trojan blockks system repair, startup

Here my HijackThis 2.02 log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:21:58, on 21/07/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
c:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
c:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe

Hope this helps?

 

There should be more to your hijack this log than what you have posted. You might want to try that again.

Read this first: Windows BBS - Announcements in Forum : Removing Spyware & Viruses

 

system repair - trojan - doesn't remember settings

Arie, sorry,

Deckard's System Scanner v20071014.68
Run by quasimodo on 2008-07-21 22:46:11
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 2 Restore Point(s) --
2: 2008-07-21 20:46:16 UTC - RP22 - Deckard's System Scanner Restore Point
1: 2008-07-21 19:35:35 UTC - RP21 - Controlepunt van systeem


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as quasimodo.exe) -------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:47:27, on 21/07/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
c:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
c:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\Dit.exe
C:\PROGRA~1\Medion Tools\KeyStat\KeyStat.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\dslagent.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Documents and Settings\quasimodo\Bureaublad\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\quasimodo.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Google
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = LOGOGLE is closing.)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {8FFF4FC7-2079-4F05-99C9-3EBE00795F4F} - c:\windows\system32\cvxsmzj.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [Keyboard Status] C:\PROGRA~1\Medion Tools\KeyStat\KeyStat.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe "
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe "
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [GameFace Messenger] C:\Program Files\GameFace Messenger\GameFace.exe
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe "
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe "
O4 - HKLM\..\Run: [a5o8q] C:\WINDOWS\system32\a5o8q.exe
O4 - HKLM\..\Run: [GsiFinal] rundll32 gspndll.dll,postInstall final
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ASUS SmartDoctor] C:\Program Files\ASUS\SmartDoctor\SmartDoctor.exe /start
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.aldi.com/
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MT...w.mazdausa.com/MusaWeb/rx8/tour/noplugin.html
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {4EE87D5D-654F-11D7-828F-B1119AEC2423} (ParCurvCtrl.PCurvCtrl) - http://www.wiskundeonline.nl/ActiveX/ParCurv/Package/ParCurvCtrl.CAB
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://scan.safety.live.com/resource/download/scanner/wlscbase5059.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120044746250
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1120044715890
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Besturing) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotions/spywaredetector/WebAAS.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?326
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: xvcmecqn - C:\WINDOWS\SYSTEM32\cvxsmzj.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Boonty Games - BOONTY - C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates International Inc. - c:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates International Inc. - c:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod-service (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - c:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cycling Manager 2007 Drivers Auto Removal (pr2akt6c) (pr2akt6c) - Cyanide - C:\WINDOWS\system32\pr2akt6c.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

--
End of file - 11862 bytes

-- File Associations -----------------------------------------------------------

.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1 ",%*
.cpl - cplfile - shell\runas\command - rundll32.exe shell32.dll,Control_RunDLLAsUser "%1 ",%*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 BTHidMgr (Bluetooth HID Manager Service) - c:\windows\system32\drivers\bthidmgr.sys <Not Verified; IVT Corporation; BlueSoleil(c)>
R0 rnsjbbou - c:\windows\system32\drivers\rnsjbbou.sys <Not Verified; Lavasoft AB; Ad-Watch Beta>
R0 sfdrv01 (StarForce Protection Environment Driver (version 1.x)) - c:\windows\system32\drivers\sfdrv01.sys <Not Verified; Protection Technology (StarForce); SF FrontLine>
R0 sfhlp02 (StarForce Protection Helper Driver (version 2.x)) - c:\windows\system32\drivers\sfhlp02.sys <Not Verified; Protection Technology (StarForce); SF FrontLine>
R0 sfsync02 (StarForce Protection Synchronization Driver (version 2.x)) - c:\windows\system32\drivers\sfsync02.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 sfvfs02 (StarForce Protection VFS Driver (version 2.x)) - c:\windows\system32\drivers\sfvfs02.sys <Not Verified; Protection Technology; StarForce Protection System>
R1 EIO - c:\windows\system32\drivers\eio.sys <Not Verified; ASUSTeK Computer Inc.; ASUS Kernel Mode Driver for NT>
R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.0.0.5) - c:\windows\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.0.0.6>
R3 ASUSVRC (ASUSTeK Virtual Capture Device) - c:\windows\system32\drivers\asusvrc.sys <Not Verified; ASUSTeK COMPUTER INC.; Microsoft(R) Windows NT(R) Operating System>
R3 Btcsrusb (Bluetooth USB For Bluetooth Service) - c:\windows\system32\drivers\btcusb.sys <Not Verified; IVT Corporation; Bluetooth USB Device Driver>
R3 BTHidEnum (Bluetooth HID Enumerator) - c:\windows\system32\drivers\vbtenum.sys
R3 VComm (Virtual Serial port driver) - c:\windows\system32\drivers\vcomm.sys <Not Verified; IVT Corporation; BlueSoleil>
R3 VcommMgr (Bluetooth VComm Manager Service) - c:\windows\system32\drivers\vcommmgr.sys <Not Verified; IVT Corporation; BlueSoleil>

S2 gafwload (Webr@cer 850 USB ADSL Loader) - c:\windows\system32\drivers\gafwload.sys <Not Verified; GlobeSpan Inc.; GlobeSpan USB ADSL Firmware Loader>
S3 BlueletAudio (Bluetooth Audio Service) - c:\windows\system32\drivers\blueletaudio.sys <Not Verified; IVT Corporation; Windows (R) 2000 DDK driver>
S3 BT (Bluetooth PAN Network Adapter) - c:\windows\system32\drivers\btnetdrv.sys <Not Verified; IVT Corporation; BlueSoleil>
S3 BTNetFilter (Bluetooth Network Filter) - c:\windows\system32\drivers\btnetfilter.sys
S3 CardReaderFilter (Card Reader Filter) - c:\windows\system32\drivers\usbcrft.sys <Not Verified; ICSI Technology Ltd.; USB Card Reader and FlashDisk>
S3 CO_Mon - c:\windows\system32\drivers\co_mon.sys
S3 gkmixern - c:\docume~1\quasim~1\locals~1\temp\gkmixern.sys (file missing)
S3 wanusb (Webr@cer 850 USB ADSL WAN Modem) - c:\windows\system32\drivers\gwausb.sys <Not Verified; GlobeSpan Inc.; GlobeSpan WAN ADSL USB Modem>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 BlueSoleil Hid Service - c:\program files\ivt corporation\bluesoleil\btntservice.exe
R2 CA_LIC_CLNT (CA License Client) - "c:\program files\ca\sharedcomponents\ca_lic\lic98rmt.exe" <Not Verified; Computer Associates International Inc.; Lic98>
R2 LogWatch (Event Log Watch) - "c:\program files\ca\sharedcomponents\ca_lic\logwatnt.exe" <Not Verified; Computer Associates; Computer Associates LogWatNT>
R2 Viewpoint Manager Service - "c:\program files\viewpoint\common\viewpointservice.exe" <Not Verified; Viewpoint Corporation; Viewpoint Manager>

S3 Boonty Games - "c:\program files\common files\boonty shared\service\boonty.exe" <Not Verified; BOONTY; Boonty Games>
S3 CA_LIC_SRVR (CA License Server) - "c:\program files\ca\sharedcomponents\ca_lic\lic98rmtd.exe" <Not Verified; Computer Associates International Inc.; Lic98>
S3 WmcCds (Windows Media Connect (WMC)) - c:\program files\windows media connect\mswmccds.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
S3 WmcCdsLs (Windows Media Connect (WMC) Helper) - c:\program files\windows media connect\mswmcls.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
S3 x10nets (X10 Device Network Service) - c:\progra~1\common~1\x10\common\x10nets.exe <Not Verified; X10; x10 Module>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: RT2500 USB Wireless LAN Card
Device ID: USB\VID_148F&PID_2570\6&2BA0E92B&0&1
Manufacturer: Ralink Technology Corp.
Name: RT2500 USB Wireless LAN Card
PNP Device ID: USB\VID_148F&PID_2570\6&2BA0E92B&0&1
Service: RT2500USB

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: 1394-netwerkkaart
Device ID: V1394\NIC1394\924A3010DC00
Manufacturer: Microsoft
Name: 1394-netwerkkaart
PNP Device ID: V1394\NIC1394\924A3010DC00
Service: NIC1394

Class GUID: {4D36E96C-E325-11CE-BFC1-08002BE10318}
Description: Bluetooth AV/HS Audio
Device ID: ROOT\MEDIA\0000
Manufacturer: IVT Corporation.
Name: Bluetooth AV/HS Audio
PNP Device ID: ROOT\MEDIA\0000
Service:

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Bluetooth PAN Network Adapter
Device ID: ROOT\NET\0000
Manufacturer: IVT Corporation
Name: Bluetooth PAN Network Adapter
PNP Device ID: ROOT\NET\0000
Service: BT


-- Scheduled Tasks -------------------------------------------------------------

2008-07-21 20:13:55 330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job
2008-07-18 12:07:43 402 --a------ C:\WINDOWS\Tasks\Schedule Task Weekly.job
2008-07-08 09:19:00 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-06-21 and 2008-07-21 -----------------------------

2008-07-21 21:21:01 0 d-------- C:\Program Files\Trend Micro
2008-07-21 17:03:01 0 d-------- C:\Documents and Settings\nick\Application Data\Mozilla
2008-07-21 17:03:01 0 d-------- C:\Documents and Settings\nick\Application Data\hfwqrppp
2008-07-21 11:46:46 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-07-21 11:45:35 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-07-21 11:45:35 0 d-------- C:\Documents and Settings\quasimodo\Application Data\SUPERAntiSpyware.com
2008-07-20 00:07:48 0 d-------- C:\Documents and Settings\sam\Application Data\Viewpoint
2008-07-19 11:34:27 0 d-------- C:\WINDOWS\Prefetch
2008-07-19 11:16:45 0 d-------- C:\WINDOWS\ServicePackFiles
2008-07-18 08:34:39 0 d-------- C:\Program Files\Registry Easy
2008-07-12 00:06:18 0 d-------- C:\Documents and Settings\sam\Application Data\Mozilla
2008-07-11 20:12:12 0 d-------- C:\Program Files\Ventrilo
2008-07-09 06:08:38 0 d-------- C:\Documents and Settings\quasimodo\Application Data\Mozilla
2008-07-05 12:43:47 0 dr-h----- C:\Documents and Settings\quasimodo\Onlangs geopend
2008-07-05 12:42:05 0 d-------- C:\Program Files\CCleaner
2008-07-05 10:23:51 0 d-------- C:\Documents and Settings\NetworkService\Application Data\Macromedia
2008-07-02 20:28:14 0 d-------- C:\Documents and Settings\LocalService\Application Data\Macromedia
2008-07-02 20:27:40 0 d-------- C:\Documents and Settings\LocalService\Application Data\Adobe
2008-07-02 20:23:33 0 d-------- C:\Documents and Settings\LocalService\Application Data\Google
2008-07-02 20:23:31 0 dr------- C:\Documents and Settings\LocalService\Favorieten
2008-06-30 18:15:57 0 dr-h----- C:\Documents and Settings\sam\Onlangs geopend
2008-06-30 14:57:04 0 d-------- C:\Documents and Settings\sam\Application Data\hfwqrppp
2008-06-30 08:12:19 0 d-------- C:\Documents and Settings\quasimodo\Application Data\PC Tools
2008-06-30 06:56:45 0 d-------- C:\WINDOWS\system32\nl
2008-06-30 06:56:45 0 d-------- C:\WINDOWS\system32\bits
2008-06-30 06:56:45 0 d-------- C:\WINDOWS\l2schemas
2008-06-30 06:45:49 0 d-------- C:\WINDOWS\EHome
2008-06-28 14:21:23 0 d-------- C:\Documents and Settings\quasimodo\Application Data\hfwqrppp
2008-06-28 14:10:42 0 d-------- C:\Documents and Settings\NetworkService\Application Data\Mozilla
2008-06-28 14:10:41 0 d-------- C:\Documents and Settings\NetworkService\Application Data\hfwqrppp
2008-06-28 12:55:22 0 d-------- C:\WINDOWS\system32\AppCert


-- Find3M Report ---------------------------------------------------------------

2008-07-21 11:44:54 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-20 04:08:09 0 d-------- C:\Program Files\Lavasoft
2008-07-19 20:11:16 98304 --a------ C:\WINDOWS\system32\CmdLineExt.dll <Not Verified; Sony DADC Austria AG.; >
2008-07-19 11:37:30 468486 --a------ C:\WINDOWS\system32\perfh013.dat
2008-07-19 11:37:30 82326 --a------ C:\WINDOWS\system32\perfc013.dat
2008-07-19 11:18:48 0 d-------- C:\Program Files\Messenger
2008-07-19 11:18:34 0 d-------- C:\Program Files\Movie Maker
2008-07-19 11:16:37 0 d-------- C:\Program Files\Windows NT
2008-07-18 09:16:29 0 d-------- C:\Documents and Settings\quasimodo\Application Data\uTorrent
2008-07-18 09:16:29 0 d-------- C:\Documents and Settings\quasimodo\Application Data\Pro Cycling Manager 2007
2008-07-18 09:16:29 0 d-------- C:\Documents and Settings\quasimodo\Application Data\DVD Shrink
2008-07-09 06:07:29 0 d-------- C:\Program Files\Common Files
2008-07-05 11:12:08 0 d-------- C:\Program Files\Userdata
2008-07-05 11:12:08 2575 --a------ C:\Program Files\HBOFF.LOG
2008-07-05 11:12:08 1479 --a----c- C:\Program Files\Hboff.ini
2008-06-30 18:18:28 0 d-------- C:\Program Files\Common Files\Logitech
2008-06-27 22:35:59 20708 --a------ C:\Documents and Settings\quasimodo\Application Data\wklnhst.dat
2008-06-04 15:37:25 0 d-------- C:\Program Files\Curse
2008-05-22 23:44:34 0 d-------- C:\Program Files\Common Files\DVDVideoSoft


