PDA

View Full Version : virumonde problems



masterwin
2008-11-08, 16:16
hi,

i have a lot of problems whit virumonde it is allways returning when i delet it whit S&D so i thought that maybey someone could help me if i posted hijackThis here.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:16:04, on 8-11-2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.srtest.com/srl_bin/sysreqlab_srl.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O20 - AppInit_DLLs: xskthn.dll cxfuwd.dll
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 5700 bytes

Bio-Hazard
2008-11-08, 17:30
Hello and Welcome to forums!

My name is Bio-Hazard and I will be helping you to remove any infection(s) that you may have.

Please observe these rules while we work:



I will be working on your Malware issues this may or may not solve other issues you have with your machine.
The fixes are specific to your problem and should only be used for this issue on this machine.
I f you don't know or understand something please don't hesitate to ask.
Please DO NOT run any other tools or scans whilst I am helping you.
It is important that you reply to this thread. Do not start a new topic.
Absence of symptoms does not mean that everything is clear.



NOTE: Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe

Bio-Hazard
2008-11-08, 17:36
Rename HijackThis

You need to rename HiJackThis to enable it to find malware programmed to detect and hide from it.



Right click Start - Click Explore
Navigate to: C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
Right click on HiJackThis.exe - click Rename
Type into the name box: goodscanner.exe
Press Enter
Double click on goodscanner.exe to open it
Select Do a system scan and save a logfile
Post a new log




Malwarebytes' Anti-Malware

Please download Malwarebytes Anti-Malware (http://www.besttechie.net/tools/mbam-setup.exe) and save it to your desktop.



Alternate download link 1 (http://malwarebytes.gt500.org/mbam-setup.exe)
Alternate download link 2 (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)



Make sure you are connected to the Internet.
Double-click on mbam-setup.exe to install the application.
When the installation begins, follow the prompts and do not make any changes to default settings.
When installation has finished, make sure you leave both of these checked:

Update Malwarebytes' Anti-Malware
Launch Malwarebytes' Anti-Malware


Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here (http://www.malwarebytes.org/mbam/database/mbam-rules.exe) and just double-click on mbam-rules.exe to install.
On the Scanner tab:

Make sure the Perform Full Scan option is selected.
Then click on the Scan button.


If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
The scan will begin and Scan in progress will show at the top. It may take some time to complete so please be patient.
When the scan is finished, a message box will say The scan completed successfully. Click 'Show Results' to display all objects found.
Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
Make sure that everything is checked, and click Remove Selected.
When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report in your next reply and exit MBAM.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.[/color]


Download and Run ComboFix

Download ComboFix from one of these locations:

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)

IMPORTANT: combofix.exe MUST be on your Desktop for us to proceed.

Please continue as follows:


Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Double click on ComboFix.exe and follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.



NOTE: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.


http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif




Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/whatnext.png
Click on Yes, to continue scanning for malware.
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.



Combofix should never take more that 20 minutes including the reboot if malware is detected.


Logs/Information to Post in Next Reply

Please post the following logs/Information in your reply:


ComboFix log (found at C:\Combofix.txt)
Malwarebytes' Anti-Malware Log
A fresh HijackThis Log ( after all the above has been done)
A description of how your computer is behaving

masterwin
2008-11-09, 18:52
i did goodscan renaming so i hope this is good.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:51:39, on 9-11-2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\goodscanner.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: (no name) - {0F691526-D578-45AE-AD1C-CF08C9BF5198} - (no file)
O2 - BHO: (no name) - {13BB1D66-83A9-4F68-AF0A-D4B06AA35935} - (no file)
O2 - BHO: (no name) - {1BD1B669-9E3F-4999-9F94-B9D4E15C651D} - (no file)
O2 - BHO: (no name) - {1EB1DFAD-D3A0-4267-89EC-25A7AC075617} - C:\WINDOWS\system32\jkkHWPge.dll
O2 - BHO: (no name) - {210DAD5C-0B0F-42B6-ACE4-B03FECBD4BC9} - (no file)
O2 - BHO: (no name) - {26483E31-9269-4864-B8B2-9C924E660230} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: {241052c2-3da0-083b-a774-275fd67979e5} - {5e97976d-f572-477a-b380-0ad32c250142} - C:\WINDOWS\system32\cxfuwd.dll
O2 - BHO: (no name) - {66394be3-b7ca-4d69-bec2-aa61a1da703c} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
O2 - BHO: (no name) - {75ABCF92-9764-4DFA-A83F-5142C3905052} - (no file)
O2 - BHO: Windows Live Aanmelden - Help - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {d5b0fc3b-cb62-468a-8f88-395b90d0c93d} - (no file)
O2 - BHO: (no name) - {E8F640F5-30A5-41A0-A04C-F521E56646E2} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.srtest.com/srl_bin/sysreqlab_srl.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O20 - AppInit_DLLs: xskthn.dll cxfuwd.dll
O20 - Winlogon Notify: mlJBSKed - C:\WINDOWS\
O20 - Winlogon Notify: winrge32 - C:\WINDOWS\SYSTEM32\winrge32.dll
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 7153 bytes

masterwin
2008-11-09, 19:52
hi i did malwarebytes and combofix and did all the things you said except that i couldn't remove 3 things or so whit malwarebytes and i did not saw two things i could choose about i just clicked on yes or something and the computer started again here are the two logs i thank you for your help.

Malwarebytes' Anti-Malware 1.30
Database versie: 1376
Windows 5.1.2600 Service Pack 3

9-11-2008 18:36:40
mbam-log-2008-11-09 (18-36-40).txt

Scan type: Volledige Scan (C:\|D:\|)
Objecten gescand: 85717
Verstreken tijd: 11 minute(s), 53 second(s)

Geheugenprocessen geïnfecteerd: 0
Geheugenmodulen geïnfecteerd: 1
Registersleutels geïnfecteerd: 12
Registerwaarden geïnfecteerd: 1
Registerdata bestanden geïnfecteerd: 2
Mappen geïnfecteerd: 0
Bestanden geïnfecteerd: 17

Geheugenprocessen geïnfecteerd:
(Geen kwaadaardige items gevonden)

Geheugenmodulen geïnfecteerd:
C:\WINDOWS\system32\jkkHWPge.dll (Trojan.Vundo.H) -> Delete on reboot.

Registersleutels geïnfecteerd:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1eb1dfad-d3a0-4267-89ec-25a7ac075617} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{1eb1dfad-d3a0-4267-89ec-25a7ac075617} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1eb1dfad-d3a0-4267-89ec-25a7ac075617} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{75abcf92-9764-4dfa-a83f-5142c3905052} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{75abcf92-9764-4dfa-a83f-5142c3905052} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{75abcf92-9764-4dfa-a83f-5142c3905052} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winrge32 (Dialer) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSMGR (Trojan.Downloader) -> Quarantined and deleted successfully.

Registerwaarden geïnfecteerd:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{75abcf92-9764-4dfa-a83f-5142c3905052} (Trojan.Vundo) -> Quarantined and deleted successfully.

Registerdata bestanden geïnfecteerd:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\jkkhwpge -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\jkkhwpge -> Delete on reboot.

