I recently downloaded a file, and that file downloaded viruses and trojans. I reformatted my HD and reinstalled Windows, but in the Documents and Settings directory there were still the directories LocalService and NetworkService, which start a process named svchost.exe under the usernames NetworkService and LocalService. I've tried many things to delete those directories, but each time they are replaced immediately. I just scanned with Dr. Web and it found A0016368.dll and A0049118.exe in C:\System Volume Information\_restore, which it deleted. But those svchost.exe processes are still started. Please help me!
These are the files that are in use in the directories:
http://img183.imageshack.us/img183/5035/spyware6fj.jpg
Here's my HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 21:35:23, on 19/06/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINXP\System32\smss.exe
C:\WINXP\system32\winlogon.exe
C:\WINXP\system32\services.exe
C:\WINXP\system32\lsass.exe
C:\WINXP\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINXP\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINXP\system32\spoolsv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\WINXP\system32\nvsvc32.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\WINXP\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
C:\Program Files\D-Tools\daemon.exe
C:\WINXP\SOUNDMAN.EXE
C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe
C:\Program Files\Applications\SpywareGuard\sgmain.exe
C:\Program Files\Applications\SpywareGuard\sgbhp.exe
C:\WINXP\system32\wuauclt.exe
C:\WINXP\system32\wuauclt.exe
C:\Downloads\Applications\Spyware\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://companyweb
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Applications\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\Applications\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033 -lock
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINXP\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINXP\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\Applications\SpywareGuard\sgmain.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\Applications\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Ontvang alles met FlashGet - C:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: Ontvang met FlashGet - C:\PROGRA~1\FlashGet\jc_link.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\Applications\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\npjpi150_07.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\npjpi150_07.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://companyweb
O15 - Trusted Zone: *.gmail.com
O15 - Trusted Zone: http://www.peid.tk
O15 - Trusted Zone: http://www.peidforums.tk
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1142811761343
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Waalen-Ansems.local
O17 - HKLM\Software\..\Telephony: DomainName = Waalen-Ansems.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{EB028783-0D5D-4D49-96F9-8346913B3761}: NameServer = 10.0.29.101,10.0.29.138
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Waalen-Ansems.local
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = Waalen-Ansems.local
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: NavLogon - C:\WINXP\system32\NavLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINXP\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
And here is my Panda ActiveScan log:
Incident Status Location
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\thijs\Cookies\thijs@ad.yieldmanager[1].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\thijs\Cookies\thijs@ad.yieldmanager[2].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\thijs\Cookies\thijs@ad.yieldmanager[3].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\thijs\Cookies\thijs@ad.yieldmanager[4].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\thijs\Cookies\thijs@ad.yieldmanager[5].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\thijs\Cookies\thijs@ad.yieldmanager[6].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\thijs\Cookies\thijs@burstnet[1].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\thijs\Cookies\thijs@burstnet[2].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\thijs\Cookies\thijs@burstnet[3].txt
Spyware:Cookie/GoStats Not disinfected C:\Documents and Settings\thijs\Cookies\thijs@c2.gostats[2].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\thijs\Cookies\thijs@cgi-bin[2].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\thijs\Cookies\thijs@com[1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\thijs\Cookies\thijs@com[2].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\thijs\Cookies\thijs@com[3].txt
Spyware:Cookie/360i Not disinfected C:\Documents and Settings\thijs\Cookies\thijs@ct.360i[1].txt
Spyware:Cookie/fe.lea.lycos Not disinfected C:\Documents and Settings\thijs\Cookies\thijs@fe.lea.lycos[1].txt
Spyware:Cookie/Kmpads Not disinfected C:\Documents and Settings\thijs\Cookies\thijs@kmpads[2].txt
Spyware:Cookie/Mp3search Not disinfected C:\Documents and Settings\thijs\Cookies\thijs@mp3search[2].txt
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\thijs\Cookies\thijs@searchportal.information[1].txt
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\thijs\Cookies\thijs@searchportal.information[2].txt
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\thijs\Cookies\thijs@searchportal.information[3].txt
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\thijs\Cookies\thijs@searchportal.information[4].txt
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\thijs\Cookies\thijs@searchportal.information[5].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\thijs\Cookies\thijs@statcounter[1].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\thijs\Cookies\thijs@statcounter[2].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\thijs\Cookies\thijs@statcounter[3].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\thijs\Cookies\thijs@statcounter[4].txt
Spyware:Cookie/Tucows Not disinfected C:\Documents and Settings\thijs\Cookies\thijs@tucows[1].txt
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\thijs\Cookies\thijs@www.burstbeacon[1].txt
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\thijs\Cookies\thijs@xiti[1].txt
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\thijs\Cookies\thijs@xiti[2].txt
Spyware:Cookie/Yadro Not disinfected C:\Documents and Settings\thijs\Cookies\thijs@yadro[1].txt
Spyware:Cookie/Yadro Not disinfected C:\Documents and Settings\thijs\Cookies\thijs@yadro[2].txt
Spyware:Cookie/Yadro Not disinfected C:\Documents and Settings\thijs\Cookies\thijs@yadro[3].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Downloads\Applications\Spyware\SmitfraudFix\Process.exe
LonnyRJones
2006-06-23, 17:06
Welcome Th4K3y
You did search on the internet to find more information on ctfmon and svchost, I hope? Both are of course legit Windows files, and so is everything in those screenshots.
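The reply above is the standard answer: svchost.exe, LocalService and NetworkService are part of Windows. The two accounts are the built-in service accounts NT AUTHORITY\LocalService and NT AUTHORITY\NetworkService (well-known SIDs S-1-5-19 and S-1-5-20); services.exe starts svchost.exe instances under them, they get profile folders under Documents and Settings the first time they are used, and they are deliberately absent from the User Accounts applet. What a practitioner does check is where each svchost.exe image lives: the genuine one is always %SystemRoot%\System32\svchost.exe (C:\WINXP\System32 on this machine), while malware commonly copies itself as svchost.exe into another folder or uses a lookalike name. The following script is an added example, not code from this thread or from HijackThis: it parses the "Running processes" block of an HJT log, infers %SystemRoot% from the smss.exe entry, and flags core binaries outside their expected directory plus svchost.exe lookalikes. The embedded sample is a constructed excerpt; its last two process entries are invented for the demonstration and do not appear in the log posted above.

```python
"""Flag core Windows binaries in a HijackThis 'Running processes' list that do
not run from their expected location, plus svchost.exe lookalike names.

Added example for this thread, not HijackThis's own code. Paths are handled
with ntpath so the check runs on any OS.
"""
import ntpath
import re

# Directory, relative to %SystemRoot%, where each core XP binary lives.
# explorer.exe sits in %SystemRoot% itself; everything else in System32.
EXPECTED_SUBDIR = {
    "smss.exe": "system32",
    "csrss.exe": "system32",
    "winlogon.exe": "system32",
    "services.exe": "system32",
    "lsass.exe": "system32",
    "svchost.exe": "system32",
    "spoolsv.exe": "system32",
    "explorer.exe": "",
}

# HJT section lines such as "R1 - ", "O4 - ", "O23 - " end the process list.
SECTION_LINE = re.compile(r"^[A-Z]\d+ - ")


def parse_running_processes(hjt_text):
    """Return the full paths listed under 'Running processes:'."""
    procs, in_section = [], False
    for line in hjt_text.splitlines():
        line = line.strip()
        if line.lower() == "running processes:":
            in_section = True
            continue
        if in_section:
            if not line or SECTION_LINE.match(line):
                break
            procs.append(line)
    return procs


def edit_distance(a, b):
    """Levenshtein distance, used to catch svchost.exe lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_processes(hjt_text, system_root=None):
    """Return (path, reason) for every process that fails a check.

    system_root defaults to the directory two levels above smss.exe, which
    always lives in %SystemRoot%\\System32 and is listed first by HijackThis.
    """
    procs = parse_running_processes(hjt_text)
    if system_root is None:
        for p in procs:
            if ntpath.basename(p).lower() == "smss.exe":
                system_root = ntpath.dirname(ntpath.dirname(p))
                break
        else:
            raise ValueError("smss.exe not in process list; pass system_root explicitly")

    findings = []
    for path in procs:
        name = ntpath.basename(path).lower()
        actual_dir = ntpath.normpath(ntpath.dirname(path)).lower()
        if name in EXPECTED_SUBDIR:
            expected = ntpath.normpath(ntpath.join(system_root, EXPECTED_SUBDIR[name])).lower()
            if actual_dir != expected:
                findings.append((path, "runs from %s, expected %s" % (actual_dir, expected)))
        elif edit_distance(name, "svchost.exe") <= 2:
            findings.append((path, "name is a lookalike of svchost.exe"))
    return findings


# Constructed excerpt: the first eight process lines mirror the log in this
# thread; the last two are made-up suspicious entries that are NOT in the thread.
SAMPLE_HJT = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINXP\System32\smss.exe
C:\WINXP\system32\winlogon.exe
C:\WINXP\system32\services.exe
C:\WINXP\system32\lsass.exe
C:\WINXP\system32\svchost.exe
C:\WINXP\System32\svchost.exe
C:\WINXP\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Documents and Settings\NetworkService\svchost.exe
C:\WINXP\system32\scvhost.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://companyweb
"""

if __name__ == "__main__":
    for path, reason in check_processes(SAMPLE_HJT):
        print("SUSPICIOUS: %s (%s)" % (path, reason))
```

Run against the real log above, the script reports nothing: both svchost.exe entries come from C:\WINXP\System32, which is exactly the point of the reply. On the machine itself the same check is done with `tasklist /svc`, which lists the services each svchost.exe PID hosts, and with Process Explorer, which shows the image path and signer for each instance.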
I already knew they are Windows FILES, but those directories weren't there before I got infected, and they aren't on my father's PC or on my brother's.
And would you please have a look at my ComboFix log, because I think it has found something (could be wrong about that).
And do you know why I can't, even if I'm logged in as admin, access System Restore?
Oh yeah, and why are those directories in the Documents and Settings directory and have a user ID, but don't show up in the place where you can make users?
My ComboFix log:
Start Time= 27/06/2006 19:22:59.71
(((((((((((((((((((((((((((((((((((((((((((((((( Look2Me's Log )))))))))))))))))))))))))))))))))))))))))))))))))))))
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\crypt32chain
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cryptnet
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cscdll
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\NavLogon
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ScCertProp
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Schedule
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\sclgntfy
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\SensLogn
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\termsrv
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WgaLogon
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wlballoon
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wzcnotif
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\internet settings\user agent\post platform]
"sv1"=""
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shell extensions\approved]
"{00022613-0000-0000-C000-000000000046}"="Eigenschappenvenster van multimediabestand"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM-scannerbeheer"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="Het tabblad Beveiliging"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="Eigenschappenblad voor OLE-docbestand"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell-uitbreidingen voor delen"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Configuratiescherm-uitbreiding Beeldschermadapter"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Configuratiescherm-uitbreiding Monitor"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Configuratiescherm-uitbreiding Beeldscherm-panning"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="Het tabblad Beveiliging"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibiliteitspagina"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Knipselgegevensverwerker van shell"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Schijfkopieer-uitbreiding"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell-uitbreidingen voor Microsoft Windows Network-objecten"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM-monitorbeheer"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM-printerbeheer"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell-uitbreidingen voor bestandscompressie"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Shell-uitbreiding voor Web Printer"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Snelmenu Codering"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Werkmap"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal-pictogramuitbreiding"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC-profiel"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Het tabblad Beveiliging voor printers"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell-uitbreidingen voor delen"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO-extensie"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto-handtekeningextensie"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Netwerkverbindingen"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Netwerkverbindingen"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners en camera's"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners en camera's"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners en camera's"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners en camera's"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners en camera's"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell-uitbreidingen voor Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Geplande taken"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taakbalk en menu Start"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Zoeken"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help en ondersteuning"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help en ondersteuning"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Uitvoeren..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Lettertypen"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Systeembeheer"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet-werkbalk"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Downloadstatus"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Uitgebreide shell-map"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Uitgebreide shell-map 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft-browserbalk"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Zoekbalk"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Mediabalk"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="Zoeken binnen deelvenster"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Zoeken op het web"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Hulpprogramma met opties voor registerboomstructuur"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Adres"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoAanvullen"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU-lijst voor AutoAanvullen"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Aangepaste MRU-lijst voor AutoAanvullen"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Toegankelijk"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Pop-upbalk Volgen"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Parser voor adresbalk"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Lijst voor AutoAanvullen: Microsoft Geschiedenis"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Lijst voor AutoAanvullen: Microsoft Shell-map"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft-container met meervoudige lijst voor AutoAanvullen"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Sitemenu van shell-band"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="Gebruikersondersteuning"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Globale mapinstellingen"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url-geschiedenisservice"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="Geschiedenis"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Tijdelijke Internet-bestanden"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Tijdelijke Internet-bestanden"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url-zoeken Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite-welkomstscherm"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="Het Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer-band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="Cachemap van ActiveX"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Map met abonnementen"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Toepassingsbeheer"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Programma voor inventarisatie van geïnstalleerde toepassingen"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI- en bestandsextractieprogramma voor miniaturen"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Informatie over de handler voor miniatuurweergaven (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML-extractie voor miniatuurweergaven"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Wizard Webpublicaties"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Afdrukken via het web bestellen"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell-object voor publicatiewizard"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Wizard Passport"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="Gebruikersaccounts"
"{E88DCCE0-B7B3-11d1-A9F0-00AA0060FA31}"="Gecomprimeerde map"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Kanaal-bestand"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Kanaal-snelkoppeling"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Handler-object voor kanalen"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Map Off line bestanden"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="&Personen..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{21569614-B795-46b1-85F4-E737A8DC09AD}"="Shell Search Band"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{00020D75-0000-0000-C000-000000000046}"="Microsoft Office Outlook Desktop Icon Handler"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Office Outlook Custom Icon Handler"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{BDA77241-42F6-11d0-85E2-00AA001FE28C}"="LDVP Shell Extensions"
"{e82a2d71-5b2f-43a0-97b8-81be15854de8}"="ShellLink for Application References"
"{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75}"="Shell Icon Handler for Application References"
"{A70C977A-BF00-412C-90B7-034C51DA2439}"="NvCpl DesktopContext Class"
"{1CDB2949-8F65-4355-8456-263E7C208A5D}"="Desktop Explorer"
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}"="Desktop Explorer Menu"
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}"="nView Desktop Context Menu"
"{0561EC90-CE54-4f0c-9C55-E226110A740C}"="Haali Column Provider"
"{E4D8441D-F89C-4b5c-90AC-A857E1768F1F}"="Haali Matroska Thumbnail Exctractor"
"{00E7B358-F65B-4dcf-83DF-CD026B94BFD4}"="Autoplay for SlideShow"
"{EFA24E62-B078-11d0-89E4-00C04FC9E26E}"="History Band"
"{6DEA92E9-8682-4b6a-97DE-354772FE5727}"="Autodesk DWF Preview"
"{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}"="UnlockerShellExtension"
"{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}"="PowerISO"
"{81559C35-8464-49F7-BB0E-07A383BEF910}"="SpywareGuard"
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension"
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}"="Play on my TV helper"
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
My ComboFix log (continued):
REGISTRY ENTRIES REMOVED:
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
FILES REMOVED:
Granting sedebugprivilege to Administrators ... successful
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2006-06-26 22:12:12 81920 ( ....R ) "C:\WINXP\bwUnin-6.1.4.36-8876480L.exe"
2006-06-26 22:10:20 ( .D... ) "C:\Program Files\Common Files\Logitech"
2006-06-26 22:10:18 ( .D... ) "C:\Program Files\Logitech"
2006-06-23 19:47:00 ( .D... ) "C:\Program Files\Unreal Tournament 2000"
2006-06-23 17:49:04 ( .D... ) "C:\Program Files\Steam"
2006-06-20 23:03:08 ( .D... ) "C:\Program Files\PepiMK Software"
2006-06-20 23:02:54 ( .D... ) "C:\Program Files\Safer Networking"
2006-06-19 14:51:14 ( .D... ) "C:\Program Files\Windows Defender"
2006-06-19 13:31:20 ( .D... ) "C:\Documents and Settings\Thijs_ADM\Application Data\Sun"
2006-06-19 13:22:56 ( .D... ) "C:\Program Files\Java"
2006-06-19 13:21:26 ( .D... ) "C:\Program Files\Common Files\Java"
2006-06-10 13:56:50 ( .D... ) "C:\Program Files\SG Corp"
2006-06-09 03:19:50 5967776 ( A.... ) "C:\WINXP\system32\MRT.exe"
2006-06-05 17:19:50 ( .D... ) "C:\Documents and Settings\Thijs_ADM\Application Data\AdobeUM"
2006-06-05 17:16:20 869 ( A.... ) "C:\Documents and Settings\Thijs_ADM\Application Data\AdobeDLM.log"
2006-06-05 17:16:20 0 ( A.... ) "C:\Documents and Settings\Thijs_ADM\Application Data\dm.ini"
2006-06-05 17:11:28 ( .D... ) "C:\Documents and Settings\Thijs_ADM\Application Data\InterTrust"
2006-06-02 13:39:54 579888 ( A.... ) "C:\WINXP\system32\LegitCheckControl.dll"
2006-06-02 13:39:46 402736 ( ..... ) "C:\WINXP\system32\WgaLogon.dll"
2006-06-02 13:39:46 286000 ( ..... ) "C:\WINXP\system32\WgaTray.exe"
2006-06-01 23:54:58 ( .D... ) "C:\Program Files\Spyware Doctor"
2006-06-01 23:42:04 ( .D... ) "C:\Documents and Settings\Thijs_ADM\Application Data\Webroot"
2006-06-01 23:33:34 ( .D... ) "C:\Program Files\Lavasoft"
2006-06-01 22:18:32 14048 ( ..... ) "C:\WINXP\system32\spmsg.dll"
2006-06-01 20:49:44 163840 ( A.... ) "C:\WINXP\system32\jgdw400.dll"
2006-06-01 20:49:44 27648 ( A.... ) "C:\WINXP\system32\jgpl400.dll"
2006-05-29 17:32:20 1494016 ( A.... ) "C:\WINXP\system32\shdocvw.dll"
2006-05-24 22:22:18 ( .D... ) "C:\Documents and Settings\Thijs_ADM\Application Data\PC Tools"
2006-05-23 16:25:52 ( .D... ) "C:\Program Files\America's Army"
2006-05-19 17:10:26 3073536 ( A.... ) "C:\WINXP\system32\mshtml.dll"
2006-05-18 13:14:24 18359 ( A.... ) "C:\WINXP\system32\Ntaccess.sys"
2006-05-18 13:14:24 18359 ( A.... ) "C:\WINXP\system32\Ntaccess.sys"
2006-05-18 07:41:42 450560 ( A.... ) "C:\WINXP\system32\jscript.dll"
2006-05-16 21:24:54 356352 ( A.... ) "C:\WINXP\eSellerateEngine.dll"
2006-05-14 10:52:36 181248 ( A.... ) "C:\WINXP\system32\rasmans.dll"
2006-05-11 10:57:48 25600 ( A.... ) "C:\WINXP\system32\xpsp3res.dll"
2006-05-10 07:25:26 661504 ( A.... ) "C:\WINXP\system32\wininet.dll"
2006-05-10 07:25:26 615424 ( A.... ) "C:\WINXP\system32\urlmon.dll"
2006-05-10 07:25:26 532480 ( A.... ) "C:\WINXP\system32\mstime.dll"
2006-05-10 07:25:26 474624 ( A.... ) "C:\WINXP\system32\shlwapi.dll"
2006-05-10 07:25:26 39424 ( A.... ) "C:\WINXP\system32\pngfilt.dll"
2006-05-10 07:25:24 1057280 ( A.... ) "C:\WINXP\system32\danim.dll"
2006-05-10 07:25:24 1022976 ( A.... ) "C:\WINXP\system32\browseui.dll"
2006-05-10 07:25:24 448512 ( A.... ) "C:\WINXP\system32\mshtmled.dll"
2006-05-10 07:25:24 357888 ( A.... ) "C:\WINXP\system32\dxtmsft.dll"
2006-05-10 07:25:24 251392 ( A.... ) "C:\WINXP\system32\iepeers.dll"
2006-05-10 07:25:24 205312 ( A.... ) "C:\WINXP\system32\dxtrans.dll"
2006-05-10 07:25:24 151552 ( A.... ) "C:\WINXP\system32\cdfview.dll"
2006-05-10 07:25:24 146432 ( A.... ) "C:\WINXP\system32\msrating.dll"
2006-05-10 07:25:24 96768 ( A.... ) "C:\WINXP\system32\inseng.dll"
2006-05-10 07:25:24 55808 ( ..... ) "C:\WINXP\system32\extmgr.dll"
2006-05-10 07:25:24 16384 ( A.... ) "C:\WINXP\system32\jsproxy.dll"
2006-05-09 23:32:02 ( .D... ) "C:\Program Files\JFK Reloaded"
2006-05-08 21:53:32 ( .D... ) "C:\Program Files\Common Files\MAGIX Shared"
2006-05-07 02:26:04 95239 ( A.... ) "C:\WINXP\PixtopianBook Uninstaller.exe"
2006-05-06 23:01:46 ( .D... ) "C:\Program Files\Common Files\Autodesk Shared"
2006-05-06 23:01:38 ( .D... ) "C:\Program Files\Autodesk"
2006-05-06 19:21:22 ( .D... ) "C:\Documents and Settings\Thijs_ADM\Application Data\My Battle for Middle-earth(tm) II Files"
2006-05-06 15:06:12 49604 ( A.... ) "C:\WINXP\system32\RadLightOFRUninstall.exe"
2006-05-06 15:01:36 51600 ( A.... ) "C:\WINXP\system32\RadLightMPCUninstall.exe"
2006-05-06 15:00:32 33533 ( A.... ) "C:\WINXP\system32\CoreVorbis-uninstall.exe"
2006-05-06 14:50:18 ( .D... ) "C:\Documents and Settings\Thijs_ADM\Application Data\Real"
2006-05-06 14:31:12 ( .D... ) "C:\Program Files\DVBPortal"
2006-05-06 14:30:04 ( .D... ) "C:\Program Files\Codecs"
2006-05-06 14:05:04 ( .D... ) "C:\Documents and Settings\Thijs_ADM\Application Data\Media Player Classic"
2006-05-03 02:56:58 127078 ( A.... ) "C:\WINXP\system32\javaws.exe"
2006-05-03 01:19:40 53346 ( A.... ) "C:\WINXP\system32\javaw.exe"
2006-05-03 01:19:30 49248 ( A.... ) "C:\WINXP\system32\java.exe"
2006-05-01 01:24:12 ( .D... ) "C:\Documents and Settings\Thijs_ADM\Application Data\Help"
2006-04-29 06:07:48 5533696 ( A.... ) "C:\WINXP\system32\wmp.dll"
2006-04-06 10:54:38 73728 ( A.... ) "C:\WINXP\system32\asuninst.exe"
2006-03-20 01:34:26 11209 ( A..H. ) "C:\Program Files\folder.htt"
2006-03-20 01:34:26 266 ( ..SH. ) "C:\Program Files\desktop.ini"
((((((((((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries are not shown
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"vptray"="C:\\PROGRA~1\\SYMANT~1\\SYMANT~2\\VPTray.exe"
"DAEMON Tools-1033"="\"C:\\Program Files\\D-Tools\\daemon.exe\" -lang 1033 -lock"
"SoundMan"="SOUNDMAN.EXE"
"Synchronization Manager"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,\
73,74,65,6d,33,32,5c,6d,6f,62,73,79,6e,63,2e,65,78,65,20,2f,6c,6f,67,6f,6e,\
00
"NvCplDaemon"="RUNDLL32.EXE C:\\WINXP\\system32\\NvCpl.dll,NvStartup"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINXP\\system32\\NvMcTray.dll,NvTaskbarInit"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex]
"flags"=dword:00000008
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex\000]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoRemoteRecursiveEvents"=dword:00000001
"NoStrCmpLogical"=dword:00000001
"NoClose"=dword:00000000
"NoWelcomeScreen"="1"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"AWMON"="\"C:\\PROGRA~1\\Lavasoft\\AD-AWA~1\\Ad-Watch.exe\""
"SpybotSD TeaTimer"="C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispAppearancePage"=dword:00000000
"NoColorChoice"=dword:00000000
"NoDispBackgroundPage"=dword:00000000
"NoDispCPL"=dword:00000000
"NoDispSettingsPage"=dword:00000000
"NoDispScrSavPage"=dword:00000000
"NoVisualStyleChoice"=dword:00000000
"NoSizeChoice"=dword:00000000
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="Mijn huidige introductiepagina"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,c4,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,d2,03,00,00,23,00,00,00,1c,01,00,00,27,01,\
00,00,01,00,00,00
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Spyware Doctor"="\"C:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q"
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"Spyware Doctor"="\"C:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q"
[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Preloader van browseui"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Cache-daemon voor onderdeelcategorieën"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{81559C35-8464-49F7-BB0E-07A383BEF910}"="SpywareGuard"
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^Adobe Reader Speed Launch.lnk]
"path"="C:\\Documents and Settings\\All Users\\Menu Start\\Programma's\\Opstarten\\Adobe Reader Speed Launch.lnk"
"backup"="C:\\WINXP\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\APPLIC~1\\Adobe\\ACROBA~2.0\\Reader\\READER~1.EXE "
"item"="Adobe Reader Speed Launch"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="CloneCDTray"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\SlySoft\\CloneCD\\CloneCDTray.exe\" /s"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnlockerAssistant]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="UnlockerAssistant"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Applications\\Unlocker\\UnlockerAssistant.exe\""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"mi-raysat_3dsmax8"=dword:00000002
"MDM"=dword:00000002
"FileChecker"=dword:00000002
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SW24"="C:\\WINXP\\system32\\sw24.exe"
"SW20"="C:\\WINXP\\system32\\sw20.exe"
Contents of the 'Scheduled Tasks' folder
C:\WINXP\tasks\At1.job
C:\WINXP\tasks\MP Scheduled Scan.job
C:\WINXP\tasks\Symantec NetDetect.job
Completion time: 27/06/2006 22:36:57.18
ComboFix ver 06.06.19 - This logfile is located at C:\ComboFix.txt
LonnyRJones
2006-06-28, 03:30
Nothing in that log either, but these are odd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SW24"="C:\\WINXP\\system32\\sw24.exe"
"SW20"="C:\\WINXP\\system32\\sw20.exe"
Do those files exist?
LocalService and NetworkService exist here; possibly they are hidden on your father's and brother's PCs.
C:\Documents and Settings\NetworkService\Application Data (9/23/2004 11:17:21 PM)
C:\Documents and Settings\NetworkService\Cookies (7/30/2005 2:06:54 AM)
C:\Documents and Settings\NetworkService\Local Settings (9/23/2004 11:17:22 PM)
C:\Documents and Settings\NetworkService\NTUSER.DAT (768 KB, 6/27/2006 11:52:12 AM)
C:\Documents and Settings\NetworkService\ntuser.dat.LOG (1 KB, 6/27/2006 5:04:18 PM)
C:\Documents and Settings\NetworkService\ntuser.ini (1 KB, 9/23/2004 11:17:22 PM)
C:\Documents and Settings\LocalService\Application Data (5/30/2005 2:10:51 PM)
C:\Documents and Settings\LocalService\Cookies (9/23/2004 11:17:36 PM)
C:\Documents and Settings\LocalService\Local Settings (9/23/2004 11:17:24 PM)
C:\Documents and Settings\LocalService\NTUSER.DAT (768 KB, 6/27/2006 11:52:12 AM)
C:\Documents and Settings\LocalService\ntuser.dat.LOG (1 KB, 6/27/2006 5:04:17 PM)
C:\Documents and Settings\LocalService\ntuser.ini (1 KB, 9/23/2004 11:17:24 PM)
C:\Documents and Settings\LocalService\Start Menu (2/19/2005 11:15:57 PM)
"And do you know why I can't, even if I'm logged in as admin, access System Restore? "
When antivirus/antispyware tools remove items from System Restore it usually breaks it. Exactly what happens, and where?
"I just scanned with Dr. Web and it found A0016368.dll and A0049118.exe in C:\System Volume Information\_restore which it deleted."
Have you tried disabling System Restore, rebooting your PC and enabling it again?
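The listing above shows that the LocalService and NetworkService profile folders are a normal part of a clean Windows install: they belong to the built-in service accounts (SIDs S-1-5-19 and S-1-5-20) that host svchost.exe service groups. As an added example that is not from this thread or from ComboFix, the script below does the check a responder would actually want here: it maps those two SIDs to their registered profile folders, then lists every running svchost.exe and flags any instance whose image is not the System32 binary, whose owner is not one of the service accounts, or whose Authenticode signature does not validate. It assumes PowerShell 5.1 or later run from an elevated prompt on a current Windows build (the XP system in the thread predates PowerShell; there, `tasklist /svc` gives the service-to-process mapping by hand).

```powershell
# Added example, not part of the original thread or of ComboFix.
# Assumes Windows PowerShell 5.1+ in an elevated session.

# 1. The service-account SIDs and the profile folder Windows registers for each.
#    S-1-5-19 = NT AUTHORITY\LOCAL SERVICE, S-1-5-20 = NT AUTHORITY\NETWORK SERVICE.
#    On XP these resolve to C:\Documents and Settings\LocalService and
#    \NetworkService; on Vista and later to %SystemRoot%\ServiceProfiles\... .
$serviceSids = @{
    'S-1-5-19' = 'LocalService'
    'S-1-5-20' = 'NetworkService'
}
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

foreach ($sid in $serviceSids.Keys) {
    $key = Join-Path $profileList $sid
    if (Test-Path $key) {
        $raw  = (Get-ItemProperty -Path $key -Name ProfileImagePath).ProfileImagePath
        $path = [Environment]::ExpandEnvironmentVariables($raw)
        '{0} ({1}) -> {2}' -f $sid, $serviceSids[$sid], $path
    } else {
        'WARNING: no profile registered for {0} ({1})' -f $sid, $serviceSids[$sid]
    }
}

# 2. Every svchost.exe must be the System32 binary, run as one of the accounts
#    that legitimately host services, and carry a valid Microsoft signature.
#    Caveat: Windows 10+ "per-user services" (e.g. CDPUserSvc_xxxx) run svchost
#    under the logged-on user, so an owner mismatch alone is a lead, not proof.
$genuineSvchost = Join-Path $env:SystemRoot 'System32\svchost.exe'
$serviceOwners  = @('SYSTEM', 'LOCAL SERVICE', 'NETWORK SERVICE')

Get-CimInstance -ClassName Win32_Process -Filter "Name = 'svchost.exe'" |
    ForEach-Object {
        $owner = Invoke-CimMethod -InputObject $_ -MethodName GetOwner
        $ownerName = if ($owner.ReturnValue -eq 0) { $owner.User } else { '<unknown>' }

        $imagePath = $_.ExecutablePath          # $null if access was denied
        $pathOk    = [bool]$imagePath -and ($imagePath -ieq $genuineSvchost)
        $ownerOk   = $serviceOwners -contains $ownerName.ToUpperInvariant()
        $sigOk     = $false
        if ($pathOk) {
            $sigOk = (Get-AuthenticodeSignature -FilePath $imagePath).Status -eq 'Valid'
        }

        [pscustomobject]@{
            PID     = $_.ProcessId
            Owner   = $ownerName
            Path    = if ($imagePath) { $imagePath } else { '<access denied>' }
            Signed  = $sigOk
            Verdict = if ($pathOk -and $ownerOk -and $sigOk) { 'expected' } else { 'INVESTIGATE' }
        }
    } | Format-Table -AutoSize
```

Anything marked INVESTIGATE should be looked at by path and by the services it hosts (`tasklist /svc /fi "pid eq <n>"`) before anything is deleted; a genuine svchost.exe under LOCAL SERVICE or NETWORK SERVICE, as in the thread, is the expected result.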
On my father's PC show hidden files is always on. And they're not there.
And the problem is I can't even turn off system restore, because it then says that I'm not an admin (And I definitely am an admin). And yes sw20.exe and sw24.exe are there, and I know why. (They're from my video card driver)
LonnyRJones
2006-07-01, 06:37
Try it from the safe mode Administrator account, or perhaps you've disabled some services.
And the problem is I can't even turn off system restore, because it then says that I'm not an admin (
It helps if you quote the exact error messages word for word; that way we can do a search.
LonnyRJones
2006-07-02, 03:21
Good
Your PC is malware free.
I recently downloaded a file and that file downloaded viruses and trojans. I reformatted my HD and reinstalled Windows
You do realize viruses/trojans and spyware cannot survive a reformat (on NT systems).
Yeah I do, but I found it odd that those directories were still there. 'Cause Norton said before the reformat that the viruses and trojans were operating from those directories.
LonnyRJones
2006-07-03, 03:52
Perhaps you're confusing a reformat followed by a fresh Windows install with an OEM PC's reinstall of Windows, or a Windows repair install.
Please do not try deleting files like you have without either asking others or doing more research next time.
surf safe
As the problem appears to be resolved this topic will be archived.
If you need it re-opened please send me a private message (pm) and provide a link to the thread.
Applies only to the original topic starter.
Glad we could help, thank you Lonny