netlog.exe being written to usb-stick [Archive]

View Full Version : netlog.exe being written to usb-stick

jeennijhof

2007-07-19, 19:43

Hi everyone,

Every time a usb stick is mounted in my laptop the files netlog.exe and autorun.inf are wtitten to the stick.

I googled for "netlog.exe usb" whitch pointed me to a forum threat on this site, where netlog.exe was part of another problem. After looking closer to my "netlog.exe-problem" i also found the file "C:\Program Files\Common Files\microsoft shared\MSInfo\netlog.exe" on my hard disk.
I'm afraid my laptop is infected....

I ran Hijackthis and here's the log:

==================
===== start log =====
==================
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:28:48, on 19-7-2007
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Launch Manager\LaunchAp.exe
C:\Program Files\Launch Manager\HotkeyApp.exe
C:\Program Files\Launch Manager\OSDCtrl.exe
C:\Program Files\Launch Manager\WButton.exe
C:\Windows\System32\rundll32.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe
C:\Program Files\Acer\OrbiCam10\OrbiCam.exe
C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\Jeen\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/ig?hl=nl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Help bij koppelingen - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - (no file)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [LaunchAp] "C:\Program Files\Launch Manager\LaunchAp.exe"
O4 - HKLM\..\Run: [PowerKey] "C:\Program Files\Launch Manager\PowerKey.exe"
O4 - HKLM\..\Run: [LManager] "C:\Program Files\Launch Manager\HotkeyApp.exe"
O4 - HKLM\..\Run: [LMgrOSD] "C:\Program Files\Launch Manager\OSDCtrl.exe"
O4 - HKLM\..\Run: [Wbutton] "C:\Program Files\Launch Manager\Wbutton.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [AcerOrbicamRibbon] "C:\Program Files\Acer\OrbiCam10\OrbiCam.exe" /hide
O4 - HKLM\..\Run: [LVCOMSX] "C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Windows\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdc.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [MSConfig] "C:\Windows\system32\msconfig.exe" /auto
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
O4 - Global Startup: BTTray.lnk = ?
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - (no file)
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O13 - Gopher Prefix:
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20070501/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O23 - Service: Acronis OS Selector Reinstall Service (AcronisOSSReinstallSvc) - Unknown owner - C:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall_svc.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: iPod-service (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\Logitech\SrvLnch\SrvLnch.exe
O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Sophos AutoUpdate Service - Sophos Plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
O23 - Service: Windows Network Log (Windows Network Log Manage) - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\MSINFO\Netlog.exe
O23 - Service: WisLMSvc - Wistron Corp. - C:\Program Files\Launch Manager\WisLMSvc.exe

--
End of file - 9225 bytes
=======================
====== end log ==========
=======================

I also did a scan on www.virustotal.com for e:\netlog.exe on the usb stick:
(The original file on the c: drive seem to give the same results)