Mappen geïnfecteerd:
(Geen kwaadaardige items gevonden)

Bestanden geïnfecteerd:
C:\WINDOWS\system32\jkkHWPge.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\egPWHkkj.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\egPWHkkj.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bareilsu.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uslierab.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ewnadnvc.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\cvndanwe.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gnbpefqf.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fqfepbng.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{873CDB3F-CA5C-47D1-BB9C-DA5B1A465C51}\RP40\A0007272.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{873CDB3F-CA5C-47D1-BB9C-DA5B1A465C51}\RP42\A0007393.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\blcbvv.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\igfyywnj.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{873CDB3F-CA5C-47D1-BB9C-DA5B1A465C51}\RP39\A0007204.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{873CDB3F-CA5C-47D1-BB9C-DA5B1A465C51}\RP39\A0007205.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\winrge32.dll (Dialer) -> Delete on reboot.
C:\WINDOWS\system32\mcrh.tmp (Malware.Trace) -> Quarantined and deleted successfully.

ComboFix 08-11-07.01 - Erwin 2008-11-09 18:44:51.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1043.18.579 [GMT 1:00]
Gestart vanuit: c:\documents and settings\Erwin\Bureaublad\ComboFix.exe
* Nieuw herstelpunt werd aangemaakt
.

(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\Erwin\LOCALS~1\Temp\tmp1.tmp
c:\windows\system32\bimdna.dll
c:\windows\system32\bzftlp.dll
c:\windows\system32\cxfuwd.dll
c:\windows\system32\dsbmhxtx.dll
c:\windows\system32\kupkpmpq.dll
c:\windows\system32\oegxtngr.dll
c:\windows\system32\plorsnoo.dll
c:\windows\system32\pqiwsbif.dll
c:\windows\system32\rqjblhfy.dll
c:\windows\system32\vnsshu.dll
c:\windows\system32\vzntnm.dll
c:\windows\system32\xpptppry.dll
c:\windows\system32\xskthn.dll

.
(((((((((((((((((((( Bestanden Gemaakt van 2008-10-09 to 2008-11-09 ))))))))))))))))))))))))))))))
.

2008-11-09 17:53 . 2008-11-09 17:53 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-09 17:53 . 2008-11-09 17:53 <DIR> d-------- c:\documents and settings\Erwin\Application Data\Malwarebytes
2008-11-09 17:53 . 2008-11-09 17:53 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-09 17:53 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-09 17:53 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-09 16:50 . 2008-11-09 16:50 54,156 --ah----- c:\windows\QTFont.qfn
2008-11-09 16:50 . 2008-11-09 16:50 1,409 --a------ c:\windows\QTFont.for
2008-11-07 15:21 . 2008-11-07 15:21 120 ---hs---- c:\windows\system32\jempimcp.ini
2008-11-04 21:32 . 2008-11-04 21:32 <DIR> d-------- c:\program files\Trend Micro
2008-11-04 21:25 . 2008-11-04 21:25 120 ---hs---- c:\windows\system32\fbiufgqu.ini
2008-11-03 21:57 . 2008-11-03 21:57 <DIR> dr-h----- c:\documents and settings\Erwin\Application Data\SecuROM
2008-11-03 21:57 . 2008-11-03 21:57 107,888 --a------ c:\windows\system32\CmdLineExt.dll
2008-11-03 21:23 . 2008-11-03 21:23 120 ---hs---- c:\windows\system32\etmhxpwo.ini
2008-11-03 21:19 . 2008-11-07 23:46 211 --a------ c:\windows\wininit.ini
2008-11-03 20:52 . 2008-11-08 14:52 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-11-03 20:52 . 2008-11-04 14:53 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-03 20:48 . 2008-11-03 20:48 <DIR> d-------- c:\program files\THQ
2008-11-03 20:45 . 2008-11-03 20:45 <DIR> d--hs---- c:\windows\ftpcache
2008-11-03 20:25 . 2008-11-03 20:25 <DIR> d-------- c:\documents and settings\Erwin\Application Data\teamspeak2
2008-11-03 20:25 . 2008-11-03 20:25 34,064 --a------ c:\windows\system32\lhacm.acm
2008-11-03 20:24 . 2008-11-03 20:25 <DIR> d-------- c:\program files\Teamspeak2_RC2
2008-11-03 20:13 . 2008-11-03 20:13 <DIR> d-------- c:\documents and settings\All Users\Application Data\ESET
2008-11-03 17:14 . 2008-11-03 17:24 <DIR> d-------- c:\program files\GameSpy Arcade
2008-11-02 15:13 . 2008-11-02 15:13 <DIR> d-------- c:\program files\Microsoft Games
2008-11-01 21:20 . 2008-11-01 21:20 <DIR> d-------- c:\documents and settings\Erwin\Application Data\Sonic Solutions
2008-10-28 16:10 . 2008-10-28 16:10 <DIR> d-------- c:\program files\Microsoft Works
2008-10-28 16:10 . 2006-10-26 19:56 32,592 --a------ c:\windows\system32\msonpmon.dll
2008-10-28 16:09 . 2008-10-28 16:09 <DIR> d-------- c:\program files\MSBuild
2008-10-28 16:06 . 2008-10-28 16:09 <DIR> d-------- c:\windows\SHELLNEW
2008-10-28 16:06 . 2008-11-09 15:22 <DIR> d-------- c:\documents and settings\All Users\Application Data\Microsoft Help
2008-10-28 16:05 . 2008-10-28 16:05 <DIR> dr-h----- C:\MSOCache
2008-10-25 19:16 . 2008-10-25 19:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\nView_Profiles
2008-10-25 13:21 . 2008-10-25 13:21 <DIR> d-------- c:\windows\system32\AGEIA
2008-10-25 13:21 . 2008-10-25 19:16 <DIR> d-------- c:\windows\NV39763980.TMP
2008-10-25 13:21 . 2008-10-25 13:21 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-10-25 13:21 . 2008-10-25 13:21 <DIR> d-------- c:\program files\AGEIA Technologies
2008-10-25 13:21 . 2008-10-07 12:33 201,157 --a------ c:\windows\system32\nvapps.nvb
2008-10-25 13:20 . 2008-10-25 13:20 <DIR> d-------- C:\NVIDIA
2008-10-24 21:25 . 2008-10-24 21:25 <DIR> d-------- c:\documents and settings\All Users\Application Data\Trymedia
2008-10-24 20:44 . 2008-10-30 21:44 <DIR> d-------- c:\program files\SoundSpectrum
2008-10-24 20:44 . 2008-10-30 21:43 <DIR> d-------- c:\documents and settings\Erwin\Application Data\SoundSpectrum
2008-10-24 17:37 . 2008-10-24 17:37 <DIR> d-------- c:\program files\SystemRequirementsLab
2008-10-24 13:37 . 2008-10-15 17:37 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll
2008-10-22 14:31 . 2008-10-22 18:30 <DIR> d-------- c:\documents and settings\Erwin\Application Data\Mount&Blade
2008-10-21 20:56 . 2008-10-21 20:56 <DIR> d-------- c:\program files\MSXML 4.0
2008-10-20 16:02 . 2008-11-09 18:47 <DIR> d-------- c:\documents and settings\Erwin\Tracing
2008-10-20 16:01 . 2008-10-20 16:01 <DIR> d-------- c:\program files\Microsoft
2008-10-20 16:00 . 2008-10-20 16:01 <DIR> d-------- c:\program files\Windows Live
2008-10-20 15:59 . 2008-10-20 15:59 <DIR> d-------- c:\program files\Common Files\Windows Live
2008-10-20 15:30 . 2008-10-20 15:30 <DIR> d-------- c:\documents and settings\Erwin\Application Data\Apple Computer
2008-10-20 15:25 . 2008-10-20 15:25 <DIR> d-------- c:\documents and settings\Erwin\Application Data\InterVideo
2008-10-20 15:21 . 2008-10-20 15:21 <DIR> d-------- c:\program files\QuickTime
2008-10-20 15:21 . 2008-10-20 15:21 <DIR> d-------- c:\program files\Apple Software Update
2008-10-20 15:21 . 2008-10-20 15:21 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple Computer
2008-10-20 15:20 . 2008-10-20 15:20 <DIR> d-------- c:\program files\InterVideo Information Service
2008-10-20 15:20 . 2008-10-20 15:20 <DIR> d-------- c:\program files\Common Files\Ulead
2008-10-20 15:20 . 2006-05-11 17:41 654 --------- c:\windows\remove.iss
2008-10-20 15:18 . 2008-10-20 15:18 <DIR> d-------- c:\program files\Common Files\InterVideo
2008-10-20 15:18 . 2008-10-20 15:18 <DIR> d-------- c:\documents and settings\All Users\Application Data\InstallShield
2008-10-20 15:17 . 2008-10-20 15:18 <DIR> d-------- c:\program files\InterVideo
2008-10-19 17:50 . 2008-10-19 17:50 <DIR> d-------- c:\program files\Windows Media Connect 2
2008-10-19 17:49 . 2008-10-19 17:49 <DIR> d-------- c:\windows\system32\LogFiles
2008-10-19 17:49 . 2008-10-19 17:50 <DIR> d-------- c:\windows\system32\drivers\UMDF
2008-10-19 17:48 . 2008-10-19 17:48 19,456 --a------ c:\windows\system32\sdarddlg.dll
2008-10-19 16:35 . 2008-04-13 20:17 83,072 --a------ c:\windows\system32\drivers\wdmaud.sys
2008-10-19 16:35 . 2008-04-13 20:17 83,072 --a--c--- c:\windows\system32\dllcache\wdmaud.sys
2008-10-19 16:20 . 2008-10-19 16:40 23 --a------ c:\windows\BlendSettings.ini
2008-10-19 16:08 . 2008-04-14 18:02 21,504 --a------ c:\windows\system32\hidserv.dll
2008-10-19 16:08 . 2008-04-14 18:02 21,504 --a--c--- c:\windows\system32\dllcache\hidserv.dll
2008-10-19 16:08 . 2008-04-14 17:39 14,720 --a------ c:\windows\system32\drivers\kbdhid.sys
2008-10-19 16:08 . 2008-04-14 17:39 14,720 --a--c--- c:\windows\system32\dllcache\kbdhid.sys
2008-10-19 16:08 . 2001-09-06 18:04 12,288 --a------ c:\windows\system32\drivers\mouhid.sys
2008-10-19 16:08 . 2001-09-06 18:04 12,288 --a--c--- c:\windows\system32\dllcache\mouhid.sys
2008-10-19 16:08 . 2008-04-13 19:45 10,368 --a------ c:\windows\system32\drivers\hidusb.sys
2008-10-19 16:08 . 2008-04-13 19:45 10,368 --a--c--- c:\windows\system32\dllcache\hidusb.sys
2008-10-19 16:07 . 2008-04-13 19:45 32,128 --a------ c:\windows\system32\drivers\usbccgp.sys
2008-10-19 16:07 . 2008-04-13 19:45 32,128 --a--c--- c:\windows\system32\dllcache\usbccgp.sys
2008-10-16 19:56 . 2008-10-16 19:56 <DIR> d-------- c:\documents and settings\All Users\Application Data\espionServerData
2008-10-16 19:56 . 2008-11-08 21:11 116 --a------ c:\windows\NeroDigital.ini
2008-10-16 19:53 . 2008-10-16 19:53 <DIR> d-------- c:\documents and settings\Erwin\Application Data\DivX
2008-10-16 19:17 . 2008-11-01 18:33 <DIR> d-------- c:\documents and settings\Erwin\Application Data\Ahead
2008-10-16 19:16 . 2008-10-16 19:16 <DIR> d-------- c:\program files\Nero
2008-10-16 19:16 . 2008-10-16 19:16 <DIR> d-------- c:\program files\Common Files\Ahead
2008-10-16 17:43 . 2008-10-16 17:43 <DIR> d--hs---- c:\documents and settings\Erwin\UserData

