Bad download, a lot of crap on my pc

[steamwiz]

Hi

It appears you have part of your last anti-virus still ... Norton ...

1. Empty this Quarantine folder C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine

2. you have an Infected file in your Temporary Internet Files, I want you to run Ccleaner to remove it and a lot more uneccessary temp files ... instructions further down in this post.

3. Go to Start > Run > copy and paste ComboFix /u into the Open: box & press OK



4.
This will clear all your infected restore points...

Turn off (Disable) System Restore in XP :-

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Restart your computer.

Then...

Turn on (enable) System Restore :-

Follow the same procedure, but this time uncheck Turn off System Restore

if you have any problem with this... here's a link to instructions :-


Disabling or enabling Windows XP System Restore >

http://service1.symantec.com/SUPPORT...rc=sec_doc_nam

---
Please Download CCleaner from :-

http://www.filehippo.com/download_ccleaner/ (click the download tab)

During the installation be sure to UN-check the box for "Ccleaner Yahoo Toolbar" unless you want it.

doubleclick the ccsetup.exe file and install the program...

After installing, go to Start > programs > CCleaner > Options > Advanced > UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

Make sure the "windows" tab is selected

Under "internet explorer" tick...

Temporary internet files
Cookies* > see Note below
History
Recently typed URL's (leave this unticked if you DON'T want to clear the drop down list in the address window of IE)
Delete index.dat files
Last download location
Autocomplete form history


under "Windows explorer" these are optional, but you can safely tick them all if you wish, they are only "most recently used lists"

Other explorer MRU's (leave this unticked if you DON'T want to clear lists such as the start\run list)

under "System"

Tick ALL these ...


under "Advanced"

no need to tick any of these (but you can if you want, and realise what they do)


Applications tab...

These will mostly clean out old log files for these applications...

Clean:- (if you use them)

Firefox/Mozilla (optional - leave the cookies - see note)
Opera
Sun Java
ZoneAlarm
...
Personally I clean everything in the applications tab... but you tick what you want...

Note: *If there are any cookies you want to keep (if you remove the cookie for a site you require a password for, you will need to re-enter your password when you next visit that site) ... click options > cookies > then keep the cookies you want.

click "analyse" if you want to see a list of what is going to be removed, before it is removed.

Or

click "run cleaner" to let it get on with it's work... clicking this will result in the following pop-up

"This process will permanently delete files from your system. Are you sure you wish to proceed?"

click OK.

-
Now run a new KASPERSKY ONLINE SCAN please & post the report

steam

[jurgen]

Hi,

hereby the following logfile:
- ComboFix
- Kaspersky
- HaijackThis

ComboFix 08-01-23.1C - Jur 2008-01-27 9:36:09.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1043.18.546 [GMT 1:00]
Gestart vanuit: C:\Documents and Settings\Jur\Bureaublad\ComboFix.exe
Command switches used :: C:\Documents and Settings\Jur\Bureaublad\CFScript.txt
* Nieuw herstelpunt werd aangemaakt

WAARSCHUWING - DE RECOVERY CONSOLE IS NIET OP DIT SYSTEEM GEINSTALLEERD !!

FILE
C:\WINDOWS\system32\vtstt.exe
.

(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\vtstt.exe

.
(((((((((((((((((((( Bestanden Gemaakt van 2007-12-27 to 2008-01-27 ))))))))))))))))))))))))))))))
.

2008-01-25 10:10 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-24 23:32 . 2008-01-25 11:28 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-01-24 23:31 . 2008-01-24 23:31 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-23 23:07 . 2008-01-25 11:29 <DIR> d-------- C:\Program Files\Shareaza
2008-01-23 22:14 . 2008-01-23 22:14 145 --a------ C:\WINDOWS\system32\winver.bat
2007-12-30 17:45 . 2007-12-30 17:45 193 --a------ C:\WINDOWS\hppsapp.INI

.
((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-24 09:04 561,152 ----a-w C:\WINDOWS\system32\LVCOMSX.EXE
2008-01-23 19:01 --------- d-----w C:\Program Files\Trojan Remover
2007-10-29 22:45 1,291,776 ----a-w C:\WINDOWS\system32\quartz.dll
2006-11-07 21:24 463 ----a-w C:\Program Files\CONFIG.DAT
2005-05-11 21:36 12,288 ----a-w C:\WINDOWS\Fonts\RandFont.dll
2002-01-04 15:16 3,306,069 ----a-w C:\Program Files\cap2.exe
2001-11-15 14:07 66 ----a-w C:\Program Files\cap2home.url
.