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8FFF4FC7-2079-4F05-99C9-3EBE00795F4F}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AGRSMMSG "= "AGRSMMSG.exe" [04/03/2005 12:01 C:\WINDOWS\AGRSMMSG.exe]
"Dit "= "Dit.exe" [20/07/2004 19:18 C:\WINDOWS\Dit.exe]
"Keyboard Status "= "C:\PROGRA~1\Medion Tools\KeyStat\KeyStat.exe" [25/01/2005 12:03]
"NeroFilterCheck "= "C:\WINDOWS\system32\NeroCheck.exe" [09/07/2001 11:50]
"GSICONEXE "= "GSICON.EXE" [18/05/2001 19:29 C:\WINDOWS\system32\gsicon.exe]
"Zone Labs Client "= "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [23/08/2006 23:38]
"NvCplDaemon "= "C:\WINDOWS\system32\NvCpl.dll" [28/06/2007 18:43]
"nwiz "= "nwiz.exe" [28/06/2007 18:43 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter "= "C:\WINDOWS\system32\NvMcTray.dll" [28/06/2007 18:43]
"Adobe Reader Speed Launcher "= "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [11/01/2008 23:16]
"Kernel and Hardware Abstraction Layer "= "KHALMNPR.EXE" [11/04/2007 16:32 C:\WINDOWS\KHALMNPR.Exe]
"Windows Defender "= "C:\Program Files\Windows Defender\MSASCui.exe" [03/11/2006 19:20]
"QuickTime Task "= "C:\Program Files\QuickTime\qttask.exe" [29/06/2007 06:24]
"iTunesHelper "= "C:\Program Files\iTunes\iTunesHelper.exe" [15/08/2007 20:15]
"HPDJ Taskbar Utility "= "C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe" [05/11/2002 20:34]
"GameFace Messenger "= "C:\Program Files\GameFace Messenger\GameFace.exe" [01/11/2006 15:50]
"DSLAGENTEXE "= "dslagent.exe" [18/05/2001 19:29 C:\WINDOWS\system32\DSLAGENT.EXE]
"Adobe Photo Downloader "= "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [07/06/2005 00:46]
"avast! "= "C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [19/07/2008 16:38]
"ISTray "= "C:\Program Files\Spyware Doctor\pctsTray.exe" []
"a5o8q "= "C:\WINDOWS\system32\a5o8q.exe" []
"GsiFinal "= "gspndll.dll" [18/05/2001 19:28 C:\WINDOWS\system32\gspnDll.dll]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [14/04/2008 19:02]
"ASUS SmartDoctor "= "C:\Program Files\ASUS\SmartDoctor\SmartDoctor.exe" [18/07/2007 16:20]
"SpybotSD TeaTimer "= "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [28/01/2008 12:43]
"SUPERAntiSpyware "= "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [28/05/2008 10:33]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting "= "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t
"swg "=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [22/03/2008 15:46:17]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [22/03/2008 15:43:38]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} "= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [13/05/2008 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 19/04/2007 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
C:\WINDOWS\System32\dimsntfy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xvcmecqn]
cvxsmzj.dll 04/08/2004 13:59 103424 C:\WINDOWS\system32\cvxsmzj.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages "= scecli scecli

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@= "Service "

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@= "Service "

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=" "

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@= "Volume shadow copy "

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cmaudio]
RunDll32 cmicnfg.cpl,CMICtrlWnd

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
eapsvcs eaphost
dot3svc dot3svc

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
tkxnzqky
napagent
hkmsvc




-- Hosts -----------------------------------------------------------------------

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 Command - Keeping Software Free
127.0.0.1 032439.com

8816 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-07-21 22:48:52 ------------

Hope I done it right this time

Jan

 

Install and run this program and post the log file it creates.
http://www.malwaresupport.com/mbam/program/mbam-setup.exe

 

mbam mbam yes.... no

did dowload it, did the the setup, but didn't solve my problem. It well did point out some wrong files, but I couldn't remove them. (restart etc...) After that I was offline again and had to do some tricks to get me online again. (as of now). Your program did probably point out the wrong files, but the 'restart' didn't remove them, nor did they repair my repair-points.

Thanks anyway (getting bit depressed )

 

sorry, the log

Malwarebytes' Anti-Malware 1.22
Database versie: 979
Windows 5.1.2600 Service Pack 3

20:36:17 22/07/2008
mbam-log-7-22-2008 (20-36-17).txt

Scan type: Volledige Scan (C:\|D:\|E:\|F:\|)
Objecten gescand: 256652
Verstreken tijd: 54 minute(s), 37 second(s)

Geheugenprocessen geïnfecteerd: 0
Geheugenmodulen geïnfecteerd: 2
Registersleutels geïnfecteerd: 0
Registerwaarden geïnfecteerd: 0
Registerdata bestanden geïnfecteerd: 0
Mappen geïnfecteerd: 1
Bestanden geïnfecteerd: 7

Geheugenprocessen geïnfecteerd:
(Geen kwaadaardige items gevonden)

Geheugenmodulen geïnfecteerd:
C:\WINDOWS\system32\AppCert\wnl32.dll (Trojan.Downloader) -> Unloaded module successfully.
C:\WINDOWS\system32\AppCert\wsil32.dll (Trojan.Downloader) -> Unloaded module successfully.

Registersleutels geïnfecteerd:
(Geen kwaadaardige items gevonden)

Registerwaarden geïnfecteerd:
(Geen kwaadaardige items gevonden)

Registerdata bestanden geïnfecteerd:
(Geen kwaadaardige items gevonden)

Mappen geïnfecteerd:
C:\WINDOWS\system32\AppCert (Trojan.Downloader) -> Delete on reboot.

Bestanden geïnfecteerd:
C:\WINDOWS\system32\AppCert\filter.drv (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\AppCert\hb241g.dll (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\AppCert\options.dat (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\AppCert\wnl32.dll (Trojan.Downloader) -> Delete on reboot.
C:\WINDOWS\system32\AppCert\wsil32.dll (Trojan.Downloader) -> Delete on reboot.
C:\Documents and Settings\sam\Local Settings\Temp\CmdLineExt02.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\quasimodo\Bureaublad\services.txt (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

Something stange going on Watson (just a joke)

 

Yes, something strange going on, indeed.

It looks like malwarebytes got rid of a few of them. Can you be more specific about what is going on with your system? What kind of tricks are you doing to get online? These programs may not help your restore points and we may have to get rid of them anyway to be sure the trojans are gone.

Did anything improve or change after running Malwarebytes? Have you run a full system scan with your anti-virus program?



Ok, let's try this. Running ComboFix - MajorGeeks Support Forums

Print out the instructions for running combofix and read them carefully. Download the combofix program from the link and save it to your desktop.

This is a very tricky program and it does strange things when it's running, so please follow the instructions carefully. In some cases it might cause your computer to lock up.

 

didi the combo

And indeed the combo made a restore point, even after reboot. Still on the net. Let's try to install something silly, see if it works.
For the time thank you, but where is my AVAST?

Jan,

 

No, let's wait a bit before we install something silly. When combofix finished it produced a log file of what it did. You need to post that here so someone else can review it. It should be located at c:\combofix.txt Please see if you can find this file and post it.

Do you mean the icon for avast is gone ? Can you access it through the programs menu?

 

Seems allright again, thanks

Didin't do 'the silly', rand combofix and gosh I have repair points again form yesterday!!!! The system seems stable, removed ZoneAlarm (before)
Task manager seems clean in processes

Thanks very much, couldn't have done it without your help!

Jan

 

Hi Jan
If you feel your system is back to normal then you need to delete Combofix and Decker system scanner.

Combofix is a very powerful tool and not meant to be used as a normal scanner, it could do harm to your system if ran needlessly.
Both these tools are updated almost daily and a out of date version does you no good.

Please do this.

Click Start>Run in the run box copy and paste or type ComboFix /u then hit Enter to uninstall ComboFix and remove the files/folders it created.

Delete dss.exe from your desktop and this folder C:\Deckard

I would run a on-line scan to make sure there is nothing lurking.
Here are instructions for Kaspersky, if anything is found I would post the log.

Do an online scan with Kaspersky WebScanner

Click on “Accept” If your pop –up blocker blocks any windows from opening.

Click Run on the window that opens.
Windows Vista users you must open the web browser using the Run as Administrator command.

• The program will launch and then begin downloading the latest definition files:
• Under Scan on the left side.Click on My Computer
• This will start the program and scan your system.
• Click the “Scan Report” On the left side.
• The scan will take a while so be patient and let it run.
• Once the scan is complete it will display if your system has been infected.
  • Click the Save Report As button, and in the Browse dialog box, type a name for the scan report file that you want to create and select its type Text file. Click OK to save the file.:
• Save the text file to your desktop if anything is found and post it here.

Geri

 

kapersky and new infections

Sorry for the late answer, but, read on.
Ran Kaperksy several times (it is SLOOOOWW), but it stops after a fraction of the files available (less then 10%), however it found something today a least, an infection in a sound file. (WMA).
When I tried (as a premium paid user of RS) to install a multiple dowload tool, teatimer went crazy, had to block. Was infected by removalfile.bat (in my user temp directory (it is still there, iI can remove it, but want to read what's in it - blocked it from executing) Lost my previous recovery points AGAIN, ran Spybot, which found VIRTUMONDE with the BAT in it and a key (whatever it means) SBI $E7C36CB1.
In Win32 there was a malignant file calles efcBRQJY, which I manually removed, A Regkey was added 1D0339CA-7BCD-4161-83A8-7DADA344DF083. Don't have clue what it means. Ran Windowsdefender afterwards which says that my computer is running normally.
First the Kapersky scan results:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Saturday, August 2, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, August 01, 2008 17:10:26
Records in database: 1040933
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
K:\
L:\
M:\

Scan statistics:
Files scanned: 259644
Threat name: 1
Infected objects: 1
Suspicious objects: 0
Duration of the scan: 06:04:29


File name / Threat name / Threats count
M:\oldshared\Eighties classic.wma Infected: Trojan-Downloader.WMA.Wimad.l 1

The selected area was scanned.

Second the Windowsdefender
1.
Error encountered:
Code 0x80508019. The file or drive you are trying to scan does not exist on this computer. Choose another file or drive, and then scan your computer again.

Description:
This program has potentially unwanted behavior.

Advice:
Permit this detected item only if you trust the program or the software publisher.

Resources:
regkey:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\b0c6dc0b

runkey:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\b0c6dc0b

file:
C:\WINDOWS\system32\twoexypx.dll

Category:
Not Yet Classified

2.
Description:
This program has potentially unwanted behavior.

Advice:
Permit this detected item only if you trust the program or the software publisher.

Resources:
appinitdll:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs:jrtncm.dll

file:
C:\WINDOWS\system32\jrtncm.dll

Category:
Not Yet Classified

3.
ode 0x80508019. The file or drive you are trying to scan does not exist on this computer. Choose another file or drive, and then scan your computer again.

Description:
This program has potentially unwanted behavior.

Advice:
Permit this detected item only if you trust the program or the software publisher.

Resources:
clsid:
HKLM\SOFTWARE\CLASSES\CLSID\{76ac071b-c62e-42d5-84d9-071e3d8fb782}

regkey:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{76ac071b-c62e-42d5-84d9-071e3d8fb782}

regkey:
HKLM\SOFTWARE\CLASSES\CLSID\{76ac071b-c62e-42d5-84d9-071e3d8fb782}

bho:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{76ac071b-c62e-42d5-84d9-071e3d8fb782}

file:
C:\WINDOWS\system32\jrtncm.dll

Category:
Not Yet Classified

4.
This program has potentially unwanted behavior.

Advice:
Permit this detected item only if you trust the program or the software publisher.

Resources:
file:
C:\WINDOWS\system32\drivers\etc\hosts

Category:
Not Yet Classified

5.
This program has potentially unwanted behavior.

Advice:
Permit this detected item only if you trust the program or the software publisher.

Resources:
clsid:
HKLM\SOFTWARE\CLASSES\CLSID\{1D0339CA-7BCD-4161-83A8-7DADA344DFD8}

regkey:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1D0339CA-7BCD-4161-83A8-7DADA344DFD8}

regkey:
HKLM\SOFTWARE\CLASSES\CLSID\{1D0339CA-7BCD-4161-83A8-7DADA344DFD8}

bho:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1D0339CA-7BCD-4161-83A8-7DADA344DFD8}

file:
C:\WINDOWS\system32\cbXNFUlL.dll

Category:
Not Yet Classified

6.
This program has potentially unwanted behavior.

Advice:
Permit this detected item only if you trust the program or the software publisher.

Resources:
regkey:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\Malwarebytes Anti-Malware Reboot

runkey:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\Malwarebytes Anti-Malware Reboot

file:
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

Category:
Not Yet Classified

7.
This program has potentially unwanted behavior.

Advice:
Permit this detected item only if you trust the program or the software publisher.

Resources:
driver:
MBAMSwissArmy

file:
C:\WINDOWS\system32\drivers\mbamswissarmy.sys

Category:
Not Yet Classified

All Defender files or processes were succesfully blocked, only not the ones I manually deleted.

I the mean time, the system seems stable again. (Haven't rebooted yet , so God knows what's comming up)

Jan

 

Hi Jan

OK lets start from the beginning, so it is done correctly.

First delete the combofix you have if you have not deleted it.
Here is how.
Click Start>Run in the run box copy and paste or type ComboFix /u then hit Enter to uninstall ComboFix and remove the files/folders it created. This action will also reset the System Restore points, removing the infected files there as well.

Now please open MBAM and click the update tab and check for updates.
Now click the Scanner tab and follow these instructions to run MBAM.

• Select 'Perform Quick Scan', then click Scan.
• The scan may take some time to finish,so please be patient.
• When the scan is complete, click OK, then Show Results to view the results.
• Make sure that everything is checked, and click Remove Selected.
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note below)
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
• Post the entire report in your next reply.

Now do this as instructed.

Download ComboFix from Here to your Desktop.

It's best to disable realtime protection applications as they sometimes interfere with the tool.
Check this link for any applicable programs you may have.

• Close all open programs and windows
• Double click combofix.exe and follow the prompts.
• Vista users right click Combofix.exe and select Run As Administrator.
• When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply

Note: Do not mouseclick combofix's window while its running. That may cause it to stall

Note - ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.

Note - Combofix makes some changes when run to prevent autorun/autoplay of ALL CDs, floppies and USB devices, to assist with malware removal & increase security. If this is an issue or makes it difficult for you to use those devices, please ask how to reset it.

Please post the MBAM log and the Combofix log.

Thanks
Geri

 

wonderfull, it works again

Thanks Geri,

That Combofix, (used it for the second time, other icon, but nevertheless) did it seemingly. Only I get fed up with the teatimer and have my doubts over Avast altogether. Since 2004 I have never had any trouble with e-trust (but I was so stupid I deleted it) and zonealarm. I think I'm in for a new combination that is as fast as those were. Any worthy suggestions?

(In the mean time I hope nothing goes wrong again - because I really surf safe - but well, most of us would say that) And I can't change the OS due to the boys (games and so, you know), only maybe the browser (still have the updated IE 6 - don't like tabs and so)

Here are the logs:

Combofix:

ComboFix 08-07-31.06 - quasimodo 2008-08-02 9:14:31.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.31.1043.18.629 [GMT 2:00]
Gestart vanuit: C:\Documents and Settings\quasimodo\Bureaublad\ComboFix.exe
* Nieuw herstelpunt werd aangemaakt

WAARSCHUWING - DE RECOVERY CONSOLE IS NIET OP DIT SYSTEEM GEINSTALLEERD !!
.

(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\quasimodo\Application Data\macromedia\Flash Player\#SharedObjects\6WTCT5Q5\interclick.com
C:\Documents and Settings\quasimodo\Application Data\macromedia\Flash Player\#SharedObjects\6WTCT5Q5\interclick.com\ud.sol
C:\Documents and Settings\quasimodo\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\quasimodo\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\WINDOWS\system32\Bank.dll
C:\WINDOWS\system32\cvxsmzj.dll . . . . konden niet verwijderd worden

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TKXNZQKY
-------\Service_tkxnzqky


(((((((((((((((((((( Bestanden Gemaakt van 2008-07-02 to 2008-08-02 ))))))))))))))))))))))))))))))
.