.
((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-03 19:13 --------- d-----w c:\program files\ESET
2008-11-01 14:03 --------- d-----w c:\program files\Common Files\Adobe
2008-10-24 20:51 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-20 14:20 --------- d-----w c:\program files\Common Files\InstallShield
2008-10-16 17:24 96,384 ----a-w c:\windows\system32\drivers\sptd5789.sys
2008-10-16 16:41 223,128 ----a-w c:\windows\system32\drivers\dtscsi.sys
2008-10-16 16:41 --------- d-----w c:\program files\DAEMON Tools
2008-10-16 16:40 643,072 ----a-w c:\windows\system32\drivers\sptd.sys
2008-10-16 16:36 --------- d-----w c:\program files\XviD
2008-10-16 16:19 --------- d-----w c:\program files\DivX
2008-10-16 16:04 315,392 ----a-w c:\windows\HideWin.exe
2008-10-16 16:04 --------- d-----w c:\program files\Realtek
2008-10-16 15:59 --------- d-----w c:\documents and settings\Erwin\Application Data\InstallShield
2008-10-16 15:54 --------- d-----w c:\program files\microsoft frontpage
2008-10-02 08:07 453,152 ----a-w c:\windows\system32\NVUNINST.EXE
2008-09-16 00:14 9,464 ------w c:\windows\system32\drivers\cdralw2k.sys
2008-09-16 00:14 9,336 ------w c:\windows\system32\drivers\cdr4_xp.sys
2008-09-16 00:14 524,288 ----a-w c:\windows\system32\DivXsm.exe
2008-09-16 00:14 43,528 ------w c:\windows\system32\drivers\PxHelp20.sys
2008-09-16 00:14 3,596,288 ----a-w c:\windows\system32\qt-dx331.dll
2008-09-16 00:14 129,784 ------w c:\windows\system32\pxafs.dll
2008-09-16 00:14 120,056 ------w c:\windows\system32\pxcpyi64.exe
2008-09-16 00:14 118,520 ------w c:\windows\system32\pxinsi64.exe
2008-09-16 00:12 81,920 ----a-w c:\windows\system32\dpl100.dll
2008-09-16 00:12 593,920 ----a-w c:\windows\system32\dpuGUI11.dll
2008-09-16 00:12 57,344 ----a-w c:\windows\system32\dpv11.dll
2008-09-16 00:12 53,248 ----a-w c:\windows\system32\dpuGUI10.dll
2008-09-16 00:12 344,064 ----a-w c:\windows\system32\dpus11.dll
2008-09-16 00:12 294,912 ----a-w c:\windows\system32\dpu11.dll
2008-09-16 00:12 294,912 ----a-w c:\windows\system32\dpu10.dll
2008-09-16 00:12 200,704 ----a-w c:\windows\system32\ssldivx.dll
2008-09-16 00:12 196,608 ----a-w c:\windows\system32\dtu100.dll
2008-09-16 00:12 1,044,480 ----a-w c:\windows\system32\libdivx.dll
2008-09-16 00:11 823,296 ----a-w c:\windows\system32\divx_xx0c.dll
2008-09-16 00:11 823,296 ----a-w c:\windows\system32\divx_xx07.dll
2008-09-16 00:11 815,104 ----a-w c:\windows\system32\divx_xx0a.dll
2008-09-16 00:11 802,816 ----a-w c:\windows\system32\divx_xx11.dll
2008-09-16 00:11 683,520 ----a-w c:\windows\system32\DivX.dll
2008-09-16 00:11 161,096 ----a-w c:\windows\system32\DivXCodecVersionChecker.exe
2008-09-16 00:11 12,288 ----a-w c:\windows\system32\DivXWMPExtType.dll
2008-09-15 15:28 1,846,528 ----a-w c:\windows\system32\win32k.sys
2008-09-08 22:03 51,712 ----a-w c:\windows\system32\sirenacm.dll
2008-09-04 07:31 288,024 ----a-w c:\windows\system32\PhysXCplUI.exe
2008-08-29 06:57 70,936 ----a-w c:\windows\system32\PhysXLoader.dll
2008-08-26 08:27 826,368 ----a-w c:\windows\system32\wininet.dll
2008-08-14 13:27 2,149,888 ----a-w c:\windows\system32\ntoskrnl.exe
2008-08-14 13:27 2,028,544 ----a-w c:\windows\system32\ntkrnlpa.exe
.