=======================
======= start log ========
=======================
Antivirus Version Last Update Result
AhnLab-V3 2007.7.20.0 2007.07.19 no virus found
AntiVir 7.4.0.44 2007.07.19 TR/Crypt.CFI.Gen
Authentium 4.93.8 2007.07.19 W32/Trojan.AWYP
Avast 4.7.997.0 2007.07.19 no virus found
AVG 7.5.0.476 2007.07.18 Worm/Delf.CTB
BitDefender 7.2 2007.07.19 no virus found
CAT-QuickHeal 9.00 2007.07.19 (Suspicious) - DNAScan
ClamAV devel-20070416 2007.07.19 no virus found
DrWeb 4.33 2007.07.19 no virus found
eSafe 7.0.15.0 2007.07.17 Suspicious Trojan/Worm
eTrust-Vet 30.8.3794 2007.07.19 no virus found
Ewido 4.0 2007.07.19 no virus found
FileAdvisor 1 2007.07.19 no virus found
Fortinet 2.91.0.0 2007.07.19 no virus found
F-Prot 4.3.2.48 2007.07.19 W32/Trojan.AWYP
F-Secure 6.70.13030.0 2007.07.19 no virus found
Ikarus T3.1.1.8 2007.07.19 not-a-virus:Monitor.Win32.007SpySoft.308
Kaspersky 4.0.2.24 2007.07.19 no virus found
McAfee 5078 2007.07.19 no virus found
Microsoft 1.2704 2007.07.19 no virus found
NOD32v2 2407 2007.07.19 no virus found
Norman 5.80.02 2007.07.19 no virus found
Panda 9.0.0.4 2007.07.19 Suspicious file
Sophos 4.19.0 2007.07.17 no virus found
Sunbelt 2.2.907.0 2007.07.19 VIPRE.Suspicious
Symantec 10 2007.07.19 no virus found
TheHacker 6.1.7.149 2007.07.18 no virus found
VBA32 3.12.2.1 2007.07.19 no virus found
VirusBuster 4.3.26:9 2007.07.19 no virus found
Webwasher-Gateway 6.0.1 2007.07.19 Trojan.Crypt.CFI.Gen
Aditional information
File size: 487424 bytes
MD5: 821a4e515410478059b647b21bd2ffdb
SHA1: 35274344ea6e33ebe0dfa97e9a0aa3d72c6bf2ba
Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.
==================
===== end log ======
==================

and last the log for e:/autorun.inf on www.virustotal.com:

===================
===== start log =======
===================
Antivirus Version Last Update Result
AhnLab-V3 2007.7.20.0 2007.07.19 no virus found
AntiVir 7.4.0.44 2007.07.19 no virus found
Authentium 4.93.8 2007.07.19 no virus found
Avast 4.7.997.0 2007.07.19 no virus found
AVG 7.5.0.476 2007.07.18 no virus found
BitDefender 7.2 2007.07.19 no virus found
CAT-QuickHeal 9.00 2007.07.19 no virus found
ClamAV devel-20070416 2007.07.19 no virus found
DrWeb 4.33 2007.07.19 no virus found
eSafe 7.0.15.0 2007.07.17 no virus found
eTrust-Vet 30.8.3794 2007.07.19 no virus found
Ewido 4.0 2007.07.19 no virus found
FileAdvisor 1 2007.07.19 no virus found
Fortinet 2.91.0.0 2007.07.19 no virus found
F-Prot 4.3.2.48 2007.07.19 no virus found
F-Secure 6.70.13030.0 2007.07.19 no virus found
Ikarus T3.1.1.8 2007.07.19 no virus found
Kaspersky 4.0.2.24 2007.07.19 no virus found
McAfee 5078 2007.07.19 no virus found
Microsoft 1.2704 2007.07.19 no virus found
NOD32v2 2407 2007.07.19 no virus found
Norman 5.80.02 2007.07.19 no virus found
Panda 9.0.0.4 2007.07.19 no virus found
Sophos 4.19.0 2007.07.17 no virus found
Sunbelt 2.2.907.0 2007.07.19 no virus found
Symantec 10 2007.07.19 no virus found
TheHacker 6.1.7.149 2007.07.18 no virus found
VBA32 3.12.2.1 2007.07.19 no virus found
VirusBuster 4.3.26:9 2007.07.19 no virus found
Webwasher-Gateway 6.0.1 2007.07.19 no virus found
Aditional information
File size: 28 bytes
MD5: f5ec8d89bbcce6f5479355825cba5dea
SHA1: 6b329cd02ebcb5c23fd2353fefeabb035672ee61
===================
===== end log =======
===================

Any advice is greatly appreciated...

Regards Jeen

shelf life

2007-07-20, 17:45

hi jeennijhof,

those online results of the scan arent very conclusive. i see you have spyware doctor also. does it flag anything? you could do a online scan for another opinion also.

i would like to get a copy of the .exe
if you would please download suspicious file packer (SFP.exe) from link:

http://www.safer-networking.org/en/tools/index.html

download, double click the icon
under step1 copy/paste this:

C:\Program Files\Common Files\microsoft shared\MSInfo\netlog.exe

click continue button
it will produce a .cab file on your desktop. please email me the .cab file as a attachment to:

echoreply(at)hotmail.com
-----------------------------------
online scan using Internet explorer:

F-secure scan:
http://support.f-secure.com/enu/home/ols.shtml

click on the "start scanning button" near bottom of page.
click to accept/install the ActiveX applet,Click Full System Scan
Once the download completes (may take awhile),the scan will begin automatically.
The scan will take some time to finish.
When the scan completes, click the Automatic cleaning (recommended) button.