2008-08-02 08:13 . 2008-08-02 08:13 685,056 --a------ C:\WINDOWS\is-ICEFL.exe
2008-08-02 08:13 . 2008-08-02 08:13 11,729 --a------ C:\WINDOWS\is-ICEFL.msg
2008-08-02 08:13 . 2008-08-02 08:13 460 --a------ C:\WINDOWS\is-ICEFL.lst
2008-08-02 08:03 . 2008-08-02 09:08 <DIR> d-------- C:\WINDOWS\system32\CatRoot2
2008-08-01 18:59 . 2008-08-01 18:59 114,176 --a------ C:\WINDOWS\system32\vxhlxowo.dll
2008-08-01 18:59 . 2008-08-01 18:59 114,176 --a------ C:\WINDOWS\system32\jrtncm.dll
2008-07-28 16:55 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-07-22 19:39 . 2008-07-22 19:39 <DIR> d-------- C:\Documents and Settings\quasimodo\Application Data\Malwarebytes
2008-07-22 19:39 . 2008-07-30 20:07 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-22 19:38 . 2008-08-02 08:15 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-22 19:38 . 2008-07-22 19:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-22 19:38 . 2008-07-30 20:07 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-07-21 21:21 . 2008-07-21 21:21 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-21 17:03 . 2008-07-21 17:03 <DIR> d-------- C:\Documents and Settings\nick\Application Data\hfwqrppp
2008-07-21 16:34 . 2008-08-02 09:21 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-07-21 16:34 . 2008-07-21 16:34 1,409 --a------ C:\WINDOWS\QTFont.for
2008-07-21 11:46 . 2008-07-21 11:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-07-21 11:45 . 2008-07-21 11:45 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-07-21 11:45 . 2008-07-21 11:45 <DIR> d-------- C:\Documents and Settings\quasimodo\Application Data\SUPERAntiSpyware.com
2008-07-20 00:07 . 2008-07-20 00:07 <DIR> d-------- C:\Documents and Settings\sam\Application Data\Viewpoint
2008-07-19 20:05 . 2008-07-19 20:05 24 --a------ C:\Documents and Settings\nick\filter.drv
2008-07-19 11:16 . 2008-07-19 11:18 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-07-19 11:02 . 2004-08-04 00:54 327,168 --------- C:\WINDOWS\system32\drivers\ati2mtaa.sys
2008-07-18 09:02 . 2008-07-18 09:02 42 --a------ C:\WINDOWS\system32\RegistryEasy.lie
2008-07-18 08:34 . 2008-08-01 13:56 <DIR> d-------- C:\Program Files\Registry Easy
2008-07-11 20:12 . 2008-07-11 20:12 <DIR> d-------- C:\Program Files\Ventrilo
2008-07-11 13:45 . 2008-07-11 13:45 24 --a------ C:\Documents and Settings\sam\filter.drv
2008-07-09 06:20 . 2008-07-19 11:27 2,675 --a------ C:\WINDOWS\imsins.BAK
2008-07-05 12:43 . 2008-08-02 08:59 <DIR> dr-h----- C:\Documents and Settings\quasimodo\Onlangs geopend
2008-07-05 12:42 . 2008-07-05 12:42 <DIR> d-------- C:\Program Files\CCleaner
2008-07-02 20:23 . 2008-07-02 20:23 <DIR> dr------- C:\Documents and Settings\LocalService\Favorieten

.
((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-02 07:21 17,408 ----a-w C:\WINDOWS\system32\drivers\USBCRFT.SYS
2008-07-28 14:55 --------- d-----w C:\Program Files\Java
2008-07-22 20:33 --------- d-----w C:\Program Files\BoontyGames
2008-07-21 09:44 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-07-20 02:08 --------- d-----w C:\Program Files\Lavasoft
2008-07-20 02:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-19 12:59 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-07-18 07:16 --------- d-----w C:\Documents and Settings\sam\Application Data\Ventrilo
2008-07-18 07:16 --------- d-----w C:\Documents and Settings\sam\Application Data\Pro Cycling Manager 2007
2008-07-18 07:16 --------- d-----w C:\Documents and Settings\quasimodo\Application Data\uTorrent
2008-07-18 07:16 --------- d-----w C:\Documents and Settings\quasimodo\Application Data\Pro Cycling Manager 2007
2008-07-18 07:16 --------- d-----w C:\Documents and Settings\quasimodo\Application Data\DVD Shrink
2008-07-18 07:16 --------- d-----w C:\Documents and Settings\nick\Application Data\Ventrilo
2008-07-18 07:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\PCPitstop
2008-07-05 14:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-05 09:12 2,575 ----a-w C:\Program Files\HBOFF.LOG
2008-07-05 09:12 1,479 -c--a-w C:\Program Files\Hboff.ini
2008-07-05 09:12 --------- d-----w C:\Program Files\Userdata
2008-07-01 21:15 24 ----a-w C:\Documents and Settings\quasimodo\filter.drv
2008-06-30 16:24 4,222 ----a-w C:\Documents and Settings\sam\Application Data\wklnhst.dat
2008-06-30 16:18 --------- d-----w C:\Program Files\Common Files\Logitech
2008-06-30 12:57 --------- d-----w C:\Documents and Settings\sam\Application Data\hfwqrppp
2008-06-30 10:51 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-30 06:12 --------- d-----w C:\Documents and Settings\quasimodo\Application Data\PC Tools
2008-06-28 12:21 --------- d-----w C:\Documents and Settings\quasimodo\Application Data\hfwqrppp
2008-06-28 12:10 --------- d-----w C:\Documents and Settings\NetworkService\Application Data\hfwqrppp
2008-06-27 20:35 20,708 ----a-w C:\Documents and Settings\quasimodo\Application Data\wklnhst.dat
2008-06-20 11:51 361,600 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 11:40 138,496 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 11:08 225,856 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-14 17:36 272,640 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-13 19:45 4,870 ----a-w C:\Documents and Settings\nick\Application Data\wklnhst.dat
2008-06-04 13:37 --------- d-----w C:\Program Files\Curse
2008-03-29 14:08 67,736 ----a-w C:\Documents and Settings\sam\Application Data\GDIPFONTCACHEV1.DAT
2008-03-28 20:47 1 ----a-w C:\Documents and Settings\quasimodo\SI.bin
2008-03-27 12:57 67,736 ----a-w C:\Documents and Settings\quasimodo\Application Data\GDIPFONTCACHEV1.DAT
2007-11-10 14:38 67,736 ----a-w C:\Documents and Settings\nick\Application Data\GDIPFONTCACHEV1.DAT
2007-07-05 09:11 6,004,736 ----a-w C:\Program Files\HBOFF.EXE
2007-07-05 09:11 275,968 ----a-w C:\Program Files\HomeBank.exe
2007-07-05 08:57 180,736 ----a-w C:\Program Files\HBMSG00.dll
2007-07-05 08:57 176,640 ----a-w C:\Program Files\HBMSG02.dll
2007-07-05 08:57 175,104 ----a-w C:\Program Files\HBMSG01.dll
2007-07-05 08:57 164,352 ----a-w C:\Program Files\HBMSG03.dll
2007-06-25 08:24 84,480 ----a-w C:\Program Files\HBConnMon.exe
2007-06-25 08:24 744 -c--a-w C:\Program Files\hboff.exe.manifest
2007-06-25 08:24 71,168 ----a-w C:\Program Files\HbCalc.exe
2007-06-25 08:24 25,690 -c--a-w C:\Program Files\HBERRORINI.DE
2007-06-25 08:24 25,298 -c--a-w C:\Program Files\HBERRORINI.FR
2007-06-25 08:24 24,620 -c--a-w C:\Program Files\HBERRORINI.NL
2007-06-25 08:24 23,001 -c--a-w C:\Program Files\HBERRORINI.EN
2005-01-27 13:59 8 --sha-r C:\WINDOWS\system32\62A95D688F.sys
2007-12-14 13:25 6,682 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8FFF4FC7-2079-4F05-99C9-3EBE00795F4F}]
2008-08-02 09:16 103424 --a------ c:\windows\system32\cvxsmzj.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 19:02 15360]
"ASUS SmartDoctor "= "C:\Program Files\ASUS\SmartDoctor\SmartDoctor.exe" [2007-07-18 16:20 1114112]
"SpybotSD TeaTimer "= "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 12:43 2097488]
"SUPERAntiSpyware "= "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-28 10:33 1506544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Keyboard Status "= "C:\PROGRA~1\Medion Tools\KeyStat\KeyStat.exe" [2005-01-25 12:03 411648]
"NeroFilterCheck "= "C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"NvCplDaemon "= "C:\WINDOWS\system32\NvCpl.dll" [2007-06-28 18:43 8466432]
"NvMediaCenter "= "C:\WINDOWS\system32\NvMcTray.dll" [2007-06-28 18:43 81920]
"Adobe Reader Speed Launcher "= "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"QuickTime Task "= "C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24 286720]
"iTunesHelper "= "C:\Program Files\iTunes\iTunesHelper.exe" [2007-08-15 20:15 271672]
"HPDJ Taskbar Utility "= "C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2002-11-05 20:34 188416]
"GameFace Messenger "= "C:\Program Files\GameFace Messenger\GameFace.exe" [2006-11-01 15:50 2154496]
"Adobe Photo Downloader "= "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 00:46 57344]
"ISTray "= "C:\Program Files\Spyware Doctor\pctsTray.exe" [BU]
"SunJavaUpdateSched "= "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"a5o8q "= "C:\WINDOWS\system32\a5o8q.exe" [BU]
"AGRSMMSG "= "AGRSMMSG.exe" [2005-03-04 12:01 88209 C:\WINDOWS\AGRSMMSG.exe]
"Dit "= "Dit.exe" [2004-07-20 19:18 90112 C:\WINDOWS\Dit.exe]
"GSICONEXE "= "GSICON.EXE" [2001-05-18 19:29 90112 C:\WINDOWS\system32\gsicon.exe]
"nwiz "= "nwiz.exe" [2007-06-28 18:43 1626112 C:\WINDOWS\system32\nwiz.exe]
"Kernel and Hardware Abstraction Layer "= "KHALMNPR.EXE" [2007-04-11 16:32 56080 C:\WINDOWS\KHALMNPR.Exe]
"DSLAGENTEXE "= "dslagent.exe" [2001-05-18 19:29 16384 C:\WINDOWS\system32\DSLAGENT.EXE]
"GsiFinal "= "gspndll.dll" [2001-05-18 19:28 81920 C:\WINDOWS\system32\gspnDll.dll]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE "= "C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 19:02 15360]
"DWQueuedReporting "= "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 16:38 39264]
"swg "= "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-03-30 10:10 68856]

C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2008-03-22 15:46:17 67128]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2008-03-22 15:43:38 692224]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} "= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AtiExtEvent]
[BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.asv2 "= asusasv2.dll

Mbam:

Malwarebytes' Anti-Malware 1.24
Database versie: 1012
Windows 5.1.2600 Service Pack 3

9:00:32 2/08/2008
mbam-log-8-2-2008 (09-00-32).txt

Scan type: Volledige Scan (C:\|D:\|E:\|F:\|)
Objecten gescand: 215300
Verstreken tijd: 41 minute(s), 40 second(s)

Geheugenprocessen geïnfecteerd: 0
Geheugenmodulen geïnfecteerd: 1
Registersleutels geïnfecteerd: 4
Registerwaarden geïnfecteerd: 0
Registerdata bestanden geïnfecteerd: 2
Mappen geïnfecteerd: 0
Bestanden geïnfecteerd: 6

Geheugenprocessen geïnfecteerd:
(Geen kwaadaardige items gevonden)

Geheugenmodulen geïnfecteerd:
C:\WINDOWS\system32\cbXNFUlL.dll (Trojan.Vundo) -> Delete on reboot.

Registersleutels geïnfecteerd:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{811ca0dc-6f1f-4ee6-aeb9-50fd04fdbc41} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{811ca0dc-6f1f-4ee6-aeb9-50fd04fdbc41} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registerwaarden geïnfecteerd:
(Geen kwaadaardige items gevonden)

Registerdata bestanden geïnfecteerd:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo) -> Data: c:\windows\system32\cbxnfull -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\cbxnfull -> Delete on reboot.

Mappen geïnfecteerd:
(Geen kwaadaardige items gevonden)

Bestanden geïnfecteerd:
C:\WINDOWS\system32\cbXNFUlL.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\LlUFNXbc.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\LlUFNXbc.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\twoexypx.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xpyxeowt.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\cookies.ini (Malware.Trace) -> Quarantined and deleted successfully.

Hijack This:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:12:25, on 2/08/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
c:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
c:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\Dit.exe
C:\PROGRA~1\Medion Tools\KeyStat\KeyStat.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\dslagent.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.be/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.logogle.com/ggl.php?hl=ja&lo=Ik HOUDT VAN PAPA (EN NICK OOK)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {8FFF4FC7-2079-4F05-99C9-3EBE00795F4F} - c:\windows\system32\cvxsmzj.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [Keyboard Status] C:\PROGRA~1\Medion Tools\KeyStat\KeyStat.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe "
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [GameFace Messenger] C:\Program Files\GameFace Messenger\GameFace.exe
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe "
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe "
O4 - HKLM\..\Run: [GsiFinal] rundll32 gspndll.dll,postInstall final
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe "
O4 - HKLM\..\Run: [a5o8q] C:\WINDOWS\system32\a5o8q.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ASUS SmartDoctor] C:\Program Files\ASUS\SmartDoctor\SmartDoctor.exe /start
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.aldi.com/
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {4EE87D5D-654F-11D7-828F-B1119AEC2423} (ParCurvCtrl.PCurvCtrl) - http://www.wiskundeonline.nl/ActiveX/ParCurv/Package/ParCurvCtrl.CAB
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://scan.safety.live.com/resource/download/scanner/wlscbase5059.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120044746250
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1120044715890
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Besturing) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotions/spywaredetector/WebAAS.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?326
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Boonty Games - BOONTY - C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates International Inc. - c:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates International Inc. - c:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod-service (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - c:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

--
End of file - 10906 bytes


Greetings and thanks,

Jan

 

Hi Jan

quasimodo has uTorrent showing P2P file sharing is a dangerous practice, see my note below.

I use eTrust AV and I would not use anything else, IMHO it is one of the best.

Please do this.

We need to have some files scanned.

• Please go to Jotti's malware scan
  
• Copy and paste the following file path into the "File to upload & scan "box on the top of the page: one at a time
  
  • C:\WINDOWS\is-ICEFL.exe
  C:\WINDOWS\imsins.BAK
  C:\WINDOWS\system32\62A95D688F.sys
  C:\WINDOWS\system32\KGyGaAvL.sys
  
• Click on the submit button
  
• Please post the results in your next reply.

Now do this.