((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2008-09-08 3513344]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 5.0\apdproxy.exe" [2006-09-14 61440]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-03-20 213936]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-01 282624]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 86016]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-08-18 1447168]
"nwiz"="nwiz.exe" [2008-10-07 c:\windows\system32\nwiz.exe]
"RTHDCPL"="RTHDCPL.EXE" [2007-08-20 c:\windows\RTHDCPL.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=xskthn.dll cxfuwd.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\InterVideo\\DVD8\\WinDVD.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\SoundSpectrum\\G-Force\\G-Force Standalone.exe"=
"d:\\Downloads\\Halo Custom Edition\\Halo Custom Edition\\Halo Custom Edition\\haloce.exe"=
"c:\\Program Files\\GameSpy Arcade\\Aphex.exe"=
"c:\\Program Files\\THQ\\Company of Heroes\\RelicCOH.exe"=
"c:\\WINDOWS\\system32\\winver.exe"=

R1 epfwtdir;epfwtdir;c:\windows\system32\DRIVERS\epfwtdir.sys [2008-08-18 34312]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b627a6b0-a5d2-11dd-a19f-001d92618be0}]
\Shell\AutoRun\command - k:\wd_windows_tools\WDSetup.exe
.
Inhoud van de 'Gedeelde Taken' map

2008-10-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-08-29 13:21]
.
- - - - ORPHANS VERWIJDERD - - - -

BHO-{0F691526-D578-45AE-AD1C-CF08C9BF5198} - (no file)
BHO-{13BB1D66-83A9-4F68-AF0A-D4B06AA35935} - (no file)
BHO-{1BD1B669-9E3F-4999-9F94-B9D4E15C651D} - (no file)
BHO-{210DAD5C-0B0F-42B6-ACE4-B03FECBD4BC9} - (no file)
BHO-{26483E31-9269-4864-B8B2-9C924E660230} - (no file)
BHO-{5e97976d-f572-477a-b380-0ad32c250142} - c:\windows\system32\cxfuwd.dll
BHO-{66394be3-b7ca-4d69-bec2-aa61a1da703c} - (no file)
BHO-{d5b0fc3b-cb62-468a-8f88-395b90d0c93d} - (no file)
BHO-{E8F640F5-30A5-41A0-A04C-F521E56646E2} - (no file)
HKLM-Run-NWEReboot - (no file)
Notify-mlJBSKed - (no file)


.
------- Bijkomende Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.google.nl/
O8 -: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000

O16 -: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.srtest.com/srl_bin/sysreqlab_srl.cab
c:\windows\Downloaded Program Files\sysreqlab.osd
c:\windows\Downloaded Program Files\sysreqlab_srl.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-09 18:47:33
Windows 5.1.2600 Service Pack 3 NTFS

scannen van verborgen processen ...

scannen van verborgen autostart items ...

scannen van verborgen bestanden ...


c:\windows\TEMP\5llxi87b.TMP

Scan succesvol afgerond
verborgen bestanden: 1

**************************************************************************
.
------------------------ Andere Aktieve Processen ------------------------
.
c:\program files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Voltooingstijd: 2008-11-09 18:48:43 - machine werd herstart
ComboFix-quarantined-files.txt 2008-11-09 17:48:40

Pre-Run: 62.468.509.696 bytes beschikbaar
Post-Run: 62,516,301,824 bytes beschikbaar

WindowsXP-KB310994-SP2-Home-BootDisk-NLD.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

260 --- E O F --- 2008-10-29 06:29:51

Bio-Hazard
2008-11-10, 00:40
Hello!

Could you please post a new HijackThis log for me to see.

Bio-Hazard
2008-11-12, 23:21
Hello!

Do you still need help?

masterwin
2008-11-13, 13:58
sorry was a week not online but jeh i still need help,

whit spybot S&D i did not scanned virumonde again so it is gone but in place of that there are other things like microsoft firewall passings. everything is further alright whit my computer and my automatic updates are allright.

here is the hijack.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:57:34, on 13-11-2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
O2 - BHO: Windows Live Aanmelden - Help - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.srtest.com/srl_bin/sysreqlab_srl.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O20 - AppInit_DLLs: xskthn.dll cxfuwd.dll
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 5752 bytes

Bio-Hazard
2008-11-13, 16:31
Run CFScript



Close any open browsers.
Open Notepad by click start
Click Run
Type notepad into the box and click enter
Notepad will open
Copy and Paste everything from the Code box into Notepad:




File::
c:\windows\system32\jempimcp.ini
c:\windows\system32\fbiufgqu.ini
c:\windows\system32\etmhxpwo.ini
c:\windows\remove.iss
c:\windows\QTFont.qfn
c:\windows\QTFont.for

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=-
Save this as CFScript.txt, in the same location as ComboFix.exe (on your desktop)


http://img.photobucket.com/albums/v706/ried7/CFScriptB-4.gif


Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt

NOTE: Do not mouseclick combofix's window whilst it's running. That may cause it to stall it.

Next Reply

Please reply with:


ComboFix log (found at C:\Combofix.txt)
New HijackThis log

masterwin
2008-11-14, 17:13
ComboFix 08-11-12.02 - Erwin 2008-11-14 16:11:19.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1043.18.574 [GMT 1:00]
Gestart vanuit: d:\downloads\ComboFix.exe
gebruikte Opdracht switches :: c:\combofix\CFScript.txt
* Nieuw herstelpunt werd aangemaakt
.

(((((((((((((((((((( Bestanden Gemaakt van 2008-10-14 to 2008-11-14 ))))))))))))))))))))))))))))))
.