Click the Show Report button and Copy&Paste the entire report in your next reply along with a current HijackThis log.

shelf life

jeennijhof

2007-07-20, 22:56

Hello Shelflife,

First off all, thanks for loking into this.

I did ran spywaredoctor a few days ago, as part of HitmanPro. And yes, it found "Backdoor.Hupigon!sd5"
Find the Hitmanpro log below:

================================
========== start log ===========
================================
Hitman Pro 2.7.0.5 - Rapport
18-07-2007 21:28

--------------------------------------------------------------------------------
Installatiebestanden externe beschermings- en inspectiecomponenten
STATUS OMSCHRIJVING VERSIE GROOTTE
Actueel Archive Extraction Utility 0.0.0.0 307276 bytes
Actueel RAR decompression library 3.41.0.306 158720 bytes
Actueel Archive Compression Utility 0.0.0.0 276044 bytes
Actueel File Encryption/Decryption Utility 0.0.0.0 69708 bytes
Actueel SpywareBlaster 3.5.1.0 2566736 bytes
Actueel Ad-Aware SE 1.0.6.0 2855080 bytes
Actueel Spybot - Search & Destroy 0.0.0.0 5037072 bytes
Actueel Ewido AntiSpyware Micro 4.0.0.1 153144 bytes
Bijgewerkt Spyware Doctor 5.0.1.205 27383448 bytes

--------------------------------------------------------------------------------
Updates
Actueel Hitman Pro Updater 2.6.0.0 489960 bytes
STATUS OMSCHRIJVING GROOTTE
Actueel Hitman Pro uninstaller 554832 bytes
Bijgewerkt Lavasoft Ad-Aware SE Definitions 0.0.0.0 1339941 bytes

--------------------------------------------------------------------------------
Beschermingsmiddelen
Beveiligingsniveau van zone Internet is ingesteld op Normaal (huidige gebruiker)
Beveiligingsniveau van zone Internet is ingesteld op Normaal (alle gebruikers)
Het beveiligingsniveau van de Internet-zone hoort ten minste op Normaal ingesteld te staan. Voor het downloaden van mogelijk onveilige inhoud wordt

dan eerst toestemming gevraagd en niet ondertekende ActiveX-besturingselementen worden niet gedownload.
SpywareBlaster-bescherming aangebracht
Deze bescherming verhindert de installatie van op ActiveX-gebaseerde spyware, adware, browserkapers, dialers, en ander potentieel ongewenste

inhoud. Verder blokkeert het spyware/traceercookies in Internet Explorer en Mozilla/Firefox en beperkt het de acties van mogelijk gevaarlijke

websites in Internet Explorer.
SpywareBlaster is freeware voor persoonlijk en onderwijsgebruik. Voor meer informatie zie http://www.javacoolsoftware.com/spywareblaster.html

--------------------------------------------------------------------------------
Spybot - Search & Destroy 00:09:32
Versie 1.4 (Build 23-05-2005) Laatste detectie update: 18-07-2007
Spybot Search & Destroy inspecteert (net als Ad-Aware en Spy Sweeper) het geheugen, register en uw bestanden op advertentiesoftware, dialers,

browser hijackers en traceercomponenten. Daarnaast heeft Spybot S&D een immuniseer functie (een aanvulling op SpywareBlaster) als preventieve

maatregel tegen spyware.
MediaPlex
SexTracker
HitBox
BlueStreak
DoubleClick
Advertising.com
WebTrends live

