lookanddiscover homepage



folmere
2009-03-04, 14:44
Hi

I am also having the problem that my homepage always points to LookandDiscover, even after I have changed it.

I have posted the HJT below.

Please will you let me know how to fix this and possible other bad entries in the logfile below.

Thanks
Erica

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:31:28, on 4-3-2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\xampp\apache\bin\apache.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\xampp\mysql\bin\mysqld-nt.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\System32\svchost.exe
C:\xampp\apache\bin\apache.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell Photo AIO Printer 942\dlbubmgr.exe
C:\Program Files\Dell Photo AIO Printer 942\memcard.exe
C:\Program Files\Dell Photo AIO Printer 942\dlbubmon.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\USB Disk Win98 Driver\Res.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Windows\temp\spoolsv\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\MI3AA1~1\wcescomm.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\WINDOWS\twain_32\A4S2600X\WATCH.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\Program Files\Citrix\ICA Client\wfica32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\IncrediMail\bin\IncMail.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.lookanddiscover.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Orange
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Dell Photo AIO Printer 942] "C:\Program Files\Dell Photo AIO Printer 942\dlbubmgr.exe"
O4 - HKLM\..\Run: [DellMCM] "C:\Program Files\Dell Photo AIO Printer 942\memcard.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [USB Storage Toolbox] C:\Program Files\USB Disk Win98 Driver\Res.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [spoolsv] "C:\Windows\temp\spoolsv\spoolsv.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MI3AA1~1\wcescomm.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Lokale service')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Netwerkservice')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Watch.lnk = C:\WINDOWS\twain_32\A4S2600X\WATCH.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Reader Snelle start.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O9 - Extra button: (no name) - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - (no file)
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.orange.nl/
O16 - DPF: {003FADA5-8FEE-11D6-AFB7-0004768F6183} (CryptoRSA Control) - https://www.p3.postbank.nl/sesam/CAX.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5036.cab
O16 - DPF: {91F52A42-C10D-49A7-B941-882C657C604F} (Installation Helper Object) - http://kitcentral.wanadoo.nl/download/install/win32/nl/instwact/instwact.dll
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} - http://www2.incredimail.com/contents/setup/downloader/imloader.cab
O23 - Service: Apache2.2 - Apache Software Foundation - C:\xampp\apache\bin\apache.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Visual Studio Debugger Proxy Service (DbgProxy) - Unknown owner - C:\Program Files\Microsoft Visual Studio.NET\Common7\Packages\Debugger\dbgproxy.exe (file missing)
O23 - Service: dlbu_device - Dell - C:\WINDOWS\system32\dlbucoms.exe
O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - c:\xampp\FileZillaFTP\FileZillaServer.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: mysql - Unknown owner - C:\xampp\mysql\bin\mysqld-nt.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

--
End of file - 10291 bytes
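The log above contains the two things a helper looks for first: an R0 start page that keeps coming back, and an O4 Run entry launching a file named like a Windows system binary (`spoolsv.exe`) from `C:\Windows\temp` rather than `system32`. The following triage script is an added example (it is not HijackThis code and not part of this thread); it parses HJT-style R0/O4 lines and flags those two patterns. The list of expected start pages (the Microsoft default and the ISP page from the O14 line) and the list of system binary names are assumptions chosen for this illustration, and the sample log is constructed from lines copied from the post.

```python
"""Triage helper for HijackThis-style log lines (added example, not HJT's own code).

Flags two patterns visible in the thread's log:
  * an Internet Explorer start page that is not one of the expected defaults;
  * an O4 Run entry whose executable sits in a user-writable/temp directory or
    borrows the name of a Windows system binary while living outside system32.
"""
import re
from pathlib import PureWindowsPath

# Assumption: these are the owner's legitimate start pages (Microsoft default
# and the ISP page listed under O14 in the log). Anything else is reported.
EXPECTED_START_PAGES = {
    "http://go.microsoft.com/fwlink/?LinkId=69157",
    "http://www.orange.nl/",
}

# Assumption: names of Windows system binaries that malware commonly borrows.
SYSTEM_BINARY_NAMES = {
    "spoolsv.exe", "svchost.exe", "lsass.exe", "csrss.exe",
    "winlogon.exe", "services.exe",
}

# Lower-cased directory prefixes that ordinary users can write to.
USER_WRITABLE_PREFIXES = (
    "c:\\windows\\temp\\",
    "c:\\documents and settings\\",
    "c:\\users\\",
)
SYSTEM32 = "c:\\windows\\system32\\"

R_LINE = re.compile(r"^R[01] - (?P<hive>HK\w+)\\.*?,Start Page = (?P<url>\S+)")
O4_LINE = re.compile(r"^O4 - (?P<where>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")


def executable_from_command(cmd: str) -> str:
    """Return the executable path from an autorun command line.

    Handles quoted paths ("C:\\Program Files\\x.exe" /flag) and unquoted paths
    that may contain spaces (C:\\Program Files\\x.exe /STARTUP).
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    match = re.match(r"(.+?\.exe)(?=\s|$)", cmd, re.IGNORECASE)
    return match.group(1) if match else cmd.split()[0]


def triage(log_text: str) -> list[tuple[str, str]]:
    """Return (log line, reason) pairs for every suspicious R0/R1 or O4 entry."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = R_LINE.match(line)
        if m:
            if m.group("url") not in EXPECTED_START_PAGES:
                findings.append((line, f"unexpected start page in {m.group('hive')}: {m.group('url')}"))
            continue
        m = O4_LINE.match(line)
        if not m:
            continue  # Startup-folder O4 lines and other sections are not handled here
        exe = executable_from_command(m.group("cmd"))
        exe_lc = exe.lower()
        name = PureWindowsPath(exe_lc).name
        reasons = []
        if name in SYSTEM_BINARY_NAMES and not exe_lc.startswith(SYSTEM32):
            reasons.append(f"system binary name '{name}' running from {exe}")
        if exe_lc.startswith(USER_WRITABLE_PREFIXES):
            reasons.append(f"autorun from user-writable directory: {exe}")
        if reasons:
            findings.append((line, "; ".join(reasons)))
    return findings


# Constructed sample: lines copied from the HijackThis log in the post above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.lookanddiscover.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [spoolsv] "C:\Windows\temp\spoolsv\spoolsv.exe"
O4 - HKLM\..\Run: [USB Storage Toolbox] C:\Program Files\USB Disk Win98 Driver\Res.EXE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
"""

if __name__ == "__main__":
    for entry, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {entry}")
```

Run as-is the script reports exactly two entries from the sample: the HKCU start page pointing at lookanddiscover.com and the `spoolsv` Run entry, the latter for both reasons at once. Benign entries such as AVG in `C:\PROGRA~1` or ctfmon in `system32` are not reported, which is the point of keying on the directory rather than on the file name alone.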

Blade81
2009-03-05, 21:11
Hi,

Download DDS and save it to your desktop from here (http://www.techsupportforum.com/sectools/sUBs/dds) or here (http://download.bleepingcomputer.com/sUBs/dds.scr) or here (http://www.forospyware.com/sUBs/dds).
Disable any script blocker, and then double click dds.scr to run the tool.
When done, DDS will open two (2) logs:
DDS.txt
Attach.txt

Save both reports to your desktop. Post them back to your topic.

folmere
2009-03-07, 18:40
Hi Blade81

Thanks for helping me with this problem. I have attached the DDS.txt file and the Attach.txt file.


DDS (Ver_09-02-01.01) - NTFSx86
Run by Erica at 17:29:02,18 on za 07-03-2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.31.1043.18.511.132 [GMT 1:00]

AV: AVG 7.5.557 *On-access scanning enabled* (Updated)
AV: NOD32 antivirus systeem 2.50 *On-access scanning disabled* (Outdated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\xampp\apache\bin\apache.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\xampp\mysql\bin\mysqld-nt.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\xampp\apache\bin\apache.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell Photo AIO Printer 942\dlbubmgr.exe
C:\Program Files\Dell Photo AIO Printer 942\memcard.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Dell Photo AIO Printer 942\dlbubmon.exe
C:\Program Files\USB Disk Win98 Driver\Res.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Windows\temp\spoolsv\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\MI3AA1~1\wcescomm.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\WINDOWS\twain_32\A4S2600X\WATCH.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Erica\Local Settings\Temporary Internet Files\Content.IE5\FNZZLQ8K\dds[1].scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT1392740
uSearch Page = hxxp://www.google.com
uWindow Title = Orange
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}
uSearch Bar = hxxp://www.google.com/ie
mSearch Bar =
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: H - No File
uURLSearchHooks: MyPlayCity Toolbar: {4724c5d8-dfa7-417a-a2f5-1eabfee9b4ac} - c:\program files\myplaycity\tbMyP1.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: MyPlayCity Toolbar: {4724c5d8-dfa7-417a-a2f5-1eabfee9b4ac} - c:\program files\myplaycity\tbMyP1.dll
BHO: : {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: MyPlayCity Toolbar: {4724c5d8-dfa7-417a-a2f5-1eabfee9b4ac} - c:\program files\myplaycity\tbMyP1.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {4E7BD74F-2B8D-469E-86BD-FD60BB9AAE3A} - No File
TB: MSTBR: {10ca15ea-c0a5-7caf-b9e9-b8b2a87efe11} -
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [IncrediMail] c:\progra~1\incred~1\bin\IncMail.exe /c
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [H/PC Connection Agent] "c:\progra~1\mi3aa1~1\wcescomm.exe"
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [StorageGuard] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NeroCheck] c:\windows\system32\NeroCheck.exe
mRun: [Dell Photo AIO Printer 942] "c:\program files\dell photo aio printer 942\dlbubmgr.exe"
mRun: [DellMCM] "c:\program files\dell photo aio printer 942\memcard.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [USB Storage Toolbox] c:\program files\usb disk win98 driver\Res.EXE
mRun: [AVG7_CC] c:\progra~1\grisoft\avg7\avgcc.exe /STARTUP
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [spoolsv] "c:\windows\temp\spoolsv\spoolsv.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [Norton SystemWorks] "c:\program files\norton systemworks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
dRun: [AVG7_Run] c:\progra~1\grisoft\avg7\avgw.exe /RUNONCE
StartupFolder: c:\docume~1\erica\menust~1\progra~1\opstar~1\erunta~1.lnk - c:\program files\tools\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\erica\menust~1\progra~1\opstar~1\watch.lnk - c:\windows\twain_32\a4s2600x\WATCH.exe
StartupFolder: c:\docume~1\erica\menust~1\progra~1\opstar~1\webshots.lnk - c:\program files\webshots\Launcher.exe
StartupFolder: c:\docume~1\alluse~1\menust~1\progra~1\opstar~1\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\menust~1\progra~1\opstar~1\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\menust~1\progra~1\opstar~1\nkbmon~1.lnk - c:\program files\nikon\pictureproject\NkbMonitor.exe
IE: &Add animation to IncrediMail Style Box - c:\progra~1\incred~1\bin\resources\WebMenuImg.htm
IE: {2D663D1A-8670-49D9-A1A5-4C56B4E14E84}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
DPF: {003FADA5-8FEE-11D6-AFB7-0004768F6183} - hxxps://www.p3.postbank.nl/sesam/CAX.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5036.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {91F52A42-C10D-49A7-B941-882C657C604F} - hxxp://kitcentral.wanadoo.nl/download/install/win32/nl/instwact/instwact.dll
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} - hxxp://www2.incredimail.com/contents/setup/downloader/imloader.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath -

============= SERVICES / DRIVERS ===============

R1 Avg7Core;AVG7 Kernel;c:\windows\system32\drivers\avg7core.sys [2007-3-21 821856]
R1 Avg7RsW;AVG7 Wrap Driver;c:\windows\system32\drivers\avg7rsw.sys [2007-3-21 4224]
R1 Avg7RsXP;AVG7 Resident Driver XP;c:\windows\system32\drivers\avg7rsxp.sys [2007-3-21 27776]
R1 AvgClean;AVG7 Clean Driver;c:\windows\system32\drivers\avgclean.sys [2007-3-21 10760]
R2 Apache2.2;Apache2.2;c:\xampp\apache\bin\apache.exe [2007-3-5 16896]
R2 Avg7Alrt;AVG7 Alert Manager Server;c:\progra~1\grisoft\avg7\avgamsvr.exe [2007-3-21 418816]
R2 Avg7UpdSvc;AVG7 Update Service;c:\progra~1\grisoft\avg7\avgupsvc.exe [2007-3-21 49664]
R2 AVGEMS;AVG E-mail Scanner;c:\progra~1\grisoft\avg7\avgemc.exe [2007-3-21 406528]
R2 AvgTdi;AVG Network Redirector;c:\windows\system32\drivers\avgtdi.sys [2007-3-21 4960]
R2 NOD32krn;NOD32 Kernel Service;c:\program files\eset\nod32krn.exe [2005-10-22 495616]
R3 SFC4;SFC4;c:\windows\system32\drivers\sfc4.sys [2004-10-19 41472]
S3 DbgProxy;Visual Studio Debugger Proxy Service;c:\program files\microsoft visual studio.net\common7\packages\debugger\dbgproxy.exe --> c:\program files\microsoft visual studio.net\common7\packages\debugger\dbgproxy.exe [?]
S3 MRVW225;802.11g/b Wireless LAN Dirver for Windows XP;c:\windows\system32\drivers\MRVW225.sys [2007-7-29 299904]
S3 OM2800;TRUST 380 USB2 SPACEC@M;c:\windows\system32\drivers\OVTCAM2.SYS [2004-10-19 250343]
S3 ZDCndis5;ZDCndis5 Protocol Driver;\??\c:\windows\system32\zdcndis5.sys --> c:\windows\system32\ZDCndis5.SYS [?]

=============== Created Last 30 ================

2009-03-07 17:14 <DIR> --d----- c:\docume~1\alluse~1\applic~1\DivoGames
2009-03-07 17:14 <DIR> --d----- c:\program files\Conduit
2009-03-07 17:14 <DIR> --d----- c:\program files\MyPlayCity
2009-03-04 13:36 <DIR> --d----- c:\program files\Tools
2009-03-04 10:30 <DIR> --d----- c:\program files\Trend Micro

==================== Find3M ====================

2009-02-10 09:09 2,516 ac-sh--- c:\windows\system32\KGyGaAvL.sys
2008-12-21 00:03 826,368 a------- c:\windows\system32\wininet.dll
2008-07-20 13:10 87,608 ac------ c:\docume~1\erica\applic~1\inst.exe
2008-07-20 13:10 47,360 ac------ c:\docume~1\erica\applic~1\pcouffin.sys
2007-12-19 20:58 32 ac------ c:\docume~1\alluse~1\applic~1\ezsid.dat
2008-08-26 20:28 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\geschiedenis\history.ie5\mshist012008082620080827\index.dat
2007-11-30 22:27 1,260 a--sh--- c:\windows\temp\spoolsv\a.reg
2007-11-28 12:56 194 a--sh--- c:\windows\temp\spoolsv\run.bat
2007-11-28 09:27 1,790,464 a--shr-- c:\windows\temp\spoolsv\spoolsv.exe

============= FINISH: 17:30:02,31 ===============


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-02-01.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 11-10-2004 23:04:04
System Uptime: 3-7-2009 15:34:46 (-2830 hours ago)

Motherboard: Dell Computer Corp. | | 0F4491
Processor: Intel(R) Pentium(R) 4 CPU 3.00GHz | Microprocessor | 2992/800mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 112 GiB total, 61,249 GiB free.
D: is CDROM ()
E: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP810: 1-12-2008 12:24:22 - Controlepunt van systeem
RP811: 2-12-2008 19:27:51 - Controlepunt van systeem
RP812: 4-12-2008 9:01:27 - Controlepunt van systeem
RP813: 5-12-2008 15:11:59 - Installed Private Folder & Playlist.
RP814: 6-12-2008 10:07:09 - Installed Java(TM) 6 Update 10
RP815: 8-12-2008 18:53:40 - Controlepunt van systeem
RP816: 11-12-2008 12:28:06 - Controlepunt van systeem
RP817: 11-12-2008 15:17:10 - Software Distribution Service 3.0
RP818: 13-12-2008 15:03:09 - Installed Java(TM) 6 Update 11
RP819: 14-12-2008 15:53:23 - Controlepunt van systeem
RP820: 22-12-2008 13:16:44 - Software Distribution Service 3.0
RP821: 23-12-2008 13:34:21 - Controlepunt van systeem
RP822: 28-12-2008 10:59:21 - Controlepunt van systeem
RP823: 29-12-2008 11:40:09 - Controlepunt van systeem
RP824: 30-12-2008 14:11:14 - Controlepunt van systeem
RP825: 1-1-2009 11:50:04 - Controlepunt van systeem
RP826: 4-1-2009 11:01:37 - Controlepunt van systeem
RP827: 5-1-2009 20:57:11 - Controlepunt van systeem
RP828: 7-1-2009 13:08:00 - Controlepunt van systeem
RP829: 9-1-2009 10:48:44 - Controlepunt van systeem
RP830: 16-1-2009 13:05:30 - Software Distribution Service 3.0
RP831: 19-1-2009 11:47:18 - Controlepunt van systeem
RP832: 22-1-2009 19:03:29 - Controlepunt van systeem
RP833: 25-1-2009 12:14:25 - Controlepunt van systeem
RP834: 30-1-2009 12:05:53 - Controlepunt van systeem
RP835: 6-2-2009 16:46:42 - Controlepunt van systeem
RP836: 10-2-2009 9:33:33 - Controlepunt van systeem
RP837: 12-2-2009 17:56:58 - Controlepunt van systeem
RP838: 12-2-2009 20:51:04 - Software Distribution Service 3.0
RP839: 14-2-2009 12:11:31 - Controlepunt van systeem
RP840: 14-2-2009 12:18:48 - Software Distribution Service 3.0
RP841: 22-2-2009 14:44:19 - Controlepunt van systeem
RP842: 25-2-2009 12:45:39 - Software Distribution Service 3.0
RP843: 26-2-2009 22:52:55 - Controlepunt van systeem
RP844: 4-3-2009 12:57:24 - Controlepunt van systeem
RP845: 6-3-2009 17:11:41 - Controlepunt van systeem

==== Installed Programs ======================

2007 Microsoft Office Suite Service Pack 1 (SP1)
3D Ultra Minigolf Adventures
Aangifte inkomstenbelasting 2007
Ad-Aware SE Personal
Adobe Acrobat Reader 3.01
Adobe Flash Player ActiveX
Adobe Photoshop Album 2.0 Starter Edition
Adobe Reader 7.0.9 - Nederlands
Adventure Pinball (c) Electronic Arts
Ahead Nero - Burning Rom
Apple Software Update
ArcSoft Panorama Maker 3
Around the World in 80 Days Deluxe
Atlantis Quest
AVG 7.5
Belasting cd-rom 2005
Bengal - Game Of Gods
Beveiligingsupdate for Windows Media Player 10 (KB911565)
Beveiligingsupdate for Windows Media Player 10 (KB917734)
Beveiligingsupdate for Windows XP (KB923689)
Beveiligingsupdate for Windows XP (KB941569)
Beveiligingsupdate voor Windows Internet Explorer 7 (KB937143)
Beveiligingsupdate voor Windows Internet Explorer 7 (KB938127)
Beveiligingsupdate voor Windows Internet Explorer 7 (KB939653)
Beveiligingsupdate voor Windows Internet Explorer 7 (KB942615)
Beveiligingsupdate voor Windows Internet Explorer 7 (KB944533)
Beveiligingsupdate voor Windows Internet Explorer 7 (KB950759)
Beveiligingsupdate voor Windows Internet Explorer 7 (KB953838)
Beveiligingsupdate voor Windows Internet Explorer 7 (KB956390)
Beveiligingsupdate voor Windows Internet Explorer 7 (KB958215)
Beveiligingsupdate voor Windows Internet Explorer 7 (KB960714)
Beveiligingsupdate voor Windows Internet Explorer 7 (KB961260)
Beveiligingsupdate voor Windows Media Player (KB911564)
Beveiligingsupdate voor Windows Media Player (KB952069)
Beveiligingsupdate voor Windows Media Player 11 (KB936782)
Beveiligingsupdate voor Windows Media Player 11 (KB954154)
Beveiligingsupdate voor Windows Media Player 6.4 (KB925398)
Beveiligingsupdate voor Windows XP (KB938464)
Beveiligingsupdate voor Windows XP (KB946648)
Beveiligingsupdate voor Windows XP (KB950760)
Beveiligingsupdate voor Windows XP (KB950762)
Beveiligingsupdate voor Windows XP (KB950974)
Beveiligingsupdate voor Windows XP (KB951066)
Beveiligingsupdate voor Windows XP (KB951376-v2)
Beveiligingsupdate voor Windows XP (KB951376)
Beveiligingsupdate voor Windows XP (KB951698)
Beveiligingsupdate voor Windows XP (KB951748)
Beveiligingsupdate voor Windows XP (KB952954)
Beveiligingsupdate voor Windows XP (KB953155)
Beveiligingsupdate voor Windows XP (KB953839)
Beveiligingsupdate voor Windows XP (KB954211)
Beveiligingsupdate voor Windows XP (KB954459)
Beveiligingsupdate voor Windows XP (KB954600)
Beveiligingsupdate voor Windows XP (KB955069)
Beveiligingsupdate voor Windows XP (KB956391)
Beveiligingsupdate voor Windows XP (KB956802)
Beveiligingsupdate voor Windows XP (KB956803)
Beveiligingsupdate voor Windows XP (KB956841)
Beveiligingsupdate voor Windows XP (KB957095)
Beveiligingsupdate voor Windows XP (KB957097)
Beveiligingsupdate voor Windows XP (KB958644)
Beveiligingsupdate voor Windows XP (KB958687)
Beveiligingsupdate voor Windows XP (KB960715)
Big Kahuna Reef
Big Kahuna Reef Deluxe
BitLord 1.1
BookWorm Deluxe
Butterfly Escape
Canon Camera Access Library
Canon Camera Support Core Library
Canon Camera Window DC_DV 5 for ZoomBrowser EX
Canon Camera Window DC_DV 6 for ZoomBrowser EX
Canon Camera Window MC 6 for ZoomBrowser EX
CANON iMAGE GATEWAY Task for ZoomBrowser EX
Canon Internet Library for ZoomBrowser EX
Canon RAW Image Task for ZoomBrowser EX
Canon RemoteCapture Task for ZoomBrowser EX
Canon Utilities Digital Photo Professional 2.2
Canon Utilities EOS Utility
Canon Utilities PhotoStitch
Canon Utilities ZoomBrowser EX
Charm Tale Deluxe
Citrix Presentation Server Client - Web Only
Color Trial
Corel Paint Shop Pro Photo X2
Cradle of Rome Deluxe
Cubis Gold 2
De Persoonlijke MS Word Helpdesk
Dell Photo AIO Printer 942
Dell ResourceCD
Dreamworlds Open Mini Golf
DVD Shrink 3.2
ERUNT 1.1j
FaceMorpher 1.0
Google Earth
Google Toolbar for Internet Explorer
HijackThis 2.0.2
Hitman Pro
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix voor Windows Internet Explorer 7 (KB947864)
Hotfix voor Windows Media Player 11 (KB939683)
Hotfix voor Windows XP (KB952287)
IncrediMail Xe
Intel(R) PRO Network Adapters and Drivers
iPAQ WebReg
iPhoto Plus 4
J2SE Runtime Environment 5.0 Update 2
Jasc Paint Shop Photo Album
Jasc Paint Shop Pro 8 Dell Edition
Java(TM) 6 Update 11
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) 6 Update 7
Jewel Quest 2 Deluxe
L&H TTS3000 Nederlands
Magic Lanterns
Magic Match (remove only)
Magic Match 2
Mahjong Journey of Enlightenment
Mahjong Match
Mahjong World
Mahjongg Artifacts 2
Microsoft .NET Compact Framework 2.0 SP2
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0
Microsoft ActiveSync 4.0
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Data Access Components KB870669
Microsoft FrontPage Client - English
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 Professional
Microsoft Office Outlook 2007
Microsoft Office Outlook 2007 Trial
Microsoft Office Outlook MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Outlook 2002
Microsoft Software Update for Web Folders (English) 12
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft SQL Server 2005 Tools Express Edition CTP
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual J# .NET Redistributable Package 1.1
Microsoft Visual Studio .NET Enterprise Developer 2003 - English
Microsoft Works 7.0
mIRC
Mozilla Firefox (3.0.6)
MSDN Library for Visual Studio .NET 2003
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MyPlayCity Toolbar
Mythic Mahjong
NewsBin Pro 4.3
Nikon FotoShare
Nikon Message Center
NOD32 antivirus systeem
NVIDIA Windows 2000/XP Display Drivers
Pantheon
Peggle Extreme
Pestering Birds
PictureProject
Port Detective
PowerDVD
Private Folder & Playlist
QuickTime
Rainbow Web 2
Rainforest Adventure Deluxe
ReaThumbnails 1.5
SAMSUNG CDMA Modem Driver Set
SAMSUNG Mobile Composite Device Software
Samsung Mobile phone USB driver Software
SAMSUNG Mobile USB Modem 1.0 Software
SAMSUNG Mobile USB Modem Software
Samsung PC Studio 3
Samsung PC Studio 3 USB Driver Installer
Security Update for 2007 Microsoft Office System (KB951550)
Security Update for 2007 Microsoft Office System (KB951944)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft Office system 2007 (KB954326)
Security Update for Microsoft Office Word 2007 (KB956358)
Security Update voor Microsoft .NET Framework 2.0 (KB928365)
Shockwave
SigmaTel MSCN Audio Player
SmartFTP Client
SmartFTP Client 2.5 Setup Files (remove only)
SmartFTP Client 3.0 Setup Files (remove only)
Sonic DLA
Sonic RecordNow!
Sonic Update Manager
SoundMAX
SpaceMonger 2.1.1
Spy Sweeper
Spybot - Search & Destroy 1.4
SpywareBlaster v3.5.1
Subsea Relic
The legend of El Dorado Deluxe
TomTom HOME
TRUST 380 USB2 SPACEC@M
Trust Easy Connect 19200 v1.0
Update for Microsoft Office Outlook 2007 (KB952142)
Update for Office 2007 (KB946691)
Update for Outlook 2007 Junk Email Filter (kb959634)
Update voor Windows XP (KB951072-v2)
Update voor Windows XP (KB951978)
Update voor Windows XP (KB955839)
Update voor Windows XP (KB967715)
USB Disk Win98 Driver
VC_MergeModuleToMSI
Visual Studio .NET Enterprise Developer 2003 - English
Visual Studio.NET Baseline - English
WebFldrs XP
Webshots Desktop
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Internet Explorer 7
Windows Live Fotogalerij
Windows Live installer
Windows Live OneCare safety scanner
Windows Media Format 11 runtime
Windows Media Player 11
Windows Vista Upgrade Advisor
Windows XP Service Pack 3
WinRAR
XAMPP 1.6.3a
ZooEasy v6

==== End Of File ===========================

Blade81
2009-03-07, 23:02
Hi

Ad-aware SE is not supported anymore and that's why I recommend uninstalling it. You may get Ad-Aware AE later after system cleaning has been done :) Same thing with Spybot - Search & Destroy 1.4. You should uninstall it and get the latest one (1.6).

Uninstall your extra antivirus programs, leaving only one installed. I recommend leaving AVG and uninstalling Nod32 since it seems to be an outdated one.

Uninstall these vulnerable Java versions:
J2SE Runtime Environment 5.0 Update 2
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) 6 Update 7


Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:


Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix, link (http://www.bleepingcomputer.com/forums/topic114351.html)
Remember to re-enable them afterwards.


Click Yes to allow ComboFix to continue scanning for malware.


When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New dds.txt log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

folmere
2009-03-09, 22:02
Thanks again for helping. I have copied the contents of the Combofix.txt file. I am however not sure about the DDS LOG.txt file, as the logfile I saved to my desktop seems the same as the Combofix file.

Combofix.txt

ComboFix 09-03-06.02 - Erica 2009-03-09 20:22:59.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1043.18.511.198 [GMT 1:00]
Gestart vanuit: c:\documents and settings\Erica\Bureaublad\ComboFix.exe
AV: AVG 7.5.557 *On-access scanning disabled* (Updated)
* Nieuw herstelpunt werd aangemaakt
.

(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Erica\Application Data\inst.exe
c:\documents and settings\Rosanna\Menu Start\Programma's\Videos.url
c:\windows\IE4 Error Log.txt
c:\windows\system32\Cache
c:\windows\Temp\spoolsv
c:\windows\Temp\spoolsv\a.reg
c:\windows\Temp\spoolsv\aliases.ini
c:\windows\Temp\spoolsv\com.mrc
c:\windows\Temp\spoolsv\control.ini
c:\windows\Temp\spoolsv\fullname.txt
c:\windows\Temp\spoolsv\ident.txt
c:\windows\Temp\spoolsv\mirc.ico
c:\windows\Temp\spoolsv\mirc.ini
c:\windows\Temp\spoolsv\remote.ini
c:\windows\Temp\spoolsv\run.bat
c:\windows\Temp\spoolsv\s.mrc
c:\windows\Temp\spoolsv\servers.ini
c:\windows\Temp\spoolsv\spoolsv.exe
c:\windows\Temp\spoolsv\users.ini
c:\windows\Temp\spoolsv\xmas.jpg

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_svchost


(((((((((((((((((((( Bestanden Gemaakt van 2009-02-09 to 2009-03-09 ))))))))))))))))))))))))))))))
.

2009-03-07 17:14 . 2009-03-07 17:14 <DIR> d-------- c:\program files\MyPlayCity
2009-03-07 17:14 . 2009-03-07 17:14 <DIR> d-------- c:\program files\Conduit
2009-03-07 17:14 . 2009-03-07 17:14 <DIR> d-------- c:\documents and settings\All Users\Application Data\DivoGames
2009-03-04 13:36 . 2009-03-04 13:36 <DIR> d-------- c:\program files\Tools
2009-03-04 10:30 . 2009-03-04 10:30 <DIR> d-------- c:\program files\Trend Micro
2009-02-22 15:42 . 2009-02-22 15:42 0 --a------ c:\windows\nsreg.dat

.
((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-09 18:44 --------- d-----w c:\program files\Java
2009-03-09 18:38 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-09 18:38 --------- d-----w c:\program files\Eset
2009-03-09 18:32 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-09 18:31 --------- d-----w c:\documents and settings\Erica\Application Data\Lavasoft
2009-03-07 16:12 --------- d-----w c:\program files\Games
2009-03-05 16:23 --------- d-----w c:\documents and settings\All Users\Application Data\Avg7
2009-02-21 12:21 --------- d-----w c:\documents and settings\Erica\Application Data\AVG7
2009-02-12 19:54 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-07-20 12:10 47,360 -c--a-w c:\documents and settings\Erica\Application Data\pcouffin.sys
2007-12-19 19:58 32 -c--a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2008-08-26 19:28 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\Geschiedenis\History.IE5\MSHist012008082620080827\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{4724c5d8-dfa7-417a-a2f5-1eabfee9b4ac}"= "c:\program files\MyPlayCity\tbMyP1.dll" [2009-03-07 1883672]

[HKEY_CLASSES_ROOT\clsid\{4724c5d8-dfa7-417a-a2f5-1eabfee9b4ac}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4724c5d8-dfa7-417a-a2f5-1eabfee9b4ac}]
2009-03-07 17:15 1883672 --a------ c:\program files\MyPlayCity\tbMyP1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{4724c5d8-dfa7-417a-a2f5-1eabfee9b4ac}"= "c:\program files\MyPlayCity\tbMyP1.dll" [2009-03-07 1883672]

[HKEY_CLASSES_ROOT\clsid\{4724c5d8-dfa7-417a-a2f5-1eabfee9b4ac}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{4724C5D8-DFA7-417A-A2F5-1EABFEE9B4AC}"= "c:\program files\MyPlayCity\tbMyP1.dll" [2009-03-07 1883672]

[HKEY_CLASSES_ROOT\clsid\{4724c5d8-dfa7-417a-a2f5-1eabfee9b4ac}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"IncrediMail"="c:\progra~1\INCRED~1\bin\IncMail.exe" [1724-12-25 188459]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-05 68856]
"H/PC Connection Agent"="c:\progra~1\MI3AA1~1\wcescomm.exe" [2006-06-20 1207080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2003-08-06 114741]
"StorageGuard"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-13 155648]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-10-17 4800512]
"NeroCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Dell Photo AIO Printer 942"="c:\program files\Dell Photo AIO Printer 942\dlbubmgr.exe" [2004-08-31 294912]
"DellMCM"="c:\program files\Dell Photo AIO Printer 942\memcard.exe" [2004-07-27 262144]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-05-27 413696]
"USB Storage Toolbox"="c:\program files\USB Disk Win98 Driver\Res.EXE" [2005-09-14 65536]
"AVG7_CC"="c:\progra~1\Grisoft\AVG7\avgcc.exe" [2009-02-25 590848]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]
"AVG7_Run"="c:\progra~1\Grisoft\AVG7\avgw.exe" [2007-10-23 219136]

c:\documents and settings\Rosanna\Menu Start\Programma's\Opstarten\
Webshots.lnk - c:\program files\Webshots\Launcher.exe [2005-07-29 45056]

c:\documents and settings\Erica\Menu Start\Programma's\Opstarten\
ERUNT AutoBackup.lnk - c:\program files\Tools\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
Watch.lnk - c:\windows\twain_32\A4S2600X\WATCH.exe [2004-10-19 378368]
Webshots.lnk - c:\program files\Webshots\Launcher.exe [2005-07-29 45056]

c:\documents and settings\All Users\Menu Start\Programma's\Opstarten\
Adobe Reader Snelle start.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
NkbMonitor.exe.lnk - c:\program files\Nikon\PictureProject\NkbMonitor.exe [2005-06-29 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MSACM.CEGSM"= mobilev.acm

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft ActiveSync\\WCESCOMM.EXE"=
"c:\\Program Files\\Microsoft ActiveSync\\WCESMGR.EXE"=
"c:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Port Detective\\PBDClient.exe"=
"c:\\Program Files\\BitLord\\BitLord.exe"=
"c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4662:TCP"= 4662:TCP:*:Disabled:emule
"4661:TCP"= 4661:TCP:*:Disabled:emule 1
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"21:TCP"= 21:TCP:*:Disabled:FTP Server
"20:TCP"= 20:TCP:*:Disabled:FTP Data

R2 Apache2.2;Apache2.2;c:\xampp\apache\bin\apache.exe [2007-03-05 16896]
R3 SFC4;SFC4;c:\windows\system32\drivers\sfc4.sys [2004-10-19 41472]
S3 DbgProxy;Visual Studio Debugger Proxy Service;c:\program files\Microsoft Visual Studio.NET\Common7\Packages\Debugger\dbgproxy.exe --> c:\program files\Microsoft Visual Studio.NET\Common7\Packages\Debugger\dbgproxy.exe [?]
S3 MRVW225;802.11g/b Wireless LAN Dirver for Windows XP;c:\windows\system32\drivers\MRVW225.sys [2007-07-29 299904]
S3 OM2800;TRUST 380 USB2 SPACEC@M;c:\windows\system32\drivers\OVTCAM2.SYS [2004-10-19 250343]
S3 ZDCndis5;ZDCndis5 Protocol Driver;\??\c:\windows\system32\ZDCndis5.SYS --> c:\windows\system32\ZDCndis5.SYS [?]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3ead6d2a-6c3b-11dd-be85-000cf1d6c891}]
\Shell\AutoRun\command - F:\InstallTomTomHOME.exe
.
Inhoud van de 'Gedeelde Taken' map

2008-06-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]
.
- - - - ORPHANS VERWIJDERD - - - -

HKU-Default-Run-Norton SystemWorks - c:\program files\Norton SystemWorks\cfgwiz.exe


.
------- Bijkomende Scan -------
.
uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT1392740
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}
mSearch Bar =
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: &Add animation to IncrediMail Style Box - c:\progra~1\INCRED~1\bin\resources\WebMenuImg.htm
DPF: {003FADA5-8FEE-11D6-AFB7-0004768F6183} - hxxps://www.p3.postbank.nl/sesam/CAX.cab
DPF: {91F52A42-C10D-49A7-B941-882C657C604F} - hxxp://kitcentral.wanadoo.nl/download/install/win32/nl/instwact/instwact.dll
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-09 20:36:33
Windows 5.1.2600 Service Pack 3 NTFS

scannen van verborgen processen ...

scannen van verborgen autostart items ...

scannen van verborgen bestanden ...

Scan succesvol afgerond
verborgen bestanden: 0

**************************************************************************
.
--------------------- VERGRENDELDE REGISTER SLEUTELS ---------------------

[HKEY_USERS\S-1-5-21-1177238915-1060284298-725345543-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
------------------------ Andere Aktieve Processen ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\progra~1\Grisoft\AVG7\avgamsvr.exe
c:\progra~1\Grisoft\AVG7\avgupsvc.exe
c:\progra~1\Grisoft\AVG7\avgemc.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\xampp\mysql\bin\mysqld-nt.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PSIService.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\wscntfy.exe
c:\program files\Dell Photo AIO Printer 942\dlbubmon.exe
c:\progra~1\Webshots\webshots.scr
c:\progra~1\MI3AA1~1\rapimgr.exe
c:\progra~1\INCRED~1\bin\IMApp.exe
.
**************************************************************************
.
Voltooingstijd: 2009-03-09 20:44:26 - machine werd herstart
ComboFix-quarantined-files.txt 2009-03-09 19:44:23

Pre-Run: 65.705.811.968 bytes beschikbaar
Post-Run: 66,908,442,624 bytes beschikbaar

WindowsXP-KB310994-SP2-Pro-BootDisk-NLD.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

205 --- E O F --- 2009-02-25 11:46:50

folmere
2009-03-09, 22:13
Hi

I have copied the contents of a new dds.txt file.


DDS (Ver_09-02-01.01) - NTFSx86
Run by Erica at 21:10:12,82 on ma 09-03-2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.31.1043.18.511.107 [GMT 1:00]

AV: AVG 7.5.557 *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\xampp\apache\bin\apache.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\xampp\mysql\bin\mysqld-nt.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\xampp\apache\bin\apache.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell Photo AIO Printer 942\dlbubmgr.exe
C:\Program Files\Dell Photo AIO Printer 942\memcard.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\USB Disk Win98 Driver\Res.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Dell Photo AIO Printer 942\dlbubmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\MI3AA1~1\wcescomm.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\WINDOWS\twain_32\A4S2600X\WATCH.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Erica\Bureaublad\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT1392740
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}
mSearch Bar =
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: H - No File
uURLSearchHooks: MyPlayCity Toolbar: {4724c5d8-dfa7-417a-a2f5-1eabfee9b4ac} - c:\program files\myplaycity\tbMyP1.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: MyPlayCity Toolbar: {4724c5d8-dfa7-417a-a2f5-1eabfee9b4ac} - c:\program files\myplaycity\tbMyP1.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: MyPlayCity Toolbar: {4724c5d8-dfa7-417a-a2f5-1eabfee9b4ac} - c:\program files\myplaycity\tbMyP1.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: MSTBR: {10ca15ea-c0a5-7caf-b9e9-b8b2a87efe11} -
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [IncrediMail] c:\progra~1\incred~1\bin\IncMail.exe /c
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [H/PC Connection Agent] "c:\progra~1\mi3aa1~1\wcescomm.exe"
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [StorageGuard] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NeroCheck] c:\windows\system32\NeroCheck.exe
mRun: [Dell Photo AIO Printer 942] "c:\program files\dell photo aio printer 942\dlbubmgr.exe"
mRun: [DellMCM] "c:\program files\dell photo aio printer 942\memcard.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [USB Storage Toolbox] c:\program files\usb disk win98 driver\Res.EXE
mRun: [AVG7_CC] c:\progra~1\grisoft\avg7\avgcc.exe /STARTUP
mRun: [SunJavaUpdateSched] c:\program files\java\jre6\bin\jusched.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [AVG7_Run] c:\progra~1\grisoft\avg7\avgw.exe /RUNONCE
StartupFolder: c:\docume~1\erica\menust~1\progra~1\opstar~1\erunta~1.lnk - c:\program files\tools\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\erica\menust~1\progra~1\opstar~1\watch.lnk - c:\windows\twain_32\a4s2600x\WATCH.exe
StartupFolder: c:\docume~1\erica\menust~1\progra~1\opstar~1\webshots.lnk - c:\program files\webshots\Launcher.exe
StartupFolder: c:\docume~1\alluse~1\menust~1\progra~1\opstar~1\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\menust~1\progra~1\opstar~1\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\menust~1\progra~1\opstar~1\nkbmon~1.lnk - c:\program files\nikon\pictureproject\NkbMonitor.exe
IE: &Add animation to IncrediMail Style Box - c:\progra~1\incred~1\bin\resources\WebMenuImg.htm
IE: {2D663D1A-8670-49D9-A1A5-4C56B4E14E84}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
DPF: {003FADA5-8FEE-11D6-AFB7-0004768F6183} - hxxps://www.p3.postbank.nl/sesam/CAX.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5036.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {91F52A42-C10D-49A7-B941-882C657C604F} - hxxp://kitcentral.wanadoo.nl/download/install/win32/nl/instwact/instwact.dll
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} - hxxp://www2.incredimail.com/contents/setup/downloader/imloader.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath -

============= SERVICES / DRIVERS ===============

R1 Avg7Core;AVG7 Kernel;c:\windows\system32\drivers\avg7core.sys [2007-3-21 821856]
R1 Avg7RsW;AVG7 Wrap Driver;c:\windows\system32\drivers\avg7rsw.sys [2007-3-21 4224]
R1 Avg7RsXP;AVG7 Resident Driver XP;c:\windows\system32\drivers\avg7rsxp.sys [2007-3-21 27776]
R1 AvgClean;AVG7 Clean Driver;c:\windows\system32\drivers\avgclean.sys [2007-3-21 10760]
R2 Apache2.2;Apache2.2;c:\xampp\apache\bin\apache.exe [2007-3-5 16896]
R2 Avg7Alrt;AVG7 Alert Manager Server;c:\progra~1\grisoft\avg7\avgamsvr.exe [2007-3-21 418816]
R2 Avg7UpdSvc;AVG7 Update Service;c:\progra~1\grisoft\avg7\avgupsvc.exe [2007-3-21 49664]
R2 AVGEMS;AVG E-mail Scanner;c:\progra~1\grisoft\avg7\avgemc.exe [2007-3-21 406528]
R2 AvgTdi;AVG Network Redirector;c:\windows\system32\drivers\avgtdi.sys [2007-3-21 4960]
R3 SFC4;SFC4;c:\windows\system32\drivers\sfc4.sys [2004-10-19 41472]
S3 DbgProxy;Visual Studio Debugger Proxy Service;c:\program files\microsoft visual studio.net\common7\packages\debugger\dbgproxy.exe --> c:\program files\microsoft visual studio.net\common7\packages\debugger\dbgproxy.exe [?]
S3 MRVW225;802.11g/b Wireless LAN Dirver for Windows XP;c:\windows\system32\drivers\MRVW225.sys [2007-7-29 299904]
S3 OM2800;TRUST 380 USB2 SPACEC@M;c:\windows\system32\drivers\OVTCAM2.SYS [2004-10-19 250343]
S3 ZDCndis5;ZDCndis5 Protocol Driver;\??\c:\windows\system32\zdcndis5.sys --> c:\windows\system32\ZDCndis5.SYS [?]

=============== Created Last 30 ================

2009-03-09 20:12 <DIR> a-dshr-- C:\cmdcons
2009-03-09 20:09 161,792 a------- c:\windows\SWREG.exe
2009-03-09 20:09 98,816 a------- c:\windows\sed.exe
2009-03-07 17:14 <DIR> --d----- c:\docume~1\alluse~1\applic~1\DivoGames
2009-03-07 17:14 <DIR> --d----- c:\program files\Conduit
2009-03-07 17:14 <DIR> --d----- c:\program files\MyPlayCity
2009-03-04 13:36 <DIR> --d----- c:\program files\Tools
2009-03-04 10:30 <DIR> --d----- c:\program files\Trend Micro

==================== Find3M ====================

2009-02-10 09:09 2,516 ac-sh--- c:\windows\system32\KGyGaAvL.sys
2008-12-21 00:03 826,368 a------- c:\windows\system32\wininet.dll
2008-07-20 13:10 47,360 ac------ c:\docume~1\erica\applic~1\pcouffin.sys
2007-12-19 20:58 32 ac------ c:\docume~1\alluse~1\applic~1\ezsid.dat
2008-08-26 20:28 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\geschiedenis\history.ie5\mshist012008082620080827\index.dat

============= FINISH: 21:10:59,31 ===============

Blade81
2009-03-10, 09:35
IMPORTANT: I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.

BitLord


I'd like you to read this thread (http://forums.spybot.info/showthread.php?t=282).

Please go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).

Delete these folders afterwards:

C:\Program Files\BitLord


Empty Recycle Bin.

After that:


Uninstall old Adobe Reader versions and get the latest one here (http://www.filehippo.com/download_adobe_reader/) or get Foxit Reader here (http://www.foxitsoftware.com/pdf/reader_2/down_reader.htm). Make sure you don't install the toolbar if you choose Foxit Reader!


Open notepad and copy/paste the text in the quotebox below into it:



DDS::
uURLSearchHooks: H - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: MSTBR: {10ca15ea-c0a5-7caf-b9e9-b8b2a87efe11} -
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

Folder::
C:\Program Files\BitLord

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\BitLord\\BitLord.exe"=-

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4662:TCP"=-
"4661:TCP"=-



Save this as CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.


ComboFix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager, then the Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg; then ComboFix should continue.
If that happened we want to know, and also what process you had to end.


Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Please run an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/virusscanner) as instructed in the screenshot here (http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif). If you get a message that latest Java must be installed "enable" the Java add-ons in IE7. Do that using "manage add-ons" from the IE7 toolbar.


Post back its report, a dds.txt log and above mentioned ComboFix resultant log.
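As an added example (not code from the thread, from DDS or from ComboFix), a small Python triage script that parses the add-on lines of a DDS "Pseudo HJT Report", flags the entries whose target is "No File" or missing entirely, and emits them as the DDS:: block of a CFScript, the same selection the helper made by hand above. The sample lines are constructed in the shape of the dds.txt log above, and the AddonEntry, parse_report and render_dds_block names are my own.

```python
"""
Triage helper for the "Pseudo HJT Report" section of a dds.txt log.

Added example, not code from the thread or from the DDS/ComboFix tools:
it parses the browser add-on entries (uURLSearchHooks, BHO, TB, EB),
flags the orphaned ones whose target is "No File" or absent, and renders
them as the DDS:: block of a CFScript.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Add-on entry kinds that DDS prints as "<kind>: [name:] {CLSID} - target".
ADDON_KINDS = ("uURLSearchHooks", "BHO", "TB", "EB")
ENTRY_RE = re.compile(r"^(?P<kind>" + "|".join(ADDON_KINDS) + r"): (?P<body>.*)$")
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

# Constructed sample in the shape of the dds.txt above (not the user's full log).
SAMPLE_DDS = """\
uURLSearchHooks: H - No File
uURLSearchHooks: MyPlayCity Toolbar: {4724c5d8-dfa7-417a-a2f5-1eabfee9b4ac} - c:\\program files\\myplaycity\\tbMyP1.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\\program files\\adobe\\acrobat 7.0\\activex\\AcroIEHelper.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: MSTBR: {10ca15ea-c0a5-7caf-b9e9-b8b2a87efe11} -
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [CTFMON.EXE] c:\\windows\\system32\\ctfmon.exe
"""


@dataclass
class AddonEntry:
    kind: str
    name: Optional[str]
    guid: Optional[str]
    target: str
    raw: str

    @property
    def orphaned(self) -> bool:
        # DDS prints "No File" when the registered DLL is gone from disk, and
        # nothing at all when the CLSID itself is not registered; both are dead
        # registrations that a CFScript DDS:: block tells ComboFix to drop.
        return self.target == "" or self.target.lower() == "no file"


def parse_entry(line: str) -> Optional[AddonEntry]:
    """Parse one report line; returns None for lines that are not add-on entries."""
    m = ENTRY_RE.match(line.rstrip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    g = GUID_RE.search(body)
    if g:
        name = body[:g.start()].strip().rstrip(":").strip() or None
        guid = g.group(0)
        tail = body[g.end():].strip()  # "- target", "- No File" or a bare "-"
        target = tail[1:].strip() if tail.startswith("-") else tail
    else:
        # No CLSID at all, e.g. "uURLSearchHooks: H - No File"
        left, _, right = body.partition(" - ")
        name, guid, target = left.strip() or None, None, right.strip()
    return AddonEntry(kind, name, guid, target, line.rstrip())


def parse_report(text: str) -> List[AddonEntry]:
    """Collect the add-on entries from a whole Pseudo HJT Report section."""
    entries = []
    for line in text.splitlines():
        e = parse_entry(line)
        if e is not None:
            entries.append(e)
    return entries


def render_dds_block(entries: List[AddonEntry]) -> str:
    """Render the orphaned entries as a CFScript DDS:: block.

    The lines are copied verbatim because ComboFix matches them as written.
    """
    lines = ["DDS::"] + [e.raw for e in entries if e.orphaned]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = parse_report(SAMPLE_DDS)
    for e in found:
        flag = "ORPHAN" if e.orphaned else "ok    "
        print(f"{flag} {e.kind:16} {e.name or '-':28} {e.guid or '-'}")
    print()
    print(render_dds_block(found))
```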

folmere
2009-03-11, 14:42
Hi

I have attached the 3 files, but the Kaspersky scan is only of my documents and settings. I have run it twice and each time after about 2 hours and over 95000 files scanned, it stops. The error at the bottom left corner says that JVM stopped abruptly.

ComboFix Log

ComboFix 09-03-06.02 - Erica 2009-03-10 17:12:17.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1043.18.511.236 [GMT 1:00]
Gestart vanuit: c:\documents and settings\Erica\Bureaublad\ComboFix.exe
gebruikte Opdracht switches :: c:\documents and settings\Erica\Bureaublad\CFScript.txt
AV: AVG 7.5.557 *On-access scanning disabled* (Updated)
* Nieuw herstelpunt werd aangemaakt
.

(((((((((((((((((((( Bestanden Gemaakt van 2009-02-10 to 2009-03-10 ))))))))))))))))))))))))))))))
.

2009-03-10 17:09 . 2009-03-10 17:09 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2009-03-10 16:48 . 2009-03-10 16:48 2,560 --a------ c:\windows\_MSRSTRT.EXE
2009-03-07 17:14 . 2009-03-07 17:14 <DIR> d-------- c:\program files\MyPlayCity
2009-03-07 17:14 . 2009-03-07 17:14 <DIR> d-------- c:\program files\Conduit
2009-03-07 17:14 . 2009-03-07 17:14 <DIR> d-------- c:\documents and settings\All Users\Application Data\DivoGames
2009-03-04 13:36 . 2009-03-04 13:36 <DIR> d-------- c:\program files\Tools
2009-03-04 10:30 . 2009-03-04 10:30 <DIR> d-------- c:\program files\Trend Micro
2009-02-22 15:42 . 2009-02-22 15:42 0 --a------ c:\windows\nsreg.dat

.
((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-10 16:05 --------- d-----w c:\program files\Common Files\Adobe
2009-03-09 18:44 --------- d-----w c:\program files\Java
2009-03-09 18:38 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-09 18:38 --------- d-----w c:\program files\Eset
2009-03-09 18:32 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-09 18:31 --------- d-----w c:\documents and settings\Erica\Application Data\Lavasoft
2009-03-07 16:12 --------- d-----w c:\program files\Games
2009-03-05 16:23 --------- d-----w c:\documents and settings\All Users\Application Data\Avg7
2009-02-21 12:21 --------- d-----w c:\documents and settings\Erica\Application Data\AVG7
2009-02-12 19:54 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-02-10 08:09 2,516 -csha-w c:\windows\system32\KGyGaAvL.sys
2008-12-20 23:03 826,368 ----a-w c:\windows\system32\wininet.dll
2008-07-20 12:10 47,360 -c--a-w c:\documents and settings\Erica\Application Data\pcouffin.sys
2007-12-19 19:58 32 -c--a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2008-08-26 19:28 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\Geschiedenis\History.IE5\MSHist012008082620080827\index.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-03-09_20.42.24.45 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-03-10 15:48:12 2,560 ----a-w c:\windows\_MSRSTRT.EXE
+ 2005-10-20 11:02:28 163,328 ----a-w c:\windows\ERDNT\AutoBackup\10-3-2009\ERDNT.EXE
+ 2009-03-10 15:34:59 8,294,400 ----a-w c:\windows\ERDNT\AutoBackup\10-3-2009\Users\00000001\NTUSER.DAT
+ 2009-03-10 15:35:00 184,320 ----a-w c:\windows\ERDNT\AutoBackup\10-3-2009\Users\00000002\UsrClass.dat
+ 2007-12-12 14:06:42 295,606 ----a-r c:\windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe
- 2009-03-09 19:36:14 226,131 ----a-w c:\windows\system32\inetsrv\MetaBase.bin
+ 2009-03-10 15:49:57 226,125 ----a-w c:\windows\system32\inetsrv\MetaBase.bin
+ 2009-03-10 15:49:51 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_734.dat
.
((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{4724c5d8-dfa7-417a-a2f5-1eabfee9b4ac}"= "c:\program files\MyPlayCity\tbMyP1.dll" [2009-03-07 1883672]

[HKEY_CLASSES_ROOT\clsid\{4724c5d8-dfa7-417a-a2f5-1eabfee9b4ac}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4724c5d8-dfa7-417a-a2f5-1eabfee9b4ac}]
2009-03-07 17:15 1883672 --a------ c:\program files\MyPlayCity\tbMyP1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{4724c5d8-dfa7-417a-a2f5-1eabfee9b4ac}"= "c:\program files\MyPlayCity\tbMyP1.dll" [2009-03-07 1883672]

[HKEY_CLASSES_ROOT\clsid\{4724c5d8-dfa7-417a-a2f5-1eabfee9b4ac}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{4724C5D8-DFA7-417A-A2F5-1EABFEE9B4AC}"= "c:\program files\MyPlayCity\tbMyP1.dll" [2009-03-07 1883672]

[HKEY_CLASSES_ROOT\clsid\{4724c5d8-dfa7-417a-a2f5-1eabfee9b4ac}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"IncrediMail"="c:\progra~1\INCRED~1\bin\IncMail.exe" [1724-12-25 188459]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-05 68856]
"H/PC Connection Agent"="c:\progra~1\MI3AA1~1\wcescomm.exe" [2006-06-20 1207080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2003-08-06 114741]
"StorageGuard"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-13 155648]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-10-17 4800512]
"NeroCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Dell Photo AIO Printer 942"="c:\program files\Dell Photo AIO Printer 942\dlbubmgr.exe" [2004-08-31 294912]
"DellMCM"="c:\program files\Dell Photo AIO Printer 942\memcard.exe" [2004-07-27 262144]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-05-27 413696]
"USB Storage Toolbox"="c:\program files\USB Disk Win98 Driver\Res.EXE" [2005-09-14 65536]
"AVG7_CC"="c:\progra~1\Grisoft\AVG7\avgcc.exe" [2009-02-25 590848]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]
"AVG7_Run"="c:\progra~1\Grisoft\AVG7\avgw.exe" [2007-10-23 219136]

c:\documents and settings\Rosanna\Menu Start\Programma's\Opstarten\
Webshots.lnk - c:\program files\Webshots\Launcher.exe [2005-07-29 45056]

c:\documents and settings\Erica\Menu Start\Programma's\Opstarten\
ERUNT AutoBackup.lnk - c:\program files\Tools\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
Watch.lnk - c:\windows\twain_32\A4S2600X\WATCH.exe [2004-10-19 378368]
Webshots.lnk - c:\program files\Webshots\Launcher.exe [2005-07-29 45056]

c:\documents and settings\All Users\Menu Start\Programma's\Opstarten\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
NkbMonitor.exe.lnk - c:\program files\Nikon\PictureProject\NkbMonitor.exe [2005-06-29 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MSACM.CEGSM"= mobilev.acm

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft ActiveSync\\WCESCOMM.EXE"=
"c:\\Program Files\\Microsoft ActiveSync\\WCESMGR.EXE"=
"c:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Port Detective\\PBDClient.exe"=
"c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"21:TCP"= 21:TCP:*:Disabled:FTP Server
"20:TCP"= 20:TCP:*:Disabled:FTP Data

R2 Apache2.2;Apache2.2;c:\xampp\apache\bin\apache.exe [2007-03-05 16896]
R3 SFC4;SFC4;c:\windows\system32\drivers\sfc4.sys [2004-10-19 41472]
S3 DbgProxy;Visual Studio Debugger Proxy Service;c:\program files\Microsoft Visual Studio.NET\Common7\Packages\Debugger\dbgproxy.exe --> c:\program files\Microsoft Visual Studio.NET\Common7\Packages\Debugger\dbgproxy.exe [?]
S3 MRVW225;802.11g/b Wireless LAN Dirver for Windows XP;c:\windows\system32\drivers\MRVW225.sys [2007-07-29 299904]
S3 OM2800;TRUST 380 USB2 SPACEC@M;c:\windows\system32\drivers\OVTCAM2.SYS [2004-10-19 250343]
S3 ZDCndis5;ZDCndis5 Protocol Driver;\??\c:\windows\system32\ZDCndis5.SYS --> c:\windows\system32\ZDCndis5.SYS [?]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3ead6d2a-6c3b-11dd-be85-000cf1d6c891}]
\Shell\AutoRun\command - F:\InstallTomTomHOME.exe
.
Inhoud van de 'Gedeelde Taken' map

2008-06-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]
.
- - - - ORPHANS VERWIJDERD - - - -

HKCU-Run-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe


.
------- Bijkomende Scan -------
.
uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT1392740
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}
mSearch Bar =
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: &Add animation to IncrediMail Style Box - c:\progra~1\INCRED~1\bin\resources\WebMenuImg.htm
DPF: {003FADA5-8FEE-11D6-AFB7-0004768F6183} - hxxps://www.p3.postbank.nl/sesam/CAX.cab
DPF: {91F52A42-C10D-49A7-B941-882C657C604F} - hxxp://kitcentral.wanadoo.nl/download/install/win32/nl/instwact/instwact.dll
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-10 17:18:42
Windows 5.1.2600 Service Pack 3 NTFS

scannen van verborgen processen ...

scannen van verborgen autostart items ...

scannen van verborgen bestanden ...

Scan succesvol afgerond
verborgen bestanden: 0

**************************************************************************
.
--------------------- VERGRENDELDE REGISTER SLEUTELS ---------------------

[HKEY_USERS\S-1-5-21-1177238915-1060284298-725345543-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
Voltooingstijd: 2009-03-10 17:25:39
ComboFix-quarantined-files.txt 2009-03-10 16:25:36
ComboFix2.txt 2009-03-09 19:44:31

Pre-Run: 66.869.252.096 bytes beschikbaar
Post-Run: 66,893,533,184 bytes beschikbaar

162 --- E O F --- 2009-02-25 11:46:50


Kaspersky scan

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Wednesday, March 11, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Wednesday, March 11, 2009 11:40:34
Records in database: 1888936
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - Folder:
C:\Documents and Settings

Scan statistics:
Files scanned: 32436
Threat name: 6
Infected objects: 20
Suspicious objects: 0
Duration of the scan: 00:32:03


File name / Threat name / Threats count
C:\Documents and Settings\Erica\Application Data\Sun\Java\Deployment\cache\6.0\41\49fe2029-6782dfaf Infected: Trojan-Downloader.Java.OpenStream.c 1
C:\Documents and Settings\Erica\Application Data\Sun\Java\Deployment\cache\6.0\60\53c9283c-75b4caf3 Infected: Exploit.Java.ByteVerify 2
C:\Documents and Settings\Rosanna\Application Data\Sun\Java\Deployment\cache\6.0\20\2f39d394-2331c4e9 Infected: Exploit.Java.ByteVerify 2
C:\Documents and Settings\Rosanna\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-5f22f99-2e0d3f17.zip Infected: Exploit.Java.ByteVerify 2
C:\Documents and Settings\Rosanna\Mijn documenten\Mijn muziek\John_Mayer-Where_The_Light_Is-(Live)-2CD-2008-DV8\000-john_mayer-where_the_light_is-(live)-2cd -2008.nfo.exe Infected: not-a-virus:Server-Proxy.Win32.3proxy.af 1
C:\Documents and Settings\Rosanna\Mijn documenten\Mijn muziek\John_Mayer-Where_The_Light_Is-(Live)-2CD-2008-DV8\000-john_mayer-where_the_light_is-(live)-2cd -2008.nfo.exe Infected: Trojan-Downloader.Win32.Zlob.tah 1
C:\Documents and Settings\Rosanna\Mijn documenten\Mijn muziek\John_Mayer-Where_The_Light_Is-(Live)-2CD-2008-DV8\000-john_mayer-where_the_light_is-(live)-2cd -2008.nfo.exe Infected: Trojan.Win32.Monderc.gen 1
C:\Documents and Settings\Rosanna\Mijn documenten\Mijn muziek\John_Mayer-Where_The_Light_Is-(Live)-2CD-2008-DV8\000-john_mayer-where_the_light_is-(live)-2cd-2008.m3u.exe Infected: not-a-virus:Server-Proxy.Win32.3proxy.af 1
C:\Documents and Settings\Rosanna\Mijn documenten\Mijn muziek\John_Mayer-Where_The_Light_Is-(Live)-2CD-2008-DV8\000-john_mayer-where_the_light_is-(live)-2cd-2008.m3u.exe Infected: Trojan-Downloader.Win32.Zlob.tah 1
C:\Documents and Settings\Rosanna\Mijn documenten\Mijn muziek\John_Mayer-Where_The_Light_Is-(Live)-2CD-2008-DV8\000-john_mayer-where_the_light_is-(live)-2cd-2008.m3u.exe Infected: Trojan.Win32.Monderc.gen 1
C:\Documents and Settings\Rosanna\Mijn documenten\Mijn muziek\John_Mayer-Where_The_Light_Is-(Live)-2CD-2008-DV8\000-john_mayer-where_the_light_is-(live)-2cd-2008.sfv.exe Infected: not-a-virus:Server-Proxy.Win32.3proxy.af 1
C:\Documents and Settings\Rosanna\Mijn documenten\Mijn muziek\John_Mayer-Where_The_Light_Is-(Live)-2CD-2008-DV8\000-john_mayer-where_the_light_is-(live)-2cd-2008.sfv.exe Infected: Trojan-Downloader.Win32.Zlob.tah 1
C:\Documents and Settings\Rosanna\Mijn documenten\Mijn muziek\John_Mayer-Where_The_Light_Is-(Live)-2CD-2008-DV8\000-john_mayer-where_the_light_is-(live)-2cd-2008.sfv.exe Infected: Trojan.Win32.Monderc.gen 1
C:\Documents and Settings\Rosanna\Mijn documenten\Mijn muziek\John_Mayer-Where_The_Light_Is-(Live)-2CD-2008-DV8\Where The Light Is (Bonus Tracks).exe Infected: not-a-virus:Server-Proxy.Win32.3proxy.af 1
C:\Documents and Settings\Rosanna\Mijn documenten\Mijn muziek\John_Mayer-Where_The_Light_Is-(Live)-2CD-2008-DV8\Where The Light Is (Bonus Tracks).exe Infected: Trojan-Downloader.Win32.Zlob.tah 1
C:\Documents and Settings\Rosanna\Mijn documenten\Mijn muziek\John_Mayer-Where_The_Light_Is-(Live)-2CD-2008-DV8\Where The Light Is (Bonus Tracks).exe Infected: Trojan.Win32.Monderc.gen 1
C:\Documents and Settings\Rosanna\Shared\Top of Charts - 2005.wma Infected: Trojan-Downloader.WMA.Wimad.c 1

The selected area was scanned.


dds.txt



DDS (Ver_09-02-01.01) - NTFSx86
Run by Erica at 13:35:10,64 on wo 11-03-2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.31.1043.18.511.291 [GMT 1:00]

AV: AVG 7.5.557 *On-access scanning disabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell Photo AIO Printer 942\dlbubmgr.exe
C:\Program Files\Dell Photo AIO Printer 942\memcard.exe
C:\Program Files\Dell Photo AIO Printer 942\dlbubmon.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\USB Disk Win98 Driver\Res.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\MI3AA1~1\wcescomm.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\WINDOWS\twain_32\A4S2600X\WATCH.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Erica\Bureaublad\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.nl/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}
mSearch Bar =
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: H - No File
uURLSearchHooks: MyPlayCity Toolbar: {4724c5d8-dfa7-417a-a2f5-1eabfee9b4ac} - c:\program files\myplaycity\tbMyP1.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: MyPlayCity Toolbar: {4724c5d8-dfa7-417a-a2f5-1eabfee9b4ac} - c:\program files\myplaycity\tbMyP1.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: MyPlayCity Toolbar: {4724c5d8-dfa7-417a-a2f5-1eabfee9b4ac} - c:\program files\myplaycity\tbMyP1.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [IncrediMail] c:\progra~1\incred~1\bin\IncMail.exe /c
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [H/PC Connection Agent] "c:\progra~1\mi3aa1~1\wcescomm.exe"
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [StorageGuard] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NeroCheck] c:\windows\system32\NeroCheck.exe
mRun: [Dell Photo AIO Printer 942] "c:\program files\dell photo aio printer 942\dlbubmgr.exe"
mRun: [DellMCM] "c:\program files\dell photo aio printer 942\memcard.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [USB Storage Toolbox] c:\program files\usb disk win98 driver\Res.EXE
mRun: [AVG7_CC] c:\progra~1\grisoft\avg7\avgcc.exe /STARTUP
mRun: [SunJavaUpdateSched] c:\program files\java\jre6\bin\jusched.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [AVG7_Run] c:\progra~1\grisoft\avg7\avgw.exe /RUNONCE
StartupFolder: c:\docume~1\erica\menust~1\progra~1\opstar~1\erunta~1.lnk - c:\program files\tools\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\erica\menust~1\progra~1\opstar~1\watch.lnk - c:\windows\twain_32\a4s2600x\WATCH.exe
StartupFolder: c:\docume~1\erica\menust~1\progra~1\opstar~1\webshots.lnk - c:\program files\webshots\Launcher.exe
StartupFolder: c:\docume~1\alluse~1\menust~1\progra~1\opstar~1\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\menust~1\progra~1\opstar~1\nkbmon~1.lnk - c:\program files\nikon\pictureproject\NkbMonitor.exe
IE: &Add animation to IncrediMail Style Box - c:\progra~1\incred~1\bin\resources\WebMenuImg.htm
IE: {2D663D1A-8670-49D9-A1A5-4C56B4E14E84}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
DPF: {003FADA5-8FEE-11D6-AFB7-0004768F6183} - hxxps://www.p3.postbank.nl/sesam/CAX.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5036.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {91F52A42-C10D-49A7-B941-882C657C604F} - hxxp://kitcentral.wanadoo.nl/download/install/win32/nl/instwact/instwact.dll
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} - hxxp://www2.incredimail.com/contents/setup/downloader/imloader.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath -

============= SERVICES / DRIVERS ===============

R1 Avg7Core;AVG7 Kernel;c:\windows\system32\drivers\avg7core.sys [2007-3-21 821856]
R1 Avg7RsW;AVG7 Wrap Driver;c:\windows\system32\drivers\avg7rsw.sys [2007-3-21 4224]
R1 Avg7RsXP;AVG7 Resident Driver XP;c:\windows\system32\drivers\avg7rsxp.sys [2007-3-21 27776]
R1 AvgClean;AVG7 Clean Driver;c:\windows\system32\drivers\avgclean.sys [2007-3-21 10760]
R2 Avg7Alrt;AVG7 Alert Manager Server;c:\progra~1\grisoft\avg7\avgamsvr.exe [2007-3-21 418816]
R2 Avg7UpdSvc;AVG7 Update Service;c:\progra~1\grisoft\avg7\avgupsvc.exe [2007-3-21 49664]
R2 AVGEMS;AVG E-mail Scanner;c:\progra~1\grisoft\avg7\avgemc.exe [2007-3-21 406528]
R2 AvgTdi;AVG Network Redirector;c:\windows\system32\drivers\avgtdi.sys [2007-3-21 4960]
R3 SFC4;SFC4;c:\windows\system32\drivers\sfc4.sys [2004-10-19 41472]
S2 Apache2.2;Apache2.2;"c:\xampp\apache\bin\apache.exe" -k runservice --> c:\xampp\apache\bin\apache.exe [?]
S3 DbgProxy;Visual Studio Debugger Proxy Service;c:\program files\microsoft visual studio.net\common7\packages\debugger\dbgproxy.exe --> c:\program files\microsoft visual studio.net\common7\packages\debugger\dbgproxy.exe [?]
S3 MRVW225;802.11g/b Wireless LAN Dirver for Windows XP;c:\windows\system32\drivers\MRVW225.sys [2007-7-29 299904]
S3 OM2800;TRUST 380 USB2 SPACEC@M;c:\windows\system32\drivers\OVTCAM2.SYS [2004-10-19 250343]
S3 ZDCndis5;ZDCndis5 Protocol Driver;\??\c:\windows\system32\zdcndis5.sys --> c:\windows\system32\ZDCndis5.SYS [?]

=============== Created Last 30 ================

2009-03-10 16:48 2,560 a------- c:\windows\_MSRSTRT.EXE
2009-03-09 20:12 <DIR> a-dshr-- C:\cmdcons
2009-03-09 20:09 161,792 a------- c:\windows\SWREG.exe
2009-03-09 20:09 98,816 a------- c:\windows\sed.exe
2009-03-07 17:14 <DIR> --d----- c:\docume~1\alluse~1\applic~1\DivoGames
2009-03-07 17:14 <DIR> --d----- c:\program files\Conduit
2009-03-07 17:14 <DIR> --d----- c:\program files\MyPlayCity
2009-03-04 13:36 <DIR> --d----- c:\program files\Tools
2009-03-04 10:30 <DIR> --d----- c:\program files\Trend Micro

==================== Find3M ====================

2009-02-10 09:09 2,516 ac-sh--- c:\windows\system32\KGyGaAvL.sys
2008-12-21 00:03 826,368 a------- c:\windows\system32\wininet.dll
2008-07-20 13:10 47,360 ac------ c:\docume~1\erica\applic~1\pcouffin.sys
2007-12-19 20:58 32 ac------ c:\docume~1\alluse~1\applic~1\ezsid.dat
2008-08-26 20:28 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\geschiedenis\history.ie5\mshist012008082620080827\index.dat

============= FINISH: 13:36:24,57 ===============

Blade81
2009-03-11, 18:21
Hi again,


Open notepad and copy/paste the text in the quotebox below into it:



DDS::
mSearch Bar =
uURLSearchHooks: H - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

File::
C:\Documents and Settings\Erica\Application Data\Sun\Java\Deployment\cache\6.0\41\49fe2029-6782dfaf
C:\Documents and Settings\Erica\Application Data\Sun\Java\Deployment\cache\6.0\60\53c9283c-75b4caf3
C:\Documents and Settings\Rosanna\Application Data\Sun\Java\Deployment\cache\6.0\20\2f39d394-2331c4e9
C:\Documents and Settings\Rosanna\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-5f22f99-2e0d3f17.zip
C:\Documents and Settings\Rosanna\Mijn documenten\Mijn muziek\John_Mayer-Where_The_Light_Is-(Live)-2CD-2008-DV8\000-john_mayer-where_the_light_is-(live)-2cd -2008.nfo.exe
C:\Documents and Settings\Rosanna\Mijn documenten\Mijn muziek\John_Mayer-Where_The_Light_Is-(Live)-2CD-2008-DV8\000-john_mayer-where_the_light_is-(live)-2cd-2008.m3u.exe
C:\Documents and Settings\Rosanna\Mijn documenten\Mijn muziek\John_Mayer-Where_The_Light_Is-(Live)-2CD-2008-DV8\000-john_mayer-where_the_light_is-(live)-2cd-2008.sfv.exe
C:\Documents and Settings\Rosanna\Mijn documenten\Mijn muziek\John_Mayer-Where_The_Light_Is-(Live)-2CD-2008-DV8\Where The Light Is (Bonus Tracks).exe
C:\Documents and Settings\Rosanna\Shared\Top of Charts - 2005.wma



Save this as CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Make sure you have all browser windows closed (including this one) and then, referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log & a fresh dds.txt log.


Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager (press Ctrl, Alt and Del at the same time), go to the Processes tab and end any processes of findstr, find, sed or swreg; then Combofix should continue.
If that happened we want to know, and also what process you had to end.


Please try the Kaspersky online scanner again after doing the following two things first:
1) defrag your hard drive
2) disable AVG and keep it disabled during Kaspersky run.

folmere
2009-03-13, 13:50
Hi Blade

I haven't followed your steps above as yet, as I now have a bigger problem. Somehow during the process of us trying to fix the homepage problem (which is fixed), I now have what looks like the Vundo virus. I expect that this might have happened during the Kaspersky online scan, where my own antivirus (AVG 7.5) had to be disabled.

My problems now are:
1) On startup I get an error from RunDll that c:\windows\system32\sxqsmknq.dll cannot be found
2) Can't do automatic updates, also not via the services (Error 1058)
3) IE opens on its own with e.g. "http://85.12.43.105/go/?cmp=gmail&uid=2DAAF90A0E3B11DEBC3A158617CFFFFF&rid=zdez&guid=5877C652F93F407086E4A1AB86FBF81D&affid=158617&lid=http&url=http:%2F%2Fforums.spybot.info%2Fnewreply.php%3Fdo=newreply%26noquote=1%26p=296652&v=1176&m=an2g&rv=10790" - The IP address is always the same
4) other IE pages open with advertising stuff
5) Dummy malware and virus threats
6) It seems to want to take over my browser (occasionally flickers from active to inactive)

Steps that I have taken since then:
1) Upgraded AVG from 7.5 to 8.5 (which has since then found Trojans and Vundo and has moved them to the vault)
2) installed and ran spybot 1.6
3) Installed and scanned the registry, defrag the registry, cleaned and defrag my hard drive (all with Auslogic)
4) Scanned the system with the Symantec fix for Vundo 1.5.1 and found 1 error and fixed it.

Regarding the problem on automatic updates; I have sent an email to Microsoft and they will apparently reply and help within 1 day.

One thing I noticed is that I think that the Combofix icon is changed. I think that when I installed it, it was a big C and now is still a red circle but with a different white something? on top.

How do you want me to proceed?

Blade81
2009-03-13, 17:51
Hi

Let's still use those instructions in my previous post and then take further action if needed :)

folmere
2009-03-15, 14:50
Hi Blade

Microsoft's solution didn't work. Live OneCare couldn't remove all the problems in the system32 folder. I googled further and on one forum came across a solution of installing and running from www.malwarebytes.org. I installed, ran the scanner, and it found and removed the Vundo.Gen!BB. Thereafter I could activate my automatic updates and all is working 100% now.

I have uninstalled Combofix with Run ==> combofix /u

Thanks for your help. You may close this thread

Blade81
2009-03-15, 18:12
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help. :)

Note: If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than four days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.