Messages - rosedaniels

1
Tech Clinic / Vundo infection?
« on: December 03, 2007, 11:21:32 AM »
[quote name='guestolo' post='346067' date='Jun 26 2007, 09:37 PM']Very sorry for the delay Rose
Yes, I noticed these in your kaspersky's log

C:\Documents and Settings\Arjan\Bureaublad\mon.exe

C:\Program Files\MSN Messenger\msnmsgr.exe Infected <- may have been able to disinfect with another scanner, but your steps worked, good work

C:\Documents and Settings\Arjan\Bureaublad\SmitfraudFix\Reboot.exe Infected <-false alarm, but you can delete the Whole Smitfraudfix folder

C:\QooBox\Quarantine\C\DOCUME~1\Arjan\mon.exe.vir <- this one was in a backup folder from Combofix
You can delete the whole QooBox folder

I hope things are still running good[/quote]


And sorry for not replying;

So just to let you know:
things are still running very good.

thanks for the help again

2
Tech Clinic / Vundo infection?
« on: June 21, 2007, 12:11:16 PM »
OK,
in your absence I hope to have solved my problem :D

I removed the files listed as 'infected' in the last Kaspersky report and then I uninstalled Live Messenger. Computer restarted. None of the files appeared again.
I ran another scan with McAfee and nothing was found. Again computer restart.
Then I downloaded Live Messenger and installed it. Started it up and nothing strange happens. (Before, when infected, I could not log in as the startup screen seemed to be 'taken over'.)

So as far as I am concerned the problem seems to have disappeared.

If you have reason to 'correct me' having read the last Kaspersky log and hosts file report, please do so!!!

best regards and many thanks so far.

rosedaniels

3
Tech Clinic / Vundo infection?
« on: June 19, 2007, 03:49:31 AM »
And the hosts report from HJT; the first lines are 'example lines in Dutch':

# Copyright © 1993-1999 Microsoft Corp.
#
# Dit is een voorbeeld HOSTS-bestand dat wordt gebruikt door Microsoft TCP/IP for Windows.
#
# Dit bestand bevat de toewijzingen van IP-adressen naar hostnamen. Elke vermelding
# moet op een afzonderlijke regel staan. Het IP-adres dient in de eerste kolom te worden
# geplaatst, gevolgd door de bijbehorende hostnaam. Het IP-adres en de hostnaam dienen
# gescheiden te zijn door ten minste één spatie.
#
# Daarnaast kunnen opmerkingen (zoals deze) worden toegevoegd op extra
# regels of gevolgd door de computernaam, voorafgegaan door een #.
#
# Bijvoorbeeld:
#
#      102.54.94.97     rhino.acme.com          # bronserver
#       38.25.63.10     x.acme.com              # x clienthost

127.0.0.1       localhost

4
Tech Clinic / Vundo infection?
« on: June 19, 2007, 03:47:05 AM »
Here's the report from Kaspersky:

-------------------------------------------------------------------------------
 KASPERSKY ONLINE SCANNER REPORT
 Tuesday, June 19, 2007 10:43:00 AM
 Operating System: Microsoft Windows XP Professional, Service Pack 1 (Build 2600)
 Kaspersky Online Scanner version: 5.0.83.0
 Kaspersky Anti-Virus database last update: 19/06/2007
 Kaspersky Anti-Virus database records: 348710
-------------------------------------------------------------------------------

Scan Settings:
   Scan using the following antivirus database: extended
   Scan Archives: true
   Scan Mail Bases: true

Scan Target - My Computer:
   A:\
   C:\
   D:\

Scan Statistics:
   Total number of scanned objects: 162097
   Number of viruses found: 4
   Number of infected objects: 15 / 0
   Number of suspicious objects: 0
   Duration of the scan process: 02:29:22

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\McAfee\MNA\NAData   Object is locked   skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MPF\data\log.edb   Object is locked   skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MPF\data\tempIpRules.xdb   Object is locked   skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\Events.dat   Object is locked   skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\{FB019C0B-337E-4CDE-9E21-C90B2961C753}.log   Object is locked   skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\McUsers.dat   Object is locked   skipped
C:\Documents and Settings\All Users\Application Data\McAfee\SpamKiller\Logs\Filtering.log   Object is locked   skipped
C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Data\TFR1.tmp   Object is locked   skipped
C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Logs\OAS.Log   Object is locked   skipped
C:\Documents and Settings\Arjan\Application Data\SiteAdvisor\SiteAdv.csh   Object is locked   skipped
C:\Documents and Settings\Arjan\Bureaublad\mon.exe/data0003   Infected: Trojan-Downloader.Win32.Agent.brf   skipped
C:\Documents and Settings\Arjan\Bureaublad\mon.exe   NSIS: infected - 1   skipped
C:\Documents and Settings\Arjan\Bureaublad\SmitfraudFix\Reboot.exe   Infected: not-a-virus:RiskTool.Win32.Reboot.f   skipped
C:\Documents and Settings\Arjan\Bureaublad\SmitfraudFix.zip/SmitfraudFix/Reboot.exe   Infected: not-a-virus:RiskTool.Win32.Reboot.f   skipped
C:\Documents and Settings\Arjan\Bureaublad\SmitfraudFix.zip   ZIP: infected - 1   skipped
C:\Documents and Settings\Arjan\Cookies\index.dat   Object is locked   skipped
C:\Documents and Settings\Arjan\Local Settings\Application Data\ApplicationHistory\hpqgalry.exe.cf8dd223.ini.inuse   Object is locked   skipped
C:\Documents and Settings\Arjan\Local Settings\Application Data\HP\Digital Imaging\db\administrativeInfo.dbf   Object is locked   skipped
C:\Documents and Settings\Arjan\Local Settings\Application Data\HP\Digital Imaging\db\albumImagesTable.cdx   Object is locked   skipped
C:\Documents and Settings\Arjan\Local Settings\Application Data\HP\Digital Imaging\db\albumImagesTable.dbf   Object is locked   skipped
C:\Documents and Settings\Arjan\Local Settings\Application Data\HP\Digital Imaging\db\albumTable.cdx   Object is locked   skipped
C:\Documents and Settings\Arjan\Local Settings\Application Data\HP\Digital Imaging\db\albumTable.dbf   Object is locked   skipped
C:\Documents and Settings\Arjan\Local Settings\Application Data\HP\Digital Imaging\db\CB_Server_Errors.txt   Object is locked   skipped
C:\Documents and Settings\Arjan\Local Settings\Application Data\HP\Digital Imaging\db\EXIFTable.cdx   Object is locked   skipped
C:\Documents and Settings\Arjan\Local Settings\Application Data\HP\Digital Imaging\db\EXIFTable.dbf   Object is locked   skipped
C:\Documents and Settings\Arjan\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.cdx   Object is locked   skipped
C:\Documents and Settings\Arjan\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.dbf   Object is locked   skipped
C:\Documents and Settings\Arjan\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.fpt   Object is locked   skipped
C:\Documents and Settings\Arjan\Local Settings\Application Data\HP\Digital Imaging\db\keywordImagesTable.cdx   Object is locked   skipped
C:\Documents and Settings\Arjan\Local Settings\Application Data\HP\Digital Imaging\db\keywordImagesTable.dbf   Object is locked   skipped
C:\Documents and Settings\Arjan\Local Settings\Application Data\HP\Digital Imaging\db\keywordTable.cdx   Object is locked   skipped
C:\Documents and Settings\Arjan\Local Settings\Application Data\HP\Digital Imaging\db\keywordTable.dbf   Object is locked   skipped
C:\Documents and Settings\Arjan\Local Settings\Application Data\HP\Digital Imaging\db\managedFolderTable.dbf   Object is locked   skipped
C:\Documents and Settings\Arjan\Local Settings\Application Data\HP\Digital Imaging\db\pathnameTable.cdx   Object is locked   skipped
C:\Documents and Settings\Arjan\Local Settings\Application Data\HP\Digital Imaging\db\pathnameTable.dbf   Object is locked   skipped
C:\Documents and Settings\Arjan\Local Settings\Application Data\HP\Digital Imaging\db\ROFImagesTable.cdx   Object is locked   skipped
C:\Documents and Settings\Arjan\Local Settings\Application Data\HP\Digital Imaging\db\ROFImagesTable.dbf   Object is locked   skipped
C:\Documents and Settings\Arjan\Local Settings\Application Data\HP\Digital Imaging\db\ROFTable.cdx   Object is locked   skipped
C:\Documents and Settings\Arjan\Local Settings\Application Data\HP\Digital Imaging\db\ROFTable.dbf   Object is locked   skipped
C:\Documents and Settings\Arjan\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat   Object is locked   skipped
C:\Documents and Settings\Arjan\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG   Object is locked   skipped
C:\Documents and Settings\Arjan\Local Settings\Geschiedenis\History.IE5\index.dat   Object is locked   skipped
C:\Documents and Settings\Arjan\Local Settings\Temp\hpodvd09.log   Object is locked   skipped
C:\Documents and Settings\Arjan\Local Settings\Temp\~DF92B7.tmp   Object is locked   skipped
C:\Documents and Settings\Arjan\Local Settings\Temporary Internet Files\Content.IE5\index.dat   Object is locked   skipped
C:\Documents and Settings\Arjan\NTUSER.DAT   Object is locked   skipped
C:\Documents and Settings\Arjan\ntuser.dat.LOG   Object is locked   skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Data\settings.dat   Object is locked   skipped
C:\Documents and Settings\LocalService\Cookies\INDEX.DAT   Object is locked   skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat   Object is locked   skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG   Object is locked   skipped
C:\Documents and Settings\LocalService\Local Settings\Geschiedenis\History.IE5\INDEX.DAT   Object is locked   skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT   Object is locked   skipped
C:\Documents and Settings\LocalService\NTUSER.DAT   Object is locked   skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG   Object is locked   skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat   Object is locked   skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG   Object is locked   skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT   Object is locked   skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG   Object is locked   skipped
C:\Program Files\HP\hpcoretech\hpcmerr.log   Object is locked   skipped
C:\Program Files\MSN Messenger\msnmsgr.exe   Infected: Trojan-Downloader.Win32.Agent.btu   skipped
C:\Program Files\Webroot\Spy Sweeperhe\Masters\masters.bak   Object is locked   skipped
C:\Program Files\Webroot\Spy Sweeperhe\Masters\Masters.const   Object is locked   skipped
C:\Program Files\Webroot\Spy Sweeperhe\Masters\masters.mst   Object is locked   skipped
C:\Program Files\Webroot\Spy Sweeperhe\Masters.base   Object is locked   skipped
C:\QooBox\Quarantine\C\DOCUME~1\Arjan\mon.exe.vir/data0002   Infected: not-a-virus:AdWare.Win32.Virtumonde.jp   skipped
C:\QooBox\Quarantine\C\DOCUME~1\Arjan\mon.exe.vir/data0003   Infected: Trojan-Downloader.Win32.Agent.brf   skipped
C:\QooBox\Quarantine\C\DOCUME~1\Arjan\mon.exe.vir   NSIS: infected - 2   skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\mon.exe.vir/data0002   Infected: not-a-virus:AdWare.Win32.Virtumonde.jp   skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\mon.exe.vir/data0003   Infected: Trojan-Downloader.Win32.Agent.brf   skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\mon.exe.vir   NSIS: infected - 2   skipped
C:\WINDOWS\Debug\PASSWD.LOG   Object is locked   skipped
C:\WINDOWS\SchedLgU.Txt   Object is locked   skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log   Object is locked   skipped
C:\WINDOWS\Sti_Trace.log   Object is locked   skipped
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt   Object is locked   skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT   Object is locked   skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG   Object is locked   skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM   Object is locked   skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG   Object is locked   skipped
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt   Object is locked   skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY   Object is locked   skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG   Object is locked   skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE   Object is locked   skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG   Object is locked   skipped
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt   Object is locked   skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM   Object is locked   skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG   Object is locked   skipped
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\INDEX.DAT   Object is locked   skipped
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Geschiedenis\History.IE5\INDEX.DAT   Object is locked   skipped
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT   Object is locked   skipped
C:\WINDOWS\SYSTEM32\DRIVERS\sptd.sys   Object is locked   skipped
C:\WINDOWS\SYSTEM32\DRIVERS\sptd5437.sys   Object is locked   skipped
C:\WINDOWS\SYSTEM32\H323LOG.TXT   Object is locked   skipped
C:\WINDOWS\SYSTEM32\mclsphlr\mon.exe/data0002   Infected: not-a-virus:AdWare.Win32.Virtumonde.jp   skipped
C:\WINDOWS\SYSTEM32\mclsphlr\mon.exe/data0003   Infected: Trojan-Downloader.Win32.Agent.brf   skipped
C:\WINDOWS\SYSTEM32\mclsphlr\mon.exe   NSIS: infected - 2   skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR   Object is locked   skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA   Object is locked   skipped
C:\WINDOWS\Temp\mcafee_LCGB9RufIeg9bfk   Object is locked   skipped
C:\WINDOWS\Temp\mcafee_ZHuMlfaJF0gwadD   Object is locked   skipped
C:\WINDOWS\Temp\mcmsc_5sXQyVnBBHDlqoL   Object is locked   skipped
C:\WINDOWS\Temp\mcmsc_GCRQxi7BQTcuUPs   Object is locked   skipped
C:\WINDOWS\Temp\mcmsc_l12c3ZErEdfLMJN   Object is locked   skipped
C:\WINDOWS\Temp\mcmsc_QpJZcle0YcOV1cQ   Object is locked   skipped
C:\WINDOWS\WIADEBUG.LOG   Object is locked   skipped
C:\WINDOWS\WIASERVC.LOG   Object is locked   skipped
C:\WINDOWS\WindowsUpdate.log   Object is locked   skipped

Scan process completed.
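Guestolo's reading of this log (mon.exe is a real hit, Reboot.exe is a riskware false alarm, the QooBox entries are ComboFix's own quarantine) can be mechanised. The Python triage helper below is an added example, not code from the thread or from any of the tools named in it; the report lines it parses are a constructed sample in the same layout as the report above, and the tool-folder markers are an assumption.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample in the Kaspersky Online Scanner report layout used in the
# thread: path, status and last action separated by runs of whitespace.
SAMPLE_REPORT = r"""
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\McUsers.dat   Object is locked   skipped
C:\Documents and Settings\Arjan\Bureaublad\mon.exe/data0003   Infected: Trojan-Downloader.Win32.Agent.brf   skipped
C:\Documents and Settings\Arjan\Bureaublad\mon.exe   NSIS: infected - 1   skipped
C:\Documents and Settings\Arjan\Bureaublad\SmitfraudFix\Reboot.exe   Infected: not-a-virus:RiskTool.Win32.Reboot.f   skipped
C:\Program Files\MSN Messenger\msnmsgr.exe   Infected: Trojan-Downloader.Win32.Agent.btu   skipped
C:\QooBox\Quarantine\C\DOCUME~1\Arjan\mon.exe.vir/data0003   Infected: Trojan-Downloader.Win32.Agent.brf   skipped
C:\QooBox\Quarantine\C\DOCUME~1\Arjan\mon.exe.vir   NSIS: infected - 2   skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM   Object is locked   skipped

Scan process completed.
"""

# Assumed list of folders that cleanup tools use for quarantine/backups
# (ComboFix's QooBox, SmitfraudFix, VundoFix are the ones named in the thread).
TOOL_FOLDER_MARKERS = ("\\QooBox\\", "\\SmitfraudFix", "\\VundoFix Backups\\")

# path <2+ spaces or tab> status <2+ spaces or tab> action
_LINE_RE = re.compile(
    r"^(?P<path>.+?)(?:\t|\s{2,})(?P<status>.+?)(?:\t|\s{2,})(?P<action>\S+)\s*$"
)


@dataclass
class Finding:
    path: str
    status: str
    action: str
    category: str          # malware | riskware | container | locked | other
    in_tool_folder: bool   # already inside a cleanup tool's quarantine/backup dir


def base_file(path: str) -> str:
    """Strip the '/dataNNNN' member suffix Kaspersky appends to detections
    inside NSIS/ZIP containers, so hits roll up to the file on disk."""
    return path.split("/", 1)[0]


def classify(status: str) -> str:
    """Map a status column to a triage category."""
    if status.startswith("Object is locked"):
        return "locked"            # file held open by the OS/AV; not a detection
    if re.match(r"^[A-Z0-9]+: infected - \d+$", status):
        return "container"         # summary line; the verdicts are on the member lines
    if status.startswith("Infected: not-a-virus:"):
        return "riskware"          # legitimate tool flagged by policy, e.g. Reboot.exe
    if status.startswith("Infected:"):
        return "malware"
    return "other"


def parse_report(text: str) -> list[Finding]:
    """Parse every path/status/action line; header, blank and footer lines are skipped."""
    findings = []
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue
        path, status, action = m.group("path"), m.group("status"), m.group("action")
        in_tool = any(marker in path for marker in TOOL_FOLDER_MARKERS)
        findings.append(Finding(path, status, action, classify(status), in_tool))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per category."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


def live_threats(findings: list[Finding]) -> list[str]:
    """Files that still need action: real malware verdicts on files that are not
    already sitting in a cleanup tool's quarantine/backup folder (those folders
    are removed whole instead)."""
    seen: set[str] = set()
    out = []
    for f in findings:
        if f.category == "malware" and not f.in_tool_folder:
            b = base_file(f.path)
            if b not in seen:
                seen.add(b)
                out.append(b)
    return out


if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    print(summarize(found))
    for p in live_threats(found):
        print("needs action:", p)
```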

5
Tech Clinic / Vundo infection?
« on: June 18, 2007, 05:09:43 PM »
Took a while, but here it is:

ComboFix 07-06-17 - C:\Documents and Settings\Arjan\Bureaublad\ComboFix.exe
"Arjan" - 2007-06-18 23:52:13 - Service Pack 1  NTFS  
Command switches used :: C:\Documents and Settings\Arjan\Bureaublad\ComboFix-Do.txt


(((((((((((((((((((((((((   Files Created from 2007-05-18 to 2007-06-18  )))))))))))))))))))))))))))))))


2007-06-18 19:18   <DIR>   dr-h-----   C:\DOCUME~1\Arjan\Onlangs geopend
2007-06-18 19:16   <DIR>   d--------   C:\Program Files\CCleaner
2007-06-17 21:51   3,222   --a------   C:\WINDOWS\SYSTEM32\tmp.reg
2007-06-17 19:32   49,152   --a------   C:\WINDOWS\nircmd.exe
2007-06-15 16:35   <DIR>   d--------   C:\HJT
2007-06-14 17:15   <DIR>   d--------   C:\VundoFix Backups
2007-06-13 23:05   83,024   --a------   C:\WINDOWS\SYSTEM32\DRIVERS\iksyssec.sys
2007-06-13 23:05   626,688   --a------   C:\WINDOWS\SYSTEM32\msvcr80.dll
2007-06-13 23:05   57,424   --a------   C:\WINDOWS\SYSTEM32\DRIVERS\iksysflt.sys
2007-06-13 23:05   53,840   --a------   C:\WINDOWS\SYSTEM32\DRIVERS\ikfilesec.sys
2007-06-13 23:05   39,376   --a------   C:\WINDOWS\SYSTEM32\DRIVERS\ikfileflt.sys
2007-06-13 23:05   29,264   --a------   C:\WINDOWS\SYSTEM32\DRIVERS\kcom.sys
2007-06-13 23:05   <DIR>   d--------   C:\Program Files\Spyware Doctor
2007-06-13 23:04   22,080   --a------   C:\WINDOWS\SYSTEM32\DRIVERS\sshrmd.sys
2007-06-13 23:04   21,056   --a------   C:\WINDOWS\SYSTEM32\DRIVERS\sskbfd.sys
2007-06-13 23:04   20,544   --a------   C:\WINDOWS\SYSTEM32\DRIVERS\SSFS0509.sys
2007-06-13 23:04   164   --a------   C:\install.dat
2007-06-13 23:04   144,960   --a------   C:\WINDOWS\SYSTEM32\DRIVERS\ssidrv.sys
2007-06-13 23:04   <DIR>   d--------   C:\Program Files\Webroot
2007-06-13 23:04   <DIR>   d--------   C:\DOCUME~1\Arjan\APPLIC~1\Webroot
2007-06-13 23:04   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\Webroot
2007-06-13 23:02   <DIR>   d--------   C:\Program Files\Lavasoft
2007-06-13 22:59   <DIR>   d--------   C:\Program Files\SpywareBlaster
2007-06-11 21:06   <DIR>   d--------   C:\WINDOWS\FLV Player
2007-06-11 21:06   <DIR>   d--------   C:\Program Files\FLV Player
2007-06-11 20:53   <DIR>   d--------   C:\Program Files\Super
2007-05-31 23:59   <DIR>   d--------   C:\Program Files\Bordermaker26
2007-05-28 10:14   <DIR>   d--------   C:\Program Files\AH Fotoservice
2007-05-19 13:10   335   --a------   C:\WINDOWS\mozregistry.dat


((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-18 19:38:39   --------   d-----w   C:\Program Files\Common Files\Symantec Shared
2007-06-18 10:50:12   69,380   ----a-w   C:\WINDOWS\system32\PERFC013.DAT
2007-06-18 10:50:12   442,004   ----a-w   C:\WINDOWS\system32\PERFH013.DAT
2007-06-17 19:19:22   --------   d-----w   C:\DOCUME~1\Arjan\APPLIC~1\OpenOffice.org2
2007-06-17 19:09:31   --------   d-----w   C:\Program Files\OpenOffice.org1.1.0
2007-06-17 14:10:23   --------   d-----w   C:\DOCUME~1\Arjan\APPLIC~1\CoreFTP
2007-06-16 20:50:44   --------   d-----w   C:\Program Files\Trillian
2007-06-16 04:22:50   --------   d-----w   C:\DOCUME~1\Arjan\APPLIC~1\SiteAdvisor
2007-06-15 14:43:56   --------   d-----w   C:\Program Files\Hitman Pro
2007-06-13 21:22:19   --------   d-----w   C:\DOCUME~1\Arjan\APPLIC~1\Lavasoft
2007-06-13 14:58:40   --------   d-----w   C:\Program Files\MSN Messenger
2007-06-03 20:33:34   --------   d-----w   C:\DOCUME~1\Arjan\APPLIC~1\AdobeUM
2007-05-20 14:35:25   --------   d-----w   C:\Program Files\Hema Album Software Advanced
2007-05-18 12:24:01   --------   d-----w   C:\Program Files\Der teuflische Spiegel
2007-05-18 08:28:27   5,819,200   ----a-w   C:\Program Files\Firefox Setup 2.0.0.3.exe
2007-05-12 18:22:18   --------   d-----w   C:\Program Files\GenoPro
2007-05-03 10:05:56   --------   d-----w   C:\Program Files\GIMP-2.0
2007-04-26 18:25:20   --------   d-----w   C:\Program Files\Common Files\ST System Shared
2007-04-26 18:25:19   --------   d--h--w   C:\Program Files\InstallShield Installation Information
2007-04-26 18:25:19   --------   d-----w   C:\Program Files\Samsung
2007-04-26 18:25:19   --------   d-----w   C:\DOCUME~1\Arjan\APPLIC~1\Samsung
2007-04-26 16:42:50   --------   d-----w   C:\Program Files\Nikon
2007-04-22 13:38:57   247,866   ----a-w   C:\WINDOWS\Alcohol_Toolbar_Uninstaller_6656.exe
2007-04-22 13:38:57   --------   d-----w   C:\Program Files\Alcohol Toolbar
2007-04-22 13:38:30   223,128   ----a-w   C:\WINDOWS\system32\drivers\vaxscsi.sys
2007-04-21 20:57:20   --------   d-----w   C:\Program Files\kaspersky


(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
 
 
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{089FD14D-132B-48FC-8861-0048AE113215}=C:\Program Files\SiteAdvisor\6066\SiteAdv.dll [2007-03-30 17:41]
{0ACF00E0-C1E4-4F6B-B290-10AC7505C47A}=C:\Program Files\Alcohol Toolbar\v3.0.0.0\AudioGizmo_Toolbar.dll [2007-04-22 15:38]
{227B8AA8-DAF2-4892-BD1D-73F568BCB24E}=c:\program files\mcafee.com\mps\mcbrhlpr.dll [2005-10-28 10:30]
{3EC8255F-E043-4cae-8B3B-B191550C2A22}=c:\program files\mcafee.com\mps\popupkiller.dll [2005-10-28 10:30]
{41D68ED8-4CFF-4115-88A6-6EBB8AF19000}=c:\program files\mcafee\spamkiller\mcapfbho.dll [2005-11-09 15:08]
{53707962-6F74-2D53-2644-206D7942484F}=C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2005-05-31 01:04]
{7DB2D5A0-7241-4E79-B68D-6309F01C5231}=c:\program files\mcafee\virusscan\scriptcl.dll [2006-12-22 17:02]
{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar3.dll [2007-01-20 00:55]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"diagent"="C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" [2002-04-03 03:01]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 14:28]
"Acronis Scheduler2 Service"="C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe" [2004-07-25 12:52]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2004-02-12 13:38]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 15:18]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2005-09-03 19:21]
"RTBatteryMeter"="C:\Program Files\VibrateGameDeviceDriver\RFPIcon.exe" [2003-01-16 11:32]
"MPSExe"="c:\PROGRA~1\mcafee.com\mps\mscifapp.exe" [2006-03-30 14:31]
"MSKAGENTEXE"="C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe" [2005-11-09 15:08]
"MSKDetectorExe"="C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe" [2005-08-12 16:16]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-01 16:57]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6066\SiteAdv.exe" [2006-11-18 14:46]
"nwiz"="nwiz.exe" [2006-10-22 12:22 C:\WINDOWS\SYSTEM32\nwiz.exe]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2002-09-11 07:00]
"MSMSGS"="C:\Program Files\Messenger\MSMSGS.exe" [2004-11-15 17:18]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdauxservice]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdcoreservice]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WebrootSpySweeperService]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Usnsvc   usnsvc


Contents of the 'Scheduled Tasks' folder
2007-06-12 14:05:01  C:\WINDOWS\tasks\AppleSoftwareUpdate.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-19 00:05:13
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************

Completion time: 2007-06-19  0:06:34
C:\ComboFix-quarantined-files.txt ... 2007-06-19 00:06
C:\ComboFix2.txt ... 2007-06-18 19:07
C:\ComboFix3.txt ... 2007-06-17 19:51

   --- E O F ---

6
Tech Clinic / Vundo infection?
« on: June 18, 2007, 04:30:05 PM »
Our messages 'crossed':

PS, couldn't resist, so I tried WLM and .... it's still there. I removed mon and doc and started WLM and McAfee reported it removed Downloader-BCF. After WLM had started up the mouse was blocked while WLM was busy trying to log in (or something). So I had to stop the computer manually (press the start button for 8 secs).

7
Tech Clinic / Vundo infection?
« on: June 18, 2007, 03:01:43 PM »
Hi guestolo,

I removed LiveReg and LiveUpdate 1.80 and checked it in scheduled tasks. There was no symantec netdetect anymore.

Then I typed in your CODE in Notepad and followed your instructions. The result was an enormous text file with huge amounts of hexadecimal codes, etc.
At that point I doubted if I had followed your instructions correctly, so I decided to do it again, but this time copying your text into Notepad. I followed your instructions again with the result of this text file:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=hex:5f,00,00,00
"NoCDBurning"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]

Is this what you expected? This result in relation to the extreme first results makes me unsure at this point if I didn't do something wrong?

I still have the first export.txt file. If you want it I can maybe mail it to you? It is about 89 MB!! So posting it here is maybe not wise?

To your question how everything is running, I cannot give you a good answer as we did NOT use Windows Live Messenger since I contacted you. And I am not sure to use it again until this problem has been solved. The two files mon.exe and doc.exe are still on my desktop. Do you want me to remove them, and try Windows Live Messenger again and see what happens?


PS, couldn't resist, so I tried WLM and .... it's still there. I removed mon and doc and started WLM and McAfee reported it removed Downloader-BCF. After WLM had started up the mouse was blocked while WLM was busy trying to log in (or something). So I had to stop the computer manually (press the start button for 8 secs).

8
Tech Clinic / Vundo infection?
« on: June 18, 2007, 12:33:18 PM »
Hi there,
I'll post your question in order:

1. New log from ComboFix:
2. Info about Norton's Live Updater
3. Install.txt from CCleaner

1. New log from Combofix:
ComboFix 07-06-17 - C:\Documents and Settings\Arjan\Bureaublad\ComboFix.exe
"Arjan" - 2007-06-18 18:52:41 - Service Pack 1  NTFS  
Command switches used :: C:\Documents and Settings\Arjan\Bureaublad\ComboFix-Do.txt


(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\Arjan\doc.exe
C:\DOCUME~1\Arjan\mon.exe
C:\WINDOWS\SYSTEM32\doc.exe
C:\WINDOWS\SYSTEM32\mon.exe


(((((((((((((((((((((((((   Files Created from 2007-05-18 to 2007-06-18  )))))))))))))))))))))))))))))))


2007-06-17 21:51   3,222   --a------   C:\WINDOWS\SYSTEM32\tmp.reg
2007-06-17 19:32   49,152   --a------   C:\WINDOWS\nircmd.exe
2007-06-15 16:35   <DIR>   d--------   C:\HJT
2007-06-14 17:15   <DIR>   d--------   C:\VundoFix Backups
2007-06-13 23:05   83,024   --a------   C:\WINDOWS\SYSTEM32\DRIVERS\iksyssec.sys
2007-06-13 23:05   626,688   --a------   C:\WINDOWS\SYSTEM32\msvcr80.dll
2007-06-13 23:05   57,424   --a------   C:\WINDOWS\SYSTEM32\DRIVERS\iksysflt.sys
2007-06-13 23:05   53,840   --a------   C:\WINDOWS\SYSTEM32\DRIVERS\ikfilesec.sys
2007-06-13 23:05   39,376   --a------   C:\WINDOWS\SYSTEM32\DRIVERS\ikfileflt.sys
2007-06-13 23:05   29,264   --a------   C:\WINDOWS\SYSTEM32\DRIVERS\kcom.sys
2007-06-13 23:05   <DIR>   d--------   C:\Program Files\Spyware Doctor
2007-06-13 23:04   22,080   --a------   C:\WINDOWS\SYSTEM32\DRIVERS\sshrmd.sys
2007-06-13 23:04   21,056   --a------   C:\WINDOWS\SYSTEM32\DRIVERS\sskbfd.sys
2007-06-13 23:04   20,544   --a------   C:\WINDOWS\SYSTEM32\DRIVERS\SSFS0509.sys
2007-06-13 23:04   164   --a------   C:\install.dat
2007-06-13 23:04   144,960   --a------   C:\WINDOWS\SYSTEM32\DRIVERS\ssidrv.sys
2007-06-13 23:04   <DIR>   d--------   C:\Program Files\Webroot
2007-06-13 23:04   <DIR>   d--------   C:\DOCUME~1\Arjan\APPLIC~1\Webroot
2007-06-13 23:04   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\Webroot
2007-06-13 23:02   <DIR>   d--------   C:\Program Files\Lavasoft
2007-06-13 22:59   <DIR>   d--------   C:\Program Files\SpywareBlaster
2007-06-11 21:06   <DIR>   d--------   C:\WINDOWS\FLV Player
2007-06-11 21:06   <DIR>   d--------   C:\Program Files\FLV Player
2007-06-11 20:53   <DIR>   d--------   C:\Program Files\Super
2007-06-03 14:10   <DIR>   dr-h-----   C:\DOCUME~1\Arjan\Onlangs geopend
2007-05-31 23:59   <DIR>   d--------   C:\Program Files\Bordermaker26
2007-05-28 10:14   <DIR>   d--------   C:\Program Files\AH Fotoservice
2007-05-19 13:10   335   --a------   C:\WINDOWS\mozregistry.dat
2007-05-18 10:27   5,819,200   --a------   C:\Program Files\Firefox Setup 2.0.0.3.exe


((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-18 10:50:12   69,380   ----a-w   C:\WINDOWS\system32\PERFC013.DAT
2007-06-18 10:50:12   442,004   ----a-w   C:\WINDOWS\system32\PERFH013.DAT
2007-06-17 19:19:22   --------   d-----w   C:\DOCUME~1\Arjan\APPLIC~1\OpenOffice.org2
2007-06-17 19:09:31   --------   d-----w   C:\Program Files\OpenOffice.org1.1.0
2007-06-17 14:10:23   --------   d-----w   C:\DOCUME~1\Arjan\APPLIC~1\CoreFTP
2007-06-16 20:50:44   --------   d-----w   C:\Program Files\Trillian
2007-06-16 04:22:50   --------   d-----w   C:\DOCUME~1\Arjan\APPLIC~1\SiteAdvisor
2007-06-15 14:43:56   --------   d-----w   C:\Program Files\Hitman Pro
2007-06-13 21:22:19   --------   d-----w   C:\DOCUME~1\Arjan\APPLIC~1\Lavasoft
2007-06-13 14:58:40   --------   d-----w   C:\Program Files\MSN Messenger
2007-06-03 20:33:34   --------   d-----w   C:\DOCUME~1\Arjan\APPLIC~1\AdobeUM
2007-05-20 14:35:25   --------   d-----w   C:\Program Files\Hema Album Software Advanced
2007-05-18 12:24:01   --------   d-----w   C:\Program Files\Der teuflische Spiegel
2007-05-12 18:22:18   --------   d-----w   C:\Program Files\GenoPro
2007-05-03 10:05:56   --------   d-----w   C:\Program Files\GIMP-2.0
2007-04-26 18:25:20   --------   d-----w   C:\Program Files\Common Files\ST System Shared
2007-04-26 18:25:19   --------   d--h--w   C:\Program Files\InstallShield Installation Information
2007-04-26 18:25:19   --------   d-----w   C:\Program Files\Samsung
2007-04-26 18:25:19   --------   d-----w   C:\DOCUME~1\Arjan\APPLIC~1\Samsung
2007-04-26 16:42:50   --------   d-----w   C:\Program Files\Nikon
2007-04-22 13:38:57   247,866   ----a-w   C:\WINDOWS\Alcohol_Toolbar_Uninstaller_6656.exe
2007-04-22 13:38:57   --------   d-----w   C:\Program Files\Alcohol Toolbar
2007-04-22 13:38:30   223,128   ----a-w   C:\WINDOWS\system32\drivers\vaxscsi.sys
2007-04-21 20:57:20   --------   d-----w   C:\Program Files\kaspersky


(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
 
 
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{089FD14D-132B-48FC-8861-0048AE113215}=C:\Program Files\SiteAdvisor\6066\SiteAdv.dll [2007-03-30 17:41]
{0ACF00E0-C1E4-4F6B-B290-10AC7505C47A}=C:\Program Files\Alcohol Toolbar\v3.0.0.0\AudioGizmo_Toolbar.dll [2007-04-22 15:38]
{227B8AA8-DAF2-4892-BD1D-73F568BCB24E}=c:\program files\mcafee.com\mps\mcbrhlpr.dll [2005-10-28 10:30]
{3EC8255F-E043-4cae-8B3B-B191550C2A22}=c:\program files\mcafee.com\mps\popupkiller.dll [2005-10-28 10:30]
{41D68ED8-4CFF-4115-88A6-6EBB8AF19000}=c:\program files\mcafee\spamkiller\mcapfbho.dll [2005-11-09 15:08]
{53707962-6F74-2D53-2644-206D7942484F}=C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2005-05-31 01:04]
{7DB2D5A0-7241-4E79-B68D-6309F01C5231}=c:\program files\mcafee\virusscan\scriptcl.dll [2006-12-22 17:02]
{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar3.dll [2007-01-20 00:55]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"diagent"="C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" [2002-04-03 03:01]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 14:28]
"Acronis Scheduler2 Service"="C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe" [2004-07-25 12:52]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2004-02-12 13:38]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 15:18]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2005-09-03 19:21]
"RTBatteryMeter"="C:\Program Files\VibrateGameDeviceDriver\RFPIcon.exe" [2003-01-16 11:32]
"MPSExe"="c:\PROGRA~1\mcafee.com\mps\mscifapp.exe" [2006-03-30 14:31]
"MSKAGENTEXE"="C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe" [2005-11-09 15:08]
"MSKDetectorExe"="C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe" [2005-08-12 16:16]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-01 16:57]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6066\SiteAdv.exe" [2006-11-18 14:46]
"nwiz"="nwiz.exe" [2006-10-22 12:22 C:\WINDOWS\SYSTEM32\nwiz.exe]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2006-10-22 12:22]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2002-09-11 07:00]
"MSMSGS"="C:\Program Files\Messenger\MSMSGS.exe" [2004-11-15 17:18]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
@=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdauxservice]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdcoreservice]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WebrootSpySweeperService]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Usnsvc   usnsvc


Contents of the 'Scheduled Tasks' folder
2007-06-12 14:05:01  C:\WINDOWS\tasks\AppleSoftwareUpdate.job
2005-03-06 19:11:59  C:\WINDOWS\tasks\Symantec NetDetect.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-18 19:06:08
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************

Completion time: 2007-06-18 19:07:13
C:\ComboFix-quarantined-files.txt ... 2007-06-18 19:06
C:\ComboFix2.txt ... 2007-06-17 19:51

   --- E O F ---

2. Info about Norton's LiveUpdate:

I found the following in "Configurations" (I am translating from Dutch Windows to English):

Symantec LiveUpdate
- General
   - Interactive Mode
- FTP
   - Use FTP settings for Internet options
- HTTP
   - HTTP settings for internet options
- ISP
   - Internet options in Configuration screen
3. Install.txt from CCleaner
1310Tour
1310Trb
1310_Help
1310
3D Interior Designer 2
ABC (remove only)
Ad-Aware SE Personal
Adobe Acrobat 5.0
Adobe Flash Player 9 ActiveX
Adobe Photoshop Album 2.0 Starter Edition
Adobe Photoshop Elements 3.0
Adobe Reader 7.0.9 - Nederlands
Adobe Shockwave Player
Adobe® Photoshop® Elements 3.0
Age of Empires III Trial
Age of Mythology
AH Fotoservice
Ahead InCD EasyWrite Reader
Ahead Nero Burning ROM
Ahead NeroMediaPlayer
Ahead NeroVision Express
AiOSoftware
AiO_Scan
Alcohol Toolbar
Apple Software Update
ArcSoft Panorama Maker 3.0
Asterix Maffe Meerkamp
Asterix
AutoUpdate
Barbie Cool Looks Designer
Battle Master 2.0
Beveiligingsupdate for Windows Media Player 10 (KB917734)
Beveiligingsupdate for Windows XP (KB904706)
Beveiligingsupdate voor Windows Media Player (KB911564)
Beveiligingsupdate voor Windows XP (KB890046)
Beveiligingsupdate voor Windows XP (KB893756)
Beveiligingsupdate voor Windows XP (KB896358)
Beveiligingsupdate voor Windows XP (KB896423)
Beveiligingsupdate voor Windows XP (KB896424)
Beveiligingsupdate voor Windows XP (KB896428)
Beveiligingsupdate voor Windows XP (KB899587)
Beveiligingsupdate voor Windows XP (KB899589)
Beveiligingsupdate voor Windows XP (KB899591)
Beveiligingsupdate voor Windows XP (KB900725)
Beveiligingsupdate voor Windows XP (KB901017)
Beveiligingsupdate voor Windows XP (KB901190)
Beveiligingsupdate voor Windows XP (KB901214)
Beveiligingsupdate voor Windows XP (KB902400)
Beveiligingsupdate voor Windows XP (KB905414)
Beveiligingsupdate voor Windows XP (KB905495)
Beveiligingsupdate voor Windows XP (KB905749)
Beveiligingsupdate voor Windows XP (KB908519)
Beveiligingsupdate voor Windows XP (KB911927)
Beveiligingsupdate voor Windows XP (KB912919)
Beveiligingsupdate voor Windows XP (KB913580)
Beveiligingsupdate voor Windows XP (KB914388)
Beveiligingsupdate voor Windows XP (KB914389)
Beveiligingsupdate voor Windows XP (KB914798)
Beveiligingsupdate voor Windows XP (KB917344)
Beveiligingsupdate voor Windows XP (KB917422)
Beveiligingsupdate voor Windows XP (KB917953)
Beveiligingsupdate voor Windows XP (KB919007)
Beveiligingsupdate voor Windows XP (KB920670)
Beveiligingsupdate voor Windows XP (KB920683)
Beveiligingsupdate voor Windows XP (KB920685)
Beveiligingsupdate voor Windows XP (KB921398)
Beveiligingsupdate voor Windows XP (KB921883)
Beveiligingsupdate voor Windows XP (KB922616)
Beveiligingsupdate voor Windows XP (KB922819)
Beveiligingsupdate voor Windows XP (KB923191)
Beveiligingsupdate voor Windows XP (KB923414)
Beveiligingsupdate voor Windows XP (KB924191)
Beveiligingsupdate voor Windows XP (KB924496)
BufferChm
Bugs Bunny & Taz - Op avontuur door de tijd
Bugs Bunny - Reis door de Tijd
Buzz Lightyear of Star Command
Castle Strike Demo
CCleaner (remove only)
Celestia 1.3.2
cladDVD .NET v3.5.6
Classic PhoneTools
Conexant SmartHSFi V92 56K Speakerphone PCI Modem
Cool Edit 96
Copy
Core FTP LE 1.3c
CoverPrint 0.6.0 English
CoverPro
coverXP (remove only)
CreativeProjectsTemplates
CreativeProjects
CueTour
DAO
dBpowerAMP Music Converter
De Kolonisten van Catan
De Sims 2
De Sims™ 2 Familiepret – Accessoires
Declick 2000
Dell Picture Studio - Dell Image Expert
Dell Solution Center
Der teuflische Spiegel
Desktop Guitarist Shareware
Destinations
Digimax Master
Digimax RAW Converter
Digital Line Detect
Dino Island
Director
Disney’s SpellenSpektakel
DivX Player
DivX Web Player
DivX
DocProc
DocumentViewer
DVD Decrypter (Remove Only)
DVD Shrink 3.2
DVDFab (remove only)
DVDSentry
Easy CD Creator 5 Basic
Easy Wonen 1
EasyPeg 1
Eigen Homepage LITE
Empire Earth
ET The Extra-Terrestrial Interplanetary Mission
Fax
Finale NotePad 2004
FLAC Installer 1.1.2a (remove only)
Flight Unlimited II
FLV Player
Gaim (alleen verwijderen)
GenoPro
Google Earth
Google Toolbar for Internet Explorer
GrabIt 1.6.2 Beta (build 940)
Help and Support Customization
Hema Album Software Advanced
Henzo Imager
HijackThis 1.99.1
Hitman Pro
Hotfix for MDAC 2.80 (KB911562)
HP Diagnostic Assistant
HP Image Zone 4.2
HP PSC & OfficeJet 4.2
HP Software Update
HPSystemDiagnostics
Image Analyzer
Indeo® Software
InstantShare
Intel® PRO Network Adapters and Drivers
Intel® PROSet
iTunes
JannieBall
JBCD
KaM - The Peasants Rebellion
Knight Rider
KnightsAndMerchants
LEGO Chess
LEGO Creator Knights Kingdom
LiveReg (Symantec Corporation)
LiveUpdate 1.80 (Symantec Corporation)
Lp2Cd
Mah Jongg III
McAfee SecurityCenter
McAfee Wizard Installatie ongedaan maken
Microsoft .NET Framework 1.1 Dutch Language Pack
Microsoft .NET Framework 1.1
Microsoft Visio Professional 2002 [English]
Microsoft Works 7.0
Modem Helper
Monsters en Co. Schrik Eiland
Moto Racer
Mozilla Firefox (2.0.0.4)
MP3's Utilities 1.6.38
MSXML4 Parser
MUSICMATCH® Jukebox
Namo WebEditor 3.0
NetObjects Fusion 7.5
NetWaiting
Nikon FotoShare
Nikon View 6
Nokia 3200 USB-Handset Manager
NVIDIA Drivers
OpenOffice.org 1.1.0
OpenOffice.org 2.0
Overland
PC Cleaner 2.0
Peter Jackson's King Kong - The Official Game of the Movie
PhotoGallery
Picasa 2
Pirates of the Caribbean
PowerDVD
PrintMaster 7.00
PrintScreen
ProductContext
QFolder
QuickPar 0.9
QuickProjects
QuickTime
Readme
RealPlayer
Redcat Brutale Bankroof
RedCat Spookkasteel
Rol
RS2
Scan
Secret Weapons Over Normandy
Serif PhotoPlus 5.5
Serif WebPlus 6.0 Wizard Pack
Serif WebPlus 6.0
SimCity 2000® Special Edition
SimSafari
SkinsHP1
Skype 1.3
Sony Sound Forge 7.0
Sound Blaster Live!
SPIDI
Spy Sweeper
Spybot - Search & Destroy 1.4
Spyware Doctor 5.0
SpywareBlaster v3.5.1
Stronghold
Syberia 2 Demo
The General 3.4
The Sims Abracadabra
TopStyle Lite (Version 2)
TorrenTopia Client
Total Commander (Remove or Repair)
TrayApp
Trillian
Unload
Update voor Windows XP (KB835409)
Update voor Windows XP (KB898461)
Update voor Windows XP (KB908531)
Update voor Windows XP (KB910437)
Update voor Windows XP (KB911280)
Uru - Ages Beyond Myst Demo
Uru - Ages Beyond Myst
Vakantieboek
VibrateGameDeviceDriver
WAV to MP3 Encoder
Wave Repair 4.8.5
WavePurity
WebFldrs XP
WebReg
Winamp (Remove Only)
Windows Installer 3.1 (KB893803)
Windows Live Messenger
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB822603
Windows XP Hotfix - KB824146
Windows XP Hotfix - KB835732
Windows XP Hotfix - KB842773
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB892944
Windows XP Hotfix - KB911567
Windows XP Hotfix - KB912812
Windows XP Hotfix - KB918439
Windows XP Hotfix - KB918899
Windows XP Hotfix - KB925486
WinRAR
WinZip
Zoner Draw 3

9
Tech Clinic / Vundo infection?
« on: June 17, 2007, 03:26:10 PM »
And last, step 4, a fresh scan of Analyse.exe (renamed from HijackThis.exe):

Logfile of HijackThis v1.99.1
Scan saved at 22:24:38, on 17-6-2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\Program Files\SiteAdvisor\6066\SAService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeperhe\SpySweeper.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\VibrateGameDeviceDriver\RFPIcon.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\SiteAdvisor\6066\SiteAdv.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\WINDOWS\SYSTEM32\VirtualExpander\VirtualExpander.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Java\jre1.5.0_10\bin\jucheck.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\HJT\Analyse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.planet.nl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/nl/nld/gen/default.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.euro.dell.com/countries/nl/nld/gen/default.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O2 - BHO: Alcohol Toolbar Helper - {0ACF00E0-C1E4-4F6B-B290-10AC7505C47A} - C:\Program Files\Alcohol Toolbar\v3.0.0.0\AudioGizmo_Toolbar.dll
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\program files\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll
O2 - BHO: McAfee AntiPhishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Alcohol Toolbar - {DC59A0D4-0ED6-4A73-B356-1B977F2A7725} - C:\Program Files\Alcohol Toolbar\v3.0.0.0\AudioGizmo_Toolbar.dll
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [RTBatteryMeter] "C:\Program Files\VibrateGameDeviceDriver\RFPIcon.exe"
O4 - HKLM\..\Run: [MPSExe] "c:\PROGRA~1\mcafee.com\mps\mscifapp.exe" /embedding
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] "C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe" /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SiteAdvisor] "C:\Program Files\SiteAdvisor\6066\SiteAdv.exe"
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - Startup: VirtualExpander.lnk = C:\WINDOWS\SYSTEM32\VirtualExpander\VirtualExpander.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Snelle start.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: Snelstart HP Image Zone.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: (no name) - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - (no file)
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra 'Tools' menuitem: McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: Bonjour-service (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: SiteAdvisor Service - McAfee, Inc. - C:\Program Files\SiteAdvisor\6066\SAService.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeperhe\SpySweeper.exe


---------------------------------------------------
PS: a lot of data, good luck analysing all this

10
Tech Clinic / Vundo infection?
« on: June 17, 2007, 03:23:49 PM »
Step 2: the SmitFraudFix report:

SmitFraudFix v2.195

Scan done at 21:51:46,59, zo 17-06-2007
Run from C:\Documents and Settings\Arjan\Bureaublad\SmitfraudFix
OS: Microsoft Windows XP [versie 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\Program Files\SiteAdvisor\6066\SAService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeperhe\SpySweeper.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\VibrateGameDeviceDriver\RFPIcon.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\SiteAdvisor\6066\SiteAdv.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\WINDOWS\SYSTEM32\VirtualExpander\VirtualExpander.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Java\jre1.5.0_10\bin\jucheck.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\HPZipm12.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\WINDOWS\System32\cmd.exe
C:\WINDOWS\system32\CSCRIPT.EXE

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Arjan


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Arjan\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Arjan\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
 
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="Mijn huidige introductiepagina"
 

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Intel® PRO/100 VE Network Connection - Pakketplanner-minipoort
DNS Server Search Order: 10.0.0.138

HKLM\SYSTEM\CCS\Services\Tcpip\..\{D8AEF199-7042-406F-BEE3-717B4834FDD8}: DhcpNameServer=10.0.0.138
HKLM\SYSTEM\CS1\Services\Tcpip\..\{D8AEF199-7042-406F-BEE3-717B4834FDD8}: DhcpNameServer=10.0.0.138
HKLM\SYSTEM\CS3\Services\Tcpip\..\{D8AEF199-7042-406F-BEE3-717B4834FDD8}: DhcpNameServer=10.0.0.138
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=10.0.0.138
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=10.0.0.138
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=10.0.0.138


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End


Step 3: the uninstall list from HJT:

3D Interior Designer 2
Ad-Aware SE Personal
Adobe Acrobat 5.0
Adobe Flash Player 9 ActiveX
Adobe Photoshop Album 2.0 Starter Edition
Adobe Photoshop Elements 3.0
Adobe Reader 7.0.9 - Nederlands
Adobe Shockwave Player
Age of Empires III Trial
Age of Mythology
AH Fotoservice
Ahead InCD EasyWrite Reader
Ahead Nero Burning ROM
Ahead NeroMediaPlayer
Ahead NeroVision Express
Alcohol Toolbar
Apple Software Update
ArcSoft Panorama Maker 3.0
Asterix
Asterix Maffe Meerkamp
Barbie Cool Looks Designer
Battle Master 2.0
Beveiligingsupdate for Windows Media Player 10 (KB917734)
Beveiligingsupdate for Windows XP (KB904706)
Beveiligingsupdate voor Windows Media Player (KB911564)
Beveiligingsupdate voor Windows XP (KB890046)
Beveiligingsupdate voor Windows XP (KB893756)
Beveiligingsupdate voor Windows XP (KB896358)
Beveiligingsupdate voor Windows XP (KB896423)
Beveiligingsupdate voor Windows XP (KB896424)
Beveiligingsupdate voor Windows XP (KB896428)
Beveiligingsupdate voor Windows XP (KB899587)
Beveiligingsupdate voor Windows XP (KB899589)
Beveiligingsupdate voor Windows XP (KB899591)
Beveiligingsupdate voor Windows XP (KB900725)
Beveiligingsupdate voor Windows XP (KB901017)
Beveiligingsupdate voor Windows XP (KB901190)
Beveiligingsupdate voor Windows XP (KB901214)
Beveiligingsupdate voor Windows XP (KB902400)
Beveiligingsupdate voor Windows XP (KB905414)
Beveiligingsupdate voor Windows XP (KB905495)
Beveiligingsupdate voor Windows XP (KB905749)
Beveiligingsupdate voor Windows XP (KB908519)
Beveiligingsupdate voor Windows XP (KB911927)
Beveiligingsupdate voor Windows XP (KB912919)
Beveiligingsupdate voor Windows XP (KB913580)
Beveiligingsupdate voor Windows XP (KB914388)
Beveiligingsupdate voor Windows XP (KB914389)
Beveiligingsupdate voor Windows XP (KB917344)
Beveiligingsupdate voor Windows XP (KB917422)
Beveiligingsupdate voor Windows XP (KB917953)
Beveiligingsupdate voor Windows XP (KB919007)
Beveiligingsupdate voor Windows XP (KB920670)
Beveiligingsupdate voor Windows XP (KB920683)
Beveiligingsupdate voor Windows XP (KB920685)
Beveiligingsupdate voor Windows XP (KB921398)
Beveiligingsupdate voor Windows XP (KB921883)
Beveiligingsupdate voor Windows XP (KB922616)
Beveiligingsupdate voor Windows XP (KB922819)
Beveiligingsupdate voor Windows XP (KB923191)
Beveiligingsupdate voor Windows XP (KB923414)
Beveiligingsupdate voor Windows XP (KB924191)
Beveiligingsupdate voor Windows XP (KB924496)
Bugs Bunny - Reis door de Tijd
Bugs Bunny & Taz - Op avontuur door de tijd
Buzz Lightyear of Star Command
Castle Strike Demo
Celestia 1.3.2
cladDVD .NET v3.5.6
Classic PhoneTools
Conexant SmartHSFi V92 56K Speakerphone PCI Modem
Cool Edit 96
Core FTP LE 1.3c
CoverPrint 0.6.0 English
CoverPro
coverXP (remove only)
DAO
dBpowerAMP Music Converter
De Kolonisten van Catan
De Sims 2
De Sims™ 2 Familiepret – Accessoires
Declick 2000
Dell Picture Studio - Dell Image Expert
Dell Solution Center
Der teuflische Spiegel
Desktop Guitarist Shareware
Digimax Master
Digimax RAW Converter
Digital Line Detect
Dino Island
Disney’s SpellenSpektakel
DivX
DivX Player
DivX Web Player
DVD Decrypter (Remove Only)
DVD Shrink 3.2
DVDFab (remove only)
DVDSentry
Easy CD Creator 5 Basic
Easy Wonen 1
EasyPeg 1
Eigen Homepage LITE
Empire Earth
ET The Extra-Terrestrial Interplanetary Mission
Finale NotePad 2004
FLAC Installer 1.1.2a (remove only)
Flight Unlimited II
FLV Player
Gaim (alleen verwijderen)
GenoPro
Google Earth
Google Toolbar for Internet Explorer
GrabIt 1.6.2 Beta (build 940)
Hema Album Software Advanced
Henzo Imager
HijackThis 1.99.1
Hitman Pro
Hotfix for MDAC 2.80 (KB911562)
HP Image Zone 4.2
HP PSC & OfficeJet 4.2
HP Software Update
Image Analyzer
Indeo® Software
Intel® PRO Network Adapters and Drivers
Intel® PROSet
iTunes
J2SE Runtime Environment 5.0 Update 1
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 6
JannieBall
JBCD
KaM - The Peasants Rebellion
Knight Rider
KnightsAndMerchants
LEGO Chess
LEGO Creator Knights Kingdom
LiveReg (Symantec Corporation)
LiveUpdate 1.80 (Symantec Corporation)
Lp2Cd
Mah Jongg III
McAfee SecurityCenter
McAfee Wizard Installatie ongedaan maken
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Dutch Language Pack
Microsoft Visio Professional 2002 [English]
Microsoft Works 7.0
Modem Helper
Monsters en Co. Schrik Eiland
Moto Racer
Mozilla Firefox (2.0.0.4)
MP3's Utilities 1.6.38
MSXML4 Parser
Namo WebEditor 3.0
NetObjects Fusion 7.5
NetWaiting
Nikon FotoShare
Nikon View 6
Nokia 3200 USB-Handset Manager
NVIDIA Drivers
OpenOffice.org 2.0
PC Cleaner 2.0
Peter Jackson's King Kong - The Official Game of the Movie
Picasa 2
Pirates of the Caribbean
PowerDVD
PrintMaster 7.00
QuickPar 0.9
QuickTime
RealPlayer
Redcat Brutale Bankroof
RedCat Spookkasteel
Roll
RS2
Secret Weapons Over Normandy
Serif PhotoPlus 5.5
Serif WebPlus 6.0
Serif WebPlus 6.0 Wizard Pack
SimCity 2000® Special Edition
SimSafari
Skype 1.3
Sony Sound Forge 7.0
Sound Blaster Live!
SPIDI
Spy Sweeper
Spybot - Search & Destroy 1.4
Spyware Doctor 5.0
SpywareBlaster v3.5.1
Stronghold
Syberia 2 Demo
The General 3.4
The Sims Abracadabra
TopStyle Lite (Version 2)
TorrenTopia Client
Total Commander (Remove or Repair)
Trillian
Update voor Windows XP (KB835409)
Update voor Windows XP (KB898461)
Update voor Windows XP (KB908531)
Update voor Windows XP (KB910437)
Update voor Windows XP (KB911280)
Uru - Ages Beyond Myst
Uru - Ages Beyond Myst Demo
Vakantieboek
VibrateGameDeviceDriver
WAV to MP3 Encoder
Wave Repair 4.8.5
WavePurity
Winamp (Remove Only)
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Live Messenger
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB822603
Windows XP Hotfix - KB835732
Windows XP Hotfix - KB842773
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB892944
Windows XP Hotfix - KB911567
Windows XP Hotfix - KB912812
Windows XP Hotfix - KB918439
Windows XP Hotfix - KB918899
Windows XP Hotfix - KB925486
WinRAR
WinZip
Zoner Draw 3

11
Tech Clinic / Vundo infection?
« on: June 17, 2007, 03:20:45 PM »
And here are the final results of VirusTotal for the mon.exe file:

Complete scanning result of "mon.exe", received in VirusTotal at 06.17.2007, 22:04:04 (CET).

Antivirus   Version   Update   Result
AhnLab-V3   2007.6.16.0   06.15.2007   no virus found
AntiVir   7.4.0.32   06.16.2007   no virus found
Authentium   4.93.8   06.16.2007   no virus found
Avast   4.7.997.0   06.16.2007   no virus found
AVG   7.5.0.467   06.17.2007   no virus found
BitDefender   7.2   06.17.2007   Trojan.Vundo.DMA
CAT-QuickHeal   9.00   06.16.2007   no virus found
ClamAV   devel-20070416   06.17.2007   no virus found
DrWeb   4.33   06.17.2007   Trojan.Virtumod
eSafe   7.0.15.0   06.17.2007   Win32.Agent.brf
eTrust-Vet   30.7.3721   06.15.2007   no virus found
Ewido   4.0   06.17.2007   no virus found
FileAdvisor   1   06.17.2007   no virus found
Fortinet   2.85.0.0   06.17.2007   W32/Agent.BRF!tr.dldr
F-Prot   4.3.2.48   06.15.2007   no virus found
F-Secure   6.70.13030.0   06.15.2007   Trojan-Downloader.Win32.Agent.brf
Ikarus   T3.1.1.8   06.17.2007   no virus found
Kaspersky   4.0.2.24   06.17.2007   not-a-virus:AdWare.Win32.Virtumonde.jp
McAfee   5054   06.15.2007   no virus found
Microsoft   1.2607   06.17.2007   no virus found
NOD32v2   2334   06.15.2007   Win32/Adware.Virtumonde
Norman   5.80.02   06.15.2007   W32/Virtumonde.GWT.dropper
Panda   9.0.0.4   06.17.2007   Spyware/Virtumonde
Prevx1   V2   06.17.2007   no virus found
Sophos   4.18.0   06.12.2007   no virus found
Sunbelt   2.2.907.0   06.16.2007   no virus found
Symantec   10   06.17.2007   no virus found
TheHacker   6.1.6.133   06.15.2007   no virus found
VBA32   3.12.0.2   06.15.2007   AdWare.Win32.Virtumonde.if
VirusBuster   4.3.23:9   06.17.2007   no virus found
Webwasher-Gateway   6.0.1   06.17.2007   no virus found

Aditional Information
File size: 70940 bytes
MD5: b5a8659b4a8e612dbab619a072e25a52
SHA1: 9a191b21764912aab66a2c8e9ee39e0486b01384
packers: BINARYRES
norman sandbox: [ General information ]
* **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: [email protected] - REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**.
* Creating several executable files on hard-drive.
* File length: 70940 bytes.

[ Changes to filesystem ]
* Creates directory C:\WINDOWS\TEMP.
* Creates file C:\WINDOWS\TEMP\nsx8999.tmp.
* Deletes file C:\WINDOWS\TEMP\nsx8999.tmp.
* Creates file C:\WINDOWS\TEMP\first.exe.
* Creates file C:\WINDOWS\TEMP\second.exe.
* Creates file C:\WINDOWS\TEMP\nsz0099.tmp.
* Deletes file C:\WINDOWS\TEMP\nsz0099.tmp.
* Creates directory C:\WINDOWS.
* Creates directory C:\WINDOWS\TEMP\nsz0099.tmp.
* Creates file C:\WINDOWS\TEMP\nsz0099.tmp\nsExec.dll.
* Creates file C:\WINDOWS\TEMP\nsz0099.tmp\ns0889.tmp.
* Deletes file C:\WINDOWS\TEMP\nsz0099.tmp\ns0889.tmp.
* Deletes file C:\WINDOWS\TEMP\nsz0099.tmp\NSEXEC.DLL.
* Deletes directory C:\WINDOWS\TEMP\nsz0099.tmp.

[ Signature Scanning ]
* C:\WINDOWS\TEMP\first.exe (38925 bytes) : W32/Virtumonde.GWT.

12
Tech Clinic / Vundo infection?
« on: June 17, 2007, 03:12:52 PM »
And Virusscan.jotti reported the following about the mon.exe file:


File: mon.exe
Status: INFECTED/MALWARE
MD5: b5a8659b4a8e612dbab619a072e25a52
Packers detected: PE_PATCH.PECOMPACT, PE_PATCH.UPOLYX, PE_PATCH.UPX, UPX
Bit9 reports: File not found

Scan taken on 17 Jun 2007 20:08:29 (GMT)
A-Squared    Found nothing
AntiVir    Found nothing
ArcaVir    Found nothing
Avast    Found nothing
AVG Antivirus    Found nothing
BitDefender    Found Trojan.Vundo.DMA, Trojan.Downloader.Agent.YEG
ClamAV    Found nothing
Dr.Web    Found Trojan.Virtumod, Trojan.DownLoader.24028
F-Prot Antivirus Found nothing
F-Secure Anti-Virus    Found not-a-virus:AdWare.Win32.Virtumonde.jp (4, 1, 400), Trojan-Downloader.Win32.Agent.brf
Fortinet    Found W32/Agent.BRF!tr.dldr
Kaspersky Anti-Virus    Found not-a-virus:AdWare.Win32.Virtumonde.jp, Trojan-Downloader.Win32.Agent.brf
NOD32    Found Win32/Adware.Virtumonde application, Win32/TrojanDownloader.Agent.NOJ
Norman Virus Control    Found nothing
Panda Antivirus    Found nothing
Rising Antivirus    Found nothing
VirusBuster    Found nothing
VBA32    Found AdWare.Win32.Virtumonde.if, Trojan-Downloader.Win32.Agent.brf

13
Tech Clinic / Vundo infection?
« on: June 17, 2007, 03:06:05 PM »
Results from Virusjotti regarding the doc.exe file:

Scan taken on 17 Jun 2007 20:04:41 (GMT)
A-Squared    Found nothing
AntiVir    Found nothing
ArcaVir    Found nothing
Avast    Found nothing
AVG Antivirus    Found nothing
BitDefender    Found nothing
ClamAV    Found nothing
Dr.Web    Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus    Found nothing
Fortinet    Found nothing
Kaspersky Anti-Virus    Found nothing
NOD32    Found nothing
Norman Virus Control    Found nothing
Panda Antivirus    Found nothing
Rising Antivirus    Found nothing
VirusBuster    Found nothing
VBA32    Found nothing

14
Tech Clinic / Vundo infection?
« on: June 17, 2007, 12:58:19 PM »
and the logfile from HJT:

Logfile of HijackThis v1.99.1
Scan saved at 19:57:52, on 17-6-2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\Program Files\SiteAdvisor\6066\SAService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeperhe\SpySweeper.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\VibrateGameDeviceDriver\RFPIcon.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\SiteAdvisor\6066\SiteAdv.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\WINDOWS\SYSTEM32\VirtualExpander\VirtualExpander.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Java\jre1.5.0_10\bin\jucheck.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.planet.nl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/nl/nld/gen/default.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.euro.dell.com/countries/nl/nld/gen/default.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O2 - BHO: Alcohol Toolbar Helper - {0ACF00E0-C1E4-4F6B-B290-10AC7505C47A} - C:\Program Files\Alcohol Toolbar\v3.0.0.0\AudioGizmo_Toolbar.dll
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\program files\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll
O2 - BHO: McAfee AntiPhishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Alcohol Toolbar - {DC59A0D4-0ED6-4A73-B356-1B977F2A7725} - C:\Program Files\Alcohol Toolbar\v3.0.0.0\AudioGizmo_Toolbar.dll
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [RTBatteryMeter] "C:\Program Files\VibrateGameDeviceDriver\RFPIcon.exe"
O4 - HKLM\..\Run: [MPSExe] "c:\PROGRA~1\mcafee.com\mps\mscifapp.exe" /embedding
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] "C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe" /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SiteAdvisor] "C:\Program Files\SiteAdvisor\6066\SiteAdv.exe"
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - Startup: VirtualExpander.lnk = C:\WINDOWS\SYSTEM32\VirtualExpander\VirtualExpander.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Snelle start.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: Snelstart HP Image Zone.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: (no name) - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - (no file)
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra 'Tools' menuitem: McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: Bonjour-service (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: SiteAdvisor Service - McAfee, Inc. - C:\Program Files\SiteAdvisor\6066\SAService.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeperhe\SpySweeper.exe

15
Tech Clinic / Vundo infection?
« on: June 17, 2007, 12:57:02 PM »
Here is the log from combofix:

ComboFix 07-06-17 - C:\Documents and Settings\Arjan\Bureaublad\ComboFix.exe
"Arjan" - 2007-06-17 19:32:58 - Service Pack 1  NTFS  


(((((((((((((((((((((((((   Files Created from 2007-05-17 to 2007-06-17  )))))))))))))))))))))))))))))))


2007-06-17 19:32   49,152   --a------   C:\WINDOWS\nircmd.exe
2007-06-15 16:35   <DIR>   d--------   C:\HJT
2007-06-14 17:15   <DIR>   d--------   C:\VundoFix Backups
2007-06-13 23:05   83,024   --a------   C:\WINDOWS\SYSTEM32\DRIVERS\iksyssec.sys
2007-06-13 23:05   626,688   --a------   C:\WINDOWS\SYSTEM32\msvcr80.dll
2007-06-13 23:05   57,424   --a------   C:\WINDOWS\SYSTEM32\DRIVERS\iksysflt.sys
2007-06-13 23:05   53,840   --a------   C:\WINDOWS\SYSTEM32\DRIVERS\ikfilesec.sys
2007-06-13 23:05   39,376   --a------   C:\WINDOWS\SYSTEM32\DRIVERS\ikfileflt.sys
2007-06-13 23:05   29,264   --a------   C:\WINDOWS\SYSTEM32\DRIVERS\kcom.sys
2007-06-13 23:05   <DIR>   d--------   C:\Program Files\Spyware Doctor
2007-06-13 23:04   22,080   --a------   C:\WINDOWS\SYSTEM32\DRIVERS\sshrmd.sys
2007-06-13 23:04   21,056   --a------   C:\WINDOWS\SYSTEM32\DRIVERS\sskbfd.sys
2007-06-13 23:04   20,544   --a------   C:\WINDOWS\SYSTEM32\DRIVERS\SSFS0509.sys
2007-06-13 23:04   164   --a------   C:\install.dat
2007-06-13 23:04   144,960   --a------   C:\WINDOWS\SYSTEM32\DRIVERS\ssidrv.sys
2007-06-13 23:04   <DIR>   d--------   C:\Program Files\Webroot
2007-06-13 23:04   <DIR>   d--------   C:\DOCUME~1\Arjan\APPLIC~1\Webroot
2007-06-13 23:04   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\Webroot
2007-06-13 23:02   <DIR>   d--------   C:\Program Files\Lavasoft
2007-06-13 22:59   <DIR>   d--------   C:\Program Files\SpywareBlaster
2007-06-13 18:31   70,940   --a------   C:\WINDOWS\SYSTEM32\mon.exe
2007-06-13 18:31   211,944   --a------   C:\WINDOWS\SYSTEM32\doc.exe
2007-06-13 16:58   70,913   --a------   C:\DOCUME~1\Arjan\mon.exe
2007-06-13 16:58   211,944   --a------   C:\DOCUME~1\Arjan\doc.exe
2007-06-11 21:06   <DIR>   d--------   C:\WINDOWS\FLV Player
2007-06-11 21:06   <DIR>   d--------   C:\Program Files\FLV Player
2007-06-11 20:53   <DIR>   d--------   C:\Program Files\Super
2007-06-03 14:10   <DIR>   dr-h-----   C:\DOCUME~1\Arjan\Onlangs geopend
2007-05-31 23:59   <DIR>   d--------   C:\Program Files\Bordermaker26
2007-05-28 10:14   <DIR>   d--------   C:\Program Files\AH Fotoservice
2007-05-19 13:10   335   --a------   C:\WINDOWS\mozregistry.dat
2007-05-18 10:27   5,819,200   --a------   C:\Program Files\Firefox Setup 2.0.0.3.exe


((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-17 14:10:23   --------   d-----w   C:\DOCUME~1\Arjan\APPLIC~1\CoreFTP
2007-06-17 13:26:38   --------   d-----w   C:\DOCUME~1\Arjan\APPLIC~1\OpenOffice.org2
2007-06-16 20:50:44   --------   d-----w   C:\Program Files\Trillian
2007-06-16 04:22:50   --------   d-----w   C:\DOCUME~1\Arjan\APPLIC~1\SiteAdvisor
2007-06-15 14:43:56   --------   d-----w   C:\Program Files\Hitman Pro
2007-06-14 20:00:14   --------   d-----w   C:\Program Files\OpenOffice.org1.1.0
2007-06-13 21:22:19   --------   d-----w   C:\DOCUME~1\Arjan\APPLIC~1\Lavasoft
2007-06-13 14:58:40   --------   d-----w   C:\Program Files\MSN Messenger
2007-06-03 20:33:34   --------   d-----w   C:\DOCUME~1\Arjan\APPLIC~1\AdobeUM
2007-05-20 14:35:25   --------   d-----w   C:\Program Files\Hema Album Software Advanced
2007-05-18 12:24:01   --------   d-----w   C:\Program Files\Der teuflische Spiegel
2007-05-12 18:22:18   --------   d-----w   C:\Program Files\GenoPro
2007-05-03 10:05:56   --------   d-----w   C:\Program Files\GIMP-2.0
2007-04-26 18:25:20   --------   d-----w   C:\Program Files\Common Files\ST System Shared
2007-04-26 18:25:19   --------   d--h--w   C:\Program Files\InstallShield Installation Information
2007-04-26 18:25:19   --------   d-----w   C:\Program Files\Samsung
2007-04-26 18:25:19   --------   d-----w   C:\DOCUME~1\Arjan\APPLIC~1\Samsung
2007-04-26 16:42:50   --------   d-----w   C:\Program Files\Nikon
2007-04-22 13:38:57   247,866   ----a-w   C:\WINDOWS\Alcohol_Toolbar_Uninstaller_6656.exe
2007-04-22 13:38:57   --------   d-----w   C:\Program Files\Alcohol Toolbar
2007-04-22 13:38:30   223,128   ----a-w   C:\WINDOWS\system32\drivers\vaxscsi.sys
2007-04-21 20:57:20   --------   d-----w   C:\Program Files\kaspersky
2007-03-25 08:32:10   69,380   ----a-w   C:\WINDOWS\system32\PERFC013.DAT
2007-03-25 08:32:10   442,004   ----a-w   C:\WINDOWS\system32\PERFH013.DAT


(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
 
 
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{089FD14D-132B-48FC-8861-0048AE113215}=C:\Program Files\SiteAdvisor\6066\SiteAdv.dll [2007-03-30 17:41]
{0ACF00E0-C1E4-4F6B-B290-10AC7505C47A}=C:\Program Files\Alcohol Toolbar\v3.0.0.0\AudioGizmo_Toolbar.dll [2007-04-22 15:38]
{227B8AA8-DAF2-4892-BD1D-73F568BCB24E}=c:\program files\mcafee.com\mps\mcbrhlpr.dll [2005-10-28 10:30]
{3EC8255F-E043-4cae-8B3B-B191550C2A22}=c:\program files\mcafee.com\mps\popupkiller.dll [2005-10-28 10:30]
{41D68ED8-4CFF-4115-88A6-6EBB8AF19000}=c:\program files\mcafee\spamkiller\mcapfbho.dll [2005-11-09 15:08]
{53707962-6F74-2D53-2644-206D7942484F}=C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2005-05-31 01:04]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll [2006-11-09 16:21]
{7DB2D5A0-7241-4E79-B68D-6309F01C5231}=c:\program files\mcafee\virusscan\scriptcl.dll [2006-12-22 17:02]
{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar3.dll [2007-01-20 00:55]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"diagent"="C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" [2002-04-03 03:01]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 14:28]
"Acronis Scheduler2 Service"="C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe" [2004-07-25 12:52]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe" [2006-11-09 16:07]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2004-02-12 13:38]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 15:18]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2005-09-03 19:21]
"RTBatteryMeter"="C:\Program Files\VibrateGameDeviceDriver\RFPIcon.exe" [2003-01-16 11:32]
"MPSExe"="c:\PROGRA~1\mcafee.com\mps\mscifapp.exe" [2006-03-30 14:31]
"MSKAGENTEXE"="C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe" [2005-11-09 15:08]
"MSKDetectorExe"="C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe" [2005-08-12 16:16]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-01 16:57]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6066\SiteAdv.exe" [2006-11-18 14:46]
"nwiz"="nwiz.exe" [2006-10-22 12:22 C:\WINDOWS\SYSTEM32\nwiz.exe]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2002-09-11 07:00]
"MSMSGS"="C:\Program Files\Messenger\MSMSGS.exe" [2004-11-15 17:18]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
@=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdauxservice]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdcoreservice]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WebrootSpySweeperService]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Usnsvc   usnsvc


Contents of the 'Scheduled Tasks' folder
2007-06-12 14:05:01  C:\WINDOWS\tasks\AppleSoftwareUpdate.job
2005-03-06 19:11:59  C:\WINDOWS\tasks\Symantec NetDetect.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-17 19:50:07
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************

Completion time: 2007-06-17 19:51:24

   --- E O F ---

16
Tech Clinic / Vundo infection?
« on: June 17, 2007, 12:31:10 PM »
[quote name='guestolo' post='341320' date='Jun 16 2007, 02:05 AM']Hi again rosedaniels, can you do the following please

Download [color=\"blue\"]VundoFix.exe[/color]
to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files,  click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above
instructions starting from "Click the Scan for Vundo button."

I'll need to see this report from Vundofix later>>C:\Vundofix.txt[/quote]


OK first step has been done:

Vundofix said: No files found
However, I did click "Remove Vundo", with of course no result.

here is the log file:


VundoFix V6.5.0

Checking Java version...

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Scan started at 17:15:12 14-6-2007

Listing files found while scanning....


Beginning removal...

VundoFix V6.5.0

Checking Java version...

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Scan started at 17:22:25 14-6-2007

Listing files found while scanning....

No infected files were found.


VundoFix V6.5.0

Checking Java version...

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Scan started at 18:42:34 17-6-2007

Listing files found while scanning....

No infected files were found.


Beginning removal...

17
Tech Clinic / Vundo infection?
« on: June 15, 2007, 09:57:36 AM »
Hi there,

I would sincerely appreciate it if you could help me with this problem:

My daughter uses Windows Live Messenger to communicate with her schoolmates. Apparently she clicked on a link (as her schoolmates have suffered from the same "problem") and with that action something was copied onto the computer.
"It" results in blocking the log-in functionality when starting Windows Live Messenger again ("It" does not seem to 'control' any other program) and it shows two files on the "Bureaublad" (is Dutch for "Desk"?): doc.exe and mon.exe. When you delete these two files they reappear after restarting the computer and/or starting Windows Live Messenger.
I use McAfee antivirus and this gives a message that it removed "Vundo" when starting Windows Live Messenger.

I discovered that my 'recovery' option of Windows was NOT on, so I could not go back to the situation before the infection.

I also used HitmanPro and all that belongs to it to try to 'clean' whatever is there. But I seem to lack sufficient knowledge of what I am exactly doing. So you are my last resort at this time. I downloaded HJT and produced the following log. Hope you can help as you did two years ago.

Logfile of HijackThis v1.99.1
Scan saved at 16:39:59, on 15-6-2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\Program Files\SiteAdvisor\6066\SAService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeperhe\SpySweeper.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\VibrateGameDeviceDriver\RFPIcon.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\SiteAdvisor\6066\SiteAdv.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\WINDOWS\SYSTEM32\VirtualExpander\VirtualExpander.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/nl/nld/gen/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.planet.nl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/nl/nld/gen/default.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell.com/countries/nl/nld/gen/default.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.euro.dell.com/countries/nl/nld/gen/default.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O2 - BHO: Alcohol Toolbar Helper - {0ACF00E0-C1E4-4F6B-B290-10AC7505C47A} - C:\Program Files\Alcohol Toolbar\v3.0.0.0\AudioGizmo_Toolbar.dll
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\program files\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll
O2 - BHO: McAfee AntiPhishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Alcohol Toolbar - {DC59A0D4-0ED6-4A73-B356-1B977F2A7725} - C:\Program Files\Alcohol Toolbar\v3.0.0.0\AudioGizmo_Toolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DXM6Patch_981116] "C:\WINDOWS\p_981116.exe" /Q:A
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [RTBatteryMeter] "C:\Program Files\VibrateGameDeviceDriver\RFPIcon.exe"
O4 - HKLM\..\Run: [MPSExe] "c:\PROGRA~1\mcafee.com\mps\mscifapp.exe" /embedding
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] "C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe" /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SiteAdvisor] "C:\Program Files\SiteAdvisor\6066\SiteAdv.exe"
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - Startup: VirtualExpander.lnk = C:\WINDOWS\SYSTEM32\VirtualExpander\VirtualExpander.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Snelle start.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: Snelstart HP Image Zone.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: (no name) - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - (no file)
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra 'Tools' menuitem: McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: Bonjour-service (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: SiteAdvisor Service - McAfee, Inc. - C:\Program Files\SiteAdvisor\6066\SAService.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeperhe\SpySweeper.exe

18
Software / Alternative MSN clients
« on: March 16, 2005, 04:13:22 PM »
My daughter wants to use msn to chat with her friends.
I heard MSN to be a source of trouble, incoming viruses, and so on. I already use Mozilla Firefox as a browser instead of IE.

Does anyone know of alternative Messenger clients to MSN to use in combination with Firefox???

19
Tech Clinic / same problems as liptonite
« on: March 13, 2005, 10:03:40 AM »
It all seems to be working fine again. :)

Tnxs a lot for the advice and help.
You are all doing great work here, especially you guestolo.

It's good to know that in this sometimes weird internet world there are people like yourself, who help others when they are in trouble.

Tnxs again.

20
Tech Clinic / same problems as liptonite
« on: March 13, 2005, 04:15:17 AM »
Tnxs guestolo

this seems to be working: no more pop-ups, no more warnings, no daosearch as start page. Seems stable now, but I'd love to have some confirmation from you.

I have done all you asked, found and deleted the files you mentioned.
In C:\WINDOWS\System32\Services I found this subfolder:
...\{7EF53503-E2D2-4D85-B34A-EBC4F32871A6}
with the following files in it:
SVCHOST.EXE .... 6-3-2005  18.35
SVCHOST.DLL .... 6-3-2005  18.35

And this is the most recent logfile from HijackThis:
Logfile of HijackThis v1.99.1
Scan saved at 10:03:46, on 13-3-2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Zone Labs\ZoneAlarm\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\OpenOffice.org1.1.0\program\soffice.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\WINDOWS\System32\CTsvcCDA.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Documents and Settings\Administrator\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/nl/nld/gen/default.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/nl/nld/gen/default.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell.com/countries/nl/nld/gen/default.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.euro.dell.com/countries/nl/nld/gen/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: OpenOffice.org 1.1.0.lnk = C:\Program Files\OpenOffice.org1.1.0\program\quickstart.exe
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsc...83/mcinsctl.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://64.146.72.210:8111/AxisCamControl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmg...,20/mcgdmgr.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: iPod-service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe


I hope everything has worked out so far?
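As an added example (not code from this thread, from guestolo, or from HijackThis itself), here is a small Python checker that reads HijackThis-style log lines and flags the kind of entry found above: a copy of SVCHOST.EXE sitting in a GUID-named subfolder under C:\WINDOWS\System32\Services instead of in C:\WINDOWS\System32. The sample lines are constructed for the example; the GUID folder, the O9 "(no file)" entry and the O10 Bonjour LSP line mirror entries in the posts above, while the `[svchost]` O4 Run entry is hypothetical. The table of expected directories assumes an XP-era C:\WINDOWS layout like the one in these logs.

```python
"""Flag suspicious binary locations in HijackThis-style log lines (added example)."""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Tuple

# Where the genuine copies of core Windows binaries live (lower-case, assumes
# %SystemRoot% = C:\WINDOWS as in the logs above; adjust for other layouts).
EXPECTED_DIRS = {
    "svchost.exe": {r"c:\windows\system32"},
    "services.exe": {r"c:\windows\system32"},
    "lsass.exe": {r"c:\windows\system32"},
    "winlogon.exe": {r"c:\windows\system32"},
    "smss.exe": {r"c:\windows\system32"},
    "csrss.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
}

# A Windows path ending in a binary extension; directory names may contain spaces.
PATH_RE = re.compile(
    r'[a-z]:\\(?:[^\\:*?"<>|\r\n\t]+\\)*[^\\:*?"<>|\r\n\t]+?\.(?:exe|dll|ocx|cab)\b',
    re.I,
)
# A directory component that is a bare GUID, e.g. ...\{7EF53503-...-EBC4F32871A6}\...
GUID_DIR_RE = re.compile(r"\\\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}\\", re.I)

# Constructed sample log (not a real machine's log). Line 3 and line 5 carry the
# fake svchost from the post above; line 5's [svchost] Run entry is hypothetical.
SAMPLE_LOG = "\n".join([
    r"Running processes:",
    r"C:\WINDOWS\System32\svchost.exe",
    r"C:\WINDOWS\System32\Services\{7EF53503-E2D2-4D85-B34A-EBC4F32871A6}\SVCHOST.EXE",
    r"O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup",
    r"O4 - HKLM\..\Run: [svchost] C:\WINDOWS\System32\Services\{7EF53503-E2D2-4D85-B34A-EBC4F32871A6}\SVCHOST.EXE",
    r"O9 - Extra button: (no name) - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - (no file)",
    r"O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll",
    r"O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe",
])


@dataclass
class Finding:
    line_no: int
    severity: str  # "high" = very likely malicious, "review" = check by hand
    reason: str
    line: str


def check_path(path: str) -> List[Tuple[str, str]]:
    """Return (severity, reason) pairs for one binary path; empty list if it looks normal."""
    reasons = []
    lowered = path.lower()
    name = ntpath.basename(lowered)
    directory = ntpath.dirname(lowered)
    # A core system binary name running from anywhere but its real home is the
    # classic impostor pattern (the SVCHOST.EXE in the Services subfolder above).
    if name in EXPECTED_DIRS and directory not in EXPECTED_DIRS[name]:
        reasons.append(("high", f"{name} outside its expected directory: {path}"))
    # Binaries dropped into a GUID-named folder are meant to look like system plumbing.
    if GUID_DIR_RE.search(lowered):
        reasons.append(("high", f"binary inside a GUID-named folder: {path}"))
    return reasons


def analyze_log(text: str) -> List[Finding]:
    """Scan every line of a HijackThis-style log and collect findings in line order."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        for path in PATH_RE.findall(line):
            for severity, reason in check_path(path):
                findings.append(Finding(line_no, severity, reason, line))
        if line.startswith("O10 - Unknown file in Winsock LSP"):
            findings.append(Finding(line_no, "review", "unknown Winsock LSP; confirm the DLL's vendor", line))
        if "(no file)" in line:
            findings.append(Finding(line_no, "review", "entry points at a missing file (orphaned registration)", line))
    return findings


if __name__ == "__main__":
    for f in analyze_log(SAMPLE_LOG):
        print(f"line {f.line_no} [{f.severity}] {f.reason}")
```

Run it as-is to see the constructed sample scored; to use it on a real log, pass the file's text to `analyze_log`. The "high" findings are only about location and folder naming, which is what made the entry in the post stand out: the filename alone (svchost.exe) is never the signal, the directory is.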