--------------------------------------------------------------------------------
Ewido Micro 03:01:35
ewido anti-malware offers you realtime protection against Hijackers and Spyware, Worms, Dialers, Trojans and Keyloggers. Click here for more

information.
TrackingCookie.2o7
TrackingCookie.Falkag
TrackingCookie.Atdmt
TrackingCookie.Serving-sys
TrackingCookie.Weborama
TrackingCookie.Adbrite
TrackingCookie.Yieldmanager
TrackingCookie.Clickhype
TrackingCookie.Euroclick
TrackingCookie.Specificclick
TrackingCookie.Adrevolver
TrackingCookie.Co
TrackingCookie.Adtech
TrackingCookie.Advertising
TrackingCookie.Bfast
TrackingCookie.Bluestreak
TrackingCookie.Burstnet
TrackingCookie.Zedo
TrackingCookie.Casalemedia
TrackingCookie.Com
TrackingCookie.Hitslink
TrackingCookie.Sextracker
TrackingCookie.Cpvfeed
TrackingCookie.Doubleclick
TrackingCookie.Esomniture
TrackingCookie.Hitbox
TrackingCookie.Fastclick
TrackingCookie.Hotlog
TrackingCookie.Ivwbox
TrackingCookie.Tracking101
TrackingCookie.Webtrends
TrackingCookie.Mediaplex
TrackingCookie.Oewabox
TrackingCookie.Overture
TrackingCookie.Questionmarket
TrackingCookie.Realmedia
TrackingCookie.Revsci
TrackingCookie.Adjuggler
TrackingCookie.Live
TrackingCookie.Liveperson
TrackingCookie.Netflame
TrackingCookie.Onestat
TrackingCookie.Statcounter
TrackingCookie.Webtrendslive
TrackingCookie.Tacoda
TrackingCookie.Tradedoubler
TrackingCookie.Trafficmp
TrackingCookie.Trafic
TrackingCookie.Tribalfusion
TrackingCookie.Smartadserver
TrackingCookie.Yadro
Trojan.PePatch.ca
TrackingCookie.Planetactive
TrackingCookie.Revenue
TrackingCookie.Information
TrackingCookie.Realtracker
TrackingCookie.Etracker

--------------------------------------------------------------------------------
PC Tools Spyware Doctor 00:52:24
Spyware Doctor is niet alleen één van de meest populaire anti-spyware tools, maar ook een van de best gewaardeerde in de markt. Het detecteert en

verwijdert duizenden spyware, adware, trojans, keyloggers, spybots en zgn. tracking threats van uw PC. Voor meer informatie zie

http://www.pctools.com/spyware-doctor/

Backdoor.Hupigon!sd5
Spyware Doctor heeft 1 gevaren gevonden sinds 18-7-2007

--------------------------------------------------------------------------------
Schijfopruiming
Opgeruimd C:\Windows\Temp
Opgeruimd C:\Windows\Temp\sophos_autoupdate1.dir
Opgeruimd C:\Windows\Temp\sophos_autoupdate1.dir\1183157859
Opgeruimd C:\Windows\Temp\sophos_autoupdate1.dir\1183165057
Opgeruimd C:\Windows\Temp\sophos_autoupdate1.dir\1183168656
Opgeruimd C:\Windows\Temp\sophos_autoupdate1.dir\1183175857
Opgeruimd C:\Windows\Temp\sophos_autoupdate1.dir\1183179456
Vrijgemaakt 26 MB
Schijfopruiming ruimt voor u de mappen met tijdelijke Windows- en Internet-bestanden op. De inhoud van deze mappen zal na verloop van tijd veel

beschikbare ruimte op de vaste schijf verbruiken. Deze ruimte zou anders beschikbaar zijn voor documenten en programma's. Het verwijderen van de

tijdelijke bestanden heeft voor Hitman Pro als voordeel dat de inspectietijd van Ad-aware, Spy Sweeper en Spybot S&D wordt verkort. De

inspectieonderdelen zullen overigens minder sporen van spyware vinden omdat eventuele spyware-installatiebestanden reeds door Schijfopruiming zijn

verwijderd.

