problem with Click.GiftLoad



stapper
2011-05-14, 15:37
Hi,

Spybot detected Click.GiftLoad.
Can someone help me remove this beast?

thanks in advance

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Patrick at 11:56:48,62 on za 14/05/2011
Internet Explorer: 7.0.5730.13
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\system32\basfipm.exe
C:\Program Files\IBM\SQLLIB\BIN\db2mgmtsvc.exe
C:\Program Files\IBM\SQLLIB\BIN\db2sec.exe
C:\Program Files\Firebird\Firebird_1_5\bin\fbguard.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Firebird\Firebird_1_5\bin\fbserver.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Microsoft Office\Office\1043\OLFSNT40.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Patrick\Bureaublad\dds.scr
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.be/
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://www.euro.dell.com/
uWindow Title =
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [JDK5SWFMZY] c:\docume~1\patrick\locals~1\temp\Adl.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [SunJavaUpdateSched] c:\program files\java\j2re1.4.2_03\bin\jusched.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [IntelWireless] c:\program files\intel\wireless\bin\ifrmewrk.exe /tf Intel PROSet/Wireless
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [BuildBU] c:\dell\bldbubg.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dRun: [A9YA3MI1CF] c:\windows\temp\Adl.exe
dRun: [KCSCPW1HKH] c:\windows\temp\Adk.exe
dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10b.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F}
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {A4639D2F-774E-11D3-A490-00C04F6843FB} - hxxp://download.microsoft.com/download/vizact2000/Install/10/WIN98Me/EN-US/msorun.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -
Notify: AtiExtEvent - Ati2evxx.dll
Notify: IntelWireless - c:\program files\intel\wireless\bin\LgNotify.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll,, mnrnmuxs.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\patrick\applic~1\mozilla\firefox\profiles\gsdxxua1.default\
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.3.21.53\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJPI142_03.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
.
============= SERVICES / DRIVERS ===============
.
R? ccfc;ccfc
R? GHTJJGIN;GHTJJGIN
R? gupdate;Google Updateservice (gupdate)
R? gupdatem;Google Update-service (gupdatem)
R? Hou85;Hou85
R? Lavasoft Kernexplorer;Lavasoft helper driver
R? msvsmon80;Visual Studio 2005 Remote Debugger
R? Pxf87;Pxf87
R? srv830;srv830
S? DB2MGMTSVC_DB2COPY1;DB2 Management Service (DB2COPY1)
S? DB2NTSECSERVER_DB2COPY1;DB2 Security Server (DB2COPY1)
S? FirebirdGuardianDefaultInstance;Firebird Guardian - DefaultInstance
S? FirebirdServerDefaultInstance;Firebird Server - DefaultInstance
S? GTIPCI21;GTIPCI21
S? Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service
.
=============== File Associations ===============
.
inifile=c:\program files\boxer text editor\b.exe "%1"
regfile=regedit.exe "%1" %*
scrfile="%1" %*
.
=============== Created Last 30 ================
.
2011-05-10 17:58:45 -------- d-----w- C:\screening
2011-05-01 12:17:33 -------- d-----w- c:\program files\CCleaner
.
==================== Find3M ====================
.
2011-05-14 09:01:28 0 ----a-w- c:\windows\system32\tmp.tmp
2011-02-15 18:29:29 31744 ----a-w- c:\windows\system32\mnrnmuxs.dll
2001-05-24 10:59:30 162304 ----a-w- c:\program files\UNWISE.EXE
1999-05-23 23:17:58 99840 ----a-w- c:\program files\common files\IRAABOUT.DLL
1998-12-09 02:53:54 70144 ----a-w- c:\program files\common files\IRAMDMTR.DLL
1998-12-09 02:53:54 48640 ----a-w- c:\program files\common files\IRALPTTR.DLL
1998-12-09 02:53:54 31744 ----a-w- c:\program files\common files\IRAWEBTR.DLL
1998-12-09 02:53:54 186368 ----a-w- c:\program files\common files\IRAREG.DLL
1998-12-09 02:53:54 17920 ----a-w- c:\program files\common files\IRASRIAL.DLL
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: HTS726060M9AT00 rev.MH4OA6EA -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x86E87EC5]<<
_asm { PUSH EBP; MOV EBP, ESP; SUB ESP, 0x1c; PUSH EBX; PUSH ESI; MOV DWORD [EBP-0x4], 0x85d4d872; SUB DWORD [EBP-0x4], 0x85d4d12e; PUSH EDI; CALL 0xffffffffffffdf33; }
1 ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\Harddisk0\DR0[0x86F92AB8]
3 CLASSPNP[0xF75DBFD7] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0x86EFC4D8]
[0x86F5C330] -> IRP_MJ_CREATE -> 0x86E87EC5
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskHTS726060M9AT00_________________________MH4OA6EA#5&36c68b59&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x86E87AEA
user & kernel MBR OK
sectors 117210238 (+255): user != kernel
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 12:03:15,80 ===============
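The DDS log in the post above is what the helper reads by eye for the indicators that drive the rest of the thread: autorun entries launched from temp directories under random names, a non-standard DLL in the SecurityProviders list, a hosts-file entry that blocks a security site, and services whose only name is a random string. The Python below is an added example, not part of the thread and not a Spybot, DDS or ComboFix tool; it applies those triage heuristics to a few lines copied from the log above. The baseline list of stock XP SecurityProviders DLLs and the regular expressions are assumptions of this example, and a hit is a lead for an analyst, not a verdict.

```python
import re
from typing import List, Tuple

# Assumption: the stock SecurityProviders value on Windows XP. Anything
# else in that list deserves a look, though third-party software can add
# legitimate entries.
DEFAULT_SECURITY_PROVIDERS = {"msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll"}

# Heuristics (all assumptions of this example, tuned to the DDS layout):
TEMP_DIR = re.compile(r"\\temp\\", re.IGNORECASE)           # autorun target lives in a temp dir
RANDOM_NAME = re.compile(r"^(?=.*\d)[A-Z0-9]{8,}$")         # 8+ upper-case chars with a digit
RUN_LINE = re.compile(r"^(?:u|m|d)Run(?:Once)?: \[([^\]]+)\] (.+)$")
SERVICE_LINE = re.compile(r"^[RS]\? ([^;]+);(.+)$")
HOSTS_LINE = re.compile(r"^Hosts: (\S+) (\S+)$")

# Constructed sample: lines copied from the DDS log in the thread.
SAMPLE_DDS = r"""
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [JDK5SWFMZY] c:\docume~1\patrick\locals~1\temp\Adl.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
dRun: [A9YA3MI1CF] c:\windows\temp\Adl.exe
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll,, mnrnmuxs.dll
Hosts: 127.0.0.1 www.spywareinfo.com
R? ccfc;ccfc
R? gupdate;Google Updateservice (gupdate)
R? Hou85;Hou85
"""


def triage(dds_text: str) -> List[Tuple[str, str]]:
    """Return (rule, item) pairs for every line that trips a heuristic."""
    findings: List[Tuple[str, str]] = []
    for raw in dds_text.splitlines():
        line = raw.strip()

        # Autorun entries (uRun/mRun/dRun/dRunOnce): temp-dir target or random name.
        m = RUN_LINE.match(line)
        if m:
            name, target = m.groups()
            if TEMP_DIR.search(target):
                findings.append(("autorun-from-temp", line))
            elif RANDOM_NAME.match(name):
                findings.append(("autorun-random-name", line))
            continue

        # SecurityProviders: every DLL not in the stock list is reported.
        if line.startswith("SecurityProviders:"):
            dlls = [d.strip().lower() for d in line.split(":", 1)[1].split(",") if d.strip()]
            for dll in dlls:
                if dll not in DEFAULT_SECURITY_PROVIDERS:
                    findings.append(("unknown-security-provider", dll))
            continue

        # Hosts file: a real host name pinned to the loopback address is a
        # classic way to block security vendors' sites.
        m = HOSTS_LINE.match(line)
        if m:
            ip, host = m.groups()
            if ip in ("127.0.0.1", "0.0.0.0") and host.lower() != "localhost":
                findings.append(("hosts-redirect", line))
            continue

        # Services/drivers whose display name is just the service name again.
        m = SERVICE_LINE.match(line)
        if m:
            name, display = m.groups()
            if name == display:
                findings.append(("service-no-display-name", line))
    return findings


def count_by_rule(dds_text: str) -> dict:
    """Summary of how many lines tripped each rule."""
    counts: dict = {}
    for rule, _ in triage(dds_text):
        counts[rule] = counts.get(rule, 0) + 1
    return counts


if __name__ == "__main__":
    for rule, item in triage(SAMPLE_DDS):
        print(f"{rule:28} {item}")
```

Run against the sample it reports the two temp-dir autoruns, `zwebauth.dll` and `mnrnmuxs.dll` as non-stock providers, the spywareinfo.com hosts entry, and the `ccfc` and `Hou85` services; the stock `CTFMON.EXE`, `Apoint` and `gupdate` lines pass clean.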

ken545
2011-05-17, 01:22


Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.

Until we deem your system clean I am going to ask you not to install or uninstall any software or hardware except for the programs we may run.

Besides Click.Giftload you're also infected with a nasty rootkit.


This will remove Click.giftload



REGEDIT4

[HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\featurecontrol\FEATURE_BROWSER_EMULATION]
"svchost.exe"=-




Copy the entire contents inside the Quote box and paste it into Notepad (this will only work with Notepad). Name the file Regfix.reg and, in the drop-down box, save it as All Files. Save it to your desktop. Then right-click on the Regfix.reg file and click Merge; when it asks you to merge with the Registry, say Yes.

If you saved the file correctly it should look like this http://i24.photobucket.com/albums/c30/ken545/reg.jpg





Download aswMBR.exe (http://public.avast.com/~gmerek/aswMBR.exe) ( 511KB ) to your desktop.

Double click the aswMBR.exe to run it

Click the "Scan" button to start scan
http://public.avast.com/~gmerek/aswMBR1.png

On completion of the scan click save log, save it to your desktop and post in your next reply
http://public.avast.com/~gmerek/aswMBR2.png

stapper
2011-05-17, 21:44
OK, I did what you said.

Thanks in advance

Patrick

stapper
2011-05-17, 21:47
Here is the attachment

ken545
2011-05-18, 03:21
Hi ,

Disable your Antivirus and then run Defogger. You can re-enable your AV when we're done, and you can also re-run DeFogger when we're done to re-enable your CD drivers.


Please download DeFogger (http://www.jpshortstuff.247fixes.com/Defogger.exe) to your desktop.

Double click DeFogger to run the tool.

The application window will appear
Click the Disable button to disable your CD Emulation drivers
Click Yes to continue
A 'Finished!' message will appear
Click OK
DeFogger will now ask to reboot the machine - click OK

IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed.


To re-enable your Emulation drivers, double click DeFogger to run the tool.

The application window will appear
Click the Re-enable button to re-enable your CD Emulation drivers
Click Yes to continue
A 'Finished!' message will appear
Click OK
DeFogger will now ask to reboot the machine - click OK

IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_enable which will appear on your desktop.

Your Emulation drivers are now re-enabled.





Re-Run aswMBR

Click Scan

On completion of the scan

Click Fix

http://public.avast.com/~gmerek/aswMBR3.png



Save the log as before and post in your next reply

stapper
2011-05-18, 11:01
Hi,

I ran the defogger -> no problem. Except it did not ask me to reboot.
I did it myself.
Then I ran aswMBR,
but the FIX button was not enabled,
so I ran the FixMBR.

I rebooted again and ran the scan again.
The log is attached.

ken545
2011-05-18, 11:22
Good Morning,

Please follow the instructions that are posted and don't do anything else, I hate to see you damage your system.

Let's try this instead



Please download TDSSKiller.zip (http://support.kaspersky.com/downloads/utils/tdsskiller.zip)
Extract it to your desktop
Double click TDSSKiller.exe
Press Start Scan

Only if Malicious objects are found then ensure Cure is selected
Then click Continue > Reboot now

Copy and paste the log in your next reply

A copy of the log will be saved automatically to the root of the drive (typically C:\)

stapper
2011-05-20, 21:20
I ran the TDSSKILLER yesterday.
The log file is attached.

After the reboot I could not get onto the internet anymore (wireless).
I tried to connect with a network cable, but then I got the message that the computer was shutting down in a few seconds.
It looks like the lsass.exe virus.

Today I started up again and I can connect to the internet again, but the laptop is very slow.

thanks again for all the work

ken545
2011-05-21, 00:32
Do this,

Run aswMBR just to scan, not to fix and post a new log please

Download ComboFix from one of these locations:

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)


* IMPORTANT !!! Save ComboFix.exe to your Desktop


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instructions on how to disable them.
Remember to re-enable them when we're done.


Double click on ComboFix.exe & follow the prompts.


As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.


Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



http://img.photobucket.com/albums/v706/ried7/RC1.png


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

*If there is no internet connection when ComboFix has completely finished, then restart your computer to restore the connections.

stapper
2011-05-21, 15:02
Hi,
I ran aswMBR. The log file is attached.
I downloaded ComboFix and installed the recovery console.
The log file is attached.
The laptop runs faster now.

Thanks for all the help.




aswMBR version 0.9.5.256 Copyright(c) 2011 AVAST Software
Run date: 2011-05-21 11:38:25
-----------------------------
11:38:25.784 OS Version: Windows 5.1.2600 Service Pack 3
11:38:25.784 Number of processors: 1 586 0xD08
11:38:25.784 ComputerName: LAPTOP_DELL UserName: Patrick
11:38:28.676 Initialize success
11:38:33.052 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
11:38:33.052 Disk 0 Vendor: HTS726060M9AT00 MH4OA6EA Size: 57231MB BusType: 3
11:38:35.083 Disk 0 MBR read successfully
11:38:35.083 Disk 0 MBR scan
11:38:35.083 Disk 0 Windows XP default MBR code
11:38:37.084 Disk 0 scanning sectors +117178110
11:38:37.099 Disk 0 scanning C:\WINDOWS\system32\drivers
11:38:43.663 Service scanning
11:38:44.945 Disk 0 trace - called modules:
11:38:44.960 ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS
11:38:44.960 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86f92ab8]
11:38:44.960 3 CLASSPNP.SYS[f75dbfd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x86f6fd98]
11:38:44.960 Scan finished successfully
11:39:00.995 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Patrick\Bureaublad\MBR.dat"
11:39:01.026 The log file has been saved successfully to "C:\Documents and Settings\Patrick\Bureaublad\aswMBR.txt"





ComboFix 11-05-19.02 - Patrick 21/05/2011 11:47:52.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.31.1043.18.1023.505 [GMT 2:00]
Gestart vanuit: c:\documents and settings\Patrick\Bureaublad\ComboFix.exe
.
.
(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\All Users\Favorieten\_favdata.dat
c:\documents and settings\Greetje\Application Data\Athe
c:\documents and settings\Greetje\Application Data\Athe\ozuqy.tmp
c:\documents and settings\Patrick\WINDOWS
c:\windows\system32\drivers\fad.sys
c:\windows\system32\lowsec
c:\windows\system32\tmp.tmp . . . . konden niet verwijderd worden
.
----- BITS: Mogelijk geïnfecteerde sites -----
.
hxxp://hallcash.net
Besmet exemplaar van c:\windows\system32\userinit.exe werd aangetroffen en gedesinfecteerd
Hersteld exemplaar van - c:\windows\ServicePackFiles\i386\userinit.exe
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_SRV830
-------\Legacy_SSHNAS
-------\Service_srv830
.
.
(((((((((((((((((((( Bestanden Gemaakt van 2011-04-21 to 2011-05-21 ))))))))))))))))))))))))))))))
.
.
2011-05-21 09:55 . 2011-05-21 09:55 0 ----a-w- c:\windows\system32\tmp.tmp
2011-05-14 09:42 . 2011-05-14 09:52 -------- d-----w- c:\program files\ERUNT
2011-05-10 17:58 . 2011-05-10 21:26 -------- d-----w- C:\screening
2011-05-01 12:17 . 2011-05-01 12:17 -------- d-----w- c:\program files\CCleaner
2011-05-01 11:45 . 2011-05-01 11:45 -------- d-----w- c:\documents and settings\Greetje\Local Settings\Application Data\Mozilla
.
.
.
((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-19 06:07 . 2004-09-13 12:52 153856 ----a-w- c:\windows\system32\drivers\dmio.sys
2001-05-24 10:59 . 2008-02-21 19:24 162304 ----a-w- c:\program files\UNWISE.EXE
1999-05-23 23:17 . 1999-05-23 23:17 99840 ----a-w- c:\program files\Common Files\IRAABOUT.DLL
1998-12-09 02:53 . 1998-12-09 02:53 70144 ----a-w- c:\program files\Common Files\IRAMDMTR.DLL
1998-12-09 02:53 . 1998-12-09 02:53 48640 ----a-w- c:\program files\Common Files\IRALPTTR.DLL
1998-12-09 02:53 . 1998-12-09 02:53 31744 ----a-w- c:\program files\Common Files\IRAWEBTR.DLL
1998-12-09 02:53 . 1998-12-09 02:53 186368 ----a-w- c:\program files\Common Files\IRAREG.DLL
1998-12-09 02:53 . 1998-12-09 02:53 17920 ----a-w- c:\program files\Common Files\IRASRIAL.DLL
.
.
((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-09-13 155648]
"SunJavaUpdateSched"="c:\program files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 32881]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2005-03-04 606208]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-26 53248]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-06-02 267048]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10b.exe" [2009-02-03 240544]
.
c:\documents and settings\All Users\Menu Start\Programma's\Opstarten\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-6-16 24576]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]
Poort voor Symantec Fax Starter Edition.lnk - c:\program files\Microsoft Office\Office\1043\OLFSNT40.EXE [1999-5-24 46077]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2005-6-20 118784]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 15:08 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll, mnrnmuxs.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Hou85.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Pxf87.sys]
@="Driver"
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background
"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
.
R2 DB2MGMTSVC_DB2COPY1;DB2 Management Service (DB2COPY1);c:\program files\IBM\SQLLIB\BIN\db2mgmtsvc.exe [8/11/2007 21:50 35616]
R2 DB2NTSECSERVER_DB2COPY1;DB2 Security Server (DB2COPY1);c:\program files\IBM\SQLLIB\BIN\db2sec.exe [8/11/2007 21:51 14112]
R2 FirebirdGuardianDefaultInstance;Firebird Guardian - DefaultInstance;c:\program files\Firebird\Firebird_1_5\bin\fbguard.exe -s --> c:\program files\Firebird\Firebird_1_5\bin\fbguard.exe -s [?]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [12/08/2010 14:15 1375992]
R3 FirebirdServerDefaultInstance;Firebird Server - DefaultInstance;c:\program files\Firebird\Firebird_1_5\bin\fbserver.exe -s --> c:\program files\Firebird\Firebird_1_5\bin\fbserver.exe -s [?]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [16/06/2005 18:07 80384]
S0 Hou85;Hou85;c:\windows\system32\Drivers\Hou85.sys --> c:\windows\system32\Drivers\Hou85.sys [?]
S0 Pxf87;Pxf87;c:\windows\system32\Drivers\Pxf87.sys --> c:\windows\system32\Drivers\Pxf87.sys [?]
S1 ccfc;ccfc;\??\c:\windows\system32\ccfc.sys --> c:\windows\system32\ccfc.sys [?]
S2 GHTJJGIN;GHTJJGIN;\??\c:\windows\system32\ghtjjgin.tfp --> c:\windows\system32\ghtjjgin.tfp [?]
S2 gupdate;Google Updateservice (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [19/11/2010 20:39 136176]
S3 gupdatem;Google Update-service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [19/11/2010 20:39 136176]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [12/08/2010 14:15 15264]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [23/09/2005 8:01 2799808]
.
Inhoud van de 'Gedeelde Taken' map
.
2011-05-21 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-08-12 19:36]
.
2011-05-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
2011-05-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-11-19 18:39]
.
2011-05-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-11-19 18:39]
.
.
------- Bijkomende Scan -------
.
uStart Page = hxxp://www.google.be/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
FF - ProfilePath - c:\documents and settings\Patrick\Application Data\Mozilla\Firefox\Profiles\gsdxxua1.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
.
.
------- Bestandsassociaties -------
.
inifile=c:\program files\Boxer Text Editor\b.exe "%1"
.
- - - - ORPHANS VERWIJDERD - - - -
.
HKLM-Run-ATIPTA - c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe
HKLM-Run-BuildBU - c:\dell\bldbubg.exe
SafeBoot-klmdb.sys
SafeBoot-Krx28.sys
SafeBoot-nvE54.sys
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-21 11:56
Windows 5.1.2600 Service Pack 3 NTFS
.
scannen van verborgen processen ...
.
scannen van verborgen autostart items ...
.
scannen van verborgen bestanden ...
.
Scan succesvol afgerond
verborgen bestanden: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\GHTJJGIN]
"ImagePath"="\??\c:\windows\system32\ghtjjgin.tfp"
.
--------------------- DLLs Geladen Onder Lopende Processen ---------------------
.
- - - - - - - > 'winlogon.exe'(1000)
c:\windows\system32\Ati2evxx.dll
c:\program files\Intel\Wireless\Bin\LgNotify.dll
.
------------------------ Andere Aktieve Processen ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKeeper.exe
c:\windows\System32\SCardSvr.exe
c:\windows\system32\basfipm.exe
c:\program files\Firebird\Firebird_1_5\bin\fbguard.exe
c:\program files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Firebird\Firebird_1_5\bin\fbserver.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Intel\Wireless\Bin\ZcfgSvc.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\wscntfy.exe
c:\progra~1\Intel\Wireless\Bin\1XConfig.exe
c:\program files\Apoint\Apntex.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
.
**************************************************************************
.
Voltooingstijd: 2011-05-21 12:05:02 - machine werd herstart
ComboFix-quarantined-files.txt 2011-05-21 10:05
.
Pre-Run: 22.580.400.128 bytes beschikbaar
Post-Run: 22.663.761.920 bytes beschikbaar
.
WindowsXP-KB310994-SP2-Home-BootDisk-NLD.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 4660F9ECB385984300D56D0DF741CBE1

ken545
2011-05-21, 15:17
Patrick, it's best to copy and paste the logs into the thread in lieu of attaching them; it's easier for me to analyze.

Looks like the Rootkit is gone


While I am looking over your Combofix log, run this program and post the log please

Please download Malwarebytes from Here (http://www.malwarebytes.org/mbam-download.php) or Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)


Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform quick scan, then click Scan.
http://i24.photobucket.com/albums/c30/ken545/MBAMCapture.jpg
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected .
When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.
Post the report please

stapper
2011-05-22, 11:19
OK, I will do that.

I downloaded, updated and ran Malwarebytes.
Here are the results

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Databaseversie: 6639

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

22/05/2011 10:12:03
mbam-log-2011-05-22 (10-12-03).txt

Scantype: Snelle scan
Objecten gescand: 175865
Verstreken tijd: 4 minuut/minuten, 40 seconde(n)

Geheugenprocessen geïnfecteerd: 0
Geheugenmodulen geïnfecteerd: 0
Registersleutels geïnfecteerd: 2
Registerwaarden geïnfecteerd: 0
Registerdata geïnfecteerd: 1
Mappen geïnfecteerd: 0
Bestanden geïnfecteerd: 1

Geheugenprocessen geïnfecteerd:
(Geen kwaadaardige objecten gedetecteerd)

Geheugenmodulen geïnfecteerd:
(Geen kwaadaardige objecten gedetecteerd)

Registersleutels geïnfecteerd:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494E6CEC-7483-A4EE-0938-895519A84BC7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494E6CEC-7483-A4EE-0938-895519A84BC7} (Backdoor.Bot) -> Quarantined and deleted successfully.

Registerwaarden geïnfecteerd:
(Geen kwaadaardige objecten gedetecteerd)

Registerdata geïnfecteerd:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders (Trojan.FakeAlert) -> Bad: (mnrnmuxs.dll) Good: () -> Quarantined and deleted successfully.

Mappen geïnfecteerd:
(Geen kwaadaardige objecten gedetecteerd)

Bestanden geïnfecteerd:
c:\WINDOWS\system32\mnrnmuxs.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
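
Added example, not part of the thread or of any tool named in it: the Malwarebytes log above reports mnrnmuxs.dll appended to the SecurityProviders value, a location whose DLLs are loaded by every process that initialises the security support provider interface, which is why it is worth auditing. The Python below compares that value against the Windows XP default list (an assumed baseline; later Windows versions ship a different list) and reports anything else for review; the constructed sample strings stand in for the live registry read on non-Windows hosts.

```python
"""Audit HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SecurityProviders.

Added example for this thread, not code from Malwarebytes, ComboFix or the
poster. Baseline assumption: Windows XP, the OS shown in the logs above.
"""
import sys

# Windows XP default SecurityProviders entries (assumed baseline for this check).
XP_DEFAULT_PROVIDERS = frozenset(
    {"msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll"}
)


def parse_providers(value):
    """Split the comma-separated REG_SZ value into normalised DLL names.

    Empty items and surrounding whitespace are dropped; names are lower-cased
    so a case change alone cannot slip past the baseline comparison.
    """
    return [item.strip().lower() for item in value.split(",") if item.strip()]


def unexpected_providers(value, baseline=XP_DEFAULT_PROVIDERS):
    """Return the entries of `value` that are not in `baseline`, in list order.

    A returned name is a candidate to verify (hash it, check its signer and
    location), not a verdict: legitimate third-party providers also land here.
    """
    return [name for name in parse_providers(value) if name not in baseline]


def read_live_value():
    """Read the real registry value on Windows; return None on other platforms.

    winreg only exists on Windows, so the import is deferred behind the check.
    """
    if sys.platform != "win32":
        return None
    import winreg  # Windows-only standard library module

    key_path = r"SYSTEM\CurrentControlSet\Control\SecurityProviders"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
        value, _value_type = winreg.QueryValueEx(key, "SecurityProviders")
    return value


# Constructed sample values. The first reproduces the state the Malwarebytes
# log reported as Bad (mnrnmuxs.dll appended); the second is the XP default.
SAMPLE_INFECTED = "msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, mnrnmuxs.dll"
SAMPLE_CLEAN = "msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


def report(label, value):
    """Format one audit line; returns the text so callers can log or print it."""
    extra = unexpected_providers(value)
    status = "OK (baseline only)" if not extra else "REVIEW: " + ", ".join(extra)
    return f"{label}: {status}"


if __name__ == "__main__":
    print(report("constructed infected", SAMPLE_INFECTED))
    print(report("constructed clean", SAMPLE_CLEAN))
    live = read_live_value()
    if live is not None:
        print(report("live registry", live))
```

Run against the ComboFix listing later in this thread, which shows a fifth entry (zwebauth.dll) that neither tool flagged, the same check would surface that name for review as well.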

ken545
2011-05-22, 13:44
Drag ComboFix to the trash, download a fresh copy, run it and post the new log please.

Download ComboFix from one of these locations:

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)


* IMPORTANT !!! Save ComboFix.exe to your Desktop

stapper
2011-05-23, 20:08
Hi,

I downloaded a fresh copy of ComboFix.
I did the update.
Here is the log file, and thanks in advance.

ComboFix 11-05-22.02 - Patrick 23/05/2011 18:52:54.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.31.1043.18.1023.465 [GMT 2:00]
Gestart vanuit: c:\documents and settings\Patrick\Bureaublad\ComboFix.exe
* Nieuw herstelpunt werd aangemaakt
.
.
(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\tmp.tmp
.
.
(((((((((((((((((((( Bestanden Gemaakt van 2011-04-23 to 2011-05-23 ))))))))))))))))))))))))))))))
.
.
2011-05-22 08:05 . 2010-12-20 16:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-22 08:04 . 2011-05-22 08:05 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-05-22 08:04 . 2010-12-20 16:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-14 09:42 . 2011-05-14 09:52 -------- d-----w- c:\program files\ERUNT
2011-05-10 17:58 . 2011-05-10 21:26 -------- d-----w- C:\screening
2011-05-01 12:17 . 2011-05-01 12:17 -------- d-----w- c:\program files\CCleaner
2011-05-01 11:45 . 2011-05-01 11:45 -------- d-----w- c:\documents and settings\Greetje\Local Settings\Application Data\Mozilla
.
.
.
((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-19 06:07 . 2004-09-13 12:52 153856 ----a-w- c:\windows\system32\drivers\dmio.sys
2001-05-24 10:59 . 2008-02-21 19:24 162304 ----a-w- c:\program files\UNWISE.EXE
1999-05-23 23:17 . 1999-05-23 23:17 99840 ----a-w- c:\program files\Common Files\IRAABOUT.DLL
1998-12-09 02:53 . 1998-12-09 02:53 70144 ----a-w- c:\program files\Common Files\IRAMDMTR.DLL
1998-12-09 02:53 . 1998-12-09 02:53 48640 ----a-w- c:\program files\Common Files\IRALPTTR.DLL
1998-12-09 02:53 . 1998-12-09 02:53 31744 ----a-w- c:\program files\Common Files\IRAWEBTR.DLL
1998-12-09 02:53 . 1998-12-09 02:53 186368 ----a-w- c:\program files\Common Files\IRAREG.DLL
1998-12-09 02:53 . 1998-12-09 02:53 17920 ----a-w- c:\program files\Common Files\IRASRIAL.DLL
.
.
((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-09-13 155648]
"SunJavaUpdateSched"="c:\program files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 32881]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2005-03-04 606208]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-26 53248]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-06-02 267048]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10b.exe" [2009-02-03 240544]
.
c:\documents and settings\All Users\Menu Start\Programma's\Opstarten\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-6-16 24576]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]
Poort voor Symantec Fax Starter Edition.lnk - c:\program files\Microsoft Office\Office\1043\OLFSNT40.EXE [1999-5-24 46077]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2005-6-20 118784]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 15:08 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Hou85.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Pxf87.sys]
@="Driver"
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background
"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
.
R2 DB2MGMTSVC_DB2COPY1;DB2 Management Service (DB2COPY1);c:\program files\IBM\SQLLIB\BIN\db2mgmtsvc.exe [8/11/2007 21:50 35616]
R2 DB2NTSECSERVER_DB2COPY1;DB2 Security Server (DB2COPY1);c:\program files\IBM\SQLLIB\BIN\db2sec.exe [8/11/2007 21:51 14112]
R2 FirebirdGuardianDefaultInstance;Firebird Guardian - DefaultInstance;c:\program files\Firebird\Firebird_1_5\bin\fbguard.exe -s --> c:\program files\Firebird\Firebird_1_5\bin\fbguard.exe -s [?]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [12/08/2010 14:15 1375992]
R3 FirebirdServerDefaultInstance;Firebird Server - DefaultInstance;c:\program files\Firebird\Firebird_1_5\bin\fbserver.exe -s --> c:\program files\Firebird\Firebird_1_5\bin\fbserver.exe -s [?]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [16/06/2005 18:07 80384]
S0 Hou85;Hou85;c:\windows\system32\Drivers\Hou85.sys --> c:\windows\system32\Drivers\Hou85.sys [?]
S0 Pxf87;Pxf87;c:\windows\system32\Drivers\Pxf87.sys --> c:\windows\system32\Drivers\Pxf87.sys [?]
S1 ccfc;ccfc;\??\c:\windows\system32\ccfc.sys --> c:\windows\system32\ccfc.sys [?]
S2 GHTJJGIN;GHTJJGIN;\??\c:\windows\system32\ghtjjgin.tfp --> c:\windows\system32\ghtjjgin.tfp [?]
S2 gupdate;Google Updateservice (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [19/11/2010 20:39 136176]
S3 gupdatem;Google Update-service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [19/11/2010 20:39 136176]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [12/08/2010 14:15 15264]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [23/09/2005 8:01 2799808]
.
Inhoud van de 'Gedeelde Taken' map
.
2011-05-23 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-08-12 19:36]
.
2011-05-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
2011-05-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-11-19 18:39]
.
2011-05-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-11-19 18:39]
.
.
------- Bijkomende Scan -------
.
uStart Page = hxxp://www.google.be/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
FF - ProfilePath - c:\documents and settings\Patrick\Application Data\Mozilla\Firefox\Profiles\gsdxxua1.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
.
.
------- Bestandsassociaties -------
.
inifile=c:\program files\Boxer Text Editor\b.exe "%1"
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-23 19:00
Windows 5.1.2600 Service Pack 3 NTFS
.
scannen van verborgen processen ...
.
scannen van verborgen autostart items ...
.
scannen van verborgen bestanden ...
.
Scan succesvol afgerond
verborgen bestanden: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\GHTJJGIN]
"ImagePath"="\??\c:\windows\system32\ghtjjgin.tfp"
.
--------------------- DLLs Geladen Onder Lopende Processen ---------------------
.
- - - - - - - > 'winlogon.exe'(1000)
c:\windows\system32\Ati2evxx.dll
c:\program files\Intel\Wireless\Bin\LgNotify.dll
.
Voltooingstijd: 2011-05-23 19:02:36
ComboFix-quarantined-files.txt 2011-05-23 17:02
ComboFix2.txt 2011-05-21 10:05
.
Pre-Run: 23.194.517.504 bytes beschikbaar
Post-Run: 23.194.001.408 bytes beschikbaar
.
- - End Of File - - 434931C215EFF924BDD53242F9633E8B

ken545
2011-05-23, 20:16
Hi,

Just a few files that I would like you to check for me

You need to enable windows to show all files and folders, instructions Here (http://www.bleepingcomputer.com/tutorials/tutorial62.html)

Go to VirusTotal (http://www.virustotal.com/) and submit these files for analysis: just use the BROWSE feature and then Send File. You will get a report back; post the report into this thread for me to see. If the site says this file has already been checked, have them check it again.

c:\windows\system32\Drivers\Hou85.sys
c:\windows\system32\Drivers\Pxf87.sys
c:\windows\system32\ccfc.sys
c:\windows\system32\ghtjjgin.tfp


If the site is busy you can try this one
http://virusscan.jotti.org/en

stapper
2011-05-24, 09:19
Hi,

I enabled Windows to show the files and folders, but the files are not on my system.

regards

Patrick

ken545
2011-05-24, 11:18
OK, let's proceed. How are things running so far, any redirects or unwanted pop-up windows?



ESET Online Scanner
I'd like us to scan your machine with ESET OnlineScan

*Note
It is recommended to disable onboard antivirus program and antispyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your antivirus along with your antispyware programs.



Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan (http://eset.com/onlinescan)
Click the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetOnline.png button.
For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
Click on http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstall.png to download the ESET Smart Installer. Save it to your desktop.
Double click on the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstallDesktopIcon.png icon on your desktop.

Check http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetAcceptTerms.png
Click the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetStart.png button.
Accept any security warnings from your browser.
Check http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetScanArchives.png
Make sure that the option "Remove found threats" is Unchecked
Push the Start button.
ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
When the scan completes, push http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetListThreats.png
Push http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetExport.png, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
Push the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetBack.png button.
Push http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetFinish.png
Please make sure you include the following items in your next post:
The log that was produced after running ESET Online Scanner.

stapper
2011-05-25, 00:52
Here is the log file from ESET. The log is also attached if this is better for you.

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinMuollo1.zip Win32/Bagle.gen.zip worm
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinMuollo3.zip Win32/Bagle.gen.zip worm
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinZBot.zip Win32/Bagle.gen.zip worm
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\j.jar-1dcd5b4f-21c8fe54.zip a variant of Java/TrojanDownloader.OpenStream.NBU trojan
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\j.jar-21ede86b-214a64b5.zip a variant of Java/TrojanDownloader.OpenStream.NBU trojan
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javajsm.jar-3ae85437-162d9161.zip multiple threats
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javaobe.jar-25f45de5-1d5cabe1.zip multiple threats
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\plugins.jar-6ca7f74e-3be20236.zip multiple threats
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\plugins.jar-77c163e5-633658ef.zip Java/TrojanDownloader.Agent.NCM trojan
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\track5.id-3a7575ee-3465175d.zip probably a variant of Java/Agent.AF trojan
C:\Documents and Settings\Patrick\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\yearsTend.class-17262f98-7b9eca77.class probably a variant of Java/TrojanDownloader.Agent.AB trojan
C:\Downloads\autorun.inf Win32/Ramnit.A.Gen virus
C:\Downloads\setup50045.fon Win32/AutoRun.Agent.ABK worm
C:\Downloads\setup50045.lnk LNK/Exploit.CVE-2010-2568 trojan
C:\Downloads\setup50076.fon Win32/AutoRun.Agent.ABK worm
C:\Downloads\setup50076.lnk LNK/Exploit.CVE-2010-2568 trojan
C:\Downloads\genesys\GeneSysSDK2006.zip a variant of Win32/TrojanDropper.Small.NIS trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\userinit.exe.vir a variant of Win32/Kryptik.DKU trojan
C:\screening\autorun.inf Win32/Ramnit.A.Gen virus
C:\screening\setup50045.fon Win32/AutoRun.Agent.ABK worm
C:\screening\setup50045.lnk LNK/Exploit.CVE-2010-2568 trojan
C:\System Volume Information\_restore{CB32FFED-FFB0-4F82-9D41-E1A8368D0A19}\RP863\A0091682.dll Win32/TrojanDownloader.FakeAlert.ARF trojan
C:\System Volume Information\_restore{CB32FFED-FFB0-4F82-9D41-E1A8368D0A19}\RP863\A0092712.inf Win32/Ramnit.A.Gen virus
C:\System Volume Information\_restore{CB32FFED-FFB0-4F82-9D41-E1A8368D0A19}\RP865\A0102951.exe a variant of Win32/Kryptik.DKU trojan

ken545
2011-05-25, 01:28
You have infected files all over the place.

1. Open Spybot and go to the Quarantine folder and remove it all

2. Go to these two folders and delete all that's inside:
C:\screening
C:\Downloads


3. C:\Qoobox <-- This is the ComboFix backup folder; it can't hurt you, and we will remove it when we're done.

4. Your Java cache has bad files in it, do this:

Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button. Your system may start up slower after running ATF Cleaner; this is expected, but it will be back to normal after the first or second boot-up.
Please note: If you use online banking or are registered online with any other organizations, ensure you have memorized your password and other personal information, as removing cookies will temporarily disable the auto-login facility.

http://i24.photobucket.com/albums/c30/ken545/Atribune.jpg



5. System Restore also has bad files, but they can't hurt you unless you use System Restore to revert your computer to an earlier date, so it's best to flush this all out.

System Restore is a component of Microsoft's Windows Me, Windows XP, Windows Vista and Windows 7 operating systems that allows for the rolling back of system files, registry keys, installed programs, etc., to a previous state in the event of malfunctioning or failure. Old restore points can be a source of re-infection.

Please follow the steps below to create a clean restore point:

Click Start > Run > copy and paste the following into the run box:

%SystemRoot%\System32\restore\rstrui.exe
Press OK. Choose Create a Restore Point then click Next.
Name it (something you'll remember) and click Create.
When the confirmation screen shows the restore point has been created click Close.


Then remove all previous Restore Points

Click Start > Run > copy and paste the following into the run box:

cleanmgr
Choose to scan drive C:\ (if C:\ is your main drive).
At the top, click on More Options tab. Click the Clean up... button in the System Restore box.
Click on the Yes button.
When finished, click on Cancel button to exit.


After you're done, reboot your system, run ESET again and post the log.

stapper
2011-05-26, 02:58
Here is the log file from ESET. Thanks in advance.

C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\j.jar-21ede86b-214a64b5.zip a variant of Java/TrojanDownloader.OpenStream.NBU trojan
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javajsm.jar-3ae85437-162d9161.zip multiple threats
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javaobe.jar-25f45de5-1d5cabe1.zip multiple threats
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\plugins.jar-6ca7f74e-3be20236.zip multiple threats
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\plugins.jar-77c163e5-633658ef.zip Java/TrojanDownloader.Agent.NCM trojan
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\track5.id-3a7575ee-3465175d.zip probably a variant of Java/Agent.AF trojan
C:\Documents and Settings\Patrick\Local Settings\temp\srv294.tmp Win32/AutoRun.Agent.ABK worm
C:\Qoobox\Quarantine\C\WINDOWS\system32\userinit.exe.vir a variant of Win32/Kryptik.DKU trojan

ken545
2011-05-26, 03:35
Backup Your Registry with ERUNT:
Download erunt.zip to your Desktop from here:
http://aumha.org/downloads/erunt.zip
Right-click erunt.zip, select Extract All... and follow the prompts to extract ERUNT to a new folder on your Desktop
Inside the new folder, double-click ERUNT.exe to start the program
OK all the prompts to back up your registry to the default location. Note: to restore your registry, go to the backup folder and start ERDNT.exe

Open OTL.exe

Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL:

:processes
killallprocesses

:OTL



:Services

:Reg
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\GHTJJGIN]





:Commands
[purity]
[resethosts]
[emptytemp]
[start explorer]
[Reboot]

Then click the Run Fix button at the top. <-- Not Run Scan
Let the program run unhindered, reboot when it is done
Then post the results of the log it produces.
Then run a new scan and post a new OTL log ( don't check the boxes beside LOP Check or Purity this time )

stapper
2011-05-26, 09:03
Here is the log file. Thanks in advance

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes
->Java cache emptied: 128693 bytes
->Flash cache emptied: 2130 bytes

User: Patrick
->Temp folder emptied: 71404 bytes
->Temporary Internet Files folder emptied: 4183961 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 32054514 bytes
->Flash cache emptied: 2058966 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 19569 bytes
%systemroot%\System32 .tmp files removed: 2845 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 16576415 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 56,00 mb


OTL by OldTimer - Version 3.2.23.0 log created on 05262011_075540

Files\Folders moved on Reboot...
C:\Documents and Settings\Patrick\Local Settings\Temporary Internet Files\Content.IE5\RDBWTYPZ\showthread[3].htm moved successfully.
C:\Documents and Settings\Patrick\Local Settings\Temporary Internet Files\Content.IE5\RDBWTYPZ\showthread[5].htm moved successfully.
C:\Documents and Settings\Patrick\Local Settings\Temporary Internet Files\AntiPhishing\A0AB7674-8D67-4F4D-B5E1-96FAEADFB79D.dat moved successfully.

Registry entries deleted on Reboot...

ken545
2011-05-26, 11:16
How are things running now ?

stapper
2011-05-26, 13:01
Very good, no problems, speed is OK.

I suppose this is the happy end.

Thank you for all your time.

Now I have to convince my wife that she has to be more careful and use her own login and update her tools to keep it clean.

Again, a lot of thanks for your excellent guidance through the cleaning process.

Patrick

ken545
2011-05-26, 14:13
You're welcome, Patrick. Do me one last favor: run a scan with OTL and let me take one final look.

OTL by OldTimer

Download OTL (http://oldtimer.geekstogo.com/OTL.exe) to your desktop.
Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
When the window appears, underneath Output at the top change it to Minimal Output.
Click the "Scan All Users" checkbox.
Check the boxes beside LOP Check and Purity Check.
Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.

When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt.
Note: These logs can be located in the OTL folder on your C:\ drive if they fail to open automatically.
Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them both in.

stapper
2011-05-26, 19:46
Hi,
I already did a Windows update today and installed SpywareBlaster.
There were 2 updates that I didn't do: SQL Server Express and Genuine Advantage.

Here is the OTL log:
OTL logfile created on: 26/05/2011 17:35:39 - Run 1
OTL by OldTimer - Version 3.2.23.0 Folder = C:\Documents and Settings\Patrick\Bureaublad
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000813 | Country: België | Language: NLB | Date Format: d/MM/yyyy

1023,39 Mb Total Physical Memory | 507,96 Mb Available Physical Memory | 49,64% Memory free
2,40 Gb Paging File | 2,11 Gb Available in Paging File | 88,00% Paging File free
Paging file location(s): C:\pagefile.sys 1535 2096 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 55,78 Gb Total Space | 24,34 Gb Free Space | 43,64% Space Free | Partition Type: NTFS

Computer Name: LAPTOP_DELL | User Name: Patrick | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Patrick\Bureaublad\OTL.exe (OldTimer Tools)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\IBM\SQLLIB\BIN\db2sec.exe (International Business Machines Corporation)
PRC - C:\Program Files\IBM\SQLLIB\BIN\db2mgmtsvc.exe (International Business Machines Corporation)
PRC - C:\Program Files\Dell\QuickSet\quickset.exe ()
PRC - C:\Program Files\Firebird\Firebird_1_5\bin\fbserver.exe (The Firebird Project)
PRC - C:\Program Files\Firebird\Firebird_1_5\bin\fbguard.exe (The Firebird Project)
PRC - C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe (Intel Corporation)
PRC - C:\Program Files\Apoint\Apoint.exe (Alps Electric Co., Ltd.)
PRC - C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe (Intel® Corporation)
PRC - C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe (Intel Corporation)
PRC - C:\Program Files\Intel\Wireless\Bin\1XConfig.exe (Intel)
PRC - C:\Program Files\Apoint\ApntEx.exe (Alps Electric Co., Ltd.)
PRC - C:\WINDOWS\system32\BAsfIpM.exe (Broadcom Corp.)
PRC - C:\Program Files\WinZip\WZQKPICK.EXE (WinZip Computing, Inc.)
PRC - C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe ()
PRC - C:\Program Files\Microsoft Office\Office\1043\OLFSNT40.EXE (Microsoft Corporation)


========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\Patrick\Bureaublad\OTL.exe (OldTimer Tools)
MOD - C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll (Microsoft Corporation)


========== Win32 Services (SafeList) ==========

SRV - (HidServ) -- File not found
SRV - (Lavasoft Ad-Aware Service) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (Lavasoft)
SRV - (DB2NTSECSERVER_DB2COPY1) DB2 Security Server (DB2COPY1) -- C:\Program Files\IBM\SQLLIB\BIN\db2sec.exe (International Business Machines Corporation)
SRV - (DB2MGMTSVC_DB2COPY1) DB2 Management Service (DB2COPY1) -- C:\Program Files\IBM\SQLLIB\BIN\db2mgmtsvc.exe (International Business Machines Corporation)
SRV - (msvsmon80) -- C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe (Microsoft Corporation)
SRV - (FirebirdServerDefaultInstance) -- C:\Program Files\Firebird\Firebird_1_5\bin\fbserver.exe (The Firebird Project)
SRV - (FirebirdGuardianDefaultInstance) -- C:\Program Files\Firebird\Firebird_1_5\bin\fbguard.exe (The Firebird Project)
SRV - (WLANKEEPER) -- C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe (Intel® Corporation)
SRV - (BAsfIpM) -- C:\WINDOWS\system32\BAsfIpM.exe (Broadcom Corp.)


========== Driver Services (SafeList) ==========

DRV - (Lavasoft Kernexplorer) -- C:\Program Files\Lavasoft\Ad-Aware\kernexplorer.sys ()
DRV - (tmcomm) -- C:\WINDOWS\system32\drivers\tmcomm.sys (Trend Micro Inc.)
DRV - (ati2mtag) -- C:\WINDOWS\system32\drivers\ati2mtag.sys (ATI Technologies Inc.)
DRV - (ApfiltrService) -- C:\WINDOWS\system32\drivers\Apfiltr.sys (Alps Electric Co., Ltd.)
DRV - (STAC97) -- C:\WINDOWS\system32\drivers\STAC97.sys (SigmaTel, Inc.)
DRV - (w29n51) Stuurprogramma voor Intel(R) -- C:\WINDOWS\system32\drivers\w29n51.sys (Intel® Corporation)
DRV - (b57w2k) -- C:\WINDOWS\system32\drivers\b57xp32.sys (Broadcom Corporation)
DRV - (s24trans) -- C:\WINDOWS\system32\drivers\s24trans.sys (Intel Corporation)
DRV - (APPDRV) -- C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS (Dell Inc)
DRV - (IWCA) -- C:\WINDOWS\system32\drivers\iwca.sys (Intel Corporation)
DRV - (HSFHWICH) -- C:\WINDOWS\system32\drivers\HSFHWICH.sys (Conexant Systems, Inc.)
DRV - (winachsf) -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys (Conexant Systems, Inc.)
DRV - (HSF_DP) -- C:\WINDOWS\system32\drivers\HSF_DP.sys (Conexant Systems, Inc.)
DRV - (GTIPCI21) -- C:\WINDOWS\system32\drivers\gtipci21.sys (Texas Instruments)
DRV - (omci) -- C:\WINDOWS\system32\drivers\omci.sys (Dell Inc)
DRV - (BASFND) -- C:\WINDOWS\system32\drivers\BASFND.sys (Broadcom Corporation)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = http://www.euro.dell.com/
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = http://www.euro.dell.com/
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


IE - HKU\S-1-5-21-464677283-1223472582-1953054680-1005\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKU\S-1-5-21-464677283-1223472582-1953054680-1005\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
IE - HKU\S-1-5-21-464677283-1223472582-1953054680-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.be/
IE - HKU\S-1-5-21-464677283-1223472582-1953054680-1005\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKU\S-1-5-21-464677283-1223472582-1953054680-1005\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKU\S-1-5-21-464677283-1223472582-1953054680-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========


FF - HKLM\software\mozilla\Mozilla Firefox 3.6.13\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/05/01 13:45:35 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.13\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/01/10 21:17:16 | 000,000,000 | ---D | M]

[2009/04/09 22:07:16 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Patrick\Application Data\Mozilla\Extensions
[2011/02/21 20:48:04 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Patrick\Application Data\Mozilla\Firefox\Profiles\gsdxxua1.default\extensions
[2010/10/11 21:00:08 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Patrick\Application Data\Mozilla\Firefox\Profiles\gsdxxua1.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2005/03/13 07:07:38 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2010/11/25 18:05:05 | 000,001,892 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\bolcom-nl.xml
[2010/11/25 18:05:05 | 000,004,558 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\marktplaats-nl.xml
[2010/11/25 18:05:05 | 000,001,111 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\vandale-nl.xml
[2010/11/25 18:05:05 | 000,001,049 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\wikipedia-nl.xml
[2010/11/25 18:05:05 | 000,001,106 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo-nl.xml

O1 HOSTS File: ([2011/05/26 07:55:41 | 000,000,098 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O3 - HKU\S-1-5-21-464677283-1223472582-1953054680-1005\..\Toolbar\ShellBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\S-1-5-21-464677283-1223472582-1953054680-1005\..\Toolbar\ShellBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - File not found
O3 - HKU\S-1-5-21-464677283-1223472582-1953054680-1005\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - File not found
O4 - HKLM..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe (Alps Electric Co., Ltd.)
O4 - HKLM..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe ()
O4 - HKLM..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe (Intel Corporation)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe ()
O4 - HKU\.DEFAULT..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10b.exe (Adobe Systems, Inc.)
O4 - HKU\S-1-5-18..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10b.exe (Adobe Systems, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\Poort voor Symantec Fax Starter Edition.lnk = C:\Program Files\Microsoft Office\Office\1043\OLFSNT40.EXE (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE (WinZip Computing, Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-464677283-1223472582-1953054680-1005\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-464677283-1223472582-1953054680-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-464677283-1223472582-1953054680-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-464677283-1223472582-1953054680-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\WINDOWS\System32\GPhotos.scr (Google Inc.)
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - Reg Error: Key error. File not found
O9 - Extra 'Tools' menuitem : Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - Reg Error: Key error. File not found
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos-beta/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab (Java Plug-in 1.4.2_03)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {A4639D2F-774E-11D3-A490-00C04F6843FB} http://download.microsoft.com/download/vizact2000/Install/10/WIN98Me/EN-US/msorun.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} http://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab (Java Plug-in 1.4.2_03)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\IntelWireless: DllName - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll (Intel Corporation)
O24 - Desktop Components:0 (Mijn huidige introductiepagina) - About:Home
O29 - HKLM SecurityProviders - (zwebauth.dll) - C:\WINDOWS\System32\ZWebAuth.dll ()
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/09/13 15:06:48 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/05/26 12:49:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Menu Start\Programma's\SpywareBlaster
[2011/05/26 12:09:44 | 000,000,000 | -HSD | C] -- C:\Config.Msi
[2011/05/26 07:57:10 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2011/05/26 07:55:40 | 000,000,000 | ---D | C] -- C:\_OTL
[2011/05/26 07:54:28 | 000,580,096 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Patrick\Bureaublad\OTL.exe
[2011/05/26 07:41:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Patrick\Bureaublad\Nieuwe map
[2011/05/26 00:01:37 | 000,000,000 | ---D | C] -- C:\ComboFix
[2011/05/25 22:57:46 | 000,000,000 | ---D | C] -- C:\mY_stuff
[2011/05/25 17:41:44 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2011/05/25 10:24:49 | 000,050,688 | ---- | C] (Atribune.org) -- C:\Documents and Settings\Patrick\Bureaublad\ATF-Cleaner.exe
[2011/05/24 21:52:35 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2011/05/22 10:05:00 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2011/05/22 10:05:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Menu Start\Programma's\Malwarebytes' Anti-Malware
[2011/05/22 10:04:56 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2011/05/22 10:04:56 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011/05/22 10:02:51 | 007,734,240 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Patrick\Bureaublad\mbam-setup.exe
[2011/05/21 11:44:24 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2011/05/21 11:40:17 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2011/05/21 11:40:16 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2011/05/21 11:40:16 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2011/05/21 11:40:16 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2011/05/21 11:40:03 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2011/05/21 11:39:44 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011/05/20 18:15:05 | 000,953,856 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mfc40u.dll
[2011/05/20 18:14:49 | 000,617,472 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\comctl32.dll
[2011/05/20 18:14:21 | 000,040,960 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ndproxy.sys
[2011/05/20 18:09:53 | 000,045,568 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wab.exe
[2011/05/20 18:08:33 | 000,744,448 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\helpsvc.exe
[2011/05/19 08:02:57 | 001,407,280 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Patrick\Bureaublad\TDSSKiller.exe
[2011/05/14 11:55:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Patrick\Mijn documenten\14-05-2011
[2011/05/14 11:42:42 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2011/05/14 11:42:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Menu Start\Programma's\ERUNT
[2011/05/14 11:39:33 | 000,791,393 | ---- | C] (Lars Hederer ) -- C:\Documents and Settings\Patrick\Bureaublad\erunt-setup.exe
[2011/05/10 22:50:23 | 000,589,632 | ---- | C] (AVAST Software) -- C:\Documents and Settings\Patrick\Bureaublad\aswMBR.exe
[2011/05/01 14:29:00 | 000,000,000 | ---D | C] -- C:\WINDOWS\CSC
[2011/05/01 14:17:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Menu Start\Programma's\CCleaner
[2011/05/01 14:17:33 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner
[1999/05/24 01:17:58 | 000,099,840 | ---- | C] (Symantec Corp.) -- C:\Program Files\Common Files\IRAABOUT.DLL
[1998/12/09 04:53:54 | 000,186,368 | ---- | C] (Symantec Corp., Peter Norton Computing Group) -- C:\Program Files\Common Files\IRAREG.DLL
[1998/12/09 04:53:54 | 000,070,144 | ---- | C] (Symantec Corp., Peter Norton Computing Group) -- C:\Program Files\Common Files\IRAMDMTR.DLL
[1998/12/09 04:53:54 | 000,048,640 | ---- | C] (Symantec Corp., Peter Norton Computing Group) -- C:\Program Files\Common Files\IRALPTTR.DLL
[1998/12/09 04:53:54 | 000,031,744 | ---- | C] (Symantec Corp., Peter Norton Computing Group) -- C:\Program Files\Common Files\IRAWEBTR.DLL
[1998/12/09 04:53:54 | 000,017,920 | ---- | C] (Symantec Corp.) -- C:\Program Files\Common Files\IRASRIAL.DLL

========== Files - Modified Within 30 Days ==========

[2011/05/26 17:32:00 | 000,001,046 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/05/26 12:49:43 | 000,000,690 | ---- | M] () -- C:\Documents and Settings\Patrick\Bureaublad\SpywareBlaster.lnk
[2011/05/26 12:30:18 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2011/05/26 12:29:34 | 000,001,042 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/05/26 12:29:04 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/05/26 12:29:00 | 000,255,064 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/05/26 12:26:02 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2011/05/26 12:13:48 | 000,559,088 | ---- | M] () -- C:\WINDOWS\System32\perfh013.dat
[2011/05/26 12:13:48 | 000,490,570 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/05/26 12:13:48 | 000,110,604 | ---- | M] () -- C:\WINDOWS\System32\perfc013.dat
[2011/05/26 12:13:48 | 000,090,578 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/05/26 07:55:41 | 000,000,098 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\Hosts
[2011/05/26 07:54:32 | 000,580,096 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Patrick\Bureaublad\OTL.exe
[2011/05/26 07:37:20 | 000,513,320 | ---- | M] () -- C:\Documents and Settings\Patrick\Bureaublad\erunt.zip
[2011/05/25 10:24:50 | 000,050,688 | ---- | M] (Atribune.org) -- C:\Documents and Settings\Patrick\Bureaublad\ATF-Cleaner.exe
[2011/05/23 18:49:13 | 004,353,829 | R--- | M] () -- C:\Documents and Settings\Patrick\Bureaublad\ComboFix.exe
[2011/05/23 18:42:29 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/05/22 10:05:00 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Bureaublad\Malwarebytes' Anti-Malware.lnk
[2011/05/22 10:02:51 | 007,734,240 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Patrick\Bureaublad\mbam-setup.exe
[2011/05/21 11:44:30 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2011/05/21 11:39:00 | 000,000,512 | ---- | M] () -- C:\Documents and Settings\Patrick\Bureaublad\MBR.dat
[2011/05/19 08:02:37 | 001,280,208 | ---- | M] () -- C:\Documents and Settings\Patrick\Bureaublad\tdsskiller.zip
[2011/05/18 08:48:28 | 000,050,477 | ---- | M] () -- C:\Documents and Settings\Patrick\Bureaublad\Defogger.exe
[2011/05/17 20:39:40 | 000,589,632 | ---- | M] (AVAST Software) -- C:\Documents and Settings\Patrick\Bureaublad\aswMBR.exe
[2011/05/17 20:38:38 | 000,000,135 | ---- | M] () -- C:\Documents and Settings\Patrick\Bureaublad\Regfix.reg
[2011/05/14 23:45:16 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2011/05/14 11:50:25 | 000,000,592 | ---- | M] () -- C:\Documents and Settings\Patrick\Bureaublad\ERUNT.lnk
[2011/05/14 11:40:28 | 000,625,664 | ---- | M] () -- C:\Documents and Settings\Patrick\Bureaublad\dds.scr
[2011/05/14 11:39:36 | 000,791,393 | ---- | M] (Lars Hederer ) -- C:\Documents and Settings\Patrick\Bureaublad\erunt-setup.exe
[2011/05/13 13:21:28 | 001,407,280 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Patrick\Bureaublad\TDSSKiller.exe
[2011/05/10 22:14:04 | 000,434,142 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20110514-120905.backup
[2011/05/01 21:48:42 | 000,433,442 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20110510-221404.backup
[2011/05/01 21:33:10 | 000,000,326 | ---- | M] () -- C:\WINDOWS\wininit.ini
[2011/05/01 14:17:34 | 000,000,682 | ---- | M] () -- C:\Documents and Settings\All Users\Bureaublad\CCleaner.lnk

========== Files Created - No Company Name ==========

[2011/05/26 12:49:43 | 000,000,690 | ---- | C] () -- C:\Documents and Settings\Patrick\Bureaublad\SpywareBlaster.lnk
[2011/05/26 07:37:16 | 000,513,320 | ---- | C] () -- C:\Documents and Settings\Patrick\Bureaublad\erunt.zip
[2011/05/23 18:47:40 | 004,353,829 | R--- | C] () -- C:\Documents and Settings\Patrick\Bureaublad\ComboFix.exe
[2011/05/22 10:05:00 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Bureaublad\Malwarebytes' Anti-Malware.lnk
[2011/05/21 11:44:30 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2011/05/21 11:44:27 | 000,261,936 | RHS- | C] () -- C:\cmldr
[2011/05/21 11:40:17 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2011/05/21 11:40:17 | 000,089,088 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2011/05/21 11:40:16 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2011/05/21 11:40:16 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2011/05/21 11:40:16 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2011/05/19 08:02:33 | 001,280,208 | ---- | C] () -- C:\Documents and Settings\Patrick\Bureaublad\tdsskiller.zip
[2011/05/18 08:48:28 | 000,050,477 | ---- | C] () -- C:\Documents and Settings\Patrick\Bureaublad\Defogger.exe
[2011/05/17 20:40:44 | 000,000,512 | ---- | C] () -- C:\Documents and Settings\Patrick\Bureaublad\MBR.dat
[2011/05/17 20:38:38 | 000,000,135 | ---- | C] () -- C:\Documents and Settings\Patrick\Bureaublad\Regfix.reg
[2011/05/14 11:50:25 | 000,000,592 | ---- | C] () -- C:\Documents and Settings\Patrick\Bureaublad\ERUNT.lnk
[2011/05/14 11:40:24 | 000,625,664 | ---- | C] () -- C:\Documents and Settings\Patrick\Bureaublad\dds.scr
[2011/05/01 14:17:34 | 000,000,682 | ---- | C] () -- C:\Documents and Settings\All Users\Bureaublad\CCleaner.lnk
[2010/08/22 21:09:07 | 000,015,880 | ---- | C] () -- C:\WINDOWS\System32\lsdelete.exe
[2010/08/21 17:27:29 | 000,000,326 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2009/02/05 00:03:00 | 000,046,856 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2008/03/29 21:59:36 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2008/02/21 21:24:46 | 000,162,304 | ---- | C] () -- C:\Program Files\UNWISE.EXE
[2007/11/12 19:34:23 | 000,000,000 | ---- | C] () -- C:\WINDOWS\PowerReg.dat
[2007/08/26 20:16:58 | 000,000,120 | ---- | C] () -- C:\WINDOWS\imagedit.ini
[2007/01/15 20:59:25 | 000,000,018 | ---- | C] () -- C:\WINDOWS\paswoord.INI
[2006/11/04 19:24:55 | 000,001,168 | ---- | C] () -- C:\WINDOWS\mozver.dat
[2006/11/04 16:16:40 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2006/10/28 20:44:56 | 000,001,753 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2006/05/21 00:05:04 | 000,006,656 | ---- | C] () -- C:\Documents and Settings\Patrick\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2006/03/17 14:53:42 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\ArmAccess.dll
[2005/11/08 20:56:26 | 000,016,973 | ---- | C] () -- C:\WINDOWS\System32\ZWebAuth.dll
[2005/09/11 10:31:43 | 000,000,049 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2005/08/21 17:30:54 | 000,002,560 | ---- | C] () -- C:\WINDOWS\_MSRSTRT.EXE
[2005/07/13 19:57:11 | 000,036,864 | ---- | C] () -- C:\WINDOWS\System32\WebOffer.exe
[2005/07/13 19:57:10 | 000,716,800 | ---- | C] () -- C:\WINDOWS\System32\WebOffer.dll
[2005/06/20 22:48:45 | 000,000,763 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2005/06/20 22:48:45 | 000,000,063 | ---- | C] () -- C:\WINDOWS\mdm.ini
[2005/06/20 22:48:40 | 000,000,000 | ---- | C] () -- C:\WINDOWS\NSREX.INI
[2005/06/20 22:09:43 | 000,000,424 | ---- | C] () -- C:\WINDOWS\ChssBase.ini
[2005/06/20 19:46:19 | 000,000,130 | ---- | C] () -- C:\Documents and Settings\Patrick\Local Settings\Application Data\fusioncache.dat
[2005/06/16 18:26:12 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2005/06/16 18:23:59 | 000,000,004 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\QSLLPSVCShare
[2005/06/16 18:21:30 | 000,028,779 | ---- | C] () -- C:\WINDOWS\System32\javaw.exe
[2005/06/16 18:21:30 | 000,024,681 | ---- | C] () -- C:\WINDOWS\System32\java.exe
[2005/06/16 18:07:40 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\stac97co.dll
[2005/06/16 18:07:26 | 000,049,152 | ---- | C] () -- C:\WINDOWS\setpwrcg.exe
[2005/06/16 18:06:56 | 000,000,423 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2004/09/13 15:11:34 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2004/09/13 15:04:15 | 000,021,748 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2004/09/13 15:03:33 | 000,003,717 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2004/09/13 14:59:34 | 000,004,774 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2004/09/13 14:58:52 | 000,255,064 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2004/09/13 14:52:55 | 000,559,088 | ---- | C] () -- C:\WINDOWS\System32\perfh013.dat
[2004/09/13 14:52:55 | 000,318,670 | ---- | C] () -- C:\WINDOWS\System32\perfi013.dat
[2004/09/13 14:52:55 | 000,110,604 | ---- | C] () -- C:\WINDOWS\System32\perfc013.dat
[2004/09/13 14:52:55 | 000,039,178 | ---- | C] () -- C:\WINDOWS\System32\perfd013.dat
[2004/09/13 14:52:42 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2004/09/13 14:52:40 | 000,490,570 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2004/09/13 14:52:40 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2004/09/13 14:52:40 | 000,090,578 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2004/09/13 14:52:40 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2004/09/13 14:52:39 | 000,004,627 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2004/09/13 14:52:38 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2004/09/13 14:52:37 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2004/09/13 14:52:32 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2004/09/13 14:52:32 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2004/09/13 14:52:24 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2004/09/13 14:52:17 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2004/08/12 09:44:10 | 000,016,384 | ---- | C] () -- C:\WINDOWS\System32\iwca.dll
[2002/06/28 16:20:54 | 000,005,025 | ---- | C] () -- C:\WINDOWS\System32\patterns.dat
[1999/01/22 20:46:58 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\MSRTEDIT.DLL

========== LOP Check ==========

[2008/04/10 20:44:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\IBM
[2006/02/10 22:20:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PreEmptive Solutions
[2011/05/26 17:33:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2010/08/22 20:19:16 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\{ECC164E0-3133-4C70-A831-F08DB2940F70}
[2010/08/21 17:27:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Greetje\Application Data\Imomx
[2009/08/16 10:43:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Patrick\Application Data\ChessBase
[2005/12/27 21:18:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Patrick\Application Data\HK-Software
[2008/05/27 20:45:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Patrick\Application Data\IBM
[2006/05/12 15:53:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Patrick\Application Data\RSC_Antwerpen
[2008/07/08 21:34:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Patrick\Application Data\Toad Data Modeler Freeware
[2005/06/23 08:09:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Patrick\Application Data\Van Dyke Technologies
[2010/06/21 19:08:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Patrick\Application Data\Widyo
[2011/05/26 12:30:18 | 000,000,472 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Weekly).job

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 95 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34

< End of report >

stapper
2011-05-26, 19:48
Here is the Extras log

OTL Extras logfile created on: 26/05/2011 17:35:39 - Run 1

OTL by OldTimer - Version 3.2.23.0 Folder = C:\Documents and Settings\Patrick\Bureaublad

Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 7.0.5730.13)

Locale: 00000813 | Country: België | Language: NLB | Date Format: d/MM/yyyy



1023,39 Mb Total Physical Memory | 507,96 Mb Available Physical Memory | 49,64% Memory free

2,40 Gb Paging File | 2,11 Gb Available in Paging File | 88,00% Paging File free

Paging file location(s): C:\pagefile.sys 1535 2096 [binary data]



%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 55,78 Gb Total Space | 24,34 Gb Free Space | 43,64% Space Free | Partition Type: NTFS



Computer Name: LAPTOP_DELL | User Name: Patrick | Logged in as Administrator.

Boot Mode: Normal | Scan Mode: All users

Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days



========== Extra Registry (SafeList) ==========





========== File Associations ==========



[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

.ini [@ = inifile] -- C:\Program Files\Boxer Text Editor\b.exe (Boxer Software)

.url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l



========== Shell Spawning ==========



[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]

batfile [edit] -- C:\Program Files\Boxer Text Editor\b.exe "%1" (Boxer Software)

batfile [open] -- "%1" %*

cmdfile [open] -- "%1" %*

comfile [open] -- "%1" %*

cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

exefile [open] -- "%1" %*

htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office\msohtmed.exe" %1 (Microsoft Corporation)

inifile [open] -- C:\Program Files\Boxer Text Editor\b.exe "%1" (Boxer Software)

InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l

piffile [open] -- "%1" %*

regfile [merge] -- Reg Error: Key error.

scrfile [config] -- "%1"

scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l

scrfile [open] -- "%1" /S

txtfile [edit] -- C:\Program Files\Boxer Text Editor\b.exe "%1" (Boxer Software)

Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1

Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)

Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)

Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)



========== Security Center Settings ==========



[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

"FirstRunDisabled" = 1

"AntiVirusDisableNotify" = 0

"FirewallDisableNotify" = 0

"UpdatesDisableNotify" = 0

"AntiVirusOverride" = 0

"FirewallOverride" = 0



[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]



[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]



[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]



[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]



[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]



[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]



[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]



[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]



[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]



[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]



[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]



[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]



[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]



[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]



[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]



========== System Restore Settings ==========



[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]

"DisableSR" = 0



[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]

"Start" = 0



[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]

"Start" = 2



========== Firewall Settings ==========



[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]



[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]



[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]



[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]



[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]

"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007

"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004

"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005

"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001

"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002



[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

"EnableFirewall" = 1

"DisableNotifications" = 0

"DoNotAllowExceptions" = 0



[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007

"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004

"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005

"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001

"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002



========== Authorized Applications List ==========



[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]



[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]





========== HKEY_LOCAL_MACHINE Uninstall List ==========



[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"{2750B389-A2D2-4953-99CA-27C1F2A8E6FD}" = Microsoft SQL Server 2005 Tools Express Edition

"{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}" = Microsoft SQL Server Setup Support Files (English)

"{7670D32F-DAE6-4E49-8C8B-B3F08B5B1686}" = Microsoft SQL Server Native Client

"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper

"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2

"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1

"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1

"{E7084B89-69E0-46B3-A118-8F99D06988CD}" = Microsoft SQL Server VSS Writer

"CCleaner" = CCleaner

"ERUNT_is1" = ERUNT 1.1j

"ESET Online Scanner" = ESET Online Scanner v3

"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware

"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1

"Microsoft SQL Server 2005" = Microsoft SQL Server 2005

"SpywareBlaster_is1" = SpywareBlaster 4.4



========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 18/05/2011 2:47:33 | Computer Name = LAPTOP_DELL | Source = crypt32 | ID = 131080
Description = Het bij <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
opvragen van de automatische update van het basislijstvolgordenummer van derden
is mislukt met de fout: Deze bewerking is geretourneerd omdat de time-outperiode
verlopen is.

Error - 19/05/2011 1:58:45 | Computer Name = LAPTOP_DELL | Source = crypt32 | ID = 131080
Description = Het bij <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
opvragen van de automatische update van het basislijstvolgordenummer van derden
is mislukt met de fout: The connection with the server was terminated abnormally

Error - 19/05/2011 1:58:52 | Computer Name = LAPTOP_DELL | Source = crypt32 | ID = 131080
Description = Het bij <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
opvragen van de automatische update van het basislijstvolgordenummer van derden
is mislukt met de fout: Deze netwerkverbinding bestaat niet.

Error - 19/05/2011 3:07:25 | Computer Name = LAPTOP_DELL | Source = Microsoft Fax | ID = 32045
Description = Fax Service kan niet worden geïnitialiseerd omdat de TAPI-apparaten
niet kunnen worden geïnitialiseerd. Controleer of de faxmodem is geïnstalleerd en
op de juiste wijze is geconfigureerd. Win32-foutcode: -2147483576. Deze foutcode
geeft de oorzaak van de fout aan.

Error - 19/05/2011 3:07:25 | Computer Name = LAPTOP_DELL | Source = VSS | ID = 8193
Description = Fout van de Volume Shadow Copy-service: onverwachte fout bij het aanroepen
van routine IEventSystem::Store. hr = 0x800706be.

Error - 19/05/2011 11:24:56 | Computer Name = LAPTOP_DELL | Source = Winlogon | ID = 1015
Description = Het kritieke systeemproces C:\WINDOWS\system32\lsass.exe is mislukt.
Statuscode: 00000000. De computer dient nu opnieuw te worden opgestart.

Error - 19/05/2011 11:37:55 | Computer Name = LAPTOP_DELL | Source = Winlogon | ID = 1015
Description = Het kritieke systeemproces C:\WINDOWS\system32\lsass.exe is mislukt.
Statuscode: 00000000. De computer dient nu opnieuw te worden opgestart.

Error - 24/05/2011 15:51:47 | Computer Name = LAPTOP_DELL | Source = crypt32 | ID = 131083
Description = Het uitpakken van een basislijst uit de cab voor automatische updates
is mislukt op <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
met de fout: Een vereist certificaat valt niet binnen de geldigheidsperiode als
gekeken wordt naar de huidige systeemklok of de tijdstempel in het ondertekende
bestand.

Error - 24/05/2011 15:51:47 | Computer Name = LAPTOP_DELL | Source = crypt32 | ID = 131083
Description = Het uitpakken van een basislijst uit de cab voor automatische updates
is mislukt op <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
met de fout: Een vereist certificaat valt niet binnen de geldigheidsperiode als
gekeken wordt naar de huidige systeemklok of de tijdstempel in het ondertekende
bestand.

Error - 26/05/2011 6:20:30 | Computer Name = LAPTOP_DELL | Source = MsiInstaller | ID = 10005
Description = Product: Microsoft SQL Server 2005 Express Edition -- Error 2259.
The installer has encountered an unexpected error. The error code is 2259. Database:
Table(s) Update failed

[ System Events ]
Error - 26/05/2011 1:55:41 | Computer Name = LAPTOP_DELL | Source = Service Control Manager | ID = 7034
Description = De DB2 Management Service (DB2COPY1)-service is onverwacht beëindigd.
Dit is nu 1 keer gebeurd.

Error - 26/05/2011 1:55:41 | Computer Name = LAPTOP_DELL | Source = Service Control Manager | ID = 7034
Description = De DB2 Security Server (DB2COPY1)-service is onverwacht beëindigd.
Dit is nu 1 keer gebeurd.

Error - 26/05/2011 1:55:41 | Computer Name = LAPTOP_DELL | Source = Service Control Manager | ID = 7034
Description = De NICCONFIGSVC-service is onverwacht beëindigd. Dit is nu 1 keer
gebeurd.

Error - 26/05/2011 1:55:41 | Computer Name = LAPTOP_DELL | Source = Service Control Manager | ID = 7034
Description = De Firebird Guardian - DefaultInstance-service is onverwacht beëindigd.
Dit is nu 1 keer gebeurd.

Error - 26/05/2011 1:55:41 | Computer Name = LAPTOP_DELL | Source = Service Control Manager | ID = 7034
Description = De RegSrvc-service is onverwacht beëindigd. Dit is nu 1 keer gebeurd.

Error - 26/05/2011 1:55:41 | Computer Name = LAPTOP_DELL | Source = Service Control Manager | ID = 7034
Description = De Firebird Server - DefaultInstance-service is onverwacht beëindigd.
Dit is nu 1 keer gebeurd.

Error - 26/05/2011 1:55:41 | Computer Name = LAPTOP_DELL | Source = Service Control Manager | ID = 7034
Description = De iPod-service-service is onverwacht beëindigd. Dit is nu 1 keer
gebeurd.

Error - 26/05/2011 5:48:32 | Computer Name = LAPTOP_DELL | Source = Dhcp | ID = 1001
Description = Deze computer heeft geen adres toegewezen gekregen van het netwerk
(door de DHCP-server) voor de netwerkkaart met netwerkadres 0013CE11886B. De volgende
fout is opgetreden: %%1223. De computer zal doorgaan om zelf een adres van de server
met netwerkadressen (DHCP-server) proberen te krijgen.

Error - 26/05/2011 6:15:06 | Computer Name = LAPTOP_DELL | Source = Windows Update Agent | ID = 20
Description = Installatiefout: de volgende update kan niet worden geïnstalleerd,
foutcode 0x80070643: KB905474: Meldingen van Windows Genuine Advantage.

Error - 26/05/2011 6:23:03 | Computer Name = LAPTOP_DELL | Source = Windows Update Agent | ID = 20
Description = Installatiefout: de volgende update kan niet worden geïnstalleerd,
foutcode 0x80070643: Microsoft SQL Server 2005 Express Edition Service Pack 4 (KB2463332).


< End of report >

ken545
2011-05-26, 20:27
You still have infected copies of your Hosts file on your system

Open OTL.exe

Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL




:processes
killallprocesses

:OTL
[2011/05/10 22:14:04 | 000,434,142 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20110514-120905.backup
[2011/05/01 21:48:42 | 000,433,442 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20110510-221404.backup


:Services

:Reg

:Files
ipconfig /release /c
ipconfig /renew /c
ipconfig /flushdns /c





:Commands
[purity]
[resethosts]
[emptytemp]
[start explorer]
[Reboot]

Then click the Run Fix button at the top. <--Not run Scan
Let the program run unhindered, reboot when it is done
Then post the results of the log it produces.
Then run a new scan and post a new OTL log ( don't check the boxes beside LOP Check or Purity this time )
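
The fix above resets the hosts file because copies of it had been tampered with. As an added example (not part of this thread and not OTL's own code), the script below shows what an audit of a Windows hosts file looks like from the defender's side: it parses the file format (address, one or more names, `#` comments), reports every entry that maps a name to something other than a loopback or unspecified address (a redirect), and separately lists entries for a small watch list of update and security-vendor domains, since either redirecting those or pinning them to 127.0.0.1 (which blocks updates) is a common tampering pattern. The watch list and the sample hosts file are constructed for the example; the suffixes in `WATCHED_SUFFIXES` are assumptions, not a list taken from the thread.

```python
"""Audit a Windows hosts file for redirected or tampered entries.

Added example, not part of the forum thread or of OTL. The hosts-file
format (address followed by one or more names, '#' starts a comment)
is the real one; the watch list and the sample file are constructed.
"""
import ipaddress

# Assumption for the example: domains whose presence in a hosts file is
# worth a second look, because hijackers either redirect them or block them.
WATCHED_SUFFIXES = (
    "windowsupdate.com",
    "microsoft.com",
    "malwarebytes.org",
    "safer-networking.org",
)

# Constructed sample: the two default Windows XP entries plus tampered lines.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
# --- constructed entries below, illustrating a tampered file ---
127.0.0.1       www.safer-networking.org      # update site pinned to loopback
198.51.100.23   www.windowsupdate.com download.windowsupdate.com
0.0.0.0         ads.example.net
"""


def parse_hosts(text):
    """Return a list of (ip_address, hostname) pairs, skipping comments,
    blank lines and lines whose address field does not parse."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comment
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed address field; not a hosts entry
        for name in parts[1:]:
            entries.append((ip, name.lower()))
    return entries


def is_watched(name):
    """True if name equals or is a subdomain of a watched suffix."""
    return any(name == s or name.endswith("." + s) for s in WATCHED_SUFFIXES)


def audit_hosts(text):
    """Audit hosts-file text and return a report dict.

    'redirects' are entries pointing a name at a real (non-loopback,
    non-unspecified) address; 'watched' are entries for watch-listed
    domains regardless of address, since pinning those to 127.0.0.1
    blocks updates just as effectively as redirecting them.
    """
    entries = parse_hosts(text)
    redirects = [
        (str(ip), name)
        for ip, name in entries
        if not (ip.is_loopback or ip.is_unspecified)
    ]
    watched = [(str(ip), name) for ip, name in entries if is_watched(name)]
    return {"total": len(entries), "redirects": redirects, "watched": watched}


if __name__ == "__main__":
    report = audit_hosts(SAMPLE_HOSTS)
    print(f"{report['total']} entries parsed")
    for ip, name in report["redirects"]:
        print(f"REDIRECT  {name} -> {ip}")
    for ip, name in report["watched"]:
        print(f"WATCHED   {name} -> {ip}")
```

On a real machine you would read `%SystemRoot%\System32\drivers\etc\hosts` (and any `.backup` copies, as in the fix above) into `audit_hosts`; a clean XP hosts file produces an empty `redirects` list and an empty `watched` list. Entries mapped to `0.0.0.0` are counted but not reported as redirects, because blocklist-style hosts files use that address legitimately.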

stapper
2011-05-27, 00:38
Here is the first one.

All processes killed

========== PROCESSES ==========

========== OTL ==========
C:\WINDOWS\system32\drivers\etc\hosts.20110514-120905.backup moved successfully.
C:\WINDOWS\system32\drivers\etc\hosts.20110510-221404.backup moved successfully.

========== SERVICES/DRIVERS ==========

========== REGISTRY ==========

========== FILES ==========
< ipconfig /release /c >
Windows IP-configuratie
Er kan geen enkele bewerking op LAN-verbinding worden uitgevoerd als het medium ervan niet
is aangesloten.
Ethernet-adapter Draadloze netwerkverbinding:
Verbindingsspec. DNS-achtervoegsel:
IP-adres. . . . . . . . . . . . . : 0.0.0.0
Subnetmasker. . . . . . . . . . . : 0.0.0.0
Standaardgateway. . . . . . . . . :
Ethernet-adapter LAN-verbinding:
Status van medium . . . . . . . . : medium ontkoppeld
C:\Documents and Settings\Patrick\Bureaublad\cmd.bat deleted successfully.
C:\Documents and Settings\Patrick\Bureaublad\cmd.txt deleted successfully.
< ipconfig /renew /c >
Windows IP-configuratie
Er kan geen enkele bewerking op LAN-verbinding worden uitgevoerd als het medium ervan niet
is aangesloten.
Ethernet-adapter Draadloze netwerkverbinding:
Verbindingsspec. DNS-achtervoegsel: telenet.be
IP-adres. . . . . . . . . . . . . : 192.168.0.100
Subnetmasker. . . . . . . . . . . : 255.255.255.0
Standaardgateway. . . . . . . . . : 192.168.0.1
Ethernet-adapter LAN-verbinding:
Status van medium . . . . . . . . : medium ontkoppeld
C:\Documents and Settings\Patrick\Bureaublad\cmd.bat deleted successfully.
C:\Documents and Settings\Patrick\Bureaublad\cmd.txt deleted successfully.
< ipconfig /flushdns /c >
Windows IP-configuratie
De DNS-omzettingscache is leeggemaakt.
C:\Documents and Settings\Patrick\Bureaublad\cmd.bat deleted successfully.
C:\Documents and Settings\Patrick\Bureaublad\cmd.txt deleted successfully.

========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Greetje
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Patrick
->Temp folder emptied: 29783226 bytes
->Temporary Internet Files folder emptied: 9415758 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 9986 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 37,00 mb


OTL by OldTimer - Version 3.2.23.0 log created on 05262011_232559

Files\Folders moved on Reboot...
C:\Documents and Settings\Patrick\Local Settings\Temporary Internet Files\Content.IE5\WX42SNUQ\showthread[3].htm moved successfully.
C:\Documents and Settings\Patrick\Local Settings\Temporary Internet Files\AntiPhishing\A0AB7674-8D67-4F4D-B5E1-96FAEADFB79D.dat moved successfully.

Registry entries deleted on Reboot...

stapper
2011-05-27, 00:40
and here is the second

OTL logfile created on: 26/05/2011 23:32:03 - Run 2
OTL by OldTimer - Version 3.2.23.0 Folder = C:\Documents and Settings\Patrick\Bureaublad
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000813 | Country: België | Language: NLB | Date Format: d/MM/yyyy

1023,39 Mb Total Physical Memory | 503,74 Mb Available Physical Memory | 49,22% Memory free
2,40 Gb Paging File | 1,94 Gb Available in Paging File | 80,71% Paging File free
Paging file location(s): C:\pagefile.sys 1535 2096 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 55,78 Gb Total Space | 24,35 Gb Free Space | 43,66% Space Free | Partition Type: NTFS

Computer Name: LAPTOP_DELL | User Name: Patrick | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Patrick\Bureaublad\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (Lavasoft)
PRC - C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe (Lavasoft)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\IBM\SQLLIB\BIN\db2sec.exe (International Business Machines Corporation)
PRC - C:\Program Files\IBM\SQLLIB\BIN\db2mgmtsvc.exe (International Business Machines Corporation)
PRC - C:\Program Files\Dell\QuickSet\quickset.exe ()
PRC - C:\Program Files\Firebird\Firebird_1_5\bin\fbserver.exe (The Firebird Project)
PRC - C:\Program Files\Firebird\Firebird_1_5\bin\fbguard.exe (The Firebird Project)
PRC - C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe (Intel Corporation)
PRC - C:\Program Files\Apoint\Apoint.exe (Alps Electric Co., Ltd.)
PRC - C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe (Intel® Corporation)
PRC - C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe (Intel Corporation)
PRC - C:\Program Files\Intel\Wireless\Bin\1XConfig.exe (Intel)
PRC - C:\Program Files\Apoint\ApntEx.exe (Alps Electric Co., Ltd.)
PRC - C:\WINDOWS\system32\BAsfIpM.exe (Broadcom Corp.)
PRC - C:\Program Files\WinZip\WZQKPICK.EXE (WinZip Computing, Inc.)
PRC - C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe ()
PRC - C:\Program Files\Microsoft Office\Office\1043\OLFSNT40.EXE (Microsoft Corporation)


========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\Patrick\Bureaublad\OTL.exe (OldTimer Tools)
MOD - C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll (Microsoft Corporation)


========== Win32 Services (SafeList) ==========

SRV - (HidServ) -- File not found
SRV - (Lavasoft Ad-Aware Service) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (Lavasoft)
SRV - (DB2NTSECSERVER_DB2COPY1) DB2 Security Server (DB2COPY1) -- C:\Program Files\IBM\SQLLIB\BIN\db2sec.exe (International Business Machines Corporation)
SRV - (DB2MGMTSVC_DB2COPY1) DB2 Management Service (DB2COPY1) -- C:\Program Files\IBM\SQLLIB\BIN\db2mgmtsvc.exe (International Business Machines Corporation)
SRV - (msvsmon80) -- C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe (Microsoft Corporation)
SRV - (FirebirdServerDefaultInstance) -- C:\Program Files\Firebird\Firebird_1_5\bin\fbserver.exe (The Firebird Project)
SRV - (FirebirdGuardianDefaultInstance) -- C:\Program Files\Firebird\Firebird_1_5\bin\fbguard.exe (The Firebird Project)
SRV - (WLANKEEPER) -- C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe (Intel® Corporation)
SRV - (BAsfIpM) -- C:\WINDOWS\system32\BAsfIpM.exe (Broadcom Corp.)


========== Driver Services (SafeList) ==========

DRV - (Lavasoft Kernexplorer) -- C:\Program Files\Lavasoft\Ad-Aware\kernexplorer.sys ()
DRV - (tmcomm) -- C:\WINDOWS\system32\drivers\tmcomm.sys (Trend Micro Inc.)
DRV - (ati2mtag) -- C:\WINDOWS\system32\drivers\ati2mtag.sys (ATI Technologies Inc.)
DRV - (ApfiltrService) -- C:\WINDOWS\system32\drivers\Apfiltr.sys (Alps Electric Co., Ltd.)
DRV - (STAC97) -- C:\WINDOWS\system32\drivers\STAC97.sys (SigmaTel, Inc.)
DRV - (w29n51) Stuurprogramma voor Intel(R) -- C:\WINDOWS\system32\drivers\w29n51.sys (Intel® Corporation)
DRV - (b57w2k) -- C:\WINDOWS\system32\drivers\b57xp32.sys (Broadcom Corporation)
DRV - (s24trans) -- C:\WINDOWS\system32\drivers\s24trans.sys (Intel Corporation)
DRV - (APPDRV) -- C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS (Dell Inc)
DRV - (IWCA) -- C:\WINDOWS\system32\drivers\iwca.sys (Intel Corporation)
DRV - (HSFHWICH) -- C:\WINDOWS\system32\drivers\HSFHWICH.sys (Conexant Systems, Inc.)
DRV - (winachsf) -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys (Conexant Systems, Inc.)
DRV - (HSF_DP) -- C:\WINDOWS\system32\drivers\HSF_DP.sys (Conexant Systems, Inc.)
DRV - (GTIPCI21) -- C:\WINDOWS\system32\drivers\gtipci21.sys (Texas Instruments)
DRV - (omci) -- C:\WINDOWS\system32\drivers\omci.sys (Dell Inc)
DRV - (BASFND) -- C:\WINDOWS\system32\drivers\BASFND.sys (Broadcom Corporation)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.be/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========


FF - HKLM\software\mozilla\Mozilla Firefox 3.6.13\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/05/01 13:45:35 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.13\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/01/10 21:17:16 | 000,000,000 | ---D | M]

[2009/04/09 22:07:16 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Patrick\Application Data\Mozilla\Extensions
[2011/02/21 20:48:04 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Patrick\Application Data\Mozilla\Firefox\Profiles\gsdxxua1.default\extensions
[2010/10/11 21:00:08 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Patrick\Application Data\Mozilla\Firefox\Profiles\gsdxxua1.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2005/03/13 07:07:38 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2010/11/25 18:05:05 | 000,001,892 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\bolcom-nl.xml
[2010/11/25 18:05:05 | 000,004,558 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\marktplaats-nl.xml
[2010/11/25 18:05:05 | 000,001,111 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\vandale-nl.xml
[2010/11/25 18:05:05 | 000,001,049 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\wikipedia-nl.xml
[2010/11/25 18:05:05 | 000,001,106 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo-nl.xml

O1 HOSTS File: ([2011/05/26 23:26:04 | 000,000,098 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKCU\..\Toolbar\ShellBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - File not found
O3 - HKCU\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - File not found
O4 - HKLM..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe (Alps Electric Co., Ltd.)
O4 - HKLM..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe ()
O4 - HKLM..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe (Intel Corporation)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\Poort voor Symantec Fax Starter Edition.lnk = C:\Program Files\Microsoft Office\Office\1043\OLFSNT40.EXE (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE (WinZip Computing, Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\WINDOWS\System32\GPhotos.scr (Google Inc.)
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - Reg Error: Key error. File not found
O9 - Extra 'Tools' menuitem : Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - Reg Error: Key error. File not found
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos-beta/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab (Java Plug-in 1.4.2_03)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {A4639D2F-774E-11D3-A490-00C04F6843FB} http://download.microsoft.com/download/vizact2000/Install/10/WIN98Me/EN-US/msorun.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} http://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab (Java Plug-in 1.4.2_03)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\IntelWireless: DllName - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll (Intel Corporation)
O24 - Desktop Components:0 (Mijn huidige introductiepagina) - About:Home
O29 - HKLM SecurityProviders - (zwebauth.dll) - C:\WINDOWS\System32\ZWebAuth.dll ()
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/09/13 15:06:48 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/05/26 12:49:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Menu Start\Programma's\SpywareBlaster
[2011/05/26 12:09:44 | 000,000,000 | -HSD | C] -- C:\Config.Msi
[2011/05/26 07:57:10 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2011/05/26 07:55:40 | 000,000,000 | ---D | C] -- C:\_OTL
[2011/05/26 07:54:28 | 000,580,096 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Patrick\Bureaublad\OTL.exe
[2011/05/26 07:41:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Patrick\Bureaublad\Nieuwe map
[2011/05/26 00:01:37 | 000,000,000 | ---D | C] -- C:\ComboFix
[2011/05/25 22:57:46 | 000,000,000 | ---D | C] -- C:\mY_stuff
[2011/05/25 17:41:44 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2011/05/25 10:24:49 | 000,050,688 | ---- | C] (Atribune.org) -- C:\Documents and Settings\Patrick\Bureaublad\ATF-Cleaner.exe
[2011/05/24 21:52:35 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2011/05/22 10:05:00 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2011/05/22 10:05:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Menu Start\Programma's\Malwarebytes' Anti-Malware
[2011/05/22 10:04:56 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2011/05/22 10:04:56 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011/05/22 10:02:51 | 007,734,240 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Patrick\Bureaublad\mbam-setup.exe
[2011/05/21 11:44:24 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2011/05/21 11:40:17 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2011/05/21 11:40:16 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2011/05/21 11:40:16 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2011/05/21 11:40:16 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2011/05/21 11:40:03 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2011/05/21 11:39:44 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011/05/20 18:15:05 | 000,953,856 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mfc40u.dll
[2011/05/20 18:14:49 | 000,617,472 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\comctl32.dll
[2011/05/20 18:14:21 | 000,040,960 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ndproxy.sys
[2011/05/20 18:09:53 | 000,045,568 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wab.exe
[2011/05/20 18:08:33 | 000,744,448 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\helpsvc.exe
[2011/05/19 08:02:57 | 001,407,280 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Patrick\Bureaublad\TDSSKiller.exe
[2011/05/14 11:55:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Patrick\Mijn documenten\14-05-2011
[2011/05/14 11:42:42 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2011/05/14 11:42:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Menu Start\Programma's\ERUNT
[2011/05/14 11:39:33 | 000,791,393 | ---- | C] (Lars Hederer ) -- C:\Documents and Settings\Patrick\Bureaublad\erunt-setup.exe
[2011/05/10 22:50:23 | 000,589,632 | ---- | C] (AVAST Software) -- C:\Documents and Settings\Patrick\Bureaublad\aswMBR.exe
[2011/05/01 14:29:00 | 000,000,000 | ---D | C] -- C:\WINDOWS\CSC
[2011/05/01 14:17:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Menu Start\Programma's\CCleaner
[2011/05/01 14:17:33 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner
[1999/05/24 01:17:58 | 000,099,840 | ---- | C] (Symantec Corp.) -- C:\Program Files\Common Files\IRAABOUT.DLL
[1998/12/09 04:53:54 | 000,186,368 | ---- | C] (Symantec Corp., Peter Norton Computing Group) -- C:\Program Files\Common Files\IRAREG.DLL
[1998/12/09 04:53:54 | 000,070,144 | ---- | C] (Symantec Corp., Peter Norton Computing Group) -- C:\Program Files\Common Files\IRAMDMTR.DLL
[1998/12/09 04:53:54 | 000,048,640 | ---- | C] (Symantec Corp., Peter Norton Computing Group) -- C:\Program Files\Common Files\IRALPTTR.DLL
[1998/12/09 04:53:54 | 000,031,744 | ---- | C] (Symantec Corp., Peter Norton Computing Group) -- C:\Program Files\Common Files\IRAWEBTR.DLL
[1998/12/09 04:53:54 | 000,017,920 | ---- | C] (Symantec Corp.) -- C:\Program Files\Common Files\IRASRIAL.DLL

========== Files - Modified Within 30 Days ==========

[2011/05/26 23:32:00 | 000,001,046 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/05/26 23:31:00 | 000,001,042 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/05/26 23:28:06 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2011/05/26 23:27:37 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/05/26 23:26:04 | 000,000,098 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\Hosts
[2011/05/26 12:49:43 | 000,000,690 | ---- | M] () -- C:\Documents and Settings\Patrick\Bureaublad\SpywareBlaster.lnk
[2011/05/26 12:29:00 | 000,255,064 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/05/26 12:26:02 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2011/05/26 12:13:48 | 000,559,088 | ---- | M] () -- C:\WINDOWS\System32\perfh013.dat
[2011/05/26 12:13:48 | 000,490,570 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/05/26 12:13:48 | 000,110,604 | ---- | M] () -- C:\WINDOWS\System32\perfc013.dat
[2011/05/26 12:13:48 | 000,090,578 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/05/26 07:54:32 | 000,580,096 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Patrick\Bureaublad\OTL.exe
[2011/05/26 07:37:20 | 000,513,320 | ---- | M] () -- C:\Documents and Settings\Patrick\Bureaublad\erunt.zip
[2011/05/25 10:24:50 | 000,050,688 | ---- | M] (Atribune.org) -- C:\Documents and Settings\Patrick\Bureaublad\ATF-Cleaner.exe
[2011/05/23 18:49:13 | 004,353,829 | R--- | M] () -- C:\Documents and Settings\Patrick\Bureaublad\ComboFix.exe
[2011/05/23 18:42:29 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/05/22 10:05:00 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Bureaublad\Malwarebytes' Anti-Malware.lnk
[2011/05/22 10:02:51 | 007,734,240 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Patrick\Bureaublad\mbam-setup.exe
[2011/05/21 11:44:30 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2011/05/21 11:39:00 | 000,000,512 | ---- | M] () -- C:\Documents and Settings\Patrick\Bureaublad\MBR.dat
[2011/05/19 08:02:37 | 001,280,208 | ---- | M] () -- C:\Documents and Settings\Patrick\Bureaublad\tdsskiller.zip
[2011/05/18 08:48:28 | 000,050,477 | ---- | M] () -- C:\Documents and Settings\Patrick\Bureaublad\Defogger.exe
[2011/05/17 20:39:40 | 000,589,632 | ---- | M] (AVAST Software) -- C:\Documents and Settings\Patrick\Bureaublad\aswMBR.exe
[2011/05/17 20:38:38 | 000,000,135 | ---- | M] () -- C:\Documents and Settings\Patrick\Bureaublad\Regfix.reg
[2011/05/14 23:45:16 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2011/05/14 11:50:25 | 000,000,592 | ---- | M] () -- C:\Documents and Settings\Patrick\Bureaublad\ERUNT.lnk
[2011/05/14 11:40:28 | 000,625,664 | ---- | M] () -- C:\Documents and Settings\Patrick\Bureaublad\dds.scr
[2011/05/14 11:39:36 | 000,791,393 | ---- | M] (Lars Hederer ) -- C:\Documents and Settings\Patrick\Bureaublad\erunt-setup.exe
[2011/05/13 13:21:28 | 001,407,280 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Patrick\Bureaublad\TDSSKiller.exe
[2011/05/01 21:33:10 | 000,000,326 | ---- | M] () -- C:\WINDOWS\wininit.ini
[2011/05/01 14:17:34 | 000,000,682 | ---- | M] () -- C:\Documents and Settings\All Users\Bureaublad\CCleaner.lnk

========== Files Created - No Company Name ==========

[2011/05/26 12:49:43 | 000,000,690 | ---- | C] () -- C:\Documents and Settings\Patrick\Bureaublad\SpywareBlaster.lnk
[2011/05/26 07:37:16 | 000,513,320 | ---- | C] () -- C:\Documents and Settings\Patrick\Bureaublad\erunt.zip
[2011/05/23 18:47:40 | 004,353,829 | R--- | C] () -- C:\Documents and Settings\Patrick\Bureaublad\ComboFix.exe
[2011/05/22 10:05:00 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Bureaublad\Malwarebytes' Anti-Malware.lnk
[2011/05/21 11:44:30 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2011/05/21 11:44:27 | 000,261,936 | RHS- | C] () -- C:\cmldr
[2011/05/21 11:40:17 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2011/05/21 11:40:17 | 000,089,088 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2011/05/21 11:40:16 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2011/05/21 11:40:16 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2011/05/21 11:40:16 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2011/05/19 08:02:33 | 001,280,208 | ---- | C] () -- C:\Documents and Settings\Patrick\Bureaublad\tdsskiller.zip
[2011/05/18 08:48:28 | 000,050,477 | ---- | C] () -- C:\Documents and Settings\Patrick\Bureaublad\Defogger.exe
[2011/05/17 20:40:44 | 000,000,512 | ---- | C] () -- C:\Documents and Settings\Patrick\Bureaublad\MBR.dat
[2011/05/17 20:38:38 | 000,000,135 | ---- | C] () -- C:\Documents and Settings\Patrick\Bureaublad\Regfix.reg
[2011/05/14 11:50:25 | 000,000,592 | ---- | C] () -- C:\Documents and Settings\Patrick\Bureaublad\ERUNT.lnk
[2011/05/14 11:40:24 | 000,625,664 | ---- | C] () -- C:\Documents and Settings\Patrick\Bureaublad\dds.scr
[2011/05/01 14:17:34 | 000,000,682 | ---- | C] () -- C:\Documents and Settings\All Users\Bureaublad\CCleaner.lnk
[2010/08/22 21:09:07 | 000,015,880 | ---- | C] () -- C:\WINDOWS\System32\lsdelete.exe
[2010/08/21 17:27:29 | 000,000,326 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2009/02/05 00:03:00 | 000,046,856 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2008/03/29 21:59:36 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2008/02/21 21:24:46 | 000,162,304 | ---- | C] () -- C:\Program Files\UNWISE.EXE
[2007/11/12 19:34:23 | 000,000,000 | ---- | C] () -- C:\WINDOWS\PowerReg.dat
[2007/08/26 20:16:58 | 000,000,120 | ---- | C] () -- C:\WINDOWS\imagedit.ini
[2007/01/15 20:59:25 | 000,000,018 | ---- | C] () -- C:\WINDOWS\paswoord.INI
[2006/11/04 19:24:55 | 000,001,168 | ---- | C] () -- C:\WINDOWS\mozver.dat
[2006/11/04 16:16:40 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2006/10/28 20:44:56 | 000,001,753 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2006/05/21 00:05:04 | 000,006,656 | ---- | C] () -- C:\Documents and Settings\Patrick\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2006/03/17 14:53:42 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\ArmAccess.dll
[2005/11/08 20:56:26 | 000,016,973 | ---- | C] () -- C:\WINDOWS\System32\ZWebAuth.dll
[2005/09/11 10:31:43 | 000,000,049 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2005/08/21 17:30:54 | 000,002,560 | ---- | C] () -- C:\WINDOWS\_MSRSTRT.EXE
[2005/07/13 19:57:11 | 000,036,864 | ---- | C] () -- C:\WINDOWS\System32\WebOffer.exe
[2005/07/13 19:57:10 | 000,716,800 | ---- | C] () -- C:\WINDOWS\System32\WebOffer.dll
[2005/06/20 22:48:45 | 000,000,763 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2005/06/20 22:48:45 | 000,000,063 | ---- | C] () -- C:\WINDOWS\mdm.ini
[2005/06/20 22:48:40 | 000,000,000 | ---- | C] () -- C:\WINDOWS\NSREX.INI
[2005/06/20 22:09:43 | 000,000,424 | ---- | C] () -- C:\WINDOWS\ChssBase.ini
[2005/06/20 19:46:19 | 000,000,130 | ---- | C] () -- C:\Documents and Settings\Patrick\Local Settings\Application Data\fusioncache.dat
[2005/06/16 18:26:12 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2005/06/16 18:23:59 | 000,000,004 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\QSLLPSVCShare
[2005/06/16 18:21:30 | 000,028,779 | ---- | C] () -- C:\WINDOWS\System32\javaw.exe
[2005/06/16 18:21:30 | 000,024,681 | ---- | C] () -- C:\WINDOWS\System32\java.exe
[2005/06/16 18:07:40 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\stac97co.dll
[2005/06/16 18:07:26 | 000,049,152 | ---- | C] () -- C:\WINDOWS\setpwrcg.exe
[2005/06/16 18:06:56 | 000,000,423 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2004/09/13 15:11:34 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2004/09/13 15:04:15 | 000,021,748 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2004/09/13 15:03:33 | 000,003,717 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2004/09/13 14:59:34 | 000,004,774 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2004/09/13 14:58:52 | 000,255,064 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2004/09/13 14:52:55 | 000,559,088 | ---- | C] () -- C:\WINDOWS\System32\perfh013.dat
[2004/09/13 14:52:55 | 000,318,670 | ---- | C] () -- C:\WINDOWS\System32\perfi013.dat
[2004/09/13 14:52:55 | 000,110,604 | ---- | C] () -- C:\WINDOWS\System32\perfc013.dat
[2004/09/13 14:52:55 | 000,039,178 | ---- | C] () -- C:\WINDOWS\System32\perfd013.dat
[2004/09/13 14:52:42 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2004/09/13 14:52:40 | 000,490,570 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2004/09/13 14:52:40 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2004/09/13 14:52:40 | 000,090,578 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2004/09/13 14:52:40 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2004/09/13 14:52:39 | 000,004,627 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2004/09/13 14:52:38 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2004/09/13 14:52:37 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2004/09/13 14:52:32 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2004/09/13 14:52:32 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2004/09/13 14:52:24 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2004/09/13 14:52:17 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2004/08/12 09:44:10 | 000,016,384 | ---- | C] () -- C:\WINDOWS\System32\iwca.dll
[2002/06/28 16:20:54 | 000,005,025 | ---- | C] () -- C:\WINDOWS\System32\patterns.dat
[1999/01/22 20:46:58 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\MSRTEDIT.DLL

========== Alternate Data Streams ==========

@Alternate Data Stream - 95 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34

< End of report >
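The OTL report above lists every file in a fixed `[date | size | attributes | C] (company) -- path` form, plus `@Alternate Data Stream` lines, which is tedious to triage by eye across hundreds of entries. The Python script below is an added example (not part of this thread, and not OTL's own code): it parses lines in that format, using lines copied from the report above as sample input, and returns the entries an analyst would normally look at first. The cut-off date and the "trusted directory" prefixes are assumptions chosen for illustration, and a flag means "review this", not "malicious".

```python
import re
from datetime import datetime

# Sample input: lines copied from the OTL "Files Created" and
# "Alternate Data Streams" sections of the report above.
SAMPLE_LOG = r"""
[2011/05/21 11:40:16 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2011/05/19 08:02:33 | 001,280,208 | ---- | C] () -- C:\Documents and Settings\Patrick\Bureaublad\tdsskiller.zip
[2009/02/05 00:03:00 | 000,046,856 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2004/09/13 15:11:34 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
@Alternate Data Stream - 95 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34
"""

# [timestamp | size with thousands separators | 4 attribute flags | C/M] (company) -- path
FILE_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[-A-Z]{4}) \| (?P<kind>[CM])\] "
    r"\((?P<company>[^)]*)\) -- (?P<path>.+)$"
)
ADS_RE = re.compile(r"^@Alternate Data Stream - (?P<size>\d+) bytes -> (?P<path>.+)$")

EXEC_EXT = (".exe", ".dll", ".scr", ".sys", ".cpl")
# Assumed allow-list of directory prefixes where new executables are less surprising.
TRUSTED_PREFIXES = ("c:\\windows\\system32\\", "c:\\program files\\")


def parse_otl(text):
    """Turn OTL file and ADS lines into dicts; lines in any other format are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = FILE_RE.match(line)
        if m:
            attrs = m["attrs"]
            entries.append({
                "kind": "file",
                "time": datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"),
                "size": int(m["size"].replace(",", "")),
                "attrs": attrs,
                "hidden": "H" in attrs,   # flag column seen as '-H--' in the report
                "system": "S" in attrs,   # flag column seen as '--S-' in the report
                "company": m["company"],
                "path": m["path"],
            })
            continue
        m = ADS_RE.match(line)
        if m:
            entries.append({"kind": "ads", "size": int(m["size"]), "path": m["path"]})
    return entries


def triage(entries, created_after):
    """Return (path, reason) pairs worth a closer look.

    created_after is a 'YYYY/MM/DD' string (assumed: the day the incident started);
    flagged are executables created since then outside the trusted prefixes,
    anything carrying a hidden or system attribute, and every alternate data stream.
    """
    cutoff = datetime.strptime(created_after, "%Y/%m/%d")
    findings = []
    for e in entries:
        if e["kind"] == "ads":
            findings.append((e["path"], "alternate data stream"))
            continue
        path_l = e["path"].lower()
        is_exec = path_l.endswith(EXEC_EXT)
        in_trusted_dir = path_l.startswith(TRUSTED_PREFIXES)
        if is_exec and not in_trusted_dir and e["time"] >= cutoff:
            findings.append((e["path"], "new executable outside System32/Program Files"))
        if e["hidden"] or e["system"]:
            findings.append((e["path"], "hidden/system attribute"))
    return findings


if __name__ == "__main__":
    for path, reason in triage(parse_otl(SAMPLE_LOG), "2011/05/14"):
        print(f"{reason:48} {path}")
```

Run it against a saved OTL.txt by replacing `SAMPLE_LOG` with the file's contents; the cut-off date should be the day the infection was first noticed, so that the tool drops made during the cleanup itself (here everything on the desktop from 14 May onwards) can be recognised and dismissed quickly.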

ken545
2011-05-27, 01:15
Is your system running any better, any problems ?

stapper
2011-05-27, 21:00
Hi,

No problems. Start-up speed and execution speed are ok. Almost instant internet connection.
I think the laptop is in good condition now (I hope it stays that way).

Again thank you very much for the excellent guiding through the process.
Do I have to install anything except a virus scan and SpywareBlaster and Spybot (incl. TeaTimer)?

Best regards

Patrick

ken545
2011-05-27, 23:06
Hi,

You can keep Malwarebytes, it's the free version. If you upgrade to the Pro version it includes a protection module that will block access to known bad sites; the cost is minimal, but this is your call.

ATF Cleaner is also free, I use it on my own systems about once a week to clean out the clutter.
Let's update your Java to make your system more secure.

Go to your Control Panel and click on the Java icon (looks like a little coffee cup), click on About and you should have Version 6 Update 25; if not, proceed with the instructions.

Download the latest version Here (http://java.sun.com/javase/downloads/index.jsp) save it, do not install it yet.

Java SE Runtime Environment (JRE) JRE 6 Update 25 <-- The wording is confusing but this is what you need

Go to your Add Remove Programs in the Control Panel and uninstall any previous versions of Java
Reboot your computer
Install the latest version

You can verify the installation Here (http://www.java.com/en/download/help/testvm.xml)
System Restore is a component of Microsoft's Windows Me, Windows XP, Windows Vista and Windows 7 operating systems that allows for the rolling back of system files, registry keys, installed programs, etc., to a previous state in the event of malfunctioning or failure. Old restore points can be a source of re-infection.

Please follow the steps below to create a clean restore point:

Click Start > Run > copy and paste the following into the run box:

%SystemRoot%\System32\restore\rstrui.exe
Press OK. Choose Create a Restore Point then click Next.
Name it (something you'll remember) and click Create.
When the confirmation screen shows the restore point has been created click Close.
Then remove all previous Restore Points

Click Start > Run > copy and paste the following into the run box:

cleanmgr
Choose to scan drive C:\ (if C:\ is your main drive).
At the top, click on More Options tab. Click the Clean up... button in the System Restore box.
Click on the Yes button.
When finished, click on Cancel button to exit.
Click START then RUN
Now type Combofix /uninstall in the run box and click OK. Note the space between the X and the /; it needs to be there.

http://i526.photobucket.com/albums/cc345/MPKwings/CF-Uninstall.png

Open OTL and click on Clean Up and it will remove the programs we used to clean your system along with their backups.
How did I get infected in the first place ?
Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
WhattheTech (http://forums.whatthetech.com/So_how_did_I_get_infected_in_the_first_place_t57817.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
GeeksTo Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)
Safe Surfn
Ken

stapper
2011-05-28, 18:37
I could not uninstall Java 2 Runtime Environment, SE v1.4.2_03 from Control Panel/Software.
Instead I used JavaRa from SourceForge.
It's removed now, but there is still an entry in Control Panel/Software.
It seems that for a lot of programs there is no possibility to remove them from the system via Control Panel/Software: no remove button. Weird.

After a while I get an error "An unhandled win32 exception occured in jusched.exe [1412]". It's something new; it started after the installation of the new Java.

regards

Patrick

ken545
2011-05-28, 20:38
First reboot your computer. That's the Java update function; you can do it manually.

http://www.howtogeek.com/howto/windows-vista/what-is-juschedexe-and-why-is-it-running/

If it continues to give you problems, go to Task Manager by pressing Ctrl, Alt, Del on your keyboard, click on the Process tab and end process on jusched.exe.

stapper
2011-05-30, 21:41
Hi,

It's gone now.

It seems that there are a lot of programs in Control Panel/Software where there is no remove or change button.
Only the programs installed before the cleaning have no button; the others are ok.

Strange.

Regards

Patrick

ken545
2011-05-30, 23:36
Patrick,

We just do malware removal on this forum; I would like you to post here for help with the problems you're having with Add Remove Programs:

http://forums.whatthetech.com/index.php?showforum=119


Post back and let me know if they helped you fix it