
Active Security-websites (mcafee, symantec, ...) won't open !

Discussion in 'Malware and Virus Removal Archive' started by Clavis, 2010/03/03.

  1. 2010/03/03
    Clavis

    Clavis Inactive Thread Starter


    After removing a virus on a laptop, I still cannot open websites of anti-virus software like McAfee, Symantec, AVG, ... Somehow the browser is redirected to the search-engine page (in this case AOL search). Probably the virus altered something on the system (not the hosts file, that one is clean), but I don't know what.
    I made a DDS log and an Attach log:

    DDS
    ===

    DDS (Ver_09-12-01.01) - NTFSx86
    Run by Admin at 21:39:50,54 on wo 03/03/2010
    Internet Explorer: 8.0.6001.18882
    Microsoft® Windows Vista™ Business 6.0.6001.1.1252.32.1043.18.1975.854 [GMT 1:00]

    AV: Total Protection *On-access scanning enabled* (Outdated) {8C354827-2F54-4E28-90DC-AD391E77808C}
    SP: Total Protection *enabled* (Outdated) {DEBE977C-6A5A-49CC-937A-9E8BB3202260}
    SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
    SP: SUPERAntiSpyware *enabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
    FW: Total Protection *disabled* {259FBE35-46BE-45F3-8F2F-4DB67BBBC614}

    ============== Running Processes ===============

    C:\windows\system32\wininit.exe
    C:\windows\system32\lsm.exe
    C:\windows\system32\svchost.exe -k DcomLaunch
    C:\windows\System32\svchost.exe -k Cognizance
    c:\Program Files\Fingerprint Sensor\AtService.exe
    C:\Program Files\Hewlett-Packard\File Sanitizer\HPFSService.exe
    c:\Program Files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe
    C:\windows\system32\svchost.exe -k rpcss
    C:\windows\System32\svchost.exe -k secsvcs
    C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\windows\system32\svchost.exe -k netsvcs
    C:\windows\system32\svchost.exe -k GPSvcGroup
    C:\windows\system32\SLsvc.exe
    C:\windows\system32\svchost.exe -k LocalService
    C:\windows\system32\Hpservice.exe
    C:\windows\system32\svchost.exe -k NetworkService
    C:\windows\System32\spoolsv.exe
    C:\windows\system32\taskeng.exe
    C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
    c:\Program Files\ActivIdentity\ActivClient\accoca.exe
    C:\windows\system32\AEADISRV.EXE
    C:\windows\system32\agrsmsvc.exe
    C:\windows\system32\svchost.exe -k bthsvcs
    C:\Program Files\Epact-W-VL Demo 1.2.0\EBMLockServerNoLic.exe
    c:\Program Files\ActivIdentity\ActivClient\acevents.exe
    C:\PROGRA~1\McAfee\MANAGE~1\VScan\ENGINE~1.EXE
    c:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTChangeFilterService.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
    c:\Windows\system32\ifxspmgt.exe
    c:\Windows\system32\ifxtcs.exe
    C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.Exe
    C:\windows\System32\svchost.exe -k HPZ12
    C:\Program Files\PDF Complete\pdfsvc.exe
    c:\Windows\system32\IfxPsdSv.exe
    C:\windows\System32\svchost.exe -k HPZ12
    C:\windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Program Files\SiteAdvisor\6173\SAService.exe
    C:\windows\system32\svchost.exe -k netsvc6
    C:\windows\system32\svchost.exe -k imgsvc
    C:\windows\System32\svchost.exe -k WerSvcGroup
    C:\windows\system32\SearchIndexer.exe
    C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    C:\windows\system32\wbem\wmiprvse.exe
    C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtTry.exe
    C:\windows\system32\Dwm.exe
    C:\windows\system32\taskeng.exe
    C:\windows\Explorer.EXE
    c:\Program Files\Hewlett-Packard\IAM\Bin\AsGHost.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
    C:\Windows\System32\igfxtray.exe
    C:\Windows\system32\igfxsrvc.exe
    C:\Windows\System32\igfxpers.exe
    C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe
    C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\pthosttr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
    C:\Program Files\SiteAdvisor\6173\SiteAdv.exe
    C:\Program Files\Hewlett-Packard\File Sanitizer\CoreShredder.exe
    C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
    C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
    c:\Program Files\ActivIdentity\ActivClient\acevents.exe
    C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\Belgium Identity Card\beid35gui.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
    C:\Program Files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
    c:\Program Files\Hewlett-Packard\Embedded Security Software\PSDrt.exe
    C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\VolCtrl.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
    C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
    C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
    c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
    C:\windows\system32\wuauclt.exe
    C:\windows\system32\wbem\wmiprvse.exe
    C:\Program Files\Java\jre1.6.0_06\bin\jucheck.exe
    C:\windows\system32\conime.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\windows\system32\taskeng.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\windows\system32\SearchProtocolHost.exe
    C:\windows\system32\SearchFilterHost.exe
    C:\Users\Admin\Downloads\dds.pif

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.google.be/
    uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=nl_be&c=83&bd=all&pf=cmnb
    mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=nl_be&c=83&bd=all&pf=cmnb
    mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=nl_be&c=83&bd=all&pf=cmnb
    BHO: {089fd14d-132b-48fc-8861-0048ae113215} - c:\program files\siteadvisor\6173\SiteAdv.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: BHO_Startup Class: {3134413b-49b4-425c-98a5-893c1f195601} - c:\program files\hewlett-packard\file sanitizer\IEBHO.dll
    BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_06\bin\ssv.dll
    BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
    BHO: Credential Manager for HP ProtectTools: {df21f1db-80c6-11d3-9483-b03d0ec10000} - c:\program files\hewlett-packard\iam\bin\ItIEAddIn.dll
    TB: McAfee SiteAdvisor: {0bf43445-2f28-4351-9252-17fe6e806aa0} - c:\program files\siteadvisor\6173\SiteAdv.dll
    TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
    uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
    uRun: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
    uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
    uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
    mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [<NO NAME>]
    mRun: [accrdsub] "c:\program files\actividentity\activclient\accrdsub.exe "
    mRun: [PTHOSTTR] c:\program files\hewlett-packard\hp protecttools security manager\PTHOSTTR.EXE /Start
    mRun: [CognizanceTS] rundll32.exe c:\progra~1\hewlet~1\iam\bin\ASTSVCC.dll,RegisterModule
    mRun: [PDF Complete] c:\program files\pdf complete\pdfsty.exe
    mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
    mRun: [hpWirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe
    mRun: [HP Health Check Scheduler] c:\program files\hewlett-packard\hp health check\HPHC_Scheduler.exe
    mRun: [MVS Splash] c:\program files\mcafee\managed virusscan\agent\Splash.exe
    mRun: [McAfee Managed Services Tray] c:\program files\mcafee\managed virusscan\agent\StartMyAgtTry.Exe
    mRun: [SiteAdvisor] c:\program files\siteadvisor\6173\SiteAdv.exe
    mRun: [IFXSPMGT] c:\windows\system32\ifxspmgt.exe /NotifyLogon
    mRun: [File Sanitizer] c:\program files\hewlett-packard\file sanitizer\CoreShredder.exe
    mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_06\bin\jusched.exe "
    mRun: [QlbCtrl.exe] c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe /Start
    mRun: [WatchDog] c:\program files\intervideo\dvd check\DVDCheck.exe
    mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
    mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
    mRun: [SoundMAX] c:\program files\analog devices\soundmax\soundmax.exe /tray
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe "
    mRun: [beid] "c:\program files\belgium identity card\beid35gui.exe" /startup
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\bttray.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\dvdche~1.lnk - c:\program files\intervideo\dvd check\DVDCheck.exe
    mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
    mPolicies-system: EnableLUA = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: Afbeelding verzenden naar &Bluetooth-apparaat... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office12\EXCEL.EXE/3000
    IE: Pagina verzenden naar &Bluetooth-apparaat... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
    IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
    IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_06\bin\ssv.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office12\REFIEBAR.DLL
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
    Handler: myrm - {4D034FC3-013F-4b95-B544-44D49ABE3E76} - c:\program files\mcafee\managed virusscan\agent\myRmProt4.9.0.285.dll
    Handler: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - c:\program files\siteadvisor\6173\SiteAdv.dll
    Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
    Notify: igfxcui - igfxdev.dll
    AppInit_DLLs: c:\windows\system32\APSHook.dll APSHook.dll
    SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
    LSA: Notification Packages = scecli ASWLNPkg
    mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe "

    ============= SERVICES / DRIVERS ===============

    R0 SbAlg;SbAlg;c:\windows\system32\drivers\SbAlg.sys [2008-5-14 51376]
    R0 SbFsLock;SbFsLock;c:\windows\system32\drivers\SbFsLock.sys [2008-5-14 12928]
    R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-6-17 205544]
    R1 o6ko;Automation Service file NDIS PostgreSQL Time List VSSShellExt Files;c:\windows\system32\drivers\o6ko.sys [2007-9-13 32768]
    R1 PersonalSecureDrive;PersonalSecureDrive;c:\windows\system32\drivers\psd.sys [2008-3-21 39712]
    R1 RsvLock;RsvLock;c:\windows\system32\drivers\rsvlock.sys [2008-5-14 12496]
    R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
    R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-2-17 66632]
    R2 accoca;ActivClient Middleware Service;c:\program files\actividentity\activclient\accoca.exe [2007-5-16 182576]
    R2 ASBroker;Logon Session Broker;c:\windows\system32\svchost.exe -k Cognizance [2008-1-21 21504]
    R2 ASChannel;Local Communication Channel;c:\windows\system32\svchost.exe -k Cognizance [2008-1-21 21504]
    R2 ATService;AuthenTec Fingerprint Service;c:\program files\fingerprint sensor\AtService.exe [2008-5-10 1168632]
    R2 EBMLockServerNoLic;EBMLockServerNoLic;c:\program files\epact-w-vl demo 1.2.0\ebmlockservernolic.exe servicename: "ebmlockservernolic" initport:6040 --> c:\program files\epact-w-vl demo 1.2.0\EBMLockServerNoLic.exe SERVICENAME:EBMLockServerNoLic [?]
    R2 EngineServer;EngineServer;c:\progra~1\mcafee\manage~1\vscan\ENGINE~1.EXE [2008-6-17 13632]
    R2 HP ProtectTools Service;HP ProtectTools Service;c:\program files\hewlett-packard\hp protecttools security manager\PTChangeFilterService.exe [2008-5-14 34184]
    R2 HpFkCryptService;Drive Encryption Service;c:\program files\hewlett-packard\drive encryption\HpFkCrypt.exe [2008-5-14 256512]
    R2 HPFSService;File Sanitizer for HP ProtectTools;c:\program files\hewlett-packard\file sanitizer\HPFSService.exe [2008-6-17 77824]
    R2 hpsrv;HP Service;c:\windows\system32\hpservice.exe [2008-4-7 24936]
    R2 McAfee HackerWatch Service;McAfee HackerWatch Service;c:\program files\common files\mcafee\hackerwatch\HWAPI.exe [2008-6-17 540776]
    R2 myAgtSvc;McAfee Virus and Spyware Protection Service;c:\program files\mcafee\managed virusscan\agent\myAgtSvc.exe [2008-6-17 202048]
    R2 pdfcDispatcher;PDF Document Manager;c:\program files\pdf complete\pdfsvc.exe [2008-6-17 576536]
    R2 srvoko6;Thumbnail User HTML Update;c:\windows\system32\svchost.exe -k netsvc6 [2008-1-21 21504]
    R3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\system32\drivers\ATSwpWDF.sys [2008-5-13 475520]
    R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2007-11-29 181760]
    R3 Com4QLBEx;Com4QLBEx;c:\program files\hewlett-packard\hp quick launch buttons\Com4QLBEx.exe [2008-6-17 193840]
    R3 NETw5v32;Stuurprogramma voor Intel(R) Wireless WiFi Link Adapter onder Windows Vista 32 Bit;c:\windows\system32\drivers\NETw5v32.sys [2008-4-28 3658752]
    R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-2-17 12872]
    S3 ACSSCR;ACR38 Smart Card Reader;c:\windows\system32\drivers\a38usb.sys [2009-11-15 35712]
    S3 McShield;McShield;c:\progra~1\mcafee\manage~1\vscan\McShield.exe [2008-6-17 144704]
    S3 MfeAVFK;McAfee Inc. MfeAVFK;c:\windows\system32\drivers\MfeAVFK.sys [2008-6-17 79560]
    S3 MfeBOPK;McAfee Inc. MfeBOPK;c:\windows\system32\drivers\MfeBOPK.sys [2008-6-17 35240]
    S3 MfeRKDK;McAfee Inc. MfeRKDK;c:\windows\system32\drivers\MfeRKDK.sys [2008-6-17 34024]
    S3 RoxMediaDB10;RoxMediaDB10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxMediaDB10.exe [2008-4-8 1112560]

    =============== Created Last 30 ================

    2010-03-03 17:47:41 98816 ----a-w- c:\windows\sed.exe
    2010-03-03 17:47:41 77312 ----a-w- c:\windows\MBR.exe
    2010-03-03 17:47:41 261632 ----a-w- c:\windows\PEV.exe
    2010-03-03 17:47:41 161792 ----a-w- c:\windows\SWREG.exe
    2010-03-03 17:47:38 0 d-s---w- C:\ComboFix
    2010-03-01 23:03:13 0 d-----w- c:\users\admin\appdata\roaming\Malwarebytes
    2010-03-01 23:03:10 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-03-01 23:03:09 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-03-01 23:03:09 0 d-----w- c:\programdata\Malwarebytes
    2010-03-01 23:03:09 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-03-01 22:19:48 0 d-----w- c:\programdata\SUPERAntiSpyware.com
    2010-03-01 22:19:35 0 d-----w- c:\users\admin\appdata\roaming\SUPERAntiSpyware.com
    2010-03-01 22:19:35 0 d-----w- c:\program files\SUPERAntiSpyware
    2010-03-01 22:19:00 0 d-----w- c:\program files\common files\Wise Installation Wizard
    2010-03-01 22:08:01 0 d---a-w- c:\programdata\TEMP
    2010-02-28 22:12:42 0 d-----w- c:\programdata\Stardock
    2010-02-28 22:09:47 268 ---ha-w- C:\sqmdata02.sqm
    2010-02-28 22:09:47 244 ---ha-w- C:\sqmnoopt02.sqm
    2010-02-27 14:08:07 268 ---ha-w- C:\sqmdata01.sqm
    2010-02-27 14:08:07 244 ---ha-w- C:\sqmnoopt01.sqm
    2010-02-27 14:02:12 268 ---ha-w- C:\sqmdata00.sqm
    2010-02-27 14:02:12 244 ---ha-w- C:\sqmnoopt00.sqm
    2010-02-27 13:05:09 0 d-----w- c:\program files\webserver
    2010-02-25 20:46:24 2048 ----a-w- c:\windows\system32\tzres.dll
    2010-02-25 20:46:02 523776 ----a-w- c:\windows\system32\RMActivate_isv.exe
    2010-02-25 20:46:02 511488 ----a-w- c:\windows\system32\RMActivate.exe
    2010-02-25 20:46:02 347136 ----a-w- c:\windows\system32\RMActivate_ssp.exe
    2010-02-25 20:46:01 472576 ----a-w- c:\windows\system32\secproc_isv.dll
    2010-02-25 20:46:01 472064 ----a-w- c:\windows\system32\secproc.dll
    2010-02-25 20:46:01 346624 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
    2010-02-25 20:46:01 329216 ----a-w- c:\windows\system32\msdrm.dll
    2010-02-25 20:46:01 151040 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
    2010-02-25 20:46:01 151040 ----a-w- c:\windows\system32\secproc_ssp.dll
    2010-02-25 20:17:07 65536 --sha-w- c:\users\admin\ntuser.dat{a779c6e6-224a-11df-874f-00247e9f8c6c}.TM.blf
    2010-02-25 20:17:07 524288 --sha-w- c:\users\admin\ntuser.dat{a779c6e6-224a-11df-874f-00247e9f8c6c}.TMContainer00000000000000000002.regtrans-ms
    2010-02-25 20:17:07 524288 --sha-w- c:\users\admin\ntuser.dat{a779c6e6-224a-11df-874f-00247e9f8c6c}.TMContainer00000000000000000001.regtrans-ms
    2010-02-12 10:27:19 378368 ----a-w- c:\windows\system32\winhttp.dll
    2010-02-11 17:14:20 499712 ----a-w- c:\windows\system32\kerberos.dll
    2010-02-11 17:14:18 270848 ----a-w- c:\windows\system32\schannel.dll
    2010-02-10 10:36:02 98304 ----a-w- c:\windows\system32\drivers\srvnet.sys
    2010-02-10 10:36:02 301568 ----a-w- c:\windows\system32\drivers\srv.sys
    2010-02-10 10:36:00 3597912 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2010-02-10 10:36:00 3546200 ----a-w- c:\windows\system32\ntoskrnl.exe

    ==================== Find3M ====================

    2010-03-03 20:19:38 714854 ----a-w- c:\windows\system32\perfh013.dat
    2010-03-03 20:19:38 148548 ----a-w- c:\windows\system32\perfc013.dat
    2010-02-24 08:16:06 181632 ----a-w- c:\windows\system32\MpSigStub.exe
    2010-01-02 06:38:20 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-01-02 06:32:33 71680 ----a-w- c:\windows\system32\iesetup.dll
    2010-01-02 06:32:33 109056 ----a-w- c:\windows\system32\iesysprep.dll
    2010-01-02 04:57:00 133632 ----a-w- c:\windows\system32\ieUnatt.exe
    2009-12-28 12:35:50 11776 ----a-w- c:\windows\system32\tsbyuv.dll
    2009-12-28 12:35:00 1314816 ----a-w- c:\windows\system32\quartz.dll
    2009-12-28 12:32:34 22528 ----a-w- c:\windows\system32\msyuv.dll
    2009-12-28 12:32:32 31744 ----a-w- c:\windows\system32\msvidc32.dll
    2009-12-28 12:32:32 123904 ----a-w- c:\windows\system32\msvfw32.dll
    2009-12-28 12:32:25 13312 ----a-w- c:\windows\system32\msrle32.dll
    2009-12-28 12:31:22 82944 ----a-w- c:\windows\system32\mciavi32.dll
    2009-12-28 12:31:01 50176 ----a-w- c:\windows\system32\iyuv_32.dll
    2009-12-28 12:28:43 91136 ----a-w- c:\windows\system32\avifil32.dll
    2009-12-28 12:28:43 65024 ----a-w- c:\windows\system32\avicap32.dll
    2009-11-19 16:18:25 51200 ----a-w- c:\windows\inf\infpub.dat
    2009-11-19 16:18:25 143360 ----a-w- c:\windows\inf\infstrng.dat
    2009-11-15 11:11:55 86016 ----a-w- c:\windows\inf\infstor.dat
    2009-08-25 21:44:16 665600 ----a-w- c:\windows\inf\drvindex.dat
    2008-04-16 04:07:13 41976 ----a-w- c:\windows\inf\perflib\0413\perfd.dat
    2008-04-16 04:07:12 41976 ----a-w- c:\windows\inf\perflib\0413\perfc.dat
    2008-04-16 04:07:12 336440 ----a-w- c:\windows\inf\perflib\0413\perfi.dat
    2008-04-16 04:07:12 336440 ----a-w- c:\windows\inf\perflib\0413\perfh.dat
    2008-01-21 02:43:58 174 --sha-w- c:\program files\desktop.ini
    2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
    2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
    2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
    2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
    2009-08-24 19:42:30 32768 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012009082420090825\index.dat
    2009-08-25 19:42:35 32768 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012009082520090826\index.dat
    2009-08-26 19:42:35 32768 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012009082620090827\index.dat
    2009-09-21 18:12:08 49152 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012009091420090921\index.dat
    2009-10-05 18:38:29 49152 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012009092820091005\index.dat
    2009-10-12 07:18:16 49152 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012009100520091012\index.dat
    2009-10-19 07:32:46 49152 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012009101220091019\index.dat
    2009-10-19 21:27:13 32768 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012009101920091020\index.dat
    2009-10-20 21:01:50 32768 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012009102020091021\index.dat
    2009-10-21 19:47:16 32768 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012009102120091022\index.dat
    2009-10-22 21:17:35 32768 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012009102220091023\index.dat
    2009-10-23 20:12:40 32768 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012009102320091024\index.dat
    2009-10-24 13:16:14 32768 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012009102420091025\index.dat
    2009-11-19 15:57:14 245760 --sha-w- c:\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\ietldcache\index.dat
    2009-09-02 16:46:42 16384 --sha-w- c:\windows\temp\cookies\index.dat
    2009-09-02 16:46:42 16384 --sha-w- c:\windows\temp\history\history.ie5\index.dat
    2009-09-02 16:46:42 16384 --sha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat
    2008-06-17 11:04:06 8192 --sha-w- c:\windows\users\default\NTUSER.DAT

    ============= FINISH: 21:40:36,36 ===============



    ATTACH
    ======

    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_09-12-01.01)

    Microsoft® Windows Vista™ Business
    Boot Device: \Device\HarddiskVolume1
    Install Date: 24/08/2009 8:24:32
    System Uptime: 3/03/2010 20:20:35 (1 hours ago)

    Motherboard: Hewlett-Packard | | 30DD
    Processor: Intel(R) Core(TM)2 Duo CPU T9400 @ 2.53GHz | Intel(R) Genuine processor | 2533/266mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 139 GiB total, 110,518 GiB free.
    D: is FIXED (NTFS) - 9 GiB total, 1,433 GiB free.
    E: is CDROM ()
    F: is FIXED (FAT32) - 1 GiB total, 0,971 GiB free.

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    RP203: 3/03/2010 2:06:01 - Gepland herstelpunt

    ==== Installed Programs ======================


    2007 Microsoft Office system
    32 Bit HP CIO Components Installer
    ActivClient 6.1 x86
    Adobe Flash Player 10 ActiveX
    Adobe Reader 9.1 - Nederlands
    Agere Systems HDA Modem
    AuthenTec Fingerprint System
    Belgium e-ID middleware 3.5.2 (build 5775)
    BIOS Configuration for HP ProtectTools
    Credential Manager for HP ProtectTools
    Drive Encryption for HP ProtectTools
    Embedded Security for HP ProtectTools
    Epact-W-VL Demo 1.2.0 (remove only)
    ESU for Microsoft Vista SP1
    File Sanitizer For HP ProtectTools
    Hewlett-Packard Active Check for Health Check
    Hewlett-Packard Asset Agent for Health Check
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    HP 3D DriveGuard
    HP Active Support Library
    HP Customer Experience Enhancements
    HP Doc Viewer
    HP Easy Setup - Frontend
    HP Help and Support
    HP Integrated Module with Bluetooth wireless technology 6.0.1.6200
    HP JavaCard for HP ProtectTools
    HP ProtectTools Security Manager
    HP ProtectTools Security Manager Suite
    HP Quick Launch Buttons 6.40 D3
    HP QuickLook 2
    HP Software Setup 5.00.A.5
    HP Update
    HP User Guides 0097
    HP Webcam
    HP Webcam Application
    HP Wireless Assistant
    HPNetworkAssistant
    Intel(R) Graphics Media Accelerator Driver
    Intel® Matrix Storage Manager
    InterVideo DVD Check
    InterVideo Register Manager
    InterVideo WinDVD
    Java(TM) 6 Update 6
    LightScribe System Software 1.12.37.1
    Malwarebytes' Anti-Malware
    McAfee Browser Protection Service
    McAfee Firewall Protection Service
    McAfee Virus and Spyware Protection Service
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB953297)
    Microsoft .NET Framework 3.5 Language Pack SP1 - nld
    Microsoft .NET Framework 3.5 SP1
    Microsoft Office 2007 Service Pack 2 (SP2)
    Microsoft Office Access MUI (Dutch) 2007
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access MUI (French) 2007
    Microsoft Office Access MUI (German) 2007
    Microsoft Office Access MUI (Italian) 2007
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Excel 2007 Help - Aggiornamento (KB963678)
    Microsoft Office Excel MUI (Dutch) 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Excel MUI (French) 2007
    Microsoft Office Excel MUI (German) 2007
    Microsoft Office Excel MUI (Italian) 2007
    Microsoft Office Outlook 2007 Help - Aggiornamento (KB963677)
    Microsoft Office Outlook MUI (Dutch) 2007
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office Outlook MUI (French) 2007
    Microsoft Office Outlook MUI (German) 2007
    Microsoft Office Outlook MUI (Italian) 2007
    Microsoft Office Powerpoint 2007 Help - Aggiornamento (KB963669)
    Microsoft Office PowerPoint MUI (Dutch) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office PowerPoint MUI (French) 2007
    Microsoft Office PowerPoint MUI (German) 2007
    Microsoft Office PowerPoint MUI (Italian) 2007
    Microsoft Office Professional Hybrid 2007
    Microsoft Office Proof (Arabic) 2007
    Microsoft Office Proof (Dutch) 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (German) 2007
    Microsoft Office Proof (Italian) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (Dutch) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing (French) 2007
    Microsoft Office Proofing (German) 2007
    Microsoft Office Proofing (Italian) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    Microsoft Office Publisher MUI (Dutch) 2007
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Publisher MUI (French) 2007
    Microsoft Office Publisher MUI (German) 2007
    Microsoft Office Publisher MUI (Italian) 2007
    Microsoft Office Shared MUI (Dutch) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared MUI (French) 2007
    Microsoft Office Shared MUI (German) 2007
    Microsoft Office Shared MUI (Italian) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Suite Activation Assistant
    Microsoft Office Word 2007 Help - Aggiornamento (KB963665)
    Microsoft Office Word MUI (Dutch) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Office Word MUI (French) 2007
    Microsoft Office Word MUI (German) 2007
    Microsoft Office Word MUI (Italian) 2007
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Mise à jour Microsoft Office Excel 2007 Help (KB963678)
    Mise à jour Microsoft Office Outlook 2007 Help (KB963677)
    Mise à jour Microsoft Office Powerpoint 2007 Help (KB963669)
    Mise à jour Microsoft Office Word 2007 Help (KB963665)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    PDF Complete
    Privacy Manager for HP ProtectTools
    Roxio Activation Module
    Roxio Creator Audio
    Roxio Creator Business
    Roxio Creator Business v10
    Roxio Creator Copy
    Roxio Creator Data
    Roxio Creator Tools
    Roxio Express Labeler 3
    Roxio MyDVD
    Security Update for 2007 Microsoft Office System (KB969559)
    Security Update for 2007 Microsoft Office System (KB973704)
    Security Update for Microsoft Office Excel 2007 (KB973593)
    Security Update for Microsoft Office Outlook 2007 (KB972363)
    Security Update for Microsoft Office PowerPoint 2007 (KB957789)
    Security Update for Microsoft Office Publisher 2007 (KB969693)
    Security Update for Microsoft Office system 2007 (972581)
    Security Update for Microsoft Office system 2007 (KB969613)
    Security Update for Microsoft Office system 2007 (KB974234)
    Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
    Sonic CinePlayer Decoder Pack
    SoundMAX
    SUPERAntiSpyware Free Edition
    Synaptics Pointing Device Driver
    Taalpakket voor Microsoft .NET Framework 3.5 SP1 - NL
    Update für Microsoft Office Excel 2007 Help (KB963678)
    Update für Microsoft Office Outlook 2007 Help (KB963677)
    Update für Microsoft Office Powerpoint 2007 Help (KB963669)
    Update für Microsoft Office Word 2007 Help (KB963665)
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft Office 2007 Help for Common Features (KB963673)
    Update for Microsoft Office Access 2007 Help (KB963663)
    Update for Microsoft Office Excel 2007 Help (KB963678)
    Update for Microsoft Office InfoPath 2007 (KB976416)
    Update for Microsoft Office Outlook 2007 Help (KB963677)
    Update for Microsoft Office Powerpoint 2007 Help (KB963669)
    Update for Microsoft Office Publisher 2007 Help (KB963667)
    Update for Microsoft Office Script Editor Help (KB963671)
    Update for Microsoft Office Word 2007 (KB974561)
    Update for Microsoft Office Word 2007 Help (KB963665)
    Update for Outlook 2007 Junk Email Filter (kb977719)
    Update voor Microsoft Office Excel 2007 Help (KB963678)
    Update voor Microsoft Office Powerpoint 2007 Help (KB963669)
    Update voor Microsoft Office Word 2007 Help (KB963665)
    Vista Default Settings
    Windows Live Messenger

    ==== End Of File ===========================



    Thanks for helping !
     
  2. 2010/03/03
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Make sure you re-enable your security programs when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!


    Download HijackThis:
    http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/download
    by clicking on Installer under Version 2.0.2
    [DO NOT download version 2.0.3 (beta)]
    Install, and run it.
Post HijackThis log.
    Do NOT attempt to fix anything!

    NOTE. If you're using Vista, or 7, right click on HijackThis, and click Run as Administrator
     


  4. 2010/03/03
    Clavis

    Clavis Inactive Thread Starter

    Joined:
    2010/03/03
    Messages:
    7
    Likes Received:
    0
    Can't stop or disable "Total Protection" (McAfee). It was a trial-version and it was not extended.
    Started ComboFix anyway ... but it is still running ... hope it will stop anytime ...
     
  5. 2010/03/03
    Clavis

    Clavis Inactive Thread Starter

    Joined:
    2010/03/03
    Messages:
    7
    Likes Received:
    0
Had to kill the Combofix process ... it was not responding anymore ...

    Ran HijackThis. This is the logfile :

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 23:22:31, on 3/03/2010
    Platform: Windows Vista SP1 (WinNT 6.00.1905)
    MSIE: Internet Explorer v8.00 (8.00.6001.18882)
    Boot mode: Normal

    Running processes:
    C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtTry.exe
    C:\windows\system32\taskeng.exe
    C:\windows\system32\Dwm.exe
    C:\windows\Explorer.EXE
    c:\Program Files\Hewlett-Packard\IAM\Bin\AsGHost.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
    C:\Windows\System32\igfxtray.exe
    C:\Windows\System32\hkcmd.exe
    C:\Windows\System32\igfxpers.exe
    C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe
    C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\pthosttr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
    C:\Windows\system32\igfxsrvc.exe
    C:\Program Files\SiteAdvisor\6173\SiteAdv.exe
    C:\Program Files\Hewlett-Packard\File Sanitizer\CoreShredder.exe
    C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
    C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
    C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
    C:\Program Files\Belgium Identity Card\beid35gui.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
    c:\Program Files\ActivIdentity\ActivClient\acevents.exe
    C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\VolCtrl.exe
    c:\Program Files\Hewlett-Packard\Embedded Security Software\PSDrt.exe
    C:\Program Files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
    C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
    G:\HijackThis.exe
    C:\windows\system32\wuauclt.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=nl_be&c=83&bd=all&pf=cmnb
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.be/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=nl_be&c=83&bd=all&pf=cmnb
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=nl_be&c=83&bd=all&pf=cmnb
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O1 - Hosts: ::1 localhost
    O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6173\SiteAdv.dll
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: BHO_Startup - {3134413B-49B4-425C-98A5-893C1F195601} - C:\Program Files\Hewlett-Packard\File Sanitizer\IEBHO.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Credential Manager for HP ProtectTools - {DF21F1DB-80C6-11D3-9483-B03D0EC10000} - c:\Program Files\Hewlett-Packard\IAM\Bin\ItIEAddIn.dll
    O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6173\SiteAdv.dll
    O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
    O4 - HKLM\..\Run: [accrdsub] "c:\Program Files\ActivIdentity\ActivClient\accrdsub.exe "
    O4 - HKLM\..\Run: [PTHOSTTR] c:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE /Start
    O4 - HKLM\..\Run: [CognizanceTS] rundll32.exe c:\PROGRA~1\HEWLET~1\IAM\Bin\ASTSVCC.dll,RegisterModule
    O4 - HKLM\..\Run: [PDF Complete] C:\Program Files\PDF Complete\pdfsty.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
    O4 - HKLM\..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
    O4 - HKLM\..\Run: [MVS Splash] C:\Program Files\McAfee\Managed VirusScan\Agent\Splash.exe
    O4 - HKLM\..\Run: [McAfee Managed Services Tray] C:\Program Files\McAfee\Managed VirusScan\Agent\StartMyAgtTry.Exe
    O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6173\SiteAdv.exe
    O4 - HKLM\..\Run: [IFXSPMGT] c:\Windows\system32\ifxspmgt.exe /NotifyLogon
    O4 - HKLM\..\Run: [File Sanitizer] C:\Program Files\Hewlett-Packard\File Sanitizer\CoreShredder.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe "
    O4 - HKLM\..\Run: [QlbCtrl.exe] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
    O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
    O4 - HKLM\..\Run: [HP Software Update] c:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\soundmax.exe /tray
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe "
    O4 - HKLM\..\Run: [beid] "C:\Program Files\Belgium Identity Card\beid35gui.exe" /startup
    O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
    O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - Global Startup: BTTray.lnk = ?
    O4 - Global Startup: DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
    O8 - Extra context menu item: Afbeelding verzenden naar &Bluetooth-apparaat... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
    O8 - Extra context menu item: Pagina verzenden naar &Bluetooth-apparaat... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
    O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O13 - Gopher Prefix:
    O20 - AppInit_DLLs: C:\Windows\System32\APSHook.dll C:\Windows\System32\APSHook.dll C:\Windows\System32\APSHook.dll APSHook.dll
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: ActivClient Middleware Service (accoca) - ActivIdentity - c:\Program Files\ActivIdentity\ActivClient\accoca.exe
    O23 - Service: Andrea ADI Filters Service (AEADIFilters) - Andrea Electronics Corporation - C:\windows\system32\AEADISRV.EXE
    O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\windows\system32\agrsmsvc.exe
    O23 - Service: AuthenTec Fingerprint Service (ATService) - AuthenTec, Inc. - c:\Program Files\Fingerprint Sensor\AtService.exe
    O23 - Service: Com4QLBEx - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
    O23 - Service: EBMLockServerNoLic - EBM Consult BV - C:\Program Files\Epact-W-VL Demo 1.2.0\EBMLockServerNoLic.exe
    O23 - Service: EngineServer - McAfee, Inc. - C:\PROGRA~1\McAfee\MANAGE~1\VScan\ENGINE~1.EXE
    O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
    O23 - Service: HP ProtectTools Service - Hewlett-Packard Development Company, L.P - c:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTChangeFilterService.exe
    O23 - Service: Drive Encryption Service (HpFkCryptService) - SafeBoot International - c:\Program Files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe
    O23 - Service: File Sanitizer for HP ProtectTools (HPFSService) - Hewlett-Packard - C:\Program Files\Hewlett-Packard\File Sanitizer\HPFSService.exe
    O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    O23 - Service: HP Service (hpsrv) - Hewlett-Packard Corporation - C:\windows\system32\Hpservice.exe
    O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: Security Platform Management Service (IFXSpMgtSrv) - Infineon Technologies AG - c:\Windows\system32\ifxspmgt.exe
    O23 - Service: Trusted Platform Core Service (IFXTCS) - Infineon Technologies AG - c:\Windows\system32\ifxtcs.exe
    O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
    O23 - Service: McShield - McAfee, Inc. - C:\PROGRA~1\McAfee\MANAGE~1\VScan\McShield.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
    O23 - Service: McAfee Virus and Spyware Protection Service (myAgtSvc) - McAfee, Inc. - C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.Exe
    O23 - Service: PDF Document Manager (pdfcDispatcher) - PDF Complete Inc - C:\Program Files\PDF Complete\pdfsvc.exe
    O23 - Service: Personal Secure Drive Service (PersonalSecureDriveService) - Infineon Technologies AG - c:\Windows\system32\IfxPsdSv.exe
    O23 - Service: RoxMediaDB10 - Sonic Solutions - c:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe
    O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6173\SAService.exe
    O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe

    --
    End of file - 11692 bytes
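The HijackThis log above is what the analyst reads by hand: O2/O3 entries with "(no file)", O4 autoruns launched from odd places, the O20 AppInit_DLLs value (which loads its DLLs into every process and here lists APSHook.dll several times), and O23 services with "Unknown owner". The script below is an added example, not a tool from this thread or from Trend Micro, that applies those same first-pass checks to log lines in HijackThis format. The sample lines it ships with are constructed (the "Updater" autorun in a Temp folder is an invented illustration of an autorun outside the usual directories, not a finding from the log posted above), and the list of trusted directories is a deliberately simple assumption.

```python
"""First-pass triage of HijackThis-style log lines (added example, not the forum's
or Trend Micro's code). Flags orphan BHO entries, autoruns and services that live
outside Program Files / Windows, duplicate or directory-less AppInit_DLLs entries,
and services with no identifiable publisher."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumption for this example: binaries started from these locations are "expected";
# anything else (user profile, temp folders, drive roots) deserves a closer look.
TRUSTED_DIRS = ("c:\\program files", "c:\\progra~1", "c:\\windows", "%programfiles%")

# Constructed sample in HijackThis format; the Temp-folder "Updater" line is invented.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKCU\..\Run: [Updater] C:\Users\Admin\AppData\Local\Temp\updater.exe
O20 - AppInit_DLLs: C:\Windows\System32\APSHook.dll C:\Windows\System32\APSHook.dll APSHook.dll
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6173\SAService.exe
O23 - Service: McShield - McAfee, Inc. - C:\PROGRA~1\McAfee\MANAGE~1\VScan\McShield.exe
"""

O4_RE = re.compile(r"^O4 - (?P<key>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


@dataclass
class Finding:
    line: str    # the raw log line that triggered the finding
    reason: str  # why an analyst should look at it


def extract_path(command: str) -> str:
    """Pull the executable path out of an autorun command line.

    Quoted commands keep everything inside the quotes; unquoted ones lose their
    trailing "/switch" or "-switch" tokens so that spaces in the path survive.
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command.strip('"')
    return re.sub(r"(\s+[-/]\S*)+$", "", command)


def in_trusted_dir(path: str) -> bool:
    return path.lower().startswith(TRUSTED_DIRS)


def triage(log: str) -> list[Finding]:
    """Return one Finding per suspicious detail found in the log text."""
    findings: list[Finding] = []
    for line in (l.strip() for l in log.splitlines()):
        if line.startswith(("O2 - ", "O3 - ")):
            target = line.rsplit(" - ", 1)[-1]          # path is the last " - " field
            if target == "(no file)":
                findings.append(Finding(line, "orphan BHO/toolbar entry: file missing"))
            elif not in_trusted_dir(target):
                findings.append(Finding(line, "BHO/toolbar loaded from unusual directory"))
        elif line.startswith("O4 - "):
            m = O4_RE.match(line)
            if m:
                # rundll32 entries name the DLL after the host process; judge the DLL path
                cmd = re.sub(r"^rundll32(\.exe)?\s+", "", m["cmd"], flags=re.IGNORECASE)
                if not in_trusted_dir(extract_path(cmd)):
                    findings.append(Finding(line, "autorun outside Program Files / Windows"))
        elif line.startswith("O20 - AppInit_DLLs:"):
            dlls = line.split(":", 1)[1].split()
            if len({d.lower() for d in dlls}) < len(dlls):
                findings.append(Finding(line, "AppInit_DLLs lists the same DLL more than once"))
            for dll in dlls:
                if "\\" not in dll:   # bare name: resolved through the DLL search order
                    findings.append(Finding(line, f"AppInit_DLLs entry '{dll}' has no directory"))
        elif line.startswith("O23 - "):
            m = O23_RE.match(line)
            if m:
                if m["owner"] == "Unknown owner":
                    findings.append(Finding(line, "service has no identifiable publisher"))
                if not in_trusted_dir(m["path"].strip('"')):
                    findings.append(Finding(line, "service binary outside Program Files / Windows"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```

The checks are deliberately conservative heuristics: a hit means "look here", not "malicious", and a log with no hits (as for the autoruns in the posted log, which all live under Program Files or Windows) does not rule out a malicious service, which is exactly why the thread moves on to ComboFix and TDSSKiller.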
     
  6. 2010/03/03
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
  7. 2010/03/03
    Clavis

    Clavis Inactive Thread Starter

    Joined:
    2010/03/03
    Messages:
    7
    Likes Received:
    0
McAfee completely removed (ComboFix does not give a message anymore). But also now the program seems to hang. Had to kill it again after more than half an hour ... no response ... no log.

    HijackThis-log is posted before.

    To be continued tomorrow ... I'm looking forward to a solution of my problem.
     
  8. 2010/03/03
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click Rkill and choose Run as Administrator

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    * Rkill.com
    * Rkill.scr
    * Rkill.pif
    * Rkill.exe

    * Double-click on the Rkill desktop icon to run the tool.
    * If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    * A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    * If not, delete the file, then download and use the one provided in Link 2.
    * If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    * Do not reboot until instructed.
    * If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run then try to immediately run Combofix.

    If it still doesn't work, try Safe Mode.
     
  9. 2010/03/04
    Clavis

    Clavis Inactive Thread Starter

    Joined:
    2010/03/03
    Messages:
    7
    Likes Received:
    0
    Combofix doesn't seem to work !
I ran rkill without any problem (black box came and got a small log-report) but when I ran Combofix ... it hangs.
    Tried in Safe Mode ... same result.

    I get the message that it is looking for infected files and that it will not take more than 10 minutes (or double) .. but even after 30 minutes nothing changed on this screen .. no progress, no movements ...
     
  10. 2010/03/04
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Download TDSSKiller and save it to your Desktop.
    Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
    Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

    If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
    When it is done, a log file should be created on your C: drive called TDSSKiller.txt please copy and paste the contents of that file here.
     
  11. 2010/03/05
    Clavis

    Clavis Inactive Thread Starter

    Joined:
    2010/03/03
    Messages:
    7
    Likes Received:
    0
    This is the log :

    09:28:49:180 2484 TDSS rootkit removing tool 2.2.7.1 Feb 27 2010 13:29:25
    09:28:49:180 2484 ================================================================================
    09:28:49:180 2484 SystemInfo:

    09:28:49:180 2484 OS Version: 6.0.6001 ServicePack: 1.0
    09:28:49:180 2484 Product type: Workstation
    09:28:49:180 2484 ComputerName: LAPTOP_2009
    09:28:49:180 2484 UserName: Admin
    09:28:49:180 2484 Windows directory: C:\windows
    09:28:49:180 2484 Processor architecture: Intel x86
    09:28:49:180 2484 Number of processors: 2
    09:28:49:180 2484 Page size: 0x1000
    09:28:49:180 2484 Boot type: Normal boot
    09:28:49:180 2484 ================================================================================
    09:28:49:180 2484 UnloadDriverW: NtUnloadDriver error 2
    09:28:49:180 2484 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
    09:29:01:394 2484 Initialize success
    09:29:01:394 2484
    09:29:01:394 2484 Scanning Services ...
    09:29:01:394 2484 wfopen_ex: Trying to open file C:\windows\system32\config\system
    09:29:01:394 2484 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
    09:29:01:394 2484 wfopen_ex: Trying to KLMD file open
    09:29:01:394 2484 wfopen_ex: File opened ok (Flags 2)
    09:29:01:472 2484 wfopen_ex: Trying to open file C:\windows\system32\config\software
    09:29:01:472 2484 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
    09:29:01:472 2484 wfopen_ex: Trying to KLMD file open
    09:29:01:472 2484 wfopen_ex: File opened ok (Flags 2)
    09:29:02:018 2484 GetAdvancedServicesInfo: Raw services enum returned 459 services
    09:29:02:018 2484 fclose_ex: Trying to close file C:\windows\system32\config\system
    09:29:02:018 2484 fclose_ex: Trying to close file C:\windows\system32\config\software
    09:29:02:018 2484
    09:29:02:018 2484 Scanning Kernel memory ...
    09:29:02:018 2484 Devices to scan: 2
    09:29:02:018 2484
    09:29:02:018 2484 Driver Name: USBSTOR
    09:29:02:018 2484 IRP_MJ_CREATE : 819F9B40
    09:29:02:018 2484 IRP_MJ_CREATE_NAMED_PIPE : 81C68013
    09:29:02:018 2484 IRP_MJ_CLOSE : 819F9BB8
    09:29:02:018 2484 IRP_MJ_READ : 819F9C30
    09:29:02:018 2484 IRP_MJ_WRITE : 819F9C30
    09:29:02:018 2484 IRP_MJ_QUERY_INFORMATION : 81C68013
    09:29:02:018 2484 IRP_MJ_SET_INFORMATION : 81C68013
    09:29:02:018 2484 IRP_MJ_QUERY_EA : 81C68013
    09:29:02:018 2484 IRP_MJ_SET_EA : 81C68013
    09:29:02:018 2484 IRP_MJ_FLUSH_BUFFERS : 81C68013
    09:29:02:018 2484 IRP_MJ_QUERY_VOLUME_INFORMATION : 81C68013
    09:29:02:018 2484 IRP_MJ_SET_VOLUME_INFORMATION : 81C68013
    09:29:02:018 2484 IRP_MJ_DIRECTORY_CONTROL : 81C68013
    09:29:02:018 2484 IRP_MJ_FILE_SYSTEM_CONTROL : 81C68013
    09:29:02:018 2484 IRP_MJ_DEVICE_CONTROL : 819F9828
    09:29:02:018 2484 IRP_MJ_INTERNAL_DEVICE_CONTROL : 819EE4AA
    09:29:02:018 2484 IRP_MJ_SHUTDOWN : 81C68013
    09:29:02:018 2484 IRP_MJ_LOCK_CONTROL : 81C68013
    09:29:02:018 2484 IRP_MJ_CLEANUP : 81C68013
    09:29:02:018 2484 IRP_MJ_CREATE_MAILSLOT : 81C68013
    09:29:02:018 2484 IRP_MJ_QUERY_SECURITY : 81C68013
    09:29:02:018 2484 IRP_MJ_SET_SECURITY : 81C68013
    09:29:02:018 2484 IRP_MJ_POWER : 819F7F9A
    09:29:02:018 2484 IRP_MJ_SYSTEM_CONTROL : 819F57A2
    09:29:02:018 2484 IRP_MJ_DEVICE_CHANGE : 81C68013
    09:29:02:018 2484 IRP_MJ_QUERY_QUOTA : 81C68013
    09:29:02:018 2484 IRP_MJ_SET_QUOTA : 81C68013
    09:29:02:018 2484 siohd: 0
    09:29:02:034 2484 C:\windows\system32\DRIVERS\USBSTOR.SYS - Verdict: Clean
    09:29:02:034 2484
    09:29:02:034 2484 Driver Name: iaStor
    09:29:02:034 2484 IRP_MJ_CREATE : 8227779A
    09:29:02:034 2484 IRP_MJ_CREATE_NAMED_PIPE : 81C68013
    09:29:02:034 2484 IRP_MJ_CLOSE : 8227779A
    09:29:02:034 2484 IRP_MJ_READ : 81C68013
    09:29:02:034 2484 IRP_MJ_WRITE : 81C68013
    09:29:02:034 2484 IRP_MJ_QUERY_INFORMATION : 81C68013
    09:29:02:034 2484 IRP_MJ_SET_INFORMATION : 81C68013
    09:29:02:034 2484 IRP_MJ_QUERY_EA : 81C68013
    09:29:02:034 2484 IRP_MJ_SET_EA : 81C68013
    09:29:02:034 2484 IRP_MJ_FLUSH_BUFFERS : 81C68013
    09:29:02:034 2484 IRP_MJ_QUERY_VOLUME_INFORMATION : 81C68013
    09:29:02:034 2484 IRP_MJ_SET_VOLUME_INFORMATION : 81C68013
    09:29:02:034 2484 IRP_MJ_DIRECTORY_CONTROL : 81C68013
    09:29:02:034 2484 IRP_MJ_FILE_SYSTEM_CONTROL : 81C68013
    09:29:02:034 2484 IRP_MJ_DEVICE_CONTROL : 822750A0
    09:29:02:034 2484 IRP_MJ_INTERNAL_DEVICE_CONTROL : 8227278C
    09:29:02:034 2484 IRP_MJ_SHUTDOWN : 81C68013
    09:29:02:034 2484 IRP_MJ_LOCK_CONTROL : 81C68013
    09:29:02:034 2484 IRP_MJ_CLEANUP : 81C68013
    09:29:02:034 2484 IRP_MJ_CREATE_MAILSLOT : 81C68013
    09:29:02:034 2484 IRP_MJ_QUERY_SECURITY : 81C68013
    09:29:02:034 2484 IRP_MJ_SET_SECURITY : 81C68013
    09:29:02:034 2484 IRP_MJ_POWER : 8226E5F4
    09:29:02:034 2484 IRP_MJ_SYSTEM_CONTROL : 8226DB54
    09:29:02:034 2484 IRP_MJ_DEVICE_CHANGE : 81C68013
    09:29:02:034 2484 IRP_MJ_QUERY_QUOTA : 81C68013
    09:29:02:034 2484 IRP_MJ_SET_QUOTA : 81C68013
    09:29:02:034 2484 TDL3_StartIoLastChanceHookDetect: Unable to dump StartIo handler code
    09:29:02:034 2484 sion
    09:29:02:050 2484 C:\windows\system32\drivers\iastor.sys - Verdict: Clean
    09:29:02:050 2484
    09:29:02:050 2484 Completed
    09:29:02:050 2484
    09:29:02:050 2484 Results:
    09:29:02:050 2484 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
    09:29:02:050 2484 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
    09:29:02:050 2484 File objects infected / cured / cured on reboot: 0 / 0 / 0
    09:29:02:050 2484
    09:29:02:050 2484 KLMD(ARK) unloaded successfully
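Reading the TDSSKiller log above means looking at two things per driver: the Verdict line, and the IRP dispatch table, where most IRP_MJ_* slots share one address (the kernel's stub for unsupported requests, 81C68013 here) and the remaining slots point into the driver's own image. A hooked table shows up as a handler that lives in neither place. The script below is an added example, not part of TDSSKiller or of this thread: it parses the "HH:MM:SS:mmm PID message" lines, collects each driver's table, verdict and the Results counters, and applies a simple heuristic for out-of-place handlers (same 1 MiB region as the driver's IRP_MJ_CREATE handler, or the shared stub). The USBSTOR entries in the sample are taken from the posted log; the second driver, "sampleDisk", and its addresses are constructed to show what a flagged table looks like.

```python
"""Summarise a TDSSKiller log: per-driver verdicts, dispatch-table heuristic, totals.
Added example, not TDSSKiller's own check: its Verdict line stays authoritative."""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass, field

LINE_RE = re.compile(r"^(?P<ts>\d{2}:\d{2}:\d{2}:\d{3}) (?P<pid>\d+) ?(?P<msg>.*)$")
DRIVER_RE = re.compile(r"^Driver Name: (?P<name>\S+)$")
IRP_RE = re.compile(r"^(?P<irp>IRP_MJ_\w+) : (?P<addr>[0-9A-Fa-f]+)$")
VERDICT_RE = re.compile(r"^(?P<file>.+?) - Verdict: (?P<verdict>.+)$")
RESULT_RE = re.compile(r"^(?P<kind>Memory|Registry|File) objects infected / cured / "
                       r"cured on reboot: (?P<a>\d+) / (?P<b>\d+) / (?P<c>\d+)$")

# Constructed sample in TDSSKiller's layout. USBSTOR lines come from the posted log;
# "sampleDisk" and its handler addresses are invented to exercise the heuristic.
SAMPLE_LOG = r"""
09:29:02:018 2484 Scanning Kernel memory ...
09:29:02:018 2484 Driver Name: USBSTOR
09:29:02:018 2484 IRP_MJ_CREATE : 819F9B40
09:29:02:018 2484 IRP_MJ_CREATE_NAMED_PIPE : 81C68013
09:29:02:018 2484 IRP_MJ_CLOSE : 819F9BB8
09:29:02:018 2484 IRP_MJ_READ : 819F9C30
09:29:02:018 2484 IRP_MJ_WRITE : 819F9C30
09:29:02:018 2484 IRP_MJ_QUERY_INFORMATION : 81C68013
09:29:02:018 2484 IRP_MJ_SET_INFORMATION : 81C68013
09:29:02:018 2484 IRP_MJ_DEVICE_CONTROL : 819F9828
09:29:02:034 2484 C:\windows\system32\DRIVERS\USBSTOR.SYS - Verdict: Clean
09:29:02:034 2484
09:29:02:034 2484 Driver Name: sampleDisk
09:29:02:034 2484 IRP_MJ_CREATE : 8A100100
09:29:02:034 2484 IRP_MJ_CREATE_NAMED_PIPE : 81C68013
09:29:02:034 2484 IRP_MJ_CLOSE : 8A100180
09:29:02:034 2484 IRP_MJ_READ : 8F7C2000
09:29:02:034 2484 IRP_MJ_WRITE : 8F7C2000
09:29:02:034 2484 IRP_MJ_QUERY_INFORMATION : 81C68013
09:29:02:034 2484 IRP_MJ_SET_INFORMATION : 81C68013
09:29:02:034 2484 IRP_MJ_FLUSH_BUFFERS : 81C68013
09:29:02:034 2484 IRP_MJ_DEVICE_CONTROL : 8F7C2400
09:29:02:050 2484 Results:
09:29:02:050 2484 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
09:29:02:050 2484 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
09:29:02:050 2484 File objects infected / cured / cured on reboot: 0 / 0 / 0
"""


@dataclass
class DriverScan:
    name: str
    irps: dict[str, int] = field(default_factory=dict)   # IRP_MJ_* -> handler address
    verdict: str = "(none recorded)"

    def stub_address(self) -> int:
        """The address most slots share: the kernel's 'unsupported request' stub."""
        return Counter(self.irps.values()).most_common(1)[0][0]

    def suspicious_entries(self) -> list[str]:
        """Slots whose handler is neither the stub nor within the same 1 MiB region
        as IRP_MJ_CREATE (a heuristic stand-in for 'inside the driver image')."""
        stub = self.stub_address()
        region = self.irps.get("IRP_MJ_CREATE", stub) >> 20
        return [irp for irp, addr in self.irps.items()
                if addr != stub and (addr >> 20) != region]


def parse_log(text: str) -> tuple[list[DriverScan], dict[str, tuple[int, int, int]]]:
    """Return the per-driver scans and the Results counters (infected, cured, on reboot)."""
    drivers: list[DriverScan] = []
    results: dict[str, tuple[int, int, int]] = {}
    current: DriverScan | None = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        msg = m["msg"].strip()
        if (d := DRIVER_RE.match(msg)):
            current = DriverScan(d["name"])
            drivers.append(current)
        elif (i := IRP_RE.match(msg)) and current:
            current.irps[i["irp"]] = int(i["addr"], 16)
        elif (v := VERDICT_RE.match(msg)) and current:
            current.verdict = v["verdict"]
        elif (r := RESULT_RE.match(msg)):
            results[r["kind"]] = (int(r["a"]), int(r["b"]), int(r["c"]))
    return drivers, results


if __name__ == "__main__":
    scans, totals = parse_log(SAMPLE_LOG)
    for s in scans:
        print(f"{s.name}: verdict={s.verdict} stub={s.stub_address():08X} "
              f"out-of-place={s.suspicious_entries() or 'none'}")
    print("totals:", totals)
```

On the posted log this reports both drivers as Clean with no out-of-place handlers, matching the 0 / 0 / 0 totals; the constructed "sampleDisk" shows how a table whose READ, WRITE and DEVICE_CONTROL slots point into a region unrelated to the driver's own CREATE handler would be surfaced for a human to confirm.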
     
  12. 2010/03/05
    Clavis

    Clavis Inactive Thread Starter

    Joined:
    2010/03/03
    Messages:
    7
    Likes Received:
    0
    Found the "bloody bastard" ...

    O6KO.sys and O6KO.dll

create a scvhost service which blocked the access to the security sites.
    These files are part of KOOBFACE worm and/or Trojan_Dropper.Win32.Agent.bqsv.
    Followed the instructions of ThreatExpert website to remove ... and now it is possible again to access anything I want !!

    This thread may be closed !!

    ... and I am happy !! :):)
     
  13. 2010/03/05
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Good going :)

I still strongly suggest you post the Combofix log.
     