--------------------------------------------------------------------------------
Dit rapport is samengesteld door Hitman Pro, gemaakt door Mark Loman
Steun het verzet tegen spyware en doe een donatie;
===================================
============ end log ==============
===================================

I already emailed you a copy of the netlog.exe

Here's the F-secure online scanner report:

===================================
============ start log ============
===================================
Scanning Report
Friday, July 20, 2007 21:33:02 - 22:30:35
Computer name: LAPTOP-JEEN
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\ D:\

--------------------------------------------------------------------------------

Result: 2 malware found
Delf.ACML (virus)
D:\MIJN DOCUMENTEN\JEEN\DOWNLOAD\TORRENT\1CLICK DVD COPY V5.0.3.5 [SND]\1CLICKDVDCOPYSETUP.EXE (Submitted)
Tracking Cookie (spyware)
System (Disinfected)

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 52743
System: 4181
Not scanned: 13
Actions:
Disinfected: 1
Renamed: 0
Deleted: 0
None: 1
Submitted: 1
Files not scanned:
C:\HIBERFIL.SYS
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\DRIVERS\SPTD.SYS
C:\WINDOWS\SYSTEM32\CONFIG\COMPONENTS
C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\COMPONENTS
C:\WINDOWS\SYSTEM32\CATROOT2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\CATDB
C:\WINDOWS\SYSTEM32\CATROOT2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\CATDB
C:\USERS\MARIANNE\APPDATA\LOCAL\MICROSOFT\WINDOWS DEFENDER\FILETRACKER\{568D8423-5DE4-4EC3-A0FC-7B88FB01A167}
C:\USERS\JEEN\APPDATA\LOCAL\MICROSOFT\WINDOWS DEFENDER\FILETRACKER\{5043637C-F9DA-4016-9D63-AE7C7B45361D}
C:\USERS\ALL USERS\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\23DBEACBD110B59A4D3DD3A126B018B8_B46FA04A-30A5-4AE1-829C-8E27CA87C1CD
C:\USERS\ALL USERS\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\D3C86AF7A852E2820B9857255CE2DA09_B46FA04A-30A5-4AE1-829C-8E27CA87C1CD
C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\23DBEACBD110B59A4D3DD3A126B018B8_B46FA04A-30A5-4AE1-829C-8E27CA87C1CD
C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\D3C86AF7A852E2820B9857255CE2DA09_B46FA04A-30A5-4AE1-829C-8E27CA87C1CD

--------------------------------------------------------------------------------

Options
Scanning engines:
F-Secure Libra: 2.4.2, 2007-07-20
F-Secure AVP: 7.0.171, 2007-07-20
F-Secure Orion: 1.2.37, 2007-07-20
F-Secure Blacklight: 1.0.64
F-Secure Draco: 1.0.35, 0260-23-12
F-Secure Pegasus: 1.19.0, 2007-06-18
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC

DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML

ZIP XXXANI AVB BAT CMD LSP MAP MHT MIF PHP POT WMF NWS TAR
Use Advanced heuristics

--------------------------------------------------------------------------------

Copyright © 1998-2007 Product support |Send virus sample to F-Secure
F-Secure assumes no responsibility for material created or published by third parties that F-Secure World Wide Web pages have a link to. Unless you

have clearly stated otherwise, by submitting material to any of our servers, for example by E-mail or via our F-Secure's CGI E-mail, you agree that

the material you make available may be published in the F-Secure World Wide Pages or hard-copy publications. You will reach F-Secure public web

site by clicking on underlined links. While doing this, your access will be logged to our private access statistics with your domain name.This

information will not be given to any third party. You agree not to take action against us in relation to material that you submit. Unless you have

clearly stated otherwise, by submitting material you warrant that F-Secure may incorporate any concepts described in it in the F-Secure

products/publications without liability.
======================================
============ end log =================
======================================

continued in next post....

jeennijhof

2007-07-20, 23:00

continued from previous post.....