Highlight and copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as;

Filename: CFScript.txt
Save As Type: All Files (*.*)

Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button.
Click here to see how to use CFScript.txt
Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log and another fresh HijackThis log.

Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.

Code:

File::
C:\WINDOWS\system32\vxhlxowo.dll
C:\WINDOWS\system32\jrtncm.dll
C:\WINDOWS\QTFont.qfn
C:\WINDOWS\QTFont.for
C:\WINDOWS\system32\a5o8q.exe

Folder::
C:\Documents and Settings\nick\Application Data\hfwqrppp
C:\Documents and Settings\sam\Application Data\hfwqrppp
C:\Documents and Settings\quasimodo\Application Data\hfwqrppp
C:\Documents and Settings\NetworkService\Application Data\hfwqrppp

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8FFF4FC7-2079-4F05-99C9-3EBE00795F4F}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
 "a5o8q "=- 

Please post the combofix log and the Jotti results.

Thanks
Geri

P2P software ( Limewire, BitTorrent uTorrent etc… ) is installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.

Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares and their infections.

References for the risk of these programs are here,
here and here.

I would strongly recommend that you uninstall them, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.

Note: Please be advised that continued use of these programs after being warned of the danger of infections from them, may result in the discontinued help of future cleaning of your system here at Windowsbbs Virus and Spyware removal.

 

na jotti en combofix

Geri,

Dit what you asked me to, everything seems to be working, only that teatimer is annoying me. (window is still open asks me to accept - or not - to change the Search Page to microsoft. Well, I can accept it and change it again aftwerwards - the explorer settings are reset anyway). By the way, I removed AVAST and installed as a stop gap F-secure from my provider (Scarlet). Seems a decent scanner, but it makes everything (especially surfing slower, and it slows the computer furher down if ther's no reboot after some hours, so it seems to leak memory).

As promised here are the logs: (sorry for the timelag)

1.Jotti:

is-ICEFL.exe
Status: OK
MD5: faa7a3c2f20d54b0a0d6f3437fc11d50
Packers detected: -
File: imsins.BAK
Status: OK
MD5: 9bdc866b5429997d9c07f349973a4765
Packers detected: -
File: 62A95D688F.sys
Status: OK
MD5: ba898b29f0dbf9307f494475a8393f03
Packers detected: -
File: KGyGaAvL.sys
Status: OK
MD5: e43f1492f8fff71993bfe38c6542d904
Packers detected: -

2.Combofix

ComboFix 08-08-08.07 - quasimodo 2008-08-09 13:34:30.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.31.1043.18.477 [GMT 2:00]
Gestart vanuit: C:\Documents and Settings\quasimodo\Bureaublad\ComboFix.exe
Command switches used :: C:\Documents and Settings\quasimodo\Bureaublad\CFScript
* Nieuw herstelpunt werd aangemaakt
* Resident AV is active


WAARSCHUWING - DE RECOVERY CONSOLE IS NIET OP DIT SYSTEEM GEINSTALLEERD !!

FILE ::
C:\WINDOWS\QTFont.for
C:\WINDOWS\QTFont.qfn
C:\WINDOWS\system32\a5o8q.exe
C:\WINDOWS\system32\jrtncm.dll
C:\WINDOWS\system32\vxhlxowo.dll
.

(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\NetworkService\Application Data\hfwqrppp
C:\Documents and Settings\NetworkService\Application Data\hfwqrppp\profiles.ini
C:\Documents and Settings\NetworkService\Application Data\hfwqrppp\Profiles\2ztd0xoe.default\cert8.db
C:\Documents and Settings\NetworkService\Application Data\hfwqrppp\Profiles\2ztd0xoe.default\compatibility.ini
C:\Documents and Settings\NetworkService\Application Data\hfwqrppp\Profiles\2ztd0xoe.default\compreg.dat
C:\Documents and Settings\NetworkService\Application Data\hfwqrppp\Profiles\2ztd0xoe.default\cookies.sqlite
C:\Documents and Settings\NetworkService\Application Data\hfwqrppp\Profiles\2ztd0xoe.default\formhistory.sqlite
C:\Documents and Settings\NetworkService\Application Data\hfwqrppp\Profiles\2ztd0xoe.default\key3.db
C:\Documents and Settings\NetworkService\Application Data\hfwqrppp\Profiles\2ztd0xoe.default\localstore.rdf
C:\Documents and Settings\NetworkService\Application Data\hfwqrppp\Profiles\2ztd0xoe.default\permissions.sqlite
C:\Documents and Settings\NetworkService\Application Data\hfwqrppp\Profiles\2ztd0xoe.default\places.sqlite-journal
C:\Documents and Settings\NetworkService\Application Data\hfwqrppp\Profiles\2ztd0xoe.default\places.sqlite
C:\Documents and Settings\NetworkService\Application Data\hfwqrppp\Profiles\2ztd0xoe.default\pluginreg.dat
C:\Documents and Settings\NetworkService\Application Data\hfwqrppp\Profiles\2ztd0xoe.default\prefs.js
C:\Documents and Settings\NetworkService\Application Data\hfwqrppp\Profiles\2ztd0xoe.default\secmod.db
C:\Documents and Settings\NetworkService\Application Data\hfwqrppp\Profiles\2ztd0xoe.default\xpti.dat
C:\Documents and Settings\nick\Application Data\hfwqrppp
C:\Documents and Settings\nick\Application Data\hfwqrppp\profiles.ini
C:\Documents and Settings\nick\Application Data\hfwqrppp\Profiles\qedtusv5.default\cert8.db
C:\Documents and Settings\nick\Application Data\hfwqrppp\Profiles\qedtusv5.default\compatibility.ini
C:\Documents and Settings\nick\Application Data\hfwqrppp\Profiles\qedtusv5.default\compreg.dat
C:\Documents and Settings\nick\Application Data\hfwqrppp\Profiles\qedtusv5.default\cookies.sqlite
C:\Documents and Settings\nick\Application Data\hfwqrppp\Profiles\qedtusv5.default\formhistory.sqlite
C:\Documents and Settings\nick\Application Data\hfwqrppp\Profiles\qedtusv5.default\key3.db
C:\Documents and Settings\nick\Application Data\hfwqrppp\Profiles\qedtusv5.default\localstore.rdf
C:\Documents and Settings\nick\Application Data\hfwqrppp\Profiles\qedtusv5.default\permissions.sqlite
C:\Documents and Settings\nick\Application Data\hfwqrppp\Profiles\qedtusv5.default\places.sqlite-journal
C:\Documents and Settings\nick\Application Data\hfwqrppp\Profiles\qedtusv5.default\places.sqlite
C:\Documents and Settings\nick\Application Data\hfwqrppp\Profiles\qedtusv5.default\pluginreg.dat
C:\Documents and Settings\nick\Application Data\hfwqrppp\Profiles\qedtusv5.default\prefs.js
C:\Documents and Settings\nick\Application Data\hfwqrppp\Profiles\qedtusv5.default\secmod.db
C:\Documents and Settings\nick\Application Data\hfwqrppp\Profiles\qedtusv5.default\xpti.dat
C:\Documents and Settings\quasimodo\Application Data\hfwqrppp
C:\Documents and Settings\quasimodo\Application Data\hfwqrppp\profiles.ini
C:\Documents and Settings\quasimodo\Application Data\hfwqrppp\Profiles\7ordbe2i.default\cert8.db
C:\Documents and Settings\quasimodo\Application Data\hfwqrppp\Profiles\7ordbe2i.default\compatibility.ini
C:\Documents and Settings\quasimodo\Application Data\hfwqrppp\Profiles\7ordbe2i.default\compreg.dat
C:\Documents and Settings\quasimodo\Application Data\hfwqrppp\Profiles\7ordbe2i.default\cookies.sqlite
C:\Documents and Settings\quasimodo\Application Data\hfwqrppp\Profiles\7ordbe2i.default\formhistory.sqlite
C:\Documents and Settings\quasimodo\Application Data\hfwqrppp\Profiles\7ordbe2i.default\key3.db
C:\Documents and Settings\quasimodo\Application Data\hfwqrppp\Profiles\7ordbe2i.default\localstore.rdf
C:\Documents and Settings\quasimodo\Application Data\hfwqrppp\Profiles\7ordbe2i.default\permissions.sqlite
C:\Documents and Settings\quasimodo\Application Data\hfwqrppp\Profiles\7ordbe2i.default\places.sqlite-journal
C:\Documents and Settings\quasimodo\Application Data\hfwqrppp\Profiles\7ordbe2i.default\places.sqlite
C:\Documents and Settings\quasimodo\Application Data\hfwqrppp\Profiles\7ordbe2i.default\pluginreg.dat
C:\Documents and Settings\quasimodo\Application Data\hfwqrppp\Profiles\7ordbe2i.default\prefs.js
C:\Documents and Settings\quasimodo\Application Data\hfwqrppp\Profiles\7ordbe2i.default\secmod.db
C:\Documents and Settings\quasimodo\Application Data\hfwqrppp\Profiles\7ordbe2i.default\xpti.dat
C:\Documents and Settings\sam\Application Data\hfwqrppp
C:\Documents and Settings\sam\Application Data\hfwqrppp\profiles.ini
C:\Documents and Settings\sam\Application Data\hfwqrppp\Profiles\0izsdk24.default\cert8.db
C:\Documents and Settings\sam\Application Data\hfwqrppp\Profiles\0izsdk24.default\compatibility.ini
C:\Documents and Settings\sam\Application Data\hfwqrppp\Profiles\0izsdk24.default\compreg.dat
C:\Documents and Settings\sam\Application Data\hfwqrppp\Profiles\0izsdk24.default\cookies.sqlite
C:\Documents and Settings\sam\Application Data\hfwqrppp\Profiles\0izsdk24.default\formhistory.sqlite
C:\Documents and Settings\sam\Application Data\hfwqrppp\Profiles\0izsdk24.default\key3.db
C:\Documents and Settings\sam\Application Data\hfwqrppp\Profiles\0izsdk24.default\localstore.rdf
C:\Documents and Settings\sam\Application Data\hfwqrppp\Profiles\0izsdk24.default\permissions.sqlite
C:\Documents and Settings\sam\Application Data\hfwqrppp\Profiles\0izsdk24.default\places.sqlite-journal
C:\Documents and Settings\sam\Application Data\hfwqrppp\Profiles\0izsdk24.default\places.sqlite
C:\Documents and Settings\sam\Application Data\hfwqrppp\Profiles\0izsdk24.default\pluginreg.dat
C:\Documents and Settings\sam\Application Data\hfwqrppp\Profiles\0izsdk24.default\prefs.js
C:\Documents and Settings\sam\Application Data\hfwqrppp\Profiles\0izsdk24.default\secmod.db
C:\Documents and Settings\sam\Application Data\hfwqrppp\Profiles\0izsdk24.default\xpti.dat
C:\WINDOWS\QTFont.for
C:\WINDOWS\QTFont.qfn
C:\WINDOWS\system32\actskn43.ocx

.
(((((((((((((((((((( Bestanden Gemaakt van 2008-07-09 to 2008-08-09 ))))))))))))))))))))))))))))))
.

2008-08-07 01:58 . 2008-08-07 01:58 43,520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2008-08-02 12:36 . 2008-08-03 00:18 <DIR> d-------- C:\Documents and Settings\quasimodo\Application Data\F-Secure
2008-08-02 12:35 . 2008-08-02 12:35 <DIR> d-------- C:\Documents and Settings\LocalService\Bureaublad
2008-08-02 12:20 . 2008-08-02 12:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\F-Secure
2008-08-02 12:20 . 2008-08-02 12:37 51,072 --a------ C:\WINDOWS\system32\drivers\fsdfw.sys
2008-08-02 12:20 . 2008-08-02 12:37 30,016 --a------ C:\WINDOWS\system32\drivers\fsndis5.sys
2008-08-02 12:19 . 2008-08-02 12:41 <DIR> d-------- C:\Program Files\Scarlet Secure PC
2008-08-02 12:17 . 2008-08-02 12:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\fssg
2008-08-02 08:13 . 2008-08-02 08:13 685,056 --a------ C:\WINDOWS\is-ICEFL.exe
2008-08-02 08:13 . 2008-08-02 08:13 11,729 --a------ C:\WINDOWS\is-ICEFL.msg
2008-08-02 08:13 . 2008-08-02 08:13 460 --a------ C:\WINDOWS\is-ICEFL.lst
2008-08-02 08:03 . 2008-08-09 13:43 <DIR> d-------- C:\WINDOWS\system32\CatRoot2
2008-07-28 16:55 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-07-22 19:39 . 2008-07-22 19:39 <DIR> d-------- C:\Documents and Settings\quasimodo\Application Data\Malwarebytes
2008-07-22 19:39 . 2008-07-30 20:07 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-22 19:38 . 2008-08-02 08:15 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-22 19:38 . 2008-07-22 19:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-22 19:38 . 2008-07-30 20:07 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-07-21 21:21 . 2008-07-21 21:21 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-21 11:46 . 2008-07-21 11:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-07-21 11:45 . 2008-07-21 11:45 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-07-21 11:45 . 2008-07-21 11:45 <DIR> d-------- C:\Documents and Settings\quasimodo\Application Data\SUPERAntiSpyware.com
2008-07-20 00:07 . 2008-07-20 00:07 <DIR> d-------- C:\Documents and Settings\sam\Application Data\Viewpoint
2008-07-19 20:05 . 2008-07-19 20:05 24 --a------ C:\Documents and Settings\nick\filter.drv
2008-07-19 11:16 . 2008-07-19 11:18 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-07-19 11:02 . 2004-08-04 00:54 327,168 --------- C:\WINDOWS\system32\drivers\ati2mtaa.sys
2008-07-18 09:02 . 2008-07-18 09:02 42 --a------ C:\WINDOWS\system32\RegistryEasy.lie
2008-07-18 08:34 . 2008-08-01 13:56 <DIR> d-------- C:\Program Files\Registry Easy
2008-07-11 20:12 . 2008-07-11 20:12 <DIR> d-------- C:\Program Files\Ventrilo
2008-07-11 13:45 . 2008-07-11 13:45 24 --a------ C:\Documents and Settings\sam\filter.drv
2008-07-09 06:20 . 2008-07-19 11:27 2,675 --a------ C:\WINDOWS\imsins.BAK

