TheTechGuide Forum
General Category => Tech Clinic => Topic started by: rosedaniels on June 15, 2007, 09:57:36 AM
-
Hi there,
I would sincerely appreciate it if you could help me with this problem:
My daughter uses Windows Live Messenger to communicate with her schoolmates. Apparently she clicked on a link (as her schoolmates have suffered from the same "problem") and with that action something was copied into the computer.
"It" results in blocking the log-in functionality when starting Windows Live Messenger again ("It" does not seem to 'control' any other program) and it shows two files on the "Bureaublad" (is Dutch for "Desk"?): doc.exe and mon.exe. When you delete these two files they reappear after restarting the computer and/or starting Windows Live Messenger.
I use McAfee antivirus and this gives a message that it removed "Vundo" when starting Windows Live Messenger.
I discovered that my 'recovery' option of Windows was NOT on, so I could not go back to the situation before the infection.
I also used HitmanPro and all that belongs to it to try to 'clean' whatever is there. But I seem to lack sufficient knowledge of what I am exactly doing. So you are my last resort at this time. I downloaded HJT and produced the following log. Hope you can help as you did two years ago.
Logfile of HijackThis v1.99.1
Scan saved at 16:39:59, on 15-6-2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\Program Files\SiteAdvisor\6066\SAService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeperhe\SpySweeper.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\VibrateGameDeviceDriver\RFPIcon.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\SiteAdvisor\6066\SiteAdv.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\WINDOWS\SYSTEM32\VirtualExpander\VirtualExpander.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/nl/nld/gen/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.planet.nl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/nl/nld/gen/default.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell.com/countries/nl/nld/gen/default.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.euro.dell.com/countries/nl/nld/gen/default.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O2 - BHO: Alcohol Toolbar Helper - {0ACF00E0-C1E4-4F6B-B290-10AC7505C47A} - C:\Program Files\Alcohol Toolbar\v3.0.0.0\AudioGizmo_Toolbar.dll
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\program files\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll
O2 - BHO: McAfee AntiPhishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Alcohol Toolbar - {DC59A0D4-0ED6-4A73-B356-1B977F2A7725} - C:\Program Files\Alcohol Toolbar\v3.0.0.0\AudioGizmo_Toolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DXM6Patch_981116] "C:\WINDOWS\p_981116.exe" /Q:A
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [RTBatteryMeter] "C:\Program Files\VibrateGameDeviceDriver\RFPIcon.exe"
O4 - HKLM\..\Run: [MPSExe] "c:\PROGRA~1\mcafee.com\mps\mscifapp.exe" /embedding
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] "C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe" /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SiteAdvisor] "C:\Program Files\SiteAdvisor\6066\SiteAdv.exe"
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - Startup: VirtualExpander.lnk = C:\WINDOWS\SYSTEM32\VirtualExpander\VirtualExpander.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Snelle start.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: Snelstart HP Image Zone.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: (no name) - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - (no file)
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra 'Tools' menuitem: McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: Bonjour-service (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: SiteAdvisor Service - McAfee, Inc. - C:\Program Files\SiteAdvisor\6066\SAService.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeperhe\SpySweeper.exe
-
Hi again rosedaniels, can you do the following please
Download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop.
- Double-click VundoFix.exe to run it.
- Click the Scan for Vundo button.
- Once it's done scanning, click the Remove Vundo button.
- You will receive a prompt asking if you want to remove the files, click YES
- Once you click yes, your desktop will go blank as it starts removing Vundo.
- When completed, it will prompt that it will reboot your computer, click OK.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above
instructions starting from "Click the Scan for Vundo button."
I'll need to see this report from VundoFix later: C:\Vundofix.txt
Next:
Then, download this file - ComboFix.exe (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) and save it ONLY to your desktop.
Double click combofix.exe & follow the prompts.
When finished, it shall produce a log for you.
Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
Post back the following
1. Post the log from combofix
2. Post the report from vundofix
3. Post a fresh hijackthis log
-
guestolo wrote (Jun 16 2007, 02:05 AM):
> Hi again rosedaniels, can you do the following please
> Download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop.
> - Double-click VundoFix.exe to run it.
> - Click the Scan for Vundo button.
> - Once it's done scanning, click the Remove Vundo button.
> - You will receive a prompt asking if you want to remove the files, click YES
> - Once you click yes, your desktop will go blank as it starts removing Vundo.
> - When completed, it will prompt that it will reboot your computer, click OK.
> Note: It is possible that VundoFix encountered a file it could not remove.
> In this case, VundoFix will run on reboot, simply follow the above
> instructions starting from "Click the Scan for Vundo button."
> I'll need to see this report from VundoFix later: C:\Vundofix.txt
OK, first step has been done:
VundoFix said: No files found
However I did click "Remove Vundo" with of course no result.
Here is the log file:
VundoFix V6.5.0
Checking Java version...
Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.10
Scan started at 17:15:12 14-6-2007
Listing files found while scanning....
Beginning removal...
VundoFix V6.5.0
Checking Java version...
Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.10
Scan started at 17:22:25 14-6-2007
Listing files found while scanning....
No infected files were found.
VundoFix V6.5.0
Checking Java version...
Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.10
Scan started at 18:42:34 17-6-2007
Listing files found while scanning....
No infected files were found.
Beginning removal...
-
Here is the log from ComboFix:
ComboFix 07-06-17 - C:\Documents and Settings\Arjan\Bureaublad\ComboFix.exe
"Arjan" - 2007-06-17 19:32:58 - Service Pack 1 NTFS
((((((((((((((((((((((((( Files Created from 2007-05-17 to 2007-06-17 )))))))))))))))))))))))))))))))
2007-06-17 19:32 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-15 16:35 <DIR> d-------- C:\HJT
2007-06-14 17:15 <DIR> d-------- C:\VundoFix Backups
2007-06-13 23:05 83,024 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\iksyssec.sys
2007-06-13 23:05 626,688 --a------ C:\WINDOWS\SYSTEM32\msvcr80.dll
2007-06-13 23:05 57,424 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\iksysflt.sys
2007-06-13 23:05 53,840 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\ikfilesec.sys
2007-06-13 23:05 39,376 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\ikfileflt.sys
2007-06-13 23:05 29,264 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\kcom.sys
2007-06-13 23:05 <DIR> d-------- C:\Program Files\Spyware Doctor
2007-06-13 23:04 22,080 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\sshrmd.sys
2007-06-13 23:04 21,056 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\sskbfd.sys
2007-06-13 23:04 20,544 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\SSFS0509.sys
2007-06-13 23:04 164 --a------ C:\install.dat
2007-06-13 23:04 144,960 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\ssidrv.sys
2007-06-13 23:04 <DIR> d-------- C:\Program Files\Webroot
2007-06-13 23:04 <DIR> d-------- C:\DOCUME~1\Arjan\APPLIC~1\Webroot
2007-06-13 23:04 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Webroot
2007-06-13 23:02 <DIR> d-------- C:\Program Files\Lavasoft
2007-06-13 22:59 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-06-13 18:31 70,940 --a------ C:\WINDOWS\SYSTEM32\mon.exe
2007-06-13 18:31 211,944 --a------ C:\WINDOWS\SYSTEM32\doc.exe
2007-06-13 16:58 70,913 --a------ C:\DOCUME~1\Arjan\mon.exe
2007-06-13 16:58 211,944 --a------ C:\DOCUME~1\Arjan\doc.exe
2007-06-11 21:06 <DIR> d-------- C:\WINDOWS\FLV Player
2007-06-11 21:06 <DIR> d-------- C:\Program Files\FLV Player
2007-06-11 20:53 <DIR> d-------- C:\Program Files\Super
2007-06-03 14:10 <DIR> dr-h----- C:\DOCUME~1\Arjan\Onlangs geopend
2007-05-31 23:59 <DIR> d-------- C:\Program Files\Bordermaker26
2007-05-28 10:14 <DIR> d-------- C:\Program Files\AH Fotoservice
2007-05-19 13:10 335 --a------ C:\WINDOWS\mozregistry.dat
2007-05-18 10:27 5,819,200 --a------ C:\Program Files\Firefox Setup 2.0.0.3.exe
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-06-17 14:10:23 -------- d-----w C:\DOCUME~1\Arjan\APPLIC~1\CoreFTP
2007-06-17 13:26:38 -------- d-----w C:\DOCUME~1\Arjan\APPLIC~1\OpenOffice.org2
2007-06-16 20:50:44 -------- d-----w C:\Program Files\Trillian
2007-06-16 04:22:50 -------- d-----w C:\DOCUME~1\Arjan\APPLIC~1\SiteAdvisor
2007-06-15 14:43:56 -------- d-----w C:\Program Files\Hitman Pro
2007-06-14 20:00:14 -------- d-----w C:\Program Files\OpenOffice.org1.1.0
2007-06-13 21:22:19 -------- d-----w C:\DOCUME~1\Arjan\APPLIC~1\Lavasoft
2007-06-13 14:58:40 -------- d-----w C:\Program Files\MSN Messenger
2007-06-03 20:33:34 -------- d-----w C:\DOCUME~1\Arjan\APPLIC~1\AdobeUM
2007-05-20 14:35:25 -------- d-----w C:\Program Files\Hema Album Software Advanced
2007-05-18 12:24:01 -------- d-----w C:\Program Files\Der teuflische Spiegel
2007-05-12 18:22:18 -------- d-----w C:\Program Files\GenoPro
2007-05-03 10:05:56 -------- d-----w C:\Program Files\GIMP-2.0
2007-04-26 18:25:20 -------- d-----w C:\Program Files\Common Files\ST System Shared
2007-04-26 18:25:19 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-04-26 18:25:19 -------- d-----w C:\Program Files\Samsung
2007-04-26 18:25:19 -------- d-----w C:\DOCUME~1\Arjan\APPLIC~1\Samsung
2007-04-26 16:42:50 -------- d-----w C:\Program Files\Nikon
2007-04-22 13:38:57 247,866 ----a-w C:\WINDOWS\Alcohol_Toolbar_Uninstaller_6656.exe
2007-04-22 13:38:57 -------- d-----w C:\Program Files\Alcohol Toolbar
2007-04-22 13:38:30 223,128 ----a-w C:\WINDOWS\system32\drivers\vaxscsi.sys
2007-04-21 20:57:20 -------- d-----w C:\Program Files\kaspersky
2007-03-25 08:32:10 69,380 ----a-w C:\WINDOWS\system32\PERFC013.DAT
2007-03-25 08:32:10 442,004 ----a-w C:\WINDOWS\system32\PERFH013.DAT
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{089FD14D-132B-48FC-8861-0048AE113215}=C:\Program Files\SiteAdvisor\6066\SiteAdv.dll [2007-03-30 17:41]
{0ACF00E0-C1E4-4F6B-B290-10AC7505C47A}=C:\Program Files\Alcohol Toolbar\v3.0.0.0\AudioGizmo_Toolbar.dll [2007-04-22 15:38]
{227B8AA8-DAF2-4892-BD1D-73F568BCB24E}=c:\program files\mcafee.com\mps\mcbrhlpr.dll [2005-10-28 10:30]
{3EC8255F-E043-4cae-8B3B-B191550C2A22}=c:\program files\mcafee.com\mps\popupkiller.dll [2005-10-28 10:30]
{41D68ED8-4CFF-4115-88A6-6EBB8AF19000}=c:\program files\mcafee\spamkiller\mcapfbho.dll [2005-11-09 15:08]
{53707962-6F74-2D53-2644-206D7942484F}=C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2005-05-31 01:04]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll [2006-11-09 16:21]
{7DB2D5A0-7241-4E79-B68D-6309F01C5231}=c:\program files\mcafee\virusscan\scriptcl.dll [2006-12-22 17:02]
{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar3.dll [2007-01-20 00:55]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"diagent"="C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" [2002-04-03 03:01]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 14:28]
"Acronis Scheduler2 Service"="C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe" [2004-07-25 12:52]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe" [2006-11-09 16:07]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2004-02-12 13:38]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 15:18]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2005-09-03 19:21]
"RTBatteryMeter"="C:\Program Files\VibrateGameDeviceDriver\RFPIcon.exe" [2003-01-16 11:32]
"MPSExe"="c:\PROGRA~1\mcafee.com\mps\mscifapp.exe" [2006-03-30 14:31]
"MSKAGENTEXE"="C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe" [2005-11-09 15:08]
"MSKDetectorExe"="C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe" [2005-08-12 16:16]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-01 16:57]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6066\SiteAdv.exe" [2006-11-18 14:46]
"nwiz"="nwiz.exe" [2006-10-22 12:22 C:\WINDOWS\SYSTEM32\nwiz.exe]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2002-09-11 07:00]
"MSMSGS"="C:\Program Files\Messenger\MSMSGS.exe" [2004-11-15 17:18]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
@=
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdauxservice]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdcoreservice]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WebrootSpySweeperService]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Usnsvc usnsvc
Contents of the 'Scheduled Tasks' folder
2007-06-12 14:05:01 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
2005-03-06 19:11:59 C:\WINDOWS\tasks\Symantec NetDetect.job
**************************************************************************
catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-17 19:50:07
Windows 5.1.2600 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
**************************************************************************
Completion time: 2007-06-17 19:51:24
--- E O F ---
-
And the log file from HJT:
Logfile of HijackThis v1.99.1
Scan saved at 19:57:52, on 17-6-2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\Program Files\SiteAdvisor\6066\SAService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeperhe\SpySweeper.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\VibrateGameDeviceDriver\RFPIcon.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\SiteAdvisor\6066\SiteAdv.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\WINDOWS\SYSTEM32\VirtualExpander\VirtualExpander.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Java\jre1.5.0_10\bin\jucheck.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.planet.nl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/nl/nld/gen/default.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.euro.dell.com/countries/nl/nld/gen/default.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O2 - BHO: Alcohol Toolbar Helper - {0ACF00E0-C1E4-4F6B-B290-10AC7505C47A} - C:\Program Files\Alcohol Toolbar\v3.0.0.0\AudioGizmo_Toolbar.dll
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\program files\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll
O2 - BHO: McAfee AntiPhishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Alcohol Toolbar - {DC59A0D4-0ED6-4A73-B356-1B977F2A7725} - C:\Program Files\Alcohol Toolbar\v3.0.0.0\AudioGizmo_Toolbar.dll
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [RTBatteryMeter] "C:\Program Files\VibrateGameDeviceDriver\RFPIcon.exe"
O4 - HKLM\..\Run: [MPSExe] "c:\PROGRA~1\mcafee.com\mps\mscifapp.exe" /embedding
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] "C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe" /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SiteAdvisor] "C:\Program Files\SiteAdvisor\6066\SiteAdv.exe"
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - Startup: VirtualExpander.lnk = C:\WINDOWS\SYSTEM32\VirtualExpander\VirtualExpander.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Snelle start.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: Snelstart HP Image Zone.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: (no name) - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - (no file)
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra 'Tools' menuitem: McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: Bonjour-service (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: SiteAdvisor Service - McAfee, Inc. - C:\Program Files\SiteAdvisor\6066\SAService.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeperhe\SpySweeper.exe
-
I would like to check those 2 files
1. Can you go to either of these links
http://virusscan.jotti.org/
OR
http://www.virustotal.com/flash/index_en.html
Use the browse button and navigate to the file on your harddrive
C:\WINDOWS\SYSTEM32\mon.exe<-this file
Right click on the file, and choose Select>>or double click on it
Then use the Submit button
Let it finish scanning
Could you post back the results of the scan back here please
Do the same thing with the next one too
C:\WINDOWS\SYSTEM32\doc.exe<-this file
In addition
2. If you have an older version of Smitfraudfix, delete it
Download SmitfraudFix (http://siri.urz.free.fr/Fix/SmitfraudFix.zip) (by S!Ri)
Extract the contents (a folder named SmitfraudFix) to your Desktop.
Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.
3. Please supply an uninstall list from Hijackthis
Open Hijackthis>>Open MISC TOOLS SECTION>>Open UNINSTALL MANAGER
Click the SAVE LIST... button
Save the list to your desktop then copy>>Paste back here the Whole contents
4. After you post the uninstall list
Can you do the following, navigate to hijackthis.exe
C:\HJT\HijackThis.exe>>Right click on HijackThis.exe and rename it to Analyse.exe
Then run a fresh scan and save logfile and post the new log please
If you could do the above 4 steps, then we will take it from there
-
Results from Virusjotti reg the doc.exe file:
Scan taken on 17 Jun 2007 20:04:41 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Rising Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing
-
And Virusscan.jotti reported the following about the mon.exe file:
File: mon.exe
Status:
INFECTED/MALWARE
MD5: b5a8659b4a8e612dbab619a072e25a52
Packers detected:
PE_PATCH.PECOMPACT, PE_PATCH.UPOLYX, PE_PATCH.UPX, UPX
Bit9 reports: File not found
Scan taken on 17 Jun 2007 20:08:29 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found Trojan.Vundo.DMA, Trojan.Downloader.Agent.YEG
ClamAV Found nothing
Dr.Web Found Trojan.Virtumod, Trojan.DownLoader.24028
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found not-a-virus:AdWare.Win32.Virtumonde.jp (4, 1, 400), Trojan-Downloader.Win32.Agent.brf
Fortinet Found W32/Agent.BRF!tr.dldr
Kaspersky Anti-Virus Found not-a-virus:AdWare.Win32.Virtumonde.jp, Trojan-Downloader.Win32.Agent.brf
NOD32 Found Win32/Adware.Virtumonde application, Win32/TrojanDownloader.Agent.NOJ
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Rising Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found AdWare.Win32.Virtumonde.if, Trojan-Downloader.Win32.Agent.brf
-
And here are the final results of Virustotal of the mon.exe file:
Complete scanning result of "mon.exe", received in VirusTotal at 06.17.2007, 22:04:04 (CET).
Antivirus Version Update Result
AhnLab-V3 2007.6.16.0 06.15.2007 no virus found
AntiVir 7.4.0.32 06.16.2007 no virus found
Authentium 4.93.8 06.16.2007 no virus found
Avast 4.7.997.0 06.16.2007 no virus found
AVG 7.5.0.467 06.17.2007 no virus found
BitDefender 7.2 06.17.2007 Trojan.Vundo.DMA
CAT-QuickHeal 9.00 06.16.2007 no virus found
ClamAV devel-20070416 06.17.2007 no virus found
DrWeb 4.33 06.17.2007 Trojan.Virtumod
eSafe 7.0.15.0 06.17.2007 Win32.Agent.brf
eTrust-Vet 30.7.3721 06.15.2007 no virus found
Ewido 4.0 06.17.2007 no virus found
FileAdvisor 1 06.17.2007 no virus found
Fortinet 2.85.0.0 06.17.2007 W32/Agent.BRF!tr.dldr
F-Prot 4.3.2.48 06.15.2007 no virus found
F-Secure 6.70.13030.0 06.15.2007 Trojan-Downloader.Win32.Agent.brf
Ikarus T3.1.1.8 06.17.2007 no virus found
Kaspersky 4.0.2.24 06.17.2007 not-a-virus:AdWare.Win32.Virtumonde.jp
McAfee 5054 06.15.2007 no virus found
Microsoft 1.2607 06.17.2007 no virus found
NOD32v2 2334 06.15.2007 Win32/Adware.Virtumonde
Norman 5.80.02 06.15.2007 W32/Virtumonde.GWT.dropper
Panda 9.0.0.4 06.17.2007 Spyware/Virtumonde
Prevx1 V2 06.17.2007 no virus found
Sophos 4.18.0 06.12.2007 no virus found
Sunbelt 2.2.907.0 06.16.2007 no virus found
Symantec 10 06.17.2007 no virus found
TheHacker 6.1.6.133 06.15.2007 no virus found
VBA32 3.12.0.2 06.15.2007 AdWare.Win32.Virtumonde.if
VirusBuster 4.3.23:9 06.17.2007 no virus found
Webwasher-Gateway 6.0.1 06.17.2007 no virus found
Aditional Information
File size: 70940 bytes
MD5: b5a8659b4a8e612dbab619a072e25a52
SHA1: 9a191b21764912aab66a2c8e9ee39e0486b01384
packers: BINARYRES
norman sandbox: [ General information ]
* **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: [email protected] - REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**.
* Creating several executable files on hard-drive.
* File length: 70940 bytes.
[ Changes to filesystem ]
* Creates directory C:\WINDOWS\TEMP.
* Creates file C:\WINDOWS\TEMP\nsx8999.tmp.
* Deletes file C:\WINDOWS\TEMP\nsx8999.tmp.
* Creates file C:\WINDOWS\TEMP\first.exe.
* Creates file C:\WINDOWS\TEMP\second.exe.
* Creates file C:\WINDOWS\TEMP\nsz0099.tmp.
* Deletes file C:\WINDOWS\TEMP\nsz0099.tmp.
* Creates directory C:\WINDOWS.
* Creates directory C:\WINDOWS\TEMP\nsz0099.tmp.
* Creates file C:\WINDOWS\TEMP\nsz0099.tmp\nsExec.dll.
* Creates file C:\WINDOWS\TEMP\nsz0099.tmp\ns0889.tmp.
* Deletes file C:\WINDOWS\TEMP\nsz0099.tmp\ns0889.tmp.
* Deletes file C:\WINDOWS\TEMP\nsz0099.tmp\NSEXEC.DLL.
* Deletes directory C:\WINDOWS\TEMP\nsz0099.tmp.
[ Signature Scanning ]
* C:\WINDOWS\TEMP\first.exe (38925 bytes) : W32/Virtumonde.GWT.
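A multi-engine table like the one above is easier to weigh once it is parsed: how many engines flagged the file, how many of them agree on a family despite different naming (Vundo, Virtumonde and Virtumod are vendor names for the same adware/trojan family, and the Agent.brf downloader is the second component several engines report), and which engines were scanning with signatures older than the scan itself, so that their "no virus found" carries less weight. The following is an added example written for this page; it is not code from the post or from VirusTotal. It assumes the four-column layout the 2007 report printed (engine, version, signature date in MM.DD.YYYY, result) and uses an excerpt of the table above as constructed sample input.

```python
import re
from collections import Counter
from datetime import datetime

# Excerpt of the VirusTotal table posted above, used as constructed sample
# input. Columns: engine, version, signature date (MM.DD.YYYY), result.
VT_REPORT = """\
Antivirus Version Update Result
AhnLab-V3 2007.6.16.0 06.15.2007 no virus found
AntiVir 7.4.0.32 06.16.2007 no virus found
BitDefender 7.2 06.17.2007 Trojan.Vundo.DMA
DrWeb 4.33 06.17.2007 Trojan.Virtumod
eSafe 7.0.15.0 06.17.2007 Win32.Agent.brf
Fortinet 2.85.0.0 06.17.2007 W32/Agent.BRF!tr.dldr
F-Secure 6.70.13030.0 06.15.2007 Trojan-Downloader.Win32.Agent.brf
Kaspersky 4.0.2.24 06.17.2007 not-a-virus:AdWare.Win32.Virtumonde.jp
McAfee 5054 06.15.2007 no virus found
NOD32v2 2334 06.15.2007 Win32/Adware.Virtumonde
Norman 5.80.02 06.15.2007 W32/Virtumonde.GWT.dropper
Panda 9.0.0.4 06.17.2007 Spyware/Virtumonde
Sophos 4.18.0 06.12.2007 no virus found
Symantec 10 06.17.2007 no virus found
VBA32 3.12.0.2 06.15.2007 AdWare.Win32.Virtumonde.if
"""

# engine, version, date, then the rest of the line as the result text
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{2}\.\d{2}\.\d{4})\s+(.+)$")
CLEAN = "no virus found"

# Vendor aliases for the same family (assumption for this example, based on
# the names that appear in the table above).
FAMILY_ALIASES = {
    "vundo": ("vundo", "virtumonde", "virtumod"),
    "agent.brf": ("agent.brf",),
}


def parse_virustotal(text):
    """Return a list of (engine, version, date, verdict) tuples.
    verdict is None when the engine reported nothing; header and blank
    lines do not match the date column and are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        engine, version, date, result = m.groups()
        result = result.strip()
        verdict = None if result.lower() == CLEAN else result
        rows.append((engine, version, date, verdict))
    return rows


def detection_ratio(rows):
    """(engines that flagged the file, engines that scanned it)."""
    hits = sum(1 for r in rows if r[3] is not None)
    return hits, len(rows)


def family_consensus(rows):
    """Count, per known family, how many engines named it (case-insensitive)."""
    counts = Counter()
    for _, _, _, verdict in rows:
        if verdict is None:
            continue
        low = verdict.lower()
        for family, aliases in FAMILY_ALIASES.items():
            if any(alias in low for alias in aliases):
                counts[family] += 1
    return dict(counts)


def stale_signatures(rows, scan_date, max_age_days=2):
    """Engines whose signature date is more than max_age_days before the scan;
    a clean verdict from such an engine says little about a fresh sample."""
    scan = datetime.strptime(scan_date, "%m.%d.%Y")
    stale = []
    for engine, _, date, _ in rows:
        age = (scan - datetime.strptime(date, "%m.%d.%Y")).days
        if age > max_age_days:
            stale.append(engine)
    return stale


if __name__ == "__main__":
    rows = parse_virustotal(VT_REPORT)
    print("detections: %d/%d" % detection_ratio(rows))
    print("families:", family_consensus(rows))
    print("stale signatures:", stale_signatures(rows, "06.17.2007"))
```

On the excerpt this reports 10 of 15 engines flagging the file, seven of them naming the Vundo/Virtumonde family and three the Agent.brf downloader, with Sophos the one engine scanning on signatures more than two days old at the time of the scan.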
-
Step 2: the SmitFraudFix report:
SmitFraudFix v2.195
Scan done at 21:51:46,59, zo 17-06-2007
Run from C:\Documents and Settings\Arjan\Bureaublad\SmitfraudFix
OS: Microsoft Windows XP [versie 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode
»»»»»»»»»»»»»»»»»»»»»»»» Process
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\Program Files\SiteAdvisor\6066\SAService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeperhe\SpySweeper.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\VibrateGameDeviceDriver\RFPIcon.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\SiteAdvisor\6066\SiteAdv.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\WINDOWS\SYSTEM32\VirtualExpander\VirtualExpander.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Java\jre1.5.0_10\bin\jucheck.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\HPZipm12.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\WINDOWS\System32\cmd.exe
C:\WINDOWS\system32\CSCRIPT.EXE
»»»»»»»»»»»»»»»»»»»»»»»» hosts
»»»»»»»»»»»»»»»»»»»»»»»» C:\
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Arjan
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Arjan\Application Data
»»»»»»»»»»»»»»»»»»»»»»»» Start Menu
»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Arjan\FAVORI~1
»»»»»»»»»»»»»»»»»»»»»»»» Desktop
»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files
»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys
»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="Mijn huidige introductiepagina"
»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""
»»»»»»»»»»»»»»»»»»»»»»»» Rustock
»»»»»»»»»»»»»»»»»»»»»»»» DNS
Description: Intel® PRO/100 VE Network Connection - Pakketplanner-minipoort
DNS Server Search Order: 10.0.0.138
HKLM\SYSTEM\CCS\Services\Tcpip\..\{D8AEF199-7042-406F-BEE3-717B4834FDD8}: DhcpNameServer=10.0.0.138
HKLM\SYSTEM\CS1\Services\Tcpip\..\{D8AEF199-7042-406F-BEE3-717B4834FDD8}: DhcpNameServer=10.0.0.138
HKLM\SYSTEM\CS3\Services\Tcpip\..\{D8AEF199-7042-406F-BEE3-717B4834FDD8}: DhcpNameServer=10.0.0.138
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=10.0.0.138
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=10.0.0.138
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=10.0.0.138
»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection
»»»»»»»»»»»»»»»»»»»»»»»» End
Step 3: the uninstall list from HJT:
3D Interior Designer 2
Ad-Aware SE Personal
Adobe Acrobat 5.0
Adobe Flash Player 9 ActiveX
Adobe Photoshop Album 2.0 Starter Edition
Adobe Photoshop Elements 3.0
Adobe Reader 7.0.9 - Nederlands
Adobe Shockwave Player
Age of Empires III Trial
Age of Mythology
AH Fotoservice
Ahead InCD EasyWrite Reader
Ahead Nero Burning ROM
Ahead NeroMediaPlayer
Ahead NeroVision Express
Alcohol Toolbar
Apple Software Update
ArcSoft Panorama Maker 3.0
Asterix
Asterix Maffe Meerkamp
Barbie Cool Looks Designer
Battle Master 2.0
Beveiligingsupdate for Windows Media Player 10 (KB917734)
Beveiligingsupdate for Windows XP (KB904706)
Beveiligingsupdate voor Windows Media Player (KB911564)
Beveiligingsupdate voor Windows XP (KB890046)
Beveiligingsupdate voor Windows XP (KB893756)
Beveiligingsupdate voor Windows XP (KB896358)
Beveiligingsupdate voor Windows XP (KB896423)
Beveiligingsupdate voor Windows XP (KB896424)
Beveiligingsupdate voor Windows XP (KB896428)
Beveiligingsupdate voor Windows XP (KB899587)
Beveiligingsupdate voor Windows XP (KB899589)
Beveiligingsupdate voor Windows XP (KB899591)
Beveiligingsupdate voor Windows XP (KB900725)
Beveiligingsupdate voor Windows XP (KB901017)
Beveiligingsupdate voor Windows XP (KB901190)
Beveiligingsupdate voor Windows XP (KB901214)
Beveiligingsupdate voor Windows XP (KB902400)
Beveiligingsupdate voor Windows XP (KB905414)
Beveiligingsupdate voor Windows XP (KB905495)
Beveiligingsupdate voor Windows XP (KB905749)
Beveiligingsupdate voor Windows XP (KB908519)
Beveiligingsupdate voor Windows XP (KB911927)
Beveiligingsupdate voor Windows XP (KB912919)
Beveiligingsupdate voor Windows XP (KB913580)
Beveiligingsupdate voor Windows XP (KB914388)
Beveiligingsupdate voor Windows XP (KB914389)
Beveiligingsupdate voor Windows XP (KB917344)
Beveiligingsupdate voor Windows XP (KB917422)
Beveiligingsupdate voor Windows XP (KB917953)
Beveiligingsupdate voor Windows XP (KB919007)
Beveiligingsupdate voor Windows XP (KB920670)
Beveiligingsupdate voor Windows XP (KB920683)
Beveiligingsupdate voor Windows XP (KB920685)
Beveiligingsupdate voor Windows XP (KB921398)
Beveiligingsupdate voor Windows XP (KB921883)
Beveiligingsupdate voor Windows XP (KB922616)
Beveiligingsupdate voor Windows XP (KB922819)
Beveiligingsupdate voor Windows XP (KB923191)
Beveiligingsupdate voor Windows XP (KB923414)
Beveiligingsupdate voor Windows XP (KB924191)
Beveiligingsupdate voor Windows XP (KB924496)
Bugs Bunny - Reis door de Tijd
Bugs Bunny & Taz - Op avontuur door de tijd
Buzz Lightyear of Star Command
Castle Strike Demo
Celestia 1.3.2
cladDVD .NET v3.5.6
Classic PhoneTools
Conexant SmartHSFi V92 56K Speakerphone PCI Modem
Cool Edit 96
Core FTP LE 1.3c
CoverPrint 0.6.0 English
CoverPro
coverXP (remove only)
DAO
dBpowerAMP Music Converter
De Kolonisten van Catan
De Sims 2
De Sims™ 2 Familiepret – Accessoires
Declick 2000
Dell Picture Studio - Dell Image Expert
Dell Solution Center
Der teuflische Spiegel
Desktop Guitarist Shareware
Digimax Master
Digimax RAW Converter
Digital Line Detect
Dino Island
Disney’s SpellenSpektakel
DivX
DivX Player
DivX Web Player
DVD Decrypter (Remove Only)
DVD Shrink 3.2
DVDFab (remove only)
DVDSentry
Easy CD Creator 5 Basic
Easy Wonen 1
EasyPeg 1
Eigen Homepage LITE
Empire Earth
ET The Extra-Terrestrial Interplanetary Mission
Finale NotePad 2004
FLAC Installer 1.1.2a (remove only)
Flight Unlimited II
FLV Player
Gaim (alleen verwijderen)
GenoPro
Google Earth
Google Toolbar for Internet Explorer
GrabIt 1.6.2 Beta (build 940)
Hema Album Software Advanced
Henzo Imager
HijackThis 1.99.1
Hitman Pro
Hotfix for MDAC 2.80 (KB911562)
HP Image Zone 4.2
HP PSC & OfficeJet 4.2
HP Software Update
Image Analyzer
Indeo® Software
Intel® PRO Network Adapters and Drivers
Intel® PROSet
iTunes
J2SE Runtime Environment 5.0 Update 1
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 6
JannieBall
JBCD
KaM - The Peasants Rebellion
Knight Rider
KnightsAndMerchants
LEGO Chess
LEGO Creator Knights Kingdom
LiveReg (Symantec Corporation)
LiveUpdate 1.80 (Symantec Corporation)
Lp2Cd
Mah Jongg III
McAfee SecurityCenter
McAfee Wizard Installatie ongedaan maken
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Dutch Language Pack
Microsoft Visio Professional 2002 [English]
Microsoft Works 7.0
Modem Helper
Monsters en Co. Schrik Eiland
Moto Racer
Mozilla Firefox (2.0.0.4)
MP3's Utilities 1.6.38
MSXML4 Parser
Namo WebEditor 3.0
NetObjects Fusion 7.5
NetWaiting
Nikon FotoShare
Nikon View 6
Nokia 3200 USB-Handset Manager
NVIDIA Drivers
OpenOffice.org 2.0
PC Cleaner 2.0
Peter Jackson's King Kong - The Official Game of the Movie
Picasa 2
Pirates of the Caribbean
PowerDVD
PrintMaster 7.00
QuickPar 0.9
QuickTime
RealPlayer
Redcat Brutale Bankroof
RedCat Spookkasteel
Roll
RS2
Secret Weapons Over Normandy
Serif PhotoPlus 5.5
Serif WebPlus 6.0
Serif WebPlus 6.0 Wizard Pack
SimCity 2000® Special Edition
SimSafari
Skype 1.3
Sony Sound Forge 7.0
Sound Blaster Live!
SPIDI
Spy Sweeper
Spybot - Search & Destroy 1.4
Spyware Doctor 5.0
SpywareBlaster v3.5.1
Stronghold
Syberia 2 Demo
The General 3.4
The Sims Abracadabra
TopStyle Lite (Version 2)
TorrenTopia Client
Total Commander (Remove or Repair)
Trillian
Update voor Windows XP (KB835409)
Update voor Windows XP (KB898461)
Update voor Windows XP (KB908531)
Update voor Windows XP (KB910437)
Update voor Windows XP (KB911280)
Uru - Ages Beyond Myst
Uru - Ages Beyond Myst Demo
Vakantieboek
VibrateGameDeviceDriver
WAV to MP3 Encoder
Wave Repair 4.8.5
WavePurity
Winamp (Remove Only)
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Live Messenger
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB822603
Windows XP Hotfix - KB835732
Windows XP Hotfix - KB842773
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB892944
Windows XP Hotfix - KB911567
Windows XP Hotfix - KB912812
Windows XP Hotfix - KB918439
Windows XP Hotfix - KB918899
Windows XP Hotfix - KB925486
WinRAR
WinZip
Zoner Draw 3
-
And last step 4, a fresh scan of Analyse.exe (renamed from HiJackThis.exe):
Logfile of HijackThis v1.99.1
Scan saved at 22:24:38, on 17-6-2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\Program Files\SiteAdvisor\6066\SAService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeperhe\SpySweeper.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\VibrateGameDeviceDriver\RFPIcon.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\SiteAdvisor\6066\SiteAdv.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\WINDOWS\SYSTEM32\VirtualExpander\VirtualExpander.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Java\jre1.5.0_10\bin\jucheck.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\HJT\Analyse.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.planet.nl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/nl/nld/gen/default.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.euro.dell.com/countries/nl/nld/gen/default.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O2 - BHO: Alcohol Toolbar Helper - {0ACF00E0-C1E4-4F6B-B290-10AC7505C47A} - C:\Program Files\Alcohol Toolbar\v3.0.0.0\AudioGizmo_Toolbar.dll
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\program files\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll
O2 - BHO: McAfee AntiPhishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Alcohol Toolbar - {DC59A0D4-0ED6-4A73-B356-1B977F2A7725} - C:\Program Files\Alcohol Toolbar\v3.0.0.0\AudioGizmo_Toolbar.dll
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [RTBatteryMeter] "C:\Program Files\VibrateGameDeviceDriver\RFPIcon.exe"
O4 - HKLM\..\Run: [MPSExe] "c:\PROGRA~1\mcafee.com\mps\mscifapp.exe" /embedding
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] "C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe" /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SiteAdvisor] "C:\Program Files\SiteAdvisor\6066\SiteAdv.exe"
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - Startup: VirtualExpander.lnk = C:\WINDOWS\SYSTEM32\VirtualExpander\VirtualExpander.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Snelle start.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: Snelstart HP Image Zone.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: (no name) - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - (no file)
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra 'Tools' menuitem: McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: Bonjour-service (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: SiteAdvisor Service - McAfee, Inc. - C:\Program Files\SiteAdvisor\6066\SAService.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeperhe\SpySweeper.exe
---------------------------------------------------
PS: a lot of data, good luck analysing all this
-
Can you do the following please
Your Java Runtime Environment is out of date. Older versions have vulnerabilities that malware can use to infect your system.
- Download the latest version of Java Runtime Environment (JRE) 6u1 (http://java.sun.com/javase/downloads/index.jsp).
- Scroll down to where it says "Java Runtime Environment (JRE) 6u1, The Java SE Runtime Environment (JRE) allows end-users to run Java applications".
- Click the "Download" button to the right.
- Check the box that says: "Accept License Agreement".
- The page will refresh.
- Click on the link to download Windows Offline Installation, Multi-language and save it to your desktop (12.56 MB).
DON'T install it yet
Access your Add/remove programs
Click the Remove or Change/Remove button.
on the following
J2SE Runtime Environment 5.0 Update 1
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 6
Don't install the new version yet
Open notepad and copy/paste the text in the quotebox below into it:
Don't include the word 'quote' please
File::
C:\WINDOWS\SYSTEM32\mon.exe
C:\WINDOWS\SYSTEM32\doc.exe
C:\DOCUME~1\Arjan\mon.exe
C:\DOCUME~1\Arjan\doc.exe
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
@=-
Save this as ComboFix-Do.txt to your desktop
Then drag the ComboFix-Do.txt into ComboFix.exe as you see in the screenshot below.
(http://img.photobucket.com/albums/v666/sUBs/Combo-Do.gif)
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt
If no reboot was necessary, can you reboot anyways then go ahead and install the latest version of Sun Java
Post the new log from Combofix
NOTE: I see entries related to Norton's (Symantec's)
Do you still have anything from Norton's relying on the Live updater installed?
Can I also have you do the following
Download: CCleaner (freeware)
http://www.filehippo.com/download_ccleaner/
Run the installer, and uncheck the option to install Yahoo toolbar when and if you are prompted
Once installed, run CCleaner
Next: click Options click the Advanced button
Uncheck: "Only delete files in Windows temp folders older than 48 hrs."
NEXT: Click the Cleaner
Then click Run Cleaner (bottom right)
OK the prompt, let it finish
Once finished, can you also do the following? I want to check for other Norton products.
Click the TOOLS button, then click the Save to text file.. button on the right hand side
Save install.txt to your desktop, then copy>>paste its contents back here along with the new combofix.txt
-
Hi there,
I'll answer your questions in order:
1. New log from ComboFix:
2. Info about Norton's Live Updater
3. Install.txt from CCleaner
1. New log from Combofix:
ComboFix 07-06-17 - C:\Documents and Settings\Arjan\Bureaublad\ComboFix.exe
"Arjan" - 2007-06-18 18:52:41 - Service Pack 1 NTFS
Command switches used :: C:\Documents and Settings\Arjan\Bureaublad\ComboFix-Do.txt
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\DOCUME~1\Arjan\doc.exe
C:\DOCUME~1\Arjan\mon.exe
C:\WINDOWS\SYSTEM32\doc.exe
C:\WINDOWS\SYSTEM32\mon.exe
((((((((((((((((((((((((( Files Created from 2007-05-18 to 2007-06-18 )))))))))))))))))))))))))))))))
2007-06-17 21:51 3,222 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2007-06-17 19:32 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-15 16:35 <DIR> d-------- C:\HJT
2007-06-14 17:15 <DIR> d-------- C:\VundoFix Backups
2007-06-13 23:05 83,024 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\iksyssec.sys
2007-06-13 23:05 626,688 --a------ C:\WINDOWS\SYSTEM32\msvcr80.dll
2007-06-13 23:05 57,424 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\iksysflt.sys
2007-06-13 23:05 53,840 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\ikfilesec.sys
2007-06-13 23:05 39,376 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\ikfileflt.sys
2007-06-13 23:05 29,264 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\kcom.sys
2007-06-13 23:05 <DIR> d-------- C:\Program Files\Spyware Doctor
2007-06-13 23:04 22,080 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\sshrmd.sys
2007-06-13 23:04 21,056 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\sskbfd.sys
2007-06-13 23:04 20,544 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\SSFS0509.sys
2007-06-13 23:04 164 --a------ C:\install.dat
2007-06-13 23:04 144,960 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\ssidrv.sys
2007-06-13 23:04 <DIR> d-------- C:\Program Files\Webroot
2007-06-13 23:04 <DIR> d-------- C:\DOCUME~1\Arjan\APPLIC~1\Webroot
2007-06-13 23:04 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Webroot
2007-06-13 23:02 <DIR> d-------- C:\Program Files\Lavasoft
2007-06-13 22:59 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-06-11 21:06 <DIR> d-------- C:\WINDOWS\FLV Player
2007-06-11 21:06 <DIR> d-------- C:\Program Files\FLV Player
2007-06-11 20:53 <DIR> d-------- C:\Program Files\Super
2007-06-03 14:10 <DIR> dr-h----- C:\DOCUME~1\Arjan\Onlangs geopend
2007-05-31 23:59 <DIR> d-------- C:\Program Files\Bordermaker26
2007-05-28 10:14 <DIR> d-------- C:\Program Files\AH Fotoservice
2007-05-19 13:10 335 --a------ C:\WINDOWS\mozregistry.dat
2007-05-18 10:27 5,819,200 --a------ C:\Program Files\Firefox Setup 2.0.0.3.exe
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-06-18 10:50:12 69,380 ----a-w C:\WINDOWS\system32\PERFC013.DAT
2007-06-18 10:50:12 442,004 ----a-w C:\WINDOWS\system32\PERFH013.DAT
2007-06-17 19:19:22 -------- d-----w C:\DOCUME~1\Arjan\APPLIC~1\OpenOffice.org2
2007-06-17 19:09:31 -------- d-----w C:\Program Files\OpenOffice.org1.1.0
2007-06-17 14:10:23 -------- d-----w C:\DOCUME~1\Arjan\APPLIC~1\CoreFTP
2007-06-16 20:50:44 -------- d-----w C:\Program Files\Trillian
2007-06-16 04:22:50 -------- d-----w C:\DOCUME~1\Arjan\APPLIC~1\SiteAdvisor
2007-06-15 14:43:56 -------- d-----w C:\Program Files\Hitman Pro
2007-06-13 21:22:19 -------- d-----w C:\DOCUME~1\Arjan\APPLIC~1\Lavasoft
2007-06-13 14:58:40 -------- d-----w C:\Program Files\MSN Messenger
2007-06-03 20:33:34 -------- d-----w C:\DOCUME~1\Arjan\APPLIC~1\AdobeUM
2007-05-20 14:35:25 -------- d-----w C:\Program Files\Hema Album Software Advanced
2007-05-18 12:24:01 -------- d-----w C:\Program Files\Der teuflische Spiegel
2007-05-12 18:22:18 -------- d-----w C:\Program Files\GenoPro
2007-05-03 10:05:56 -------- d-----w C:\Program Files\GIMP-2.0
2007-04-26 18:25:20 -------- d-----w C:\Program Files\Common Files\ST System Shared
2007-04-26 18:25:19 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-04-26 18:25:19 -------- d-----w C:\Program Files\Samsung
2007-04-26 18:25:19 -------- d-----w C:\DOCUME~1\Arjan\APPLIC~1\Samsung
2007-04-26 16:42:50 -------- d-----w C:\Program Files\Nikon
2007-04-22 13:38:57 247,866 ----a-w C:\WINDOWS\Alcohol_Toolbar_Uninstaller_6656.exe
2007-04-22 13:38:57 -------- d-----w C:\Program Files\Alcohol Toolbar
2007-04-22 13:38:30 223,128 ----a-w C:\WINDOWS\system32\drivers\vaxscsi.sys
2007-04-21 20:57:20 -------- d-----w C:\Program Files\kaspersky
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{089FD14D-132B-48FC-8861-0048AE113215}=C:\Program Files\SiteAdvisor\6066\SiteAdv.dll [2007-03-30 17:41]
{0ACF00E0-C1E4-4F6B-B290-10AC7505C47A}=C:\Program Files\Alcohol Toolbar\v3.0.0.0\AudioGizmo_Toolbar.dll [2007-04-22 15:38]
{227B8AA8-DAF2-4892-BD1D-73F568BCB24E}=c:\program files\mcafee.com\mps\mcbrhlpr.dll [2005-10-28 10:30]
{3EC8255F-E043-4cae-8B3B-B191550C2A22}=c:\program files\mcafee.com\mps\popupkiller.dll [2005-10-28 10:30]
{41D68ED8-4CFF-4115-88A6-6EBB8AF19000}=c:\program files\mcafee\spamkiller\mcapfbho.dll [2005-11-09 15:08]
{53707962-6F74-2D53-2644-206D7942484F}=C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2005-05-31 01:04]
{7DB2D5A0-7241-4E79-B68D-6309F01C5231}=c:\program files\mcafee\virusscan\scriptcl.dll [2006-12-22 17:02]
{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar3.dll [2007-01-20 00:55]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"diagent"="C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" [2002-04-03 03:01]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 14:28]
"Acronis Scheduler2 Service"="C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe" [2004-07-25 12:52]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2004-02-12 13:38]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 15:18]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2005-09-03 19:21]
"RTBatteryMeter"="C:\Program Files\VibrateGameDeviceDriver\RFPIcon.exe" [2003-01-16 11:32]
"MPSExe"="c:\PROGRA~1\mcafee.com\mps\mscifapp.exe" [2006-03-30 14:31]
"MSKAGENTEXE"="C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe" [2005-11-09 15:08]
"MSKDetectorExe"="C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe" [2005-08-12 16:16]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-01 16:57]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6066\SiteAdv.exe" [2006-11-18 14:46]
"nwiz"="nwiz.exe" [2006-10-22 12:22 C:\WINDOWS\SYSTEM32\nwiz.exe]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2006-10-22 12:22]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2002-09-11 07:00]
"MSMSGS"="C:\Program Files\Messenger\MSMSGS.exe" [2004-11-15 17:18]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
@=
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdauxservice]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdcoreservice]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WebrootSpySweeperService]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Usnsvc usnsvc
Contents of the 'Scheduled Tasks' folder
2007-06-12 14:05:01 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
2005-03-06 19:11:59 C:\WINDOWS\tasks\Symantec NetDetect.job
**************************************************************************
catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-18 19:06:08
Windows 5.1.2600 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
**************************************************************************
Completion time: 2007-06-18 19:07:13
C:\ComboFix-quarantined-files.txt ... 2007-06-18 19:06
C:\ComboFix2.txt ... 2007-06-17 19:51
--- E O F ---
2. Info about Norton's Live Updater:
I found the following in "Configurations" (I am translating from Dutch Windows to English):
Symantec LiveUpdate
- General
- Interactive Mode
- FTP
- Use FTP settings for Internet options
- HTTP
- HTTP settings for internet options
- ISP
- Internet options in Configuration screen
3. Install.txt from CCleaner
1310Tour
1310Trb
1310_Help
1310
3D Interior Designer 2
ABC (remove only)
Ad-Aware SE Personal
Adobe Acrobat 5.0
Adobe Flash Player 9 ActiveX
Adobe Photoshop Album 2.0 Starter Edition
Adobe Photoshop Elements 3.0
Adobe Reader 7.0.9 - Nederlands
Adobe Shockwave Player
Adobe® Photoshop® Elements 3.0
Age of Empires III Trial
Age of Mythology
AH Fotoservice
Ahead InCD EasyWrite Reader
Ahead Nero Burning ROM
Ahead NeroMediaPlayer
Ahead NeroVision Express
AiOSoftware
AiO_Scan
Alcohol Toolbar
Apple Software Update
ArcSoft Panorama Maker 3.0
Asterix Maffe Meerkamp
Asterix
AutoUpdate
Barbie Cool Looks Designer
Battle Master 2.0
Beveiligingsupdate for Windows Media Player 10 (KB917734)
Beveiligingsupdate for Windows XP (KB904706)
Beveiligingsupdate voor Windows Media Player (KB911564)
Beveiligingsupdate voor Windows XP (KB890046)
Beveiligingsupdate voor Windows XP (KB893756)
Beveiligingsupdate voor Windows XP (KB896358)
Beveiligingsupdate voor Windows XP (KB896423)
Beveiligingsupdate voor Windows XP (KB896424)
Beveiligingsupdate voor Windows XP (KB896428)
Beveiligingsupdate voor Windows XP (KB899587)
Beveiligingsupdate voor Windows XP (KB899589)
Beveiligingsupdate voor Windows XP (KB899591)
Beveiligingsupdate voor Windows XP (KB900725)
Beveiligingsupdate voor Windows XP (KB901017)
Beveiligingsupdate voor Windows XP (KB901190)
Beveiligingsupdate voor Windows XP (KB901214)
Beveiligingsupdate voor Windows XP (KB902400)
Beveiligingsupdate voor Windows XP (KB905414)
Beveiligingsupdate voor Windows XP (KB905495)
Beveiligingsupdate voor Windows XP (KB905749)
Beveiligingsupdate voor Windows XP (KB908519)
Beveiligingsupdate voor Windows XP (KB911927)
Beveiligingsupdate voor Windows XP (KB912919)
Beveiligingsupdate voor Windows XP (KB913580)
Beveiligingsupdate voor Windows XP (KB914388)
Beveiligingsupdate voor Windows XP (KB914389)
Beveiligingsupdate voor Windows XP (KB914798)
Beveiligingsupdate voor Windows XP (KB917344)
Beveiligingsupdate voor Windows XP (KB917422)
Beveiligingsupdate voor Windows XP (KB917953)
Beveiligingsupdate voor Windows XP (KB919007)
Beveiligingsupdate voor Windows XP (KB920670)
Beveiligingsupdate voor Windows XP (KB920683)
Beveiligingsupdate voor Windows XP (KB920685)
Beveiligingsupdate voor Windows XP (KB921398)
Beveiligingsupdate voor Windows XP (KB921883)
Beveiligingsupdate voor Windows XP (KB922616)
Beveiligingsupdate voor Windows XP (KB922819)
Beveiligingsupdate voor Windows XP (KB923191)
Beveiligingsupdate voor Windows XP (KB923414)
Beveiligingsupdate voor Windows XP (KB924191)
Beveiligingsupdate voor Windows XP (KB924496)
BufferChm
Bugs Bunny & Taz - Op avontuur door de tijd
Bugs Bunny - Reis door de Tijd
Buzz Lightyear of Star Command
Castle Strike Demo
CCleaner (remove only)
Celestia 1.3.2
cladDVD .NET v3.5.6
Classic PhoneTools
Conexant SmartHSFi V92 56K Speakerphone PCI Modem
Cool Edit 96
Copy
Core FTP LE 1.3c
CoverPrint 0.6.0 English
CoverPro
coverXP (remove only)
CreativeProjectsTemplates
CreativeProjects
CueTour
DAO
dBpowerAMP Music Converter
De Kolonisten van Catan
De Sims 2
De Sims™ 2 Familiepret – Accessoires
Declick 2000
Dell Picture Studio - Dell Image Expert
Dell Solution Center
Der teuflische Spiegel
Desktop Guitarist Shareware
Destinations
Digimax Master
Digimax RAW Converter
Digital Line Detect
Dino Island
Director
Disney’s SpellenSpektakel
DivX Player
DivX Web Player
DivX
DocProc
DocumentViewer
DVD Decrypter (Remove Only)
DVD Shrink 3.2
DVDFab (remove only)
DVDSentry
Easy CD Creator 5 Basic
Easy Wonen 1
EasyPeg 1
Eigen Homepage LITE
Empire Earth
ET The Extra-Terrestrial Interplanetary Mission
Fax
Finale NotePad 2004
FLAC Installer 1.1.2a (remove only)
Flight Unlimited II
FLV Player
Gaim (alleen verwijderen)
GenoPro
Google Earth
Google Toolbar for Internet Explorer
GrabIt 1.6.2 Beta (build 940)
Help and Support Customization
Hema Album Software Advanced
Henzo Imager
HijackThis 1.99.1
Hitman Pro
Hotfix for MDAC 2.80 (KB911562)
HP Diagnostic Assistant
HP Image Zone 4.2
HP PSC & OfficeJet 4.2
HP Software Update
HPSystemDiagnostics
Image Analyzer
Indeo® Software
InstantShare
Intel® PRO Network Adapters and Drivers
Intel® PROSet
iTunes
JannieBall
JBCD
KaM - The Peasants Rebellion
Knight Rider
KnightsAndMerchants
LEGO Chess
LEGO Creator Knights Kingdom
LiveReg (Symantec Corporation)
LiveUpdate 1.80 (Symantec Corporation)
Lp2Cd
Mah Jongg III
McAfee SecurityCenter
McAfee Wizard Installatie ongedaan maken
Microsoft .NET Framework 1.1 Dutch Language Pack
Microsoft .NET Framework 1.1
Microsoft Visio Professional 2002 [English]
Microsoft Works 7.0
Modem Helper
Monsters en Co. Schrik Eiland
Moto Racer
Mozilla Firefox (2.0.0.4)
MP3's Utilities 1.6.38
MSXML4 Parser
MUSICMATCH® Jukebox
Namo WebEditor 3.0
NetObjects Fusion 7.5
NetWaiting
Nikon FotoShare
Nikon View 6
Nokia 3200 USB-Handset Manager
NVIDIA Drivers
OpenOffice.org 1.1.0
OpenOffice.org 2.0
Overland
PC Cleaner 2.0
Peter Jackson's King Kong - The Official Game of the Movie
PhotoGallery
Picasa 2
Pirates of the Caribbean
PowerDVD
PrintMaster 7.00
PrintScreen
ProductContext
QFolder
QuickPar 0.9
QuickProjects
QuickTime
Readme
RealPlayer
Redcat Brutale Bankroof
RedCat Spookkasteel
Rol
RS2
Scan
Secret Weapons Over Normandy
Serif PhotoPlus 5.5
Serif WebPlus 6.0 Wizard Pack
Serif WebPlus 6.0
SimCity 2000® Special Edition
SimSafari
SkinsHP1
Skype 1.3
Sony Sound Forge 7.0
Sound Blaster Live!
SPIDI
Spy Sweeper
Spybot - Search & Destroy 1.4
Spyware Doctor 5.0
SpywareBlaster v3.5.1
Stronghold
Syberia 2 Demo
The General 3.4
The Sims Abracadabra
TopStyle Lite (Version 2)
TorrenTopia Client
Total Commander (Remove or Repair)
TrayApp
Trillian
Unload
Update voor Windows XP (KB835409)
Update voor Windows XP (KB898461)
Update voor Windows XP (KB908531)
Update voor Windows XP (KB910437)
Update voor Windows XP (KB911280)
Uru - Ages Beyond Myst Demo
Uru - Ages Beyond Myst
Vakantieboek
VibrateGameDeviceDriver
WAV to MP3 Encoder
Wave Repair 4.8.5
WavePurity
WebFldrs XP
WebReg
Winamp (Remove Only)
Windows Installer 3.1 (KB893803)
Windows Live Messenger
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB822603
Windows XP Hotfix - KB824146
Windows XP Hotfix - KB835732
Windows XP Hotfix - KB842773
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB892944
Windows XP Hotfix - KB911567
Windows XP Hotfix - KB912812
Windows XP Hotfix - KB918439
Windows XP Hotfix - KB918899
Windows XP Hotfix - KB925486
WinRAR
WinZip
Zoner Draw 3
-
It appears that LiveReg and LiveUpdate are leftovers from Symantec's software you don't have installed anymore
I was just checking for another Norton entry from the install list, but it wasn't found
You can access your add/remove programs and remove
LiveReg (Symantec Corporation)
LiveUpdate 1.80 (Symantec Corporation)
Reboot the computer after both are removed; don't worry about prompts if it mentions its software is still installed
Back in Windows
Can you go to START>>All programs>>Accessories>>System tools>>Scheduled tasks
Does Symantec NetDetect still remain?
Also, can you do the following please
Open Notepad (START>>>RUN>>>type in notepad)
Hit OK
Copy the contents of the CODE box, not including the word "code"
Paste it to the empty Notepad file
In Notepad click FILE>>SAVE AS
Change the Save as Type to All Files.
Name the file as Export.bat
Save this file on the desktop
regedit /e Export.txt "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer"
Double click on Export.bat>>a text file should appear on desktop called Export.txt
Can you copy>>paste back here the contents please
How is everything running now?
-
Hi questolo,
I removed LiveReg and LiveUpdate 1.80 and checked in Scheduled Tasks. There was no Symantec NetDetect anymore.
Then I typed in your CODE in Notepad and followed your instructions. The result was an enormous text file with huge amounts of hexadecimal codes, etc.
At that point I doubted whether I had followed your instructions correctly, so I decided to do it again, but this time copying your text into Notepad. I followed your instructions again, with the result being this text file:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=hex:5f,00,00,00
"NoCDBurning"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
Is this what you expected? This result, compared with the extreme first result, makes me unsure at this point whether I did something wrong.
I still have the first export.txt file. If you want it I can maybe mail it to you, as it is about 89 MB large!! So posting it here is maybe not wise?
To your question how everything is running, I cannot give you a good answer, as we did NOT use Windows Live Messenger since I contacted you. And I am not sure I want to use it again until this problem has been solved. The two files mon.exe and doc.exe are still on my desktop. Do you want me to remove them, try Windows Live Messenger again and see what happens?
PS, couldn't resist, so I tried WLM and .... it's still there. I removed mon and doc and started WLM, and McAfee reported it removed Downloader-BCF. After WLM had started up the mouse was blocked while WLM was busy trying to log in (or something). So I had to stop the computer manually (press the start button for 8 secs)
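The Export.bat step above produces a "Windows Registry Editor Version 5.00" file, and the reply compares two such exports by eye. The script below is an added example for this thread (not the helper's code, and not part of ComboFix or HijackThis): it parses that export format, decodes the hex: and dword: data, and checks whether the policies\explorer key still carries a default value, which is what the earlier ComboFix script's "@=-" line was meant to delete. The first sample is the export posted above; the second is a constructed "before the fix" variant that mirrors the "@=" entry the ComboFix log had shown under that key. The function and constant names are my own.

```python
"""Parse a regedit /e export and check the policies\\explorer key.

Added example for this thread, not code from the original posts.
"""
import re

# Key the thread's ComboFix script targeted with "@=-" (delete the default value).
POLICY_KEY = r"HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer"

# Export posted in the thread after the fix.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=hex:5f,00,00,00
"NoCDBurning"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
'''

# Constructed "before the fix" variant: the (empty) default value is still present,
# as the ComboFix log's "@=" line under this key showed.
CONSTRUCTED_BEFORE_FIX = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
@=""
"NoDriveTypeAutoRun"=hex:5f,00,00,00
'''


def _unescape(s):
    # regedit escapes backslash and double quote inside quoted strings
    return re.sub(r'\\(["\\])', r'\1', s)


def _decode_data(data):
    """Decode the right-hand side of a name=data line into (kind, value)."""
    if data == '-':
        return ('delete', None)                      # "name"=- removes the value
    if data.startswith('"') and data.endswith('"'):
        return ('sz', _unescape(data[1:-1]))         # REG_SZ
    if data.startswith('dword:'):
        return ('dword', int(data[6:], 16))          # REG_DWORD, 8 hex digits
    m = re.match(r'hex(?:\((\d+)\))?:(.*)$', data)   # hex: is REG_BINARY, hex(N): other types
    if m:
        kind = 'hex' if m.group(1) is None else 'hex(%s)' % m.group(1)
        raw = m.group(2).replace(' ', '')
        return (kind, bytes(int(h, 16) for h in raw.split(',') if h))
    raise ValueError('unrecognised registry data: %r' % data)


def parse_reg_export(text):
    """Return {key_path: {value_name: (kind, value)}}; '@' names a key's default value."""
    keys = {}
    current = None
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line.startswith('Windows Registry Editor') or line.startswith(';'):
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys[current] = {}
            continue
        if current is None:
            continue
        # long hex data wraps onto continuation lines that end in a backslash
        while line.endswith('\\') and i < len(lines):
            line = line[:-1] + lines[i].strip()
            i += 1
        if line.startswith('@='):
            name, data = '@', line[2:]
        else:
            m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
            if not m:
                raise ValueError('unrecognised registry line: %r' % line)
            name, data = _unescape(m.group(1)), m.group(2)
        keys[current][name] = _decode_data(data)
    return keys


def values_under(keys, key_path):
    """Case-insensitive lookup, since registry key names are case-insensitive."""
    for k, v in keys.items():
        if k.lower() == key_path.lower():
            return v
    return {}


def default_value_present(keys, key_path=POLICY_KEY):
    """True if the key still has a default ("@") value set."""
    return '@' in values_under(keys, key_path)


def le_int(data):
    """Interpret REG_BINARY bytes as a little-endian unsigned integer."""
    return int.from_bytes(data, 'little')


if __name__ == '__main__':
    for label, text in (('posted export', SAMPLE_EXPORT),
                        ('constructed pre-fix export', CONSTRUCTED_BEFORE_FIX)):
        keys = parse_reg_export(text)
        print('%s: default value under policies\\explorer present: %s'
              % (label, default_value_present(keys)))
        for name, (kind, value) in values_under(keys, POLICY_KEY).items():
            print('  %-20s %-6s %r' % (name, kind, value))
```

When reading a real Export.txt from disk, open it with encoding='utf-16', because regedit /e writes version 5.00 exports as UTF-16 with a byte-order mark; the hex: data for NoDriveTypeAutoRun decodes to 0x5f here, and le_int() gives the integer form for comparison against a known-good machine.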
-
Export.txt looks ok, you can delete it and Export.bat
Yes, go ahead and delete mon.exe and doc.exe from desktop
Let's see how things are with Live Messenger
-
Our messages 'crossed':
PS, couldn't resist, so I tried WLM and .... it's still there. I removed mon and doc and started WLM, and McAfee reported it removed Downloader-BCF. After WLM had started up the mouse was blocked while WLM was busy trying to log in (or something). So I had to stop the computer manually (press the start button for 8 secs)
-
Can you run ComboFix again and post its new log
-
Took a while, but here it is:
ComboFix 07-06-17 - C:\Documents and Settings\Arjan\Bureaublad\ComboFix.exe
"Arjan" - 2007-06-18 23:52:13 - Service Pack 1 NTFS
Command switches used :: C:\Documents and Settings\Arjan\Bureaublad\ComboFix-Do.txt
((((((((((((((((((((((((( Files Created from 2007-05-18 to 2007-06-18 )))))))))))))))))))))))))))))))
2007-06-18 19:18 <DIR> dr-h----- C:\DOCUME~1\Arjan\Onlangs geopend
2007-06-18 19:16 <DIR> d-------- C:\Program Files\CCleaner
2007-06-17 21:51 3,222 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2007-06-17 19:32 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-15 16:35 <DIR> d-------- C:\HJT
2007-06-14 17:15 <DIR> d-------- C:\VundoFix Backups
2007-06-13 23:05 83,024 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\iksyssec.sys
2007-06-13 23:05 626,688 --a------ C:\WINDOWS\SYSTEM32\msvcr80.dll
2007-06-13 23:05 57,424 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\iksysflt.sys
2007-06-13 23:05 53,840 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\ikfilesec.sys
2007-06-13 23:05 39,376 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\ikfileflt.sys
2007-06-13 23:05 29,264 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\kcom.sys
2007-06-13 23:05 <DIR> d-------- C:\Program Files\Spyware Doctor
2007-06-13 23:04 22,080 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\sshrmd.sys
2007-06-13 23:04 21,056 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\sskbfd.sys
2007-06-13 23:04 20,544 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\SSFS0509.sys
2007-06-13 23:04 164 --a------ C:\install.dat
2007-06-13 23:04 144,960 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\ssidrv.sys
2007-06-13 23:04 <DIR> d-------- C:\Program Files\Webroot
2007-06-13 23:04 <DIR> d-------- C:\DOCUME~1\Arjan\APPLIC~1\Webroot
2007-06-13 23:04 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Webroot
2007-06-13 23:02 <DIR> d-------- C:\Program Files\Lavasoft
2007-06-13 22:59 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-06-11 21:06 <DIR> d-------- C:\WINDOWS\FLV Player
2007-06-11 21:06 <DIR> d-------- C:\Program Files\FLV Player
2007-06-11 20:53 <DIR> d-------- C:\Program Files\Super
2007-05-31 23:59 <DIR> d-------- C:\Program Files\Bordermaker26
2007-05-28 10:14 <DIR> d-------- C:\Program Files\AH Fotoservice
2007-05-19 13:10 335 --a------ C:\WINDOWS\mozregistry.dat
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-06-18 19:38:39 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-06-18 10:50:12 69,380 ----a-w C:\WINDOWS\system32\PERFC013.DAT
2007-06-18 10:50:12 442,004 ----a-w C:\WINDOWS\system32\PERFH013.DAT
2007-06-17 19:19:22 -------- d-----w C:\DOCUME~1\Arjan\APPLIC~1\OpenOffice.org2
2007-06-17 19:09:31 -------- d-----w C:\Program Files\OpenOffice.org1.1.0
2007-06-17 14:10:23 -------- d-----w C:\DOCUME~1\Arjan\APPLIC~1\CoreFTP
2007-06-16 20:50:44 -------- d-----w C:\Program Files\Trillian
2007-06-16 04:22:50 -------- d-----w C:\DOCUME~1\Arjan\APPLIC~1\SiteAdvisor
2007-06-15 14:43:56 -------- d-----w C:\Program Files\Hitman Pro
2007-06-13 21:22:19 -------- d-----w C:\DOCUME~1\Arjan\APPLIC~1\Lavasoft
2007-06-13 14:58:40 -------- d-----w C:\Program Files\MSN Messenger
2007-06-03 20:33:34 -------- d-----w C:\DOCUME~1\Arjan\APPLIC~1\AdobeUM
2007-05-20 14:35:25 -------- d-----w C:\Program Files\Hema Album Software Advanced
2007-05-18 12:24:01 -------- d-----w C:\Program Files\Der teuflische Spiegel
2007-05-18 08:28:27 5,819,200 ----a-w C:\Program Files\Firefox Setup 2.0.0.3.exe
2007-05-12 18:22:18 -------- d-----w C:\Program Files\GenoPro
2007-05-03 10:05:56 -------- d-----w C:\Program Files\GIMP-2.0
2007-04-26 18:25:20 -------- d-----w C:\Program Files\Common Files\ST System Shared
2007-04-26 18:25:19 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-04-26 18:25:19 -------- d-----w C:\Program Files\Samsung
2007-04-26 18:25:19 -------- d-----w C:\DOCUME~1\Arjan\APPLIC~1\Samsung
2007-04-26 16:42:50 -------- d-----w C:\Program Files\Nikon
2007-04-22 13:38:57 247,866 ----a-w C:\WINDOWS\Alcohol_Toolbar_Uninstaller_6656.exe
2007-04-22 13:38:57 -------- d-----w C:\Program Files\Alcohol Toolbar
2007-04-22 13:38:30 223,128 ----a-w C:\WINDOWS\system32\drivers\vaxscsi.sys
2007-04-21 20:57:20 -------- d-----w C:\Program Files\kaspersky
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{089FD14D-132B-48FC-8861-0048AE113215}=C:\Program Files\SiteAdvisor\6066\SiteAdv.dll [2007-03-30 17:41]
{0ACF00E0-C1E4-4F6B-B290-10AC7505C47A}=C:\Program Files\Alcohol Toolbar\v3.0.0.0\AudioGizmo_Toolbar.dll [2007-04-22 15:38]
{227B8AA8-DAF2-4892-BD1D-73F568BCB24E}=c:\program files\mcafee.com\mps\mcbrhlpr.dll [2005-10-28 10:30]
{3EC8255F-E043-4cae-8B3B-B191550C2A22}=c:\program files\mcafee.com\mps\popupkiller.dll [2005-10-28 10:30]
{41D68ED8-4CFF-4115-88A6-6EBB8AF19000}=c:\program files\mcafee\spamkiller\mcapfbho.dll [2005-11-09 15:08]
{53707962-6F74-2D53-2644-206D7942484F}=C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2005-05-31 01:04]
{7DB2D5A0-7241-4E79-B68D-6309F01C5231}=c:\program files\mcafee\virusscan\scriptcl.dll [2006-12-22 17:02]
{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar3.dll [2007-01-20 00:55]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"diagent"="C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" [2002-04-03 03:01]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 14:28]
"Acronis Scheduler2 Service"="C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe" [2004-07-25 12:52]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2004-02-12 13:38]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 15:18]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2005-09-03 19:21]
"RTBatteryMeter"="C:\Program Files\VibrateGameDeviceDriver\RFPIcon.exe" [2003-01-16 11:32]
"MPSExe"="c:\PROGRA~1\mcafee.com\mps\mscifapp.exe" [2006-03-30 14:31]
"MSKAGENTEXE"="C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe" [2005-11-09 15:08]
"MSKDetectorExe"="C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe" [2005-08-12 16:16]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-01 16:57]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6066\SiteAdv.exe" [2006-11-18 14:46]
"nwiz"="nwiz.exe" [2006-10-22 12:22 C:\WINDOWS\SYSTEM32\nwiz.exe]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2002-09-11 07:00]
"MSMSGS"="C:\Program Files\Messenger\MSMSGS.exe" [2004-11-15 17:18]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdauxservice]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdcoreservice]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WebrootSpySweeperService]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Usnsvc usnsvc
Contents of the 'Scheduled Tasks' folder
2007-06-12 14:05:01 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
**************************************************************************
catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-19 00:05:13
Windows 5.1.2600 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
**************************************************************************
Completion time: 2007-06-19 0:06:34
C:\ComboFix-quarantined-files.txt ... 2007-06-19 00:06
C:\ComboFix2.txt ... 2007-06-18 19:07
C:\ComboFix3.txt ... 2007-06-17 19:51
--- E O F ---
-
It's not showing now in the log
Just for a double check
Can you do the following
From my signature below,
Use INTERNET EXPLORER
Run an online virus scan at Kaspersky's
At the link click Run Online Scanner
Accept the prompt at the Welcome screen
You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
- The program will launch and then begin downloading the latest definition files:
- Once the files have been downloaded click on NEXT
- Now click on Scan Settings
- In the scan settings make sure that the following are selected:
***Scan using the following Anti-Virus database:
Extended (if available otherwise Standard)
***Scan Options:
Scan Archives
Scan Mail Bases
- Click OK
- Now under select a target to scan:
Select My Computer
- This program will start and scan your system.
- The scan will take a while so be patient and let it run.
- Once the scan is complete it will display if your system has been infected.
***Now click on the Save as Text button:
- Save the file to your desktop.
* Copy and paste that information in your next post
Could you also do the following
supply a hosts file list from HijackThis
Open HijackThis>>Open MISC TOOLS SECTION>>Open Hosts File Manager
Click the "Open in Notepad" button
copy>>paste the whole contents back here
-
Here's the report from Kaspersky:
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, June 19, 2007 10:43:00 AM
Operating System: Microsoft Windows XP Professional, Service Pack 1 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 19/06/2007
Kaspersky Anti-Virus database records: 348710
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\
C:\
D:\
Scan Statistics:
Total number of scanned objects: 162097
Number of viruses found: 4
Number of infected objects: 15 / 0
Number of suspicious objects: 0
Duration of the scan process: 02:29:22
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\McAfee\MNA\NAData Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MPF\data\log.edb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MPF\data\tempIpRules.xdb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\Events.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\{FB019C0B-337E-4CDE-9E21-C90B2961C753}.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\McUsers.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\SpamKiller\Logs\Filtering.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Data\TFR1.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Logs\OAS.Log Object is locked skipped
C:\Documents and Settings\Arjan\Application Data\SiteAdvisor\SiteAdv.csh Object is locked skipped
C:\Documents and Settings\Arjan\Bureaublad\mon.exe/data0003 Infected: Trojan-Downloader.Win32.Agent.brf skipped
C:\Documents and Settings\Arjan\Bureaublad\mon.exe NSIS: infected - 1 skipped
C:\Documents and Settings\Arjan\Bureaublad\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Arjan\Bureaublad\SmitfraudFix.zip/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Arjan\Bureaublad\SmitfraudFix.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Arjan\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Arjan\Local Settings\Application Data\ApplicationHistory\hpqgalry.exe.cf8dd223.ini.inuse Object is locked skipped
C:\Documents and Settings\Arjan\Local Settings\Application Data\HP\Digital Imaging\db\administrativeInfo.dbf Object is locked skipped
C:\Documents and Settings\Arjan\Local Settings\Application Data\HP\Digital Imaging\db\albumImagesTable.cdx Object is locked skipped
C:\Documents and Settings\Arjan\Local Settings\Application Data\HP\Digital Imaging\db\albumImagesTable.dbf Object is locked skipped
C:\Documents and Settings\Arjan\Local Settings\Application Data\HP\Digital Imaging\db\albumTable.cdx Object is locked skipped
C:\Documents and Settings\Arjan\Local Settings\Application Data\HP\Digital Imaging\db\albumTable.dbf Object is locked skipped
C:\Documents and Settings\Arjan\Local Settings\Application Data\HP\Digital Imaging\db\CB_Server_Errors.txt Object is locked skipped
C:\Documents and Settings\Arjan\Local Settings\Application Data\HP\Digital Imaging\db\EXIFTable.cdx Object is locked skipped
C:\Documents and Settings\Arjan\Local Settings\Application Data\HP\Digital Imaging\db\EXIFTable.dbf Object is locked skipped
C:\Documents and Settings\Arjan\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.cdx Object is locked skipped
C:\Documents and Settings\Arjan\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.dbf Object is locked skipped
C:\Documents and Settings\Arjan\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.fpt Object is locked skipped
C:\Documents and Settings\Arjan\Local Settings\Application Data\HP\Digital Imaging\db\keywordImagesTable.cdx Object is locked skipped
C:\Documents and Settings\Arjan\Local Settings\Application Data\HP\Digital Imaging\db\keywordImagesTable.dbf Object is locked skipped
C:\Documents and Settings\Arjan\Local Settings\Application Data\HP\Digital Imaging\db\keywordTable.cdx Object is locked skipped
C:\Documents and Settings\Arjan\Local Settings\Application Data\HP\Digital Imaging\db\keywordTable.dbf Object is locked skipped
C:\Documents and Settings\Arjan\Local Settings\Application Data\HP\Digital Imaging\db\managedFolderTable.dbf Object is locked skipped
C:\Documents and Settings\Arjan\Local Settings\Application Data\HP\Digital Imaging\db\pathnameTable.cdx Object is locked skipped
C:\Documents and Settings\Arjan\Local Settings\Application Data\HP\Digital Imaging\db\pathnameTable.dbf Object is locked skipped
C:\Documents and Settings\Arjan\Local Settings\Application Data\HP\Digital Imaging\db\ROFImagesTable.cdx Object is locked skipped
C:\Documents and Settings\Arjan\Local Settings\Application Data\HP\Digital Imaging\db\ROFImagesTable.dbf Object is locked skipped
C:\Documents and Settings\Arjan\Local Settings\Application Data\HP\Digital Imaging\db\ROFTable.cdx Object is locked skipped
C:\Documents and Settings\Arjan\Local Settings\Application Data\HP\Digital Imaging\db\ROFTable.dbf Object is locked skipped
C:\Documents and Settings\Arjan\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Arjan\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Arjan\Local Settings\Geschiedenis\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Arjan\Local Settings\Temp\hpodvd09.log Object is locked skipped
C:\Documents and Settings\Arjan\Local Settings\Temp\~DF92B7.tmp Object is locked skipped
C:\Documents and Settings\Arjan\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Arjan\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Arjan\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Data\settings.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Geschiedenis\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\HP\hpcoretech\hpcmerr.log Object is locked skipped
C:\Program Files\MSN Messenger\msnmsgr.exe Infected: Trojan-Downloader.Win32.Agent.btu skipped
C:\Program Files\Webroot\Spy Sweeperhe\Masters\masters.bak Object is locked skipped
C:\Program Files\Webroot\Spy Sweeperhe\Masters\Masters.const Object is locked skipped
C:\Program Files\Webroot\Spy Sweeperhe\Masters\masters.mst Object is locked skipped
C:\Program Files\Webroot\Spy Sweeperhe\Masters.base Object is locked skipped
C:\QooBox\Quarantine\C\DOCUME~1\Arjan\mon.exe.vir/data0002 Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\QooBox\Quarantine\C\DOCUME~1\Arjan\mon.exe.vir/data0003 Infected: Trojan-Downloader.Win32.Agent.brf skipped
C:\QooBox\Quarantine\C\DOCUME~1\Arjan\mon.exe.vir NSIS: infected - 2 skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\mon.exe.vir/data0002 Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\mon.exe.vir/data0003 Infected: Trojan-Downloader.Win32.Agent.brf skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\mon.exe.vir NSIS: infected - 2 skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\INDEX.DAT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Geschiedenis\History.IE5\INDEX.DAT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT Object is locked skipped
C:\WINDOWS\SYSTEM32\DRIVERS\sptd.sys Object is locked skipped
C:\WINDOWS\SYSTEM32\DRIVERS\sptd5437.sys Object is locked skipped
C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped
C:\WINDOWS\SYSTEM32\mclsphlr\mon.exe/data0002 Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\WINDOWS\SYSTEM32\mclsphlr\mon.exe/data0003 Infected: Trojan-Downloader.Win32.Agent.brf skipped
C:\WINDOWS\SYSTEM32\mclsphlr\mon.exe NSIS: infected - 2 skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\Temp\mcafee_LCGB9RufIeg9bfk Object is locked skipped
C:\WINDOWS\Temp\mcafee_ZHuMlfaJF0gwadD Object is locked skipped
C:\WINDOWS\Temp\mcmsc_5sXQyVnBBHDlqoL Object is locked skipped
C:\WINDOWS\Temp\mcmsc_GCRQxi7BQTcuUPs Object is locked skipped
C:\WINDOWS\Temp\mcmsc_l12c3ZErEdfLMJN Object is locked skipped
C:\WINDOWS\Temp\mcmsc_QpJZcle0YcOV1cQ Object is locked skipped
C:\WINDOWS\WIADEBUG.LOG Object is locked skipped
C:\WINDOWS\WIASERVC.LOG Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.
-
And the hosts report from HJT; the first lines are 'example lines' (in Dutch in the original):
# Copyright © 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each entry
# should be kept on an individual line. The IP address should be placed in the first
# column, followed by the corresponding host name. The IP address and the host name should
# be separated by at least one space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name, denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
127.0.0.1 localhost
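The helper asked for the hosts file because malware of this family often edits it, and the file header above spells out the format. The following parser is an added example, not part of the original thread or of HijackThis: it reads hosts lines in that format and flags the two patterns a helper would look for, a loopback address assigned to a name other than localhost and a redirect to a non-loopback address. The sample file and the two suspicious entries in it are constructed for the example.

```python
import ipaddress

# Constructed sample hosts file: the clean layout from the thread plus two
# added entries of the kind a hijacked hosts file would contain (assumption).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# 102.54.94.97 rhino.acme.com # source server
127.0.0.1 localhost
127.0.0.1   update.example-av.test   # silences an update site
10.1.2.3    www.bank.example
"""

LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}


def parse_hosts(text):
    """Yield (ip, hostname, comment) for each entry line.

    Format as described in the file header: IP in the first column, then at
    least one space, then one or more host names; '#' starts a comment.
    """
    for raw in text.splitlines():
        line, _, comment = raw.partition("#")
        parts = line.split()
        if len(parts) < 2:
            continue  # blank or comment-only line
        for name in parts[1:]:
            yield parts[0], name.lower(), comment.strip()


def suspicious_entries(text):
    """Return (ip, name, reason) for entries a helper should inspect."""
    findings = []
    for ip, name, _ in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((ip, name, "unparseable address"))
            continue
        if addr.is_loopback and name not in LOOPBACK_NAMES:
            # classic trick: point security/update sites at the local machine
            findings.append((ip, name, "loopback mapping for non-localhost name"))
        elif not addr.is_loopback:
            findings.append((ip, name, "non-loopback redirect"))
    return findings


if __name__ == "__main__":
    for finding in suspicious_entries(SAMPLE_HOSTS):
        print(*finding)
```

The hosts file posted in this thread contains only the localhost line, so it yields no findings.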
-
OK,
in your absence I hope to have solved my problem :D
I removed the files listed as 'infected' in the last Kaspersky report and then I uninstalled Live Messenger. Computer restarted. None of the files appeared again.
I ran another scan with McAfee and nothing was found. Again, computer restart.
Then I downloaded Live Messenger and installed it. Started it up and nothing strange happened. (Before, when infected, I could not log in as the startup screen seemed to be 'taken over'.)
So as far as I am concerned the problem seems to have disappeared.
If you have reason to 'correct me' having read the last Kaspersky log and hosts file report, please do so!!!
Best regards and many thanks so far.
rosedaniels
-
Very sorry for the delay, Rose.
Yes, I noticed these in your Kaspersky log:
C:\Documents and Settings\Arjan\Bureaublad\mon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe Infected <- may have been able to disinfect with another scanner, but your steps worked, good work
C:\Documents and Settings\Arjan\Bureaublad\SmitfraudFix\Reboot.exe Infected <- false alarm, but you can delete the whole SmitfraudFix folder
C:\QooBox\Quarantine\C\DOCUME~1\Arjan\mon.exe.vir <- this one was in a backup folder from ComboFix
You can delete the whole QooBox folder.
I hope things are still running well.
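The helper's reply above triages the Kaspersky report by hand: "Object is locked" lines are noise, hits inside the ComboFix quarantine (QooBox) are backup copies, the SmitfraudFix component is riskware flagged as a false alarm, and the rest are live detections. The script below is an added example, not code from the thread or from Kaspersky, that applies the same rules to lines in the report's "Infected Object Name / Virus Name / Last Action" layout. The sample lines are constructed from the page's own entries (paths shortened); the folder names treated as tool output are an assumption taken from this thread.

```python
import re

# Constructed sample in the layout of the Kaspersky Online Scanner report
# quoted earlier in the thread (detection names and folders as on the page).
SAMPLE_REPORT = """\
Infected Object Name / Virus Name / Last Action
C:\\WINDOWS\\SYSTEM32\\CONFIG\\SAM Object is locked skipped
C:\\Documents and Settings\\Arjan\\Bureaublad\\mon.exe/data0003 Infected: Trojan-Downloader.Win32.Agent.brf skipped
C:\\Documents and Settings\\Arjan\\Bureaublad\\mon.exe NSIS: infected - 1 skipped
C:\\Documents and Settings\\Arjan\\Bureaublad\\SmitfraudFix\\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\\Program Files\\MSN Messenger\\msnmsgr.exe Infected: Trojan-Downloader.Win32.Agent.btu skipped
C:\\QooBox\\Quarantine\\C\\WINDOWS\\SYSTEM32\\mon.exe.vir/data0002 Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
Scan process completed.
"""

# One "Infected:" line: path (may contain spaces and an /archive-member suffix),
# detection name, last action. Locked objects and "NSIS: infected - N"
# container summaries deliberately do not match.
INFECTED = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) (?P<action>\w+)$")

# Assumption from this thread: ComboFix keeps backups under \QooBox\Quarantine.
QUARANTINE_FOLDERS = ("\\QooBox\\Quarantine\\",)


def classify(line):
    """Return a triage category for one report line, or None for non-detections."""
    m = INFECTED.match(line)
    if not m:
        return None
    path, name = m.group("path"), m.group("name")
    if any(folder in path for folder in QUARANTINE_FOLDERS):
        return "quarantine-copy"      # backup made by a cleanup tool, delete the folder
    if name.startswith("not-a-virus:"):
        return "riskware"             # e.g. a removal tool's own reboot helper
    return "live"                     # needs removal or disinfection


def triage(report):
    """Group the report's detections as {category: [(path, detection), ...]}."""
    out = {}
    for line in report.splitlines():
        category = classify(line)
        if category is None:
            continue
        m = INFECTED.match(line)
        out.setdefault(category, []).append((m.group("path"), m.group("name")))
    return out


if __name__ == "__main__":
    for category, hits in triage(SAMPLE_REPORT).items():
        for path, name in hits:
            print(f"{category:16} {name:45} {path}")
```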
-
And sorry for not replying;
so just to let you know:
things are still running very well.
Thanks for the help again.
-
I'll lock this topic as things are running well and this topic is very outdated.