2008-11-14 14:48 . 2008-11-14 14:48 <DIR> d-------- c:\program files\Smart PSP Converter
2008-11-13 20:32 . 2008-11-13 21:16 <DIR> d-------- c:\program files\PC Satellite TV
2008-11-12 18:47 . 2008-09-04 18:17 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-12 18:47 . 2008-10-24 12:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-11 14:48 . 2008-11-11 14:48 <DIR> d-------- c:\documents and settings\All Users\Application Data\WLInstaller
2008-11-09 22:01 . 2008-11-09 22:17 54,156 --ah----- c:\windows\QTFont.qfn
2008-11-09 22:01 . 2008-11-09 22:17 1,409 --a------ c:\windows\QTFont.for
2008-11-09 17:53 . 2008-11-09 17:53 <DIR> d-------- c:\documents and settings\Erwin\Application Data\Malwarebytes
2008-11-09 17:53 . 2008-11-09 17:53 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-07 15:21 . 2008-11-07 15:21 120 ---hs---- c:\windows\system32\jempimcp.ini
2008-11-04 21:32 . 2008-11-04 21:32 <DIR> d-------- c:\program files\Trend Micro
2008-11-04 21:25 . 2008-11-04 21:25 120 ---hs---- c:\windows\system32\fbiufgqu.ini
2008-11-03 21:57 . 2008-11-03 21:57 <DIR> dr-h----- c:\documents and settings\Erwin\Application Data\SecuROM
2008-11-03 21:57 . 2008-11-03 21:57 107,888 --a------ c:\windows\system32\CmdLineExt.dll
2008-11-03 21:23 . 2008-11-03 21:23 120 ---hs---- c:\windows\system32\etmhxpwo.ini
2008-11-03 21:19 . 2008-11-07 23:46 211 --a------ c:\windows\wininit.ini
2008-11-03 20:52 . 2008-11-08 14:52 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-11-03 20:52 . 2008-11-04 14:53 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-03 20:48 . 2008-11-03 20:48 <DIR> d-------- c:\program files\THQ
2008-11-03 20:45 . 2008-11-03 20:45 <DIR> d--hs---- c:\windows\ftpcache
2008-11-03 20:25 . 2008-11-03 20:25 <DIR> d-------- c:\documents and settings\Erwin\Application Data\teamspeak2
2008-11-03 20:25 . 2008-11-03 20:25 34,064 --a------ c:\windows\system32\lhacm.acm
2008-11-03 20:24 . 2008-11-03 20:25 <DIR> d-------- c:\program files\Teamspeak2_RC2
2008-11-03 20:13 . 2008-11-03 20:13 <DIR> d-------- c:\documents and settings\All Users\Application Data\ESET
2008-11-03 17:14 . 2008-11-13 13:53 <DIR> d-------- c:\program files\GameSpy Arcade
2008-11-02 15:13 . 2008-11-02 15:13 <DIR> d-------- c:\program files\Microsoft Games
2008-11-01 21:20 . 2008-11-01 21:20 <DIR> d-------- c:\documents and settings\Erwin\Application Data\Sonic Solutions
2008-10-28 16:10 . 2008-10-28 16:10 <DIR> d-------- c:\program files\Microsoft Works
2008-10-28 16:10 . 2006-10-26 19:56 32,592 --a------ c:\windows\system32\msonpmon.dll
2008-10-28 16:09 . 2008-10-28 16:09 <DIR> d-------- c:\program files\MSBuild
2008-10-28 16:06 . 2008-10-28 16:09 <DIR> d-------- c:\windows\SHELLNEW
2008-10-28 16:06 . 2008-11-09 15:22 <DIR> d-------- c:\documents and settings\All Users\Application Data\Microsoft Help
2008-10-28 16:05 . 2008-10-28 16:05 <DIR> dr-h----- C:\MSOCache
2008-10-25 19:16 . 2008-10-25 19:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\nView_Profiles
2008-10-25 13:21 . 2008-10-25 13:21 <DIR> d-------- c:\windows\system32\AGEIA
2008-10-25 13:21 . 2008-10-25 19:16 <DIR> d-------- c:\windows\NV39763980.TMP
2008-10-25 13:21 . 2008-10-25 13:21 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-10-25 13:21 . 2008-10-25 13:21 <DIR> d-------- c:\program files\AGEIA Technologies
2008-10-25 13:21 . 2008-10-07 12:33 201,157 --a------ c:\windows\system32\nvapps.nvb
2008-10-25 13:20 . 2008-10-25 13:20 <DIR> d-------- C:\NVIDIA
2008-10-24 21:25 . 2008-10-24 21:25 <DIR> d-------- c:\documents and settings\All Users\Application Data\Trymedia
2008-10-24 20:44 . 2008-10-30 21:44 <DIR> d-------- c:\program files\SoundSpectrum
2008-10-24 20:44 . 2008-10-30 21:43 <DIR> d-------- c:\documents and settings\Erwin\Application Data\SoundSpectrum
2008-10-24 17:37 . 2008-10-24 17:37 <DIR> d-------- c:\program files\SystemRequirementsLab
2008-10-24 13:37 . 2008-10-15 17:37 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll
2008-10-22 14:31 . 2008-10-22 18:30 <DIR> d-------- c:\documents and settings\Erwin\Application Data\Mount&Blade
2008-10-21 20:56 . 2008-10-21 20:56 <DIR> d-------- c:\program files\MSXML 4.0
2008-10-20 16:02 . 2008-11-14 14:30 <DIR> d-------- c:\documents and settings\Erwin\Tracing
2008-10-20 16:01 . 2008-10-20 16:01 <DIR> d-------- c:\program files\Microsoft
2008-10-20 16:00 . 2008-10-20 16:01 <DIR> d-------- c:\program files\Windows Live
2008-10-20 15:59 . 2008-10-20 15:59 <DIR> d-------- c:\program files\Common Files\Windows Live
2008-10-20 15:30 . 2008-10-20 15:30 <DIR> d-------- c:\documents and settings\Erwin\Application Data\Apple Computer
2008-10-20 15:25 . 2008-10-20 15:25 <DIR> d-------- c:\documents and settings\Erwin\Application Data\InterVideo
2008-10-20 15:21 . 2008-11-09 22:35 <DIR> d-------- c:\program files\QuickTime
2008-10-20 15:21 . 2008-11-09 22:35 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple Computer
2008-10-20 15:20 . 2008-10-20 15:20 <DIR> d-------- c:\program files\InterVideo Information Service
2008-10-20 15:20 . 2008-10-20 15:20 <DIR> d-------- c:\program files\Common Files\Ulead
2008-10-20 15:20 . 2006-05-11 17:41 654 --------- c:\windows\remove.iss
2008-10-20 15:18 . 2008-10-20 15:18 <DIR> d-------- c:\program files\Common Files\InterVideo
2008-10-20 15:18 . 2008-10-20 15:18 <DIR> d-------- c:\documents and settings\All Users\Application Data\InstallShield
2008-10-20 15:17 . 2008-10-20 15:18 <DIR> d-------- c:\program files\InterVideo
2008-10-19 17:50 . 2008-10-19 17:50 <DIR> d-------- c:\program files\Windows Media Connect 2
2008-10-19 17:49 . 2008-10-19 17:49 <DIR> d-------- c:\windows\system32\LogFiles
2008-10-19 17:49 . 2008-10-19 17:50 <DIR> d-------- c:\windows\system32\drivers\UMDF
2008-10-19 17:48 . 2008-10-19 17:48 19,456 --a------ c:\windows\system32\sdarddlg.dll
2008-10-19 16:35 . 2008-04-13 20:17 83,072 --a------ c:\windows\system32\drivers\wdmaud.sys
2008-10-19 16:35 . 2008-04-13 20:17 83,072 --a--c--- c:\windows\system32\dllcache\wdmaud.sys
2008-10-19 16:20 . 2008-10-19 16:40 23 --a------ c:\windows\BlendSettings.ini
2008-10-19 16:08 . 2008-04-14 18:02 21,504 --a------ c:\windows\system32\hidserv.dll
2008-10-19 16:08 . 2008-04-14 18:02 21,504 --a--c--- c:\windows\system32\dllcache\hidserv.dll
2008-10-19 16:08 . 2008-04-14 17:39 14,720 --a------ c:\windows\system32\drivers\kbdhid.sys
2008-10-19 16:08 . 2008-04-14 17:39 14,720 --a--c--- c:\windows\system32\dllcache\kbdhid.sys
2008-10-19 16:08 . 2001-09-06 18:04 12,288 --a------ c:\windows\system32\drivers\mouhid.sys
2008-10-19 16:08 . 2001-09-06 18:04 12,288 --a--c--- c:\windows\system32\dllcache\mouhid.sys
2008-10-19 16:08 . 2008-04-13 19:45 10,368 --a------ c:\windows\system32\drivers\hidusb.sys
2008-10-19 16:08 . 2008-04-13 19:45 10,368 --a--c--- c:\windows\system32\dllcache\hidusb.sys
2008-10-19 16:07 . 2008-04-13 19:45 32,128 --a------ c:\windows\system32\drivers\usbccgp.sys
2008-10-19 16:07 . 2008-04-13 19:45 32,128 --a--c--- c:\windows\system32\dllcache\usbccgp.sys
2008-10-16 19:56 . 2008-10-16 19:56 <DIR> d-------- c:\documents and settings\All Users\Application Data\espionServerData
2008-10-16 19:56 . 2008-11-14 15:34 116 --a------ c:\windows\NeroDigital.ini
2008-10-16 19:53 . 2008-10-16 19:53 <DIR> d-------- c:\documents and settings\Erwin\Application Data\DivX
2008-10-16 19:17 . 2008-11-01 18:33 <DIR> d-------- c:\documents and settings\Erwin\Application Data\Ahead
2008-10-16 19:16 . 2008-10-16 19:16 <DIR> d-------- c:\program files\Nero
2008-10-16 19:16 . 2008-10-16 19:16 <DIR> d-------- c:\program files\Common Files\Ahead
2008-10-16 17:43 . 2008-10-16 17:43 <DIR> d--hs---- c:\documents and settings\Erwin\UserData

