Backdoor.Bot infection

13 replies to this topic

#1
Ruud

    New Member

  • Members
  • 11 posts
  • Gender:Male
  • Location:Holland
Hello, I'm new here. I live in Holland and I do my best to read and write in English. A long time ago www.virushelp.nl advised me to use Mbam because there was a little problem with my PC. Running Windows XP SP3.

Once a week I run Mbam. The last time I got the message that my PC has a backdoor.bot infection.
Is there something more that I have to do, or is it a false positive?

This was the logging:

Malwarebytes' Anti-Malware 1.39
Database versie: 2542
Windows 5.1.2600 Service Pack 3

2-8-2009 1:13:57
mbam-log-2009-08-02 (01-13-57).txt

Scan type: Volledige Scan (C:\|)
Objecten gescand: 196142
Verstreken tijd: 2 hour(s), 14 minute(s), 16 second(s)

Geheugenprocessen geïnfecteerd: 0
Geheugenmodulen geïnfecteerd: 0
Registersleutels geïnfecteerd: 2
Registerwaarden geïnfecteerd: 3
Registerdata bestanden geïnfecteerd: 0
Mappen geïnfecteerd: 0
Bestanden geïnfecteerd: 3

Geheugenprocessen geïnfecteerd:
(Geen kwaadaardige items gevonden)

Geheugenmodulen geïnfecteerd:
(Geen kwaadaardige items gevonden)

Registersleutels geïnfecteerd:
HKEY_CLASSES_ROOT\CLSID\{5ed1bdb7-cc6e-43bc-978d-41b97330a0a9} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{78766964-0000-001b-8100-00aa00389b71} (Backdoor.Bot) -> Quarantined and deleted successfully.

Registerwaarden geïnfecteerd:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\c:\program files\common files\Elecard\minidivx.ax (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\c:\program files\common files\Elecard\mlcom.ax (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\c:\program files\common files\Elecard\mpgdec.ax (Backdoor.Bot) -> Quarantined and deleted successfully.

Registerdata bestanden geïnfecteerd:
(Geen kwaadaardige items gevonden)

Mappen geïnfecteerd:
(Geen kwaadaardige items gevonden)

Bestanden geïnfecteerd:
c:\program files\common files\Elecard\minidivx.ax (Backdoor.Bot) -> Quarantined and deleted successfully.
c:\program files\common files\Elecard\mlcom.ax (Backdoor.Bot) -> Quarantined and deleted successfully.
c:\program files\common files\Elecard\mpgdec.ax (Backdoor.Bot) -> Quarantined and deleted successfully.

The latest Mbam logging:
Malwarebytes' Anti-Malware 1.40
Database versie: 2551
Windows 5.1.2600 Service Pack 3

4-8-2009 0:15:17
mbam-log-2009-08-04 (00-15-17).txt

Scan type: Volledige Scan (C:\|)
Objecten gescand: 197403
Verstreken tijd: 2 hour(s), 18 minute(s), 4 second(s)

Geheugenprocessen geïnfecteerd: 0
Geheugenmodulen geïnfecteerd: 0
Registersleutels geïnfecteerd: 0
Registerwaarden geïnfecteerd: 0
Registerdata bestanden geïnfecteerd: 0
Mappen geïnfecteerd: 0
Bestanden geïnfecteerd: 0

Geheugenprocessen geïnfecteerd:
(Geen kwaadaardige items gevonden)

Geheugenmodulen geïnfecteerd:
(Geen kwaadaardige items gevonden)

Registersleutels geïnfecteerd:
(Geen kwaadaardige items gevonden)

Registerwaarden geïnfecteerd:
(Geen kwaadaardige items gevonden)

Registerdata bestanden geïnfecteerd:
(Geen kwaadaardige items gevonden)

Mappen geïnfecteerd:
(Geen kwaadaardige items gevonden)

Bestanden geïnfecteerd:
(Geen kwaadaardige items gevonden)


The HJT logging:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 0:16:21, on 4-8-2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Plustek\OpticFilm 7200\QuickScan.exe
C:\PROGRA~1\McAfee\MCAFEE~1\FireSvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\PROGRA~1\McAfee\MCAFEE~1\FireTray.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\freecell.exe
C:\DATA\Programmas\VeiligEnAnderen\6.HyackThisVersie2.02\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://nl.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O4 - HKLM\..\Run: [LogitechGalleryRepair] "C:\Program Files\Logitech\Video\ISStart.exe"
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeFireTray] "C:\PROGRA~1\McAfee\MCAFEE~1\Firetray.exe"
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\DATA\Programmas\VeiligEnAnderen\5.Mbam\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Agenda-herinneringen.lnk = ?
O4 - Global Startup: QuickScan (OpticFilm 7200).lnk = C:\Program Files\Plustek\OpticFilm 7200\QuickScan.exe
O8 - Extra context menu item: Converteren naar Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Doel van koppeling converteren naar Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Doel van koppeling toevoegen aan bestaande PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Toevoegen aan bestaande PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O15 - Trusted Zone: http://www.duesseldorf.de
O15 - Trusted Zone: http://onecare.live.com
O15 - Trusted Zone: http://housecall65.trendmicro.com
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase1140.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1228518054843
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1228517900328
O23 - Service: McAfee Desktop Firewall Service (FireSvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MCAFEE~1\FireSvc.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe

--
End of file - 6781 bytes
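The two MBAM logs above are the whole basis for the "clean now" verdict, so it is worth being able to read them mechanically. The following Python parser is an added example, not code from this thread or from Malwarebytes: it understands the log layout shown above (a summary block of `Label: N` lines followed by one detail section per label), keeps the Dutch section labels exactly as a Dutch-language MBAM install writes them, and compares a removal scan with its follow-up. The two sample logs embedded in it are constructed and abbreviated from the logs in this thread; their counts are chosen to match the detail lines they contain.

```python
import re
from dataclasses import dataclass, field

# Section labels as a Dutch-language MBAM 1.3x/1.4x install writes them (taken from
# the logs in this thread), mapped to English keys.
SECTION_LABELS = {
    "Geheugenprocessen geïnfecteerd": "memory_processes",    # memory processes infected
    "Geheugenmodulen geïnfecteerd": "memory_modules",        # memory modules infected
    "Registersleutels geïnfecteerd": "registry_keys",        # registry keys infected
    "Registerwaarden geïnfecteerd": "registry_values",       # registry values infected
    "Registerdata bestanden geïnfecteerd": "registry_data",  # registry data items infected
    "Mappen geïnfecteerd": "folders",                        # folders infected
    "Bestanden geïnfecteerd": "files",                       # files infected
}
NO_ITEMS = "(Geen kwaadaardige items gevonden)"  # "(No malicious items found)"

# Every detection line in these logs has the shape "<item> (<family>) -> <action>".
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+)$")


@dataclass
class Detection:
    section: str
    item: str
    family: str
    action: str


@dataclass
class ScanSummary:
    version: str = ""
    database: str = ""
    counts: dict = field(default_factory=dict)
    detections: list = field(default_factory=list)

    def total(self) -> int:
        return sum(self.counts.values())

    def is_clean(self) -> bool:
        # Both the summary counts and the detail sections must agree on "nothing found".
        return self.total() == 0 and not self.detections


def parse_mbam_log(text: str) -> ScanSummary:
    """Parse one MBAM log. 'Label: N' is a summary count; a bare 'Label:' line opens
    the detail section whose items follow until the next label."""
    summary = ScanSummary()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Malwarebytes' Anti-Malware "):
            summary.version = line.rsplit(" ", 1)[1]
            continue
        if line.startswith("Database versie:"):
            summary.database = line.split(":", 1)[1].strip()
            continue
        for label, key in SECTION_LABELS.items():
            if line.startswith(label + ":"):
                rest = line[len(label) + 1:].strip()
                if rest.isdigit():
                    summary.counts[key] = int(rest)   # summary block
                    section = None
                else:
                    section = key                     # start of a detail section
                break
        else:
            if section is None or line == NO_ITEMS:
                continue
            m = DETECTION_RE.match(line)
            if m:
                summary.detections.append(Detection(section, m["item"], m["family"], m["action"]))
    return summary


def compare_scans(before: ScanSummary, after: ScanSummary) -> dict:
    """Report what the removal scan quarantined and whether the follow-up is clean."""
    return {
        "families": sorted({d.family for d in before.detections}),
        "removed_files": [d.item for d in before.detections
                          if d.section == "files" and d.action.startswith("Quarantined and deleted")],
        "before_total": before.total(),
        "after_total": after.total(),
        "follow_up_clean": after.is_clean(),
    }


# Constructed sample logs, abbreviated from the two logs posted in this thread.
FIRST_LOG = r"""Malwarebytes' Anti-Malware 1.39
Database versie: 2542

Registersleutels geïnfecteerd: 1
Registerwaarden geïnfecteerd: 1
Bestanden geïnfecteerd: 2

Registersleutels geïnfecteerd:
HKEY_CLASSES_ROOT\CLSID\{5ed1bdb7-cc6e-43bc-978d-41b97330a0a9} (Backdoor.Bot) -> Quarantined and deleted successfully.

Registerwaarden geïnfecteerd:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\c:\program files\common files\Elecard\minidivx.ax (Backdoor.Bot) -> Quarantined and deleted successfully.

Bestanden geïnfecteerd:
c:\program files\common files\Elecard\minidivx.ax (Backdoor.Bot) -> Quarantined and deleted successfully.
c:\program files\common files\Elecard\mlcom.ax (Backdoor.Bot) -> Quarantined and deleted successfully.
"""

SECOND_LOG = r"""Malwarebytes' Anti-Malware 1.40
Database versie: 2551

Registersleutels geïnfecteerd: 0
Bestanden geïnfecteerd: 0

Registersleutels geïnfecteerd:
(Geen kwaadaardige items gevonden)

Bestanden geïnfecteerd:
(Geen kwaadaardige items gevonden)
"""

if __name__ == "__main__":
    print(compare_scans(parse_mbam_log(FIRST_LOG), parse_mbam_log(SECOND_LOG)))
```

`is_clean()` deliberately checks both the counts and the detail sections: a log whose summary says zero but still lists items (or the reverse) is a truncated or tampered paste, not a clean scan, and should be treated as "ask for the full log" rather than "all clear".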

#2
Ruud

    New Member

  • Members
  • 11 posts
  • Gender:Male
  • Location:Holland
* There are often many others that require assistance as well, so please be patient. If no one has responded within 48 hours then please go ahead and post a request for review

#3
AdvancedSetup

    Forum Deity

  • Administrators
  • 22,575 posts
  • Gender:Male
  • Location:US
Well the latest log shows you're ok now. Are you still having an issue with Malware?


Please run the following scanner


Download DDS and save it to your desktop
http://download.bleepingcomputer.com/sUBs/dds.scr

Disable any script blocker if your Anti-Virus/Anti-Malware has it.
Once downloaded you can disconnect from the Internet and disable your Anti-Virus temporarily if needed.
Then double click dds.scr to run the tool.
When done, the DDS.txt will open.
Click Yes at the next prompt for Optional Scan.
When done, DDS will open two (2) logs:
  • DDS.txt
  • Attach.txt
Save both reports to your desktop.
Please include the following logs in your next reply: DDS.txt and Attach.txt
Ron Lewis
Manager, Online Support

If you've posted to the HJT forum and it has been over 5 days without a response please send a Private Message asking for assistance.

#4
Ruud

    New Member

  • Members
  • 11 posts
  • Gender:Male
  • Location:Holland
I only got the message that there was a backdoor.bot infection.
I don't know if there is something wrong, therefore I asked for help.
This is the DDS.txt

DDS (Ver_09-07-30.01) - NTFSx86
Run by Eigenaar at 22:15:27,51 on za 08-08-2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.31.1043.18.2031.1268 [GMT 2:00]

AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Plustek\OpticFilm 7200\QuickScan.exe
svchost.exe
C:\PROGRA~1\McAfee\MCAFEE~1\FireSvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\PROGRA~1\McAfee\MCAFEE~1\FireTray.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\DATA\Programmas\eMule\eMule.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\Eigenaar\Bureaublad\dds.scr

============== Pseudo HJT Report ===============

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptcl.dll
BHO: Aanmeldhulp voor Windows Live ID: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
mRun: [LogitechGalleryRepair] "c:\program files\logitech\video\ISStart.exe"
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\UdaterUI.exe" /StartedFromRunKey
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [McAfeeFireTray] "c:\progra~1\mcafee\mcafee~1\Firetray.exe"
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
StartupFolder: c:\docume~1\eigenaar\menust~1\progra~1\opstar~1\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
StartupFolder: c:\docume~1\alluse~1\menust~1\progra~1\opstar~1\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\menust~1\progra~1\opstar~1\micros~2.lnk - c:\program files\common files\microsoft shared\works shared\wkcalrem.exe
StartupFolder: c:\docume~1\alluse~1\menust~1\progra~1\opstar~1\quicks~1.lnk - c:\program files\plustek\opticfilm 7200\QuickScan.exe
mPolicies-system: DisableStatusMessages = 1 (0x1)
IE: Converteren naar Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: Doel van koppeling converteren naar Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Doel van koppeling toevoegen aan bestaande PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Toevoegen aan bestaande PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: airfrance.com\w3
Trusted Zone: belastingdienst.nl\mijn
Trusted Zone: cocensus.nl\webmail
Trusted Zone: duesseldorf.de\www
Trusted Zone: ing.nl\mijn
Trusted Zone: klm.com\secure
Trusted Zone: live.com\login
Trusted Zone: live.com\onecare
Trusted Zone: microsoft.com\download.windowsupdate
Trusted Zone: microsoft.com\office
Trusted Zone: microsoft.com\update
Trusted Zone: microsoft.com\www.update
Trusted Zone: nuon.nl\www
Trusted Zone: postbank.nl\mijn
Trusted Zone: postbank.nl\rentepunten
Trusted Zone: trendmicro.com\housecall65
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} - hxxp://download.microsoft.com/download/0/5/c/05c905f4-dd30-427d-a3de-373c3e5552fc/msSecAdv.cab?1088084614546
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {4B48D5DF-9021-45F7-A240-60304302A215} - hxxp://download.microsoft.com/download/5/c/2/5c2fc4b7-3875-4eec-946b-ffe15472cabc/WebCleaner.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase1140.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1249415505734
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1249413699843
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78D} - hxxp://www.microsoft.com/security/controls/DoomCln.CAB
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {E2F9D054-D2B5-4CE8-9BDF-8BF3A81DB7E9} - hxxp://download.microsoft.com/download/a/3/7/a377aea1-7b14-4fa1-933c-43e657b37995/ProductIDGatherer.CAB
Notify: igfxcui - igfxdev.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

============= SERVICES / DRIVERS ===============

R1 mferkdk;VSCore mferkdk;c:\program files\mcafee\virusscan enterprise\mferkdk.sys [2006-11-30 31944]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2008-9-14 104000]
R2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\Mcshield.exe [2006-11-30 144960]
R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\VsTskMgr.exe [2006-11-30 54872]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R2 wlidsvc;Windows Live ID Sign-in Assistant;c:\program files\common files\microsoft shared\windows live\WLIDSVC.EXE [2009-3-30 1533808]
R3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2008-9-29 72264]
R3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2008-9-29 34152]
R3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2008-9-29 168776]
S3 PDSched;PDScheduler;c:\program files\raxco\perfectdisk\PDSched.exe [2005-11-29 241731]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2009-6-17 12648]
S4 adiusbae;USB ADSL LAN Adapter;c:\windows\system32\drivers\adiusbae.sys --> c:\windows\system32\drivers\adiusbae.sys [?]
S4 cpuz130;cpuz130;\??\c:\docume~1\eigenaar\locals~1\temp\cpuz130\cpuz_x32.sys --> c:\docume~1\eigenaar\locals~1\temp\cpuz130\cpuz_x32.sys [?]
S4 esihdrv;esihdrv;\??\c:\docume~1\eigenaar\locals~1\temp\esihdrv.sys --> c:\docume~1\eigenaar\locals~1\temp\esihdrv.sys [?]
S4 FXKQYLEM;FXKQYLEM;c:\docume~1\eigenaar\locals~1\temp\fxkqylem.exe --> c:\docume~1\eigenaar\locals~1\temp\FXKQYLEM.exe [?]
S4 HZFKBMV;HZFKBMV;c:\docume~1\eigenaar\locals~1\temp\hzfkbmv.exe --> c:\docume~1\eigenaar\locals~1\temp\HZFKBMV.exe [?]
S4 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]
S4 LJRV;LJRV;c:\docume~1\eigenaar\locals~1\temp\ljrv.exe --> c:\docume~1\eigenaar\locals~1\temp\LJRV.exe [?]
S4 mbr;mbr;\??\c:\docume~1\eigenaar\locals~1\temp\mbr.sys --> c:\docume~1\eigenaar\locals~1\temp\mbr.sys [?]
S4 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\6.tmp --> c:\windows\system32\6.tmp [?]
S4 SAVOnAccessControl;SAVOnAccessControl;c:\windows\system32\drivers\savonaccesscontrol.sys --> c:\windows\system32\drivers\savonaccesscontrol.sys [?]
S4 SAVOnAccessFilter;SAVOnAccessFilter;c:\windows\system32\drivers\savonaccessfilter.sys --> c:\windows\system32\drivers\savonaccessfilter.sys [?]
S4 ZNK;ZNK;c:\docume~1\eigenaar\locals~1\temp\znk.exe --> c:\docume~1\eigenaar\locals~1\temp\ZNK.exe [?]

=============== Created Last 30 ================

2009-08-08 21:23 <DIR> --d-hr-- c:\documents and settings\eigenaar\Onlangs geopend
2009-08-04 21:59 <DIR> --d----- C:\_AcroTemp
2009-08-04 21:39 <DIR> --d----- c:\docume~1\eigenaar\applic~1\Windows Desktop Search
2009-08-04 21:31 29,696 -c------ c:\windows\system32\dllcache\mimefilt.dll
2009-08-04 21:31 192,000 -c------ c:\windows\system32\dllcache\offfilt.dll
2009-08-04 21:31 98,304 -c------ c:\windows\system32\dllcache\nlhtml.dll
2009-08-04 19:35 <DIR> --d----- c:\program files\Microsoft Office Outlook Connector
2009-08-04 19:21 <DIR> --d----- c:\program files\Windows Live SkyDrive
2009-08-04 18:53 <DIR> --d----- c:\program files\Microsoft

==================== Find3M ====================

2009-08-04 21:34 536,884 a------- c:\windows\system32\perfh013.dat
2009-08-04 21:34 101,106 a------- c:\windows\system32\perfc013.dat
2009-08-03 13:36 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 13:36 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-25 05:23 411,368 a------- c:\windows\system32\deploytk.dll
2009-07-03 19:00 915,456 a------- c:\windows\system32\wininet.dll
2009-06-17 14:20 12,648 a------- c:\windows\system32\drivers\psi_mf.sys
2009-06-16 16:40 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 16:40 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-03 21:11 1,295,360 a------- c:\windows\system32\quartz.dll
2009-06-02 18:11 85,504 a------- c:\windows\system32\ff_vfw.dll
2009-05-29 23:37 205,824 a------- c:\windows\system32\xvidvfw.dll
2009-05-29 23:31 881,664 a------- c:\windows\system32\xvidcore.dll
2009-05-25 00:24 350,208 a------- c:\windows\system32\mssph.dll
2009-05-12 15:12 26,144 a------- c:\windows\system32\spupdsvc.exe
2008-09-16 22:59 47,360 a------- c:\docume~1\eigenaar\applic~1\pcouffin.sys
2007-11-30 00:19 32 a------- c:\docume~1\alluse~1\applic~1\ezsid.dat
2006-06-20 21:53 817 a---h--- c:\documents and settings\eigenaar\hpothb07.dat
2005-05-11 13:32 42,648 a------- c:\docume~1\eigenaar\applic~1\GDIPFONTCACHEV1.DAT
2002-07-26 17:02 153,088 a------- c:\program files\UNWISE.EXE
2009-01-22 12:48 4,184 a--sh--- c:\windows\system32\KGyGaAvL.sys
2008-05-14 15:08 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\geschiedenis\history.ie5\mshist012008051420080515\index.dat

============= FINISH: 22:16:02,56 ===============

And this is the Attach.txt

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-07-30.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 8-6-2004 14:23:47
System Uptime: 8-8-2009 15:26:38 (7 hours ago)

Motherboard: Intel Corporation | | D865GBF
Processor: Intel® Pentium® 4 CPU 2.80GHz | J2E1 | 2793/200mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 149 GiB total, 81,65 GiB free.
D: is CDROM ()
E: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {4D36E96D-E325-11CE-BFC1-08002BE10318}
Description: Intel® 537EP Modem
Device ID: PCI\VEN_8086&DEV_1080&SUBSYS_10008086&REV_04\4&2E98101C&0&28F0
Manufacturer: Intel Corporation
Name: Intel® 537EP Modem
PNP Device ID: PCI\VEN_8086&DEV_1080&SUBSYS_10008086&REV_04\4&2E98101C&0&28F0
Service: Modem

==== System Restore Points ===================

RP37: 8-7-2009 17:25:39 - Controlepunt van systeem
RP38: 8-8-2009 16:08:49 - Software Distribution Service 3.0
RP39: 8-8-2009 16:09:37 - Controlepunt van systeem
RP40: 8-8-2009 16:09:46 - Software Distribution Service 3.0
RP41: 8-8-2009 16:09:51 - Software Distribution Service 3.0
RP42: 28-7-2009 22:38:42 - Controlepunt van systeem
RP43: 8-8-2009 16:10:04 - Software Distribution Service 3.0
RP44: 8-8-2009 16:10:11 - Software Distribution Service 3.0
RP45: 8-8-2009 16:10:16 - Software Distribution Service 3.0
RP46: 29-7-2009 9:54:13 - Geïnstalleerd: Microsoft Fix it 50291
RP47: 30-7-2009 10:24:07 - Controlepunt van systeem
RP48: 8-8-2009 16:10:21 - Software Distribution Service 3.0
RP49: 8-8-2009 16:10:27 - Software Distribution Service 3.0
RP50: 1-8-2009 19:51:56 - Controlepunt van systeem
RP51: 2-8-2009 20:24:07 - Controlepunt van systeem
RP52: 3-8-2009 22:48:38 - Controlepunt van systeem
RP53: 4-8-2009 6:46:28 - Software Distribution Service 3.0
RP54: 4-8-2009 17:19:09 - Installed Microsoft Office Enterprise 2007
RP55: 4-8-2009 17:46:08 - Printerstuurprogramma Send To Microsoft OneNot is geïnstalleerd
RP56: 4-8-2009 18:12:35 - Software Distribution Service 3.0
RP57: 4-8-2009 18:42:25 - Software Distribution Service 3.0
RP58: 4-8-2009 18:52:30 - Software Distribution Service 3.0
RP59: 4-8-2009 19:18:17 - Software Distribution Service 3.0
RP60: 4-8-2009 19:34:22 - Verwijderd: Microsoft Office Outlook Connector
RP61: 4-8-2009 19:35:36 - Geïnstalleerd: Microsoft Office Outlook Connector
RP62: 4-8-2009 20:20:25 - Configured Microsoft Office Enterprise 2007
RP63: 4-8-2009 20:29:41 - Configured Microsoft Office Enterprise 2007
RP64: 4-8-2009 20:54:10 - Configured Microsoft Office Enterprise 2007
RP65: 4-8-2009 21:14:20 - Configured Microsoft Office Enterprise 2007
RP66: 4-8-2009 21:16:16 - Configured Microsoft Office Enterprise 2007
RP67: 4-8-2009 21:25:42 - Software Distribution Service 3.0
RP68: 4-8-2009 21:32:17 - Installed Windows XP KB915800-v4.
RP69: 4-8-2009 21:33:23 - Windows XP Windows Search 4.0 is geïnstalleerd.
RP70: 4-8-2009 21:55:37 - Software Distribution Service 3.0
RP71: 5-8-2009 21:22:48 - Installed Java™ 6 Update 15
RP72: 6-8-2009 8:57:12 - Het register is opgeschoond met Windows Live OneCare scanner
RP73: 6-8-2009 17:25:15 - Configured Microsoft Office Enterprise 2007
RP74: 6-8-2009 17:39:20 - Software Distribution Service 3.0
RP75: 7-8-2009 20:47:03 - Controlepunt van systeem
RP76: 8-8-2009 21:50:24 - Controlepunt van systeem

==== Installed Programs ======================

7-Zip 4.65
Aangifte inkomstenbelasting 2007
Aangifte inkomstenbelasting 2008
Acrobat.com
Adobe Acrobat 9 Pro - Italiano, Español, Nederlands, Português
Adobe Acrobat 9.1.3 - CPSID_49522
Adobe After Effects CS4 Third Party Content
Adobe AIR
Adobe Anchor Service CS4
Adobe Atmosphere Player for Acrobat and Adobe Reader
Adobe Bridge CS4
Adobe CMaps CS4
Adobe Color - Photoshop Specific CS4
Adobe Color EU Recommended Settings CS4
Adobe Color JA Extra Settings CS4
Adobe Color NA Extra Settings CS4
Adobe Color Video Profiles CS CS4
Adobe Creative Suite 4 Master Collection
Adobe CS4 American English Speech Analysis Models
Adobe CSI CS4
Adobe Default Language CS4
Adobe Device Central CS4
Adobe Dynamiclink Support
Adobe Encore CS4
Adobe Encore CS4 Codecs
Adobe Encore CS4 Library
Adobe ExtendScript Toolkit CS4
Adobe Extension Manager CS4
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Fonts All
Adobe Image Viewer Plugin 4.0
Adobe Linguistics CS4
Adobe Media Encoder CS4
Adobe Media Encoder CS4 Additional Exporter
Adobe Media Encoder CS4 Dolby
Adobe Media Encoder CS4 Exporter
Adobe Media Encoder CS4 Importer
Adobe Output Module
Adobe PDF Library Files CS4
Adobe Photoshop Album 2.0
Adobe Photoshop CS4
Adobe Photoshop CS4 Support
Adobe Premiere Pro CS4
Adobe Premiere Pro CS4 Functional Content
Adobe Premiere Pro CS4 Third Party Content
Adobe Search for Help
Adobe Service Manager Extension
Adobe Setup
Adobe Soundbooth CS4 Codecs
Adobe Type Support CS4
Adobe Update Manager CS4
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS4
AdobeColorCommonSetCMYK
AdobeColorCommonSetRGB
Beveiligingsupdate for Windows Media Player 10 (KB917734)
Beveiligingsupdate for Windows XP (KB941569)
Beveiligingsupdate voor Windows Internet Explorer 7 (KB928090)
Beveiligingsupdate voor Windows Internet Explorer 7 (KB929969)
Beveiligingsupdate voor Windows Internet Explorer 7 (KB931768)
Beveiligingsupdate voor Windows Internet Explorer 7 (KB933566)
Beveiligingsupdate voor Windows Internet Explorer 7 (KB937143)
Beveiligingsupdate voor Windows Internet Explorer 7 (KB938127)
Beveiligingsupdate voor Windows Internet Explorer 7 (KB939653)
Beveiligingsupdate voor Windows Internet Explorer 7 (KB942615)
Beveiligingsupdate voor Windows Internet Explorer 7 (KB944533)
Beveiligingsupdate voor Windows Internet Explorer 7 (KB950759)
Beveiligingsupdate voor Windows Internet Explorer 7 (KB953838)
Beveiligingsupdate voor Windows Internet Explorer 7 (KB956390)
Beveiligingsupdate voor Windows Internet Explorer 7 (KB958215)
Beveiligingsupdate voor Windows Internet Explorer 7 (KB960714)
Beveiligingsupdate voor Windows Internet Explorer 7 (KB961260)
Beveiligingsupdate voor Windows Internet Explorer 7 (KB963027)
Beveiligingsupdate voor Windows Internet Explorer 8 (KB969897)
Beveiligingsupdate voor Windows Internet Explorer 8 (KB972260)
Beveiligingsupdate voor Windows Media Player (KB952069)
Beveiligingsupdate voor Windows Media Player 11 (KB936782)
Beveiligingsupdate voor Windows Media Player 11 (KB954154)
Beveiligingsupdate voor Windows Media Player 6.4 (KB925398)
Beveiligingsupdate voor Windows XP (KB923561)
Beveiligingsupdate voor Windows XP (KB938464)
Beveiligingsupdate voor Windows XP (KB950760)
Beveiligingsupdate voor Windows XP (KB950762)
Beveiligingsupdate voor Windows XP (KB950974)
Beveiligingsupdate voor Windows XP (KB951066)
Beveiligingsupdate voor Windows XP (KB951376-v2)
Beveiligingsupdate voor Windows XP (KB951376)
Beveiligingsupdate voor Windows XP (KB951698)
Beveiligingsupdate voor Windows XP (KB951748)
Beveiligingsupdate voor Windows XP (KB952004)
Beveiligingsupdate voor Windows XP (KB952954)
Beveiligingsupdate voor Windows XP (KB953839)
Beveiligingsupdate voor Windows XP (KB954211)
Beveiligingsupdate voor Windows XP (KB954459)
Beveiligingsupdate voor Windows XP (KB954600)
Beveiligingsupdate voor Windows XP (KB955069)
Beveiligingsupdate voor Windows XP (KB956391)
Beveiligingsupdate voor Windows XP (KB956572)
Beveiligingsupdate voor Windows XP (KB956802)
Beveiligingsupdate voor Windows XP (KB956803)
Beveiligingsupdate voor Windows XP (KB956841)
Beveiligingsupdate voor Windows XP (KB957095)
Beveiligingsupdate voor Windows XP (KB957097)
Beveiligingsupdate voor Windows XP (KB958644)
Beveiligingsupdate voor Windows XP (KB958687)
Beveiligingsupdate voor Windows XP (KB958690)
Beveiligingsupdate voor Windows XP (KB959426)
Beveiligingsupdate voor Windows XP (KB960225)
Beveiligingsupdate voor Windows XP (KB960715)
Beveiligingsupdate voor Windows XP (KB960803)
Beveiligingsupdate voor Windows XP (KB961371)
Beveiligingsupdate voor Windows XP (KB961373)
Beveiligingsupdate voor Windows XP (KB961501)
Beveiligingsupdate voor Windows XP (KB968537)
Beveiligingsupdate voor Windows XP (KB969898)
Beveiligingsupdate voor Windows XP (KB970238)
Beveiligingsupdate voor Windows XP (KB971633)
Beveiligingsupdate voor Windows XP (KB973346)
CCleaner (remove only)
Choice Guard
Citrix Presentation Server Client
CmdHere Powertoy For Windows XP
Compatibiliteitspakket voor het 2007 Microsoft Office system
Confidence Online™ for Web Applications
Connect
ConvertXtoDVD 3.1.3.38d
DVD Shrink 3.2
DVDInfoPro
EasyCleaner
eMule Plus 1.2e
Error Messages for Windows
Essentiële update voor Windows Media Player 11 (KB959772)
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.0 (KB932471)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB954550-v5)
Hotfix voor Windows Internet Explorer 7 (KB947864)
Hotfix voor Windows Media Player 11 (KB939683)
Hotfix voor Windows XP (KB952287)
Hotfix voor Windows XP (KB961118)
InCD
Intel® 537EP Modem
Intel® Extreme Graphics 2 Driver
Java™ 6 Update 15
K-Lite Mega Codec Pack 5.0.0
KC Softwares VideoInspector
kuler
Logitech iTouch-software
Logitech QuickCam
Logitech® Camera-stuurprogramma
Malwarebytes' Anti-Malware
Malwarebytes' RogueRemover
McAfee AntiSpyware Enterprise Module
McAfee Desktop Firewall 8.5
McAfee VirusScan Enterprise
Media Library Management Wizard
Michelin Road Atlas Europe
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Dutch Language Pack
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 2.0 Service Pack 2 Language Pack - NLD
Microsoft .NET Framework 3.0 Dutch Language Pack
Microsoft .NET Framework 3.0 Nederlands taalpakket
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2 Language Pack - NLD
Microsoft .NET Framework 3.5 Language Pack SP1 - nld
Microsoft .NET Framework 3.5 SP1
Microsoft Baseline Security Analyzer 2.1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Data Access Components KB870669
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 SR-1 Premium
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (Dutch) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (Dutch) 2007
Microsoft Office Groove MUI (Dutch) 2007
Microsoft Office InfoPath MUI (Dutch) 2007
Microsoft Office Live Add-in 1.4
Microsoft Office OneNote MUI (Dutch) 2007
Microsoft Office Outlook Connector
Microsoft Office Outlook MUI (Dutch) 2007
Microsoft Office PowerPoint MUI (Dutch) 2007
Microsoft Office Proof (Dutch) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (German) 2007
Microsoft Office Proofing (Dutch) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (Dutch) 2007
Microsoft Office Shared MUI (Dutch) 2007
Microsoft Office Word MUI (Dutch) 2007
Microsoft Rekenmachine Plus
Microsoft Silverlight
Microsoft Software Update for Web Folders (Dutch) 12
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Windows Journal Viewer
Microsoft Windows XP Video Decoder Checkup Utility
Microsoft Works 2000
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 6.0 Parser (KB933579)
Natural Color
Nero 6 Ultra Edition
Nero BurnRights
Nero Digital
Nero Media Player
NeroVision Express Content
OpticFilm 7200
PDF Settings CS4
PerfectDisk
Personal License Update Wizard for Windows Media Player
Photoshop Camera Raw
Pinnacle Instant DVD Recorder
Plus! MP3 Audio Converter LE
PowerDVD
Presto! ImageFolio 4
Presto! PageManager 7.10
Revo Uninstaller 1.83
SAGEM F@st 800-840
Secunia PSI
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB969679)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft Office Excel 2007 (KB969682)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office Publisher 2007 (KB969693)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office Word 2007 (KB969604)
Security Update for Windows Search 4 - KB963093
SilverFast UScan-SE 6.5.0r6
Skype™ 4.0
SmartSound Quicktracks Plugin
SoundMAX
Spelling Dictionaries Support For Adobe Reader 9
Suite Shared Configuration CS4
Taalpakket voor Microsoft .NET Framework 3.5 SP1 - NL
Terugwaartse compatibiliteit van Windows Rights Management Client SP2
Tweak UI
U3Launcher
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office Outlook 2007 (KB969907)
Update for Outlook 2007 Junk Email Filter (kb971933)
Update voor Microsoft Office Excel 2007 Help (KB963678)
Update voor Microsoft Office Powerpoint 2007 Help (KB963669)
Update voor Microsoft Office Word 2007 Help (KB963665)
Update voor Windows Internet Explorer 8 (KB969497)
Update voor Windows Internet Explorer 8 (KB971180)
Update voor Windows Internet Explorer 8 (KB971930)
Update voor Windows Internet Explorer 8 (KB972636)
Update voor Windows XP (KB951072-v2)
Update voor Windows XP (KB951618-v2)
Update voor Windows XP (KB951978)
Update voor Windows XP (KB955839)
Update voor Windows XP (KB967715)
User Profile Hive Cleanup Service
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
VLC media player 0.9.8a
WD Diagnostics
WebFldrs XP
Windows Defender
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage v1.3.0254.0
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Installer Clean Up
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Live - Hulpprogramma voor uploaden
Windows Live ID Sign-in Assistant
Windows Live OneCare safety scanner
Windows Media Bonus Pack for Windows XP
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 9 Series TweakMP PowerToy
Windows Media Player Playlist Import to Excel Wizard
Windows Media Player Skin Importer
Windows Media Player Tray Control
Windows Presentation Foundation
Windows Presentation Foundation Language Pack (NLD)
Windows Rights Management Client met Service Pack 2
Windows Search 4.0
Windows XP Service Pack 3
WinRAR archiver
XML Paper Specification Shared Components Language Pack 1.0
XML Paper Specification Shared Components Pack 1.0

==== End Of File ===========================




#5
AdvancedSetup

    Forum Deity

  • Administrators
  • PipPipPipPipPipPip
  • 22,575 posts
  • Gender:Male
  • Location:US
Yes you're still infected with something. Please disable your Anti-Virus and run the following.

Please visit this webpage for instructions for downloading ComboFix to your DESKTOP : how-to-use-combofix
Please ensure you read this guide carefully and install the Recovery Console first.
NOTE!!: You must save and run ComboFix.exe on your DESKTOP and not from any other folder.
Also, DO NOT click the mouse or launch any other applications while this is running or it may stall the program.

Additional links to download the tool:
ComboFix.exe
ComboFix.exe
ComboFix.exe

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.
  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.
Ron Lewis
Manager, Online Support


Follow us: Twitter, Become a fan: Facebook

If you've posted to the HJT forum and it has been over 5 days without a response please send a Private Message asking for assistance.

#6
Ruud

    New Member

  • Members
  • Pip
  • 11 posts
  • Gender:Male
  • Location:Holland
Thanks for helping. Here is the Combofix.log
ComboFix 09-08-07.09 - Eigenaar 08-08-2009 23:48.25.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.31.1043.18.2031.1524 [GMT 2:00]
Gestart vanuit: c:\documents and settings\Eigenaar\Bureaublad\ComboFix.exe
AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
.

(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Installer\14fd51.msi
c:\windows\Installer\1a595c.msi
c:\windows\Installer\2f16df.msi
c:\windows\Installer\7568a.msp
c:\windows\Installer\8a2b89.msi
c:\windows\Installer\bc089c.msi
c:\windows\Installer\bc08a1.msi
c:\windows\Installer\bc08a6.msi
c:\windows\Installer\bc08ab.msi
c:\windows\Installer\bc08b0.msi
c:\windows\Installer\bc08b5.msi
c:\windows\Installer\bc08ba.msi
c:\windows\Installer\bc08bf.msi
c:\windows\Installer\bc08c4.msi
c:\windows\Installer\bc08c9.msi
c:\windows\Installer\bc08ce.msi
c:\windows\Installer\bc08d3.msi
c:\windows\Installer\bc08d8.msi
c:\windows\Installer\bc08dd.msi
c:\windows\Installer\bc08e3.msi
c:\windows\Installer\bc08e8.msi
c:\windows\Installer\bc08fb.msi
c:\windows\Installer\bc0900.msi
c:\windows\Installer\d77f3.msi
c:\windows\Installer\dbc8e8.msi
c:\windows\Installer\fafaf.msi
c:\windows\Installer\WinRMSrv.msi

.
(((((((((((((((((((( Bestanden Gemaakt van 2009-07-08 to 2009-08-08 ))))))))))))))))))))))))))))))
.

2009-08-08 21:19 . 2009-08-08 21:19 -------- d--h--r- c:\documents and settings\Eigenaar\Onlangs geopend
2009-08-06 22:54 . 2008-09-16 19:23 168448 ----a-w- c:\windows\system32\unrar.dll
2009-08-06 22:54 . 2009-05-29 21:37 205824 ----a-w- c:\windows\system32\xvidvfw.dll
2009-08-06 22:54 . 2009-05-29 21:31 881664 ----a-w- c:\windows\system32\xvidcore.dll
2009-08-06 22:54 . 2004-01-25 16:18 217088 ----a-w- c:\windows\system32\yv12vfw.dll
2009-08-06 22:54 . 2009-05-01 21:02 90112 ----a-w- c:\windows\system32\dpl100.dll
2009-08-06 22:54 . 2008-11-06 16:37 3596288 ----a-w- c:\windows\system32\qt-dx331.dll
2009-08-06 22:54 . 2009-05-01 21:02 685056 ----a-w- c:\windows\system32\divx.dll
2009-08-06 22:54 . 2009-06-02 16:11 85504 ----a-w- c:\windows\system32\ff_vfw.dll
2009-08-06 22:54 . 2009-01-07 18:14 60273 ----a-w- c:\windows\system32\pthreadGC2.dll
2009-08-06 22:50 . 2009-08-06 22:50 -------- d-----w- c:\documents and settings\Eigenaar\Application Data\Media Player Classic
2009-08-05 19:21 . 2009-08-05 19:21 152576 ----a-w- c:\documents and settings\Eigenaar\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-08-04 19:59 . 2009-08-04 20:44 -------- d-----w- C:\_AcroTemp
2009-08-04 19:39 . 2009-08-04 19:39 -------- d-----w- c:\documents and settings\Eigenaar\Application Data\Windows Desktop Search
2009-08-04 19:31 . 2008-03-07 17:02 29696 -c----w- c:\windows\system32\dllcache\mimefilt.dll
2009-08-04 19:31 . 2008-03-07 17:02 98304 -c----w- c:\windows\system32\dllcache\nlhtml.dll
2009-08-04 19:31 . 2008-03-07 17:02 192000 -c----w- c:\windows\system32\dllcache\offfilt.dll
2009-08-04 17:35 . 2009-08-04 17:35 -------- d-----w- c:\program files\Microsoft Office Outlook Connector
2009-08-04 17:21 . 2009-08-04 17:21 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-08-04 16:53 . 2009-08-04 17:21 -------- d-----w- c:\program files\Microsoft
2009-08-04 15:33 . 2009-08-04 15:33 -------- d-----w- c:\program files\Microsoft.NET
2009-08-04 15:19 . 2009-08-04 15:19 -------- d--h--r- C:\MSOCache
2009-07-31 13:29 . 2009-07-31 13:29 1962544 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player_ax.exe
2009-07-31 13:25 . 2009-07-31 13:59 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-07-31 13:25 . 2009-07-31 13:59 -------- d-----w- c:\program files\NOS
2009-07-31 13:23 . 2009-07-31 13:23 38208 ----a-w- c:\documents and settings\Eigenaar\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-07-31 13:23 . 2009-07-31 13:23 38208 ----a-w- c:\documents and settings\Default User\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe

.
((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-07 18:07 . 2004-06-13 09:32 79248 ----a-w- c:\documents and settings\Eigenaar\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-07 14:54 . 2008-05-27 15:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-08-06 22:25 . 2005-09-09 14:12 -------- d-----w- c:\program files\K-Lite Codec Pack
2009-08-06 15:43 . 2007-01-06 18:26 -------- d-----w- c:\documents and settings\Eigenaar\Application Data\OfficeUpdate12
2009-08-05 19:47 . 2006-03-04 19:06 -------- d-----w- c:\program files\Windows Live Safety Center
2009-08-05 19:23 . 2009-03-26 18:33 -------- d-----w- c:\program files\Java
2009-08-04 20:07 . 2008-05-27 17:02 -------- d-----w- c:\program files\Windows Desktop Search
2009-08-04 19:34 . 2003-04-08 12:00 536884 ----a-w- c:\windows\system32\perfh013.dat
2009-08-04 19:34 . 2003-04-08 12:00 101106 ----a-w- c:\windows\system32\perfc013.dat
2009-08-04 18:57 . 2007-03-28 19:03 -------- d-----w- c:\program files\MSBuild
2009-08-04 16:22 . 2005-05-07 17:14 -------- d-----w- c:\program files\Microsoft Works
2009-08-03 19:30 . 2008-12-27 14:19 3942048 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-08-03 11:36 . 2008-12-27 14:18 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 11:36 . 2008-12-27 14:18 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-02 20:40 . 2004-08-21 17:23 -------- d-----w- c:\program files\Common Files\Elecard
2009-08-01 13:45 . 2008-03-04 11:05 -------- d-----w- c:\documents and settings\Eigenaar\Application Data\Vso
2009-07-31 13:58 . 2008-01-27 08:13 -------- d-----w- c:\program files\Microsoft Silverlight
2009-07-31 13:23 . 2009-02-20 18:24 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-07-25 03:23 . 2008-12-03 17:51 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-20 10:29 . 2008-02-28 21:20 264704 ------w- c:\documents and settings\Eigenaar\Application Data\OfficeUpdate12\oudetect.dll
2009-07-10 12:58 . 2008-12-10 14:47 -------- d-----w- c:\documents and settings\Eigenaar\Application Data\Lasersoft Imaging
2009-07-07 15:37 . 2009-07-07 15:37 -------- d-----w- c:\documents and settings\Eigenaar\Application Data\Uniblue
2009-07-06 20:52 . 2007-10-09 20:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-07-06 19:16 . 2009-05-20 18:37 -------- d-----w- c:\program files\Lavasoft
2009-07-06 17:04 . 2008-10-02 18:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-07-06 15:24 . 2008-09-14 15:14 -------- d-----w- c:\program files\McAfee
2009-07-06 15:24 . 2008-09-29 20:58 -------- d-----w- c:\program files\Common Files\McAfee
2009-07-06 15:24 . 2008-09-14 15:15 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-07-06 14:44 . 2008-09-15 16:55 -------- d-----w- c:\documents and settings\All Users\Application Data\SiteAdvisor
2009-07-03 17:00 . 2004-02-06 16:09 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-27 19:54 . 2009-06-13 17:22 -------- d-----w- c:\documents and settings\All Users\Application Data\PCPitstop
2009-06-24 18:04 . 2004-06-08 12:37 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-21 12:32 . 2004-10-04 18:36 -------- d-----w- c:\documents and settings\Eigenaar\Application Data\Skype
2009-06-17 12:20 . 2009-06-17 12:20 12648 ----a-w- c:\windows\system32\drivers\psi_mf.sys
2009-06-16 14:40 . 2003-04-08 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:40 . 2003-04-08 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-03 19:11 . 2004-08-21 16:00 1295360 ----a-w- c:\windows\system32\quartz.dll
2009-05-24 22:24 . 2008-05-26 20:18 350208 ----a-w- c:\windows\system32\mssph.dll
2009-05-12 13:12 . 2004-10-09 18:50 26144 ----a-w- c:\windows\system32\spupdsvc.exe
2002-07-26 15:02 . 2008-10-12 18:52 153088 ----a-w- c:\program files\UNWISE.EXE
2009-01-22 10:48 . 2009-01-22 10:48 4184 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LogitechGalleryRepair"="c:\program files\Logitech\Video\ISStart.exe" [2004-02-25 454656]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 136768]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2006-11-30 112216]
"McAfeeFireTray"="c:\progra~1\McAfee\MCAFEE~1\Firetray.exe" [2006-07-20 655427]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-11-13 611712]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2009-02-27 38768]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2009-02-27 640376]

c:\documents and settings\Eigenaar\Menu Start\Programma's\Opstarten\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

c:\documents and settings\All Users\Menu Start\Programma's\Opstarten\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]
Microsoft Works Agenda-herinneringen.lnk - c:\program files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [1999-8-6 53317]
QuickScan (OpticFilm 7200).lnk - c:\program files\Plustek\OpticFilm 7200\QuickScan.exe [2008-12-10 290816]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableStatusMessages"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^WinZip Quick Pick.lnk]
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Eigenaar^Menu Start^Programma's^Opstarten^Microsoft Office Werkbalk.lnk]
backup=c:\windows\pss\Microsoft Office Werkbalk.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eigenaar^Menu Start^Programma's^Opstarten^NaturalColorLoad.lnk]
backup=c:\windows\pss\NaturalColorLoad.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"vsmon"=2 (0x2)
"NProtectService"=2 (0x2)
"CAISafe"=2 (0x2)
"SoundMAX Agent Service (default)"=2 (0x2)
"gusvc"=3 (0x3)
"InCDsrv"=2 (0x2)
"Automatic LiveUpdate Scheduler"=2 (0x2)
"LJRV"=3 (0x3)
"FXKQYLEM"=3 (0x3)
"0008701238501265mcinstcleanup"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"zBrowser Launcher"=c:\program files\Logitech\iTouch\iTouch.exe
"DU Meter"=c:\data\Programmas\Tools\DU Meter 3.0.7+keygen\DU Meter\DUMeter.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\DATA\\Programmas\\eMule\\eMule.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\DATA\\Programmas\\Phone\\Skype.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [3-11-2006 19:19 13592]
R2 wlidsvc;Windows Live ID Sign-in Assistant;c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE [30-3-2009 16:28 1533808]
S3 PDSched;PDScheduler;c:\program files\Raxco\PerfectDisk\PDSched.exe [29-11-2005 12:16 241731]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [17-6-2009 14:20 12648]
S4 adiusbae;USB ADSL LAN Adapter;c:\windows\system32\DRIVERS\adiusbae.sys --> c:\windows\system32\DRIVERS\adiusbae.sys [?]
S4 cpuz130;cpuz130;\??\c:\docume~1\Eigenaar\LOCALS~1\Temp\cpuz130\cpuz_x32.sys --> c:\docume~1\Eigenaar\LOCALS~1\Temp\cpuz130\cpuz_x32.sys [?]
S4 esihdrv;esihdrv;\??\c:\docume~1\Eigenaar\LOCALS~1\Temp\esihdrv.sys --> c:\docume~1\Eigenaar\LOCALS~1\Temp\esihdrv.sys [?]
S4 FXKQYLEM;FXKQYLEM;c:\docume~1\Eigenaar\LOCALS~1\Temp\FXKQYLEM.exe --> c:\docume~1\Eigenaar\LOCALS~1\Temp\FXKQYLEM.exe [?]
S4 HZFKBMV;HZFKBMV;c:\docume~1\Eigenaar\LOCALS~1\Temp\HZFKBMV.exe --> c:\docume~1\Eigenaar\LOCALS~1\Temp\HZFKBMV.exe [?]
S4 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S4 LJRV;LJRV;c:\docume~1\Eigenaar\LOCALS~1\Temp\LJRV.exe --> c:\docume~1\Eigenaar\LOCALS~1\Temp\LJRV.exe [?]
S4 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\6.tmp --> c:\windows\system32\6.tmp [?]
S4 SAVOnAccessControl;SAVOnAccessControl;c:\windows\system32\DRIVERS\savonaccesscontrol.sys --> c:\windows\system32\DRIVERS\savonaccesscontrol.sys [?]
S4 SAVOnAccessFilter;SAVOnAccessFilter;c:\windows\system32\DRIVERS\savonaccessfilter.sys --> c:\windows\system32\DRIVERS\savonaccessfilter.sys [?]
S4 ZNK;ZNK;c:\docume~1\Eigenaar\LOCALS~1\Temp\ZNK.exe --> c:\docume~1\Eigenaar\LOCALS~1\Temp\ZNK.exe [?]

--- Andere Services/Drivers In Geheugen ---

*Deregistered* - uphcleanhlp

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Inhoud van de 'Gedeelde Taken' map

2008-09-19 c:\windows\Tasks\Hotmail.job
- c:\progra~1\INTERN~1\iexplore.exe [2004-06-08 12:09]

2009-08-08 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 17:20]

2009-08-08 c:\windows\Tasks\Update McAfee.job
- c:\program files\McAfee\VirusScan Enterprise\mcupdate.exe [2006-11-30 06:50]

2009-05-20 c:\windows\Tasks\User_Feed_Synchronization-{DD39BDB4-132C-4682-8166-8AB6CB2956B9}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 02:31]

2009-07-31 c:\windows\Tasks\Windows Defender.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 17:20]

2008-09-30 c:\windows\Tasks\Windows Defrag.job
- c:\documents and settings\Eigenaar\Mijn documenten\defrag.bat [2008-09-29 19:25]
.
.
------- Bijkomende Scan -------
.
IE: Converteren naar Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: Doel van koppeling converteren naar Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Doel van koppeling toevoegen aan bestaande PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Toevoegen aan bestaande PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
Trusted Zone: airfrance.com\w3
Trusted Zone: belastingdienst.nl\mijn
Trusted Zone: cocensus.nl\webmail
Trusted Zone: duesseldorf.de\www
Trusted Zone: ing.nl\mijn
Trusted Zone: klm.com\secure
Trusted Zone: live.com\login
Trusted Zone: live.com\onecare
Trusted Zone: microsoft.com\download.windowsupdate
Trusted Zone: microsoft.com\office
Trusted Zone: microsoft.com\update
Trusted Zone: microsoft.com\www.update
Trusted Zone: nuon.nl\www
Trusted Zone: postbank.nl\mijn
Trusted Zone: postbank.nl\rentepunten
Trusted Zone: trendmicro.com\housecall65
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-08 23:58
Windows 5.1.2600 Service Pack 3 NTFS

scannen van verborgen processen ...

scannen van verborgen autostart items ...

scannen van verborgen bestanden ...

Scan succesvol afgerond
verborgen bestanden: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\6.tmp"
.
--------------------- VERGRENDELDE REGISTER SLEUTELS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
"Version"=hex:04,8d,55,e6,54,b8,6d,22,bb,a6,1a,3d,09,4a,51,60,84,fd,5b,41,01,
8c,25,05,59,bd,9e,3f,68,70,81,06,0d,da,8e,0d,50,9b,b8,1c,f9,67,32,85,48,ea,\
.
Voltooingstijd: 2009-08-08 0:03
ComboFix-quarantined-files.txt 2009-08-08 22:03

Pre-Run: 87.619.952.640 bytes beschikbaar
Post-Run: 87.538.450.432 bytes beschikbaar

274 --- E O F --- 2009-08-06 15:39

And here is the HJT.log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 0:16:20, on 9-8-2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Plustek\OpticFilm 7200\QuickScan.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\PROGRA~1\McAfee\MCAFEE~1\FireSvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MCAFEE~1\FireTray.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\DATA\Programmas\VeiligEnAnderen\6.HyackThisVersie2.02\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://nl.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: Aanmeldhulp voor Windows Live ID - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O4 - HKLM\..\Run: [LogitechGalleryRepair] "C:\Program Files\Logitech\Video\ISStart.exe"
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeFireTray] "C:\PROGRA~1\McAfee\MCAFEE~1\Firetray.exe"
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Agenda-herinneringen.lnk = ?
O4 - Global Startup: QuickScan (OpticFilm 7200).lnk = C:\Program Files\Plustek\OpticFilm 7200\QuickScan.exe
O8 - Extra context menu item: Converteren naar Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Doel van koppeling converteren naar Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Doel van koppeling toevoegen aan bestaande PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Toevoegen aan bestaande PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O15 - Trusted Zone: http://www.duesseldorf.de
O15 - Trusted Zone: http://onecare.live.com
O15 - Trusted Zone: http://housecall65.trendmicro.com
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase1140.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1249415505734
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1249413699843
O23 - Service: McAfee Desktop Firewall Service (FireSvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MCAFEE~1\FireSvc.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe

--
End of file - 7047 bytes


#7
AdvancedSetup

    Forum Deity

  • Administrators
  • PipPipPipPipPipPip
  • 22,575 posts
  • Gender:Male
  • Location:US
The logs show that you have McAfee AV and Sophos AV running; you need to choose one and FULLY remove the other one.


STEP 01
Download but do not yet run ComboFix
If you have a previous version of Combofix.exe, delete it and download a fresh copy.
Download it to your DESKTOP - it MUST run from the Desktop
download.bleepingcomputer.com/sUBs/ComboFix.exe
subs.geekstogo.com/ComboFix.exe

Using your mouse, Highlight and then Right-click | Copy the entire contents of the Code box below, including blank lines
KILLALL::
Driver::
FXKQYLEM
HZFKBMV
MEMSWEEP2
LJRV
ZNK
File::
c:\docume~1\Eigenaar\LOCALS~1\Temp\FXKQYLEM.exe
c:\docume~1\Eigenaar\LOCALS~1\Temp\HZFKBMV.exe
c:\docume~1\Eigenaar\LOCALS~1\Temp\LJRV.exe
c:\windows\system32\6.tmp
c:\docume~1\Eigenaar\LOCALS~1\Temp\ZNK.exe
RegLock::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
[HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]

Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" .

Using your mouse, drag the new file CFscript.txt and drop it on the Combo-Fix.exe icon as shown:
Posted Image
  • Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
  • Disconnect from the Internet.
  • Disable your Antivirus software. If it has Script Blocking features, please disable these as well.
  • A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix.
  • It may identify that Recovery Console is not installed. Please accept when asked if you wish it to be installed.
    When the scan completes, Notepad will open with your results log open. Do a File, Exit.
A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Post back the Combofix log on your next reply.

STEP 02
Update and Scan with Malwarebytes' Anti-Malware
  • Start MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)
  • Please DO NOT run MBAM in Safe Mode unless requested to; you MUST run it in normal Windows mode.
    • Update Malwarebytes' Anti-Malware
    • Select the Update tab
    • Click Update
  • When the update is complete, select the Scanner tab
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
Then post back the MBAM log and a new Hijackthis log.
Ron Lewis
Manager, Online Support

Posted Image

Follow us: Twitter, Become a fan: Facebook

If you've posted to the HJT forum and it has been over 5 days without a response please send a Private Message asking for assistance.

#8
Ruud

    New Member

  • Members
  • Pip
  • 11 posts
  • Gender:Male
  • Location:Holland
Thanks again for the help.
I only have McAfee and I don't use Sophos. In Add/Remove Programs or with Revo Uninstaller, I cannot see Sophos. How can I remove it anyway?
Here is the log of Combofix:
ComboFix 09-08-08.04 - Eigenaar 09-08-2009 9:25.29.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.31.1043.18.2031.1493 [GMT 2:00]
Gestart vanuit: c:\documents and settings\Eigenaar\Bureaublad\ComboFix.exe
gebruikte Opdracht switches :: c:\documents and settings\Eigenaar\Bureaublad\CFscript.txt
AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

FILE ::
"c:\docume~1\Eigenaar\LOCALS~1\Temp\FXKQYLEM.exe"
"c:\docume~1\Eigenaar\LOCALS~1\Temp\HZFKBMV.exe"
"c:\docume~1\Eigenaar\LOCALS~1\Temp\LJRV.exe"
"c:\docume~1\Eigenaar\LOCALS~1\Temp\ZNK.exe"
"c:\windows\system32\6.tmp"
.

(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_FXKQYLEM
-------\Legacy_HZFKBMV
-------\Legacy_LJRV
-------\Legacy_MEMSWEEP2
-------\Legacy_ZNK
-------\Service_FXKQYLEM
-------\Service_HZFKBMV
-------\Service_LJRV
-------\Service_MEMSWEEP2
-------\Service_ZNK


(((((((((((((((((((( Bestanden Gemaakt van 2009-07-09 to 2009-08-09 ))))))))))))))))))))))))))))))
.

2009-08-08 21:19 . 2009-08-08 21:19 -------- d--h--r- c:\documents and settings\Eigenaar\Onlangs geopend
2009-08-06 22:54 . 2008-09-16 19:23 168448 ----a-w- c:\windows\system32\unrar.dll
2009-08-06 22:54 . 2009-05-29 21:37 205824 ----a-w- c:\windows\system32\xvidvfw.dll
2009-08-06 22:54 . 2009-05-29 21:31 881664 ----a-w- c:\windows\system32\xvidcore.dll
2009-08-06 22:54 . 2004-01-25 16:18 217088 ----a-w- c:\windows\system32\yv12vfw.dll
2009-08-06 22:54 . 2009-05-01 21:02 90112 ----a-w- c:\windows\system32\dpl100.dll
2009-08-06 22:54 . 2008-11-06 16:37 3596288 ----a-w- c:\windows\system32\qt-dx331.dll
2009-08-06 22:54 . 2009-05-01 21:02 685056 ----a-w- c:\windows\system32\divx.dll
2009-08-06 22:54 . 2009-06-02 16:11 85504 ----a-w- c:\windows\system32\ff_vfw.dll
2009-08-06 22:54 . 2009-01-07 18:14 60273 ----a-w- c:\windows\system32\pthreadGC2.dll
2009-08-06 22:50 . 2009-08-06 22:50 -------- d-----w- c:\documents and settings\Eigenaar\Application Data\Media Player Classic
2009-08-05 19:21 . 2009-08-05 19:21 152576 ----a-w- c:\documents and settings\Eigenaar\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-08-04 19:59 . 2009-08-04 20:44 -------- d-----w- C:\_AcroTemp
2009-08-04 19:39 . 2009-08-04 19:39 -------- d-----w- c:\documents and settings\Eigenaar\Application Data\Windows Desktop Search
2009-08-04 19:31 . 2008-03-07 17:02 29696 -c----w- c:\windows\system32\dllcache\mimefilt.dll
2009-08-04 19:31 . 2008-03-07 17:02 98304 -c----w- c:\windows\system32\dllcache\nlhtml.dll
2009-08-04 19:31 . 2008-03-07 17:02 192000 -c----w- c:\windows\system32\dllcache\offfilt.dll
2009-08-04 17:35 . 2009-08-04 17:35 -------- d-----w- c:\program files\Microsoft Office Outlook Connector
2009-08-04 17:21 . 2009-08-04 17:21 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-08-04 16:53 . 2009-08-04 17:21 -------- d-----w- c:\program files\Microsoft
2009-08-04 15:33 . 2009-08-04 15:33 -------- d-----w- c:\program files\Microsoft.NET
2009-08-04 15:19 . 2009-08-04 15:19 -------- d--h--r- C:\MSOCache
2009-07-31 13:29 . 2009-07-31 13:29 1962544 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player_ax.exe
2009-07-31 13:25 . 2009-07-31 13:59 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-07-31 13:25 . 2009-07-31 13:59 -------- d-----w- c:\program files\NOS
2009-07-31 13:23 . 2009-07-31 13:23 38208 ----a-w- c:\documents and settings\Eigenaar\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-07-31 13:23 . 2009-07-31 13:23 38208 ----a-w- c:\documents and settings\Default User\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe

.
((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-07 18:07 . 2004-06-13 09:32 79248 ----a-w- c:\documents and settings\Eigenaar\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-07 14:54 . 2008-05-27 15:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-08-06 22:25 . 2005-09-09 14:12 -------- d-----w- c:\program files\K-Lite Codec Pack
2009-08-06 15:43 . 2007-01-06 18:26 -------- d-----w- c:\documents and settings\Eigenaar\Application Data\OfficeUpdate12
2009-08-05 19:47 . 2006-03-04 19:06 -------- d-----w- c:\program files\Windows Live Safety Center
2009-08-05 19:23 . 2009-03-26 18:33 -------- d-----w- c:\program files\Java
2009-08-04 20:07 . 2008-05-27 17:02 -------- d-----w- c:\program files\Windows Desktop Search
2009-08-04 19:34 . 2003-04-08 12:00 536884 ----a-w- c:\windows\system32\perfh013.dat
2009-08-04 19:34 . 2003-04-08 12:00 101106 ----a-w- c:\windows\system32\perfc013.dat
2009-08-04 18:57 . 2007-03-28 19:03 -------- d-----w- c:\program files\MSBuild
2009-08-04 16:22 . 2005-05-07 17:14 -------- d-----w- c:\program files\Microsoft Works
2009-08-03 19:30 . 2008-12-27 14:19 3942048 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-08-03 11:36 . 2008-12-27 14:18 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 11:36 . 2008-12-27 14:18 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-02 20:40 . 2004-08-21 17:23 -------- d-----w- c:\program files\Common Files\Elecard
2009-08-01 13:45 . 2008-03-04 11:05 -------- d-----w- c:\documents and settings\Eigenaar\Application Data\Vso
2009-07-31 13:58 . 2008-01-27 08:13 -------- d-----w- c:\program files\Microsoft Silverlight
2009-07-31 13:23 . 2009-02-20 18:24 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-07-25 03:23 . 2008-12-03 17:51 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-20 10:29 . 2008-02-28 21:20 264704 ------w- c:\documents and settings\Eigenaar\Application Data\OfficeUpdate12\oudetect.dll
2009-07-10 12:58 . 2008-12-10 14:47 -------- d-----w- c:\documents and settings\Eigenaar\Application Data\Lasersoft Imaging
2009-07-07 15:37 . 2009-07-07 15:37 -------- d-----w- c:\documents and settings\Eigenaar\Application Data\Uniblue
2009-07-06 20:52 . 2007-10-09 20:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-07-06 19:16 . 2009-05-20 18:37 -------- d-----w- c:\program files\Lavasoft
2009-07-06 17:04 . 2008-10-02 18:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-07-06 15:24 . 2008-09-14 15:14 -------- d-----w- c:\program files\McAfee
2009-07-06 15:24 . 2008-09-29 20:58 -------- d-----w- c:\program files\Common Files\McAfee
2009-07-06 15:24 . 2008-09-14 15:15 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-07-06 14:44 . 2008-09-15 16:55 -------- d-----w- c:\documents and settings\All Users\Application Data\SiteAdvisor
2009-07-03 17:00 . 2004-02-06 16:09 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-27 19:54 . 2009-06-13 17:22 -------- d-----w- c:\documents and settings\All Users\Application Data\PCPitstop
2009-06-24 18:04 . 2004-06-08 12:37 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-21 12:32 . 2004-10-04 18:36 -------- d-----w- c:\documents and settings\Eigenaar\Application Data\Skype
2009-06-17 12:20 . 2009-06-17 12:20 12648 ----a-w- c:\windows\system32\drivers\psi_mf.sys
2009-06-16 14:40 . 2003-04-08 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:40 . 2003-04-08 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-03 19:11 . 2004-08-21 16:00 1295360 ----a-w- c:\windows\system32\quartz.dll
2009-05-24 22:24 . 2008-05-26 20:18 350208 ----a-w- c:\windows\system32\mssph.dll
2009-05-12 13:12 . 2004-10-09 18:50 26144 ----a-w- c:\windows\system32\spupdsvc.exe
2002-07-26 15:02 . 2008-10-12 18:52 153088 ----a-w- c:\program files\UNWISE.EXE
2009-01-22 10:48 . 2009-01-22 10:48 4184 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-08-08_21.59.02 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-09 07:39 . 2009-08-09 07:39 16384 c:\windows\temp\Perflib_Perfdata_7c4.dat
+ 2009-08-09 07:33 . 2009-08-09 07:33 8192 c:\windows\erdnt\subs\Users\00000004\UsrClass.dat
+ 2009-08-09 07:33 . 2009-08-09 07:33 8192 c:\windows\erdnt\subs\Users\00000002\UsrClass.dat
+ 2009-08-09 07:33 . 2009-08-09 07:33 237568 c:\windows\erdnt\subs\Users\00000006\UsrClass.dat
+ 2009-08-09 07:33 . 2009-08-09 07:33 1609728 c:\windows\erdnt\subs\Users\00000003\NTUSER.DAT
+ 2009-08-09 07:33 . 2009-08-09 07:33 1605632 c:\windows\erdnt\subs\Users\00000001\NTUSER.DAT
+ 2009-08-09 07:33 . 2009-08-09 07:33 16891904 c:\windows\erdnt\subs\Users\00000005\ntuser.dat
.
((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LogitechGalleryRepair"="c:\program files\Logitech\Video\ISStart.exe" [2004-02-25 454656]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 136768]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2006-11-30 112216]
"McAfeeFireTray"="c:\progra~1\McAfee\MCAFEE~1\Firetray.exe" [2006-07-20 655427]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-11-13 611712]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2009-02-27 38768]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2009-02-27 640376]

c:\documents and settings\All Users\Menu Start\Programma's\Opstarten\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]
Microsoft Works Agenda-herinneringen.lnk - c:\program files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [1999-8-6 53317]
QuickScan (OpticFilm 7200).lnk - c:\program files\Plustek\OpticFilm 7200\QuickScan.exe [2008-12-10 290816]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableStatusMessages"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^WinZip Quick Pick.lnk]
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Eigenaar^Menu Start^Programma's^Opstarten^Microsoft Office Werkbalk.lnk]
backup=c:\windows\pss\Microsoft Office Werkbalk.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eigenaar^Menu Start^Programma's^Opstarten^NaturalColorLoad.lnk]
backup=c:\windows\pss\NaturalColorLoad.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"vsmon"=2 (0x2)
"NProtectService"=2 (0x2)
"CAISafe"=2 (0x2)
"SoundMAX Agent Service (default)"=2 (0x2)
"gusvc"=3 (0x3)
"InCDsrv"=2 (0x2)
"Automatic LiveUpdate Scheduler"=2 (0x2)
"LJRV"=3 (0x3)
"FXKQYLEM"=3 (0x3)
"0008701238501265mcinstcleanup"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"zBrowser Launcher"=c:\program files\Logitech\iTouch\iTouch.exe
"DU Meter"=c:\data\Programmas\Tools\DU Meter 3.0.7+keygen\DU Meter\DUMeter.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\DATA\\Programmas\\eMule\\eMule.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\DATA\\Programmas\\Phone\\Skype.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [3-11-2006 19:19 13592]
R2 wlidsvc;Windows Live ID Sign-in Assistant;c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE [30-3-2009 16:28 1533808]
S3 PDSched;PDScheduler;c:\program files\Raxco\PerfectDisk\PDSched.exe [29-11-2005 12:16 241731]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [17-6-2009 14:20 12648]
S4 adiusbae;USB ADSL LAN Adapter;c:\windows\system32\DRIVERS\adiusbae.sys --> c:\windows\system32\DRIVERS\adiusbae.sys [?]
S4 cpuz130;cpuz130;\??\c:\docume~1\Eigenaar\LOCALS~1\Temp\cpuz130\cpuz_x32.sys --> c:\docume~1\Eigenaar\LOCALS~1\Temp\cpuz130\cpuz_x32.sys [?]
S4 esihdrv;esihdrv;\??\c:\docume~1\Eigenaar\LOCALS~1\Temp\esihdrv.sys --> c:\docume~1\Eigenaar\LOCALS~1\Temp\esihdrv.sys [?]
S4 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S4 SAVOnAccessControl;SAVOnAccessControl;c:\windows\system32\DRIVERS\savonaccesscontrol.sys --> c:\windows\system32\DRIVERS\savonaccesscontrol.sys [?]
S4 SAVOnAccessFilter;SAVOnAccessFilter;c:\windows\system32\DRIVERS\savonaccessfilter.sys --> c:\windows\system32\DRIVERS\savonaccessfilter.sys [?]

--- Andere Services/Drivers In Geheugen ---

*Deregistered* - uphcleanhlp

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Inhoud van de 'Gedeelde Taken' map

2008-09-19 c:\windows\Tasks\Hotmail.job
- c:\progra~1\INTERN~1\iexplore.exe [2004-06-08 12:09]

2009-08-09 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 17:20]

2009-08-08 c:\windows\Tasks\Update McAfee.job
- c:\program files\McAfee\VirusScan Enterprise\mcupdate.exe [2006-11-30 06:50]

2009-05-20 c:\windows\Tasks\User_Feed_Synchronization-{DD39BDB4-132C-4682-8166-8AB6CB2956B9}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 02:31]

2009-07-31 c:\windows\Tasks\Windows Defender.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 17:20]

2008-09-30 c:\windows\Tasks\Windows Defrag.job
- c:\documents and settings\Eigenaar\Mijn documenten\defrag.bat [2008-09-29 19:25]
.
.
------- Bijkomende Scan -------
.
IE: Converteren naar Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: Doel van koppeling converteren naar Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Doel van koppeling toevoegen aan bestaande PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Toevoegen aan bestaande PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
Trusted Zone: airfrance.com\w3
Trusted Zone: belastingdienst.nl\mijn
Trusted Zone: cocensus.nl\webmail
Trusted Zone: duesseldorf.de\www
Trusted Zone: ing.nl\mijn
Trusted Zone: klm.com\secure
Trusted Zone: live.com\login
Trusted Zone: live.com\onecare
Trusted Zone: microsoft.com\download.windowsupdate
Trusted Zone: microsoft.com\office
Trusted Zone: microsoft.com\update
Trusted Zone: microsoft.com\www.update
Trusted Zone: nuon.nl\www
Trusted Zone: postbank.nl\mijn
Trusted Zone: postbank.nl\rentepunten
Trusted Zone: trendmicro.com\housecall65
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-09 09:42
Windows 5.1.2600 Service Pack 3 NTFS

scannen van verborgen processen ...

scannen van verborgen autostart items ...

scannen van verborgen bestanden ...


c:\windows\TEMP\TMP00000015F649214A84BE6D2B 524288 bytes executable

Scan succesvol afgerond
verborgen bestanden: 1

**************************************************************************
.
--------------------- VERGRENDELDE REGISTER SLEUTELS ---------------------

[HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
"Version"=hex:04,8d,55,e6,54,b8,6d,22,bb,a6,1a,3d,09,4a,51,60,84,fd,5b,41,01,
8c,25,05,59,bd,9e,3f,68,70,81,06,0d,da,8e,0d,50,9b,b8,1c,f9,67,32,85,48,ea,\
.
--------------------- DLLs Geladen Onder Lopende Processen ---------------------

- - - - - - - > 'explorer.exe'(3476)
c:\windows\system32\webcheck.dll
.
------------------------ Andere Aktieve Processen ------------------------
.
c:\progra~1\McAfee\MCAFEE~1\FireSvc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\Mcshield.exe
c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\UPHClean\uphclean.exe
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\windows\system32\searchindexer.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
c:\windows\system32\searchprotocolhost.exe
c:\program files\McAfee\Common Framework\Mctray.exe
c:\windows\system32\searchfilterhost.exe
c:\windows\system32\taskmgr.exe
.
**************************************************************************
.
Voltooingstijd: 2009-08-09 9:51 - machine werd herstart
ComboFix-quarantined-files.txt 2009-08-09 07:51
ComboFix2.txt 2009-08-09 07:03
ComboFix3.txt 2009-08-09 06:37
ComboFix4.txt 2009-08-08 23:27

Pre-Run: 87.479.775.232 bytes beschikbaar
Post-Run: 87.236.927.488 bytes beschikbaar

276 --- E O F --- 2009-08-06 15:39

Here is the log of Mbam:
Malwarebytes' Anti-Malware 1.40
Database versie: 2583
Windows 5.1.2600 Service Pack 3

9-8-2009 10:14:44
mbam-log-2009-08-09 (10-14-44).txt

Scan type: Snelle Scan
Objecten gescand: 97253
Verstreken tijd: 15 minute(s), 3 second(s)

Geheugenprocessen geïnfecteerd: 0
Geheugenmodulen geïnfecteerd: 0
Registersleutels geïnfecteerd: 0
Registerwaarden geïnfecteerd: 0
Registerdata bestanden geïnfecteerd: 0
Mappen geïnfecteerd: 0
Bestanden geïnfecteerd: 0

Geheugenprocessen geïnfecteerd:
(Geen kwaadaardige items gevonden)

Geheugenmodulen geïnfecteerd:
(Geen kwaadaardige items gevonden)

Registersleutels geïnfecteerd:
(Geen kwaadaardige items gevonden)

Registerwaarden geïnfecteerd:
(Geen kwaadaardige items gevonden)

Registerdata bestanden geïnfecteerd:
(Geen kwaadaardige items gevonden)

Mappen geïnfecteerd:
(Geen kwaadaardige items gevonden)

Bestanden geïnfecteerd:
(Geen kwaadaardige items gevonden)

Here is the HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:16:06, on 9-8-2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\McAfee\MCAFEE~1\FireSvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\PROGRA~1\McAfee\MCAFEE~1\Firetray.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Plustek\OpticFilm 7200\QuickScan.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\DATA\Programmas\VeiligEnAnderen\6.HyackThisVersie2.02\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://nl.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: Aanmeldhulp voor Windows Live ID - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O4 - HKLM\..\Run: [LogitechGalleryRepair] "C:\Program Files\Logitech\Video\ISStart.exe"
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeFireTray] "C:\PROGRA~1\McAfee\MCAFEE~1\Firetray.exe"
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Agenda-herinneringen.lnk = ?
O4 - Global Startup: QuickScan (OpticFilm 7200).lnk = C:\Program Files\Plustek\OpticFilm 7200\QuickScan.exe
O8 - Extra context menu item: Converteren naar Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Doel van koppeling converteren naar Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Doel van koppeling toevoegen aan bestaande PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Toevoegen aan bestaande PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O15 - Trusted Zone: http://www.duesseldorf.de
O15 - Trusted Zone: http://onecare.live.com
O15 - Trusted Zone: http://housecall65.trendmicro.com
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase1140.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1249415505734
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1249413699843
O23 - Service: McAfee Desktop Firewall Service (FireSvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MCAFEE~1\FireSvc.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe

--
End of file - 7063 bytes

#9
Ruud

Are there still problems with my computer?

#10
AdvancedSetup

Hi Ruud,

I'll try to read your logs and get back to you later tonight.
Ron Lewis
Manager, Online Support


If you've posted to the HJT forum and it has been over 5 days without a response please send a Private Message asking for assistance.

#11
Ruud

Thanks, now (6.00 o'clock) I'm going to my work and I will be back in about 12 hours.

#12
AdvancedSetup

STEP 01
Please click on START - RUN and type in MSCONFIG
Go to the SERVICES tab and click on the ENABLE ALL button and restart the computer.

STEP 02
When it restarts again, click on START - RUN and type in MSCONFIG, set it to NORMAL STARTUP and restart the computer again if necessary.
If it is already on NORMAL STARTUP, just quit it.

STEP 03
This will remove the driver portions of the Sophos AV for you as well.

Download but do not yet run ComboFix
If you have a previous version of Combofix.exe, delete it and download a fresh copy.
Download it to your DESKTOP - it MUST run from the Desktop
download.bleepingcomputer.com/sUBs/ComboFix.exe
subs.geekstogo.com/ComboFix.exe

Using your mouse, Highlight and then Right-click | Copy the entire contents of the Code box below, including blank lines
KILLALL::
Driver::
esihdrv
SAVOnAccessControl
SAVOnAccessFilter
File::
c:\docume~1\Eigenaar\LOCALS~1\Temp\esihdrv.sys
c:\windows\system32\DRIVERS\savonaccesscontrol.sys
c:\windows\system32\DRIVERS\savonaccessfilter.sys

Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" .

Using your mouse, drag the new file CFscript.txt and drop it on the ComboFix.exe icon.
  • Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
  • Disconnect from the Internet.
  • Disable your Antivirus software. If it has Script Blocking features, please disable these as well.
  • A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix.
  • It may identify that Recovery Console is not installed. Please accept when asked if you wish it to be installed.
    When the scan completes Notepad will open with your results log open. Do a File, Exit.
A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Post back the Combofix log on your next reply.

STEP 04
Please download and run these tools which are designed to restore some standard policy settings. They are not harmful.
    VArestorepolicies.INF
  • Download this INF repair file from here: VArestorepolicies.zip by MS-MVP Miekiemoes
  • Unzip or open the file VArestorepolicies.zip
  • Open the folder VArestorepolicies and Right-click the file inside, VArestorepolicies.INF and choose Install
    FixPolicies.exe
  • Download this self-extracting ZIP archive from here: FixPolicies.exe by MS-MVP Bill Castner and save it to your desktop.
  • Double-click FixPolicies.exe
  • Click the "Install" button on the bottom toolbar of the box that will open
  • The program will create a new Folder called FixPolicies
  • Double-click to Open the new Folder, and then double-click the file within: Fix_Policies.cmd
  • A black box will briefly appear and then close
  • These fixes may prove temporary. Active malware may revert these changes on your next startup. You can safely run these utilities again.

STEP 05
Temporarily disable your current Anti-Virus and run the following Online AV scanner please.

Run Eset NOD32 Online AntiVirus

Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Click Start
  • Make sure that the option "Remove found threats" is Un-checked, and the option "Scan unwanted applications" is checked
  • Click Scan
  • Wait for the scan to finish
  • Re-enable your Antivirus software.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

Ron Lewis
Manager, Online Support


#13
Ruud

Hello again and thanks again.

I followed all the advice and here are the results.

Step 01: after applying the changes in MSCONFIG, the message came that access was denied because I did not have the right privileges.
After the restart, I saw that the changes were made. The same occurred at step 2.

Step 03: Combofix started to run and after a while the message came that Combofix must make a restart. The shutdown started, all my desktop icons disappeared and I only saw my "wallpaper". And that lasted for about 90 minutes and there was no processor activity. Therefore I restarted my computer myself and Combofix continued with scanning.
In the Combofix log I saw that there are registry keys containing something about Symantec. A few years ago I indeed had Symantec; are these keys a problem?

Step 04 and 05 also started.

This is the combofix log:
ComboFix 09-08-09.04 - Eigenaar 10-08-2009 17:50.30.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.31.1043.18.2031.1382 [GMT 2:00]
Gestart vanuit: c:\documents and settings\Eigenaar\Bureaublad\ComboFix.exe
gebruikte Opdracht switches :: c:\documents and settings\Eigenaar\Bureaublad\CFscript.txt
AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

FILE ::
"c:\docume~1\Eigenaar\LOCALS~1\Temp\esihdrv.sys"
"c:\windows\system32\DRIVERS\savonaccesscontrol.sys"
"c:\windows\system32\DRIVERS\savonaccessfilter.sys"
.

(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ESIHDRV
-------\Legacy_SAVONACCESSCONTROL
-------\Legacy_SAVONACCESSFILTER
-------\Service_esihdrv
-------\Service_SAVOnAccessControl
-------\Service_SAVOnAccessFilter


(((((((((((((((((((( Bestanden Gemaakt van 2009-07-10 to 2009-08-10 ))))))))))))))))))))))))))))))
.

2009-08-09 09:14 . 2009-08-09 09:14 -------- d--h--r- c:\documents and settings\Eigenaar\Onlangs geopend
2009-08-06 22:54 . 2008-09-16 19:23 168448 ----a-w- c:\windows\system32\unrar.dll
2009-08-06 22:54 . 2009-05-29 21:37 205824 ----a-w- c:\windows\system32\xvidvfw.dll
2009-08-06 22:54 . 2009-05-29 21:31 881664 ----a-w- c:\windows\system32\xvidcore.dll
2009-08-06 22:54 . 2004-01-25 16:18 217088 ----a-w- c:\windows\system32\yv12vfw.dll
2009-08-06 22:54 . 2009-05-01 21:02 90112 ----a-w- c:\windows\system32\dpl100.dll
2009-08-06 22:54 . 2008-11-06 16:37 3596288 ----a-w- c:\windows\system32\qt-dx331.dll
2009-08-06 22:54 . 2009-05-01 21:02 685056 ----a-w- c:\windows\system32\divx.dll
2009-08-06 22:54 . 2009-06-02 16:11 85504 ----a-w- c:\windows\system32\ff_vfw.dll
2009-08-06 22:54 . 2009-01-07 18:14 60273 ----a-w- c:\windows\system32\pthreadGC2.dll
2009-08-06 22:50 . 2009-08-06 22:50 -------- d-----w- c:\documents and settings\Eigenaar\Application Data\Media Player Classic
2009-08-05 19:21 . 2009-08-05 19:21 152576 ----a-w- c:\documents and settings\Eigenaar\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-08-04 19:59 . 2009-08-04 20:44 -------- d-----w- C:\_AcroTemp
2009-08-04 19:39 . 2009-08-04 19:39 -------- d-----w- c:\documents and settings\Eigenaar\Application Data\Windows Desktop Search
2009-08-04 19:31 . 2008-03-07 17:02 29696 -c----w- c:\windows\system32\dllcache\mimefilt.dll
2009-08-04 19:31 . 2008-03-07 17:02 98304 -c----w- c:\windows\system32\dllcache\nlhtml.dll
2009-08-04 19:31 . 2008-03-07 17:02 192000 -c----w- c:\windows\system32\dllcache\offfilt.dll
2009-08-04 17:35 . 2009-08-04 17:35 -------- d-----w- c:\program files\Microsoft Office Outlook Connector
2009-08-04 17:21 . 2009-08-04 17:21 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-08-04 16:53 . 2009-08-04 17:21 -------- d-----w- c:\program files\Microsoft
2009-08-04 15:33 . 2009-08-04 15:33 -------- d-----w- c:\program files\Microsoft.NET
2009-08-04 15:19 . 2009-08-04 15:19 -------- d--h--r- C:\MSOCache
2009-07-31 13:29 . 2009-07-31 13:29 1962544 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player_ax.exe
2009-07-31 13:25 . 2009-07-31 13:59 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-07-31 13:25 . 2009-07-31 13:59 -------- d-----w- c:\program files\NOS
2009-07-31 13:23 . 2009-07-31 13:23 38208 ----a-w- c:\documents and settings\Eigenaar\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-07-31 13:23 . 2009-07-31 13:23 38208 ----a-w- c:\documents and settings\Default User\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe

.
((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-10 15:43 . 2004-10-04 18:36 -------- d-----w- c:\documents and settings\Eigenaar\Application Data\Skype
2009-08-07 18:07 . 2004-06-13 09:32 79248 ----a-w- c:\documents and settings\Eigenaar\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-07 14:54 . 2008-05-27 15:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-08-06 22:25 . 2005-09-09 14:12 -------- d-----w- c:\program files\K-Lite Codec Pack
2009-08-06 15:43 . 2007-01-06 18:26 -------- d-----w- c:\documents and settings\Eigenaar\Application Data\OfficeUpdate12
2009-08-05 19:47 . 2006-03-04 19:06 -------- d-----w- c:\program files\Windows Live Safety Center
2009-08-05 19:23 . 2009-03-26 18:33 -------- d-----w- c:\program files\Java
2009-08-04 20:07 . 2008-05-27 17:02 -------- d-----w- c:\program files\Windows Desktop Search
2009-08-04 19:34 . 2003-04-08 12:00 536884 ----a-w- c:\windows\system32\perfh013.dat
2009-08-04 19:34 . 2003-04-08 12:00 101106 ----a-w- c:\windows\system32\perfc013.dat
2009-08-04 18:57 . 2007-03-28 19:03 -------- d-----w- c:\program files\MSBuild
2009-08-04 16:22 . 2005-05-07 17:14 -------- d-----w- c:\program files\Microsoft Works
2009-08-03 19:30 . 2008-12-27 14:19 3942048 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-08-03 11:36 . 2008-12-27 14:18 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 11:36 . 2008-12-27 14:18 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-02 20:40 . 2004-08-21 17:23 -------- d-----w- c:\program files\Common Files\Elecard
2009-08-01 13:45 . 2008-03-04 11:05 -------- d-----w- c:\documents and settings\Eigenaar\Application Data\Vso
2009-07-31 13:58 . 2008-01-27 08:13 -------- d-----w- c:\program files\Microsoft Silverlight
2009-07-31 13:23 . 2009-02-20 18:24 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-07-25 03:23 . 2008-12-03 17:51 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-20 10:29 . 2008-02-28 21:20 264704 ------w- c:\documents and settings\Eigenaar\Application Data\OfficeUpdate12\oudetect.dll
2009-07-10 12:58 . 2008-12-10 14:47 -------- d-----w- c:\documents and settings\Eigenaar\Application Data\Lasersoft Imaging
2009-07-07 15:37 . 2009-07-07 15:37 -------- d-----w- c:\documents and settings\Eigenaar\Application Data\Uniblue
2009-07-06 20:52 . 2007-10-09 20:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-07-06 19:16 . 2009-05-20 18:37 -------- d-----w- c:\program files\Lavasoft
2009-07-06 17:04 . 2008-10-02 18:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-07-06 15:24 . 2008-09-14 15:14 -------- d-----w- c:\program files\McAfee
2009-07-06 15:24 . 2008-09-29 20:58 -------- d-----w- c:\program files\Common Files\McAfee
2009-07-06 15:24 . 2008-09-14 15:15 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-07-06 14:44 . 2008-09-15 16:55 -------- d-----w- c:\documents and settings\All Users\Application Data\SiteAdvisor
2009-07-03 17:00 . 2004-02-06 16:09 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-27 19:54 . 2009-06-13 17:22 -------- d-----w- c:\documents and settings\All Users\Application Data\PCPitstop
2009-06-24 18:04 . 2004-06-08 12:37 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-17 12:20 . 2009-06-17 12:20 12648 ----a-w- c:\windows\system32\drivers\psi_mf.sys
2009-06-16 14:40 . 2003-04-08 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:40 . 2003-04-08 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-03 19:11 . 2004-08-21 16:00 1295360 ----a-w- c:\windows\system32\quartz.dll
2009-05-24 22:24 . 2008-05-26 20:18 350208 ----a-w- c:\windows\system32\mssph.dll
2002-07-26 15:02 . 2008-10-12 18:52 153088 ----a-w- c:\program files\UNWISE.EXE
2009-01-22 10:48 . 2009-01-22 10:48 4184 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-08-08_21.59.02 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-10 17:08 . 2009-08-10 17:08 16384 c:\windows\temp\Perflib_Perfdata_88.dat
+ 2009-08-10 15:59 . 2009-08-10 15:59 8192 c:\windows\erdnt\subs\Users\00000004\UsrClass.dat
+ 2009-08-10 15:59 . 2009-08-10 15:59 8192 c:\windows\erdnt\subs\Users\00000002\UsrClass.dat
+ 2009-08-10 15:59 . 2009-08-10 15:59 237568 c:\windows\erdnt\subs\Users\00000006\UsrClass.dat
+ 2009-08-10 15:59 . 2009-08-10 15:59 1609728 c:\windows\erdnt\subs\Users\00000003\NTUSER.DAT
+ 2009-08-10 15:59 . 2009-08-10 15:59 1605632 c:\windows\erdnt\subs\Users\00000001\NTUSER.DAT
+ 2009-08-10 15:59 . 2009-08-10 15:59 16891904 c:\windows\erdnt\subs\Users\00000005\ntuser.dat
.
((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\data\Programmas\Phone\Skype.exe" [2009-04-16 24264488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LogitechGalleryRepair"="c:\program files\Logitech\Video\ISStart.exe" [2004-02-25 454656]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 136768]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2006-11-30 112216]
"McAfeeFireTray"="c:\progra~1\McAfee\MCAFEE~1\Firetray.exe" [2006-07-20 655427]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-11-13 611712]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2009-02-27 38768]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2009-02-27 640376]
"Network Associates Error Reporting Service"="c:\program files\Common Files\Network Associates\TalkBack\TBMon.exe" [2004-02-19 147514]
"InCD"="c:\program files\Ahead\InCD\InCD.exe" [2006-03-23 1398272]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]

c:\documents and settings\All Users\Menu Start\Programma's\Opstarten\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]
Microsoft Works Agenda-herinneringen.lnk - c:\program files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [1999-8-6 53317]
QuickScan (OpticFilm 7200).lnk - c:\program files\Plustek\OpticFilm 7200\QuickScan.exe [2008-12-10 290816]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableStatusMessages"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^WinZip Quick Pick.lnk]
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Eigenaar^Menu Start^Programma's^Opstarten^Microsoft Office Werkbalk.lnk]
backup=c:\windows\pss\Microsoft Office Werkbalk.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eigenaar^Menu Start^Programma's^Opstarten^NaturalColorLoad.lnk]
backup=c:\windows\pss\NaturalColorLoad.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"vsmon"=2 (0x2)
"NProtectService"=2 (0x2)
"CAISafe"=2 (0x2)
"Automatic LiveUpdate Scheduler"=2 (0x2)
"LJRV"=3 (0x3)
"FXKQYLEM"=3 (0x3)
"0008701238501265mcinstcleanup"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"zBrowser Launcher"=c:\program files\Logitech\iTouch\iTouch.exe
"DU Meter"=c:\data\Programmas\Tools\DU Meter 3.0.7+keygen\DU Meter\DUMeter.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\DATA\\Programmas\\eMule\\eMule.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\DATA\\Programmas\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [3-11-2006 19:19 13592]
R2 wlidsvc;Windows Live ID Sign-in Assistant;c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE [30-3-2009 16:28 1533808]
S3 PDSched;PDScheduler;c:\program files\Raxco\PerfectDisk\PDSched.exe [29-11-2005 12:16 241731]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [17-6-2009 14:20 12648]
S4 adiusbae;USB ADSL LAN Adapter;c:\windows\system32\DRIVERS\adiusbae.sys --> c:\windows\system32\DRIVERS\adiusbae.sys [?]
S4 cpuz130;cpuz130;\??\c:\docume~1\Eigenaar\LOCALS~1\Temp\cpuz130\cpuz_x32.sys --> c:\docume~1\Eigenaar\LOCALS~1\Temp\cpuz130\cpuz_x32.sys [?]
S4 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]

--- Andere Services/Drivers In Geheugen ---

*Deregistered* - uphcleanhlp

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Inhoud van de 'Gedeelde Taken' map

2008-09-19 c:\windows\Tasks\Hotmail.job
- c:\progra~1\INTERN~1\iexplore.exe [2004-06-08 12:09]

2009-08-10 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 17:20]

2009-08-10 c:\windows\Tasks\Update McAfee.job
- c:\program files\McAfee\VirusScan Enterprise\mcupdate.exe [2006-11-30 06:50]

2009-05-20 c:\windows\Tasks\User_Feed_Synchronization-{DD39BDB4-132C-4682-8166-8AB6CB2956B9}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 02:31]

2009-07-31 c:\windows\Tasks\Windows Defender.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 17:20]

2008-09-30 c:\windows\Tasks\Windows Defrag.job
- c:\documents and settings\Eigenaar\Mijn documenten\defrag.bat [2008-09-29 19:25]
.
.
------- Bijkomende Scan -------
.
IE: Converteren naar Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: Doel van koppeling converteren naar Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Doel van koppeling toevoegen aan bestaande PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Toevoegen aan bestaande PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
Trusted Zone: airfrance.com\w3
Trusted Zone: belastingdienst.nl\mijn
Trusted Zone: cocensus.nl\webmail
Trusted Zone: duesseldorf.de\www
Trusted Zone: ing.nl\mijn
Trusted Zone: klm.com\secure
Trusted Zone: live.com\login
Trusted Zone: live.com\onecare
Trusted Zone: microsoft.com\download.windowsupdate
Trusted Zone: microsoft.com\office
Trusted Zone: microsoft.com\update
Trusted Zone: microsoft.com\www.update
Trusted Zone: nuon.nl\www
Trusted Zone: postbank.nl\mijn
Trusted Zone: postbank.nl\rentepunten
Trusted Zone: trendmicro.com\housecall65
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-10 19:09
Windows 5.1.2600 Service Pack 3 NTFS

scannen van verborgen processen ...

scannen van verborgen autostart items ...

scannen van verborgen bestanden ...


c:\docume~1\Eigenaar\LOCALS~1\Temp\Acrobat Distiller 9\00000AB4
c:\docume~1\Eigenaar\LOCALS~1\Temp\Acrobat Distiller 9\00000AB4\dirlock.tmp 0 bytes
c:\docume~1\Eigenaar\LOCALS~1\Temp\Acrobat Distiller 9\00000AB4\Temp.msg 259 bytes
c:\windows\TEMP\TMP0000001A6D1D023761C5F7A4 524288 bytes

Scan succesvol afgerond
verborgen bestanden: 4

**************************************************************************
.
--------------------- VERGRENDELDE REGISTER SLEUTELS ---------------------

[HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
"Version"=hex:04,8d,55,e6,54,b8,6d,22,bb,a6,1a,3d,09,4a,51,60,84,fd,5b,41,01,
8c,25,05,59,bd,9e,3f,68,70,81,06,0d,da,8e,0d,50,9b,b8,1c,f9,67,32,85,48,ea,\
.
--------------------- DLLs Geladen Onder Lopende Processen ---------------------

- - - - - - - > 'explorer.exe'(2852)
c:\windows\system32\webcheck.dll
.
------------------------ Andere Aktieve Processen ------------------------
.
c:\program files\Ahead\InCD\InCDsrv.exe
c:\progra~1\McAfee\MCAFEE~1\FireSvc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\Mcshield.exe
c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\program files\UPHClean\uphclean.exe
c:\windows\system32\searchindexer.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
c:\program files\McAfee\Common Framework\Mctray.exe
c:\windows\system32\searchprotocolhost.exe
c:\windows\system32\searchfilterhost.exe
.
**************************************************************************
.
Voltooingstijd: 2009-08-10 19:18 - machine werd herstart
ComboFix-quarantined-files.txt 2009-08-10 17:18
ComboFix2.txt 2009-08-09 07:51
ComboFix3.txt 2009-08-09 07:03
ComboFix4.txt 2009-08-09 06:37
ComboFix5.txt 2009-08-10 15:49

Pre-Run: 83.610.578.944 bytes beschikbaar
Post-Run: 83.439.570.944 bytes beschikbaar

275 --- E O F --- 2009-08-06 15:39

And this is the ESET log:
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=6
# IEXPLORE.EXE=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.5889
# api_version=3.0.2
# EOSSerial=fd889bb8fa918e42b66a0da0e7d9bd83
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-08-10 07:11:33
# local_time=2009-08-10 09:11:33 (+0100, West-Europa (zomertijd))
# country="Netherlands"
# lang=9
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=5889 61 66 100 744124272343750
# scanned=104712
# found=0
# cleaned=0
# scan_time=5783

#14
AdvancedSetup

Well, luckily for your sake the logs show that you appear to be relatively clean now. It could probably use a little more cleaning, but due to evidence of pirated software on the system I'm forced to close your post now.

You should do another scan of your system with at least one more AV product.


HiJack This! Forum Policy

Quote

We will not be party to obvious use of key gens, cracks, warez or other illegal means of downloading software, music, videos etc. This means no P2P evidence will be supported. Logs that show these in them will be given the option to remove the P2P items. Keygens, cracks, warez and similar will have the thread closed, period. It's theft and against the law.
Ron Lewis
Manager, Online Support
