Help me get rid of Virtumonde
OK, so I got Virtumonde on my PC.
Please help me get rid of it.
I did a scan with Trend Micro HijackThis.
The log is in this message; can anyone tell me what to do?
Thanks already!!
Kat
---------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:09:31, on 18-4-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Roxio\MyDVD\MyDVD\USBDeviceService.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe
C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\Program Files\TomTom HOME\TomTomHOME.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Roxio\MyDVD\MyDVD\DetectorApp.exe
C:\Documents and Settings\All Users\Application Data\hsfqfmxu\belizktq.exe
C:\Program Files\Apoint\HidFind.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Movie Maker\moviemk.exe
C:\Program Files\Maxthon2\Maxthon.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Margo Klijn\Mijn documenten\PROGRAMMAS\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://kompaswerkendam.nl/index.php?option=com_easygb&Itemid=42
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.onlineregister.com/sonic/cgi/switch.cgi?REFR=Roxio&LANG=NL
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {275A6097-AF73-42A6-A0EE-5151F629B71D} - C:\WINDOWS\system32\iifCrRIY.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: (no name) - {C14E6230-757D-4246-81CE-B34E2940C722} - C:\WINDOWS\system32\urqOIcDs.dll
O2 - BHO: (no name) - {C6C6B153-3728-4CEA-9600-0C8E8633F4E6} - C:\WINDOWS\system32\khfDTMGa.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll (file missing)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [DLBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [Device Detector] DevDetect.exe -autorun
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME\TomTomHOME.exe" -s
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DetectorApp] C:\Program Files\Roxio\MyDVD\MyDVD\DetectorApp.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DeskLook] C:\Program Files\XemiComputers\DeskLook\DeskLook.exe
O4 - HKCU\..\Policies\Explorer\Run: [901kd0RYiJ] C:\Documents and Settings\All Users\Application Data\hsfqfmxu\belizktq.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Lokale service')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.racoon.nl
O16 - DPF: {1FEC8B6F-250A-4293-B12C-67A7EF0B758A} (sIKN Speler) - http://www.kerkomroep.nl/ocx/sIKNPlayer.cab
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - https://www.dotphoto.com/ImageUploader4.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: urqOIcDs - C:\WINDOWS\SYSTEM32\urqOIcDs.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe (file missing)
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: USBDeviceService - Unknown owner - C:\Program Files\Roxio\MyDVD\MyDVD\USBDeviceService.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
--
End of file - 10615 bytes
random/random
2008-04-19, 13:23
We'll begin with ComboFix. Please visit this webpage for download links, and instructions for running the tool:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Post the combofix log and a new HijackThis log as a reply to this topic.
OK, here's the ComboFix log.
After the scan I got a message on my desktop saying I have several fatal errors and I need to click here. Does ComboFix generate this message?
----------------------------------------------
ComboFix 08-04-18.3 - Margo Klijn 2008-04-19 18:29:57.1 - NTFSx86
Gestart vanuit: C:\Documents and Settings\Margo Klijn\Bureaublad\ComboFix.exe
Command switches used :: C:\Documents and Settings\Margo Klijn\Bureaublad\WindowsXP-KB310994-SP2-Home-BootDisk-NLD.exe
* Nieuw herstelpunt werd aangemaakt
.
(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Margo Klijn\Application Data\inst.exe
C:\microbyte.vbs
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\system32\aGMTDfhk.ini
C:\WINDOWS\system32\aGMTDfhk.ini2
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\YIRrCfii.ini
C:\WINDOWS\system32\YIRrCfii.ini2
.
(((((((((((((((((((( Bestanden Gemaakt van 2008-03-19 to 2008-04-19 ))))))))))))))))))))))))))))))
.
2008-04-19 18:34 . 2008-04-19 18:34 <DIR> d-------- C:\Documents and Settings\Margo Klijn\Bureaubladvirii
2008-04-19 18:34 . 2008-04-19 18:34 4,096 --a------ C:\Documents and Settings\Margo Klijn\BureaubladTrojan.Win32.BlackBird.exe
2008-04-19 18:33 . 2008-04-19 18:34 <DIR> d-------- C:\Program Files\Inet Delivery
2008-04-19 18:33 . 2008-04-19 18:33 <DIR> d-------- C:\Program Files\akl
2008-04-19 18:33 . 2008-04-19 18:33 98,304 --a------ C:\WINDOWS\system32\spmxsvmx.exe
2008-04-19 18:33 . 2008-04-19 18:33 4,096 --a------ C:\Documents and Settings\Margo Klijn\BureaubladFWebdEditor.exe
2008-04-19 18:33 . 2008-04-19 18:33 4,096 --a------ C:\Documents and Settings\Margo Klijn\Bureaubladfwebd.exe
2008-04-19 18:33 . 2008-04-19 18:33 4,096 --a------ C:\Documents and Settings\Margo Klijn\Bureaubladfkwp2.0.exe
2008-04-19 18:33 . 2008-04-19 18:33 4,096 --a------ C:\Documents and Settings\Margo Klijn\Bureaubladfkwp1.5.exe
2008-04-19 18:33 . 2008-04-19 18:33 4,096 --a------ C:\Documents and Settings\Margo Klijn\Bureaubladfilemanagerclient.exe
2008-04-19 18:33 . 2008-04-19 18:33 4,096 --a------ C:\Documents and Settings\Margo Klijn\BureaubladEditorFKWP2.0.exe
2008-04-19 18:33 . 2008-04-19 18:33 4,096 --a------ C:\Documents and Settings\Margo Klijn\BureaubladEditorFKWP1.5.exe
2008-04-18 20:20 . 2008-04-18 20:20 <DIR> d-------- C:\Program Files\Maxthon2
2008-04-17 19:53 . 2008-04-17 19:53 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-14 20:20 . 2008-04-14 20:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\hsfqfmxu
2008-04-14 19:58 . 2008-04-14 20:10 <DIR> d-------- C:\Program Files\XemiComputers
2008-04-14 19:58 . 2008-04-14 19:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\XemiComputers
2008-04-12 22:30 . 2008-04-14 22:09 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-12 22:30 . 2008-04-12 22:30 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-11 21:44 . 2008-04-12 22:43 <DIR> d-------- C:\MyDownloads
2008-04-08 21:24 . 2008-04-08 21:24 <DIR> d-------- C:\WINDOWS\DA15D5355E1D4076B5208571346D6238.TMP
2008-03-31 20:34 . 2008-03-31 20:34 1,158 --a------ C:\WINDOWS\mozver.dat
2008-03-31 20:26 . 2008-03-31 20:26 0 --a------ C:\WINDOWS\nsreg.dat
2008-03-31 18:35 . 2008-04-19 18:09 <DIR> d-------- C:\Documents and Settings\Margo Klijn\Application Data\MxBoost
2008-03-30 14:17 . 2008-03-30 14:16 27,757,113 --a------ C:\MiSa_1.mp4
2008-03-29 14:38 . 2008-03-29 14:38 <DIR> d-------- C:\WINDOWS\system32\quicktime
2008-03-29 14:38 . 2008-03-29 14:38 <DIR> d-------- C:\Program Files\AVI Codec Pack
2008-03-20 23:12 . 2008-03-20 23:12 34 --ah----- C:\WINDOWS\system32\DVDRippper_sysquict.dat
2008-03-20 23:11 . 2008-03-20 23:13 <DIR> d-------- C:\Program Files\Abcc Free AVI MPEG WMV MOV Converter
.
((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-17 18:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-15 18:28 --------- d-----w C:\Documents and Settings\Margo Klijn\Application Data\AVG7
2008-04-14 19:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-03-30 20:51 --------- d-----w C:\Documents and Settings\Margo Klijn\Application Data\SWiSHvideo
2008-03-24 13:03 --------- d-----w C:\Program Files\QuickTime
2008-03-24 13:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-03-17 21:48 --------- d-----w C:\Documents and Settings\Margo Klijn\Application Data\uTorrent
2008-03-14 17:40 --------- d-----w C:\Program Files\Java
2008-03-12 13:41 --------- d-----w C:\Program Files\Common Files\Real
2008-03-02 09:11 41,360 ----a-w C:\Documents and Settings\Margo Klijn\Application Data\GDIPFONTCACHEV1.DAT
2008-02-25 18:10 --------- d-----w C:\Program Files\Belastingdienst
2008-02-23 14:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-02-23 11:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2007-11-03 11:07 87,608 ----a-w C:\Documents and Settings\Margo Klijn\Application Data\ezpinst.exe
2007-11-03 11:07 47,360 ----a-w C:\Documents and Settings\Margo Klijn\Application Data\pcouffin.sys
2007-05-24 17:57 104 --sh--r C:\WINDOWS\system32\7B6080401F.sys
.
((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{275A6097-AF73-42A6-A0EE-5151F629B71D}]
C:\WINDOWS\system32\iifCrRIY.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C6C6B153-3728-4CEA-9600-0C8E8633F4E6}]
C:\WINDOWS\system32\khfDTMGa.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 14:00 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 18:24 1694208]
"DeskLook"="C:\Program Files\XemiComputers\DeskLook\DeskLook.exe" [ ]
"tdcouqcx"="C:\WINDOWS\system32\spmxsvmx.exe" [2008-04-19 18:33 98304]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2005-10-07 08:13 176128]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 23:05 344064]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 16:59 385024]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-11-01 05:12 94208]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2005-09-01 19:24 684032]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 12:44 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 12:44 81920]
"Corel Photo Downloader"="C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe" [ ]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-12-31 10:22 579072]
"DLBTCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll" [2004-11-09 23:41 69632]
"Dell Photo AIO Printer 922"="C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe" [2004-11-10 21:36 290816]
"Device Detector"="DevDetect.exe" []
"MediaFace Integration"="C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe" [2002-09-17 19:31 53248]
"VSOCheckTask"="C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" [ ]
"VirusScan Online"="C:\Program Files\McAfee.com\VSO\mcvsshld.exe" [ ]
"OASClnt"="C:\Program Files\McAfee.com\VSO\oasclnt.exe" [ ]
"TomTomHOME.exe"="C:\Program Files\TomTom HOME\TomTomHOME.exe" [2007-03-14 16:52 3770024]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2005-08-26 05:33 122941]
"DetectorApp"="C:\Program Files\Roxio\MyDVD\MyDVD\DetectorApp.exe" [2005-08-31 06:15 102400]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-02-01 00:13 385024]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 14:00 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [2007-10-28 10:21 219136]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-10-23 23:18 443968]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"901kd0RYiJ"= C:\Documents and Settings\All Users\Application Data\hsfqfmxu\belizktq.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"901kd0RYiJ"= C:\Documents and Settings\All Users\Application Data\hsfqfmxu\belizktq.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2004-09-07 18:08 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urqOIcDs]
urqOIcDs.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe"=
"C:\\Program Files\\utorrent\\utorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
.
Inhoud van de 'Gedeelde Taken' map
"2007-12-21 15:26:05 C:\WINDOWS\Tasks\Norton Security Scan.job"
- C:\Program Files\Norton Security Scan\Nss.exe
"2008-04-18 16:30:00 C:\WINDOWS\Tasks\Scannen op virussen via McAfee.com - Mijn computer (MARGO-Margo Klijn).job"
- c:\program files\mcafee.com\vso\mcmnhdlr.exe
.
**************************************************************************
catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-19 18:33:31
Windows 5.1.2600 Service Pack 2 NTFS
scannen van verborgen processen ...
scannen van verborgen autostart items ...
scannen van verborgen bestanden ...
C:\WINDOWS\iTunesMusic.exe 4096 bytes
Scan succesvol afgerond
verborgen bestanden: 1
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Dell\NicConfigSvc\NicConfigSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Roxio\MyDVD\MyDVD\USBDeviceService.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\Program Files\Apoint\hidfind.exe
C:\Program Files\Apoint\ApntEx.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\WinZip\WZQKPICK.EXE
.
**************************************************************************
.
Voltooingstijd: 2008-04-19 18:37:31 - machine was rebooted [Margo Klijn]
ComboFix-quarantined-files.txt 2008-04-19 16:37:25
Pre-Run: 11,436,412,928 bytes beschikbaar
Post-Run: 21,121,183,744 bytes beschikbaar
WindowsXP-KB310994-SP2-Home-BootDisk-NLD.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
180 --- E O F --- 2008-04-15 20:13:06
---------------------------------------------
And the HijackThis log:
---------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:45:01, on 19-4-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Roxio\MyDVD\MyDVD\USBDeviceService.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe
C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
C:\Program Files\TomTom HOME\TomTomHOME.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Roxio\MyDVD\MyDVD\DetectorApp.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\Documents and Settings\All Users\Application Data\hsfqfmxu\belizktq.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\spmxsvmx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Maxthon2\Maxthon.exe
C:\Documents and Settings\Margo Klijn\Mijn documenten\PROGRAMMAS\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://kompaswerkendam.nl/index.php?option=com_easygb&Itemid=42
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.onlineregister.com/sonic/cgi/switch.cgi?REFR=Roxio&LANG=NL
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {275A6097-AF73-42A6-A0EE-5151F629B71D} - C:\WINDOWS\system32\iifCrRIY.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: (no name) - {C6C6B153-3728-4CEA-9600-0C8E8633F4E6} - C:\WINDOWS\system32\khfDTMGa.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll (file missing)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [DLBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [Device Detector] DevDetect.exe -autorun
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME\TomTomHOME.exe" -s
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DetectorApp] C:\Program Files\Roxio\MyDVD\MyDVD\DetectorApp.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DeskLook] C:\Program Files\XemiComputers\DeskLook\DeskLook.exe
O4 - HKCU\..\Run: [tdcouqcx] C:\WINDOWS\system32\spmxsvmx.exe
O4 - HKLM\..\Policies\Explorer\Run: [901kd0RYiJ] C:\Documents and Settings\All Users\Application Data\hsfqfmxu\belizktq.exe
O4 - HKCU\..\Policies\Explorer\Run: [901kd0RYiJ] C:\Documents and Settings\All Users\Application Data\hsfqfmxu\belizktq.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Lokale service')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.racoon.nl
O16 - DPF: {1FEC8B6F-250A-4293-B12C-67A7EF0B758A} (sIKN Speler) - http://www.kerkomroep.nl/ocx/sIKNPlayer.cab
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - https://www.dotphoto.com/ImageUploader4.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: urqOIcDs - urqOIcDs.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe (file missing)
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: USBDeviceService - Unknown owner - C:\Program Files\Roxio\MyDVD\MyDVD\USBDeviceService.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
--
End of file - 10563 bytes
Ok I also ran another Spybot S&D. Now I've got a big load of all kinds of rubbish like Smitfraud, etc. Before running ComboFix, Spybot told me I had no immediate threats, which I didn't trust because every time I started up Windows I got a message from AVG that there was a trojan horse. Well anyway I let Spybot fix my threats, I hope that was ok. Since you're trying to help me out, I don't wanna mess up things :oops: but I guess I already did mess up my system or let it get messed up.
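The HijackThis log above is long, and the few entries that matter for cleanup are easy to miss among the legitimate ones. The following is an added triage script for this page (it is not a HijackThis, ComboFix or forum tool), written in Python: it parses the O-numbered entry lines and flags entries whose target file is reported missing (such as the O20 Winlogon Notify urqOIcDs.dll line) together with entries in sections that always warrant a look (O15 Trusted Zone, O20 Winlogon Notify). The sample lines are copied from the log above; the section list, reasons and function names are this example's own choices.

```python
"""Triage helper for HijackThis log lines.

Added example for this thread, not a tool from HijackThis, ComboFix or the
forum: it reads the O-numbered entries of a HijackThis log and lists the
ones a helper would examine first. The sample lines are copied from the
log posted above; everything else (names, section list) is this example's own.
"""
import re
from dataclasses import dataclass

# Sample input: lines taken from the HijackThis log in the thread.
SAMPLE_LOG = """\
Running processes:
C:\\WINDOWS\\System32\\smss.exe
O4 - HKLM\\..\\Run: [AVG7_CC] C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O15 - Trusted Zone: http://www.racoon.nl
O20 - Winlogon Notify: urqOIcDs - urqOIcDs.dll (file missing)
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\\PROGRA~1\\mcafee.com\\vso\\mcshield.exe (file missing)
O23 - Service: EvtEng - Intel Corporation - C:\\Program Files\\Intel\\Wireless\\Bin\\EvtEng.exe
"""

# HijackThis entry lines look like "O4 - HKLM\..\Run: [...]" or "R0 - HKCU\...".
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")

# Sections worth reviewing whenever they appear at all (this example's own list).
ALWAYS_REVIEW = {
    "O15": "site added to Internet Explorer's Trusted Zone (relaxed security settings)",
    "O20": "Winlogon Notify handler: DLL loaded at logon, a persistence spot used by Virtumonde",
}


@dataclass
class Finding:
    section: str
    reasons: list
    line: str


def parse_entries(text):
    """Return (section, body, line) for every O/R entry; header and process lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("section"), m.group("body"), line))
    return entries


def triage(text):
    """Flag entries that point at missing files and entries in always-review sections."""
    findings = []
    for section, body, line in parse_entries(text):
        reasons = []
        if "(file missing)" in body or "(no file)" in body:
            # Dangling launch point: either leftovers of an uninstalled program or a
            # malware component that was deleted while its autostart entry survived.
            reasons.append("launch point references a file that is not on disk")
        if section in ALWAYS_REVIEW:
            reasons.append(ALWAYS_REVIEW[section])
        if reasons:
            findings.append(Finding(section, reasons, line))
    return findings


def report(text):
    """Human-readable summary: one finding per block, reasons first, then the raw line."""
    return "\n".join(
        f"{f.section}: {'; '.join(f.reasons)}\n    {f.line}" for f in triage(text)
    )


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run against a full log, this narrows a 150-line HijackThis report to the handful of entries a helper actually asks about; an entry that is flagged is a candidate for review, not proof of infection, since uninstalled software also leaves dangling launch points behind.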
random/random
2008-04-19, 22:55
After the scan I've got a message on my desktop that I've got several fatal errors and I need to click here. Does ComboFix generate this message?
No, ComboFix does not generate this message. I suspect it is being generated by the malware present.
Well anyway I let Spybot fix my threats, I hope that was ok.
That's OK
From the presence of this folder: C:\Program Files\akl you appear to have Absolute Keylogger installed (http://www.spywareguide.com/spydet_2220_absolute_key_logger.html). Did you install it yourself?
You have signs of a Keylogger on your computer.
You are strongly advised to do the following immediately:
1. Call all of your banks, credit card companies, and financial institutions. Inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.
2. From a clean computer, change *all* your online passwords -- for email, for banks, financial accounts, PayPal, eBay, online companies, any online forums or groups you belong to.
Do NOT change passwords or do any transactions while using the infected computer, because the attacker will get the new passwords and transaction information.
Open a new notepad window (Start>All programs>accessories>notepad)
Highlight the contents of the below codebox and then press ctrl+c to copy it to the clipboard
Folder::
C:\Documents and Settings\Margo Klijn\Bureaubladvirii
C:\Program Files\Inet Delivery
C:\Documents and Settings\All Users\Application Data\hsfqfmxu
C:\WINDOWS\DA15D5355E1D4076B5208571346D6238.TMP
File::
C:\Documents and Settings\Margo Klijn\BureaubladTrojan.Win32.BlackBird.exe
C:\Documents and Settings\Margo Klijn\BureaubladFWebdEditor.exe
C:\Documents and Settings\Margo Klijn\Bureaubladfwebd.exe
C:\Documents and Settings\Margo Klijn\Bureaubladfkwp2.0.exe
C:\Documents and Settings\Margo Klijn\Bureaubladfkwp1.5.exe
C:\Documents and Settings\Margo Klijn\Bureaubladfilemanagerclient.exe
C:\Documents and Settings\Margo Klijn\BureaubladEditorFKWP2.0.exe
C:\Documents and Settings\Margo Klijn\BureaubladEditorFKWP1.5.exe
C:\WINDOWS\system32\spmxsvmx.exe
Rootkit::
C:\WINDOWS\iTunesMusic.exe
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{275A6097-AF73-42A6-A0EE-5151F629B71D}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C6C6B153-3728-4CEA-9600-0C8E8633F4E6}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"tdcouqcx"=-
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=dword:00000000
[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urqOIcDs]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000000
Paste the contents of the clipboard into the notepad window by pressing ctrl+v or edit>paste
Save it to the desktop as CFscript.txt
Now drag and drop CFscript.txt onto combofix.exe as in the picture below and follow the prompts:
http://images.malwareremoval.com/cfscript/CFScript.gif
When finished, it shall produce a log for you. Post that log and a HiJackThis log in your next reply
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
I did what you told me, here's the log.
------------------
ComboFix 08-04-18.3 - Margo Klijn 2008-04-19 22:44:59.2 - NTFSx86
Gestart vanuit: C:\Documents and Settings\Margo Klijn\Bureaublad\ComboFix.exe
Command switches used :: C:\Documents and Settings\Margo Klijn\Bureaublad\CFscript.txt
* Nieuw herstelpunt werd aangemaakt
FILE ::
C:\Documents and Settings\Margo Klijn\BureaubladEditorFKWP1.5.exe
C:\Documents and Settings\Margo Klijn\BureaubladEditorFKWP2.0.exe
C:\Documents and Settings\Margo Klijn\Bureaubladfilemanagerclient.exe
C:\Documents and Settings\Margo Klijn\Bureaubladfkwp1.5.exe
C:\Documents and Settings\Margo Klijn\Bureaubladfkwp2.0.exe
C:\Documents and Settings\Margo Klijn\Bureaubladfwebd.exe
C:\Documents and Settings\Margo Klijn\BureaubladFWebdEditor.exe
C:\Documents and Settings\Margo Klijn\BureaubladTrojan.Win32.BlackBird.exe
C:\WINDOWS\system32\spmxsvmx.exe
.
(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Application Data\hsfqfmxu
C:\Documents and Settings\All Users\Application Data\hsfqfmxu\belizktq.exe
C:\Documents and Settings\Margo Klijn\Bureaubladblackbird.jpg
C:\Documents and Settings\Margo Klijn\BureaubladEditorFKWP1.5.exe
C:\Documents and Settings\Margo Klijn\BureaubladEditorFKWP2.0.exe
C:\Documents and Settings\Margo Klijn\Bureaubladfilemanagerclient.exe
C:\Documents and Settings\Margo Klijn\Bureaubladfkwp1.5.exe
C:\Documents and Settings\Margo Klijn\Bureaubladfkwp2.0.exe
C:\Documents and Settings\Margo Klijn\Bureaubladfwebd.exe
C:\Documents and Settings\Margo Klijn\BureaubladFWebdEditor.exe
C:\Documents and Settings\Margo Klijn\BureaubladTrojan.Win32.BlackBird.exe
C:\WINDOWS\DA15D5355E1D4076B5208571346D6238.TMP
C:\WINDOWS\DA15D5355E1D4076B5208571346D6238.TMP\WiseCustomCalla.dll
C:\WINDOWS\DA15D5355E1D4076B5208571346D6238.TMP\WiseCustomCalla1.dll
C:\WINDOWS\DA15D5355E1D4076B5208571346D6238.TMP\WiseData.ini
C:\WINDOWS\iTunesMusic.exe
C:\WINDOWS\system32bdn.com
C:\WINDOWS\system32hxiwlgpm.dat
C:\WINDOWS\system32ssvchost.com
C:\WINDOWS\system32taack.dat
C:\WINDOWS\system32VBIEWER.OCX
.
(((((((((((((((((((( Bestanden Gemaakt van 2008-03-19 to 2008-04-19 ))))))))))))))))))))))))))))))
.
2008-04-18 20:20 . 2008-04-18 20:20 <DIR> d-------- C:\Program Files\Maxthon2
2008-04-17 19:53 . 2008-04-17 19:53 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-14 19:58 . 2008-04-14 19:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\XemiComputers
2008-04-12 22:30 . 2008-04-14 22:09 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-12 22:30 . 2008-04-12 22:30 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-11 21:44 . 2008-04-12 22:43 <DIR> d-------- C:\MyDownloads
2008-03-31 20:34 . 2008-03-31 20:34 1,158 --a------ C:\WINDOWS\mozver.dat
2008-03-31 20:26 . 2008-03-31 20:26 0 --a------ C:\WINDOWS\nsreg.dat
2008-03-31 18:35 . 2008-04-19 22:44 <DIR> d-------- C:\Documents and Settings\Margo Klijn\Application Data\MxBoost
2008-03-30 14:17 . 2008-03-30 14:16 27,757,113 --a------ C:\MiSa_1.mp4
2008-03-29 14:38 . 2008-03-29 14:38 <DIR> d-------- C:\WINDOWS\system32\quicktime
2008-03-29 14:38 . 2008-03-29 14:38 <DIR> d-------- C:\Program Files\AVI Codec Pack
2008-03-20 23:12 . 2008-03-20 23:12 34 --ah----- C:\WINDOWS\system32\DVDRippper_sysquict.dat
2008-03-20 23:11 . 2008-03-20 23:13 <DIR> d-------- C:\Program Files\Abcc Free AVI MPEG WMV MOV Converter
.
((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-19 17:28 --------- d-----w C:\Documents and Settings\Margo Klijn\Application Data\AVG7
2008-04-17 18:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-14 19:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-03-30 20:51 --------- d-----w C:\Documents and Settings\Margo Klijn\Application Data\SWiSHvideo
2008-03-24 13:03 --------- d-----w C:\Program Files\QuickTime
2008-03-24 13:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-03-17 21:48 --------- d-----w C:\Documents and Settings\Margo Klijn\Application Data\uTorrent
2008-03-14 17:40 --------- d-----w C:\Program Files\Java
2008-03-12 13:41 --------- d-----w C:\Program Files\Common Files\Real
2008-03-02 09:11 41,360 ----a-w C:\Documents and Settings\Margo Klijn\Application Data\GDIPFONTCACHEV1.DAT
2008-02-25 18:10 --------- d-----w C:\Program Files\Belastingdienst
2008-02-23 14:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-02-23 11:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2007-11-03 11:07 87,608 ----a-w C:\Documents and Settings\Margo Klijn\Application Data\ezpinst.exe
2007-11-03 11:07 47,360 ----a-w C:\Documents and Settings\Margo Klijn\Application Data\pcouffin.sys
2007-05-24 17:57 104 --sh--r C:\WINDOWS\system32\7B6080401F.sys
.
((((((((((((((((((((((((((((( snapshot@2008-04-19_18.37.11.51 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-19 16:33:06 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-19 20:48:35 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 14:00 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 18:24 1694208]
"DeskLook"="C:\Program Files\XemiComputers\DeskLook\DeskLook.exe" [ ]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2005-10-07 08:13 176128]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 23:05 344064]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 16:59 385024]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-11-01 05:12 94208]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2005-09-01 19:24 684032]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 12:44 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 12:44 81920]
"Corel Photo Downloader"="C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe" [ ]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-12-31 10:22 579072]
"DLBTCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll" [2004-11-09 23:41 69632]
"Dell Photo AIO Printer 922"="C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe" [2004-11-10 21:36 290816]
"Device Detector"="DevDetect.exe" []
"MediaFace Integration"="C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe" [2002-09-17 19:31 53248]
"VSOCheckTask"="C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" [ ]
"VirusScan Online"="C:\Program Files\McAfee.com\VSO\mcvsshld.exe" [ ]
"OASClnt"="C:\Program Files\McAfee.com\VSO\oasclnt.exe" [ ]
"TomTomHOME.exe"="C:\Program Files\TomTom HOME\TomTomHOME.exe" [2007-03-14 16:52 3770024]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2005-08-26 05:33 122941]
"DetectorApp"="C:\Program Files\Roxio\MyDVD\MyDVD\DetectorApp.exe" [2005-08-31 06:15 102400]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-02-01 00:13 385024]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 14:00 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [2007-10-28 10:21 219136]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-10-23 23:18 443968]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2004-09-07 18:08 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
.
Inhoud van de 'Gedeelde Taken' map
"2007-12-21 15:26:05 C:\WINDOWS\Tasks\Norton Security Scan.job"
- C:\Program Files\Norton Security Scan\Nss.exe
"2008-04-18 16:30:00 C:\WINDOWS\Tasks\Scannen op virussen via McAfee.com - Mijn computer (MARGO-Margo Klijn).job"
- c:\program files\mcafee.com\vso\mcmnhdlr.exe
.
**************************************************************************
catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-19 22:49:06
Windows 5.1.2600 Service Pack 2 NTFS
scannen van verborgen processen ...
scannen van verborgen autostart items ...
scannen van verborgen bestanden ...
Scan succesvol afgerond
verborgen bestanden: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Dell\NicConfigSvc\NicConfigSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Roxio\MyDVD\MyDVD\USBDeviceService.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Apoint\ApntEx.exe
C:\Program Files\Apoint\hidfind.exe
C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\WinZip\WZQKPICK.EXE
.
**************************************************************************
.
Voltooingstijd: 2008-04-19 22:53:36 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-19 20:53:31
ComboFix2.txt 2008-04-19 16:37:32
Pre-Run: 21,360,132,096 bytes beschikbaar
Post-Run: 21,353,299,968 bytes beschikbaar
172 --- E O F --- 2008-04-15 20:13:06
-------------------------
And from hijack this
--------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:54:37, on 19-4-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Roxio\MyDVD\MyDVD\USBDeviceService.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe
C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
C:\Program Files\TomTom HOME\TomTomHOME.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Roxio\MyDVD\MyDVD\DetectorApp.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Maxthon2\Maxthon.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Margo Klijn\Mijn documenten\PROGRAMMAS\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://kompaswerkendam.nl/index.php?option=com_easygb&Itemid=42
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.onlineregister.com/sonic/cgi/switch.cgi?REFR=Roxio&LANG=NL
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll (file missing)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [DLBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [Device Detector] DevDetect.exe -autorun
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME\TomTomHOME.exe" -s
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DetectorApp] C:\Program Files\Roxio\MyDVD\MyDVD\DetectorApp.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DeskLook] C:\Program Files\XemiComputers\DeskLook\DeskLook.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Lokale service')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.racoon.nl
O16 - DPF: {1FEC8B6F-250A-4293-B12C-67A7EF0B758A} (sIKN Speler) - http://www.kerkomroep.nl/ocx/sIKNPlayer.cab
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - https://www.dotphoto.com/ImageUploader4.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe (file missing)
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: USBDeviceService - Unknown owner - C:\Program Files\Roxio\MyDVD\MyDVD\USBDeviceService.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
--
End of file - 9909 bytes
random/random
2008-04-20, 00:11
Are you aware of the Absolute Keylogger software present on your computer?
I understand what you told me,
I don't recall installing anything like that on my PC.
How come I can't see that akl folder with Explorer? I can 'view hidden files'. Is it already gone or just very hidden?
random/random
2008-04-20, 00:45
I suspect that it may be hidden from windows explorer, or possibly it was removed when you ran Spybot.
We'll remove it now.
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version Java components and update.
Updating Java:
Download the latest version of Java Runtime Environment (JRE) 6 (http://java.sun.com/javase/downloads/index.jsp).
Scroll down to where it says "The Java SE Runtime Environment (JRE) allows end-users to run Java applications".
Click the "Download" button to the right.
Check the box that says: "Accept License Agreement".
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on the download to install the newest version.
Open a new notepad window (Start>All programs>accessories>notepad)
Highlight the contents of the below codebox and then press ctrl+c to copy it to the clipboard
Folder::
C:\Program Files\akl
Paste the contents of the clipboard into the notepad window by pressing ctrl+v or edit>paste
Save it to the desktop as CFscript.txt
Now drag and drop CFscript.txt onto combofix.exe as in the picture below and follow the prompts:
http://images.malwareremoval.com/cfscript/CFScript.gif
When finished, it shall produce a log for you. Post that log and a HiJackThis log in your next reply
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
I reinstalled the newest version of Java and ran ComboFix with the script. Here's the log and the log of HijackThis.
I'm so glad you're helping me with this!!
------------------------------
ComboFix 08-04-18.3 - Margo Klijn 2008-04-20 9:18:32.3 - NTFSx86
Gestart vanuit: C:\Documents and Settings\Margo Klijn\Bureaublad\ComboFix.exe
Command switches used :: C:\Documents and Settings\Margo Klijn\Bureaublad\CFscript.txt
* Nieuw herstelpunt werd aangemaakt
.
(((((((((((((((((((( Bestanden Gemaakt van 2008-03-20 to 2008-04-20 ))))))))))))))))))))))))))))))
.
2008-04-20 09:16 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-04-20 09:15 . 2008-04-20 09:15 <DIR> d-------- C:\Program Files\Common Files\Java
2008-04-18 20:20 . 2008-04-18 20:20 <DIR> d-------- C:\Program Files\Maxthon2
2008-04-17 19:53 . 2008-04-17 19:53 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-14 19:58 . 2008-04-14 19:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\XemiComputers
2008-04-12 22:30 . 2008-04-14 22:09 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-12 22:30 . 2008-04-12 22:30 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-11 21:44 . 2008-04-12 22:43 <DIR> d-------- C:\MyDownloads
2008-03-31 20:34 . 2008-03-31 20:34 1,158 --a------ C:\WINDOWS\mozver.dat
2008-03-31 20:26 . 2008-03-31 20:26 0 --a------ C:\WINDOWS\nsreg.dat
2008-03-31 18:35 . 2008-04-20 08:48 <DIR> d-------- C:\Documents and Settings\Margo Klijn\Application Data\MxBoost
2008-03-30 14:17 . 2008-03-30 14:16 27,757,113 --a------ C:\MiSa_1.mp4
2008-03-29 14:38 . 2008-03-29 14:38 <DIR> d-------- C:\WINDOWS\system32\quicktime
2008-03-29 14:38 . 2008-03-29 14:38 <DIR> d-------- C:\Program Files\AVI Codec Pack
2008-03-20 23:12 . 2008-03-20 23:12 34 --ah----- C:\WINDOWS\system32\DVDRippper_sysquict.dat
2008-03-20 23:11 . 2008-03-20 23:13 <DIR> d-------- C:\Program Files\Abcc Free AVI MPEG WMV MOV Converter
.
((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-20 07:16 --------- d-----w C:\Program Files\Java
2008-04-19 17:28 --------- d-----w C:\Documents and Settings\Margo Klijn\Application Data\AVG7
2008-04-17 18:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-14 19:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-03-30 20:51 --------- d-----w C:\Documents and Settings\Margo Klijn\Application Data\SWiSHvideo
2008-03-24 13:03 --------- d-----w C:\Program Files\QuickTime
2008-03-24 13:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-03-20 08:10 1,845,376 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-20 08:10 1,845,376 ------w C:\WINDOWS\system32\dllcache\win32k.sys
2008-03-17 21:48 --------- d-----w C:\Documents and Settings\Margo Klijn\Application Data\uTorrent
2008-03-12 13:41 --------- d-----w C:\Program Files\Common Files\Real
2008-03-02 09:11 41,360 ----a-w C:\Documents and Settings\Margo Klijn\Application Data\GDIPFONTCACHEV1.DAT
2008-03-01 16:35 3,591,680 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-02-29 08:58 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-02-29 08:58 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-02-25 18:10 --------- d-----w C:\Program Files\Belastingdienst
2008-02-23 14:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-02-23 11:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-02-22 10:00 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-02-21 18:30 6,320 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 06:51 282,624 ------w C:\WINDOWS\system32\dllcache\gdi32.dll
2008-02-20 05:39 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-20 05:39 45,568 ------w C:\WINDOWS\system32\dllcache\dnsrslvr.dll
2008-02-20 05:39 148,992 ------w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-02-15 05:44 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2007-11-03 11:07 87,608 ----a-w C:\Documents and Settings\Margo Klijn\Application Data\ezpinst.exe
2007-11-03 11:07 47,360 ----a-w C:\Documents and Settings\Margo Klijn\Application Data\pcouffin.sys
2007-05-24 17:57 104 --sh--r C:\WINDOWS\system32\7B6080401F.sys
.
((((((((((((((((((((((((((((( snapshot@2008-04-19_18.37.11.51 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-19 16:33:06 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-20 07:14:28 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-02-22 00:23:35 135,168 ----a-w C:\WINDOWS\system32\java.exe
+ 2008-03-24 23:28:39 135,168 ----a-w C:\WINDOWS\system32\java.exe
- 2008-02-22 00:23:39 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2008-03-24 23:28:43 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
- 2008-02-22 01:33:32 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2008-03-25 00:37:01 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
.
((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 14:00 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 18:24 1694208]
"DeskLook"="C:\Program Files\XemiComputers\DeskLook\DeskLook.exe" [ ]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2005-10-07 08:13 176128]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 23:05 344064]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 16:59 385024]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-11-01 05:12 94208]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2005-09-01 19:24 684032]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 12:44 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 12:44 81920]
"Corel Photo Downloader"="C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe" [ ]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-12-31 10:22 579072]
"DLBTCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll" [2004-11-09 23:41 69632]
"Dell Photo AIO Printer 922"="C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe" [2004-11-10 21:36 290816]
"Device Detector"="DevDetect.exe" []
"MediaFace Integration"="C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe" [2002-09-17 19:31 53248]
"VSOCheckTask"="C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" [ ]
"VirusScan Online"="C:\Program Files\McAfee.com\VSO\mcvsshld.exe" [ ]
"OASClnt"="C:\Program Files\McAfee.com\VSO\oasclnt.exe" [ ]
"TomTomHOME.exe"="C:\Program Files\TomTom HOME\TomTomHOME.exe" [2007-03-14 16:52 3770024]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2005-08-26 05:33 122941]
"DetectorApp"="C:\Program Files\Roxio\MyDVD\MyDVD\DetectorApp.exe" [2005-08-31 06:15 102400]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-02-01 00:13 385024]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 14:00 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [2007-10-28 10:21 219136]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-10-23 23:18 443968]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2004-09-07 18:08 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
.
Inhoud van de 'Gedeelde Taken' map
"2007-12-21 15:26:05 C:\WINDOWS\Tasks\Norton Security Scan.job"
- C:\Program Files\Norton Security Scan\Nss.exe
"2008-04-18 16:30:00 C:\WINDOWS\Tasks\Scannen op virussen via McAfee.com - Mijn computer (MARGO-Margo Klijn).job"
- c:\program files\mcafee.com\vso\mcmnhdlr.exe
.
**************************************************************************
catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-20 09:20:34
Windows 5.1.2600 Service Pack 2 NTFS
scannen van verborgen processen ...
scannen van verborgen autostart items ...
scannen van verborgen bestanden ...
Scan succesvol afgerond
verborgen bestanden: 0
**************************************************************************
.
Voltooingstijd: 2008-04-20 9:21:57
ComboFix-quarantined-files.txt 2008-04-20 07:21:30
ComboFix2.txt 2008-04-19 20:53:36
ComboFix3.txt 2008-04-19 16:37:32
Pre-Run: 21,478,883,328 bytes beschikbaar
Post-Run: 21,469,048,832 bytes beschikbaar
135 --- E O F --- 2008-04-15 20:13:06
---------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:23:09, on 20-4-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Roxio\MyDVD\MyDVD\USBDeviceService.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe
C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\Program Files\TomTom HOME\TomTomHOME.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Roxio\MyDVD\MyDVD\DetectorApp.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Margo Klijn\Mijn documenten\PROGRAMMAS\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://kompaswerkendam.nl/index.php?option=com_easygb&Itemid=42
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.onlineregister.com/sonic/cgi/switch.cgi?REFR=Roxio&LANG=NL
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll (file missing)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [DLBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [Device Detector] DevDetect.exe -autorun
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME\TomTomHOME.exe" -s
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DetectorApp] C:\Program Files\Roxio\MyDVD\MyDVD\DetectorApp.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DeskLook] C:\Program Files\XemiComputers\DeskLook\DeskLook.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Lokale service')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.racoon.nl
O16 - DPF: {1FEC8B6F-250A-4293-B12C-67A7EF0B758A} (sIKN Speler) - http://www.kerkomroep.nl/ocx/sIKNPlayer.cab
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - https://www.dotphoto.com/ImageUploader4.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe (file missing)
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: USBDeviceService - Unknown owner - C:\Program Files\Roxio\MyDVD\MyDVD\USBDeviceService.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
--
End of file - 9762 bytes
random/random
2008-04-20, 13:00
It appears that you have some remnants of McAfee and Norton products that you previously had installed. I suggest that you download and run the Norton Removal Tool (http://www.majorgeeks.com/Norton_Removal_Tool_SymNRT_d4749.html) and the McAfee Consumer Product Removal tool (http://www.majorgeeks.com/McAfee_Consumer_Product_Removal_Tool_d5420.html).
You are running a P2P filesharing programme.
Many of these programmes come with unwanted components bundled with them.
If you wish to find out whether the one you're using does click here (http://p2p.malwareremoval.com/).
Please note: Even if you are using a "safe" P2P programme, it is only the programme that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.
Remember that no matter how clean the program you're using for Peer-to-Peer filesharing may be, it offers no guarantees regarding the cleanliness of files you may choose to download. All files available via Peer-to-Peer filesharing carry a high risk, particularly those that offer you illegitimate methods of using legitimate software programs without paying for them. Any program or file that offers you the ability to access non-freeware programs at no cost, e.g., pirated software and/or cracks/key generators for gaining access to legitimate software, is 100% guaranteed to contain malware.
Here is some information that looks at the rates of infection:
http://www.benedelman.org/spyware/p2p/
My recommendation is you uninstall all P2P programs.
Go here (http://www.eset.eu/online-scanner) to run an online scanner from ESET.
Note: You will need to use Internet Explorer for this scan
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the ActiveX control to install
Click Start
Make sure that the option Remove found threats is unticked, and the option Scan unwanted applications is checked
Click Scan
Wait for the scan to finish
Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
Copy and paste that log as a reply to this topic, along with a new HijackThis log and a description of any remaining problems.
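One way to triage a HijackThis log for the kind of leftover entries random/random spotted above (McAfee and Norton remnants, binaries that no longer exist, unnamed toolbars), as an added Python example that is not part of this thread or of HijackThis itself; the sample lines inside it are copied from the logs posted above, and the remnant_keywords parameter and the reason labels are names chosen for this example.

```python
import re
from dataclasses import dataclass, field

# Lines copied from the HijackThis logs posted above, assembled here as a
# constructed sample input so the script runs offline.
SAMPLE_LOG = r"""O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll (file missing)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - Global Startup: Digital Line Detect.lnk = ?
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe (file missing)
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
"""

# HijackThis prefixes a section code (R0, O2, O4, O23, ...) to every entry.
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")


@dataclass
class Finding:
    code: str
    entry: str
    reasons: list = field(default_factory=list)


def triage_line(line, remnant_keywords=()):
    """Return a Finding for one log line, or None if nothing looks stale."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    code, body = m.group("code"), m.group("body")
    low = body.lower()
    reasons = []
    if "(file missing)" in low or "(no file)" in low:
        # HijackThis checked the disk and the referenced binary is gone.
        reasons.append("target file missing")
    if "(no name)" in low:
        # Legitimate toolbars and BHOs normally register a display name.
        reasons.append("unnamed entry")
    if code == "O4" and body.rstrip().endswith("= ?"):
        # Startup shortcut whose target HijackThis could not resolve.
        reasons.append("shortcut target unresolved")
    if code == "O23" and "unknown owner" in low:
        # Service without a vendor string in its binary.
        reasons.append("service without a vendor name")
    for kw in remnant_keywords:
        # Products the user says were uninstalled should leave no entries.
        if kw.lower() in low:
            reasons.append(f"references removed product '{kw}'")
    return Finding(code, body, reasons) if reasons else None


def triage(log_text, remnant_keywords=()):
    """Run triage_line over a whole log and keep only the suspicious entries."""
    findings = []
    for line in log_text.splitlines():
        f = triage_line(line, remnant_keywords)
        if f:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, remnant_keywords=("McAfee", "Norton")):
        print(f"{f.code}: {'; '.join(f.reasons)}\n    {f.entry}")
```

Entries it flags are candidates for review, not automatic removals: an unnamed toolbar with no file is harmless clutter, while a missing-file service entry is exactly the kind of uninstall leftover the vendor removal tools above clean up.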
I used uTorrent a while ago. I deleted it yesterday, did a nice cleanup of everything I don't use anymore. Norton and McAfee are gone too. I thought I removed them before with Control Panel / Software, but it wasn't fully removed apparently (it was a trial that came with the PC).
The log from ESET is down here with the log of HijackThis. The AVI Codec Pack Plus 2 that ESET found I downloaded myself to watch HDTV with Windows Media Player. Maybe I can do without it, I don't know if it's a big threat. There are other codec packs that can do the same.
I have no other issues with my PC at the moment, other than having more free space on my hard drive than before, and that's just fine with me!
A question: what programs do you recommend for keeping this malicious stuff off my computer in the future? I've got AVG and Spybot. I regularly run Ad-Aware too. What more can I do to keep it clean?
----------------------------------------------
# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3041 (20080419)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=296d1d1bf7352748ba2af11e6bc9a989
# end=finished
# remove_checked=false
# unwanted_checked=true
# utc_time=2008-04-20 11:56:47
# local_time=2008-04-20 01:56:47 (+0100, West-Europa (standaardtijd))
# country="Netherlands"
# osver=5.1.2600 NT Service Pack 2
# scanned=214393
# found=3
# scan_time=1982
C:\Documents and Settings\Margo Klijn\Mijn documenten\PROGRAMMAS\AVICodecPackPlus2.exe Win32/Adware.Webdir application 57DD3EAC8F5BC33A0027D6928F230693
C:\Documents and Settings\Margo Klijn\Mijn documenten\PROGRAMMAS\AVICodecPackPlus2.exe »NSIS »pxwma.dll Win32/Adware.Webdir application 00000000000000000000000000000000
C:\QooBox\Quarantine\C\Documents and Settings\All Users\Application Data\hsfqfmxu\belizktq.exe.vir probably a variant of Win32/TrojanDownloader.FakeAlert.BP trojan E8242A9E62E02F8B9EB8BDB291E4D7E9
---------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:58:33, on 20-4-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Roxio\MyDVD\MyDVD\USBDeviceService.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
C:\Program Files\TomTom HOME\TomTomHOME.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Roxio\MyDVD\MyDVD\DetectorApp.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Maxthon2\Maxthon.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Margo Klijn\Mijn documenten\PROGRAMMAS\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://kompaswerkendam.nl/index.php?option=com_easygb&Itemid=42
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.onlineregister.com/sonic/cgi/switch.cgi?REFR=Roxio&LANG=NL
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [DLBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [Device Detector] DevDetect.exe -autorun
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
O4 - HKLM\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME\TomTomHOME.exe" -s
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DetectorApp] C:\Program Files\Roxio\MyDVD\MyDVD\DetectorApp.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DeskLook] C:\Program Files\XemiComputers\DeskLook\DeskLook.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Lokale service')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.racoon.nl
O16 - DPF: {1FEC8B6F-250A-4293-B12C-67A7EF0B758A} (sIKN Speler) - http://www.kerkomroep.nl/ocx/sIKNPlayer.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - https://www.dotphoto.com/ImageUploader4.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: USBDeviceService - Unknown owner - C:\Program Files\Roxio\MyDVD\MyDVD\USBDeviceService.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
--
End of file - 9535 bytes
random/random
2008-04-21, 22:55
I suggest you delete the file C:\Documents and Settings\Margo Klijn\Mijn documenten\PROGRAMMAS\AVICodecPackPlus2.exe and the folder C:\Program Files\AVI Codec Pack.
Click START then RUN
Now type Combofix /u in the run box and click OK. Note the space between the X and the U; it needs to be there.
http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png
You now appear to be clean. Congratulations!
Please take the time to tell us what you would like to be done about the people who are behind all the problems you have had. We can only get something done about this if the people that we help, like you, are prepared to complain. We have a dedicated forum for collecting these complaints, Malware Complaints (http://www.malwarecomplaints.info/index.php). You need to be registered to post, as unfortunately we were hit with too many spam postings to allow guest posting to continue. Just find your country room and register your complaint.
Below are some steps to follow in order to dramatically lower the chances of reinfection
You may have already implemented some of the steps below, however you should follow any steps that you have not already implemented
Turn System Restore off
On the Desktop, right click on the My Computer icon.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Restart
Turn System Restore on
On the Desktop, right click on the My Computer icon.
Click Properties.
Click the System Restore tab.
Uncheck *Turn off System Restore*.
Click Apply, and then click OK.
Note: only do this once, and not on a regular basis
Make sure that you keep your antivirus updated
New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.
Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.
Install and use a firewall with outbound protection
While the firewall built into Windows XP is adequate to protect you from incoming attacks, it will not be much help in alerting you to programs already on your PC attempting to connect to remote servers.
I therefore strongly recommend that you install one of the following free firewalls: Comodo Firewall (http://www.personalfirewall.comodo.com/) or Online Armor (http://www.tallemu.com/online_armor_free.html).
See Bleepingcomputer's excellent tutorial to help using and understanding a firewall here (http://www.bleepingcomputer.com/tutorials/tutorial60.html)
Note: You should only have one firewall installed at a time. Having more than one firewall installed at once is likely to cause conflicts and may well decrease your overall protection as well as seriously impairing the performance of your PC.
Make sure you install all the security updates for Windows, Internet explorer & Microsoft Office
Whenever a security problem in its software is found, Microsoft will usually create a patch for it so that, after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC. Keeping up with these patches will therefore help to prevent malicious software being installed on your PC.
Go here (http://www.update.microsoft.com/microsoftupdate/v6/muoptdefault.aspx) to check for & install updates to Microsoft applications
Note: The update process uses ActiveX, so you will need to use Internet Explorer for it, and allow the ActiveX control that it wants to install.
Keep your non-Microsoft applications updated as well
Microsoft isn't the only company whose products can contain security vulnerabilities. To check for other vulnerable programs running on your PC that are in need of an update, you can use the Secunia Software Inspector (http://secunia.com/software_inspector). I suggest that you run it at least once a month.
Make Internet Explorer more secure
Click Start > Run
Type Inetcpl.cpl & click OK
Click on the Security tab
Click Reset all zones to default level
Make sure the Internet Zone is selected & Click Custom level
In the ActiveX section, set the first two options ("Download signed ActiveX controls" and "Download unsigned ActiveX controls") to "Prompt", and "Initialize and script ActiveX controls not marked as safe" to "Disable".
Next Click OK, then Apply button and then OK to exit the Internet Properties page.
Install SpywareBlaster & make sure to update it regularly
SpywareBlaster sets killbits in the registry to prevent known malicious ActiveX controls from installing themselves on your computer.
If you don't know what ActiveX controls are, see here (http://www.webopedia.com/TERM/A/ActiveX_control.html)
You can download SpywareBlaster from here (http://www.javacoolsoftware.com/sbdownload.html)
Install and use Spybot Search & Destroy
Instructions are located here (http://www.bleepingcomputer.com/tutorials/tutorial43.html)
Make sure you update, reimmunize & scan regularly
Make use of the HOSTS file included with Spybot Search & Destroy
Every version of Windows includes a hosts file. A hosts file is a bit like a phone book: it points from the human-friendly name of a website to the actual numeric address (i.e. the IP address). This feature can be used to block malicious websites.
Spybot Search & Destroy has a good HOSTS file built in. To enable the HOSTS file in Spybot Search & Destroy:
Run Spybot Search & Destroy
Click on Mode, and then place a tick next to Advanced mode
Click Yes
In the left hand pane of Spybot Search & Destroy, click on Tools, and then on Hosts File
Click on Add Spybot-S&D hosts list
Note: On some PCs, having a custom HOSTS file installed can cause a significant slowdown. Following these instructions should resolve the issue:
Click Start > Run. Type services.msc & click OK
In the list, find the service called DNS Client & double click on it. On the dropdown box, change the setting from Automatic to Manual. Click OK & then close the Services window.
For a more detailed explanation of the HOSTS file, click here (http://forum.malwareremoval.com/viewtopic.php?t=22187)
Install a-squared Free & update and scan with it regularly
a-squared free is a product from Emsi Software provided free for private use that can detect and remove a variety of malicious software. You can get it here (http://www.emsisoft.com/en/software/free/)
Note: If you have a dialup internet connection, you may also like to install a-squared Anti-Dialer (http://www.emsisoft.com/en/software/antidialer/) which provides some real time protection against premium rate dialers
Finally, I am trying to make one point very clear. It is absolutely essential to keep all of your security programs up to date.
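The HOSTS-file behaviour described in the post above (name lookups consult the file before DNS, and a blocklist works by pinning a site's name to the local machine), as an added example that is not part of the original thread or of Spybot's code: a small parser that reproduces how Windows reads the file and reports which names it would block. The file content is constructed for illustration; the hostnames are placeholders, not real blocklist entries.

```python
"""Added example (not from the thread): mimic how the Windows resolver uses HOSTS."""
from typing import Dict, Optional

# Constructed sample in HOSTS syntax: "<IP> <hostname> [<hostname> ...] [# comment]".
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
# A blocklist such as Spybot's adds lines like these: the name now resolves to
# the local machine instead of the real server, so the connection goes nowhere.
127.0.0.1       ads.example-badsite.test  www.example-badsite.test  # placeholder
127.0.0.1       tracker.example.test
"""

# Addresses a blocklist uses to "black-hole" a name.
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text: str) -> Dict[str, str]:
    """Return hostname -> IP. Names match case-insensitively and the first
    entry for a given name wins, as the Windows resolver does."""
    table: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # an IP with no hostname is ignored by the resolver
        ip, names = fields[0], fields[1:]
        for name in names:
            table.setdefault(name.lower(), ip)
    return table


def lookup(table: Dict[str, str], hostname: str) -> Optional[str]:
    """HOSTS is consulted before DNS; None means 'fall through to DNS'."""
    return table.get(hostname.strip().lower())


def is_blocked(table: Dict[str, str], hostname: str) -> bool:
    """A name (other than localhost itself) is blocked when HOSTS pins it to
    a loopback/unspecified address."""
    name = hostname.strip().lower()
    return name != "localhost" and table.get(name) in LOOPBACK


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    for name in ("WWW.Example-Badsite.test", "localhost", "www.microsoft.com"):
        print(f"{name}: {'blocked' if is_blocked(hosts, name) else 'not blocked'}")
```

Because the resolver stops at the first match, a large blocklist means every lookup walks this table first, which is the slowdown the DNS Client note above refers to.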
I will definitely post a complaint and keep my security up to date. Thank you for all the advice on good security programs. I will need it to make the internet as much fun again as it was before. Malware is a definite spoiler and a waste of everybody's time...
Last but not least; Thank you very much for your time and help!!
You deserve (as we would say in Holland): een tien met een griffel en een zoen van de juffrouw! :bigthumb:
Loosely translated: an A+ and a kiss from the teacher! :D
random/random
2008-04-22, 20:06
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.
Note: If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.
If it has been less than five days since your last response and you need the thread re-opened, please send me a private message (pm). A valid, working link to the closed topic is required.