Code:

<pre>
----a-w            45,056 2008-01-24 10:55:50  C:\Program Files\ATI Technologies\ATI.ACE\cli .exe
</pre>

((((((((((((((((((((((((((((( snapshot@2008-01-26_20.34.57.37 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-26 19:25:59 679,936 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-27 08:35:46 679,936 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-26 19:25:59 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-27 08:35:46 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-26 19:25:59 679,936 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-27 08:35:46 679,936 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-26 19:25:59 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-27 08:35:46 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-26 19:25:59 6,221,824 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
+ 2008-01-27 08:35:47 6,221,824 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
- 2008-01-26 19:26:00 122,880 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-27 08:35:47 122,880 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
- 2008-01-26 08:15:29 65,034 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-01-27 08:19:56 65,034 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-01-26 08:15:29 84,342 ----a-w C:\WINDOWS\system32\perfc013.dat
+ 2008-01-27 08:19:56 84,342 ----a-w C:\WINDOWS\system32\perfc013.dat
- 2008-01-26 08:15:29 407,078 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-01-27 08:19:56 407,078 ----a-w C:\WINDOWS\system32\perfh009.dat
- 2008-01-26 08:15:29 472,104 ----a-w C:\WINDOWS\system32\perfh013.dat
+ 2008-01-27 08:19:56 472,104 ----a-w C:\WINDOWS\system32\perfh013.dat
.
((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\JPEG]
@={40DAD1B9-DDCF-4A31-A5D3-A03BC8881370}

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 17:24 1694208]
"InternetCalls"="C:\Program Files\InternetCalls.com\InternetCalls\InternetCalls.exe" [ ]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06 1318912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2008-01-24 10:03 415232]
"SMSERIAL"="sm56hlpr.exe" [2006-01-20 12:34 544768 C:\WINDOWS\sm56hlpr.exe]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2008-01-24 10:03 385536]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2008-01-24 10:03 1115136]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe" [2008-01-24 10:03 418304]
"RTHDCPL"="RTHDCPL.EXE" []
"Comodo Firewall"="C:\Program Files\Comodo\Firewall\CPF.exe" [2007-02-07 09:03 1115728]
"Adobe Version Cue CS2"="C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe" [2008-01-24 10:03 1255936]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe" [2008-01-24 10:04 827904]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2008-01-24 10:04 561152]
"LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [2008-01-24 10:04 822272]
"LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" [2008-01-24 10:04 557056]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2008-01-24 10:04 495104]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 13:00 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [2007-10-24 11:19 219136]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

R0 O2MDRDR;O2MDRDR;C:\WINDOWS\system32\DRIVERS\o2media.sys [2006-02-27 15:00]
R0 O2SDRDR;O2SDRDR;C:\WINDOWS\system32\DRIVERS\o2sd.sys [2006-02-20 16:01]
R0 SiSRaid2;SiSRaid2;C:\WINDOWS\system32\drivers\SiSRaid2.sys [2005-01-11 16:58]
R0 viamraid;viamraid;C:\WINDOWS\system32\drivers\viamraid.sys [2005-04-08 10:43]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2325a216-9b69-11dc-833e-00c0a8be5a87}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-27 09:40:05
Windows 5.1.2600 Service Pack 2 NTFS

scannen van verborgen processen ...

scannen van verborgen autostart items ...

scannen van verborgen bestanden ...