.
((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-03 19:13 --------- d-----w c:\program files\ESET
2008-11-01 14:03 --------- d-----w c:\program files\Common Files\Adobe
2008-10-24 20:51 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-20 14:20 --------- d-----w c:\program files\Common Files\InstallShield
2008-10-16 17:24 96,384 ----a-w c:\windows\system32\drivers\sptd5789.sys
2008-10-16 16:41 223,128 ----a-w c:\windows\system32\drivers\dtscsi.sys
2008-10-16 16:41 --------- d-----w c:\program files\DAEMON Tools
2008-10-16 16:40 643,072 ----a-w c:\windows\system32\drivers\sptd.sys
2008-10-16 16:36 --------- d-----w c:\program files\XviD
2008-10-16 16:19 --------- d-----w c:\program files\DivX
2008-10-16 16:04 315,392 ----a-w c:\windows\HideWin.exe
2008-10-16 16:04 --------- d-----w c:\program files\Realtek
2008-10-16 15:59 --------- d-----w c:\documents and settings\Erwin\Application Data\InstallShield
2008-10-16 15:54 --------- d-----w c:\program files\microsoft frontpage
2008-10-02 08:07 453,152 ----a-w c:\windows\system32\NVUNINST.EXE
2008-09-30 15:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-16 00:14 9,464 ------w c:\windows\system32\drivers\cdralw2k.sys
2008-09-16 00:14 9,336 ------w c:\windows\system32\drivers\cdr4_xp.sys
2008-09-16 00:14 524,288 ----a-w c:\windows\system32\DivXsm.exe
2008-09-16 00:14 43,528 ------w c:\windows\system32\drivers\PxHelp20.sys
2008-09-16 00:14 3,596,288 ----a-w c:\windows\system32\qt-dx331.dll
2008-09-16 00:14 129,784 ------w c:\windows\system32\pxafs.dll
2008-09-16 00:14 120,056 ------w c:\windows\system32\pxcpyi64.exe
2008-09-16 00:14 118,520 ------w c:\windows\system32\pxinsi64.exe
2008-09-16 00:12 81,920 ----a-w c:\windows\system32\dpl100.dll
2008-09-16 00:12 593,920 ----a-w c:\windows\system32\dpuGUI11.dll
2008-09-16 00:12 57,344 ----a-w c:\windows\system32\dpv11.dll
2008-09-16 00:12 53,248 ----a-w c:\windows\system32\dpuGUI10.dll
2008-09-16 00:12 344,064 ----a-w c:\windows\system32\dpus11.dll
2008-09-16 00:12 294,912 ----a-w c:\windows\system32\dpu11.dll
2008-09-16 00:12 294,912 ----a-w c:\windows\system32\dpu10.dll
2008-09-16 00:12 200,704 ----a-w c:\windows\system32\ssldivx.dll
2008-09-16 00:12 196,608 ----a-w c:\windows\system32\dtu100.dll
2008-09-16 00:12 1,044,480 ----a-w c:\windows\system32\libdivx.dll
2008-09-16 00:11 823,296 ----a-w c:\windows\system32\divx_xx0c.dll
2008-09-16 00:11 823,296 ----a-w c:\windows\system32\divx_xx07.dll
2008-09-16 00:11 815,104 ----a-w c:\windows\system32\divx_xx0a.dll
2008-09-16 00:11 802,816 ----a-w c:\windows\system32\divx_xx11.dll
2008-09-16 00:11 683,520 ----a-w c:\windows\system32\DivX.dll
2008-09-16 00:11 161,096 ----a-w c:\windows\system32\DivXCodecVersionChecker.exe
2008-09-16 00:11 12,288 ----a-w c:\windows\system32\DivXWMPExtType.dll
2008-09-15 15:28 1,846,528 ----a-w c:\windows\system32\win32k.sys
2008-09-10 01:16 1,307,648 ------w c:\windows\system32\msxml6.dll
2008-09-08 22:03 51,712 ----a-w c:\windows\system32\sirenacm.dll
2008-09-04 17:17 1,106,944 ----a-w c:\windows\system32\msxml3.dll
2008-09-04 07:31 288,024 ----a-w c:\windows\system32\PhysXCplUI.exe
2008-08-29 06:57 70,936 ----a-w c:\windows\system32\PhysXLoader.dll
2008-08-26 08:27 826,368 ----a-w c:\windows\system32\wininet.dll
2008-08-14 13:27 2,149,888 ----a-w c:\windows\system32\ntoskrnl.exe
2008-08-14 13:27 2,028,544 ----a-w c:\windows\system32\ntkrnlpa.exe
.

