Virtumonde


#1
spobster

    New Member

Hi there,

hope you can help! I get pop-ups every few minutes, but only when I am using IE. My WinPatrol also reports (every minute) new IE add-ons, but I did NOT approve them. Examples of these files are:

C:\WINDOWS\system32\ddcApqnM.dll
C:\WINDOWS\system32\pmnoOGYP.dll

My NOD32 virus scanner sometimes reports threats:

Win32/PrivacySet.A trojan
a variant of Win32/Adware.WinFixer application
Win32/PrcView application
Win32/Adware.AVSystemCare application
Win32/Adware.Virtumonde application

I always reacted with either Delete or Connection Terminated.

So I came to Malwarebytes and ran Spybot; it found two important threats, but could only delete one (Virtumonde.dll). Then I ran the Malwarebytes' Anti-Malware tool, which found a number of infected files. Meanwhile I ran the PandaScan, so I believe there are a number of double threats found. The scan took a while, that's why I did not repeat this scan. The logs of both scans are down here. Then the restart of the computer; at startup Spybot ran again and could delete the Virtumonde.dll after all.

Malwarebytes' Anti-Malware 1.12
Database version: 752

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 94395
Time elapsed: 1 hour(s), 17 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 10
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 4
Files Infected: 19

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\pmnoOGYP.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_CLASSES_ROOT\Typelib\{abcdece2-4b15-11d1-abed-709549c10000} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f9df827a-8fa7-48a3-b268-ca4db563ea40} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f9df827a-8fa7-48a3-b268-ca4db563ea40} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\pmnoogyp (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{f9df827a-8fa7-48a3-b268-ca4db563ea40} (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\AntiSpywareMaster (Rogue.AntiSpywareMaster) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\system32 (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\system32\drivers (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\system32\drivers\etc (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\ddcApqnM.dll_old (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\MnqpAcdd.ini (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\MnqpAcdd.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\huggpmkt.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tkmpgguh.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ipovawem.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mewavopi.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rmmjgfsf.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fsfgjmmr.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ulbqcpuf.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fupcqblu.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Program Files\AntiSpywareMaster\asm.exe (Rogue.AntiSpyMaster) -> Quarantined and deleted successfully.
E:\Robberts documenten\mijn ontvangen bestanden\klaar\ACDSee.Pro.v8.1.99.Incl.Keymaker-CORE\CORE10k.EXE (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\system32\drivers\etc\hosts_Win_Original (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\17PHolmes572.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jkkLDVno.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pmnoOGYP.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\iifeEWoP.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Spobstertje\Local Settings\Temp\snapsnet.exe (Trojan.Agent) -> Quarantined and deleted successfully.




;*******************************************************************************
ANALYSIS: 2008-05-15 22:33:57
PROTECTIONS: 1
MALWARE: 15
SUSPECTS: 0
;*******************************************************************************
PROTECTIONS
Description Version Active Updated
;===============================================================================
ESET NOD32 antivirus system 2.70 2.70 Yes Yes
;===============================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===============================================================================
00055471 Application/ServUBased.A HackTools No 0 No No E:\Robberts documenten\Backup\Bureaublad.rar[Serv-U\ServUDaemon.exe]
00139535 Application/Processor HackTools No 0 No No C:\Documents and Settings\Spobstertje\Bureaublad\Programma's en shortcuts\myphotobook-Setup.exe[process.exe]
00139535 Application/Processor HackTools No 0 Yes No C:\Program Files\myphotobook\xtras\process.exe
00168110 Cookie/Server.iad.Liveperson TrackingCookie No 0 Yes No C:\Documents and Settings\Spobstertje\Cookies\spobstertje@server.iad.liveperson[2].txt
00170304 Cookie/WebtrendsLive TrackingCookie No 0 Yes No C:\Documents and Settings\Spobstertje\Cookies\spobstertje@statse.webtrendslive[2].txt
00293079 Spyware/7r7t Spyware No 1 Yes No C:\Documents and Settings\Spobstertje\Local Settings\Temp\snapsnet.exe
00505582 Application/ServUBased.DU HackTools No 0 No No E:\Robberts documenten\Backup\Bureaublad.rar[Serv-U\ServUTray.exe]
01262593 Application/NirCmd.A HackTools No 0 Yes No C:\WINDOWS\NirCmd.exe
02911014 Adware/AntiSpywareMaster Adware No 0 Yes No C:\Program Files\AntiSpywareMaster\asm.exe
02947657 Trj/Agent.ITR Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{AC700A1F-ECB2-4C28-8D90-649C14F971F6}\RP385\A0030164.exe
02947657 Trj/Agent.ITR Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{AC700A1F-ECB2-4C28-8D90-649C14F971F6}\RP385\A0030162.exe
02947657 Trj/Agent.ITR Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{AC700A1F-ECB2-4C28-8D90-649C14F971F6}\RP385\A0030163.exe
02951531 Bck/Prorat.HT Virus/Trojan No 1 Yes No E:\Robberts documenten\mijn ontvangen bestanden\klaar\314 Palm Games\__All PalmOS Games Released by AstraWare in (2003) Crack\crack.exe
02951531 Bck/Prorat.HT Virus/Trojan No 1 Yes No E:\Robberts documenten\mijn ontvangen bestanden\klaar\314 Palm Games\__All PalmOS Games Released by AstraWare in (2003) Crack.zip[crack.exe]
02951532 Bck/Prorat.HT Virus/Trojan No 1 Yes No E:\Robberts documenten\mijn ontvangen bestanden\klaar\314 Palm Games\__All PalmOS Games Released by AstraWare in (2003) Crack.zip[setup.exe]
02951532 Bck/Prorat.HT Virus/Trojan No 1 Yes No E:\Robberts documenten\mijn ontvangen bestanden\klaar\314 Palm Games\__All PalmOS Games Released by AstraWare in (2003) Crack\setup.exe
02971602 Spyware/Virtumonde Spyware No 1 Yes No C:\WINDOWS\system32\iifeEWoP.dll
02971602 Spyware/Virtumonde Spyware No 1 Yes No C:\WINDOWS\system32\jkkLDVno.dll
02971602 Spyware/Virtumonde Spyware Yes 2 Yes No C:\WINDOWS\SYSTEM32\PMNOOGYP.DLL
02972595 Spyware/Virtumonde Spyware No 1 Yes No C:\WINDOWS\system32\pefxairs.dll
02972596 Spyware/Virtumonde Spyware No 1 Yes No C:\WINDOWS\system32\wufclbhm.dll
02972601 Spyware/Virtumonde Spyware No 1 Yes No C:\WINDOWS\system32\ulbqcpuf.dll
;===============================================================================
SUSPECTS
Sent Location
;===============================================================================
;===============================================================================
VULNERABILITIES
Id Severity Description
;===============================================================================
184380 MEDIUM MS08-002
184379 MEDIUM MS08-001
182048 HIGH MS07-069
182046 HIGH MS07-067
182043 HIGH MS07-064
179553 HIGH MS07-061
176382 HIGH MS07-057
176383 HIGH MS07-058
170911 HIGH MS07-050
170907 HIGH MS07-046
170906 HIGH MS07-045
170904 HIGH MS07-043
164915 HIGH MS07-035
164913 HIGH MS07-033
164911 HIGH MS07-031
160623 HIGH MS07-027
157262 HIGH MS07-022
157261 HIGH MS07-021
157260 HIGH MS07-020
157259 HIGH MS07-019
156477 HIGH MS07-017
150253 HIGH MS07-016
150249 HIGH MS07-013
150248 HIGH MS07-012
150247 HIGH MS07-011
150243 HIGH MS07-008
150242 HIGH MS07-007
150241 MEDIUM MS07-006
141034 HIGH MS06-076
141033 MEDIUM MS06-075
141030 HIGH MS06-072
137571 HIGH MS06-070
137568 HIGH MS06-067
133387 MEDIUM MS06-065
133386 MEDIUM MS06-064
133385 MEDIUM MS06-063
133379 HIGH MS06-057
131654 HIGH MS06-055
129977 MEDIUM MS06-053
129976 MEDIUM MS06-052
126093 HIGH MS06-051
126092 MEDIUM MS06-050
126087 HIGH MS06-046
126086 MEDIUM MS06-045
126083 HIGH MS06-042
126082 HIGH MS06-041
126081 HIGH MS06-040
123421 HIGH MS06-036
123420 HIGH MS06-035
120825 MEDIUM MS06-032
120823 MEDIUM MS06-030
120818 HIGH MS06-025
120815 HIGH MS06-022
120814 HIGH MS06-021
117384 MEDIUM MS06-018
114666 HIGH MS06-015
114664 HIGH MS06-013
108744 MEDIUM MS06-008
108743 MEDIUM MS06-007
108742 MEDIUM MS06-006
104567 HIGH MS06-002
104237 HIGH MS06-001
96574 HIGH MS05-053
93395 HIGH MS05-051
93394 HIGH MS05-050
93454 MEDIUM MS05-049
;===============================================================================

Then I reran the Malwarebytes' Anti-Malware program. During this, WinPatrol alerted that regedit.exe %1 was changed to regedit.exe%1%*; I said the change was NOT ok. Then WinPatrol alerted %1 /S to be exchanged by %1 %* (.scr files); I also refused. The alerts reappear every now and then (what should I do?!). The final log of the Malwarebytes' Anti-Malware program:

Malwarebytes' Anti-Malware 1.12
Database version: 752

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 94082
Time elapsed: 34 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Then HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:57:55, on 15-5-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = Download Directory
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/ig?hl=nl
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {11316B13-33F0-4C9F-BD55-09994CCFA8EB} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {AE2B937E-EA7D-4A8D-888C-B68D7F72A3C4} (IPSUploader4 Control) - http://as.photoprintit.de/ips-opdata/74914...PSUploader4.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod-service (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Windows Alert Service (Winalert) - Unknown owner - C:\WINDOWS\System32\alertic.exe (file missing)

--
End of file - 5828 bytes

Thanks already for all the help!

#2
AdvancedSetup

    Forum Deity

Hello spobster

Sorry for the delay. I was busy as heck at work and had spent an all-nighter fixing some database issues. Some of the other helpers here are busy as well.

Let me take a look at your information and get back to you soon.
Ron Lewis
Manager, Online Support


Follow us: Twitter, Become a fan: Facebook

If you've posted to the HJT forum and it has been over 5 days without a response please send a Private Message asking for assistance.

#3
AdvancedSetup

    Forum Deity

First - disable the Spybot Search & Destroy Tea Timer if it's running as it will interfere with some fixes.
Either disable Winpatrol or allow it to make the changes we're going to make below.

Go into your Control Panel - Add/Remove and uninstall the following applications - you can get updates later on.
All Java versions, All Flash versions, All Shockwave versions, All QuickTime versions
Many of these programs have been recently updated to correct holes that have been found in the programs which help
facilitate Malware being installed onto your system. Updating to the most recent versions will help to alleviate this method of entry.

[indent]Software Updates
Here are links to get the latest versions of the software that you removed once we're all done scanning your system.
Don't reinstall them just yet.
[/indent]

[indent]Instructions on how to disable the Spybot Search & Destroy Tea Timer
Disable Spybot Search & Destroy's TEA TIMER:
    1. Run Spybot-S&D in Advanced Mode.
    2. If it is not already set to do this Go to the Mode menu select "Advanced Mode"
    3. On the left hand side, Click on Tools
    4. Then click on the Resident Icon in the List
    5. Uncheck "Resident TeaTimer" and OK any prompts.
    6. Restart your computer.
Please run the following tasks.[/indent]
[indent]Follow these instructions carefully.
  • Download ATF-Cleaner from Snapfiles.com to remove un-needed temporary files from your computer that may contain malware.
  • You can also download it from Majorgeeks.com
  • When you run ATF-Cleaner, check the items as shown below for Main.
  • For FireFox, be sure to click on the FireFox tab on top and check the items as shown below for FireFox
  • NOTE: If you don't have FireFox or Opera installed then they will be grayed out and can be ignored
  • Then click on "Empty Selected".
[/indent]
[indent](screenshots: ATF-Cleaner selections for the Main and FireFox tabs)[/indent]

[indent]Start HiJackThis and do a Scan Only and place a check mark in the following items

  • R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
  • O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    Then click on Fix selected


The following items are up to you if you want to remove or not
  • O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
  • Initializes the clock and memory settings on nVidia based graphics cards. Enable if you overclock your card
  • O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
  • System Tray icon used to manage settings for nVidia based graphics cards. May be required for some 3D applications to recognize your card correctly - such as the game "Everquest". Otherwise, settings can be changed manually via Display Properties
  • O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
  • It provides extra functionality for Logitech multimedia webcam devices. It is non-essential to the running of the system, but should not be terminated unless suspected to be causing problems.
  • O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
  • Realtek HD Audio Sound Effect Manager
  • CTFMON.EXE - see the information here to determine if you want to leave it or remove it Frequently asked questions about Ctfmon.exe


This next item is a service that needs to be removed. Let's try it this way first.
Click on Start - Run and type in CMD then press the Enter key to start a DOS prompt.
Then type in the following exactly as it is. Report back any errors if it's not successful.
sc delete alertic.exe
If it says it cannot find it then try this
sc delete "Windows Alert Service"

Don't forget the quotes.

Then try this
sc delete wscntfy.exe
Then try this
sc delete nvsvc32.exe
If this gives an error as well then try to remove it from the list in a HJT scan only.
O23 - Service: Windows Alert Service (Winalert) - Unknown owner - C:\WINDOWS\System32\alertic.exe (file missing)
Then click on "Fix selected"
Finding and using the correct Service name to remove can be difficult at times.

Update and Scan with Malwarebytes
  • Launch MB and go to the Update Tab and update the definitions

  • Click on the Quick Scan and click Next.

  • If any items are found allow it to clean them and then Reboot your computer.

Run HiJackThis again and do a Scan and save log and post back that log and the Malwarebytes log.[/indent]

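The service-removal step above depends on addressing the service by the name the Service Control Manager stores it under, which in a HijackThis O23 line is the name in parentheses after the display name (for the entry in this thread, Winalert). The following Python helper is an added example, not code from the thread or from HijackThis: it parses O23 lines from the log posted above, resolves that key name, flags entries whose binary is missing or whose owner is unknown, and builds the matching `sc query` / `sc delete` commands. It assumes HijackThis omits the parentheses when the display name and the key name are identical.

```python
import re

# Shape of a HijackThis O23 line (the format posted in this thread):
#   O23 - Service: <display name> (<key name>) - <company> - <path> [(file missing)]
# The name in parentheses is the key under HKLM\SYSTEM\CurrentControlSet\Services,
# which is the argument "sc query" and "sc delete" take.
# Assumption: HijackThis omits the parentheses when display name == key name.
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)"
    r"(?: \((?P<key>[^()]+)\))? - "
    r"(?P<company>.+?) - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?$"
)

# Constructed sample input: O23 entries copied from the HijackThis log in this thread.
SAMPLE_O23 = [
    r"O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe",
    r"O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe",
    r"O23 - Service: iPod-service (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe",
    r"O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe",
    r"O23 - Service: Windows Alert Service (Winalert) - Unknown owner - C:\WINDOWS\System32\alertic.exe (file missing)",
]


def parse_o23(line):
    """Parse one O23 line into a dict; return None for any other HijackThis line."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    return {
        "display": g["display"],
        "key": g["key"] or g["display"],   # no parentheses: key name equals display name
        "company": g["company"],
        "path": g["path"],
        "file_missing": g["missing"] is not None,
        "unknown_owner": g["company"].strip().lower() == "unknown owner",
    }


def triage(lines):
    """Flag O23 entries with a missing binary or unknown owner and build the
    sc commands that address each flagged service by its key name."""
    findings = []
    for line in lines:
        svc = parse_o23(line)
        if svc is None:
            continue
        reasons = []
        if svc["file_missing"]:
            reasons.append("binary missing")
        if svc["unknown_owner"]:
            reasons.append("unknown owner")
        if reasons:
            key = svc["key"]
            findings.append({
                "key": key,
                "path": svc["path"],
                "reasons": reasons,
                "query": f'sc query "{key}"',    # confirm the service exists first
                "delete": f'sc delete "{key}"',  # then remove it by key name
            })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_O23):
        print(f"{f['key']}: {', '.join(f['reasons'])} -> {f['query']} ; {f['delete']}")
```

Run the `sc query` line first; error 1060 from `sc` means the name given was not a service key name, not that the service is gone.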

#4
AdvancedSetup

    Forum Deity

[indent]It looks like we might need to get more details. Please run the following.

Download Deckard's System Scanner (DSS) to your Desktop.
Note: You must be logged onto an account with administrator privileges.
  • Close all applications and windows.
  • Double-click on dss.exe to run it, and follow the prompts.
  • When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt<-this one will be minimized
  • Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt into your reply.
[/indent]

#5
spobster

    New Member

I also have to work, just came back home and am now busy following your advice. I'll be back with logs in a sec.

#6
AdvancedSetup

    Forum Deity

Okay - just an FYI the Deckard's System Scanner (DSS) will run the HJT for you.

#7
spobster

    New Member

I have removed all software/applications you mentioned.

I have fixed all HiJackThis points mentioned. I also removed Microsoft Office XP from my computer as I also have Microsoft Office 2003 running, which I always use. The link you gave for ctfmon.exe is only for Office XP, so I guess what I did should be good enough.

Then I tried to use the quotes in the command screen. For all codes I received the following:
[SC] OpenService FAILED 1060:

De opgegeven service is geen geïnstalleerde service. (which is Dutch for "The entered service is no installed service.")

Then I tried to fix it in HiJackThis, but that didn't work either. After restart I saw that the ctfmon.exe was still there.

No items were found with MB.

Then DSS:

Deckard's System Scanner v20071014.68
Run by Spobstertje on 2008-05-16 21:52:33
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
9: 2008-05-16 19:52:37 UTC - RP389 - Deckard's System Scanner Restore Point
8: 2008-05-16 19:21:08 UTC - RP388 - Verwijderd: Microsoft Office XP Professional
7: 2008-05-16 17:18:23 UTC - RP387 - Verwijderd: QuickTime
6: 2008-05-16 17:16:20 UTC - RP386 - Removed Java™ 6 Update 2
5: 2008-05-14 20:21:15 UTC - RP385 - Controlepunt van systeem


-- First Restore Point --
1: 2008-05-09 13:39:58 UTC - RP381 - Controlepunt van systeem


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Spobstertje.exe) -----------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:53:07, on 16-5-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Spobstertje\Bureaublad\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Spobstertje.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = Download Directory
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/ig?hl=nl
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {11316B13-33F0-4C9F-BD55-09994CCFA8EB} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {AE2B937E-EA7D-4A8D-888C-B68D7F72A3C4} (IPSUploader4 Control) - http://as.photoprintit.de/ips-opdata/74914...PSUploader4.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod-service (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Windows Alert Service (Winalert) - Unknown owner - C:\WINDOWS\System32\alertic.exe (file missing)

--
End of file - 5095 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20070930-161138-287 O4 - HKCU\..\Run: [WinAVX] C:\WINDOWS\system32\WinAvXX.exe
backup-20070930-161138-507 O4 - HKLM\..\Run: [WinAVX] C:\WINDOWS\system32\WinAvXX.exe
backup-20070930-161138-590 F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\printer.exe
backup-20070930-161138-621 O4 - Global Startup: autorun.exe
backup-20070930-161138-682 O4 - Startup: system.exe
backup-20070930-162742-178 O4 - HKLM\..\Run: [WinAVX] C:\WINDOWS\system32\WinAvXX.exe
backup-20070930-162742-199 F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\printer.exe
backup-20070930-162743-159 O4 - HKCU\..\Run: [WinAVX] C:\WINDOWS\system32\WinAvXX.exe
backup-20070930-162743-494 O4 - Global Startup: autorun.exe
backup-20070930-162743-555 O4 - Startup: system.exe
backup-20071001-002436-974 O20 - AppInit_DLLs: C:\WINDOWS\system32\sulimo.dat
backup-20071001-012033-255 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
backup-20071001-012033-374 O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
backup-20071006-210042-219 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
backup-20071006-210042-509 O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
backup-20071006-210042-729 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
backup-20071011-202407-115 O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')
backup-20071011-202407-260 O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
backup-20071011-202407-895 O23 - Service: Windows Alert Service (Winalert) - Unknown owner - C:\WINDOWS\System32\alertic.exe (file missing)
backup-20071011-202429-199 O23 - Service: Windows Alert Service (Winalert) - Unknown owner - C:\WINDOWS\System32\alertic.exe (file missing)
backup-20071011-215354-198 O23 - Service: Windows Alert Service (Winalert) - Unknown owner - C:\WINDOWS\System32\alertic.exe (file missing)
backup-20071011-220327-837 O23 - Service: Windows Alert Service (Winalert) - Unknown owner - C:\WINDOWS\System32\alertic.exe (file missing)
backup-20071015-175322-216 O23 - Service: Windows Alert Service (Winalert) - Unknown owner - C:\WINDOWS\System32\alertic.exe (file missing)
backup-20071015-175322-821 O4 - HKCU\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe
backup-20071015-214437-857 O23 - Service: Windows Alert Service (Winalert) - Unknown owner - C:\WINDOWS\System32\alertic.exe (file missing)
backup-20080516-211131-209 R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
backup-20080516-211131-658 O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
backup-20080516-212304-154 O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
backup-20080516-212304-759 O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
backup-20080516-212304-791 O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
backup-20080516-212304-969 O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
backup-20080516-213642-873 O23 - Service: Windows Alert Service (Winalert) - Unknown owner - C:\WINDOWS\System32\alertic.exe (file missing)
backup-20080516-213747-904 O23 - Service: Windows Alert Service (Winalert) - Unknown owner - C:\WINDOWS\System32\alertic.exe (file missing)

-- File Associations -----------------------------------------------------------

.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - scrfile - shell\open\command - "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 AsIO - c:\windows\system32\drivers\asio.sys
R1 asuskbnt (Enhanced Display Driver Helper Service) - c:\windows\system32\drivers\atkkbnt.sys <Not Verified; ASUSTeK COMPUTER INC.; ASUS Help driver For Keyboard Service.>
R1 SASDIFSV - c:\program files\superantispyware\sasdifsv.sys
R1 SASKUTIL - c:\program files\superantispyware\saskutil.sys
R3 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus® ASPI Shell>

S1 bdpredir - c:\program files\softwin\bitdefender10\bdpredir.sys (file missing)
S1 InCDPass - c:\windows\system32\drivers\incdpass.sys (file missing)
S1 InCDRm (InCD Reader) - c:\windows\system32\drivers\incdrm.sys (file missing)
S2 EIO - c:\windows\system32\drivers\eio.sys (file missing)
S3 bdfdll - c:\program files\softwin\bitdefender10\bdfdll.sys (file missing)
S3 catchme - c:\docume~1\spobst~1\locals~1\temp\catchme.sys (file missing)
S3 CO_Mon - c:\windows\system32\drivers\co_mon.sys
S3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>
S4 InCDFs (InCD File System) - c:\windows\system32\drivers\incdfs.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 aawservice (Ad-Aware 2007 Service) - "c:\program files\lavasoft\ad-aware 2007\aawservice.exe" <Not Verified; Lavasoft AB; Ad-Aware 2007 Service>
R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 ATKKeyboardService (ATK Keyboard Service) - c:\windows\atkkbservice.exe <Not Verified; ASUSTeK COMPUTER INC.; ASUS Keyboard Service>

S2 Winalert (Windows Alert Service) - c:\windows\system32\alertic.exe -srv (file missing)


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E96B-E325-11CE-BFC1-08002BE10318}
Description: Standaardtoetsenbord (101/102 toetsen) of Microsoft Natural PS/2-toetsenbord
Device ID: ACPI\PNP0303\4&1D8E1589&0
Manufacturer: (standaardtoetsenbord)
Name: Standaardtoetsenbord (101/102 toetsen) of Microsoft Natural PS/2-toetsenbord
PNP Device ID: ACPI\PNP0303\4&1D8E1589&0
Service: i8042prt


-- Files created between 2008-04-16 and 2008-05-16 -----------------------------

2008-05-15 20:46:55 0 d-------- C:\Documents and Settings\Spobstertje\Application Data\Malwarebytes
2008-05-15 20:46:43 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-15 20:46:42 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-15 20:26:25 0 d-------- C:\Program Files\Panda Security
2008-05-15 17:55:52 133632 --a------ C:\WINDOWS\system32\kadtmtmc.dll
2008-05-15 17:47:42 126464 --a------ C:\WINDOWS\system32\qjqiaocm.dll
2008-05-14 21:18:59 133120 --a------ C:\WINDOWS\system32\rywixfqp.dll
2008-05-14 21:15:54 125952 --a------ C:\WINDOWS\system32\qiddjpkj.dll
2008-05-12 19:56:12 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-05-12 19:48:17 132608 --a------ C:\WINDOWS\system32\pefxairs.dll
2008-05-12 19:45:44 124416 --a------ C:\WINDOWS\system32\wufclbhm.dll
2008-05-09 15:42:48 133632 --a------ C:\WINDOWS\system32\druxasmv.dll
2008-05-09 15:40:50 125440 --a------ C:\WINDOWS\system32\najfgbcp.dll
2008-05-05 13:27:03 0 d-------- C:\Documents and Settings\Spobstertje\Application Data\Sun
2008-05-04 16:56:18 0 dr-h----- C:\Documents and Settings\Spobstertje\Onlangs geopend
2008-05-04 16:52:55 0 d-------- C:\Program Files\CCleaner
2008-04-30 18:15:55 0 d-------- C:\Program Files\SSC Service Utility


-- Find3M Report ---------------------------------------------------------------

2008-05-16 21:21:22 0 d-------- C:\Program Files\Microsoft Office2
2008-05-16 19:18:44 0 d-------- C:\Program Files\QuickTime
2008-05-16 19:16:37 0 d-------- C:\Program Files\Java
2008-05-16 19:16:36 0 d-------- C:\Program Files\Common Files
2008-05-09 16:31:19 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-05-09 15:42:29 0 d-------- C:\Documents and Settings\Spobstertje\Application Data\Azureus
2008-04-30 20:35:59 0 d-------- C:\Program Files\epson
2008-04-30 20:29:44 0 d-------- C:\Documents and Settings\Spobstertje\Application Data\Adobe
2008-04-18 23:27:54 0 d-------- C:\Program Files\Palm
2008-04-16 23:21:32 0 d-------- C:\Program Files\Azureus
2008-04-12 17:00:42 0 d-------- C:\Documents and Settings\Spobstertje\Application Data\Leadertech
2008-04-12 15:39:02 0 d-------- C:\Documents and Settings\Spobstertje\Application Data\HotSync
2008-03-30 22:06:56 361018 --a----c- C:\WINDOWS\system32\perfh013.dat
2008-03-30 22:06:56 51668 --a----c- C:\WINDOWS\system32\perfc013.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NWEReboot"="" []
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [01-10-2007 20:01]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [11-06-2007 11:25]
"WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [23-09-2007 19:30]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [01-06-2006 11:22]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [04-08-2004 03:03]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoWindowsUpdate"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [20-12-2006 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 19-04-2007 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\ddcApqnM

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"




-- Hosts -----------------------------------------------------------------------

6775 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-05-16 21:53:28 ------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: Dutch

CPU 0: AMD Athlon™ 64 X2 Dual Core Processor 4200+
CPU 1: AMD Athlon™ 64 X2 Dual Core Processor 4200+
Percentage of Memory in Use: 34%
Physical Memory (total/avail): 1023.23 MiB / 670.97 MiB
Pagefile Memory (total/avail): 2460.48 MiB / 2193.57 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1938.7 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 19.53 GiB total, 3 GiB free.
D: is Fixed (NTFS) - 17.73 GiB total, 0.09 GiB free.
E: is Fixed (NTFS) - 149.04 GiB total, 0.23 GiB free.
F: is CDROM (No Media)
G: is CDROM (No Media)

\\.\PHYSICALDRIVE1 - Maxtor 6G160P0 - 149.05 GiB - 1 partition
\PARTITION0 - Extended w/Extended Int 13 - 149.04 GiB - E:

\\.\PHYSICALDRIVE0 - MAXTOR 6L040J2 - 37.28 GiB - 2 partitions
\PARTITION0 (bootable) - Installable File System - 19.53 GiB - C:
\PARTITION1 - Extended w/Extended Int 13 - 17.73 GiB - D:



-- Security Center -------------------------------------------------------------

AUOptions is disabled.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.

AV: ESET NOD32 antivirus system 2.70 v2.70 (ESET, spol. s r.o.)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Spobstertje\Application Data
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=SPOBSTER
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Spobstertje
LOGONSERVER=\\SPOBSTER
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\QuickTime\QTSystem"
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 75 Stepping 2, AuthenticAMD
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=4b02
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\SPOBST~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\SPOBST~1\LOCALS~1\Temp
USERDOMAIN=SPOBSTER
USERNAME=Spobstertje
USERPROFILE=C:\Documents and Settings\Spobstertje
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Spobstertje (admin)
Administrator (new local, admin)


-- Add/Remove Programs ---------------------------------------------------------

--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
3ivx D4 4.5.1 Decoder (remove only) --> "C:\Program Files\3ivx\3ivx D4 4.5.1 Decoder\uninstall.exe"
Aangifte inkomstenbelasting 2007 --> C:\Program Files\Belastingdienst\Aangifte inkomstenbelasting\2007\ib2007u.exe
ACDSee Pro --> MsiExec.exe /I{F99F74B4-972B-4B06-B893-6B3B0DB0128B}
Ad-Aware 2007 --> MsiExec.exe /X{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Acrobat 7.0 Professional --> msiexec /I {AC76BA86-1033-0000-7760-000000000002}
Adobe Photoshop 7.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Adobe\Photoshop 7.0\Uninst.isu" -c"C:\Program Files\Adobe\Photoshop 7.0\Uninst.dll"
Apple Mobile Device Support --> MsiExec.exe /I{8FC46258-0843-4D79-B7F0-F2B82FE6173B}
Apple Software Update --> MsiExec.exe /I{74EC78BC-B379-4E29-9006-8F161DCAABA6}
ASUS Enhanced Display Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{315ACD04-BCEB-478B-9B1D-5431D0E6CB11}\setup.exe" -l0x9 -removeonly
ASUS Utilities --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{43C67D92-F56E-4729-8673-9A2D5A6036F8} /l1043
Athlon 64 Processor Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C151CE54-E7EA-4804-854B-F515368B0798}\setup.exe" -l0x13
Attansic Giga Ethernet Utility --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0700\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1F698102-5739-441E-96F0-74F4EA540F06}\setup.exe" -l0x9
Attansic L1 Gigabit Ethernet Driver --> rundll32.exe C:\WINDOWS\system32\Attansic\L1\atcInst.dll,AtcUninst C:\WINDOWS\system32\Attansic\L1 x86 1969 1048 L1
AVG Anti-Spyware 7.5 --> C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
Azureus Vuze --> C:\Program Files\Azureus\uninstall.exe
Campingselect 2007 --> "C:\Program Files\ANWB\Campingselect 2007\Uninstall.exe" "C:\Program Files\ANWB\Campingselect 2007\install.log"
Canon Utilities PhotoStitch 3.1 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{03CDDD00-BD57-4326-9480-4C74449AF597}
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
Cole2k Media - Codec Pack (Advanced) --> C:\WINDOWS\system32\C2MP\Uninst.exe
Cool & Quiet --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1ADE1AA0-7F82-4BB1-B1BD-727DE438057B}\setup.exe" -l0x9
DC++ 0.699 --> "E:\DC++\uninstall.exe"
EPSON-printersoftware --> C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EPUPDATE.EXE /R
EPSON Scan --> C:\Program Files\epson\escndv\setup\setup.exe /r
Euroglot Professional 4.5 (remove only) --> "C:\Program Files\Linguistic Systems\Euroglot Professional 4.5\uninstall.exe"
Google Earth --> MsiExec.exe /I{1E04F83B-2AB9-4301-9EF7-E86307F79C72}
GraphPad Prism 4 --> "C:\Program Files\GraphPad\Prism 4\unins000.exe"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Huur- en zorgtoeslag 2008 --> E:\Robberts documenten\Belastingdienst\2008\hz2008u.exe
ImgBurn (Remove Only) --> "C:\Program Files\ImgBurn\uninstall.exe"
ISI ResearchSoft - Export Helper --> C:\PROGRA~1\COMMON~1\Risxtd\_UNINST.EXE
IsoBuster 1.6 --> "C:\Program Files\IsoBuster\Uninst\unins000.exe"
iTunes --> MsiExec.exe /I{85B90D8C-70F3-4E84-BD31-5E9489C0F9FB}
K-Lite Codec Pack 2.83 Full --> "C:\Program Files\K-Lite Codec Pack\unins000.exe"
Logitech® Camera-stuurprogramma --> "C:\Program Files\Common Files\Logitech\QCDRV\BIN\SETUP.EXE" UNINSTALL REMOVEPROMPT
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Malwarebytes' RogueRemover PRO 1.16 --> "C:\Program Files\RogueRemover PRO\unins000.exe"
Microsoft Office PowerPoint Viewer 2003 --> MsiExec.exe /X{90AF0413-6000-11D3-8CFE-0150048383C9}
Microsoft Office Professional Editie 2003 --> MsiExec.exe /I{90110413-6000-11D3-8CFE-0150048383C9}
myphotobook 3.5 --> C:\Program Files\myphotobook\uninst.exe
MyPhotoFun Editor --> MsiExec.exe /I{73967004-0BCE-4E33-8C2A-0F3C6CCF1F04}
Nero 7 Ultra Edition --> MsiExec.exe /I{4781569D-5404-1F26-4B2B-6DF444441031}
Nikon Message Center --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D2FCC1AE-6311-47C5-8130-C6C66D77DD71}\Setup.exe" -l0x9 UNINSTALL
NOD32 antivirus system --> C:\Program Files\Eset\Setup\setup.exe /UNINSTALL
NOD32 FiX --> "C:\Program Files\Eset\unins000.exe"
NVIDIA Drivers --> C:\WINDOWS\system32\nvudisp.exe UninstallGUI
Palm --> MsiExec.exe /X{0030188A-533E-42EE-9837-E044F10E4369}
Panda ActiveScan 2.0 --> C:\Program Files\Panda Security\ActiveScan 2.0\as2uninst.exe
PC Probe II --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F7338FA3-DAB5-49B2-900D-0AFB5760C166}\setup.exe" -l0x9
PictureProject --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FF3999BE-1A7B-4738-88AA-97BF14094A4A}\Setup.exe" -l0x9 UNINSTALL
Project64 1.6 --> MsiExec.exe /X{9559F7CA-5E34-4237-A2D9-D856464AD727}
Realtek High Definition Audio Driver --> RtlUpd.exe -r -m
Reference Manager 11 --> MsiExec.exe /I{C0B0893D-6DA2-4F14-B1D0-3C0F1272B398}
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
SSC Service Utility v4.30 --> "C:\Program Files\SSC Service Utility\unins000.exe"
SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
Tennis Toernooi Planner --> MsiExec.exe /I{BBC8E172-6EFE-415B-BA9A-A378C8699052}
TMPGEnc Plus 2.5 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{190BF7E6-59C5-45E2-B9CE-E8E7245A5B4D}
VIA Platform Device Manager --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{20D4A895-748C-4D88-871C-FDB1695B0169}
Winamp (remove only) --> "C:\Program Files\Winamp\UninstWA.exe"
Windows Live Messenger --> MsiExec.exe /I{9816B8B8-4B53-4D3D-9235-AD931252001D}
WinPatrol 2007 --> C:\PROGRA~1\BILLPS~1\WINPAT~1\Setup.exe /remove /q0
WinRAR --> C:\Program Files\WinRAR\uninstall.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type4103 / Error
Event Submitted/Written: 05/16/2008 09:53:16 PM
Event ID/Source: 11 / crypt32
Event Description:
Het uitpakken van een basislijst uit de cab voor automatische updates is mislukt op <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> met de fout: Een vereist certificaat valt niet binnen de geldigheidsperiode als gekeken wordt naar de huidige systeemklok of de tijdstempel in het ondertekende bestand.

Event Record #/Type4102 / Error
Event Submitted/Written: 05/16/2008 09:53:16 PM
Event ID/Source: 11 / crypt32
Event Description:
Het uitpakken van een basislijst uit de cab voor automatische updates is mislukt op <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> met de fout: Een vereist certificaat valt niet binnen de geldigheidsperiode als gekeken wordt naar de huidige systeemklok of de tijdstempel in het ondertekende bestand.

Event Record #/Type4084 / Success
Event Submitted/Written: 05/15/2008 07:19:49 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type4079 / Error
Event Submitted/Written: 05/14/2008 09:56:25 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Vastgelopen toepassing: IEXPLORE.EXE, versie: 6.0.2900.2180, vastgelopen module: hungapp, versie: 0.0.0.0, vastgelopen op: 0x00000000.

Event Record #/Type4078 / Error
Event Submitted/Written: 05/14/2008 09:18:57 PM
Event ID/Source: 1000 / Application Error
Event Description:
Vastgelopen toepassing: iexplore.exe, versie: 6.0.2900.2180, vastgelopen module: unknown, versie: 0.0.0.0, vastgelopen op: 0x04a91569.
Verwerken van mediaspecifieke gebeurtenis voor [iexplore.exe!ws!]



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type16344 / Error
Event Submitted/Written: 05/16/2008 09:39:13 PM
Event ID/Source: 7026 / Service Control Manager
Event Description:
De volgende opstartstuurprogramma's zijn niet geladen:
bdpredir

Event Record #/Type16343 / Error
Event Submitted/Written: 05/16/2008 09:39:13 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
De Windows Alert Service-service kan vanwege de volgende fout niet worden gestart:
%%2

Event Record #/Type16342 / Error
Event Submitted/Written: 05/16/2008 09:39:13 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
De EIO-service kan vanwege de volgende fout niet worden gestart:
%%2

Event Record #/Type16320 / Error
Event Submitted/Written: 05/16/2008 08:13:58 PM
Event ID/Source: 7026 / Service Control Manager
Event Description:
De volgende opstartstuurprogramma's zijn niet geladen:
bdpredir

Event Record #/Type16319 / Error
Event Submitted/Written: 05/16/2008 08:13:58 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
De Windows Alert Service-service kan vanwege de volgende fout niet worden gestart:
%%2



-- End of Deckard's System Scanner: finished at 2008-05-16 21:53:28 ------------

#8
spobster

    New Member

  • Members
  • 26 posts
And I have to say two more things. Since I ran MB for the first time, most problems seemed to be solved. At this moment the popups from WinPatrol are only about the "regedit.exe %1 change to regedit.exe%1%*" and "%1 /S to be exchanged by %1 %*".

The other thing is that I have had JeanInMontana's help earlier: this link. At the end of page one we also worried about the "O23 - Service: Windows Alert Service (Winalert) - Unknown owner - C:\WINDOWS\System32\alertic.exe (file missing)". I believe we did everything we could to solve this, but nothing worked, not even the killbox program. Actually the file alertic.exe does not exist on my computer (I guess that's why the file is missing).

Hope this helps, and I don't know for sure, but I think I got an infection with another worm/spyware than that time, although some things look similar. I am really careful about clicking around on the internet and normally use only trusted sites, except for last week when I was in a hurry. Sorry about that! (for myself too B))

#9
AdvancedSetup

    Forum Deity

  • Administrators
  • 22,574 posts
  • Gender:Male
  • Location:US
Okay, first let's try to see if these files still exist on your system and try to upload them so we can review them to see what they really are.

Upload Malware


C:\WINDOWS\system32\kadtmtmc.dll
C:\WINDOWS\system32\qjqiaocm.dll
C:\WINDOWS\system32\rywixfqp.dll
C:\WINDOWS\system32\qiddjpkj.dll
C:\WINDOWS\system32\pefxairs.dll
C:\WINDOWS\system32\wufclbhm.dll
C:\WINDOWS\system32\druxasmv.dll
C:\WINDOWS\system32\najfgbcp.dll
C:\WINDOWS\system32\ddcApqnM


Then we need to fix a couple of other items.
Follow these instructions carefully, as it can prevent your system from starting if done wrong.

You need to run a couple of Registry updates. Copy the following entries into Notepad - then save the file
and on the drop down selection for Save as type: choose All Files and save the file to your desktop
as Repair01.reg
REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
There should be no space before REGEDIT4 and there should be a single blank line after the last line.
Once saved double-click it and allow it to run and if any program attempts to stop it say it's okay to update it.

Then same thing for this one - copy and save as Repair02.reg
REGEDIT4

[HKEY_CLASSES_ROOT\regedit\shell\open\command]
@="regedit.exe %1"
Once saved double-click it and allow it to run and if any program attempts to stop it say it's okay to update it.

Then click on START - RUN and type in REGEDIT and press the Enter Key.
Then click on the + signs to expand the folders in the Registry and walk down the tree until you get to
an entry that should be something like this.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windows Alert Service
If you find it and it has the alertic.exe entry then delete the alertic.exe entry.
If you don't find it there then go to the top of the Registry tree and do a search for alertic.exe
and remove all the entries for it. Not the PATH AND TREES - ONLY THE alertic.exe

Then restart your computer. Hopefully you can upload those files above and we'll check them out and if needed update Malwarebytes to remove them if they're bad items.

Ron Lewis
Manager, Online Support


Follow us: Twitter, Become a fan: Facebook

If you've posted to the HJT forum and it has been over 5 days without a response please send a Private Message asking for assistance.
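As an added example (not code from this thread, from Malwarebytes or from Deckard's System Scanner), the following Python decodes the hex(7) REG_MULTI_SZ value that Repair01.reg writes and flags any LSA "Authentication Packages" entry beyond the Windows default msv1_0, which is how the DLL shown next to msv1_0 in the Registry Dump above would be caught. It assumes the Registry Dump prints multi-string entries separated by spaces; the sample inputs are constructed from the log lines in the thread.

```python
"""Decode and check the LSA "Authentication Packages" REG_MULTI_SZ value.

Added example, not part of the forum thread or of any Malwarebytes tool.
It decodes the hex(7) byte list that Repair01.reg writes
(6d,73,76,31,5f,30,00,00 -> "msv1_0") and reports any package beyond the
Windows default, which is the persistence spot Deckard's dump showed as
"msv1_0 C:\\WINDOWS\\system32\\ddcApqnM".
"""
from __future__ import annotations

import re
from typing import List, Optional

LSA_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
AUTH_PKG_VALUE = "Authentication Packages"
# Windows XP ships with MSV1_0 as the only LSA authentication package.
EXPECTED_PACKAGES = {"msv1_0"}


def decode_multi_sz(raw: bytes, utf16: bool) -> List[str]:
    """Split REG_MULTI_SZ bytes (NUL-separated strings, double-NUL end) into a list."""
    text = raw.decode("utf-16-le" if utf16 else "latin-1")
    return [s for s in text.split("\0") if s]


def parse_reg_multi_sz(reg_text: str, key: str, value: str) -> Optional[List[str]]:
    """Return the REG_MULTI_SZ strings for `value` under `key` in a .reg file body.

    REGEDIT4 files store hex(7) data one byte per character (ANSI); files with
    the "Windows Registry Editor Version 5.00" header store UTF-16LE.
    Returns None when the key or value is not present.
    """
    lines = reg_text.splitlines()
    utf16 = bool(lines) and lines[0].strip().startswith("Windows Registry Editor")
    in_key = False
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        if line.startswith("[") and line.endswith("]"):
            # A [Key] line selects the key the following values belong to.
            in_key = line[1:-1].lower() == key.lower()
        elif in_key:
            m = re.match(r'"(.+?)"=hex\(7\):(.*)$', line)
            if m and m.group(1).lower() == value.lower():
                hex_text = m.group(2)
                # A trailing backslash continues the byte list on the next line.
                while hex_text.rstrip().endswith("\\") and i + 1 < len(lines):
                    i += 1
                    hex_text = hex_text.rstrip()[:-1] + lines[i].strip()
                raw = bytes(int(b, 16) for b in hex_text.split(",") if b.strip())
                return decode_multi_sz(raw, utf16)
        i += 1
    return None


def parse_dss_packages(dump_line: str) -> List[str]:
    """Parse the Registry Dump form: '"Authentication Packages"= msv1_0 C:\\...\\ddcApqnM'.

    Assumption (not documented by the scanner): entries are printed separated by
    spaces, so a package path containing spaces would be split here.
    """
    _, _, rhs = dump_line.partition("=")
    return rhs.split()


def unexpected_packages(packages: List[str], expected=EXPECTED_PACKAGES) -> List[str]:
    """Return every package name that is not a known-good LSA package."""
    return [p for p in packages if p.lower() not in expected]


# Constructed samples mirroring the thread: the repair file posted above and
# the "Authentication Packages" line from the Deckard Registry Dump.
REPAIR01_REG = (
    "REGEDIT4\n"
    "\n"
    "[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa]\n"
    '"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00\n'
)
DSS_DUMP_LINE = '"Authentication Packages"= msv1_0 C:\\WINDOWS\\system32\\ddcApqnM'

if __name__ == "__main__":
    print("repair file sets:", parse_reg_multi_sz(REPAIR01_REG, LSA_KEY, AUTH_PKG_VALUE))
    print("suspicious before repair:", unexpected_packages(parse_dss_packages(DSS_DUMP_LINE)))
```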

#10
spobster

    New Member

  • Members
  • 26 posts
I'm sorry, I don't know whether the upload worked fine, so I was doing it a second time (same file) and now already a third time because of an error (the third time I do not upload them as a zip, but separately, and indeed that works). The only file I couldn't find was the one that was C:\WINDOWS\system32\ddcApqnM. The najfgbcp.dll and druxasmv.dll files were created at the time-point where the problems started. The others were created later on apparently.

I updated the registry.

The search in the registry for alertic.exe gave me one entry in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winalert and I deleted that one, there are some entries left in this path, I did not touch them. Furthermore I got an entry in HKEY_USERS\S-1-5-21-329068152-1383384898-682003330-1003\Software\Microsoft\Search Assistant\ACMru\5603 but not the .exe file, only alertic, but I believe this is not harmful, because of my search in my windows-folders yesterday, is it? I can of course delete it, I didn't delete it yet.

Thanks for all your help!

#11
AdvancedSetup

    Forum Deity

  • Administrators
  • 22,574 posts
  • Gender:Male
  • Location:US
Great - thanks for the submissions. They should get checked out tonight some time.

Tomorrow please update your MB application and do a new Quick Scan and clean anything it finds.
Then reboot and run a new HJT scan and post back both of those logs.
Ron Lewis
Manager, Online Support


#12
spobster

    New Member

  • Members
  • 26 posts
Malwarebytes' Anti-Malware 1.12
Database version: 760

Scan type: Quick Scan
Objects scanned: 36445
Time elapsed: 3 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{1dc21177-f099-4369-ba8e-eda8c1573723} (Trojan.Vundo) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{c97007e2-bc21-4d9d-9bf8-b37d08b3d6e7} (Trojan.Vundo) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{85013b75-2320-4ec9-ab3d-141ea3dd1bac} (Trojan.Vundo) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{b7b6375a-4828-408b-a86a-bf75e2ca9394} (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winalert (Trojan.FakeAlert) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\druxasmv.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\kadtmtmc.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\najfgbcp.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\pefxairs.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\qiddjpkj.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\qjqiaocm.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\rywixfqp.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\wufclbhm.dll (Trojan.Vundo) -> No action taken.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:42:15, on 18-5-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = Download Directory
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/ig?hl=nl
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {11316B13-33F0-4C9F-BD55-09994CCFA8EB} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {AE2B937E-EA7D-4A8D-888C-B68D7F72A3C4} (IPSUploader4 Control) - http://as.photoprintit.de/ips-opdata/74914...PSUploader4.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod-service (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 5080 bytes

#13
AdvancedSetup

    Forum Deity

  • Administrators
  • 22,574 posts
  • Gender:Male
  • Location:US
Well, the log you posted shows you did not allow or have Malwarebytes remove the infected items.
You need to scan and then choose to fix the infected items.
Ron Lewis
Manager, Online Support

Follow us: Twitter, Become a fan: Facebook

If you've posted to the HJT forum and it has been over 5 days without a response please send a Private Message asking for assistance.
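The point above is that every entry in the earlier log ends in "No action taken", while a log from a scan where removal was allowed ends each entry in "Quarantined and deleted successfully". The parser below is an added example, not code from this thread or from Malwarebytes: it reads the per-section detection lines of a Malwarebytes' Anti-Malware 1.x log and lists every item the scanner found but left in place. The sample log is constructed from the entries quoted in this thread; the two "resolved" action strings are the ones that appear in the thread's logs, and any other action text is assumed to mean the item is still present.

```python
"""Triage a Malwarebytes' Anti-Malware 1.x scan log.

Added example (not part of the forum thread or of Malwarebytes' tooling).
Flags detections whose action was not a removal, which is the difference
between a log that merely reports an infection and one that cleaned it.
"""
import re
from collections import Counter
from typing import Dict, List, NamedTuple

# Constructed sample, built from entries quoted in the thread.
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.12
Database version: 760

Scan type: Quick Scan
Objects scanned: 36445
Time elapsed: 3 minute(s), 55 second(s)

Memory Processes Infected: 0
Registry Keys Infected: 2
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{1dc21177-f099-4369-ba8e-eda8c1573723} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winalert (Trojan.FakeAlert) -> No action taken.

Files Infected:
C:\WINDOWS\system32\druxasmv.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\kadtmtmc.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
"""


class Detection(NamedTuple):
    category: str  # section header, e.g. "Files Infected"
    item: str      # file path or registry key
    name: str      # detection name, e.g. "Trojan.Vundo"
    action: str    # what the scanner did, e.g. "No action taken"


# Detail-section headers end with a bare colon ("Files Infected:");
# the summary block at the top ("Files Infected: 8") must not match.
SECTION_RE = re.compile(r"^(?P<category>[A-Za-z ]+ Infected):$")
# One detection per line: <item> (<name>) -> <action>.
DETECTION_RE = re.compile(r"^(?P<item>.+) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?$")

# Action strings seen in this thread's logs that mean the item was dealt with.
# Assumption: anything else (notably "No action taken") means it is still present.
RESOLVED_PREFIXES = ("Quarantined and deleted", "Unloaded module")


def parse_mbam_log(text: str) -> List[Detection]:
    """Return every detection line, tagged with the section it appeared under."""
    detections: List[Detection] = []
    category = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        sec = SECTION_RE.match(line)
        if sec:
            category = sec.group("category")
            continue
        det = DETECTION_RE.match(line)
        if det and category:
            detections.append(Detection(category, det.group("item"),
                                        det.group("name"), det.group("action")))
    return detections


def is_resolved(action: str) -> bool:
    """True when the scanner's recorded action removed or unloaded the item."""
    return action.startswith(RESOLVED_PREFIXES)


def unresolved(detections: List[Detection]) -> List[Detection]:
    """Detections the scanner reported but did not remove."""
    return [d for d in detections if not is_resolved(d.action)]


def summarize(detections: List[Detection]) -> Dict[str, Counter]:
    """Per section: how many items were resolved and how many were left in place."""
    summary: Dict[str, Counter] = {}
    for d in detections:
        key = "resolved" if is_resolved(d.action) else "unresolved"
        summary.setdefault(d.category, Counter())[key] += 1
    return summary


if __name__ == "__main__":
    found = parse_mbam_log(SAMPLE_LOG)
    for d in unresolved(found):
        print(f"STILL PRESENT: [{d.category}] {d.item} ({d.name})")
    print(summarize(found))
```

Run against a real log by reading the saved .txt into `parse_mbam_log`; an empty `unresolved()` list is the condition to look for before concluding the scan actually cleaned anything.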

#14
spobster

    New Member

  • Members
  • 26 posts
Sorry, posted the wrong log in my hurry this morning.

Malwarebytes' Anti-Malware 1.12
Database version: 760

Scan type: Quick Scan
Objects scanned: 36445
Time elapsed: 3 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{1dc21177-f099-4369-ba8e-eda8c1573723} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c97007e2-bc21-4d9d-9bf8-b37d08b3d6e7} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{85013b75-2320-4ec9-ab3d-141ea3dd1bac} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{b7b6375a-4828-408b-a86a-bf75e2ca9394} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winalert (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\druxasmv.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kadtmtmc.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\najfgbcp.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pefxairs.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qiddjpkj.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qjqiaocm.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rywixfqp.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wufclbhm.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

#15
spobster

    New Member

  • Members
  • 26 posts
I think most problems are solved, but still I get the WinPatrol Alerts, to which I have answered no till now. I have attached a picture of the alerts, wondering what I should do with this.

Thanks!


#16
AdvancedSetup

    Forum Deity

  • Administrators
  • 22,574 posts
  • Gender:Male
  • Location:US
No, do not allow the change. They are already using a default setting.

Once you tell it no and reboot your computer does it still alert to the change?
Ron Lewis
Manager, Online Support


#17
spobster

    New Member

  • Members
  • 26 posts
Yes it does; every ten minutes or so I get the alert, also after rebooting the computer.

#18
AdvancedSetup

    Forum Deity

  • Administrators
  • 22,574 posts
  • Gender:Male
  • Location:US
If you click on INFO does it say what application is attempting to make this change?
Ron Lewis
Manager, Online Support


#19
spobster

    New Member

  • Members
  • 26 posts
I believe it is regedit.exe. When I click on INFO, I get a page with a lot of advertising to buy the WinPatrol Plus version. In between it says "Upgrade to WinPatrol PLUS for more info on regedit.exe".

#20
AdvancedSetup

    Forum Deity

  • Administrators
  • 22,574 posts
  • Gender:Male
  • Location:US
It isn't telling you what program is trying to make the change; it's only telling you that if you bought the program it would tell you more about Regedit, which is not what we're looking for.
Let's do this for now. Disable or uninstall WinPatrol - then let's look at the registry entries after a reboot.
Then I'd like you to run a log from Deckard's System Scanner that will give us more information about what is running on your system.

You should already have the DSS.EXE program for Deckard's System Scanner but if not here is the information again below.

Download Deckard's System Scanner (DSS) to your Desktop.
Note: You must be logged onto an account with administrator privileges.

  • Close all applications and windows.
  • Double-click on dss.exe to run it, and follow the prompts.
  • When the scan is complete, two text files will open: main.txt (this one will be maximized) and extra.txt (this one will be minimized).
  • Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt into your reply.

What DSS will do:
  • create a new System Restore point in Windows XP and Vista.
  • clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
  • check some important areas of your system and produce a report for your analyst to review. DSS automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.

Notes: The first time that the Deckard scanner is run, the extra.txt is generated in a minimized window. The second time you will not obtain the extra.txt. You must go to Start=>Run, copy the following "%userprofile%\desktop\dss.exe" /config into the line and click OK. You will receive a pop-up box with options to check for the Main log and Extra Log and Options.

Ron Lewis
Manager, Online Support