Scan succesvol afgerond
verborgen bestanden: 0

**************************************************************************
.
Voltooingstijd: 2008-01-27 9:40:31
ComboFix-quarantined-files.txt 2008-01-27 08:40:29
ComboFix2.txt 2008-01-26 19:35:12
.
2007-12-14 08:58:10 --- E O F ---

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, January 29, 2008 4:38:39 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 29/01/2008
Kaspersky Anti-Virus database records: 535777
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 86671
Number of viruses found: 0
Number of infected objects: 0
Number of suspicious objects: 0
Duration of the scan process: 01:09:24

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\Jur\Application Data\Microsoft\Sjablonen\Normal.dot Object is locked skipped
C:\Documents and Settings\Jur\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SUPERANTISPYWARE.LOG Object is locked skipped
C:\Documents and Settings\Jur\Bureaublad\Steam advise 2.doc Object is locked skipped
C:\Documents and Settings\Jur\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Jur\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Jur\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Jur\Local Settings\Geschiedenis\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Jur\Local Settings\Geschiedenis\History.IE5\MSHist012008012920080130\index.dat Object is locked skipped
C:\Documents and Settings\Jur\Local Settings\Temp\~DF123.tmp Object is locked skipped
C:\Documents and Settings\Jur\Local Settings\Temp\~DF37C5.tmp Object is locked skipped
C:\Documents and Settings\Jur\Local Settings\Temp\~DF504E.tmp Object is locked skipped
C:\Documents and Settings\Jur\Local Settings\Temp\~DFD1C5.tmp Object is locked skipped
C:\Documents and Settings\Jur\Local Settings\Temp\~WRF0000.tmp Object is locked skipped
C:\Documents and Settings\Jur\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Jur\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Jur\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Jur\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Geschiedenis\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe Object is locked skipped
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe Object is locked skipped
C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{28D617AA-B4F3-4060-9BC2-85D787C0CC48}\RP1\A0000348.exe Object is locked skipped
C:\System Volume Information\_restore{28D617AA-B4F3-4060-9BC2-85D787C0CC48}\RP1\A0000349.exe Object is locked skipped
C:\System Volume Information\_restore{28D617AA-B4F3-4060-9BC2-85D787C0CC48}\RP1\A0000350.exe Object is locked skipped
C:\System Volume Information\_restore{28D617AA-B4F3-4060-9BC2-85D787C0CC48}\RP1\A0000351.exe Object is locked skipped
C:\System Volume Information\_restore{28D617AA-B4F3-4060-9BC2-85D787C0CC48}\RP1\A0000352.exe Object is locked skipped
C:\System Volume Information\_restore{28D617AA-B4F3-4060-9BC2-85D787C0CC48}\RP1\A0000353.exe Object is locked skipped
C:\System Volume Information\_restore{28D617AA-B4F3-4060-9BC2-85D787C0CC48}\RP1\A0000354.exe Object is locked skipped
C:\System Volume Information\_restore{28D617AA-B4F3-4060-9BC2-85D787C0CC48}\RP1\A0000355.exe Object is locked skipped
C:\System Volume Information\_restore{28D617AA-B4F3-4060-9BC2-85D787C0CC48}\RP1\A0000356.exe Object is locked skipped
C:\System Volume Information\_restore{28D617AA-B4F3-4060-9BC2-85D787C0CC48}\RP1\A0000357.EXE Object is locked skipped
C:\System Volume Information\_restore{28D617AA-B4F3-4060-9BC2-85D787C0CC48}\RP1\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

[jurgen]

And HaijackThis logfile:

Logfile of HijackThis v1.99.1
Scan saved at 16:39:51, on 29-1-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\system32\o2flash.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Jur\Bureaublad\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.live.com/login.srf?id=2...=1043&_lang=NL
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Comodo Firewall] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [InternetCalls] "C:\Program Files\InternetCalls.com\InternetCalls\InternetCalls.exe" -nosplash -minimized
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Acrobat Snelle start.lnk = ?
O8 - Extra context menu item: Converteren naar Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Converteren naar bestaand PDF-bestand - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Geselecteerde koppelingen converteren naar Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Geselecteerde koppelingen converteren naar bestaand PDF-bestand - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Koppelingdoel converteren naar Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Koppelingdoel converteren naar bestaand PDF-bestand - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Selectie converteren naar Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Selectie converteren naar bestaand PDF-bestand - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by117w.bay117.mail.live.com/m...s/MsnPUpld.cab
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.mypix.com/importer/ImageUploader4.cab
O16 - DPF: {BD324C84-E46E-11D3-83D0-00C04F4EB66B} (HTMLParser Class) - http://213.197.229.246/synergy/cab/ebcasp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Unknown owner - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe" -win32service (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: O2Micro Flash Memory (O2Flash) - Unknown owner - C:\WINDOWS\system32\o2flash.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe

Maybe there is still something on my pc, sometimes different programs are trying to acces the Internet but my firewall is preventing this. (Catalyst control centre, MSN Messenger when it was not open)

Thanks for so far!
Jurgen

[jurgen]

Hi,

at this moment I have still an unwanted request to access the internet by the following program:
swHelper_1020023.exe

What does this mean? Is this bad?

And is my computer clean or are there still unwanted programs on my computer (see the last logfiles I posted)

Tnx!
Jurgen

[Metallica]

Hi Jurgen,

steamwiz seems to be unavailable at the moment.
Can you give me a short recap of the problems you are still facing?

In the meantime I'll read up on what you have done sofar.

Regards,

[jurgen]

Hi Pieter,

tanks for looking into my file!

I have still the problem of SwHelper that is trying to access the Internet, but my firewall is blocking this and than Internet Explorer doesn't work anymore after my firewall has blocked SwHelper.

Also I did new virus scans by AVG free and SuperAntispyware and I get still hits of Trojanhorse virusses and hostile cookies...

Besides this, I think my computer is fine.

Greet, Jurgen

[Metallica]

Hi jurgen,

swhelper reportedly belongs to Shockwave, so if you installed that program you can allow it access in your firewall.
That should stop the IE crashes on sites that require it.

Can you post the logs from AVG or SAS where trojans are listed?

I'd like to see what and where they are found.

[jurgen]

Hi Pieter,

I could not find a proper AVG scanning logfile, so I can not post a logfile of this. There were three threats of: Adobe/ photo album starter/ apdproxy.exe and HP software update/ HPWuSched2.exe and Nokia software launcher/NS Launcher.exe

And this is the logfile of SAS:
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/02/2008 at 01:29 PM

Application Version : 3.9.1008

Core Rules Database Version : 3387
Trace Rules Database Version: 1381

Scan type : Complete Scan
Total Scan Time : 01:45:15

Memory items scanned : 436
Memory threats detected : 0
Registry items scanned : 6791
Registry threats detected : 0
File items scanned : 89310
File threats detected : 12

Adware.Tracking Cookie
C:\Documents and Settings\Jur\Cookies\jur@adbrite[2].txt
C:\Documents and Settings\Jur\Cookies\jur@nl.sitestat[5].txt
C:\Documents and Settings\Jur\Cookies\jur@nl.sitestat[4].txt
C:\Documents and Settings\Jur\Cookies\jur@ads.adbrite[1].txt
C:\Documents and Settings\Jur\Cookies\jur@www.googleadservices[2].txt
C:\Documents and Settings\Jur\Cookies\jur@doubleclick.hertz[2].txt
C:\Documents and Settings\Jur\Cookies\jur@nl.sitestat[1].txt
C:\Documents and Settings\Jur\Cookies\jur@www.googleadservices[1].txt
C:\Documents and Settings\Jur\Cookies\jur@nl.sitestat[6].txt
C:\Documents and Settings\Jur\Cookies\jur@www.fullreleases[1].txt
C:\Documents and Settings\Jur\Cookies\jur@nl.sitestat[2].txt
C:\Documents and Settings\Jur\Cookies\jur@nl.sitestat[3].txt

Tnx for your help!
greetings, Jurgen

[Metallica]

Tracking cookies are a pest but easy to cure and they don't do any harm except provide information about you.
You should read:
http://privacy.getnetwise.org/browsing/tips/cookies

You may also want to have a look a t my (Dutch) site
http://www.pieter-arntz.info/Spyware...html#voorkomen about how to prevent spyware.