((((((((((((((((((((((((((((( snapshot@2008-11-09_18.48.25.10 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-10-24 11:21:09 455,296 ------w c:\windows\Driver Cache\i386\mrxsmb.sys
+ 2008-11-12 18:00:57 32,768 ----a-r c:\windows\Installer\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}\icon.exe
- 2008-04-14 17:02:33 1,306,624 -c----w c:\windows\system32\dllcache\msxml6.dll
+ 2008-09-10 01:16:18 1,307,648 -c----w c:\windows\system32\dllcache\msxml6.dll
- 2008-10-07 10:19:42 16,721,856 ----a-w c:\windows\system32\MRT.exe
+ 2008-11-04 00:10:25 17,318,336 ----a-w c:\windows\system32\MRT.exe
- 2007-11-30 11:19:43 18,808 ------w c:\windows\system32\spmsg.dll
+ 2008-07-08 13:07:36 18,808 ------w c:\windows\system32\spmsg.dll
+ 2008-09-30 15:42:08 1,286,152 ----a-w c:\windows\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9870.0_x-ww_a32d74cf\msxml4.dll
+ 2008-09-30 15:45:12 91,656 ----a-w c:\windows\WinSxS\x86_Microsoft.MSXML2R_6bd6b9abf345378f_4.1.1.0_x-ww_2a41bceb\msxml4r.dll
.
((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2008-09-08 3513344]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 5.0\apdproxy.exe" [2006-09-14 61440]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-03-20 213936]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 86016]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-08-18 1447168]
"nwiz"="nwiz.exe" [2008-10-07 c:\windows\system32\nwiz.exe]
"RTHDCPL"="RTHDCPL.EXE" [2007-08-20 c:\windows\RTHDCPL.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=xskthn.dll cxfuwd.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\InterVideo\\DVD8\\WinDVD.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\SoundSpectrum\\G-Force\\G-Force Standalone.exe"=
"d:\\Downloads\\Halo Custom Edition\\Halo Custom Edition\\Halo Custom Edition\\haloce.exe"=
"c:\\Program Files\\GameSpy Arcade\\Aphex.exe"=
"c:\\Program Files\\THQ\\Company of Heroes\\RelicCOH.exe"=

R1 epfwtdir;epfwtdir;c:\windows\system32\DRIVERS\epfwtdir.sys [2008-08-18 34312]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b627a6b0-a5d2-11dd-a19f-001d92618be0}]
\Shell\AutoRun\command - k:\wd_windows_tools\WDSetup.exe

*Newly Created Service* - CATCHME
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-14 16:11:55
Windows 5.1.2600 Service Pack 3 NTFS

scannen van verborgen processen ...

scannen van verborgen autostart items ...

scannen van verborgen bestanden ...

Scan succesvol afgerond
verborgen bestanden: 0

**************************************************************************
.
Voltooingstijd: 2008-11-14 16:12:12
ComboFix-quarantined-files.txt 2008-11-14 15:12:08
ComboFix2.txt 2008-11-14 15:07:45

Pre-Run: 62.134.005.760 bytes beschikbaar
Post-Run: 62,124,621,824 bytes beschikbaar

219 --- E O F --- 2008-11-12 18:01:52








Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:13:49, on 14-11-2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
O2 - BHO: Windows Live Aanmelden - Help - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.srtest.com/srl_bin/sysreqlab_srl.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O20 - AppInit_DLLs: xskthn.dll cxfuwd.dll
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 5508 bytes

Bio-Hazard
2008-11-14, 17:24
Remove HijackThis entries



Run HijackThis
Click on the Scan button
Put a check beside all of the items listed below (if present):

O20 - AppInit_DLLs: xskthn.dll cxfuwd.dll
Close all open windows and browsers/email etc...
Click on the Fix Checked button
When completed close the application.




OTMoveIt3

Download OTMoveIt3 (http://oldtimer.geekstogo.com/OTMoveIt3.exe) by Old Timer and save it to your Desktop.


Double-click OTMoveIt3.exe to run it.
Copy the lines in the codebox below.




:files
c:\windows\system32\jempimcp.ini
c:\windows\system32\fbiufgqu.ini
c:\windows\system32\etmhxpwo.ini
c:\windows\remove.iss
c:\windows\QTFont.qfn
c:\windows\QTFont.for
:commands
[EmptyTemp]


Return to OTMoveIt3, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.




Click the red Moveit! button.
Copy everything in the Results window (under the green bar), and paste it in your next reply.
Close OTMoveIt3




Kaspersky Online Scan

Please go to Kaspersky website (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) and perform an online antivirus scan.

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.



Read through the requirements and privacy statement and click on Accept button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
When the downloads have finished, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

Spyware, Adware, Dialers, and other potentially dangerous programs
Archives


Click on My Computer under Scan.
Once the scan is complete, it will display the results. Click on View Scan Report.
You will see a list of infected items there. Click on Save Report As....
Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
Please post this log in your next reply along with a fresh HijackThis log.


Logs/Information to Post in Next Reply

Please post the following logs/Information in your reply:


OTMoveIt3 Log
Kaspersky Log
A fresh HijackThis Log ( after all the above has been done)
A description of how your computer is behaving

masterwin
2008-11-15, 13:05
========== FILES ==========
c:\windows\system32\jempimcp.ini moved successfully.
c:\windows\system32\fbiufgqu.ini moved successfully.
c:\windows\system32\etmhxpwo.ini moved successfully.
c:\windows\remove.iss moved successfully.
c:\windows\QTFont.qfn moved successfully.
c:\windows\QTFont.for moved successfully.
========== COMMANDS ==========
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Windows Temp folder emptied.
Temp folders emptied.

OTMoveIt3 by OldTimer - Version 1.0.7.1 log created on 11152008_120127

Files moved on Reboot...
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.

masterwin
2008-11-15, 14:14
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Saturday, November 15, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, November 14, 2008 21:21:13
Records in database: 1385194
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\

Scan statistics:
Files scanned: 40164
Threat name: 1
Infected objects: 4
Suspicious objects: 0
Duration of the scan: 00:42:18


File name / Threat name / Threats count
C:\Qoobox\Quarantine\C\WINDOWS\system32\dsbmhxtx.dll.vir Infected: Email-Worm.Win32.Zhelatin.ahu 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\kupkpmpq.dll.vir Infected: Email-Worm.Win32.Zhelatin.ahu 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\vnsshu.dll.vir Infected: Email-Worm.Win32.Zhelatin.ahu 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\vzntnm.dll.vir Infected: Email-Worm.Win32.Zhelatin.ahu 1

The selected area was scanned.







Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:14:15, on 15-11-2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Teamspeak2_RC2\TeamSpeak.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Aanmelden - Help - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger

Bio-Hazard
2008-11-15, 20:03
Hello! HijackThis log is not complete, could you post a new HijackThis log for me to see?

masterwin
2008-11-16, 16:57
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:56:58, on 16-11-2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Teamspeak2_RC2\TeamSpeak.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Aanmelden - Help - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.srtest.com/srl_bin/sysreqlab_srl.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-03.sun.com/s/ESD5/JSCDL/jre/6u10-b92-b/jinstall-6u10-windows-i586-jc.cab?e=1226747342994&h=5c24e51ddcd9daf08526327e5d0a841c/&filename=jinstall-6u10-windows-i586-jc.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--

Bio-Hazard
2008-11-16, 17:49
Firewall

Looking over your log it seems you don't have any evidence of a third party FIREWALL. As the term conveys a firewall is an extra layer of security installed onto computers which restricts access to systems from the outside world. Firewalls protect against hackers and malicious intruders.