Here's the HijackThis log after the F-secure actions:

========================
========= start log ========
========================
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:37:19, on 20-7-2007
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Launch Manager\LaunchAp.exe
C:\Program Files\Launch Manager\HotkeyApp.exe
C:\Program Files\Launch Manager\OSDCtrl.exe
C:\Program Files\Launch Manager\WButton.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Acer\OrbiCam10\OrbiCam.exe
C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\conime.exe
C:\Windows\System32\notepad.exe
C:\Users\Jeen\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/ig?hl=nl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Help bij koppelingen - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common

Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - (no file)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [LaunchAp] "C:\Program Files\Launch Manager\LaunchAp.exe"
O4 - HKLM\..\Run: [PowerKey] "C:\Program Files\Launch Manager\PowerKey.exe"
O4 - HKLM\..\Run: [LManager] "C:\Program Files\Launch Manager\HotkeyApp.exe"
O4 - HKLM\..\Run: [LMgrOSD] "C:\Program Files\Launch Manager\OSDCtrl.exe"
O4 - HKLM\..\Run: [Wbutton] "C:\Program Files\Launch Manager\Wbutton.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [AcerOrbicamRibbon] "C:\Program Files\Acer\OrbiCam10\OrbiCam.exe" /hide
O4 - HKLM\..\Run: [LVCOMSX] "C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdc.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [MSConfig] "C:\Windows\System32\msconfig.exe" /auto
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-3916912440-676963738-1737197353-1001\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (User 'Marianne')
O4 - HKUS\S-1-5-21-3916912440-676963738-1737197353-501\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (User 'Gast')
O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
O4 - Global Startup: BTTray.lnk = ?
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - (no file)
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} -

C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth

Software\btsendto_ie.htm
O13 - Gopher Prefix:
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) -

http://a1540.g.akamai.net/7/1540/52/20070501/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {49E71DB9-E803-43BA-AF81-1CAF61A6C4CB} (F-Secure Online Scanner 3.2) - http://support.f-secure.com/ols/beta/fscax.cab
O16 - DPF: {CDA71007-85DF-4E3C-8DE8-C2C31705504A} (F-Secure Online Scanner Launcher 1.0) - http://support.f-secure.com/ols/beta/olslauncher.cab
O23 - Service: Acronis OS Selector Reinstall Service (AcronisOSSReinstallSvc) - Unknown owner - C:\Program Files\Common Files\Acronis\Acronis Disk

Director\oss_reinstall_svc.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: iPod-service (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\Logitech\SrvLnch\SrvLnch.exe
O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Sophos AutoUpdate Service - Sophos Plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
O23 - Service: Windows Network Log (Windows Network Log Manage) - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\MSINFO\Netlog.exe
O23 - Service: WisLMSvc - Wistron Corp. - C:\Program Files\Launch Manager\WisLMSvc.exe

--
End of file - 9783 bytes
====================
======= end log =======
====================

I noticed the netlog.exe still present so i tryed the usb stick... netlog.exe and autorun.inf are still being written to the stick when mounted.

regards,
Jeen

shelf life

2007-07-21, 00:59

hi jeennijhof,

thanks for the info. i got the file you sent. it looks to be a malicious file.
it uses IE to send queries to this ip address which resolves to Australia.

iexplore.exe OUT REFUSED TCP 221.208.97.191 6800 Block activity for application IEXPLORE.EXE
-----------------------------------------
the process hasnt done anything on my computer other than query the server at that ip

do this:
go to start>run and type in--> services.msc,<--in the list of services that comes up look for>>windows network log

right click on it and select properties.
under the general tab:

the path to the .exe should be:C:\Program Files\Common Files\Microsoft Shared\MSINFO\Netlog.exe

make sure that the service status is: Stopped, if not click the Stop button
and the Startup type is: disabled, if not change it to disable
click apply, then ok

next:
go to: C:\Program Files\Common Files\Microsoft Shared\MSINFO and delete the Netlog.exe file
-------------------
rescan and post a new hjt log
shelf life

jeennijhof

2007-07-21, 01:08

I cannot delete the file. the error says: the file is opend in another program. please close it and try again.

