AUTHORITY/SYSTEM thingy).

I know that 'bumping' is not allowed but I really am in a hurry as I constantly need to save my work for school to prevent data loss.

#5
Johnny88

    Member

  • Topic Starter
  • Member
  • 27 posts
...got a little impatient and tried to be creative by reading topics of people with the same problem, with success. :)

Ran Combofix first, rebooted. Read the log, made the following file:

File::
C:\WINDOWS\system32\aydemscs.dll
D:\DOCUME~1\AK47\LOCALS~1\Temp\tmp7.tmp.ac6eec15.tmp
C:\WINDOWS\TEMP\tmp9.tmp.ac6eec15.tmp

Folder::
C:\WINDOWS\system32\.ac6eec15\

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\aydemscs]
[-HKEY_LOCAL_MACHINE\system\ControlSet001\Services\ac6eec15]

Renamed it to CFScript and dragged it onto combofix.exe.

Everything works fine now and aydemscs.dll is not showing up in the HJT log either, but is there any way to be sure that my system is totally clean of this virus now?

#6
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
You are living dangerously by using a CFScript on your system when it was designed for someone else. This time you were lucky and did not crash your system; next time you may not be. I will take this one, but I will need a fresh look at your system, plus an update on your symptoms. Please do not run any more programmes whilst I am helping you.

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.


#7
Johnny88

    Member

  • Topic Starter
  • Member
  • 27 posts
Hello, thank you for helping me out.

Well, actually I did not copy the whole script but rather changed it, as the file names/folders etc. were different in my log. I do understand it could have gone wrong, but it was really driving me crazy and I had to do something about it.

Anyways, here is the requested log; there was no 'extra.txt' log for some reason, only the main.txt one:

Deckard's System Scanner v20071014.68
Run by AK47 on 2008-05-16 21:14:28
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as AK47.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:14:29, on 16-5-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
E:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
E:\Program Files\SpeedFan\speedfan.exe
C:\Program Files\MSN Messenger\usnsvc.exe
D:\Documents and Settings\AK47\Bureaublad\dss(3).exe
E:\PROGRA~1\TRENDM~1\HIJACK~1\AK47.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/ig
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: HDDlife.lnk = E:\Program Files\BinarySense\HDDlife\HDDlifePro.exe
O4 - Startup: Kopie van SpeedFan.lnk = E:\Program Files\SpeedFan\speedfan.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Ontvang alles met FlashGet - K:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Ontvang met FlashGet - K:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Save Flash - res://E:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll/210
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Flash - {43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA} - E:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall....ivex/hcImpl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail....es/MSNPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1159065150921
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemreq.../sysreqlab2.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...160/mcfscan.cab
O20 - Winlogon Notify: !SASWinLogon - E:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - E:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - E:\Program Files\SiSoftware\SiSoftware Sandra Pro Home 2007\Win32\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - E:\Program Files\SiSoftware\SiSoftware Sandra Pro Home 2007\RpcSandraSrv.exe

--
End of file - 6175 bytes

-- Files created between 2008-04-16 and 2008-05-16 -----------------------------

2008-05-16 01:03:40 0 d-------- D:\Qoobox
2008-05-15 13:50:10 0 d-------- C:\Program Files\Panda Security
2008-05-15 13:49:42 0 d-------- D:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-15 13:49:24 0 d-------- D:\Documents and Settings\AK47\Application Data\SUPERAntiSpyware.com
2008-05-15 01:16:18 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-05-15 01:16:18 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
2008-05-15 01:16:18 86528 --a------ C:\WINDOWS\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-05-15 01:16:18 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-05-15 01:16:18 53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2008-05-15 01:16:18 82944 --a------ C:\WINDOWS\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-05-15 01:16:18 51200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-05-15 01:16:18 82944 --a------ C:\WINDOWS\system32\404Fix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-05-14 10:35:56 68096 --a------ C:\WINDOWS\zip.exe
2008-05-14 10:35:56 49152 --a------ C:\WINDOWS\VFind.exe
2008-05-14 10:35:56 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-05-14 10:35:56 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-05-14 10:35:56 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-05-14 10:35:56 98816 --a------ C:\WINDOWS\sed.exe
2008-05-14 10:35:56 80412 --a------ C:\WINDOWS\grep.exe
2008-05-14 10:35:56 73728 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-05-14 01:31:23 0 d-------- C:\Program Files\MSXML 4.0
2008-05-14 01:14:05 0 d-------- C:\WINDOWS\ERUNT
2008-05-14 00:21:56 0 d-------- D:\Deckard
2008-05-14 00:08:51 1428 --a------ D:\sageset2005.reg
2008-05-13 23:24:23 0 d-------- D:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-13 22:15:56 0 d-------- C:\Program Files\Enigma Software Group
2008-05-13 21:35:39 0 d-------- D:\Documents and Settings\Administrator\Application Data\Macromedia
2008-05-13 21:29:53 0 d-------- D:\Documents and Settings\Administrator\Application Data\Mozilla
2008-05-13 21:27:16 0 d-------- D:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-05-13 19:33:37 0 d-------- D:\Documents and Settings\AK47\Application Data\Malwarebytes
2008-05-13 19:33:29 0 d-------- D:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-13 19:29:04 0 d-------- D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-13 19:17:20 818420 --a------ C:\WINDOWS\system32\RVAXO.bat
2008-05-13 19:17:20 69632 --a------ C:\WINDOWS\system32\remove.exe
2008-05-13 19:17:20 7048 --a------ C:\WINDOWS\system32\fixp.bat
2008-05-13 18:02:57 928 --a------ C:\WINDOWS\system32\tmp.reg
2008-05-13 18:00:51 0 dr------- D:\Documents and Settings\NetworkService.NT AUTHORITY\Favorieten
2008-05-13 17:52:07 0 d-------- D:\ErdUndoCache
2008-05-13 16:24:32 0 d-------- D:\Documents and Settings\Administrator\Application Data\Adobe
2008-05-13 16:18:29 1 --a------ C:\WINDOWS\system32\ds.dat
2008-05-13 16:07:01 0 d--h----- D:\Documents and Settings\LocalService.NT AUTHORITY\NetHood
2008-05-13 16:07:01 0 dr------- D:\Documents and Settings\LocalService.NT AUTHORITY\Mijn documenten
2008-05-13 16:06:59 0 dr-h----- D:\Documents and Settings\LocalService.NT AUTHORITY\Onlangs geopend
2008-05-13 16:06:57 0 d-------- D:\Documents and Settings\LocalService.NT AUTHORITY\Bureaublad
2008-05-13 16:02:01 0 d-------- D:\Documents and Settings\LocalService.NT AUTHORITY\Application Data\Macromedia
2008-05-13 16:02:01 0 d-------- D:\Documents and Settings\LocalService.NT AUTHORITY\Application Data\Adobe
2008-05-13 15:58:20 0 dr------- D:\Documents and Settings\LocalService.NT AUTHORITY\Favorieten
2008-05-13 15:58:19 0 d-------- D:\Documents and Settings\LocalService.NT AUTHORITY\Menu Start
2008-05-13 15:58:00 0 d-------- D:\Documents and Settings\All Users\Application Data\czkbqpsv
2008-05-12 21:35:02 0 d-------- D:\Documents and Settings\Reserve\Application Data\Macromedia
2008-05-12 21:35:02 0 d-------- D:\Documents and Settings\Reserve\Application Data\Adobe
2008-05-12 21:34:58 0 d-------- D:\Documents and Settings\Reserve\Application Data\Google
2008-05-12 21:34:13 0 d-------- D:\Documents and Settings\Reserve\Application Data\Real
2008-05-12 21:34:02 0 d-------- D:\Documents and Settings\Reserve\Application Data\Identities
2008-05-12 21:33:51 0 dr------- D:\Documents and Settings\Reserve\Favorieten
2008-05-12 21:33:51 0 d---s---- D:\Documents and Settings\Reserve\Cookies
2008-05-12 21:33:51 0 d-------- D:\Documents and Settings\Reserve\Bureaublad
2008-05-12 21:33:51 0 dr-h----- D:\Documents and Settings\Reserve\Application Data
2008-05-12 21:33:51 0 d---s---- D:\Documents and Settings\Reserve\Application Data\Microsoft
2008-05-12 21:33:50 0 d--h----- D:\Documents and Settings\Reserve\Sjablonen
2008-05-12 21:33:50 0 dr-h----- D:\Documents and Settings\Reserve\SendTo
2008-05-12 21:33:50 0 dr-h----- D:\Documents and Settings\Reserve\Onlangs geopend
2008-05-12 21:33:50 786432 --ah----- D:\Documents and Settings\Reserve\NTUSER.DAT
2008-05-12 21:33:50 0 d--h----- D:\Documents and Settings\Reserve\Netwerkprinteromgeving
2008-05-12 21:33:50 0 d--h----- D:\Documents and Settings\Reserve\NetHood
2008-05-12 21:33:50 0 dr------- D:\Documents and Settings\Reserve\Mijn documenten
2008-05-12 21:33:50 0 dr------- D:\Documents and Settings\Reserve\Menu Start
2008-05-12 21:33:50 0 d--h----- D:\Documents and Settings\Reserve\Local Settings
2008-05-11 14:50:42 0 d-------- C:\Program Files\Common Files\NVIDIA Shared
2008-05-11 02:25:07 0 d-------- D:\Documents and Settings\AK47\Application Data\FreeStone Group
2008-05-11 00:29:56 0 d-------- D:\Documents and Settings\AK47\Application Data\Command & Conquer 3 Kane's Wrath
2008-05-11 00:17:21 0 dr-h----- D:\Documents and Settings\AK47\Application Data\SecuROM
2008-05-06 01:02:47 0 d-------- D:\Documents and Settings\AK47\Application Data\Hamachi
2008-05-04 02:06:49 975 --a------ C:\WINDOWS\eReg.dat


-- Find3M Report ---------------------------------------------------------------

2008-05-16 21:08:52 0 d-------- D:\Documents and Settings\AK47\Application Data\LimeWire
2008-05-15 14:50:21 471832 --a------ C:\WINDOWS\system32\perfh013.dat
2008-05-15 14:50:21 83226 --a------ C:\WINDOWS\system32\perfc013.dat
2008-05-15 13:50:23 2546 --a------ C:\WINDOWS\mozver.dat
2008-05-15 13:49:02 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-13 23:28:01 0 d-------- D:\Documents and Settings\AK47\Application Data\uTorrent
2008-05-13 12:31:11 0 d-------- D:\Documents and Settings\AK47\Application Data\Corel
2008-05-11 14:50:42 0 d-------- C:\Program Files\Common Files
2008-05-11 14:50:41 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-05-11 14:50:40 0 d-------- C:\Program Files\Common Files\InstallShield
2008-05-10 18:24:59 0 d-------- D:\Documents and Settings\AK47\Application Data\SopCast
2008-05-02 15:55:53 2880 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2008-04-30 13:28:29 0 d-------- D:\Documents and Settings\AK47\Application Data\Xfire
2008-04-19 20:11:02 0 d-------- D:\Documents and Settings\AK47\Application Data\Adobe
2008-03-27 23:19:45 0 d-------- D:\Documents and Settings\AK47\Application Data\Uniblue


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [11-08-2006 21:43]
"NVMixerTray"="C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" []
"nwiz"="nwiz.exe" [11-08-2006 21:43 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="NvMCTray.dll" [11-08-2006 21:43 C:\WINDOWS\system32\nvmctray.dll]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" []
"Logitech Utility"="Logi_MwX.Exe" [11-12-2003 09:50 C:\WINDOWS\LOGI_MWX.EXE]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [10-06-2007 21:16]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [13-10-2004 18:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04-08-2004 01:03]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)
"DisableRegistryTools"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= E:\Program Files\SUPERAntiSpyware\SASSEH.DLL [20-12-2006 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
E:\Program Files\SUPERAntiSpyware\SASWINLO.dll 19-04-2007 12:41 294912 E:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ac6eec15]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Hns85.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lrx06.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Xej73.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"E:\Program Files\QuickTime\qttask.exe" -atboottime




-- End of Deckard's System Scanner: finished at 2008-05-16 21:14:45 ------------

#8
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
OK, let's remove some more, then do a deep scan :)

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

Driver::
bmolbc
xxfg
Ms-java

File::
C:\WINDOWS\system32\RVAXO.bat
C:\WINDOWS\system32\remove.exe
C:\WINDOWS\system32\fixp.bat
C:\WINDOWS\system32\luwu534.exe
C:\WINDOWS\system32\luwu615.exe
C:\WINDOWS\system32\luwu563.exe
C:\WINDOWS\system32\fqwyiash.tmp
C:\WINDOWS\system32\WinwwdsNt32ssss.dlla
C:\WINDOWS\system32\wsbkom.tmp
C:\WINDOWS\system32\wmpns.dll
C:\WINDOWS\system32\aydemscs.dll
C:\WINDOWS\system32\drivers\qhwpeed.sys
C:\WINDOWS\system32\drivers\xythpn.sys
C:\WINDOWS\system32\drivers\iteio.sys
C:\WINDOWS\Driver\i386\ms-java.exe
C:\WINDOWS\system32\.ac6eec15\ac6eec15.exe
D:\DOCUME~1\AK47\LOCALS~1\Temp\tmp7.tmp.ac6eec15.tmp
C:\WINDOWS\TEMP\tmp9.tmp.ac6eec15.tmp

Folder::
D:\Documents and Settings\All Users\Application Data\czkbqpsv
C:\WINDOWS\system32\.ac6eec15

3. Then, in the text file, go to FILE > SAVE AS and in the SAVE AS TYPE dropdown box select ALL FILES

4. Save the above as CFScript.txt

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


6. After the reboot (if it asks to reboot), please post the following reports/logs in your next reply:
  • Combofix.txt
  • A new HijackThis log.

THEN

Download OTScanit to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.
  • Close ALL OTHER PROGRAMS.
  • Open the OTScanit folder and double-click on OTScanit.exe to start the program.
  • Check the box that says Scan All User Accounts
  • Check the Radio buttons for Files/Folders Created Within 90 Days and Files/Folders Modified Within 90 Days
  • Under Additional Scans check the following:
    • Reg - Desktop Components
    • File - Additional Folder Scans
    • File - Purity Scan
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is, click on it to uncheck it.
Please attach the log in your next post.

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on Posted Image to insert the attachment into your post


#9
Johnny88

    Member

  • Topic Starter
  • Member
  • PipPip
  • 27 posts
Hi, here are the logs:

Combofix:

ComboFix 08-05-12.1 - AK47 2008-05-16 22:40:31.6 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1043.18.1700 [GMT 2:00]
Gestart vanuit: D:\Documents and Settings\AK47\Bureaublad\ComboFix.exe
Command switches used :: D:\Documents and Settings\AK47\Bureaublad\CFScript.txt
* Nieuw herstelpunt werd aangemaakt

WAARSCHUWING - DE RECOVERY CONSOLE IS NIET OP DIT SYSTEEM GEINSTALLEERD !!

FILE ::
C:\WINDOWS\Driver\i386\ms-java.exe
C:\WINDOWS\system32\.ac6eec15\ac6eec15.exe
C:\WINDOWS\system32\aydemscs.dll
C:\WINDOWS\system32\drivers\iteio.sys
C:\WINDOWS\system32\drivers\qhwpeed.sys
C:\WINDOWS\system32\drivers\xythpn.sys
C:\WINDOWS\system32\fixp.bat
C:\WINDOWS\system32\fqwyiash.tmp
C:\WINDOWS\system32\luwu534.exe
C:\WINDOWS\system32\luwu563.exe
C:\WINDOWS\system32\luwu615.exe
C:\WINDOWS\system32\remove.exe
C:\WINDOWS\system32\RVAXO.bat
C:\WINDOWS\system32\WinwwdsNt32ssss.dlla
C:\WINDOWS\system32\wmpns.dll
C:\WINDOWS\system32\wsbkom.tmp
C:\WINDOWS\TEMP\tmp9.tmp.ac6eec15.tmp
D:\DOCUME~1\AK47\LOCALS~1\Temp\tmp7.tmp.ac6eec15.tmp
.

(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\WINDOWS\system32\fixp.bat
C:\WINDOWS\system32\fqwyiash.tmp
C:\WINDOWS\system32\remove.exe
C:\WINDOWS\system32\RVAXO.bat
C:\WINDOWS\system32\WinwwdsNt32ssss.dlla
C:\WINDOWS\system32\wmpns.dll
C:\WINDOWS\system32\wsbkom.tmp
D:\Documents and Settings\All Users\Application Data\czkbqpsv

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MS-JAVA
-------\Service_bmolbc
-------\Service_Ms-java
-------\Service_xxfg


(((((((((((((((((((( Bestanden Gemaakt van 2008-04-16 to 2008-05-16 ))))))))))))))))))))))))))))))
.

2008-05-15 13:50 . 2008-05-15 13:50 <DIR> d-------- C:\Program Files\Panda Security
2008-05-15 13:49 . 2008-05-15 13:49 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-15 13:49 . 2008-05-15 13:49 <DIR> d-------- D:\Documents and Settings\AK47\Application Data\SUPERAntiSpyware.com
2008-05-15 01:47 . 2008-05-15 01:47 <DIR> d-------- C:\VundoFix Backups
2008-05-15 01:16 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-05-15 01:16 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-05-15 01:16 . 2008-04-24 08:10 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-05-15 01:16 . 2008-04-28 08:03 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-05-15 01:16 . 2008-04-28 08:03 82,944 --a------ C:\WINDOWS\system32\404Fix.exe
2008-05-15 01:16 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-05-15 01:16 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-05-15 01:16 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-05-14 01:31 . 2008-05-14 01:31 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-05-14 01:14 . 2008-05-14 01:14 <DIR> d-------- C:\WINDOWS\ERUNT
2008-05-14 00:39 . 2008-05-14 00:40 135,168 --a------ C:\zip.exe
2008-05-14 00:39 . 2008-05-14 00:40 19,286 --a------ C:\cleanup.exe
2008-05-14 00:39 . 2008-05-14 00:40 574 --a------ C:\cleanup.bat
2008-05-14 00:16 . 2008-05-14 01:12 <DIR> d-------- C:\RVAXO
2008-05-13 23:24 . 2008-05-13 23:24 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-13 22:15 . 2008-05-13 22:28 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-05-13 21:47 . 2007-07-30 19:19 38,232 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-05-13 21:47 . 2007-07-30 19:20 30,040 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-05-13 21:47 . 2007-07-30 19:20 30,040 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-05-13 21:47 . 2007-07-30 19:18 20,824 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-05-13 21:27 . 2008-05-13 21:27 <DIR> d-------- D:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-05-13 20:12 . 2008-05-13 20:45 687 --a------ C:\WINDOWS\wininit.iniRVAXO
2008-05-13 19:33 . 2008-05-13 19:33 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-13 19:33 . 2008-05-13 19:33 <DIR> d-------- D:\Documents and Settings\AK47\Application Data\Malwarebytes
2008-05-13 19:33 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-13 19:33 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-13 19:29 . 2008-05-13 20:17 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-13 19:00 . 2008-05-13 19:00 <DIR> d-------- C:\tool
2008-05-13 18:02 . 2008-05-15 01:16 928 --a------ C:\WINDOWS\system32\tmp.reg
2008-05-13 18:00 . 2008-05-13 18:00 <DIR> dr------- D:\Documents and Settings\NetworkService.NT AUTHORITY\Favorieten
2008-05-13 17:57 . 2004-08-04 01:03 1,035,776 -r-h----- C:\WINDOWS\system32\win_2tf.exe
2008-05-13 17:52 . 2007-06-13 15:24 1,036,800 --a--c--- C:\WINDOWS\system32\dllcache\explorer.exe
2008-05-13 17:52 . 2004-08-04 01:03 504,832 --a--c--- C:\WINDOWS\system32\dllcache\winlogon.exe
2008-05-13 17:52 . 2004-08-04 01:03 108,544 --a--c--- C:\WINDOWS\system32\dllcache\services.exe
2008-05-13 17:52 . 2005-06-11 01:53 57,856 --a--c--- C:\WINDOWS\system32\dllcache\spoolsv.exe
2008-05-13 17:52 . 2004-08-04 01:03 13,312 --a--c--- C:\WINDOWS\system32\dllcache\lsass.exe
2008-05-13 17:51 . 2008-05-13 17:52 <DIR> d--h----- C:\ErdUndoCache
2008-05-13 17:49 . 2008-05-13 17:50 <DIR> d-------- C:\~ErdUserProfile.$$$
2008-05-13 16:18 . 2008-05-13 17:55 1 --a------ C:\WINDOWS\system32\ds.dat
2008-05-13 16:07 . 2008-05-13 16:07 <DIR> dr------- D:\Documents and Settings\LocalService.NT AUTHORITY\Mijn documenten
2008-05-13 16:06 . 2008-05-13 16:07 <DIR> dr-h----- D:\Documents and Settings\LocalService.NT AUTHORITY\Onlangs geopend
2008-05-13 16:06 . 2008-05-13 16:06 <DIR> d-------- D:\Documents and Settings\LocalService.NT AUTHORITY\Bureaublad
2008-05-13 15:58 . 2008-05-13 15:58 <DIR> d-------- D:\Documents and Settings\LocalService.NT AUTHORITY\Menu Start
2008-05-13 15:58 . 2008-05-13 16:07 <DIR> dr------- D:\Documents and Settings\LocalService.NT AUTHORITY\Favorieten
2008-05-12 21:33 . 2006-09-24 05:56 <DIR> d--h----- D:\Documents and Settings\Reserve\Sjablonen
2008-05-12 21:33 . 2008-05-12 21:34 <DIR> dr-h----- D:\Documents and Settings\Reserve\Onlangs geopend
2008-05-12 21:33 . 2006-09-24 05:56 <DIR> d--h----- D:\Documents and Settings\Reserve\Netwerkprinteromgeving
2008-05-12 21:33 . 2008-05-12 21:34 <DIR> dr------- D:\Documents and Settings\Reserve\Mijn documenten
2008-05-12 21:33 . 2006-09-24 05:56 <DIR> dr------- D:\Documents and Settings\Reserve\Menu Start
2008-05-12 21:33 . 2008-05-12 21:34 <DIR> dr------- D:\Documents and Settings\Reserve\Favorieten
2008-05-12 21:33 . 2006-11-07 18:16 <DIR> d-------- D:\Documents and Settings\Reserve\Bureaublad
2008-05-12 21:33 . 2008-05-12 21:33 <DIR> d-------- D:\Documents and Settings\Reserve
2008-05-12 21:33 . 2008-05-15 00:58 1,024 --ah----- D:\Documents and Settings\Reserve\ntuser.dat.LOG
2008-05-11 15:33 . 2006-01-23 11:51 466,944 --a------ C:\WINDOWS\system32\CapabilityTable.exe
2008-05-11 15:32 . 2006-04-14 14:00 208,896 --a------ C:\WINDOWS\system32\nvusmb.exe
2008-05-11 15:32 . 2006-04-14 14:00 208,896 --a------ C:\WINDOWS\system32\nvunrm.exe
2008-05-11 15:32 . 2006-04-14 20:08 101,888 --a------ C:\WINDOWS\system32\drivers\nvtcp.sys
2008-05-11 15:32 . 2006-02-20 13:00 3,903 --a------ C:\WINDOWS\system32\nvnrm.nvu
2008-05-11 15:32 . 2005-12-08 12:06 1,864 --a------ C:\WINDOWS\system32\nvsmb.nvu
2008-05-11 14:50 . 2008-05-11 14:50 <DIR> d-------- C:\Program Files\Common Files\NVIDIA Shared
2008-05-11 02:25 . 2008-05-11 02:25 <DIR> d-------- D:\Documents and Settings\AK47\Application Data\FreeStone Group
2008-05-11 00:29 . 2008-05-11 00:29 <DIR> d-------- D:\Documents and Settings\AK47\Application Data\Command & Conquer 3 Kane's Wrath
2008-05-11 00:28 . 2007-10-12 15:14 3,734,536 --a------ C:\WINDOWS\system32\d3dx9_36.dll
2008-05-11 00:28 . 2007-10-12 15:14 1,374,232 --a------ C:\WINDOWS\system32\D3DCompiler_36.dll
2008-05-11 00:28 . 2007-10-02 09:56 444,776 --a------ C:\WINDOWS\system32\d3dx10_36.dll
2008-05-11 00:28 . 2007-10-22 03:39 267,272 --a------ C:\WINDOWS\system32\xactengine2_10.dll
2008-05-11 00:17 . 2008-05-11 00:17 <DIR> dr-h----- D:\Documents and Settings\AK47\Application Data\SecuROM
2008-05-11 00:15 . 2006-11-29 13:06 3,426,072 --a------ C:\WINDOWS\system32\d3dx9_32.dll
2008-05-06 01:02 . 2008-05-11 02:06 <DIR> d-------- D:\Documents and Settings\AK47\Application Data\Hamachi
2008-05-06 01:02 . 2008-05-06 01:02 25,280 --a------ C:\WINDOWS\system32\drivers\hamachi.sys
2008-05-04 02:06 . 2008-05-04 02:11 975 --a------ C:\WINDOWS\eReg.dat
2008-04-27 10:57 . 2008-05-13 12:25 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-27 10:57 . 2008-04-27 10:57 1,409 --a------ C:\WINDOWS\QTFont.for

.
((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-16 19:08 --------- d-----w D:\Documents and Settings\AK47\Application Data\LimeWire
2008-05-15 11:49 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-05-13 21:32 --------- d---a-w D:\Documents and Settings\All Users\Application Data\TEMP
2008-05-13 21:28 --------- d-----w D:\Documents and Settings\AK47\Application Data\uTorrent
2008-05-13 10:31 --------- d-----w D:\Documents and Settings\AK47\Application Data\Corel
2008-05-11 12:50 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-11 12:50 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-05-10 16:24 --------- d-----w D:\Documents and Settings\AK47\Application Data\SopCast
2008-04-30 11:28 --------- d-----w D:\Documents and Settings\AK47\Application Data\Xfire
2008-03-31 15:56 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-03-27 21:19 --------- d-----w D:\Documents and Settings\AK47\Application Data\Uniblue
2007-11-22 20:42 22,328 ----a-w D:\Documents and Settings\AK47\Application Data\PnkBstrK.sys
2006-10-01 13:07 88 --sh--r C:\WINDOWS\system32\825135B91D.sys
.

((((((((((((((((((((((((((((( snapshot_2008-05-16_ 1.09.09.25 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-15 23:05:43 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-16 20:42:43 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2005-10-20 18:02:28 163,328 ----a-w C:\WINDOWS\ERDNT\subs\ERDNT.EXE
- 2006-09-11 08:37:22 8,960,936 ----a-w C:\WINDOWS\system32\MRT.exe
+ 2008-05-09 12:35:06 16,863,864 ----a-w C:\WINDOWS\system32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-06-10 21:16 5674352]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 18:24 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:03 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-08-11 21:43 7630848]
"NVMixerTray"="C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [ ]
"nwiz"="nwiz.exe" [2006-08-11 21:43 1519616 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="NvMCTray.dll" [2006-08-11 21:43 86016 C:\WINDOWS\system32\nvmctray.dll]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [ ]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-11 09:50 20992 C:\WINDOWS\LOGI_MWX.EXE]

D:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\
Adobe Reader Speed Launch.lnk - E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= E:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
E:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 E:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= E:\Program Files\ffdshow\ffdshow.ax
"VIDC.XFR1"= xfcodec.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ac6eec15]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Hns85.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lrx06.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Xej73.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-09-01 15:57 282624 E:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"F:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"E:\\Program Files\\uTorrent\\utorrent.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
"C:\\WINDOWS\\system32\\PnkBstrB.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"12012:TCP"= 12012:TCP:BitComet 12012 TCP
"12012:UDP"= 12012:UDP:BitComet 12012 UDP
"4662:TCP"= 4662:TCP:BitComet 4662 TCP
"4662:UDP"= 4662:UDP:BitComet 4662 UDP

R0 sfsync03;StarForce Protection Synchronization Driver (version 3.x);C:\WINDOWS\system32\drivers\sfsync03.sys [2005-12-06 17:11]
R1 SysTool;SysTool Overclocking Utility;C:\WINDOWS\system32\DRIVERS\SysTool.sys [2006-10-10 14:06]
R2 TICalc;TICalc;C:\WINDOWS\system32\drivers\TICalc.sys [1999-08-30 14:51]
S3 CrystalCpuInfo;CrystalCpuInfo;E:\Program Files\OCCT\CpuInfo.sys [2003-11-25 07:50]
S3 iteio;iteio;C:\WINDOWS\system32\drivers\iteio.sys []
S3 TCCrystalCpuInfo;TCCrystalCpuInfo;D:\DOCUME~1\AK47\LOCALS~1\Temp\TCCpuInfo.sys []

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-16 22:43:09
Windows 5.1.2600 Service Pack 2 NTFS

scannen van verborgen processen ...

scannen van verborgen autostart items ...

scannen van verborgen bestanden ...

Scan succesvol afgerond
verborgen bestanden: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
E:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Logitech\MouseWare\system\EM_EXEC.EXE
C:\WINDOWS\system32\wscntfy.exe
E:\Program Files\SpeedFan\speedfan.exe
.
**************************************************************************
.
Voltooingstijd: 2008-05-16 22:46:30 - machine was rebooted [AK47]
ComboFix-quarantined-files.txt 2008-05-16 20:46:14
ComboFix2.txt 2008-05-15 23:09:43
ComboFix3.txt 2008-05-15 12:12:32
ComboFix4.txt 2008-05-14 23:54:56
ComboFix5.txt 2008-05-14 08:39:11

Pre-Run: 4,709,150,720 bytes beschikbaar
Post-Run: 4,697,862,144 bytes beschikbaar

243 --- E O F --- 2008-05-16 11:33:54


HJT:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:02:04, on 16-5-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
E:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
E:\Program Files\SpeedFan\speedfan.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
E:\Program Files\Mozilla Firefox\firefox.exe
E:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/ig
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: HDDlife.lnk = E:\Program Files\BinarySense\HDDlife\HDDlifePro.exe
O4 - Startup: Kopie van SpeedFan.lnk = E:\Program Files\SpeedFan\speedfan.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Ontvang alles met FlashGet - K:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Ontvang met FlashGet - K:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Save Flash - res://E:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll/210
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Flash - {43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA} - E:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall....ivex/hcImpl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail....es/MSNPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1159065150921
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemreq.../sysreqlab2.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...160/mcfscan.cab
O20 - Winlogon Notify: !SASWinLogon - E:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - E:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - E:\Program Files\SiSoftware\SiSoftware Sandra Pro Home 2007\Win32\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - E:\Program Files\SiSoftware\SiSoftware Sandra Pro Home 2007\RpcSandraSrv.exe

--
End of file - 6206 bytes


And the attachment for the otscanit log:



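The ComboFix log above ends with a registry dump that, besides the run keys, shows two Security Center values set to 1 (AntiVirusDisableNotify, UpdatesDisableNotify), the standard-profile firewall switched off (EnableFirewall = 0) and several non-default SafeBoot\Minimal entries; ComboFix's own note says that empty and legitimate default entries are not shown, so everything in that section was put there by something other than a stock install. The script below is an added example for this thread, not part of ComboFix, HijackThis or anyone's post: it parses a ComboFix-style registry dump and lists the entries a helper would want to revisit after cleanup. The sample dump is constructed to mirror the lines in the log above, and the function names (parse_registry_dump, as_int, audit) are my own. FirewallDisableNotify is a third Security Center value of the same kind that does not appear in this log but is checked for completeness.

```python
"""Flag tamper-relevant entries in a ComboFix-style registry dump.

Added example for this thread; not code from ComboFix or from any post in it.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample, modelled on the "Reg Opstartpunten" section of the
# ComboFix log posted above. Key names are the real Windows keys ComboFix
# printed; the dump format ([key] headers, "Name"=value lines) is ComboFix's.
SAMPLE_DUMP = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ac6eec15]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Hns85.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
# A value line is either "Name"=... or the default value @=...
VALUE_RE = re.compile(r'^(?:"(?P<name>[^"]+)"|(?P<default>@))\s*=\s*(?P<raw>.*)$')

# The three XP SP2 Security Center switches that silence its warnings.
SECURITY_CENTER_FLAGS = (
    "AntiVirusDisableNotify",
    "FirewallDisableNotify",
    "UpdatesDisableNotify",
)


def parse_registry_dump(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key_path: {value_name: raw_value}}; the default value is stored as "@"."""
    keys: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        key = KEY_RE.match(line)
        if key:
            current = key.group(1)
            keys.setdefault(current, {})
            continue
        value = VALUE_RE.match(line)
        if value and current is not None:
            name = value.group("name") or "@"
            keys[current][name] = value.group("raw").strip()
    return keys


def as_int(raw: str) -> Optional[int]:
    """Decode the two numeric spellings ComboFix uses: 'dword:00000001' and '0 (0x0)'."""
    if raw.lower().startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    match = re.match(r"^(\d+)\b", raw)
    return int(match.group(1)) if match else None


def audit(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (severity, message) pairs for settings worth revisiting after cleanup."""
    findings: List[Tuple[str, str]] = []
    for path, values in keys.items():
        low = path.lower()
        leaf = path.rsplit("\\", 1)[-1]
        if low.endswith("\\security center"):
            for name in SECURITY_CENTER_FLAGS:
                if as_int(values.get(name, "")) == 1:
                    findings.append(("high", f"Security Center alert suppressed: {name}=1"))
        elif low.endswith("firewallpolicy\\standardprofile"):
            # The ...\AuthorizedApplications\List and ...\GloballyOpenPorts\List
            # subkeys do not match here; only the profile key carries EnableFirewall.
            if as_int(values.get("EnableFirewall", "")) == 0:
                findings.append(("high", "Windows Firewall disabled (standard profile)"))
        elif "\\safeboot\\minimal\\" in low:
            # ComboFix hides default entries, so every SafeBoot\Minimal key shown
            # was added by an installer or by malware that wants to survive Safe Mode.
            kind = values.get("@", "?").strip('"')
            findings.append(("review", f"Non-default safe-mode entry: {leaf} ({kind})"))
    return findings


if __name__ == "__main__":
    for severity, message in audit(parse_registry_dump(SAMPLE_DUMP)):
        print(f"[{severity}] {message}")
```

On the constructed sample this reports three high findings (the two suppressed Security Center alerts and the disabled firewall) and three safe-mode entries for review; the aawservice one is Ad-Aware's own service, which is why the script only lists such entries rather than deciding about them.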

#10
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Looks like just one more to remove, and then, subject to the result, you could be good :)

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\system32\win_2tf.exe

3. Then, in the text file, go to FILE > SAVE AS and in the SAVE AS TYPE dropdown box select ALL FILES

4. Save the above as CFScript.txt

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


6. After the reboot (if it asks to reboot), please post the following reports/logs in your next reply:
  • Combofix.txt
  • A new HijackThis log.

How is your system running now ?

#11
Johnny88

    Member

  • Topic Starter
  • Member
  • PipPip
  • 27 posts

How is your system running now ?

Not experiencing any problems at all. Thanks for your help! :)

The logs:

Combofix:

ComboFix 08-05-12.1 - AK47 2008-05-16 23:55:18.7 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1043.18.1643 [GMT 2:00]
Gestart vanuit: D:\Documents and Settings\AK47\Bureaublad\ComboFix.exe
Command switches used :: D:\Documents and Settings\AK47\Bureaublad\CFScript.txt
* Nieuw herstelpunt werd aangemaakt

WAARSCHUWING - DE RECOVERY CONSOLE IS NIET OP DIT SYSTEEM GEINSTALLEERD !!

FILE ::
C:\WINDOWS\system32\win_2tf.exe
.

(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\win_2tf.exe

.
(((((((((((((((((((( Bestanden Gemaakt van 2008-04-16 to 2008-05-16 ))))))))))))))))))))))))))))))
.

2008-05-15 13:50 . 2008-05-15 13:50 <DIR> d-------- C:\Program Files\Panda Security
2008-05-15 13:49 . 2008-05-15 13:49 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-15 13:49 . 2008-05-15 13:49 <DIR> d-------- D:\Documents and Settings\AK47\Application Data\SUPERAntiSpyware.com
2008-05-15 01:47 . 2008-05-15 01:47 <DIR> d-------- C:\VundoFix Backups
2008-05-15 01:16 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-05-15 01:16 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-05-15 01:16 . 2008-04-24 08:10 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-05-15 01:16 . 2008-04-28 08:03 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-05-15 01:16 . 2008-04-28 08:03 82,944 --a------ C:\WINDOWS\system32\404Fix.exe
2008-05-15 01:16 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-05-15 01:16 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-05-15 01:16 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-05-14 01:31 . 2008-05-14 01:31 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-05-14 01:14 . 2008-05-14 01:14 <DIR> d-------- C:\WINDOWS\ERUNT
2008-05-14 00:39 . 2008-05-14 00:40 135,168 --a------ C:\zip.exe
2008-05-14 00:39 . 2008-05-14 00:40 19,286 --a------ C:\cleanup.exe
2008-05-14 00:39 . 2008-05-14 00:40 574 --a------ C:\cleanup.bat
2008-05-14 00:16 . 2008-05-14 01:12 <DIR> d-------- C:\RVAXO
2008-05-13 23:24 . 2008-05-13 23:24 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-13 22:15 . 2008-05-13 22:28 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-05-13 21:47 . 2007-07-30 19:19 38,232 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-05-13 21:47 . 2007-07-30 19:20 30,040 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-05-13 21:47 . 2007-07-30 19:20 30,040 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-05-13 21:47 . 2007-07-30 19:18 20,824 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-05-13 21:27 . 2008-05-13 21:27 <DIR> d-------- D:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-05-13 20:12 . 2008-05-13 20:45 687 --a------ C:\WINDOWS\wininit.iniRVAXO
2008-05-13 19:33 . 2008-05-13 19:33 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-13 19:33 . 2008-05-13 19:33 <DIR> d-------- D:\Documents and Settings\AK47\Application Data\Malwarebytes
2008-05-13 19:33 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-13 19:33 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-13 19:29 . 2008-05-13 20:17 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-13 19:00 . 2008-05-13 19:00 <DIR> d-------- C:\tool
2008-05-13 18:02 . 2008-05-15 01:16 928 --a------ C:\WINDOWS\system32\tmp.reg
2008-05-13 18:00 . 2008-05-13 18:00 <DIR> dr------- D:\Documents and Settings\NetworkService.NT AUTHORITY\Favorieten
2008-05-13 17:52 . 2007-06-13 15:24 1,036,800 --a--c--- C:\WINDOWS\system32\dllcache\explorer.exe
2008-05-13 17:52 . 2004-08-04 01:03 504,832 --a--c--- C:\WINDOWS\system32\dllcache\winlogon.exe
2008-05-13 17:52 . 2004-08-04 01:03 108,544 --a--c--- C:\WINDOWS\system32\dllcache\services.exe
2008-05-13 17:52 . 2005-06-11 01:53 57,856 --a--c--- C:\WINDOWS\system32\dllcache\spoolsv.exe
2008-05-13 17:52 . 2004-08-04 01:03 13,312 --a--c--- C:\WINDOWS\system32\dllcache\lsass.exe
2008-05-13 17:51 . 2008-05-13 17:52 <DIR> d--h----- C:\ErdUndoCache
2008-05-13 17:49 . 2008-05-13 17:50 <DIR> d-------- C:\~ErdUserProfile.$$$
2008-05-13 16:18 . 2008-05-13 17:55 1 --a------ C:\WINDOWS\system32\ds.dat
2008-05-13 16:07 . 2008-05-13 16:07 <DIR> dr------- D:\Documents and Settings\LocalService.NT AUTHORITY\Mijn documenten
2008-05-13 16:06 . 2008-05-13 16:07 <DIR> dr-h----- D:\Documents and Settings\LocalService.NT AUTHORITY\Onlangs geopend
2008-05-13 16:06 . 2008-05-13 16:06 <DIR> d-------- D:\Documents and Settings\LocalService.NT AUTHORITY\Bureaublad
2008-05-13 15:58 . 2008-05-13 15:58 <DIR> d-------- D:\Documents and Settings\LocalService.NT AUTHORITY\Menu Start
2008-05-13 15:58 . 2008-05-13 16:07 <DIR> dr------- D:\Documents and Settings\LocalService.NT AUTHORITY\Favorieten
2008-05-12 21:33 . 2006-09-24 05:56 <DIR> d--h----- D:\Documents and Settings\Reserve\Sjablonen
2008-05-12 21:33 . 2008-05-12 21:34 <DIR> dr-h----- D:\Documents and Settings\Reserve\Onlangs geopend
2008-05-12 21:33 . 2006-09-24 05:56 <DIR> d--h----- D:\Documents and Settings\Reserve\Netwerkprinteromgeving
2008-05-12 21:33 . 2008-05-12 21:34 <DIR> dr------- D:\Documents and Settings\Reserve\Mijn documenten
2008-05-12 21:33 . 2006-09-24 05:56 <DIR> dr------- D:\Documents and Settings\Reserve\Menu Start
2008-05-12 21:33 . 2008-05-12 21:34 <DIR> dr------- D:\Documents and Settings\Reserve\Favorieten
2008-05-12 21:33 . 2006-11-07 18:16 <DIR> d-------- D:\Documents and Settings\Reserve\Bureaublad
2008-05-12 21:33 . 2008-05-12 21:33 <DIR> d-------- D:\Documents and Settings\Reserve
2008-05-12 21:33 . 2008-05-15 00:58 1,024 --ah----- D:\Documents and Settings\Reserve\ntuser.dat.LOG
2008-05-11 15:33 . 2006-01-23 11:51 466,944 --a------ C:\WINDOWS\system32\CapabilityTable.exe
2008-05-11 15:32 . 2006-04-14 14:00 208,896 --a------ C:\WINDOWS\system32\nvusmb.exe
2008-05-11 15:32 . 2006-04-14 14:00 208,896 --a------ C:\WINDOWS\system32\nvunrm.exe
2008-05-11 15:32 . 2006-04-14 20:08 101,888 --a------ C:\WINDOWS\system32\drivers\nvtcp.sys
2008-05-11 15:32 . 2006-02-20 13:00 3,903 --a------ C:\WINDOWS\system32\nvnrm.nvu
2008-05-11 15:32 . 2005-12-08 12:06 1,864 --a------ C:\WINDOWS\system32\nvsmb.nvu
2008-05-11 14:50 . 2008-05-11 14:50 <DIR> d-------- C:\Program Files\Common Files\NVIDIA Shared
2008-05-11 02:25 . 2008-05-11 02:25 <DIR> d-------- D:\Documents and Settings\AK47\Application Data\FreeStone Group
2008-05-11 00:29 . 2008-05-11 00:29 <DIR> d-------- D:\Documents and Settings\AK47\Application Data\Command & Conquer 3 Kane's Wrath
2008-05-11 00:28 . 2007-10-12 15:14 3,734,536 --a------ C:\WINDOWS\system32\d3dx9_36.dll
2008-05-11 00:28 . 2007-10-12 15:14 1,374,232 --a------ C:\WINDOWS\system32\D3DCompiler_36.dll
2008-05-11 00:28 . 2007-10-02 09:56 444,776 --a------ C:\WINDOWS\system32\d3dx10_36.dll
2008-05-11 00:28 . 2007-10-22 03:39 267,272 --a------ C:\WINDOWS\system32\xactengine2_10.dll
2008-05-11 00:17 . 2008-05-11 00:17 <DIR> dr-h----- D:\Documents and Settings\AK47\Application Data\SecuROM
2008-05-11 00:15 . 2006-11-29 13:06 3,426,072 --a------ C:\WINDOWS\system32\d3dx9_32.dll
2008-05-06 01:02 . 2008-05-11 02:06 <DIR> d-------- D:\Documents and Settings\AK47\Application Data\Hamachi
2008-05-06 01:02 . 2008-05-06 01:02 25,280 --a------ C:\WINDOWS\system32\drivers\hamachi.sys
2008-05-04 02:06 . 2008-05-04 02:11 975 --a------ C:\WINDOWS\eReg.dat
2008-04-27 10:57 . 2008-05-13 12:25 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-27 10:57 . 2008-04-27 10:57 1,409 --a------ C:\WINDOWS\QTFont.for

.
((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-16 19:08 --------- d-----w D:\Documents and Settings\AK47\Application Data\LimeWire
2008-05-15 11:49 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-05-13 21:32 --------- d---a-w D:\Documents and Settings\All Users\Application Data\TEMP
2008-05-13 21:28 --------- d-----w D:\Documents and Settings\AK47\Application Data\uTorrent
2008-05-13 18:12 14,336 ----a-w C:\WINDOWS\system32\svchost.exe
2008-05-13 10:31 --------- d-----w D:\Documents and Settings\AK47\Application Data\Corel
2008-05-11 12:50 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-11 12:50 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-05-10 16:24 --------- d-----w D:\Documents and Settings\AK47\Application Data\SopCast
2008-05-02 13:55 2,880 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2008-04-30 11:28 --------- d-----w D:\Documents and Settings\AK47\Application Data\Xfire
2008-03-31 15:56 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-03-31 15:56 107,832 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2008-03-27 21:19 --------- d-----w D:\Documents and Settings\AK47\Application Data\Uniblue
2008-03-25 04:51 621,344 ----a-w C:\WINDOWS\system32\mswstr10.dll
2008-03-25 04:51 183,072 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-20 08:10 1,845,376 ----a-w C:\WINDOWS\system32\win32k.sys
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:39 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-16 09:05 662,528 ----a-w C:\WINDOWS\system32\wininet.dll
2007-11-22 20:42 22,328 ----a-w D:\Documents and Settings\AK47\Application Data\PnkBstrK.sys
2006-10-01 13:07 88 --sh--r C:\WINDOWS\system32\825135B91D.sys
.

((((((((((((((((((((((((((((( snapshot_2008-05-16_ 1.09.09.25 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-15 23:05:43 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-16 20:42:43 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2005-10-20 18:02:28 163,328 ----a-w C:\WINDOWS\ERDNT\subs\ERDNT.EXE
- 2006-09-11 08:37:22 8,960,936 ----a-w C:\WINDOWS\system32\MRT.exe
+ 2008-05-09 12:35:06 16,863,864 ----a-w C:\WINDOWS\system32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-06-10 21:16 5674352]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 18:24 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:03 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-08-11 21:43 7630848]
"NVMixerTray"="C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [ ]
"nwiz"="nwiz.exe" [2006-08-11 21:43 1519616 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="NvMCTray.dll" [2006-08-11 21:43 86016 C:\WINDOWS\system32\nvmctray.dll]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [ ]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-11 09:50 20992 C:\WINDOWS\LOGI_MWX.EXE]

D:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\
Adobe Reader Speed Launch.lnk - E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= E:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
E:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 E:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= E:\Program Files\ffdshow\ffdshow.ax
"VIDC.XFR1"= xfcodec.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ac6eec15]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Hns85.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lrx06.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Xej73.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-09-01 15:57 282624 E:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"F:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"E:\\Program Files\\uTorrent\\utorrent.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
"C:\\WINDOWS\\system32\\PnkBstrB.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"12012:TCP"= 12012:TCP:BitComet 12012 TCP
"12012:UDP"= 12012:UDP:BitComet 12012 UDP
"4662:TCP"= 4662:TCP:BitComet 4662 TCP
"4662:UDP"= 4662:UDP:BitComet 4662 UDP

R0 sfsync03;StarForce Protection Synchronization Driver (version 3.x);C:\WINDOWS\system32\drivers\sfsync03.sys [2005-12-06 17:11]
R1 SysTool;SysTool Overclocking Utility;C:\WINDOWS\system32\DRIVERS\SysTool.sys [2006-10-10 14:06]
R2 TICalc;TICalc;C:\WINDOWS\system32\drivers\TICalc.sys [1999-08-30 14:51]
S3 CrystalCpuInfo;CrystalCpuInfo;E:\Program Files\OCCT\CpuInfo.sys [2003-11-25 07:50]
S3 iteio;iteio;C:\WINDOWS\system32\drivers\iteio.sys []
S3 TCCrystalCpuInfo;TCCrystalCpuInfo;D:\DOCUME~1\AK47\LOCALS~1\Temp\TCCpuInfo.sys []

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-16 23:55:46
Windows 5.1.2600 Service Pack 2 NTFS

scannen van verborgen processen ...

scannen van verborgen autostart items ...

scannen van verborgen bestanden ...

Scan succesvol afgerond
verborgen bestanden: 0

**************************************************************************
.
Voltooingstijd: 2008-05-16 23:56:25
ComboFix-quarantined-files.txt 2008-05-16 21:56:06
ComboFix2.txt 2008-05-16 20:46:31
ComboFix3.txt 2008-05-15 23:09:43
ComboFix4.txt 2008-05-15 12:12:32
ComboFix5.txt 2008-05-14 23:54:56

Pre-Run: 4,681,117,696 bytes beschikbaar
Post-Run: 4,669,620,224 bytes beschikbaar

205 --- E O F --- 2008-05-16 11:33:54




HJT:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:56:44, on 16-5-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
E:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
E:\Program Files\SpeedFan\speedfan.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
E:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/ig
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: HDDlife.lnk = E:\Program Files\BinarySense\HDDlife\HDDlifePro.exe
O4 - Startup: Kopie van SpeedFan.lnk = E:\Program Files\SpeedFan\speedfan.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Ontvang alles met FlashGet - K:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Ontvang met FlashGet - K:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Save Flash - res://E:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll/210
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Flash - {43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA} - E:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall....ivex/hcImpl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail....es/MSNPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1159065150921
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemreq.../sysreqlab2.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...160/mcfscan.cab
O20 - Winlogon Notify: !SASWinLogon - E:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - E:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - E:\Program Files\SiSoftware\SiSoftware Sandra Pro Home 2007\Win32\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - E:\Program Files\SiSoftware\SiSoftware Sandra Pro Home 2007\RpcSandraSrv.exe

--
End of file - 6203 bytes

#12
Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
Now the best part of the day ----- Your log now appears clean :)

Double click OTScanit once again and you should see a CleanUp! button. Press that button; you may get prompted by your firewall that OTScanit wants to contact the internet, allow this. A cleanup.txt will be downloaded and a message dialog will ask you if you want to proceed with the cleanup process; click Yes. This will delete all the tools you have downloaded, plus itself.

Now to get you off to a good start we will reset your restore points so that all the bad stuff is gone for good. Then if you need to restore at some stage you will be clean. There are several ways to reset your restore point but this is my method:

1. Select Start > All Programs > Accessories > System tools > System Restore.
2. On the dialogue box that appears select Create a Restore Point
3. Click NEXT
4. Enter a name e.g. Clean
5. Click CREATE

You now have a clean restore point, to get rid of the bad ones:

1. Select Start > All Programs > Accessories > System tools > Disk Cleanup.
2. In the Drop down box that appears select your main drive e.g. C
3. Click OK
4. The System will do some calculation and then display a dialogue box with TABS
5. Select the More Options Tab.
6. At the bottom will be a system restore box with a CLEANUP button click this
7. Accept the Warning and select OK again, the program will close and you are done



Now that you are clean, to help protect your computer in the future I recommend that you get the following free program: It is critical to have both a firewall and antivirus to protect your system and to keep them updated.

To keep your operating system up to date visit

To learn more about how to protect yourself while on the internet read this article by Tony Klien: So how did I get infected in the first place?


Keep safe :)

#13
Johnny88 (Topic Starter, Member, 27 posts)
That's good to hear, will follow all of your suggestions.

Thanks a lot for all your help! :)

#14
Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.