If you are using the built-in Windows XP firewall it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to phone home for more instructions. Simply put Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution. Remember to use only one firewall at the same time.

I would recommend to install install a free firewall for personal use from one of these excellent vendors. Choice is yours:



Online-Armor Free (http://www.tallemu.com/downloads.html)
Agnitum (http://www.agnitum.com/products/outpostfree/download.php)
Sunbelt/Kerio (Free version after 30 days) (http://www.sunbelt-software.com/Kerio-Download.cfm)
Comodo (http://www.personalfirewall.comodo.com/) (Uncheck during installation Install Comodo SafeSurf.., Make Comodo my default search provider and Make Comodo Search my homepage and install firewall ONLY!)





Your log now appears to be clean. Congratulations!


Please take the time to tell us what you would like to be done about the people who are behind all the problems you have had. We can only get something done about this if the people that we help, like you, are prepared to complain. We have a dedicated forum for collecting these complaints Malware Complaints (http://www.malwarecomplaints.info/index.php). You need to be registered to post as, unfortunately, we were hit with too many spam posts to allow guest posting to continue. Just find your country room and register your complaint.

Delete ComboFix and Clean Up
Click Start > Run > type combofix /u > OK (Note the space between combofix and /u)
http://i147.photobucket.com/albums/r301/DFW_photos/CF_Cleanup.png
Please advise if this step is missed for any reason as it performs some important actions.

Clean up with OTMoveIt3



Double-click OTMoveIt3.exe to start the program.
Close all other programs apart from OTMoveIt3 as this step will require a reboot
On the OTMoveIt main screen, press the CleanUp! button
Say Yes to the prompt and then allow the program to reboot your computer.



Protection Programs
Don't forget to re-enable any protection programs we disabled during your fix.

General Security and Computer Health
Below are some steps to follow in order to dramatically lower the chances of reinfection. You may have already implemented some of the steps below, however you should follow any steps that you have not already implemented.



Clear Infected System Restore Points

Turn System Restore off
On the Desktop, right click on the My Computer icon.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Restart your computer
Turn System Restore on
On the Desktop, right click on the My Computer icon.
Click Properties.
Click the System Restore tab.
Uncheck *Turn off System Restore*.
Click Apply, and then click OK.

Note: only do this once,and not on a regular basis
Set correct settings for files

Click Start > My Computer > Tools menu (at top of page) > Folder Options > View tab.
Under Hidden files and folders if necessary select Do not show hidden files and folders.
If unchecked please check Hide protected operating system files (Recommended)
If necessary check Display content of system folders
If necessary Uncheck Hide file extensions for known file types.
Click OK


Make sure that you keep your antivirus updated
New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.
NOTE: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.
Install and use a firewall with outbound protection
The Windows firewall only monitors incoming traffic, NOT outgoing. Using a software firewall in its default configuration to replace the Windows firewall greatly reduces the risk of your computer being hacked. Make sure your firewall is always enabled while your computer is connected to the internet.
NOTE: You should only have one firewall installed at a time. Having more than one firewall installed at once is likely to cause conflicts and may well decrease your overall protection as well as seriously impairing the performance of your PC.
Security Updates for Windows, Internet Explorer & Microsoft Office
Whenever a security problem in its software is found, Microsoft will usually create a patch so that after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC. Keeping up with these patches will help to prevent malicious software being installed on your PC. Ensure you are registered for Windows updates via Start > right-click on My Computer > Properties > Automatic Updates tab or visit the Microsoft Update site (http://update.microsoft.com/microsoftupdate) on a regular basis.
NOTE: The update process uses ActiveX, so you will need to use internet explorer for it and allow the ActiveX control to install.
Update Non-Microsoft Programs
Microsoft isn't the only company whose products can contain security vulnerabilities. To check whether other programs running on your PC are in need of an update, you can use the Secunia Software Inspector (http://secunia.com/software_inspector) - I suggest that you run it at least once a month.
Make Internet Explorer More Secure
You are using Internet Explorer v. 7. Therefore please read and follow the recommendations at this SITE (http://surfthenetsafely.com/ieseczone8.htm)




Recommended Programs

I would recommend the download and installation of some or all of the following programs (if not already present), and the updating of them on a regular basis.



WinPatrol
As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge. For more information, please visit HERE (http://www.winpatrol.com/).
SpywareBlaster
SpywareBlaster sets killbits in the registry to prevent known malicious ActiveX controls from installing on your computer. If you don't know what ActiveX controls are, see HERE (http://www.webopedia.com/TERM/A/ActiveX_control.html). You can download SpywareBlaster from HERE (http://www.javacoolsoftware.com/sbdownload.html).
Hosts File
For added protection you may also like to add a host file. A simple explanation of what a Hosts file does is HERE (http://forum.malwareremoval.com/viewtopic.php?t=22187) and for more information regarding host files read HERE (http://www.mvps.org/winhelp2002/hosts.htm).
Use an alternative Internet Browser
Many of the exploits are directed to users of Internet Explorer. Try using a different browser instead:Firefox (http://www.mozilla.com/en-US/firefox/) or Opera (http://www.opera.com/download/)




Finally I am trying to make one point very clear. It is ABSOLUTELY ESSENTIAL to keep all of your security programs up to date.

I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can be closed.

Happy surfing and stay clean!

Bio-Hazard

masterwin
2008-11-17, 23:25
i did all those things:
but combofix was already from my computer because i deleted it earlier
oops :( also i installed online armor and i tryed operah but i do not like it sorry :( so i thank you for all those things you did for me and all the time you spend in me. Than you very mutch. :):2thumb::wav:


Delete ComboFix and Clean Up
Click Start > Run > type combofix /u > OK (Note the space between combofix and /u)


Clean up with OTMoveIt3


Double-click OTMoveIt3.exe to start the program.
Close all other programs apart from OTMoveIt3 as this step will require a reboot
On the OTMoveIt main screen, press the CleanUp! button
Say Yes to the prompt and then allow the program to reboot your computer.


Protection Programs
Don't forget to re-enable any protection programs we disabled during your fix.

General Security and Computer Health
Below are some steps to follow in order to dramatically lower the chances of reinfection. You may have already implemented some of the steps below, however you should follow any steps that you have not already implemented.


Clear Infected System Restore Points
Turn System Restore off
On the Desktop, right click on the My Computer icon.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Restart your computer
Turn System Restore on
On the Desktop, right click on the My Computer icon.
Click Properties.
Click the System Restore tab.
Uncheck *Turn off System Restore*.
Click Apply, and then click OK.
Note: only do this once,and not on a regular basis
Set correct settings for files
Click Start > My Computer > Tools menu (at top of page) > Folder Options > View tab.
Under Hidden files and folders if necessary select Do not show hidden files and folders.
If unchecked please check Hide protected operating system files (Recommended)
If necessary check Display content of system folders
If necessary Uncheck Hide file extensions for known file types.
Click OK