how do i determine what program this is?

regards,
Jeen

shelf life

2007-07-21, 02:27

hi jeennijhof

you can try deleting it in safe mode. to reach safe mode you would tap the f8 key during a computer reboot. chose the first option safe mode.
while in safe mode using explorer have a look in:

C;\users\your profile\appData\roaming\microsoft\windows\start menu\programs\startup

you will be looking for a svchost.exe running out of there.
if you find it, delete it

might have to do this first-- to show all files:
# Click Start.
# Open Computer.
# Press the ALT key.
# Select the Tools menu and click Folder Options.
# Select the View Tab.
# Under the Hidden files and folders heading select Show hidden files and folders.
# Uncheck the Hide protected operating system files (recommended) option.
# Click Yes to confirm.
# Click OK.

shelf life

jeennijhof

2007-07-21, 10:24

Hi Shelf Life,

Thanks for helping out.

I managed to delete the "netlog.exe" in safe mode.
I could nog find the "svchost.exe" file in the location you mentioned. There was just a "desktop.ini" there so i didn't bother, i just deleted the "netlog.exe"

When mounting an usb stick, no files are written to it.
So my problem seems to be solved.
Just to be sure i 'll post a fresh HijackThis log:

=========================
======== start log ==========
=========================
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:15:29, on 21-7-2007
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Launch Manager\LaunchAp.exe
C:\Program Files\Launch Manager\HotkeyApp.exe
C:\Program Files\Launch Manager\OSDCtrl.exe
C:\Program Files\Launch Manager\WButton.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe
C:\Program Files\Acer\OrbiCam10\OrbiCam.exe
C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Users\Jeen\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/ig?hl=nl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Help bij koppelingen - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - (no file)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [LaunchAp] "C:\Program Files\Launch Manager\LaunchAp.exe"
O4 - HKLM\..\Run: [PowerKey] "C:\Program Files\Launch Manager\PowerKey.exe"
O4 - HKLM\..\Run: [LManager] "C:\Program Files\Launch Manager\HotkeyApp.exe"
O4 - HKLM\..\Run: [LMgrOSD] "C:\Program Files\Launch Manager\OSDCtrl.exe"
O4 - HKLM\..\Run: [Wbutton] "C:\Program Files\Launch Manager\Wbutton.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [AcerOrbicamRibbon] "C:\Program Files\Acer\OrbiCam10\OrbiCam.exe" /hide
O4 - HKLM\..\Run: [LVCOMSX] "C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdc.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [MSConfig] "C:\Windows\System32\msconfig.exe" /auto
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
O4 - Global Startup: BTTray.lnk = ?
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - (no file)
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O13 - Gopher Prefix:
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20070501/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {49E71DB9-E803-43BA-AF81-1CAF61A6C4CB} (F-Secure Online Scanner 3.2) - http://support.f-secure.com/ols/beta/fscax.cab
O16 - DPF: {CDA71007-85DF-4E3C-8DE8-C2C31705504A} (F-Secure Online Scanner Launcher 1.0) - http://support.f-secure.com/ols/beta/olslauncher.cab
O23 - Service: Acronis OS Selector Reinstall Service (AcronisOSSReinstallSvc) - Unknown owner - C:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall_svc.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: iPod-service (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\Logitech\SrvLnch\SrvLnch.exe
O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Sophos AutoUpdate Service - Sophos Plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
O23 - Service: WisLMSvc - Wistron Corp. - C:\Program Files\Launch Manager\WisLMSvc.exe

--
End of file - 9241 bytes
==========================
======== end log ===========
==========================

So thanks.... i'm glad i'm "clean" again

regards,
Jeen

shelf life

2007-07-21, 22:04

hi Jeen,

I managed to delete the "netlog.exe" in safe mode.
good.

I could nog find the "svchost.exe" file in the location you mentioned.
good. i aksed you to look there because on my computer which runs XP it put a svchost.exe in the startup folder to launch IE automatically at start up.

your hjt log looks ok.

shelf life