.
((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-09 11:41 17,408 ----a-w C:\WINDOWS\system32\drivers\USBCRFT.SYS
2008-08-06 20:40 67,736 ----a-w C:\Documents and Settings\quasimodo\Application Data\GDIPFONTCACHEV1.DAT
2008-08-02 07:16 103,424 ----a-w C:\WINDOWS\system32\idizphz.dll
2008-07-28 14:55 --------- d-----w C:\Program Files\Java
2008-07-22 20:34 19,530,621 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2008_07_22_21_03_46_full.dmp.zip
2008-07-22 20:33 --------- d-----w C:\Program Files\BoontyGames
2008-07-21 18:11 19,565,789 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2008_07_21_19_35_24_full.dmp.zip
2008-07-21 17:34 19,701,328 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2008_07_21_16_34_59_full.dmp.zip
2008-07-21 09:44 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-07-20 18:08 19,707,333 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2008_07_20_18_34_32_full.dmp.zip
2008-07-20 02:08 --------- d-----w C:\Program Files\Lavasoft
2008-07-20 02:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-19 18:11 98,304 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-07-19 12:59 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-07-18 07:16 --------- d-----w C:\Documents and Settings\sam\Application Data\Ventrilo
2008-07-18 07:16 --------- d-----w C:\Documents and Settings\sam\Application Data\Pro Cycling Manager 2007
2008-07-18 07:16 --------- d-----w C:\Documents and Settings\quasimodo\Application Data\uTorrent
2008-07-18 07:16 --------- d-----w C:\Documents and Settings\quasimodo\Application Data\Pro Cycling Manager 2007
2008-07-18 07:16 --------- d-----w C:\Documents and Settings\quasimodo\Application Data\DVD Shrink
2008-07-18 07:16 --------- d-----w C:\Documents and Settings\nick\Application Data\Ventrilo
2008-07-18 07:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\PCPitstop
2008-07-05 14:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-05 10:42 --------- d-----w C:\Program Files\CCleaner
2008-07-05 09:12 2,575 ----a-w C:\Program Files\HBOFF.LOG
2008-07-05 09:12 1,479 -c--a-w C:\Program Files\Hboff.ini
2008-07-05 09:12 --------- d-----w C:\Program Files\Userdata
2008-07-01 21:15 24 ----a-w C:\Documents and Settings\quasimodo\filter.drv
2008-06-30 16:24 4,222 ----a-w C:\Documents and Settings\sam\Application Data\wklnhst.dat
2008-06-30 16:18 --------- d-----w C:\Program Files\Common Files\Logitech
2008-06-30 10:51 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-30 06:12 --------- d-----w C:\Documents and Settings\quasimodo\Application Data\PC Tools
2008-06-27 20:35 20,708 ----a-w C:\Documents and Settings\quasimodo\Application Data\wklnhst.dat
2008-06-20 17:49 247,296 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 11:51 361,600 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 11:40 138,496 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 11:08 225,856 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-14 17:36 272,640 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-13 19:45 4,870 ----a-w C:\Documents and Settings\nick\Application Data\wklnhst.dat
2008-05-16 09:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-05-09 10:56 90,112 ----a-w C:\WINDOWS\system32\wshext.dll
2008-05-09 10:56 430,080 ----a-w C:\WINDOWS\system32\vbscript.dll
2008-05-09 10:56 180,224 ----a-w C:\WINDOWS\system32\scrobj.dll
2008-05-09 10:56 172,032 ----a-w C:\WINDOWS\system32\scrrun.dll
2008-03-29 14:08 67,736 ----a-w C:\Documents and Settings\sam\Application Data\GDIPFONTCACHEV1.DAT
2008-03-28 20:47 1 ----a-w C:\Documents and Settings\quasimodo\SI.bin
2007-11-10 14:38 67,736 ----a-w C:\Documents and Settings\nick\Application Data\GDIPFONTCACHEV1.DAT
2007-07-05 09:11 6,004,736 ----a-w C:\Program Files\HBOFF.EXE
2007-07-05 09:11 275,968 ----a-w C:\Program Files\HomeBank.exe
2007-07-05 08:57 180,736 ----a-w C:\Program Files\HBMSG00.dll
2007-07-05 08:57 176,640 ----a-w C:\Program Files\HBMSG02.dll
2007-07-05 08:57 175,104 ----a-w C:\Program Files\HBMSG01.dll
2007-07-05 08:57 164,352 ----a-w C:\Program Files\HBMSG03.dll
2007-06-25 08:24 84,480 ----a-w C:\Program Files\HBConnMon.exe
2007-06-25 08:24 744 -c--a-w C:\Program Files\hboff.exe.manifest
2007-06-25 08:24 71,168 ----a-w C:\Program Files\HbCalc.exe
2007-06-25 08:24 25,690 -c--a-w C:\Program Files\HBERRORINI.DE
2007-06-25 08:24 25,298 -c--a-w C:\Program Files\HBERRORINI.FR
2007-06-25 08:24 24,620 -c--a-w C:\Program Files\HBERRORINI.NL
2007-06-25 08:24 23,001 -c--a-w C:\Program Files\HBERRORINI.EN
2005-01-27 13:59 8 --sha-r C:\WINDOWS\system32\62A95D688F.sys
2007-12-14 13:25 6,682 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot@2008-08-02_ 9.25.00.73 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-03-25 02:32:44 218,496 ----a-r C:\WINDOWS\system32\Macromed\Flash\FlashUtil9f.exe
- 2008-04-05 00:42:54 74,649 ----a-w C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
+ 2008-08-05 07:16:20 74,137 ----a-w C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
- 2008-07-19 09:37:30 62,944 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-08-02 10:20:57 65,928 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-07-19 09:37:30 82,326 ----a-w C:\WINDOWS\system32\perfc013.dat
+ 2008-08-02 10:20:57 85,310 ----a-w C:\WINDOWS\system32\perfc013.dat
- 2008-07-19 09:37:30 402,954 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-08-02 10:20:57 409,644 ----a-w C:\WINDOWS\system32\perfh009.dat
- 2008-07-19 09:37:30 468,486 ----a-w C:\WINDOWS\system32\perfh013.dat
+ 2008-08-02 10:20:57 475,176 ----a-w C:\WINDOWS\system32\perfh013.dat
.
((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8FFF4FC7-2079-4F05-99C9-3EBE00795F4F}]
2008-08-02 09:16 103424 --a------ c:\windows\system32\cvxsmzj.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 19:02 15360]
"ASUS SmartDoctor "= "C:\Program Files\ASUS\SmartDoctor\SmartDoctor.exe" [2007-07-18 16:20 1114112]
"SpybotSD TeaTimer "= "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 12:43 2097488]
"SUPERAntiSpyware "= "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-28 10:33 1506544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Keyboard Status "= "C:\PROGRA~1\Medion Tools\KeyStat\KeyStat.exe" [2005-01-25 12:03 411648]
"NeroFilterCheck "= "C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"NvCplDaemon "= "C:\WINDOWS\system32\NvCpl.dll" [2007-06-28 18:43 8466432]
"NvMediaCenter "= "C:\WINDOWS\system32\NvMcTray.dll" [2007-06-28 18:43 81920]
"Adobe Reader Speed Launcher "= "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"QuickTime Task "= "C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24 286720]
"iTunesHelper "= "C:\Program Files\iTunes\iTunesHelper.exe" [2007-08-15 20:15 271672]
"HPDJ Taskbar Utility "= "C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2002-11-05 20:34 188416]
"GameFace Messenger "= "C:\Program Files\GameFace Messenger\GameFace.exe" [2006-11-01 15:50 2154496]
"Adobe Photo Downloader "= "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 00:46 57344]
"ISTray "= "C:\Program Files\Spyware Doctor\pctsTray.exe" [BU]
"SunJavaUpdateSched "= "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"F-Secure Manager "= "C:\Program Files\Scarlet Secure PC\Common\FSM32.EXE" [2007-04-26 19:12 183208]
"F-Secure TNB "= "C:\Program Files\Scarlet Secure PC\FSGUI\TNBUtil.exe" [2007-04-26 19:10 740208]
"AGRSMMSG "= "AGRSMMSG.exe" [2005-03-04 12:01 88209 C:\WINDOWS\AGRSMMSG.exe]
"Dit "= "Dit.exe" [2004-07-20 19:18 90112 C:\WINDOWS\Dit.exe]
"GSICONEXE "= "GSICON.EXE" [2001-05-18 19:29 90112 C:\WINDOWS\system32\gsicon.exe]
"nwiz "= "nwiz.exe" [2007-06-28 18:43 1626112 C:\WINDOWS\system32\nwiz.exe]
"Kernel and Hardware Abstraction Layer "= "KHALMNPR.EXE" [2007-04-11 16:32 56080 C:\WINDOWS\KHALMNPR.Exe]
"DSLAGENTEXE "= "dslagent.exe" [2001-05-18 19:29 16384 C:\WINDOWS\system32\DSLAGENT.EXE]
"GsiFinal "= "gspndll.dll" [2001-05-18 19:28 81920 C:\WINDOWS\system32\gspnDll.dll]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE "= "C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 19:02 15360]
"DWQueuedReporting "= "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 16:38 39264]
"swg "= "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-03-30 10:10 68856]

C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2008-03-22 15:46:17 67128]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2008-03-22 15:43:38 692224]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} "= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AtiExtEvent]
[BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.asv2 "= asusasv2.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=" "

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cmaudio]
cmicnfg.cpl [BU]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall "= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe "=
"C:\\WINDOWS\\system32\\fxsclnt.exe "=
"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe "=
"D:\\Valve\\Condition Zero\\czero.exe "=
"F:\\Program Files\\EA GAMES\\MOHAA\\MOHAA.exe "=
"F:\\Program Files\\Warcraft III\\Warcraft III.exe "=
"C:\\Program Files\\Messenger\\msmsgs.exe "=
"%windir%\\system32\\sessmgr.exe "=
"C:\\Program Files\\Skype\\Phone\\Skype.exe "=
"F:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe "=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe "=
"C:\\Program Files\\MSN Messenger\\livecall.exe "=
"D:\\program files\\EA GAMES\\The Battle for Middle-earth(tm)\\game.dat "=
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe "=
"C:\\Program Files\\iTunes\\iTunes.exe "=
"%windir%\\Network Diagnostic\\xpnetdiag.exe "=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP "= 3724:TCP:Blizzard Downloader: 3724
"1723:TCP "= 1723:TCPxpsp2res.dll,-22015
"1701:UDP "= 1701:UDPxpsp2res.dll,-22016
"500:UDP "= 500:UDPxpsp2res.dll,-22017

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest "= 1 (0x1)

R0 FSFW;F-Secure Firewall Driver;C:\WINDOWS\system32\drivers\fsdfw.sys [2008-08-02 12:37]
R0 rnsjbbou;rnsjbbou;C:\WINDOWS\system32\drivers\rnsjbbou.sys [2004-08-04 13:59]
R1 F-Secure HIPS;F-Secure HIPS;C:\Program Files\Scarlet Secure PC\HIPS\fshs.sys [2008-08-02 12:36]
R2 CA_LIC_CLNT;CA License Client;c:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe [2003-04-07 12:46]
R2 LogWatch;Event Log Watch;c:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe [2002-09-20 12:29]
R2 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 23:38]
R3 3xHybrid;3xHybrid service;C:\WINDOWS\system32\DRIVERS\3xHybrid.sys [2005-02-09 18:02]
R3 ASUSVRC;ASUSTeK Virtual Capture Device;C:\WINDOWS\system32\DRIVERS\AsusVRC.sys [2007-01-29 18:12]
R3 cmudax;C-Media High Definition Audio Interface;C:\WINDOWS\system32\drivers\cmudax.sys [2004-10-01 14:58]
R3 F-Secure Gatekeeper;F-Secure Gatekeeper;C:\Program Files\Scarlet Secure PC\Anti-Virus\minifilter\fsgk.sys [2007-04-26 19:07]
R3 wbscr;Winbond Smartcard Reader for I/O;C:\WINDOWS\system32\drivers\wbscr.sys [2002-04-24 13:07]
S2 gafwload;Webr@cer 850 USB ADSL Loader;C:\WINDOWS\system32\DRIVERS\gafwload.sys [2001-05-18 19:35]
S3 Boonty Games;Boonty Games;C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe [2006-05-20 21:16]
S3 CA_LIC_SRVR;CA License Server;c:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe [2003-04-07 12:45]
S3 CardReaderFilter;Card Reader Filter;C:\WINDOWS\system32\Drivers\USBCRFT.SYS [2008-08-09 13:41]
S3 gkmixern;gkmixern;C:\DOCUME~1\QUASIM~1\LOCALS~1\Temp\gkmixern.sys []
S4 F-Secure Filter;F-Secure File System Filter;C:\Program Files\Scarlet Secure PC\Anti-Virus\Win2K\FSfilter.sys [2007-04-26 19:08]
S4 F-Secure Recognizer;F-Secure File System Recognizer;C:\Program Files\Scarlet Secure PC\Anti-Virus\Win2K\FSrec.sys [2007-04-26 19:08]
.
Inhoud van de 'Gedeelde Taken' map

2008-08-05 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-06-03 13:42]

2008-08-09 C:\WINDOWS\Tasks\MP Scheduled Scan.job
- C:\Program Files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]

2008-08-01 C:\WINDOWS\Tasks\Schedule Task Weekly.job
- C:\Program Files\Registry Easy\RE.exe [2008-07-17 15:49]

2008-08-09 C:\WINDOWS\Tasks\Scheduled scanning task.job
- C:\PROGRA~1\SCARLE~1\ANTI-V~1\fsav.exe [2007-04-26 13:42]
.
- - - - ORPHANS REMOVED - - - -

Toolbar-ID - (no file)


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-09 13:42:04
Windows 5.1.2600 Service Pack 3 NTFS

scannen van verborgen processen ...

scannen van verborgen autostart items ...

scannen van verborgen bestanden ...

Scan succesvol afgerond
verborgen bestanden: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\scardsvr.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Scarlet Secure PC\Anti-Virus\fsgk32st.exe
C:\Program Files\Scarlet Secure PC\Common\FSMA32.EXE
C:\Program Files\Scarlet Secure PC\Anti-Virus\fsgk32.exe
C:\Program Files\Scarlet Secure PC\Common\FSMB32.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Scarlet Secure PC\Common\FCH32.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Scarlet Secure PC\Common\FAMEH32.EXE
C:\Program Files\Scarlet Secure PC\Anti-Virus\fsqh.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Scarlet Secure PC\FSGUI\fsguidll.exe
C:\Program Files\Scarlet Secure PC\FSAUA\program\fsaua.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Scarlet Secure PC\Anti-Virus\fssm32.exe
C:\Program Files\Scarlet Secure PC\FWES\program\fsdfwd.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Scarlet Secure PC\FSAUA\program\fsus.exe
C:\Program Files\Scarlet Secure PC\Anti-Virus\fsav32.exe
.
**************************************************************************
.
Voltooingstijd: 2008-08-09 13:48:20 - machine was rebooted [quasimodo]
ComboFix-quarantined-files.txt 2008-08-09 11:48:08
ComboFix2.txt 2008-08-02 07:25:36
ComboFix3.txt 2008-07-22 22:36:57

Pre-Run: 45,550,268,416 bytes beschikbaar
Post-Run: 45,535,354,880 bytes beschikbaar

352 --- E O F --- 2008-08-08 19:49:23


P.S.: I've no Limewire of other programs of that kind installed. Only the source was still on the drive. Removed them too. Will have a look in the registry for leftovers?

Thanks a lot anyway

Jan

 

Hi Jan
Please do this.

Highlight and copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as;

Filename: CFScript.txt
Save As Type: All Files (*.*)

Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button.
Click here to see how to use CFScript.txt
Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log and another fresh HijackThis log.

Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.

Code:

File::
C:\WINDOWS\system32\idizphz.dll
c:\windows\system32\cvxsmzj.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8FFF4FC7-2079-4F05-99C9-3EBE00795F4F}] 

Please post the combox log and a new HJT log.

Thanks
Geri

 

combo and hijack log

Hello Geri,

Here are the logs:

1. COMBO:

ComboFix 08-08-12.01 - quasimodo 2008-08-13 2:36:09.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.31.1043.18.466 [GMT 2:00]
Gestart vanuit: C:\Documents and Settings\quasimodo\Bureaublad\ComboFix.exe
Command switches used :: C:\Documents and Settings\quasimodo\Bureaublad\CFScript.txt
* Nieuw herstelpunt werd aangemaakt
* Resident AV is active


WAARSCHUWING - DE RECOVERY CONSOLE IS NIET OP DIT SYSTEEM GEINSTALLEERD !!

FILE ::
c:\windows\system32\cvxsmzj.dll
C:\WINDOWS\system32\idizphz.dll
.

(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\cvxsmzj.dll . . . . konden niet verwijderd worden
C:\WINDOWS\system32\idizphz.dll . . . . konden niet verwijderd worden

.
(((((((((((((((((((( Bestanden Gemaakt van 2008-07-13 to 2008-08-13 ))))))))))))))))))))))))))))))
.

2008-08-12 13:53 . 2008-08-12 14:23 <DIR> d-------- C:\Documents and Settings\nick\Application Data\Mijn Battle for Middle-earth bestanden
2008-08-11 14:46 . 2008-08-11 22:11 <DIR> d-------- C:\Documents and Settings\nick\Application Data\F-Secure
2008-08-10 00:45 . 2008-08-13 02:43 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-08-10 00:45 . 2008-08-10 00:45 1,409 --a------ C:\WINDOWS\QTFont.for
2008-08-07 01:58 . 2008-08-07 01:58 43,520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2008-08-02 12:36 . 2008-08-03 00:18 <DIR> d-------- C:\Documents and Settings\quasimodo\Application Data\F-Secure
2008-08-02 12:35 . 2008-08-02 12:35 <DIR> d-------- C:\Documents and Settings\LocalService\Bureaublad
2008-08-02 12:20 . 2008-08-02 12:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\F-Secure
2008-08-02 12:20 . 2008-08-02 12:37 51,072 --a------ C:\WINDOWS\system32\drivers\fsdfw.sys
2008-08-02 12:20 . 2008-08-02 12:37 30,016 --a------ C:\WINDOWS\system32\drivers\fsndis5.sys
2008-08-02 12:19 . 2008-08-02 12:41 <DIR> d-------- C:\Program Files\Scarlet Secure PC
2008-08-02 12:17 . 2008-08-02 12:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\fssg
2008-08-02 08:13 . 2008-08-02 08:13 685,056 --a------ C:\WINDOWS\is-ICEFL.exe
2008-08-02 08:13 . 2008-08-02 08:13 11,729 --a------ C:\WINDOWS\is-ICEFL.msg
2008-08-02 08:13 . 2008-08-02 08:13 460 --a------ C:\WINDOWS\is-ICEFL.lst
2008-08-02 08:03 . 2008-08-13 02:46 <DIR> d-------- C:\WINDOWS\system32\CatRoot2
2008-07-28 16:55 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-07-22 19:39 . 2008-07-22 19:39 <DIR> d-------- C:\Documents and Settings\quasimodo\Application Data\Malwarebytes
2008-07-22 19:39 . 2008-07-30 20:07 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-22 19:38 . 2008-08-02 08:15 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-22 19:38 . 2008-07-22 19:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-22 19:38 . 2008-07-30 20:07 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-07-21 21:21 . 2008-07-21 21:21 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-21 11:46 . 2008-07-21 11:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-07-21 11:45 . 2008-07-21 11:45 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-07-21 11:45 . 2008-07-21 11:45 <DIR> d-------- C:\Documents and Settings\quasimodo\Application Data\SUPERAntiSpyware.com
2008-07-20 00:07 . 2008-07-20 00:07 <DIR> d-------- C:\Documents and Settings\sam\Application Data\Viewpoint
2008-07-19 20:05 . 2008-07-19 20:05 24 --a------ C:\Documents and Settings\nick\filter.drv
2008-07-19 11:16 . 2008-07-19 11:18 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-07-19 11:02 . 2004-08-04 00:54 327,168 --------- C:\WINDOWS\system32\drivers\ati2mtaa.sys
2008-07-18 09:02 . 2008-07-18 09:02 42 --a------ C:\WINDOWS\system32\RegistryEasy.lie
2008-07-18 08:34 . 2008-08-09 14:42 <DIR> d-------- C:\Program Files\Registry Easy

.
((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-13 00:43 17,408 ----a-w C:\WINDOWS\system32\drivers\USBCRFT.SYS
2008-08-12 15:56 4,906 ----a-w C:\Documents and Settings\nick\Application Data\wklnhst.dat
2008-08-12 09:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-12 09:42 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-08-12 09:18 --------- d-----w C:\Program Files\Lavasoft
2008-08-12 09:18 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-08-06 20:40 67,736 ----a-w C:\Documents and Settings\quasimodo\Application Data\GDIPFONTCACHEV1.DAT
2008-08-02 07:16 103,424 ----a-w C:\WINDOWS\system32\idizphz.dll
2008-07-28 14:55 --------- d-----w C:\Program Files\Java
2008-07-22 20:34 19,530,621 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2008_07_22_21_03_46_full.dmp.zip
2008-07-22 20:33 --------- d-----w C:\Program Files\BoontyGames
2008-07-21 18:11 19,565,789 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2008_07_21_19_35_24_full.dmp.zip
2008-07-21 17:34 19,701,328 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2008_07_21_16_34_59_full.dmp.zip
2008-07-20 18:08 19,707,333 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2008_07_20_18_34_32_full.dmp.zip
2008-07-20 02:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-19 18:11 98,304 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-07-18 07:16 --------- d-----w C:\Documents and Settings\sam\Application Data\Ventrilo
2008-07-18 07:16 --------- d-----w C:\Documents and Settings\sam\Application Data\Pro Cycling Manager 2007
2008-07-18 07:16 --------- d-----w C:\Documents and Settings\quasimodo\Application Data\uTorrent
2008-07-18 07:16 --------- d-----w C:\Documents and Settings\quasimodo\Application Data\Pro Cycling Manager 2007
2008-07-18 07:16 --------- d-----w C:\Documents and Settings\quasimodo\Application Data\DVD Shrink
2008-07-18 07:16 --------- d-----w C:\Documents and Settings\nick\Application Data\Ventrilo
2008-07-18 07:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\PCPitstop
2008-07-11 18:12 --------- d-----w C:\Program Files\Ventrilo
2008-07-11 11:45 24 ----a-w C:\Documents and Settings\sam\filter.drv
2008-07-05 10:42 --------- d-----w C:\Program Files\CCleaner
2008-07-05 09:12 2,575 ----a-w C:\Program Files\HBOFF.LOG
2008-07-05 09:12 1,479 -c--a-w C:\Program Files\Hboff.ini
2008-07-05 09:12 --------- d-----w C:\Program Files\Userdata
2008-07-01 21:15 24 ----a-w C:\Documents and Settings\quasimodo\filter.drv
2008-06-30 16:24 4,222 ----a-w C:\Documents and Settings\sam\Application Data\wklnhst.dat
2008-06-30 16:18 --------- d-----w C:\Program Files\Common Files\Logitech
2008-06-30 10:51 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-30 06:12 --------- d-----w C:\Documents and Settings\quasimodo\Application Data\PC Tools
2008-06-27 20:35 20,708 ----a-w C:\Documents and Settings\quasimodo\Application Data\wklnhst.dat
2008-06-20 17:49 247,296 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 11:51 361,600 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 11:40 138,496 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 11:08 225,856 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-14 17:36 272,640 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-03-29 14:08 67,736 ----a-w C:\Documents and Settings\sam\Application Data\GDIPFONTCACHEV1.DAT
2008-03-28 20:47 1 ----a-w C:\Documents and Settings\quasimodo\SI.bin
2007-11-10 14:38 67,736 ----a-w C:\Documents and Settings\nick\Application Data\GDIPFONTCACHEV1.DAT
2007-07-05 09:11 6,004,736 ----a-w C:\Program Files\HBOFF.EXE
2007-07-05 09:11 275,968 ----a-w C:\Program Files\HomeBank.exe
2007-07-05 08:57 180,736 ----a-w C:\Program Files\HBMSG00.dll
2007-07-05 08:57 176,640 ----a-w C:\Program Files\HBMSG02.dll
2007-07-05 08:57 175,104 ----a-w C:\Program Files\HBMSG01.dll
2007-07-05 08:57 164,352 ----a-w C:\Program Files\HBMSG03.dll
2007-06-25 08:24 84,480 ----a-w C:\Program Files\HBConnMon.exe
2007-06-25 08:24 744 -c--a-w C:\Program Files\hboff.exe.manifest
2007-06-25 08:24 71,168 ----a-w C:\Program Files\HbCalc.exe
2007-06-25 08:24 25,690 -c--a-w C:\Program Files\HBERRORINI.DE
2007-06-25 08:24 25,298 -c--a-w C:\Program Files\HBERRORINI.FR
2007-06-25 08:24 24,620 -c--a-w C:\Program Files\HBERRORINI.NL
2007-06-25 08:24 23,001 -c--a-w C:\Program Files\HBERRORINI.EN
2005-01-27 13:59 8 --sha-r C:\WINDOWS\system32\62A95D688F.sys
2007-12-14 13:25 6,682 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8FFF4FC7-2079-4F05-99C9-3EBE00795F4F}]
2008-08-02 09:16 103424 --a------ c:\windows\system32\cvxsmzj.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ASUS SmartDoctor "= "C:\Program Files\ASUS\SmartDoctor\SmartDoctor.exe" [2007-07-18 16:20 1114112]
"SpybotSD TeaTimer "= "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-07-30 14:45 1829712]
"SUPERAntiSpyware "= "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-28 10:33 1506544]
"ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 19:02 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Keyboard Status "= "C:\PROGRA~1\Medion Tools\KeyStat\KeyStat.exe" [2005-01-25 12:03 411648]
"NeroFilterCheck "= "C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"NvCplDaemon "= "C:\WINDOWS\system32\NvCpl.dll" [2007-06-28 18:43 8466432]
"NvMediaCenter "= "C:\WINDOWS\system32\NvMcTray.dll" [2007-06-28 18:43 81920]
"Adobe Reader Speed Launcher "= "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"QuickTime Task "= "C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24 286720]
"iTunesHelper "= "C:\Program Files\iTunes\iTunesHelper.exe" [2007-08-15 20:15 271672]
"HPDJ Taskbar Utility "= "C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2002-11-05 20:34 188416]
"GameFace Messenger "= "C:\Program Files\GameFace Messenger\GameFace.exe" [2006-11-01 15:50 2154496]
"Adobe Photo Downloader "= "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 00:46 57344]
"ISTray "= "C:\Program Files\Spyware Doctor\pctsTray.exe" [BU]
"SunJavaUpdateSched "= "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"F-Secure Manager "= "C:\Program Files\Scarlet Secure PC\Common\FSM32.EXE" [2007-04-26 19:12 183208]
"F-Secure TNB "= "C:\Program Files\Scarlet Secure PC\FSGUI\TNBUtil.exe" [2007-04-26 19:10 740208]
"AGRSMMSG "= "AGRSMMSG.exe" [2005-03-04 12:01 88209 C:\WINDOWS\AGRSMMSG.exe]
"Dit "= "Dit.exe" [2004-07-20 19:18 90112 C:\WINDOWS\Dit.exe]
"GSICONEXE "= "GSICON.EXE" [2001-05-18 19:29 90112 C:\WINDOWS\system32\gsicon.exe]
"nwiz "= "nwiz.exe" [2007-06-28 18:43 1626112 C:\WINDOWS\system32\nwiz.exe]
"Kernel and Hardware Abstraction Layer "= "KHALMNPR.EXE" [2007-04-11 16:32 56080 C:\WINDOWS\KHALMNPR.Exe]
"DSLAGENTEXE "= "dslagent.exe" [2001-05-18 19:29 16384 C:\WINDOWS\system32\DSLAGENT.EXE]
"GsiFinal "= "gspndll.dll" [2001-05-18 19:28 81920 C:\WINDOWS\system32\gspnDll.dll]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE "= "C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 19:02 15360]
"DWQueuedReporting "= "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 16:38 39264]
"swg "= "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-03-30 10:10 68856]

C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2008-03-22 15:46:17 67128]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2008-03-22 15:43:38 692224]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} "= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AtiExtEvent]
[BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.asv2 "= asusasv2.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=" "

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cmaudio]
cmicnfg.cpl [BU]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall "= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe "=
"C:\\WINDOWS\\system32\\fxsclnt.exe "=
"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe "=
"D:\\Valve\\Condition Zero\\czero.exe "=
"F:\\Program Files\\EA GAMES\\MOHAA\\MOHAA.exe "=
"F:\\Program Files\\Warcraft III\\Warcraft III.exe "=
"C:\\Program Files\\Messenger\\msmsgs.exe "=
"%windir%\\system32\\sessmgr.exe "=
"C:\\Program Files\\Skype\\Phone\\Skype.exe "=
"F:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe "=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe "=
"C:\\Program Files\\MSN Messenger\\livecall.exe "=
"D:\\program files\\EA GAMES\\The Battle for Middle-earth(tm)\\game.dat "=
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe "=
"C:\\Program Files\\iTunes\\iTunes.exe "=
"%windir%\\Network Diagnostic\\xpnetdiag.exe "=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP "= 3724:TCP:Blizzard Downloader: 3724
"1723:TCP "= 1723:TCPxpsp2res.dll,-22015
"1701:UDP "= 1701:UDPxpsp2res.dll,-22016
"500:UDP "= 500:UDPxpsp2res.dll,-22017

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest "= 1 (0x1)

