Inactive [InActive] Malware problems

Discussion in 'Malware and Virus Removal Archive' started by Eatgarfield, 2008/12/07.

  1. 2008/12/07
    Eatgarfield

    Eatgarfield Inactive Thread Starter

    Joined:
    2008/12/07
    Messages:
    14
    Likes Received:
    0
    Hello,

    During my last scan with Norton Antivirus 2006 (bit outdated, I know) and with MBAM I've found an infostealer.gampass virus, and at first it also noticed a trojan.backdoor and trojan.dropper (these are now gone I think, since on recent scans they have not shown). I went to the Symantec site, which has a removal scheme. However, Norton finds the file, but cannot remove it. It says it has found infostealer.gampass and would like to take action. Then it starts removing the file, and suddenly changes into a failed action, signalling the file is still there.
    I don't know how dangerous this file is, but I've heard it steals login information, which can't be a positive thing.
    Can anyone help me with this?

    Thanks in advance
    Erwin
     
  2. 2008/12/07
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Welcome to WindowsBBS Erwin :)

    We need to get a bit more information. Please download DDS and save it to your desktop.
    • Disable any script blocking protection
    • Double click dds.scr to run the tool.
    • When done, DDS.txt will open.
    • Click Yes at the next prompt for Optional Scan.
    • Save both reports to your desktop.
    ---------------------------------------------------

    Please include the contents of the following in your next reply:

    DDS.txt


    I may ask for the Attach.txt log later, so keep it handy.


    Does Norton give you the name and location of its find?
     
  4. 2008/12/08
    Eatgarfield

    Eatgarfield Inactive Thread Starter

    Joined:
    2008/12/07
    Messages:
    14
    Likes Received:
    0
    Ok, well I suppose script-blocking programs are also anti-virus programs etc.? Anyway I closed all visible applications, then ran the scan. Here is what was in the DDS.txt file. I've also saved the Attach file ;) Norton does not specify any location or name.

    DDS (Version 1.0) - NTFSx86
    Run by lijklema at 15:07:59,65 on ma 08-12-2008
    Microsoft Windows XP Professional 5.1.2600.3.1252.31.1043.18.2046.1213 [GMT 1:00]

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
    C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\svchost.exe -k HPZ12
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\WINDOWS\System32\svchost.exe -k HPZ12
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\WINDOWS\system32\PnkBstrB.exe
    C:\WINDOWS\system32\PSIService.exe
    svchost.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\WINDOWS\RTHDCPL.EXE
    C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
    C:\WINDOWS\vsnp2std.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Mindjet\MindManager 6\MMReminderService.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
    C:\Program Files\DAEMON Tools Lite\daemon.exe
    C:\Program Files\Tracker Software\PDF-XChange 3\pdfSaver\pdfSaver3.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Wireless\Client Manager\CMags.EXE
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
    C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Windows Media Player\wmplayer.exe
    C:\Program Files\Windows Live\Messenger\usnsvc.exe
    C:\Documents and Settings\lijklema\Bureaublad\dds.scr

    ============== Pseudo HJT Report ===============

    uLocal Page = \blank.htm
    uStart Page = hxxp://www.startpagina.nl/
    uInternet Settings,ProxyOverride = *.local
    BHO: {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
    BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
    BHO: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - c:\program files\common files\symantec shared\adblocking\NISShExt.dll
    BHO: {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - c:\program files\norton internet security\norton antivirus\NavShExt.dll
    BHO: {AC41D38F-B56D-40AD-94E0-B493D130C959} - c:\program files\mindjet\mindmanager 6\Mm6InternetExplorer.dll
    BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\4.1.805.4472\swg.dll
    TB: {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - c:\program files\common files\symantec shared\adblocking\NISShExt.dll
    TB: {C4069E3A-68F1-403E-B40E-20066696354B} - c:\program files\norton internet security\norton antivirus\NavShExt.dll
    TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - c:\program files\common files\symantec shared\adblocking\NISShExt.dll
    TB: {C4069E3A-68F1-403E-B40E-20066696354B} - c:\program files\norton internet security\norton antivirus\NavShExt.dll
    uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
    uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
    uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\daemon.exe" -autorun
    uRun: [igndlm.exe] c:\program files\download manager\DLM.exe /windowsstart /startifwork
    uRun: [pdfSaver3] "c:\program files\tracker software\pdf-xchange 3\pdfsaver\pdfSaver3.exe "
    uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
    mRun: [ehTray] c:\windows\ehome\ehtray.exe
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [nwiz] nwiz.exe /install
    mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
    mRun: [RTHDCPL] RTHDCPL.EXE
    mRun: [Alcmtr] ALCMTR.EXE
    mRun: [Lexmark X83 Button Monitor] c:\progra~1\lexmar~1\ACMonitor_X83.exe
    mRun: [Lexmark X83 Button Manager] c:\progra~1\lexmar~1\AcBtnMgr_X83.exe
    mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe "
    mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe "
    mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe "
    mRun: [PrinTray] c:\windows\system32\spool\drivers\w32x86\3\printray.exe
    mRun: [tsnp2std] c:\windows\tsnp2std.exe
    mRun: [snp2std] c:\windows\vsnp2std.exe
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe "
    mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe "
    mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
    mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll "
    mRun: [pdfSaver3]
    mRun: [MMReminderService] c:\program files\mindjet\mindmanager 6\MMReminderService.exe
    mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
    mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
    StartupFolder: c:\docume~1\alluse~1\menust~1\progra~1\opstar~1\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
    StartupFolder: c:\docume~1\alluse~1\menust~1\progra~1\opstar~1\wirele~1.lnk - c:\program files\wireless\client manager\CMags.EXE
    IE: &Search
    IE: Add to AMV Convert Tool... - c:\program files\mp3 player utilities 3.78\amvconverter\grab.html
    IE: E&xporteren naar Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
    IE: MediaManager tool grab multimedia file - c:\program files\mp3 player utilities 3.78\mediamanager\grab.html
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
    IE: {531B9DC0-D8EE-4c76-A6EE-6C1E50569655} - {AC41D38F-B56D-40AD-94E0-B493D130C959} - c:\program files\mindjet\mindmanager 6\Mm6InternetExplorer.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
    IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
    AppInit_DLLs: emjvcz.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

    ============= SERVICES / DRIVERS ===============

    R1 SAVRT;SAVRT;\??\c:\program files\norton internet security\norton antivirus\SAVRT.SYS [2005-8-26 334984]
    R1 SAVRTPEL;SAVRTPEL;\??\c:\program files\norton internet security\norton antivirus\SAVRTPEL.SYS [2005-8-26 53896]
    R2 ccEvtMgr;Symantec Event Manager; "c:\program files\common files\symantec shared\ccEvtMgr.exe" [2005-9-17 191848]
    R2 ccProxy;Symantec Network Proxy; "c:\program files\common files\symantec shared\ccProxy.exe" [2005-9-17 202088]
    R2 ccSetMgr;Symantec Settings Manager; "c:\program files\common files\symantec shared\ccSetMgr.exe" [2005-9-17 169320]
    R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-17 99328]
    R2 navapsvc;Norton AntiVirus Auto-Protect-service; "c:\program files\norton internet security\norton antivirus\navapsvc.exe" [2005-9-23 139888]
    R2 Symantec Core LC;Symantec Core LC; "c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe" [2008-2-15 1251720]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-9-2 99376]
    R3 NAVENG;NAVENG;\??\c:\progra~1\common~1\symant~1\virusd~1\20081207.005\NAVENG.Sys [2008-12-7 89104]
    R3 NAVEX15;NAVEX15;\??\c:\progra~1\common~1\symant~1\virusd~1\20081207.005\NavEx15.Sys [2008-12-7 876112]
    R3 wlags51b;Agere Wireless USB Driver;c:\windows\system32\drivers\wlags51b.sys [2008-2-15 178688]
    S2 BulkUsb;Genesys Logic USB Scanner Controller NT 5.0;c:\windows\system32\drivers\usbscan.sys [2008-2-16 15104]
    S3 SAVScan;Symantec AVScan; "c:\program files\norton internet security\norton antivirus\SAVScan.exe" [2005-8-26 198368]

    =============== Created Last 30 ================

    2008-12-08 00:01 <DIR> --d----- c:\program files\Windows Media Connect 2
    2008-12-07 19:39 <DIR> --d----- c:\program files\EsetOnlineScanner
    2008-12-07 17:53 <DIR> --d----- c:\program files\Spybot - Search & Destroy
    2008-12-07 17:53 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
    2008-11-26 19:24 <DIR> --d----- c:\documents and settings\lijklema\.tuxguitar-1.0
    2008-11-26 19:19 <DIR> --d----- c:\program files\tuxguitar-1.0
    2008-11-25 13:27 <DIR> --d----- c:\windows\system32\nl
    2008-11-25 13:27 <DIR> --d----- c:\windows\l2schemas
    2008-11-25 13:27 <DIR> --d----- c:\windows\system32\bits
    2008-11-25 13:25 <DIR> --d----- c:\windows\ServicePackFiles
    2008-11-25 13:24 <DIR> --d----- c:\windows\network diagnostic
    2008-11-25 13:23 33,656 a------- c:\windows\system32\sprecovr.exe
    2008-11-25 13:01 61,440 -------- c:\windows\system32\kmsvc.dll
    2008-11-25 12:56 333,824 -c------ c:\windows\system32\dllcache\srv.sys
    2008-11-25 12:55 1,846,528 -c------ c:\windows\system32\dllcache\win32k.sys
    2008-11-25 12:55 2,149,888 -c------ c:\windows\system32\dllcache\ntkrnlmp.exe
    2008-11-25 12:55 2,070,400 -c------ c:\windows\system32\dllcache\ntkrnlpa.exe
    2008-11-25 12:55 2,193,536 -c------ c:\windows\system32\dllcache\ntoskrnl.exe
    2008-11-25 12:55 2,028,544 -c------ c:\windows\system32\dllcache\ntkrpamp.exe
    2008-11-25 12:54 455,296 -c------ c:\windows\system32\dllcache\mrxsmb.sys
    2008-11-25 12:54 337,408 -c------ c:\windows\system32\dllcache\netapi32.dll
    2008-11-25 12:54 1,106,944 -c------ c:\windows\system32\dllcache\msxml3.dll
    2008-11-25 10:09 2,968 a------- c:\windows\system32\TDSSlxwp.dll
    2008-11-25 10:09 527 a------- c:\windows\system32\TDSSosvd.dat
    2008-11-24 19:13 41,344 -------- c:\windows\system32\drivers\ser2pl.sys
    2008-11-24 09:38 268 a---h--- C:\sqmdata10.sqm
    2008-11-24 09:38 244 a---h--- C:\sqmnoopt10.sqm
    2008-11-09 15:45 268 a---h--- C:\sqmdata09.sqm
    2008-11-09 15:45 244 a---h--- C:\sqmnoopt09.sqm
    2008-11-09 00:17 268 a---h--- C:\sqmdata08.sqm
    2008-11-09 00:17 244 a---h--- C:\sqmnoopt08.sqm

    ==================== Find3M ====================

    2008-11-25 13:41 445,274 a------- c:\windows\system32\perfh013.dat
    2008-11-25 13:41 70,660 a------- c:\windows\system32\perfc013.dat
    2008-11-25 13:29 86,811 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
    2008-10-24 12:21 455,296 a------- c:\windows\system32\drivers\mrxsmb.sys
    2008-10-23 20:22 19,518 a------- c:\windows\hpqins13.dat
    2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
    2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
    2008-10-14 17:29 5,120 a------- c:\windows\system32\BReWErS.dll
    2008-10-02 10:07 453,152 a------- c:\windows\system32\NVUNINST.EXE
    2008-09-30 16:43 1,286,152 a------- c:\windows\system32\msxml4.dll
    2008-09-21 18:39 2,724 a--sh--- c:\windows\system32\KGyGaAvL.sys
    2008-09-19 22:55 1,044,480 a------- c:\windows\system32\libdivx.dll
    2008-09-19 22:55 200,704 a------- c:\windows\system32\ssldivx.dll
    2008-09-15 16:28 1,846,528 a------- c:\windows\system32\win32k.sys
    2008-09-12 15:43 286,720 -------- c:\windows\Setup1.exe
    2008-09-12 15:43 73,216 a------- c:\windows\ST6UNST.EXE
    2008-09-10 02:16 1,307,648 -------- c:\windows\system32\msxml6.dll
    2008-04-28 11:15 1 a------- c:\documents and settings\lijklema\SI.bin
    2008-04-02 19:13 22,328 a------- c:\docume~1\lijklema\applic~1\PnkBstrK.sys
    2001-06-20 15:19 40,960 a------- c:\program files\ACMonitor_X83.exe
    2008-02-17 19:43 8 ---shr-- c:\windows\system32\6622C2784B.sys

    ============= FINISH: 15:08:40,82 ===============
     
  5. 2008/12/08
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Please visit the following webpage for instructions for downloading and running ComboFix

    How to use ComboFix


    Download ComboFix by sUBs from here, saving the file to your desktop.


    Please disable realtime protection applications as they sometimes interfere with the tool. Check this link for your applicable programs.

    • Close all open programs and windows
    • Double click ComboFix.exe and follow the prompts.
    • It may reboot your computer and resume running when you logon. Wait for it to complete. When finished, it will open a log for you. Post that log in your next reply.
    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

    **NOTE - I recommend you allow the Recovery Console to be downloaded and installed when prompted.
     
  6. 2008/12/09
    Eatgarfield

    Eatgarfield Inactive Thread Starter

    Joined:
    2008/12/07
    Messages:
    14
    Likes Received:
    0
    ComboFix 08-12-07.04 - lijklema 2008-12-09 13:05:47.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1043.18.1418 [GMT 1:00]
    Gestart vanuit: c:\documents and settings\lijklema\Bureaublad\ComboFix.exe
    * Nieuw herstelpunt werd aangemaakt
    .

    (((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\BReWErS.dll
    c:\windows\system32\TDSSlxwp.dll
    c:\windows\system32\TDSSosvd.dat
    c:\windows\system32\TDSStkdu.log

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_MYWEBSEARCHSERVICE


    (((((((((((((((((((( Bestanden Gemaakt van 2008-11-09 to 2008-12-09 ))))))))))))))))))))))))))))))
    .

    2008-12-08 00:01 . 2008-12-08 00:01 <DIR> d-------- c:\program files\Windows Media Connect 2
    2008-12-07 23:59 . 2008-12-08 00:00 <DIR> d-------- c:\windows\system32\drivers\UMDF
    2008-12-07 19:39 . 2008-12-07 20:33 <DIR> d-------- c:\program files\EsetOnlineScanner
    2008-12-07 17:53 . 2008-12-07 17:55 <DIR> d-------- c:\program files\Spybot - Search & Destroy
    2008-12-07 17:53 . 2008-12-07 19:37 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2008-12-07 13:50 . 2008-12-07 13:50 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
    2008-11-26 19:24 . 2008-11-26 19:24 <DIR> d-------- c:\documents and settings\lijklema\.tuxguitar-1.0
    2008-11-26 19:19 . 2008-11-26 19:20 <DIR> d-------- c:\program files\tuxguitar-1.0
    2008-11-25 13:27 . 2008-11-25 13:27 <DIR> d-------- c:\windows\system32\nl
    2008-11-25 13:27 . 2008-11-25 13:27 <DIR> d-------- c:\windows\system32\bits
    2008-11-25 13:27 . 2008-11-25 13:27 <DIR> d-------- c:\windows\l2schemas
    2008-11-25 13:25 . 2008-11-25 13:25 <DIR> d-------- c:\windows\ServicePackFiles
    2008-11-25 13:23 . 2007-08-10 20:52 33,656 --a------ c:\windows\system32\sprecovr.exe
    2008-11-25 13:01 . 2008-04-14 18:02 1,888,992 --------- c:\windows\system32\ati3duag.dll
    2008-11-25 12:56 . 2008-09-08 11:41 333,824 -----c--- c:\windows\system32\dllcache\srv.sys
    2008-11-25 12:55 . 2008-08-14 14:27 2,193,536 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe
    2008-11-25 12:55 . 2008-08-14 14:27 2,149,888 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe
    2008-11-25 12:55 . 2008-08-14 14:27 2,070,400 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe
    2008-11-25 12:55 . 2008-08-14 14:27 2,028,544 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe
    2008-11-25 12:55 . 2008-09-15 16:28 1,846,528 -----c--- c:\windows\system32\dllcache\win32k.sys
    2008-11-25 12:54 . 2008-09-04 18:17 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
    2008-11-25 12:54 . 2008-10-24 12:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
    2008-11-25 12:54 . 2008-10-15 17:37 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll
    2008-11-24 19:13 . 2003-02-19 14:04 41,344 --------- c:\windows\system32\drivers\ser2pl.sys
    2008-11-24 09:38 . 2008-11-24 09:38 268 --ah----- C:\sqmdata10.sqm
    2008-11-24 09:38 . 2008-11-24 09:38 244 --ah----- C:\sqmnoopt10.sqm
    2008-11-09 15:45 . 2008-11-09 15:45 268 --ah----- C:\sqmdata09.sqm
    2008-11-09 15:45 . 2008-11-09 15:45 244 --ah----- C:\sqmnoopt09.sqm
    2008-11-09 00:17 . 2008-11-09 00:17 268 --ah----- C:\sqmdata08.sqm
    2008-11-09 00:17 . 2008-11-09 00:17 244 --ah----- C:\sqmnoopt08.sqm

    .
    ((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-12-09 11:58 --------- d-----w c:\program files\Common Files\Symantec Shared
    2008-12-08 21:25 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
    2008-12-07 22:40 --------- d-----w c:\documents and settings\lijklema\Application Data\Azureus
    2008-12-07 19:42 --------- d-----w c:\program files\Azureus
    2008-12-07 19:34 --------- d--h--w c:\program files\InstallShield Installation Information
    2008-12-07 14:34 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
    2008-12-01 10:52 --------- d-----w c:\program files\Norton Internet Security
    2008-11-26 13:44 --------- d-----w c:\program files\DivX
    2008-11-25 12:45 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
    2008-11-08 17:32 --------- d-----w c:\documents and settings\lijklema\Application Data\Bioshock
    2008-10-27 12:01 --------- d-----w c:\program files\Gpotato
    2008-10-25 16:55 --------- d-----w c:\program files\Common Files\Adobe AIR
    2008-10-25 16:55 --------- d-----w c:\program files\Adobe Media Player
    2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
    2008-10-14 21:37 --------- d-----w c:\program files\Tracker Software
    2008-10-14 21:37 --------- d-----w c:\program files\Mindjet
    2008-10-14 21:37 --------- d-----w c:\documents and settings\All Users\Application Data\Mindjet
    2008-10-14 20:14 --------- d-----w c:\program files\Common Files\InstallShield
    2008-10-12 18:43 --------- d-----w c:\program files\Google
    2008-09-12 14:43 73,216 ----a-w c:\windows\ST6UNST.EXE
    2008-09-12 14:43 286,720 ------w c:\windows\Setup1.exe
    2008-04-28 10:15 1 ----a-w c:\documents and settings\lijklema\SI.bin
    2008-04-02 18:13 22,328 ----a-w c:\documents and settings\lijklema\Application Data\PnkBstrK.sys
    2001-06-20 14:19 40,960 ----a-w c:\program files\ACMonitor_X83.exe
    2008-02-17 18:43 8 --sh--r c:\windows\system32\6622C2784B.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE "= "c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
    "MsnMsgr "= "c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
    "DAEMON Tools Lite "= "c:\program files\DAEMON Tools Lite\daemon.exe" [2008-03-21 486856]
    "igndlm.exe "= "c:\program files\Download Manager\DLM.exe" [2007-03-05 1103480]
    "pdfSaver3 "= "c:\program files\Tracker Software\PDF-XChange 3\pdfSaver\pdfSaver3.exe" [2004-09-05 380928]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray "= "c:\windows\ehome\ehtray.exe" [2005-08-17 64512]
    "NvCplDaemon "= "c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
    "Lexmark X83 Button Manager "= "c:\progra~1\LEXMAR~1\AcBtnMgr_X83.exe" [2001-06-10 53248]
    "ccApp "= "c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-03-07 53096]
    "SunJavaUpdateSched "= "c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
    "GrooveMonitor "= "c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
    "PrinTray "= "c:\windows\System32\spool\DRIVERS\W32X86\3\printray.exe" [2001-10-25 36864]
    "snp2std "= "c:\windows\vsnp2std.exe" [2006-09-15 675840]
    "QuickTime Task "= "c:\program files\QuickTime\qttask.exe" [2008-01-31 385024]
    "iTunesHelper "= "c:\program files\iTunes\iTunesHelper.exe" [2008-02-19 267048]
    "ArcSoft Connection Service "= "c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2008-04-17 98616]
    "Adobe Reader Speed Launcher "= "c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
    "HP Software Update "= "c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-14 49152]
    "Symantec PIF AlertEng "= "c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
    "MMReminderService "= "c:\program files\Mindjet\MindManager 6\MMReminderService.exe" [2005-09-13 28672]
    "hpqSRMon "= "c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-08-20 150016]
    "NvMediaCenter "= "c:\windows\system32\NvMcTray.dll" [2008-10-07 86016]
    "nwiz "= "nwiz.exe" [2008-10-07 c:\windows\system32\nwiz.exe]
    "RTHDCPL "= "RTHDCPL.EXE" [2006-04-04 c:\windows\RTHDCPL.exe]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE "= "c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

    c:\documents and settings\All Users\Menu Start\Programma's\Opstarten\
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]
    Wireless Client Manager.lnk - c:\program files\Wireless\Client Manager\CMags.EXE [2008-02-15 315392]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs "=emjvcz.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall "= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE "=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE "=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE "=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe "=
    "c:\\Program Files\\iTunes\\iTunes.exe "=
    "c:\\Program Files\\FrostWire\\FrostWire.exe "=
    "c:\\WINDOWS\\system32\\PnkBstrA.exe "=
    "c:\\WINDOWS\\system32\\PnkBstrB.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe "=
    "c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe "=
    "c:\\Program Files\\Windows Live\\Messenger\\livecall.exe "=

    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-09-02 99376]
    R3 wlags51b;Agere Wireless USB Driver;c:\windows\system32\DRIVERS\wlags51b.sys [2008-02-15 178688]
    S2 BulkUsb;Genesys Logic USB Scanner Controller NT 5.0;c:\windows\system32\Drivers\usbscan.sys [2008-02-16 15104]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

    *Newly Created Service* - COMHOST
    .
    Inhoud van de 'Gedeelde Taken' map

    2008-12-06 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]

    2008-12-05 c:\windows\Tasks\Norton AntiVirus - Volledige systeemscan uitvoeren - lijklema.job
    - c:\progra~1\NORTON~1\NORTON~1\Navw32.exe [2007-05-28 12:00]
    .
    - - - - ORPHANS VERWIJDERD - - - -

    HKLM-Run-Recguard - c:\windows\SMINST\RECGUARD.EXE
    HKLM-Run-Lexmark X83 Button Monitor - c:\progra~1\LEXMAR~1\ACMonitor_X83.exe
    HKLM-Run-tsnp2std - c:\windows\tsnp2std.exe
    HKLM-Run-pdfSaver3 - (no file)


    .
    ------- Bijkomende Scan -------
    .
    uLocal Page = \blank.htm
    uStart Page = hxxp://www.startpagina.nl/
    uInternet Settings,ProxyOverride = *.local
    IE: &Search
    IE: Add to AMV Convert Tool... - c:\program files\MP3 Player Utilities 3.78\AMVConverter\grab.html
    IE: E&xporteren naar Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    IE: MediaManager tool grab multimedia file - c:\program files\MP3 Player Utilities 3.78\MediaManager\grab.html

    c:\windows\Downloaded Program Files\sysreqlab3.dll - O16 -: {1E54D648-B804-468d-BC78-4AFFED8E262E}
    hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
    c:\windows\Downloaded Program Files\SysReqLab3.osd

    c:\windows\system32\unicows.dll - c:\windows\Downloaded Program Files\JordanApplet.dll
    O16 -: {34DC6011-88B5-4EA9-BA7A-DC7B4F4437FE}
    hxxp://foto.hema.nl/ips-opdata/layout/hema/objects/jordan.cab
    c:\windows\Downloaded Program Files\jordanapplet.inf
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-12-09 13:09:22
    Windows 5.1.2600 Service Pack 3 NTFS

    scannen van verborgen processen ...

    scannen van verborgen autostart items ...

    scannen van verborgen bestanden ...

    Scan succesvol afgerond
    verborgen bestanden: 0

    **************************************************************************
    .
    ------------------------ Andere Aktieve Processen ------------------------
    .
    c:\program files\Common Files\Symantec Shared\CCSETMGR.EXE
    c:\program files\Common Files\Symantec Shared\CCEVTMGR.EXE
    c:\program files\Common Files\Symantec Shared\CCPROXY.EXE
    c:\program files\Common Files\Symantec Shared\SNDSrvc.exe
    c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\windows\ehome\ehrecvr.exe
    c:\windows\ehome\ehSched.exe
    c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
    c:\windows\system32\nvsvc32.exe
    c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    c:\windows\system32\PnkBstrA.exe
    c:\windows\system32\PnkBstrB.exe
    c:\windows\system32\PSIService.exe
    c:\windows\ehome\mcrdsvc.exe
    c:\windows\system32\rundll32.exe
    c:\windows\system32\dllhost.exe
    c:\program files\iPod\bin\iPodService.exe
    c:\program files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
    c:\program files\HP\Digital Imaging\bin\hpqste08.exe
    c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
    c:\windows\ehome\ehmsas.exe
    c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe
    c:\program files\Messenger\msmsgs.exe
    .
    **************************************************************************
    .
    Voltooingstijd: 2008-12-09 13:12:35 - machine werd herstart
    ComboFix-quarantined-files.txt 2008-12-09 12:12:32

    Pre-Run: 164.639.457.280 bytes beschikbaar
    Post-Run: 164,709,670,912 bytes beschikbaar

    WindowsXP-KB310994-SP2-Pro-BootDisk-NLD.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT= "Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS= "Windows XP Media Center Edition" /noexecute=optin /fastdetect

    239 --- E O F --- 2008-12-08 22:39:23
     
  7. 2008/12/09
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Looks pretty good. 1 item to clean up.
    Highlight and copy the contents of the code box below.
    Code:
    reg add  "HKLM\software\microsoft\windows nt\currentversion\windows" /v AppInit_DLLs /t REG_SZ /d " " /f
    exit
    cls
    
    Click Start>Run and type cmd then hit enter to open a command window. Right click in the command window and select paste. The command window will close on its own.

    Now, please do an online scan with Kaspersky Online Scanner

    Click Accept, when prompted to download and install the program files and database of malware definitions.
    • Click Run at the Security prompt.
    • The program will then begin downloading and installing and will also update the database.
    • Please be patient as this can take several minutes.
    • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
    • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
    • Click View scan report at the bottom.
    • Click the Save Report As... button.
    • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
    **Note**

    To optimize scanning time and produce a more sensible report for review:
    • Close any open programs.
    • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
    Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.


    Post the Kaspersky log and a fresh HijackThis log.
     
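As an added example (not code from the thread or its helper), the following PowerShell check reports what AppInit_DLLs currently holds and whether each listed DLL exists on disk and carries a valid Authenticode signature, so the value can be reviewed before the `reg add` above blanks it. It assumes PowerShell 3.0 or later and read access to HKLM; the Wow6432Node key and the LoadAppInit_DLLs value do not exist on 32-bit XP, so both are treated as optional.

```powershell
# Added example: inspect AppInit_DLLs before clearing it (assumes PowerShell 3.0+).
function Get-AppInitDllStatus {
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
        # Only present on 64-bit Windows; skipped when missing
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        $raw = [string]$props.AppInit_DLLs
        # LoadAppInit_DLLs exists on Vista and later: 0 = list ignored, 1 = loaded into every
        # user-mode process that links user32.dll. Absent on XP, which always honours the list.
        $load = if ($props.PSObject.Properties['LoadAppInit_DLLs']) {
            $props.LoadAppInit_DLLs
        } else { 'n/a (pre-Vista)' }
        # The value is a space- or comma-separated list of DLL names or paths; a single
        # space (what the reg add command in the post writes) therefore yields no entries.
        $entries = @($raw -split '[ ,]+' | Where-Object { $_ -ne '' })
        if ($entries.Count -eq 0) {
            [pscustomobject]@{ Key = $key; Load = $load; Dll = '(empty)'; Exists = $null; Signed = $null }
            continue
        }
        foreach ($dll in $entries) {
            # Bare names are resolved from System32; environment variables are expanded first
            $path = [Environment]::ExpandEnvironmentVariables($dll)
            if (-not [IO.Path]::IsPathRooted($path)) {
                $path = Join-Path $env:SystemRoot "system32\$path"
            }
            $exists = Test-Path $path
            $signed = if ($exists) {
                (Get-AuthenticodeSignature -FilePath $path).Status -eq 'Valid'
            } else { $false }
            [pscustomobject]@{ Key = $key; Load = $load; Dll = $path; Exists = $exists; Signed = $signed }
        }
    }
}

Get-AppInitDllStatus | Format-Table -AutoSize
```

An unsigned or missing DLL in this list is worth saving a copy of (ComboFix quarantines it anyway) before the value is cleared, since the file name is often the only lead for identifying the family.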
