Bad download, a lot of crap on my pc



jurgen
2008-01-24, 10:33
Hi,
I downloaded a wrong file from the Internet :oops: and now my computer is trying to log on to the Internet when I don't want it to, making warnings that something is wrong, and Spybot, AVG Free and AVG Anti-Spyware are making warnings.
My logfile of HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 10:16:20, on 24-1-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\system32\o2flash.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Jur\Bureaublad\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.live.com/login.srf?id=2&svc=mail&cbid=24325&msppjph=1&tw=900&fs=1&lc=1043&_lang=NL
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
F3 - REG:win.ini: load=C:\WINDOWS\system32\vtstt.exe
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Comodo Firewall] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [Adobe Version Cue CS2] "C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [avp] C:\WINDOWS\system32\winver.exe
O4 - HKLM\..\Run: [MSDrive] rundll32.exe C:\WINDOWS\system32\drvhug.dll,startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [InternetCalls] "C:\Program Files\InternetCalls.com\InternetCalls\InternetCalls.exe" -nosplash -minimized
O4 - Global Startup: Adobe Acrobat Snelle start.lnk = ?
O8 - Extra context menu item: Converteren naar Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Converteren naar bestaand PDF-bestand - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Geselecteerde koppelingen converteren naar Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Geselecteerde koppelingen converteren naar bestaand PDF-bestand - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Koppelingdoel converteren naar Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Koppelingdoel converteren naar bestaand PDF-bestand - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Selectie converteren naar Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Selectie converteren naar bestaand PDF-bestand - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by117w.bay117.mail.live.com/mail/resources/MsnPUpld.cab
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.mypix.com/importer/ImageUploader4.cab
O16 - DPF: {BD324C84-E46E-11D3-83D0-00C04F4EB66B} (HTMLParser Class) - http://213.197.229.246/synergy/cab/ebcasp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Unknown owner - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe" -win32service (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: O2Micro Flash Memory (O2Flash) - Unknown owner - C:\WINDOWS\system32\o2flash.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe

And my logfile from AVG anti spyware:
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 10:09:41 24-1-2008

+ Scan result:



HKLM\SOFTWARE\Clickspring -> Adware.PurityScan : Ignored.
C:\Documents and Settings\Jur\Cookies\jur@3.adbrite[1].txt -> TrackingCookie.Adbrite : Ignored.
C:\Documents and Settings\Jur\Cookies\jur@adbrite[2].txt -> TrackingCookie.Adbrite : Ignored.
C:\Documents and Settings\Jur\Cookies\jur@ads.adbrite[1].txt -> TrackingCookie.Adbrite : Ignored.
C:\Documents and Settings\Jur\Cookies\jur@com[1].txt -> TrackingCookie.Com : Ignored.
C:\Documents and Settings\Jur\Cookies\jur@stat.onestat[2].txt -> TrackingCookie.Onestat : Ignored.
C:\WINDOWS\system32\wapicc.exe -> Trojan.Small : Ignored.


::Report end

Also I deleted 'Outerinfo' :devil: by add/remove programs and I declined to install Service Pack 2 edition for Windows.

Can anyone help me, please? :sad:
Thanks, Jurgen

steamwiz
2008-01-24, 21:50
Download Superantispyware.

http://www.superantispyware.com/

Once downloaded and installed, update the definitions
and then run a full system scan; quarantine what it finds!

* Double-click SUPERAntiSpyware.exe and use the default settings for installation.
* An icon will be created on your desktop. Double-click that icon to launch the program.
* If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)

http://www.superantispyware.com/definitions.html

* Under "Configuration and Preferences", click the Preferences button.
* Click the Scanning Control tab.
* Under Scanner Options make sure the following are checked (leave all others unchecked):
    o Close browsers before scanning.
    o Scan for tracking cookies.
    o Terminate memory threats before quarantining.
* Click the "Close" button to leave the control center screen.
* Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
* On the left, make sure you check C:\Fixed Drive.
* On the right, under "Complete Scan", choose Perform Complete Scan.
* Click "Next" to start the scan. Please be patient while it scans your computer.
* After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
* Make sure everything has a checkmark next to it and click "Next".
* A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
* If asked if you want to reboot, click "Yes".
* To retrieve the removal information after reboot, launch SUPERAntispyware again.
    o Click Preferences, then click the Statistics/Logs tab.
    o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    o If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    o Please copy and paste the Scan Log results in your next reply.
* Click Close to exit the program.

THEN ...

Download Combofix from any of the links below, and save it to your desktop. For information regarding this download, please visit this webpage: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)


**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts. When finished, it will produce a report for you. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Please remember to post :-


1. SUPERAntiSpyware Scan Log
2. C:\ComboFix.txt
3. a new HijackThis log (run after everything else).

steam

jurgen
2008-01-25, 10:28
Hi Steam,

Hereby my following logs: SUPERAntiSpyware, ComboFix and HijackThis:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/25/2008 at 09:39 AM

Application Version : 3.9.1008

Core Rules Database Version : 3387
Trace Rules Database Version: 1381

Scan type : Complete Scan
Total Scan Time : 10:01:28

Memory items scanned : 333
Memory threats detected : 3
Registry items scanned : 6823
Registry threats detected : 42
File items scanned : 106127
File threats detected : 60

Trojan.Mezzia/Resident
C:\WINDOWS\SYSTEM32\WINUNS32.DLL
C:\WINDOWS\SYSTEM32\WINUNS32.DLL

Trojan.Unclassifed/AffiliateBundle
C:\WINDOWS\SYSTEM32\URQPQRP.DLL
C:\WINDOWS\SYSTEM32\URQPQRP.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{49D63E18-33B1-46F2-82C2-39431FB94794}
HKCR\CLSID\{49D63E18-33B1-46F2-82C2-39431FB94794}
HKCR\CLSID\{49D63E18-33B1-46F2-82C2-39431FB94794}\InprocServer32
HKCR\CLSID\{49D63E18-33B1-46F2-82C2-39431FB94794}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{49D63E18-33B1-46F2-82C2-39431FB94794}
Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\urqpqrp

Trojan.Smitfraud Variant-Gen/PushrDrv
C:\WINDOWS\SYSTEM32\DRVHUG.DLL
C:\WINDOWS\SYSTEM32\DRVHUG.DLL

Adware.ClickSpring/Outer Info Network
HKLM\Software\Classes\CLSID\{2E9D4C81-9F27-4c14-B804-7B0F6BC88A4F}
HKCR\CLSID\{2E9D4C81-9F27-4C14-B804-7B0F6BC88A4F}
HKCR\CLSID\{2E9D4C81-9F27-4C14-B804-7B0F6BC88A4F}\InprocServer32
HKCR\CLSID\{2E9D4C81-9F27-4C14-B804-7B0F6BC88A4F}\InprocServer32#ThreadingModel
HKCR\CLSID\{2E9D4C81-9F27-4C14-B804-7B0F6BC88A4F}\Programmable
HKCR\CLSID\{2E9D4C81-9F27-4C14-B804-7B0F6BC88A4F}\TypeLib
C:\PROGRAM FILES\OUTERINFO\OUTERINFO.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2E9D4C81-9F27-4c14-B804-7B0F6BC88A4F}

Trojan.WinFixer
HKLM\Software\Classes\CLSID\{B2B60A59-9A28-493E-9DD0-B044AF860E03}
HKCR\CLSID\{B2B60A59-9A28-493E-9DD0-B044AF860E03}
HKCR\CLSID\{B2B60A59-9A28-493E-9DD0-B044AF860E03}\InprocServer32
HKCR\CLSID\{B2B60A59-9A28-493E-9DD0-B044AF860E03}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\VTSTT.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B2B60A59-9A28-493E-9DD0-B044AF860E03}

Adware.Tracking Cookie
C:\Documents and Settings\Jur\Cookies\jur@media.intelia[1].txt
C:\Documents and Settings\Jur\Cookies\jur@nl.sitestat[10].txt
C:\Documents and Settings\Jur\Cookies\jur@CAXY5CYR.txt
C:\Documents and Settings\Jur\Cookies\jur@clicksor[2].txt
C:\Documents and Settings\Jur\Cookies\jur@nl.sitestat[4].txt
C:\Documents and Settings\Jur\Cookies\jur@adserver.adremedy[2].txt
C:\Documents and Settings\Jur\Cookies\jur@www.googleadservices[2].txt
C:\Documents and Settings\Jur\Cookies\jur@adbrite[2].txt
C:\Documents and Settings\Jur\Cookies\jur@ads.ookla[1].txt
C:\Documents and Settings\Jur\Cookies\jur@CA7LROXK.txt
C:\Documents and Settings\Jur\Cookies\jur@CAJPTDTP.txt
C:\Documents and Settings\Jur\Cookies\jur@www.comprabanner[2].txt
C:\Documents and Settings\Jur\Cookies\jur@ads.adbrite[1].txt
C:\Documents and Settings\Jur\Cookies\jur@nl.sitestat[8].txt
C:\Documents and Settings\Jur\Cookies\jur@partypoker[2].txt
C:\Documents and Settings\Jur\Cookies\jur@CAU1YVVS.txt
C:\Documents and Settings\Jur\Cookies\jur@usenext[2].txt
C:\Documents and Settings\Jur\Cookies\jur@nl.sitestat[3].txt
C:\Documents and Settings\Jur\Cookies\jur@traffic4u[2].txt
C:\Documents and Settings\Jur\Cookies\jur@www8.addfreestats[1].txt
C:\Documents and Settings\Jur\Cookies\jur@www.googleadservices[1].txt
C:\Documents and Settings\Jur\Cookies\jur@stat.onestat[2].txt
C:\Documents and Settings\Jur\Cookies\jur@s3.shinystat[2].txt
C:\Documents and Settings\Jur\Cookies\jur@test.searchtrack[1].txt
C:\Documents and Settings\Jur\Cookies\jur@3.adbrite[1].txt
C:\Documents and Settings\Jur\Cookies\jur@shinystat[2].txt
C:\Documents and Settings\Jur\Cookies\jur@nl.sitestat[6].txt
C:\Documents and Settings\Jur\Cookies\jur@nl.sitestat[11].txt
C:\Documents and Settings\Jur\Cookies\jur@nl.sitestat[9].txt
C:\Documents and Settings\Jur\Cookies\jur@nl.sitestat[5].txt
C:\Documents and Settings\Jur\Cookies\jur@www.googleadservices[3].txt
C:\Documents and Settings\Jur\Cookies\jur@malwarecrush[1].txt
C:\Documents and Settings\Jur\Cookies\jur@www.traffic4u[1].txt
C:\Documents and Settings\Jur\Cookies\jur@nl.sitestat[1].txt
C:\Documents and Settings\Jur\Cookies\jur@nl.sitestat[2].txt
C:\Documents and Settings\Jur\Cookies\jur@CA71RDI1.txt
C:\Documents and Settings\Jur\Cookies\jur@findology[1].txt
C:\Documents and Settings\Jur\Cookies\jur@precisionclick[1].txt
C:\Documents and Settings\Jur\Cookies\jur@adserver.adremedy[1].txt
C:\Documents and Settings\Jur\Cookies\jur@CA53IQO9.txt
C:\Documents and Settings\Jur\Cookies\jur@scan.malwarecrush[2].txt
C:\Documents and Settings\Jur\Cookies\jur@indextools[1].txt
C:\Documents and Settings\Jur\Cookies\jur@scan.malwarecrush[1].txt
C:\Documents and Settings\Jur\Cookies\jur@nl.sitestat[7].txt
C:\Documents and Settings\Jur\Cookies\jur@ecnext.advertserve[1].txt
C:\Documents and Settings\Jur\Cookies\jur@adserver.easyad[1].txt
C:\Documents and Settings\Jur\Cookies\jur@adecn[1].txt

Adware.ClickSpring
HKLM\Software\ClickSpring
HKLM\Software\ClickSpring#UBWKR

Trojan.NetMon/DNSChange
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#DeviceDesc

Trojan.Unknown Origin
HKLM\SOFTWARE\Microsoft\MSSMGR
HKLM\SOFTWARE\Microsoft\MSSMGR#Brnd
HKLM\SOFTWARE\Microsoft\MSSMGR#BSTV
HKLM\SOFTWARE\Microsoft\MSSMGR#SSTV
HKLM\SOFTWARE\Microsoft\MSSMGR#SCLIST
HKLM\SOFTWARE\Microsoft\MSSMGR#SSLIST
HKLM\SOFTWARE\Microsoft\MSSMGR#PSTV
HKLM\SOFTWARE\Microsoft\MSSMGR#Data
HKLM\SOFTWARE\Microsoft\MSSMGR#LSTV
HKLM\SOFTWARE\Microsoft\MSSMGR#MSLIST
HKLM\SOFTWARE\Microsoft\MSSMGR#BPTV
HKLM\SOFTWARE\Microsoft\MSSMGR#PID
HKLM\SOFTWARE\Microsoft\MSSMGR#Rid

Trojan.DollarRevenue
C:\WINDOWS\keyboard1.dat

Trojan.Downloader-ClickSpring/NDrv
C:\SYSTEM VOLUME INFORMATION\_RESTORE{28D617AA-B4F3-4060-9BC2-85D787C0CC48}\RP333\A0028159.DLL

Malware.WinAntiSpyware-Installer
C:\WINDOWS\SYSTEM32\DRVHUGR.DLL

Adware.ClickSpring/PuritySCAN
C:\WINDOWS\SYSTEM32\WAPICC.EXE

Adware.OuterInfo-Installer
C:\WINDOWS\TEMP\WINA3.EXE
C:\WINDOWS\TEMP\WINF.EXE
C:\WINDOWS\Prefetch\WINA3.EXE-17E4C3F2.pf
C:\WINDOWS\Prefetch\WINF.EXE-174ECE0C.pf


Combofix.txt:
ComboFix 08-01-23.1B - Jur 2008-01-25 10:10:52.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1043.18.542 [GMT 1:00]
Gestart vanuit: C:\Documents and Settings\Jur\Bureaublad\ComboFix.exe
* Nieuw herstelpunt werd aangemaakt

WAARSCHUWING - DE RECOVERY CONSOLE IS NIET OP DIT SYSTEEM GEINSTALLEERD !!
.


Hijackthis logfile:
Logfile of HijackThis v1.99.1
Scan saved at 10:17, on 2008-01-25
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\system32\o2flash.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Jur\Bureaublad\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.live.com/login.srf?id=2&svc=mail&cbid=24325&msppjph=1&tw=900&fs=1&lc=1043&_lang=NL
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Comodo Firewall] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [Adobe Version Cue CS2] "C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [avp] C:\WINDOWS\system32\winver.exe
O4 - HKLM\..\Run: [MSDrive] rundll32.exe C:\WINDOWS\system32\drvhug.dll,startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [InternetCalls] "C:\Program Files\InternetCalls.com\InternetCalls\InternetCalls.exe" -nosplash -minimized
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Acrobat Snelle start.lnk = ?
O8 - Extra context menu item: Converteren naar Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Converteren naar bestaand PDF-bestand - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Geselecteerde koppelingen converteren naar Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Geselecteerde koppelingen converteren naar bestaand PDF-bestand - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Koppelingdoel converteren naar Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Koppelingdoel converteren naar bestaand PDF-bestand - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Selectie converteren naar Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Selectie converteren naar bestaand PDF-bestand - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by117w.bay117.mail.live.com/mail/resources/MsnPUpld.cab
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.mypix.com/importer/ImageUploader4.cab
O16 - DPF: {BD324C84-E46E-11D3-83D0-00C04F4EB66B} (HTMLParser Class) - http://213.197.229.246/synergy/cab/ebcasp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O20 - Winlogon Notify: winuns32 - winuns32.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Unknown owner - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe" -win32service (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: O2Micro Flash Memory (O2Flash) - Unknown owner - C:\WINDOWS\system32\o2flash.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe


I had a few problems after using SUPERAntiSpyware:
Several errors when I started Windows again. Also I cannot start the AVG Antivirus program anymore because it cannot find the avgcc.exe file.

Thanks for your help so far!
Jurgen

steamwiz
2008-01-26, 02:07
Hi

I guess the errors on startup were that Windows couldn't find certain modules?

RE: AVG ... I need to see the Combofix log to see if Combofix accidentally deleted the avgcc.exe file ...

All you posted was :-

Combofix.txt:
ComboFix 08-01-23.1B - Jur 2008-01-25 10:10:52.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1043.18.542 [GMT 1:00]
Gestart vanuit: C:\Documents and Settings\Jur\Bureaublad\ComboFix.exe
* Nieuw herstelpunt werd aangemaakt

WAARSCHUWING - DE RECOVERY CONSOLE IS NIET OP DIT SYSTEEM GEINSTALLEERD !!

steam

jurgen
2008-01-26, 09:40
Hi,
I can't find the C:\Combofix.txt. When I open my hard disk (C:) the txt file is not there. I can find a folder of Combofix. When I open this I found the txt file I posted (called ComboFix.txt).
Do you know where I can find the logfile of Combofix?

I still have the problem that when I start my computer AVG will not start.
Also when I started my computer I get the following errors:
- Installation offer of Windows Service Pack 2 (I denied)
- Run dll: can not load C:\WINDOWS\system32\drvhug.dll

Do you know what this means?

Thanks for your help!
Jurgen

steamwiz
2008-01-26, 20:15
Hi

This looks like the top of the log you are looking for :-

ComboFix 08-01-23.1B - Jur 2008-01-25 10:10:52.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1043.18.542 [GMT 1:00]
Gestart vanuit: C:\Documents and Settings\Jur\Bureaublad\ComboFix.exe
* Nieuw herstelpunt werd aangemaakt

WAARSCHUWING - DE RECOVERY CONSOLE IS NIET OP DIT SYSTEEM GEINSTALLEERD !!

--
Was there no more to it ?

The version of ComboFix 08-01-23.1B ... which you have, had a small bug in it regards producing logs on a few machines ...

Please delete your Combofix.exe file & download a new version from the same link as before (it has been updated) & try again with it.

-

Quote ...
Also when I started my computer I get the following errors:
- Installation offer of Windows Service Pack 2 (I denied) < this is not an error, it's information.
- Run dll: can not load C:\WINDOWS\system32\drvhug.dll < this we can easily fix, it's not a problem, it's confirming you don't have the file (which is good)

I need to see a Combofix log before commenting on AVG ... you may have to reinstall it.

steam

jurgen
2008-01-26, 20:43
Hi,

I installed ComboFix again, with success!
Hereby my logfile:

ComboFix 08-01-23.1C - Jur 2008-01-26 20:26:18.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1043.18.508 [GMT 1:00]
Gestart vanuit: C:\Documents and Settings\Jur\Bureaublad\ComboFix.exe
* Nieuw herstelpunt werd aangemaakt

WAARSCHUWING - DE RECOVERY CONSOLE IS NIET OP DIT SYSTEEM GEINSTALLEERD !!
.

(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\WINDOWS\system32\ttstv.ini
C:\WINDOWS\system32\ttstv.ini2

.
(((((((((((((((((((( Bestanden Gemaakt van 2007-12-26 to 2008-01-26 ))))))))))))))))))))))))))))))
.

2008-01-25 10:10 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-24 23:32 . 2008-01-25 11:28 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-01-24 23:31 . 2008-01-24 23:31 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-24 10:04 . 2008-01-24 10:04 338,432 --a------ C:\WINDOWS\system32\vtstt.exe
2008-01-23 23:07 . 2008-01-25 11:29 <DIR> d-------- C:\Program Files\Shareaza
2008-01-23 22:14 . 2008-01-23 22:14 145 --a------ C:\WINDOWS\system32\winver.bat
2007-12-30 17:45 . 2007-12-30 17:45 193 --a------ C:\WINDOWS\hppsapp.INI

.
((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-23 19:01 --------- d-----w C:\Program Files\Trojan Remover
2006-11-07 21:24 463 ----a-w C:\Program Files\CONFIG.DAT
2002-01-04 15:16 3,306,069 ----a-w C:\Program Files\cap2.exe
2001-11-15 14:07 66 ----a-w C:\Program Files\cap2home.url
.

<pre>
----a-w 45,056 2008-01-24 10:55:50 C:\Program Files\ATI Technologies\ATI.ACE\cli .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\JPEG]
@={40DAD1B9-DDCF-4A31-A5D3-A03BC8881370}

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 17:24 1694208]
"InternetCalls"="C:\Program Files\InternetCalls.com\InternetCalls\InternetCalls.exe" [ ]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06 1318912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2008-01-24 10:03 415232]
"SMSERIAL"="sm56hlpr.exe" [2006-01-20 12:34 544768 C:\WINDOWS\sm56hlpr.exe]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2008-01-24 10:03 385536]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2008-01-24 10:03 1115136]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe" [2008-01-24 10:03 418304]
"RTHDCPL"="RTHDCPL.EXE" []
"Comodo Firewall"="C:\Program Files\Comodo\Firewall\CPF.exe" [2007-02-07 09:03 1115728]
"Adobe Version Cue CS2"="C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe" [2008-01-24 10:03 1255936]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe" [2008-01-24 10:04 827904]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2008-01-24 10:04 561152]
"LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [2008-01-24 10:04 822272]
"LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" [2008-01-24 10:04 557056]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2008-01-24 10:04 495104]
"avp"="C:\WINDOWS\system32\winver.exe" [2004-08-04 13:00 5632]
"MSDrive"="C:\WINDOWS\system32\drvhug.dll" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 13:00 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [2007-10-24 11:19 219136]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winuns32]
winuns32.dll

R0 O2MDRDR;O2MDRDR;C:\WINDOWS\system32\DRIVERS\o2media.sys [2006-02-27 15:00]
R0 O2SDRDR;O2SDRDR;C:\WINDOWS\system32\DRIVERS\o2sd.sys [2006-02-20 16:01]
R0 SiSRaid2;SiSRaid2;C:\WINDOWS\system32\drivers\SiSRaid2.sys [2005-01-11 16:58]
R0 viamraid;viamraid;C:\WINDOWS\system32\drivers\viamraid.sys [2005-04-08 10:43]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2325a216-9b69-11dc-833e-00c0a8be5a87}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{875ebb13-2607-11dc-82e5-00c0a8be5a87}]
\Shell\AutoRun\command - EXPLORER.EXE
\Shell\explore\Command - EXPLORER.EXE
\Shell\open\Command - EXPLORER.EXE

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-26 20:32:35
Windows 5.1.2600 Service Pack 2 NTFS

scannen van verborgen processen ...

scannen van verborgen autostart items ...

scannen van verborgen bestanden ...

Scan succesvol afgerond
verborgen bestanden: 0

**************************************************************************
.
Voltooingstijd: 2008-01-26 20:35:11 - machine was rebooted [Jur]
ComboFix-quarantined-files.txt 2008-01-26 19:35:09
.
2007-12-14 08:58:10 --- E O F ---


Tnx! :)
Jurgen

steamwiz
2008-01-26, 23:08
Hi

Open notepad and copy/paste the text in the code box below into it:
NOTE* make sure to only highlight and copy what is inside the code box nothing out side of it.
Also ..

Pay particular attention to this :-

Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)


File::
C:\WINDOWS\system32\vtstt.exe


Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avp"=-
"MSDrive"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winuns32]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{875ebb13-2607-11dc-82e5-00c0a8be5a87}]


Save this as "CFScript.txt"

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.
http://img.photobucket.com/albums/v666/sUBs/CFScript.gif

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Please run a Kaspersky Online Scan

Please do an online scan with Kaspersky WebScanner (http://www.kaspersky.com/kos/english/kavwebscan.html)

Click on Kaspersky Online Scanner

Click Accept

You will be prompted to install an ActiveX component from Kaspersky,
Click Yes.

The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make sure that the following are selected:

Scan using the following Anti-Virus database:
Extended (if available otherwise Standard)

Scan Options:
Scan Archives
Scan Mail Bases

Click OK
Now under select a target to scan:

Select My Computer

The program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.

Now click on the Save as Text button:

Once finished, save the log to your Desktop as filename KAV.txt


steam
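The two Run values steamwiz deletes with the CFScript above are the ones the earlier reply diagnosed: autostart entries whose target file is no longer on disk (ComboFix shows an empty "[ ]" after such a value, and the "Run dll: can not load ... drvhug.dll" message at boot is the same fact seen from the other side). As an added example, not code from the thread, from ComboFix or from its author, this Python script parses the "Reg Opstartpunten" block of a ComboFix log, lists the values ComboFix could not match to a file, and renders the Registry:: syntax used in the CFScript post. The sample log is a constructed excerpt of the log posted above; the function and constant names are my own.

```python
import re
from collections import OrderedDict
from typing import Iterable, List, NamedTuple, Optional

# Constructed sample: a trimmed copy of the "Reg Opstartpunten" section posted
# in this thread. The bracket after each value is ComboFix's on-disk metadata
# (date, time, size); an empty "[ ]" means ComboFix found no such file.
SAMPLE_LOG = r"""
REGEDIT4
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00 15360]
"InternetCalls"="C:\Program Files\InternetCalls.com\InternetCalls\InternetCalls.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2008-01-24 10:03 1115136]
"avp"="C:\WINDOWS\system32\winver.exe" [2004-08-04 13:00 5632]
"MSDrive"="C:\WINDOWS\system32\drvhug.dll" [ ]
"""

# Winlogon notify key that the thread's CFScript deletes as a whole key.
WINUNS32_KEY = r"HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winuns32"


class AutostartEntry(NamedTuple):
    key: str                   # registry key the value lives under
    name: str                  # value name, e.g. "MSDrive"
    target: str                # path ComboFix extracted from the value data
    file_info: Optional[str]   # ComboFix's "date time size" text, None for "[ ]"


HEADER_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<target>[^"]*)"\s*\[(?P<info>[^\]]*)\]\s*$')


def parse_autostart(log_text: str) -> List[AutostartEntry]:
    """Walk the REGEDIT4-style block and collect every value under its key."""
    entries: List[AutostartEntry] = []
    current_key: Optional[str] = None
    for raw in log_text.splitlines():
        line = raw.strip()
        header = HEADER_RE.match(line)
        if header:
            current_key = header.group('key')
            continue
        value = VALUE_RE.match(line)
        if value and current_key:
            info = value.group('info').strip() or None
            entries.append(AutostartEntry(current_key, value.group('name'),
                                          value.group('target'), info))
    return entries


def orphaned_entries(entries: Iterable[AutostartEntry]) -> List[AutostartEntry]:
    """Values whose target ComboFix could not find on disk ("[ ]").

    This is a review list, not a verdict: a legitimate program that was
    uninstalled leaves the same trace as a removed malware file."""
    return [e for e in entries if e.file_info is None]


def build_cfscript(to_remove: Iterable[AutostartEntry],
                   whole_keys: Iterable[str] = ()) -> str:
    """Render CFScript lines in the syntax used in the post above:
    "name"=- deletes one value, [-KEY] deletes an entire key."""
    grouped: "OrderedDict[str, List[str]]" = OrderedDict()
    for entry in to_remove:
        grouped.setdefault(entry.key, []).append(entry.name)
    lines = ['Registry::']
    for key, names in grouped.items():
        lines.append(f'[{key}]')
        lines.extend(f'"{name}"=-' for name in names)
        lines.append('')
    for key in whole_keys:
        lines.append(f'[-{key}]')
        lines.append('')
    return '\n'.join(lines).rstrip('\n') + '\n'


if __name__ == '__main__':
    parsed = parse_autostart(SAMPLE_LOG)
    for entry in orphaned_entries(parsed):
        print(f'no file on disk: {entry.key}\\{entry.name} -> {entry.target}')
    by_name = {e.name: e for e in parsed}
    # The helper's choice in the thread: the two HKLM values plus the winuns32 key.
    print(build_cfscript([by_name['avp'], by_name['MSDrive']], [WINUNS32_KEY]))
```

Run it as-is and the orphan report names both MSDrive and InternetCalls; the helper in the thread removed only MSDrive (and the "avp" value, whose target does exist), which is why the selection passed to build_cfscript is a human decision rather than the orphan list itself.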

jurgen
2008-01-27, 11:41
Hi,

hereby the following logs:
- New ComboFix logfile
- New HijackThis logfile
- Logfile from Kaspersky (next thread, too many words)

ComboFix 08-01-23.1C - Jur 2008-01-27 9:36:09.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1043.18.546 [GMT 1:00]
Gestart vanuit: C:\Documents and Settings\Jur\Bureaublad\ComboFix.exe
Command switches used :: C:\Documents and Settings\Jur\Bureaublad\CFScript.txt
* Nieuw herstelpunt werd aangemaakt

WAARSCHUWING - DE RECOVERY CONSOLE IS NIET OP DIT SYSTEEM GEINSTALLEERD !!

FILE
C:\WINDOWS\system32\vtstt.exe
.

(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\vtstt.exe

.
(((((((((((((((((((( Bestanden Gemaakt van 2007-12-27 to 2008-01-27 ))))))))))))))))))))))))))))))
.

2008-01-25 10:10 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-24 23:32 . 2008-01-25 11:28 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-01-24 23:31 . 2008-01-24 23:31 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-23 23:07 . 2008-01-25 11:29 <DIR> d-------- C:\Program Files\Shareaza
2008-01-23 22:14 . 2008-01-23 22:14 145 --a------ C:\WINDOWS\system32\winver.bat
2007-12-30 17:45 . 2007-12-30 17:45 193 --a------ C:\WINDOWS\hppsapp.INI

.
((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-24 09:04 561,152 ----a-w C:\WINDOWS\system32\LVCOMSX.EXE
2008-01-23 19:01 --------- d-----w C:\Program Files\Trojan Remover
2007-10-29 22:45 1,291,776 ----a-w C:\WINDOWS\system32\quartz.dll
2006-11-07 21:24 463 ----a-w C:\Program Files\CONFIG.DAT
2005-05-11 21:36 12,288 ----a-w C:\WINDOWS\Fonts\RandFont.dll
2002-01-04 15:16 3,306,069 ----a-w C:\Program Files\cap2.exe
2001-11-15 14:07 66 ----a-w C:\Program Files\cap2home.url
.

<pre>
----a-w 45,056 2008-01-24 10:55:50 C:\Program Files\ATI Technologies\ATI.ACE\cli .exe
</pre>


((((((((((((((((((((((((((((( snapshot@2008-01-26_20.34.57.37 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-26 19:25:59 679,936 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-27 08:35:46 679,936 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-26 19:25:59 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-27 08:35:46 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-26 19:25:59 679,936 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-27 08:35:46 679,936 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-26 19:25:59 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-27 08:35:46 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-26 19:25:59 6,221,824 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
+ 2008-01-27 08:35:47 6,221,824 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
- 2008-01-26 19:26:00 122,880 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-27 08:35:47 122,880 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
- 2008-01-26 08:15:29 65,034 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-01-27 08:19:56 65,034 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-01-26 08:15:29 84,342 ----a-w C:\WINDOWS\system32\perfc013.dat
+ 2008-01-27 08:19:56 84,342 ----a-w C:\WINDOWS\system32\perfc013.dat
- 2008-01-26 08:15:29 407,078 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-01-27 08:19:56 407,078 ----a-w C:\WINDOWS\system32\perfh009.dat
- 2008-01-26 08:15:29 472,104 ----a-w C:\WINDOWS\system32\perfh013.dat
+ 2008-01-27 08:19:56 472,104 ----a-w C:\WINDOWS\system32\perfh013.dat
.
((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\JPEG]
@={40DAD1B9-DDCF-4A31-A5D3-A03BC8881370}

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 17:24 1694208]
"InternetCalls"="C:\Program Files\InternetCalls.com\InternetCalls\InternetCalls.exe" [ ]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06 1318912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2008-01-24 10:03 415232]
"SMSERIAL"="sm56hlpr.exe" [2006-01-20 12:34 544768 C:\WINDOWS\sm56hlpr.exe]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2008-01-24 10:03 385536]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2008-01-24 10:03 1115136]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe" [2008-01-24 10:03 418304]
"RTHDCPL"="RTHDCPL.EXE" []
"Comodo Firewall"="C:\Program Files\Comodo\Firewall\CPF.exe" [2007-02-07 09:03 1115728]
"Adobe Version Cue CS2"="C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe" [2008-01-24 10:03 1255936]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe" [2008-01-24 10:04 827904]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2008-01-24 10:04 561152]
"LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [2008-01-24 10:04 822272]
"LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" [2008-01-24 10:04 557056]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2008-01-24 10:04 495104]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 13:00 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [2007-10-24 11:19 219136]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

R0 O2MDRDR;O2MDRDR;C:\WINDOWS\system32\DRIVERS\o2media.sys [2006-02-27 15:00]
R0 O2SDRDR;O2SDRDR;C:\WINDOWS\system32\DRIVERS\o2sd.sys [2006-02-20 16:01]
R0 SiSRaid2;SiSRaid2;C:\WINDOWS\system32\drivers\SiSRaid2.sys [2005-01-11 16:58]
R0 viamraid;viamraid;C:\WINDOWS\system32\drivers\viamraid.sys [2005-04-08 10:43]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2325a216-9b69-11dc-833e-00c0a8be5a87}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-27 09:40:05
Windows 5.1.2600 Service Pack 2 NTFS

scannen van verborgen processen ...

scannen van verborgen autostart items ...

scannen van verborgen bestanden ...

Scan succesvol afgerond
verborgen bestanden: 0

**************************************************************************
.
Voltooingstijd: 2008-01-27 9:40:31
ComboFix-quarantined-files.txt 2008-01-27 08:40:29
ComboFix2.txt 2008-01-26 19:35:12
.
2007-12-14 08:58:10 --- E O F ---


Logfile of HijackThis v1.99.1
Scan saved at 9:43:44, on 27-1-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\system32\o2flash.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Documents and Settings\Jur\Bureaublad\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.live.com/login.srf?id=2&svc=mail&cbid=24325&msppjph=1&tw=900&fs=1&lc=1043&_lang=NL
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Comodo Firewall] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [Adobe Version Cue CS2] "C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [InternetCalls] "C:\Program Files\InternetCalls.com\InternetCalls\InternetCalls.exe" -nosplash -minimized
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Acrobat Snelle start.lnk = ?
O8 - Extra context menu item: Converteren naar Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Converteren naar bestaand PDF-bestand - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Geselecteerde koppelingen converteren naar Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Geselecteerde koppelingen converteren naar bestaand PDF-bestand - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Koppelingdoel converteren naar Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Koppelingdoel converteren naar bestaand PDF-bestand - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Selectie converteren naar Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Selectie converteren naar bestaand PDF-bestand - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by117w.bay117.mail.live.com/mail/resources/MsnPUpld.cab
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.mypix.com/importer/ImageUploader4.cab
O16 - DPF: {BD324C84-E46E-11D3-83D0-00C04F4EB66B} (HTMLParser Class) - http://213.197.229.246/synergy/cab/ebcasp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Unknown owner - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe" -win32service (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: O2Micro Flash Memory (O2Flash) - Unknown owner - C:\WINDOWS\system32\o2flash.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe


When I restarted the computer, I had no errors anymore! :)
Shall I reinstall AVG free antivirus? AVG antivirus is still not working... Do you have the link for me?

Tnx!
Jurgen

jurgen
2008-01-27, 11:42
Hereby logfile from Kaspersky

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, January 27, 2008 11:30:04 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 27/01/2008
Kaspersky Anti-Virus database records: 533916
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 107727
Number of viruses found: 10
Number of infected objects: 13
Number of suspicious objects: 0
Duration of the scan process: 01:20:17

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5BD67191.dll Infected: not-a-virus:AdWare.Win32.Mostofate.r skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5CC81487.dll Infected: not-a-virus:AdWare.Win32.SurfSide.ap skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5EB55868.htm Infected: Trojan-Clicker.Win32.Small.jf skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6FBD4BAB.exe Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6FD04795.dll Infected: not-a-virus:AdWare.Win32.PurityScan.ak skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6FE76D7C.dll Infected: not-a-virus:AdWare.Win32.NewDotNet.i skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\7015394A.exe Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\735261B9.dll Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\Documents and Settings\Jur\Application Data\Microsoft\Sjablonen\Normal.dot Object is locked skipped
C:\Documents and Settings\Jur\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SUPERANTISPYWARE.LOG Object is locked skipped
C:\Documents and Settings\Jur\Bureaublad\Steam advise 2.doc Object is locked skipped
C:\Documents and Settings\Jur\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Jur\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Jur\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Jur\Local Settings\Geschiedenis\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Jur\Local Settings\Geschiedenis\History.IE5\MSHist012008012720080128\index.dat Object is locked skipped
C:\Documents and Settings\Jur\Local Settings\Temp\~DF3951.tmp Object is locked skipped
C:\Documents and Settings\Jur\Local Settings\Temp\~DF79BC.tmp Object is locked skipped
C:\Documents and Settings\Jur\Local Settings\Temp\~DFCAF2.tmp Object is locked skipped
C:\Documents and Settings\Jur\Local Settings\Temp\~DFF223.tmp Object is locked skipped
C:\Documents and Settings\Jur\Local Settings\Temp\~WRF0000.tmp Object is locked skipped
C:\Documents and Settings\Jur\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Jur\Local Settings\Temporary Internet Files\Content.IE5\DQWDU9UA\css4[1] Object is locked skipped
C:\Documents and Settings\Jur\Local Settings\Temporary Internet Files\Content.IE5\DQWDU9UA\ROUTE_66_Mobile7_1.4[1].rar/keygen.exe Infected: Trojan.Win32.BHO.atk skipped
C:\Documents and Settings\Jur\Local Settings\Temporary Internet Files\Content.IE5\DQWDU9UA\ROUTE_66_Mobile7_1.4[1].rar/crack.exe Infected: Trojan.Win32.Dialer.yz skipped
C:\Documents and Settings\Jur\Local Settings\Temporary Internet Files\Content.IE5\DQWDU9UA\ROUTE_66_Mobile7_1.4[1].rar RAR: infected - 2 skipped
C:\Documents and Settings\Jur\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Jur\Local Settings\Temporary Internet Files\Content.IE5\NX0XI3E8\css4[1] Object is locked skipped
C:\Documents and Settings\Jur\Local Settings\Temporary Internet Files\Content.IE5\NX0XI3E8\css4[2] Object is locked skipped
C:\Documents and Settings\Jur\Local Settings\Temporary Internet Files\Content.IE5\NX0XI3E8\css4[3] Object is locked skipped
C:\Documents and Settings\Jur\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Jur\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Geschiedenis\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe Object is locked skipped
C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe Object is locked skipped
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe Object is locked skipped
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe Object is locked skipped
C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe Object is locked skipped
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe Object is locked skipped
C:\Program Files\Grisoft\AVG Free\avgcc.exe Object is locked skipped
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe Object is locked skipped
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe Object is locked skipped
C:\Program Files\Logitech\Video\ISStart.exe Object is locked skipped
C:\Program Files\Logitech\Video\LogiTray.exe Object is locked skipped
C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\vtstt.exe.vir Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{28D617AA-B4F3-4060-9BC2-85D787C0CC48}\RP333\A0028175.dll Object is locked skipped
C:\System Volume Information\_restore{28D617AA-B4F3-4060-9BC2-85D787C0CC48}\RP333\A0028176.dll Object is locked skipped
C:\System Volume Information\_restore{28D617AA-B4F3-4060-9BC2-85D787C0CC48}\RP335\A0028244.dll Object is locked skipped
C:\System Volume Information\_restore{28D617AA-B4F3-4060-9BC2-85D787C0CC48}\RP335\A0028248.dll Object is locked skipped
C:\System Volume Information\_restore{28D617AA-B4F3-4060-9BC2-85D787C0CC48}\RP335\A0028250.dll Infected: Trojan.Win32.Dialer.yz skipped
C:\System Volume Information\_restore{28D617AA-B4F3-4060-9BC2-85D787C0CC48}\RP339\A0028495.exe Object is locked skipped
C:\System Volume Information\_restore{28D617AA-B4F3-4060-9BC2-85D787C0CC48}\RP339\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LVCOMSX.EXE Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

Jurgen

steamwiz
2008-01-27, 20:03
Hi

It appears you have part of your last anti-virus still ... Norton ...

1. Empty this Quarantine folder C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine

2. you have an Infected file in your Temporary Internet Files, I want you to run Ccleaner to remove it and a lot more unnecessary temp files ... instructions further down in this post.

3. Go to Start > Run > copy and paste ComboFix /u into the Open: box & press OK

http://img.photobucket.com/albums/v624/29wood/Clipboard01-1.gif

4.
This will clear all your infected restore points...

Turn off (Disable) System Restore in XP :-

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Restart your computer.

Then...

Turn on (enable) System Restore :-

Follow the same procedure, but this time uncheck Turn off System Restore

if you have any problem with this... here's a link to instructions :-


Disabling or enabling Windows XP System Restore >

http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?OpenDocument&src=sec_doc_nam

---
Please Download CCleaner from :-

http://www.filehippo.com/download_ccleaner/ (click the download tab)

During the installation be sure to UN-check the box for "Ccleaner Yahoo Toolbar" unless you want it.

double-click the ccsetup.exe file and install the program...

After installing, go to Start > programs > CCleaner > Options > Advanced > UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

Make sure the "windows" tab is selected

Under "internet explorer" tick...

Temporary internet files
Cookies* > see Note below
History
Recently typed URLs (leave this unticked if you DON'T want to clear the drop down list in the address window of IE)
Delete index.dat files
Last download location
Autocomplete form history


under "Windows explorer" these are optional, but you can safely tick them all if you wish, they are only "most recently used lists"

Other explorer MRUs (leave this unticked if you DON'T want to clear lists such as the start\run list)

under "System"

Tick ALL these ...


under "Advanced"

no need to tick any of these (but you can if you want, and realise what they do)


Applications tab...

These will mostly clean out old log files for these applications...

Clean:- (if you use them)

Firefox/Mozilla (optional - leave the cookies - see note)
Opera
Sun Java
ZoneAlarm
...
Personally I clean everything in the applications tab... but you tick what you want...

Note: *If there are any cookies you want to keep (if you remove the cookie for a site you require a password for, you will need to re-enter your password when you next visit that site) ... click options > cookies > then keep the cookies you want.

click "analyse" if you want to see a list of what is going to be removed, before it is removed.

Or

click "run cleaner" to let it get on with its work... clicking this will result in the following pop-up

"This process will permanently delete files from your system. Are you sure you wish to proceed?"

click OK.

-
Now run a new KASPERSKY ONLINE SCAN please & post the report

steam

jurgen
2008-01-29, 17:00
Hi,

here are the following logfiles:
- ComboFix
- Kaspersky
- HijackThis

ComboFix 08-01-23.1C - Jur 2008-01-27 9:36:09.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1043.18.546 [GMT 1:00]
Gestart vanuit: C:\Documents and Settings\Jur\Bureaublad\ComboFix.exe
Command switches used :: C:\Documents and Settings\Jur\Bureaublad\CFScript.txt
* Nieuw herstelpunt werd aangemaakt

WAARSCHUWING - DE RECOVERY CONSOLE IS NIET OP DIT SYSTEEM GEINSTALLEERD !!

FILE
C:\WINDOWS\system32\vtstt.exe
.

(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\vtstt.exe

.
(((((((((((((((((((( Bestanden Gemaakt van 2007-12-27 to 2008-01-27 ))))))))))))))))))))))))))))))
.

2008-01-25 10:10 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-24 23:32 . 2008-01-25 11:28 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-01-24 23:31 . 2008-01-24 23:31 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-23 23:07 . 2008-01-25 11:29 <DIR> d-------- C:\Program Files\Shareaza
2008-01-23 22:14 . 2008-01-23 22:14 145 --a------ C:\WINDOWS\system32\winver.bat
2007-12-30 17:45 . 2007-12-30 17:45 193 --a------ C:\WINDOWS\hppsapp.INI

.
((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-24 09:04 561,152 ----a-w C:\WINDOWS\system32\LVCOMSX.EXE
2008-01-23 19:01 --------- d-----w C:\Program Files\Trojan Remover
2007-10-29 22:45 1,291,776 ----a-w C:\WINDOWS\system32\quartz.dll
2006-11-07 21:24 463 ----a-w C:\Program Files\CONFIG.DAT
2005-05-11 21:36 12,288 ----a-w C:\WINDOWS\Fonts\RandFont.dll
2002-01-04 15:16 3,306,069 ----a-w C:\Program Files\cap2.exe
2001-11-15 14:07 66 ----a-w C:\Program Files\cap2home.url
.

<pre>
----a-w 45,056 2008-01-24 10:55:50 C:\Program Files\ATI Technologies\ATI.ACE\cli .exe
</pre>


((((((((((((((((((((((((((((( snapshot@2008-01-26_20.34.57.37 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-26 19:25:59 679,936 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-27 08:35:46 679,936 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-26 19:25:59 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-27 08:35:46 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-26 19:25:59 679,936 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-27 08:35:46 679,936 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-26 19:25:59 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-27 08:35:46 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-26 19:25:59 6,221,824 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
+ 2008-01-27 08:35:47 6,221,824 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
- 2008-01-26 19:26:00 122,880 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-27 08:35:47 122,880 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
- 2008-01-26 08:15:29 65,034 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-01-27 08:19:56 65,034 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-01-26 08:15:29 84,342 ----a-w C:\WINDOWS\system32\perfc013.dat
+ 2008-01-27 08:19:56 84,342 ----a-w C:\WINDOWS\system32\perfc013.dat
- 2008-01-26 08:15:29 407,078 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-01-27 08:19:56 407,078 ----a-w C:\WINDOWS\system32\perfh009.dat
- 2008-01-26 08:15:29 472,104 ----a-w C:\WINDOWS\system32\perfh013.dat
+ 2008-01-27 08:19:56 472,104 ----a-w C:\WINDOWS\system32\perfh013.dat
.
((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\JPEG]
@={40DAD1B9-DDCF-4A31-A5D3-A03BC8881370}

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 17:24 1694208]
"InternetCalls"="C:\Program Files\InternetCalls.com\InternetCalls\InternetCalls.exe" [ ]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06 1318912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2008-01-24 10:03 415232]
"SMSERIAL"="sm56hlpr.exe" [2006-01-20 12:34 544768 C:\WINDOWS\sm56hlpr.exe]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2008-01-24 10:03 385536]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2008-01-24 10:03 1115136]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe" [2008-01-24 10:03 418304]
"RTHDCPL"="RTHDCPL.EXE" []
"Comodo Firewall"="C:\Program Files\Comodo\Firewall\CPF.exe" [2007-02-07 09:03 1115728]
"Adobe Version Cue CS2"="C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe" [2008-01-24 10:03 1255936]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe" [2008-01-24 10:04 827904]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2008-01-24 10:04 561152]
"LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [2008-01-24 10:04 822272]
"LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" [2008-01-24 10:04 557056]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2008-01-24 10:04 495104]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 13:00 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [2007-10-24 11:19 219136]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

R0 O2MDRDR;O2MDRDR;C:\WINDOWS\system32\DRIVERS\o2media.sys [2006-02-27 15:00]
R0 O2SDRDR;O2SDRDR;C:\WINDOWS\system32\DRIVERS\o2sd.sys [2006-02-20 16:01]
R0 SiSRaid2;SiSRaid2;C:\WINDOWS\system32\drivers\SiSRaid2.sys [2005-01-11 16:58]
R0 viamraid;viamraid;C:\WINDOWS\system32\drivers\viamraid.sys [2005-04-08 10:43]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2325a216-9b69-11dc-833e-00c0a8be5a87}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-27 09:40:05
Windows 5.1.2600 Service Pack 2 NTFS

scannen van verborgen processen ...

scannen van verborgen autostart items ...

scannen van verborgen bestanden ...

Scan succesvol afgerond
verborgen bestanden: 0

**************************************************************************
.
Voltooingstijd: 2008-01-27 9:40:31
ComboFix-quarantined-files.txt 2008-01-27 08:40:29
ComboFix2.txt 2008-01-26 19:35:12
.
2007-12-14 08:58:10 --- E O F ---

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, January 29, 2008 4:38:39 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 29/01/2008
Kaspersky Anti-Virus database records: 535777
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 86671
Number of viruses found: 0
Number of infected objects: 0
Number of suspicious objects: 0
Duration of the scan process: 01:09:24

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\Jur\Application Data\Microsoft\Sjablonen\Normal.dot Object is locked skipped
C:\Documents and Settings\Jur\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SUPERANTISPYWARE.LOG Object is locked skipped
C:\Documents and Settings\Jur\Bureaublad\Steam advise 2.doc Object is locked skipped
C:\Documents and Settings\Jur\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Jur\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Jur\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Jur\Local Settings\Geschiedenis\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Jur\Local Settings\Geschiedenis\History.IE5\MSHist012008012920080130\index.dat Object is locked skipped
C:\Documents and Settings\Jur\Local Settings\Temp\~DF123.tmp Object is locked skipped
C:\Documents and Settings\Jur\Local Settings\Temp\~DF37C5.tmp Object is locked skipped
C:\Documents and Settings\Jur\Local Settings\Temp\~DF504E.tmp Object is locked skipped
C:\Documents and Settings\Jur\Local Settings\Temp\~DFD1C5.tmp Object is locked skipped
C:\Documents and Settings\Jur\Local Settings\Temp\~WRF0000.tmp Object is locked skipped
C:\Documents and Settings\Jur\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Jur\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Jur\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Jur\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Geschiedenis\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe Object is locked skipped
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe Object is locked skipped
C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{28D617AA-B4F3-4060-9BC2-85D787C0CC48}\RP1\A0000348.exe Object is locked skipped
C:\System Volume Information\_restore{28D617AA-B4F3-4060-9BC2-85D787C0CC48}\RP1\A0000349.exe Object is locked skipped
C:\System Volume Information\_restore{28D617AA-B4F3-4060-9BC2-85D787C0CC48}\RP1\A0000350.exe Object is locked skipped
C:\System Volume Information\_restore{28D617AA-B4F3-4060-9BC2-85D787C0CC48}\RP1\A0000351.exe Object is locked skipped
C:\System Volume Information\_restore{28D617AA-B4F3-4060-9BC2-85D787C0CC48}\RP1\A0000352.exe Object is locked skipped
C:\System Volume Information\_restore{28D617AA-B4F3-4060-9BC2-85D787C0CC48}\RP1\A0000353.exe Object is locked skipped
C:\System Volume Information\_restore{28D617AA-B4F3-4060-9BC2-85D787C0CC48}\RP1\A0000354.exe Object is locked skipped
C:\System Volume Information\_restore{28D617AA-B4F3-4060-9BC2-85D787C0CC48}\RP1\A0000355.exe Object is locked skipped
C:\System Volume Information\_restore{28D617AA-B4F3-4060-9BC2-85D787C0CC48}\RP1\A0000356.exe Object is locked skipped
C:\System Volume Information\_restore{28D617AA-B4F3-4060-9BC2-85D787C0CC48}\RP1\A0000357.EXE Object is locked skipped
C:\System Volume Information\_restore{28D617AA-B4F3-4060-9BC2-85D787C0CC48}\RP1\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

jurgen
2008-01-29, 17:01
And the HijackThis logfile:

Logfile of HijackThis v1.99.1
Scan saved at 16:39:51, on 29-1-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\system32\o2flash.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Jur\Bureaublad\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.live.com/login.srf?id=2&svc=mail&cbid=24325&msppjph=1&tw=900&fs=1&lc=1043&_lang=NL
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Comodo Firewall] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [InternetCalls] "C:\Program Files\InternetCalls.com\InternetCalls\InternetCalls.exe" -nosplash -minimized
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Acrobat Snelle start.lnk = ?
O8 - Extra context menu item: Converteren naar Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Converteren naar bestaand PDF-bestand - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Geselecteerde koppelingen converteren naar Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Geselecteerde koppelingen converteren naar bestaand PDF-bestand - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Koppelingdoel converteren naar Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Koppelingdoel converteren naar bestaand PDF-bestand - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Selectie converteren naar Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Selectie converteren naar bestaand PDF-bestand - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by117w.bay117.mail.live.com/mail/resources/MsnPUpld.cab
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.mypix.com/importer/ImageUploader4.cab
O16 - DPF: {BD324C84-E46E-11D3-83D0-00C04F4EB66B} (HTMLParser Class) - http://213.197.229.246/synergy/cab/ebcasp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Unknown owner - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe" -win32service (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: O2Micro Flash Memory (O2Flash) - Unknown owner - C:\WINDOWS\system32\o2flash.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe

Maybe there is still something on my PC; sometimes different programs are trying to access the Internet, but my firewall is preventing this. (Catalyst Control Centre, MSN Messenger when it was not open)

Thanks so far! :)
Jurgen

jurgen
2008-02-01, 12:59
Hi,

at this moment I still have an unwanted request to access the Internet from the following program:
swHelper_1020023.exe

What does this mean? Is this bad?

And is my computer clean, or are there still unwanted programs on my computer (see the last logfiles I posted)?

Tnx!
Jurgen

Metallica
2008-02-06, 10:23
Hi Jurgen,

steamwiz seems to be unavailable at the moment.
Can you give me a short recap of the problems you are still facing?

In the meantime I'll read up on what you have done so far.

Regards,

jurgen
2008-02-06, 12:46
Hi Pieter,

thanks for looking into my file! :)

I still have the problem of SwHelper trying to access the Internet, but my firewall is blocking this, and then Internet Explorer doesn't work anymore after my firewall has blocked SwHelper.

Also, I did new virus scans with AVG Free and SUPERAntiSpyware, and I still get hits for Trojan horse viruses and hostile cookies...

Besides this, I think my computer is fine.

Greetings, Jurgen

Metallica
2008-02-06, 18:00
Hi jurgen,

swhelper reportedly belongs to Shockwave, so if you installed that program you can allow it access in your firewall.
That should stop the IE crashes on sites that require it.

Can you post the logs from AVG or SAS where trojans are listed?

I'd like to see what and where they are found.

jurgen
2008-02-09, 10:13
Hi Pieter,

I could not find a proper AVG scan logfile, so I cannot post one. There were three threats: Adobe/Photo Album Starter/apdproxy.exe, HP Software Update/HPWuSchd2.exe and Nokia Software Launcher/NSLauncher.exe

And this is the logfile of SAS:
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/02/2008 at 01:29 PM

Application Version : 3.9.1008

Core Rules Database Version : 3387
Trace Rules Database Version: 1381

Scan type : Complete Scan
Total Scan Time : 01:45:15

Memory items scanned : 436
Memory threats detected : 0
Registry items scanned : 6791
Registry threats detected : 0
File items scanned : 89310
File threats detected : 12

Adware.Tracking Cookie
C:\Documents and Settings\Jur\Cookies\jur@adbrite[2].txt
C:\Documents and Settings\Jur\Cookies\jur@nl.sitestat[5].txt
C:\Documents and Settings\Jur\Cookies\jur@nl.sitestat[4].txt
C:\Documents and Settings\Jur\Cookies\jur@ads.adbrite[1].txt
C:\Documents and Settings\Jur\Cookies\jur@www.googleadservices[2].txt
C:\Documents and Settings\Jur\Cookies\jur@doubleclick.hertz[2].txt
C:\Documents and Settings\Jur\Cookies\jur@nl.sitestat[1].txt
C:\Documents and Settings\Jur\Cookies\jur@www.googleadservices[1].txt
C:\Documents and Settings\Jur\Cookies\jur@nl.sitestat[6].txt
C:\Documents and Settings\Jur\Cookies\jur@www.fullreleases[1].txt
C:\Documents and Settings\Jur\Cookies\jur@nl.sitestat[2].txt
C:\Documents and Settings\Jur\Cookies\jur@nl.sitestat[3].txt

Tnx for your help! :)
greetings, Jurgen

Metallica
2008-02-09, 11:07
Tracking cookies are a pest but easy to cure and they don't do any harm except provide information about you.
You should read:
http://privacy.getnetwise.org/browsing/tips/cookies

You may also want to have a look at my (Dutch) site
http://www.pieter-arntz.info/Spywareinfonl.html#voorkomen about how to prevent spyware.

To see if we can find some trojans:
Please do an online scan with Kaspersky WebScanner (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html)

Click on Accept

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT

Now click on Scan Settings
In the scan settings make sure that the following are selected:
Scan using the following Anti-Virus database:
Extended (if available otherwise Standard)

Scan Options:
Scan Archives
Scan Mail Bases

Click OK
Now under "Select a target to scan": select My Computer

The program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information in your next post.
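To show the triage done by eye on the SAS log above (every listed hit sits under "Adware.Tracking Cookie", so nothing needs removal beyond clearing cookies), here is an added Python example; it is not code from the thread or from SUPERAntiSpyware. The log layout (numeric header counters, then a category label followed by its items) is assumed from the log posted above, and the "Trojan.Placeholder-Example" entry in the second sample is constructed.

```python
import re
from collections import defaultdict

# Excerpt of the SAS log posted in the thread, shortened to three cookie hits.
COOKIE_LOG = """SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/02/2008 at 01:29 PM

Registry threats detected : 0
File items scanned : 89310
File threats detected : 3

Adware.Tracking Cookie
C:\\Documents and Settings\\Jur\\Cookies\\jur@adbrite[2].txt
C:\\Documents and Settings\\Jur\\Cookies\\jur@nl.sitestat[5].txt
C:\\Documents and Settings\\Jur\\Cookies\\jur@www.googleadservices[2].txt
"""

# Constructed log with one non-cookie hit (placeholder name, not a real family).
MIXED_LOG = COOKIE_LOG.replace("File threats detected : 3", "File threats detected : 4") + \
    "\nTrojan.Placeholder-Example\nC:\\WINDOWS\\system32\\placeholder-example.exe\n"

STAT_RE = re.compile(r"^(?P<key>[A-Za-z ]+?)\s*:\s*(?P<value>\d+)$")
ITEM_RE = re.compile(r"^(?:[A-Za-z]:\\|HKEY_)")   # file path or registry key (assumed shapes)
HARMLESS = {"Adware.Tracking Cookie"}              # categories that need no follow-up

def parse_sas_log(text):
    """Return (stats, detections): numeric header counters and category -> items."""
    stats, detections, category = {}, defaultdict(list), None
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        if category and ITEM_RE.match(line):
            detections[category].append(line)   # item belongs to the last label seen
            continue
        m = STAT_RE.match(line)
        if m:
            stats[m.group("key")] = int(m.group("value"))
        else:
            category = line   # any other non-blank line is a (potential) detection label
    return stats, dict(detections)

def triage(text):
    """Compare listed items with the header counts and pick out non-cookie hits."""
    stats, detections = parse_sas_log(text)
    listed = sum(len(items) for items in detections.values())
    reported = stats.get("File threats detected", 0) + stats.get("Registry threats detected", 0)
    needs_followup = {c: items for c, items in detections.items() if c not in HARMLESS}
    return {"listed": listed, "reported": reported,
            "complete": listed == reported, "needs_followup": needs_followup}

if __name__ == "__main__":
    for name, log in (("cookie-only", COOKIE_LOG), ("mixed", MIXED_LOG)):
        print(name, triage(log))
```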

jurgen
2008-02-14, 20:55
Hi Pieter,

sorry for this late reply, I just moved to Italy so I was a bit busy the last few days.
Is it a coincidence that you are Dutch too, or had you already seen from my logfiles that I am Dutch?
Here is my logfile, it looks like I have nothing left, or do I?

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, February 14, 2008 8:51:18 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 14/02/2008
Kaspersky Anti-Virus database records: 565623
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 88628
Number of viruses found: 0
Number of infected objects: 0
Number of suspicious objects: 0
Duration of the scan process: 01:13:08

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\Jur\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SUPERANTISPYWARE.LOG Object is locked skipped
C:\Documents and Settings\Jur\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Jur\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Jur\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Jur\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Jur\Local Settings\Geschiedenis\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Jur\Local Settings\Geschiedenis\History.IE5\MSHist012008021420080215\index.dat Object is locked skipped
C:\Documents and Settings\Jur\Local Settings\Temp\~DF18AB.tmp Object is locked skipped
C:\Documents and Settings\Jur\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Jur\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Jur\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Jur\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Geschiedenis\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Geschiedenis\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{28D617AA-B4F3-4060-9BC2-85D787C0CC48}\RP1\A0000348.exe Object is locked skipped
C:\System Volume Information\_restore{28D617AA-B4F3-4060-9BC2-85D787C0CC48}\RP1\A0000349.exe Object is locked skipped
C:\System Volume Information\_restore{28D617AA-B4F3-4060-9BC2-85D787C0CC48}\RP1\A0000350.exe Object is locked skipped
C:\System Volume Information\_restore{28D617AA-B4F3-4060-9BC2-85D787C0CC48}\RP1\A0000351.exe Object is locked skipped
C:\System Volume Information\_restore{28D617AA-B4F3-4060-9BC2-85D787C0CC48}\RP1\A0000352.exe Object is locked skipped
C:\System Volume Information\_restore{28D617AA-B4F3-4060-9BC2-85D787C0CC48}\RP1\A0000353.exe Object is locked skipped
C:\System Volume Information\_restore{28D617AA-B4F3-4060-9BC2-85D787C0CC48}\RP1\A0000354.exe Object is locked skipped
C:\System Volume Information\_restore{28D617AA-B4F3-4060-9BC2-85D787C0CC48}\RP1\A0000355.exe Object is locked skipped
C:\System Volume Information\_restore{28D617AA-B4F3-4060-9BC2-85D787C0CC48}\RP1\A0000356.exe Object is locked skipped
C:\System Volume Information\_restore{28D617AA-B4F3-4060-9BC2-85D787C0CC48}\RP1\A0000357.EXE Object is locked skipped
C:\System Volume Information\_restore{28D617AA-B4F3-4060-9BC2-85D787C0CC48}\RP11\change.log Object is locked skipped
C:\System Volume Information\_restore{28D617AA-B4F3-4060-9BC2-85D787C0CC48}\RP5\A0000679.exe Object is locked skipped
C:\System Volume Information\_restore{28D617AA-B4F3-4060-9BC2-85D787C0CC48}\RP5\A0000680.exe Object is locked skipped
C:\System Volume Information\_restore{28D617AA-B4F3-4060-9BC2-85D787C0CC48}\RP5\A0000681.exe Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

Tnx! :)
greetings, Jurjen

Metallica
2008-02-14, 20:57
Sure looks like it. :bigthumb:

I picked your log because I saw you were Dutch too. :)

Makes it easier to post my prevention speech:
Please read:
http://www.pieter-arntz.info/Spywareinfonl.html#voorkomen

Greetings &