To see if we can find some trojans:
Please do an online scan with Kaspersky WebScanner

Click on Accept

You will be promted to install an ActiveX component from Kaspersky, Click Yes.

• The program will launch and then begin downloading the latest definition files:
• Once the files have been downloaded click on NEXT
  
• Now click on Scan Settings
• In the scan settings make that the following are selected:
  • Scan using the following Anti-Virus database:
  • Extended (if available otherwise Standard)
  • Scan Options:
  • Scan Archives
    Scan Mail Bases
• Click OK
• Now under select a target to scan:
  • Select My Computer
• This will program will start and scan your system.
• The scan will take a while so be patient and let it run.
• Once the scan is complete it will display if your system has been infected.
  
  • Now click on the Save as Text button:
• Save the file to your desktop.
• Copy and paste that information in your next post.

[jurgen]

Hi Pieter,

sorry for this late reply, I just moved to Italie so I was a bit busy last few days.
Is het toeval dat je ook Nederlands bent of had je al gezien aan mijn logfiles dat ik Nederlands bent?
Hier is mijn logfile, het lijkt erop dat ik niets meer heb, of wel?

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, February 14, 2008 8:51:18 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 14/02/2008
Kaspersky Anti-Virus database records: 565623
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 88628
Number of viruses found: 0
Number of infected objects: 0
Number of suspicious objects: 0
Duration of the scan process: 01:13:08

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\Jur\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SUPERANTISPYWARE.LOG Object is locked skipped
C:\Documents and Settings\Jur\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Jur\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Jur\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Jur\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Jur\Local Settings\Geschiedenis\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Jur\Local Settings\Geschiedenis\History.IE5\MSHist012008021420080215\index.dat Object is locked skipped
C:\Documents and Settings\Jur\Local Settings\Temp\~DF18AB.tmp Object is locked skipped
C:\Documents and Settings\Jur\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Jur\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Jur\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Jur\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Geschiedenis\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Geschiedenis\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{28D617AA-B4F3-4060-9BC2-85D787C0CC48}\RP1\A0000348.exe Object is locked skipped
C:\System Volume Information\_restore{28D617AA-B4F3-4060-9BC2-85D787C0CC48}\RP1\A0000349.exe Object is locked skipped
C:\System Volume Information\_restore{28D617AA-B4F3-4060-9BC2-85D787C0CC48}\RP1\A0000350.exe Object is locked skipped
C:\System Volume Information\_restore{28D617AA-B4F3-4060-9BC2-85D787C0CC48}\RP1\A0000351.exe Object is locked skipped
C:\System Volume Information\_restore{28D617AA-B4F3-4060-9BC2-85D787C0CC48}\RP1\A0000352.exe Object is locked skipped
C:\System Volume Information\_restore{28D617AA-B4F3-4060-9BC2-85D787C0CC48}\RP1\A0000353.exe Object is locked skipped
C:\System Volume Information\_restore{28D617AA-B4F3-4060-9BC2-85D787C0CC48}\RP1\A0000354.exe Object is locked skipped
C:\System Volume Information\_restore{28D617AA-B4F3-4060-9BC2-85D787C0CC48}\RP1\A0000355.exe Object is locked skipped
C:\System Volume Information\_restore{28D617AA-B4F3-4060-9BC2-85D787C0CC48}\RP1\A0000356.exe Object is locked skipped
C:\System Volume Information\_restore{28D617AA-B4F3-4060-9BC2-85D787C0CC48}\RP1\A0000357.EXE Object is locked skipped
C:\System Volume Information\_restore{28D617AA-B4F3-4060-9BC2-85D787C0CC48}\RP11\change.log Object is locked skipped
C:\System Volume Information\_restore{28D617AA-B4F3-4060-9BC2-85D787C0CC48}\RP5\A0000679.exe Object is locked skipped
C:\System Volume Information\_restore{28D617AA-B4F3-4060-9BC2-85D787C0CC48}\RP5\A0000680.exe Object is locked skipped
C:\System Volume Information\_restore{28D617AA-B4F3-4060-9BC2-85D787C0CC48}\RP5\A0000681.exe Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

Tnx!
greetings, Jurjen