R0 FSFW;F-Secure Firewall Driver;C:\WINDOWS\system32\drivers\fsdfw.sys [2008-08-02 12:37]
R0 rnsjbbou;rnsjbbou;C:\WINDOWS\system32\drivers\rnsjbbou.sys [2004-08-04 13:59]
R1 F-Secure HIPS;F-Secure HIPS;C:\Program Files\Scarlet Secure PC\HIPS\fshs.sys [2008-08-02 12:36]
R2 CA_LIC_CLNT;CA License Client;c:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe [2003-04-07 12:46]
R2 LogWatch;Event Log Watch;c:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe [2002-09-20 12:29]
R2 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 23:38]
R3 3xHybrid;3xHybrid service;C:\WINDOWS\system32\DRIVERS\3xHybrid.sys [2005-02-09 18:02]
R3 ASUSVRC;ASUSTeK Virtual Capture Device;C:\WINDOWS\system32\DRIVERS\AsusVRC.sys [2007-01-29 18:12]
R3 cmudax;C-Media High Definition Audio Interface;C:\WINDOWS\system32\drivers\cmudax.sys [2004-10-01 14:58]
R3 F-Secure Gatekeeper;F-Secure Gatekeeper;C:\Program Files\Scarlet Secure PC\Anti-Virus\minifilter\fsgk.sys [2007-04-26 19:07]
R3 wbscr;Winbond Smartcard Reader for I/O;C:\WINDOWS\system32\drivers\wbscr.sys [2002-04-24 13:07]
S2 gafwload;Webr@cer 850 USB ADSL Loader;C:\WINDOWS\system32\DRIVERS\gafwload.sys [2001-05-18 19:35]
S3 Boonty Games;Boonty Games;C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe [2006-05-20 21:16]
S3 CA_LIC_SRVR;CA License Server;c:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe [2003-04-07 12:45]
S3 CardReaderFilter;Card Reader Filter;C:\WINDOWS\system32\Drivers\USBCRFT.SYS [2008-08-13 02:43]
S3 gkmixern;gkmixern;C:\DOCUME~1\QUASIM~1\LOCALS~1\Temp\gkmixern.sys []
S4 F-Secure Filter;F-Secure File System Filter;C:\Program Files\Scarlet Secure PC\Anti-Virus\Win2K\FSfilter.sys [2007-04-26 19:08]
S4 F-Secure Recognizer;F-Secure File System Recognizer;C:\Program Files\Scarlet Secure PC\Anti-Virus\Win2K\FSrec.sys [2007-04-26 19:08]
.
Inhoud van de 'Gedeelde Taken' map

2008-08-05 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-06-03 13:42]

2008-08-13 C:\WINDOWS\Tasks\MP Scheduled Scan.job
- C:\Program Files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]

2008-08-01 C:\WINDOWS\Tasks\Schedule Task Weekly.job
- C:\Program Files\Registry Easy\RE.exe [2008-07-17 15:49]

2008-08-13 C:\WINDOWS\Tasks\Scheduled scanning task.job
- C:\PROGRA~1\SCARLE~1\ANTI-V~1\fsav.exe [2007-04-26 13:42]
.
- - - - ORPHANS REMOVED - - - -

Toolbar-ID - (no file)


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-13 02:43:31
Windows 5.1.2600 Service Pack 3 NTFS

scannen van verborgen processen ...

scannen van verborgen autostart items ...

scannen van verborgen bestanden ...

Scan succesvol afgerond
verborgen bestanden: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\scardsvr.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Scarlet Secure PC\Anti-Virus\fsgk32st.exe
C:\Program Files\Scarlet Secure PC\Anti-Virus\fsgk32.exe
C:\Program Files\Scarlet Secure PC\Common\FSMA32.EXE
C:\Program Files\Scarlet Secure PC\Common\FSMB32.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Scarlet Secure PC\Common\FCH32.EXE
C:\Program Files\Scarlet Secure PC\Common\FAMEH32.EXE
C:\Program Files\Scarlet Secure PC\Anti-Virus\fsqh.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Scarlet Secure PC\FSGUI\fsguidll.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Scarlet Secure PC\Anti-Virus\fssm32.exe
C:\Program Files\Scarlet Secure PC\FWES\program\fsdfwd.exe
C:\PROGRA~1\SCARLE~1\ANTI-V~1\fsav32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Scarlet Secure PC\FSAUA\program\fsaua.exe
C:\Program Files\Scarlet Secure PC\FSAUA\program\fsus.exe
.
**************************************************************************
.
Voltooingstijd: 2008-08-13 2:49:48 - machine was rebooted [quasimodo]
ComboFix-quarantined-files.txt 2008-08-13 00:49:36
ComboFix2.txt 2008-08-09 11:48:23
ComboFix3.txt 2008-08-02 07:25:36
ComboFix4.txt 2008-07-22 22:36:57

Pre-Run: 45,066,072,064 bytes beschikbaar
Post-Run: 45,057,277,952 bytes beschikbaar

268 --- E O F --- 2008-08-08 19:49:23

2.HIJACKTHIS

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:54:36, on 13/08/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
c:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
C:\Program Files\Scarlet Secure PC\Anti-Virus\fsgk32st.exe
C:\Program Files\Scarlet Secure PC\Anti-Virus\FSGK32.EXE
C:\Program Files\Scarlet Secure PC\Common\FSMA32.EXE
C:\Program Files\Scarlet Secure PC\Common\FSMB32.EXE
c:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Scarlet Secure PC\Common\FCH32.EXE
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Scarlet Secure PC\Common\FAMEH32.EXE
C:\Program Files\Scarlet Secure PC\Anti-Virus\fsqh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\Dit.exe
C:\PROGRA~1\Medion Tools\KeyStat\KeyStat.exe
C:\WINDOWS\system32\GSICON.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\GameFace Messenger\GameFace.exe
C:\WINDOWS\system32\dslagent.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Scarlet Secure PC\Common\FSM32.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Scarlet Secure PC\FSGUI\fsguidll.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Scarlet Secure PC\Anti-Virus\fssm32.exe
C:\Program Files\Scarlet Secure PC\FWES\Program\fsdfwd.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Scarlet Secure PC\Anti-Virus\fsav32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Scarlet Secure PC\FSAUA\program\fsaua.exe
C:\Program Files\Scarlet Secure PC\FSAUA\program\fsus.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.be/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.logogle.com/ggl.php?hl=ja&lo=Ik HOUDT VAN PAPA (EN NICK OOK)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {8FFF4FC7-2079-4F05-99C9-3EBE00795F4F} - c:\windows\system32\cvxsmzj.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [Keyboard Status] C:\PROGRA~1\Medion Tools\KeyStat\KeyStat.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe "
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [GameFace Messenger] C:\Program Files\GameFace Messenger\GameFace.exe
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe "
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe "
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe "
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Scarlet Secure PC\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\Scarlet Secure PC\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [GsiFinal] rundll32 gspndll.dll,postInstall final
O4 - HKCU\..\Run: [ASUS SmartDoctor] C:\Program Files\ASUS\SmartDoctor\SmartDoctor.exe /start
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.aldi.com/
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {4EE87D5D-654F-11D7-828F-B1119AEC2423} (ParCurvCtrl.PCurvCtrl) - http://www.wiskundeonline.nl/ActiveX/ParCurv/Package/ParCurvCtrl.CAB
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://scan.safety.live.com/resource/download/scanner/wlscbase5059.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120044746250
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1120044715890
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Besturing) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotions/spywaredetector/WebAAS.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?326
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Boonty Games - BOONTY - C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates International Inc. - c:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates International Inc. - c:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\Scarlet Secure PC\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\Scarlet Secure PC\FSAUA\program\fsaua.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\Scarlet Secure PC\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\Scarlet Secure PC\Common\FSMA32.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod-service (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - c:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

--
End of file - 11924 bytes

Thanks beforehand, I can't read this as you do.

Jan

 

Hi

I kind of have the same problem.
I'm guessing this says something like it did not remove them??
konden niet verwijderd worden

Because they weren't deleted. So lets try this again.

It's best to disable realtime protection applications as they sometimes interfere with the tool.
Check this link for any applicable programs you may have.
Tea Timer needs to be disabled along with the other applacations.


Now Highlight and copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as;

Filename: CFScript.txt
Save As Type: All Files (*.*)

Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button.
Click here to see how to use CFScript.txt
Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log and another fresh HijackThis log.

Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.

Code:

KillAll::
File::
C:\WINDOWS\system32\idizphz.dll
c:\windows\system32\cvxsmzj.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8FFF4FC7-2079-4F05-99C9-3EBE00795F4F}] 

Please post the combox log and a new HJT log.

Thanks
Geri

 

combo and hijack logs

1.COMBO:

ComboFix 08-08-21.02 - quasimodo 2008-08-22 20:18:18.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.31.1043.18.610 [GMT 2:00]
Gestart vanuit: C:\Documents and Settings\quasimodo\Bureaublad\ComboFix.exe
Command switches used :: C:\Documents and Settings\quasimodo\Bureaublad\CFScript.txt
* Nieuw herstelpunt werd aangemaakt

WAARSCHUWING - DE RECOVERY CONSOLE IS NIET OP DIT SYSTEEM GEINSTALLEERD !!

FILE ::
c:\windows\system32\cvxsmzj.dll
C:\WINDOWS\system32\idizphz.dll
.

(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\cvxsmzj.dll . . . . konden niet verwijderd worden
C:\WINDOWS\system32\idizphz.dll . . . . konden niet verwijderd worden

.
(((((((((((((((((((( Bestanden Gemaakt van 2008-07-22 to 2008-08-22 ))))))))))))))))))))))))))))))
.

2008-08-22 19:43 . 2008-08-22 19:43 <DIR> d-------- C:\Program Files\PCPitstop
2008-08-17 02:17 . 2008-08-17 02:17 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-08-17 02:10 . 2008-08-17 02:12 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-08-16 21:18 . 2008-08-19 21:23 <DIR> d-------- C:\Program Files\EasyZip
2008-08-16 21:18 . 1999-05-21 21:10 129,024 --a------ C:\WINDOWS\system32\ZipDll.dll
2008-08-16 21:18 . 1999-05-21 21:10 115,712 --a------ C:\WINDOWS\system32\UnzDll.dll
2008-08-16 21:18 . 1997-02-17 16:23 53,248 --a------ C:\WINDOWS\system32\UNRAR.DLL
2008-08-16 21:17 . 1996-07-18 13:06 297,472 --a------ C:\WINDOWS\uninst.exe
2008-08-13 15:22 . 2008-05-01 16:37 331,776 -----c--- C:\WINDOWS\system32\dllcache\msadce.dll
2008-08-13 15:21 . 2008-04-11 21:06 691,712 -----c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
2008-08-12 13:53 . 2008-08-12 14:23 <DIR> d-------- C:\Documents and Settings\nick\Application Data\Mijn Battle for Middle-earth bestanden
2008-08-11 14:46 . 2008-08-11 22:11 <DIR> d-------- C:\Documents and Settings\nick\Application Data\F-Secure
2008-08-10 00:45 . 2008-08-22 20:23 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-08-10 00:45 . 2008-08-10 00:45 1,409 --a------ C:\WINDOWS\QTFont.for
2008-08-07 01:58 . 2008-08-07 01:58 43,520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2008-08-02 12:36 . 2008-08-03 00:18 <DIR> d-------- C:\Documents and Settings\quasimodo\Application Data\F-Secure
2008-08-02 12:35 . 2008-08-02 12:35 <DIR> d-------- C:\Documents and Settings\LocalService\Bureaublad
2008-08-02 12:20 . 2008-08-02 12:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\F-Secure
2008-08-02 12:20 . 2008-08-02 12:37 51,072 --a------ C:\WINDOWS\system32\drivers\fsdfw.sys
2008-08-02 12:20 . 2008-08-02 12:37 30,016 --a------ C:\WINDOWS\system32\drivers\fsndis5.sys
2008-08-02 12:19 . 2008-08-02 12:41 <DIR> d-------- C:\Program Files\Scarlet Secure PC
2008-08-02 12:17 . 2008-08-02 12:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\fssg
2008-08-02 08:13 . 2008-08-02 08:13 685,056 --a------ C:\WINDOWS\is-ICEFL.exe
2008-08-02 08:13 . 2008-08-02 08:13 11,729 --a------ C:\WINDOWS\is-ICEFL.msg
2008-08-02 08:13 . 2008-08-02 08:13 460 --a------ C:\WINDOWS\is-ICEFL.lst
2008-08-02 08:03 . 2008-08-22 20:23 <DIR> d-------- C:\WINDOWS\system32\CatRoot2
2008-08-01 14:13 . 2008-08-20 09:56 4,196,405 --a------ C:\WINDOWS\pfirewall.log.old
2008-07-28 16:55 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-07-22 19:39 . 2008-07-22 19:39 <DIR> d-------- C:\Documents and Settings\quasimodo\Application Data\Malwarebytes
2008-07-22 19:39 . 2008-07-30 20:07 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-22 19:38 . 2008-08-02 08:15 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-22 19:38 . 2008-07-22 19:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-22 19:38 . 2008-07-30 20:07 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys

.
((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-22 18:23 17,408 ----a-w C:\WINDOWS\system32\drivers\USBCRFT.SYS
2008-08-22 17:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\PCPitstop
2008-08-22 15:54 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-08-20 00:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-08-19 16:43 --------- d-----w C:\Program Files\Registry Easy
2008-08-17 00:09 --------- d-----w C:\Program Files\Windows Media Connect
2008-08-14 13:17 --------- d-----w C:\Documents and Settings\nick\Application Data\Ahead
2008-08-12 15:56 4,906 ----a-w C:\Documents and Settings\nick\Application Data\wklnhst.dat
2008-08-12 09:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-12 09:18 --------- d-----w C:\Program Files\Lavasoft
2008-08-12 09:18 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-08-06 20:40 67,736 ----a-w C:\Documents and Settings\quasimodo\Application Data\GDIPFONTCACHEV1.DAT
2008-08-02 07:16 103,424 ----a-w C:\WINDOWS\system32\idizphz.dll
2008-07-28 14:55 --------- d-----w C:\Program Files\Java
2008-07-22 20:34 19,530,621 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2008_07_22_21_03_46_full.dmp.zip
2008-07-22 20:33 --------- d-----w C:\Program Files\BoontyGames
2008-07-21 19:21 --------- d-----w C:\Program Files\Trend Micro
2008-07-21 18:11 19,565,789 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2008_07_21_19_35_24_full.dmp.zip
2008-07-21 17:34 19,701,328 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2008_07_21_16_34_59_full.dmp.zip
2008-07-21 09:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-07-21 09:45 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-07-21 09:45 --------- d-----w C:\Documents and Settings\quasimodo\Application Data\SUPERAntiSpyware.com
2008-07-20 18:08 19,707,333 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2008_07_20_18_34_32_full.dmp.zip
2008-07-20 02:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-19 22:07 --------- d-----w C:\Documents and Settings\sam\Application Data\Viewpoint
2008-07-19 18:11 98,304 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-07-19 18:05 24 ----a-w C:\Documents and Settings\nick\filter.drv
2008-07-18 07:16 --------- d-----w C:\Documents and Settings\sam\Application Data\Ventrilo
2008-07-18 07:16 --------- d-----w C:\Documents and Settings\sam\Application Data\Pro Cycling Manager 2007
2008-07-18 07:16 --------- d-----w C:\Documents and Settings\quasimodo\Application Data\uTorrent
2008-07-18 07:16 --------- d-----w C:\Documents and Settings\quasimodo\Application Data\Pro Cycling Manager 2007
2008-07-18 07:16 --------- d-----w C:\Documents and Settings\quasimodo\Application Data\DVD Shrink
2008-07-18 07:16 --------- d-----w C:\Documents and Settings\nick\Application Data\Ventrilo
2008-07-11 18:12 --------- d-----w C:\Program Files\Ventrilo
2008-07-11 11:45 24 ----a-w C:\Documents and Settings\sam\filter.drv
2008-07-07 20:30 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-07-05 10:42 --------- d-----w C:\Program Files\CCleaner
2008-07-05 09:12 2,575 ----a-w C:\Program Files\HBOFF.LOG
2008-07-05 09:12 1,479 -c--a-w C:\Program Files\Hboff.ini
2008-07-05 09:12 --------- d-----w C:\Program Files\Userdata
2008-07-01 21:15 24 ----a-w C:\Documents and Settings\quasimodo\filter.drv
2008-06-30 16:24 4,222 ----a-w C:\Documents and Settings\sam\Application Data\wklnhst.dat
2008-06-30 16:18 --------- d-----w C:\Program Files\Common Files\Logitech
2008-06-30 10:51 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-30 06:12 --------- d-----w C:\Documents and Settings\quasimodo\Application Data\PC Tools
2008-06-27 20:35 20,708 ----a-w C:\Documents and Settings\quasimodo\Application Data\wklnhst.dat
2008-06-24 16:46 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-23 15:12 669,184 ----a-w C:\WINDOWS\system32\wininet.dll
2008-06-20 17:49 247,296 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-03-29 14:08 67,736 ----a-w C:\Documents and Settings\sam\Application Data\GDIPFONTCACHEV1.DAT
2008-03-28 20:47 1 ----a-w C:\Documents and Settings\quasimodo\SI.bin
2007-11-10 14:38 67,736 ----a-w C:\Documents and Settings\nick\Application Data\GDIPFONTCACHEV1.DAT
2007-07-05 09:11 6,004,736 ----a-w C:\Program Files\HBOFF.EXE
2007-07-05 09:11 275,968 ----a-w C:\Program Files\HomeBank.exe
2007-07-05 08:57 180,736 ----a-w C:\Program Files\HBMSG00.dll
2007-07-05 08:57 176,640 ----a-w C:\Program Files\HBMSG02.dll
2007-07-05 08:57 175,104 ----a-w C:\Program Files\HBMSG01.dll
2007-07-05 08:57 164,352 ----a-w C:\Program Files\HBMSG03.dll
2007-06-25 08:24 84,480 ----a-w C:\Program Files\HBConnMon.exe
2007-06-25 08:24 744 -c--a-w C:\Program Files\hboff.exe.manifest
2007-06-25 08:24 71,168 ----a-w C:\Program Files\HbCalc.exe
2007-06-25 08:24 25,690 -c--a-w C:\Program Files\HBERRORINI.DE
2007-06-25 08:24 25,298 -c--a-w C:\Program Files\HBERRORINI.FR
2007-06-25 08:24 24,620 -c--a-w C:\Program Files\HBERRORINI.NL
2007-06-25 08:24 23,001 -c--a-w C:\Program Files\HBERRORINI.EN
2005-01-27 13:59 8 --sha-r C:\WINDOWS\system32\62A95D688F.sys
2007-12-14 13:25 6,682 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8FFF4FC7-2079-4F05-99C9-3EBE00795F4F}]
2008-08-02 09:16 103424 --a------ c:\windows\system32\cvxsmzj.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ASUS SmartDoctor "= "C:\Program Files\ASUS\SmartDoctor\SmartDoctor.exe" [2007-07-18 16:20 1114112]
"ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 19:02 15360]
"WMPNSCFG "= "C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 22:53 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Keyboard Status "= "C:\PROGRA~1\Medion Tools\KeyStat\KeyStat.exe" [2005-01-25 12:03 411648]
"NeroFilterCheck "= "C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"NvCplDaemon "= "C:\WINDOWS\system32\NvCpl.dll" [2007-06-28 18:43 8466432]
"NvMediaCenter "= "C:\WINDOWS\system32\NvMcTray.dll" [2007-06-28 18:43 81920]
"Adobe Reader Speed Launcher "= "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"QuickTime Task "= "C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24 286720]
"iTunesHelper "= "C:\Program Files\iTunes\iTunesHelper.exe" [2007-08-15 20:15 271672]
"HPDJ Taskbar Utility "= "C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2002-11-05 20:34 188416]
"GameFace Messenger "= "C:\Program Files\GameFace Messenger\GameFace.exe" [2006-11-01 15:50 2154496]
"Adobe Photo Downloader "= "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 00:46 57344]
"ISTray "= "C:\Program Files\Spyware Doctor\pctsTray.exe" [BU]
"SunJavaUpdateSched "= "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"F-Secure Manager "= "C:\Program Files\Scarlet Secure PC\Common\FSM32.EXE" [2007-04-26 19:12 183208]
"F-Secure TNB "= "C:\Program Files\Scarlet Secure PC\FSGUI\TNBUtil.exe" [2007-04-26 19:10 740208]
"PC Pitstop Optimize Reminder "= "C:\Program Files\PCPitstop\Optimize2\Reminder.exe" [2008-01-31 13:54 145648]
"AGRSMMSG "= "AGRSMMSG.exe" [2005-03-04 12:01 88209 C:\WINDOWS\AGRSMMSG.exe]
"Dit "= "Dit.exe" [2004-07-20 19:18 90112 C:\WINDOWS\Dit.exe]
"GSICONEXE "= "GSICON.EXE" [2001-05-18 19:29 90112 C:\WINDOWS\system32\gsicon.exe]
"nwiz "= "nwiz.exe" [2007-06-28 18:43 1626112 C:\WINDOWS\system32\nwiz.exe]
"Kernel and Hardware Abstraction Layer "= "KHALMNPR.EXE" [2007-04-11 16:32 56080 C:\WINDOWS\KHALMNPR.Exe]
"DSLAGENTEXE "= "dslagent.exe" [2001-05-18 19:29 16384 C:\WINDOWS\system32\DSLAGENT.EXE]
"GsiFinal "= "gspndll.dll" [2001-05-18 19:28 81920 C:\WINDOWS\system32\gspnDll.dll]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE "= "C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 19:02 15360]
"DWQueuedReporting "= "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 16:38 39264]
"swg "= "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-03-30 10:10 68856]

C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2008-03-22 15:46:17 67128]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2008-03-22 15:43:38 692224]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} "= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AtiExtEvent]
[BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.asv2 "= asusasv2.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=" "

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cmaudio]
cmicnfg.cpl [BU]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer "=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe "=
"C:\\WINDOWS\\system32\\fxsclnt.exe "=
"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe "=
"D:\\Valve\\Condition Zero\\czero.exe "=
"F:\\Program Files\\EA GAMES\\MOHAA\\MOHAA.exe "=
"F:\\Program Files\\Warcraft III\\Warcraft III.exe "=
"C:\\Program Files\\Messenger\\msmsgs.exe "=
"%windir%\\system32\\sessmgr.exe "=
"C:\\Program Files\\Skype\\Phone\\Skype.exe "=
"F:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe "=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe "=
"C:\\Program Files\\MSN Messenger\\livecall.exe "=
"D:\\program files\\EA GAMES\\The Battle for Middle-earth(tm)\\game.dat "=
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe "=
"C:\\Program Files\\iTunes\\iTunes.exe "=
"%windir%\\Network Diagnostic\\xpnetdiag.exe "=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP "= 3724:TCP:Blizzard Downloader: 3724
"1723:TCP "= 1723:TCPxpsp2res.dll,-22015
"1701:UDP "= 1701:UDPxpsp2res.dll,-22016
"500:UDP "= 500:UDPxpsp2res.dll,-22017

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest "= 1 (0x1)

R0 FSFW;F-Secure Firewall Driver;C:\WINDOWS\system32\drivers\fsdfw.sys [2008-08-02 12:37]
R0 rnsjbbou;rnsjbbou;C:\WINDOWS\system32\drivers\rnsjbbou.sys [2004-08-04 13:59]
R1 F-Secure HIPS;F-Secure HIPS;C:\Program Files\Scarlet Secure PC\HIPS\fshs.sys [2008-08-02 12:36]
R2 CA_LIC_CLNT;CA License Client;c:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe [2003-04-07 12:46]
R2 LogWatch;Event Log Watch;c:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe [2002-09-20 12:29]
R3 3xHybrid;3xHybrid service;C:\WINDOWS\system32\DRIVERS\3xHybrid.sys [2005-02-09 18:02]
R3 ASUSVRC;ASUSTeK Virtual Capture Device;C:\WINDOWS\system32\DRIVERS\AsusVRC.sys [2007-01-29 18:12]
R3 cmudax;C-Media High Definition Audio Interface;C:\WINDOWS\system32\drivers\cmudax.sys [2004-10-01 14:58]
R3 F-Secure Gatekeeper;F-Secure Gatekeeper;C:\Program Files\Scarlet Secure PC\Anti-Virus\minifilter\fsgk.sys [2007-04-26 19:07]
R3 wbscr;Winbond Smartcard Reader for I/O;C:\WINDOWS\system32\drivers\wbscr.sys [2002-04-24 13:07]
S2 gafwload;Webr@cer 850 USB ADSL Loader;C:\WINDOWS\system32\DRIVERS\gafwload.sys [2001-05-18 19:35]
S3 Boonty Games;Boonty Games;C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe [2006-05-20 21:16]
S3 CA_LIC_SRVR;CA License Server;c:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe [2003-04-07 12:45]
S3 CardReaderFilter;Card Reader Filter;C:\WINDOWS\system32\Drivers\USBCRFT.SYS [2008-08-22 20:23]
S3 gkmixern;gkmixern;C:\DOCUME~1\QUASIM~1\LOCALS~1\Temp\gkmixern.sys []
S4 F-Secure Filter;F-Secure File System Filter;C:\Program Files\Scarlet Secure PC\Anti-Virus\Win2K\FSfilter.sys [2007-04-26 19:08]
S4 F-Secure Recognizer;F-Secure File System Recognizer;C:\Program Files\Scarlet Secure PC\Anti-Virus\Win2K\FSrec.sys [2007-04-26 19:08]
.
Inhoud van de 'Gedeelde Taken' map

2008-08-05 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-06-03 13:42]

2008-08-22 C:\WINDOWS\Tasks\MP Scheduled Scan.job
- C:\Program Files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]

2008-08-15 C:\WINDOWS\Tasks\Schedule Task Weekly.job
- C:\Program Files\Registry Easy\RE.exe [2008-07-17 15:49]

2008-08-22 C:\WINDOWS\Tasks\Scheduled scanning task.job
- C:\PROGRA~1\SCARLE~1\ANTI-V~1\fsav.exe [2007-04-26 13:42]
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-22 20:23:24
Windows 5.1.2600 Service Pack 3 NTFS

scannen van verborgen processen ...

scannen van verborgen autostart items ...

scannen van verborgen bestanden ...

Scan succesvol afgerond
verborgen bestanden: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\scardsvr.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Scarlet Secure PC\Anti-Virus\fsgk32st.exe
C:\Program Files\Scarlet Secure PC\Common\FSMA32.EXE
C:\Program Files\Scarlet Secure PC\Anti-Virus\fsgk32.exe
C:\Program Files\Scarlet Secure PC\Common\FSMB32.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Scarlet Secure PC\Common\FCH32.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Scarlet Secure PC\Anti-Virus\fsqh.exe
C:\Program Files\Scarlet Secure PC\Common\FAMEH32.EXE
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Scarlet Secure PC\FSGUI\fsguidll.exe
C:\Program Files\Scarlet Secure PC\FSAUA\program\fsaua.exe
C:\Program Files\Scarlet Secure PC\Anti-Virus\fssm32.exe
C:\Program Files\Scarlet Secure PC\FWES\program\fsdfwd.exe
C:\Program Files\Scarlet Secure PC\FSAUA\program\fsus.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Scarlet Secure PC\Anti-Virus\fsav32.exe
.
**************************************************************************
.
Voltooingstijd: 2008-08-22 20:32:10 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-22 18:31:22
ComboFix2.txt 2008-08-16 00:15:29
ComboFix3.txt 2008-08-13 00:49:51
ComboFix4.txt 2008-08-09 11:48:23
ComboFix5.txt 2008-08-22 18:17:29

Pre-Run: 43,875,590,144 bytes beschikbaar
Post-Run: 43,940,732,928 bytes beschikbaar

275 --- E O F --- 2008-08-21 20:03:39

2.Hijack log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:35:57, on 22/08/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
c:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
C:\Program Files\Scarlet Secure PC\Anti-Virus\fsgk32st.exe
C:\Program Files\Scarlet Secure PC\Common\FSMA32.EXE
C:\Program Files\Scarlet Secure PC\Anti-Virus\FSGK32.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Scarlet Secure PC\Common\FSMB32.EXE
c:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Scarlet Secure PC\Common\FCH32.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Scarlet Secure PC\Anti-Virus\fsqh.exe
C:\Program Files\Scarlet Secure PC\Common\FAMEH32.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\Dit.exe
C:\PROGRA~1\Medion Tools\KeyStat\KeyStat.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\dslagent.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Scarlet Secure PC\Common\FSM32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Scarlet Secure PC\FSGUI\fsguidll.exe
C:\Program Files\Scarlet Secure PC\FSAUA\program\fsaua.exe
C:\Program Files\Scarlet Secure PC\Anti-Virus\fssm32.exe
C:\Program Files\Scarlet Secure PC\FWES\Program\fsdfwd.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Scarlet Secure PC\FSAUA\program\fsus.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Scarlet Secure PC\Anti-Virus\fsav32.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.be/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.logogle.com/ggl.php?hl=ja&lo=Ik HOUDT VAN PAPA (EN NICK OOK)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {8FFF4FC7-2079-4F05-99C9-3EBE00795F4F} - c:\windows\system32\cvxsmzj.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [Keyboard Status] C:\PROGRA~1\Medion Tools\KeyStat\KeyStat.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe "
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [GameFace Messenger] C:\Program Files\GameFace Messenger\GameFace.exe
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe "
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe "
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe "
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Scarlet Secure PC\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\Scarlet Secure PC\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [GsiFinal] rundll32 gspndll.dll,postInstall final
O4 - HKLM\..\Run: [PC Pitstop Optimize Reminder] C:\Program Files\PCPitstop\Optimize2\Reminder.exe
O4 - HKCU\..\Run: [ASUS SmartDoctor] C:\Program Files\ASUS\SmartDoctor\SmartDoctor.exe /start
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.aldi.com/
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {4EE87D5D-654F-11D7-828F-B1119AEC2423} (ParCurvCtrl.PCurvCtrl) - http://www.wiskundeonline.nl/ActiveX/ParCurv/Package/ParCurvCtrl.CAB
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://scan.safety.live.com/resource/download/scanner/wlscbase5059.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120044746250
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1120044715890
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Besturing) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotions/spywaredetector/WebAAS.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?326
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Boonty Games - BOONTY - C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates International Inc. - c:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates International Inc. - c:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\Scarlet Secure PC\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\Scarlet Secure PC\FSAUA\program\fsaua.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\Scarlet Secure PC\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\Scarlet Secure PC\Common\FSMA32.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod-service (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - c:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

--
End of file - 11541 bytes


What now?

Thanks anyway, The system's running quasi normal, only internet is slow on opening pages and downloading files.

Jan