problem with Click.GiftLoad

stapper

Hi,

Spybot detected Click.GiftLoad.
Can someone help me remove this beast?

thanks in advance

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Patrick at 11:56:48,62 on za 14/05/2011
Internet Explorer: 7.0.5730.13
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\system32\basfipm.exe
C:\Program Files\IBM\SQLLIB\BIN\db2mgmtsvc.exe
C:\Program Files\IBM\SQLLIB\BIN\db2sec.exe
C:\Program Files\Firebird\Firebird_1_5\bin\fbguard.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Firebird\Firebird_1_5\bin\fbserver.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Microsoft Office\Office\1043\OLFSNT40.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Patrick\Bureaublad\dds.scr
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.be/
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://www.euro.dell.com/
uWindow Title =
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [JDK5SWFMZY] c:\docume~1\patrick\locals~1\temp\Adl.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [SunJavaUpdateSched] c:\program files\java\j2re1.4.2_03\bin\jusched.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [IntelWireless] c:\program files\intel\wireless\bin\ifrmewrk.exe /tf Intel PROSet/Wireless
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [BuildBU] c:\dell\bldbubg.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dRun: [A9YA3MI1CF] c:\windows\temp\Adl.exe
dRun: [KCSCPW1HKH] c:\windows\temp\Adk.exe
dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10b.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F}
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {A4639D2F-774E-11D3-A490-00C04F6843FB} - hxxp://download.microsoft.com/download/vizact2000/Install/10/WIN98Me/EN-US/msorun.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -
Notify: AtiExtEvent - Ati2evxx.dll
Notify: IntelWireless - c:\program files\intel\wireless\bin\LgNotify.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll,, mnrnmuxs.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\patrick\applic~1\mozilla\firefox\profiles\gsdxxua1.default\
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.3.21.53\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJPI142_03.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
.
============= SERVICES / DRIVERS ===============
.
R? ccfc;ccfc
R? GHTJJGIN;GHTJJGIN
R? gupdate;Google Updateservice (gupdate)
R? gupdatem;Google Update-service (gupdatem)
R? Hou85;Hou85
R? Lavasoft Kernexplorer;Lavasoft helper driver
R? msvsmon80;Visual Studio 2005 Remote Debugger
R? Pxf87;Pxf87
R? srv830;srv830
S? DB2MGMTSVC_DB2COPY1;DB2 Management Service (DB2COPY1)
S? DB2NTSECSERVER_DB2COPY1;DB2 Security Server (DB2COPY1)
S? FirebirdGuardianDefaultInstance;Firebird Guardian - DefaultInstance
S? FirebirdServerDefaultInstance;Firebird Server - DefaultInstance
S? GTIPCI21;GTIPCI21
S? Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service
.
=============== File Associations ===============
.
inifile=c:\program files\boxer text editor\b.exe "%1"
regfile=regedit.exe "%1" %*
scrfile="%1" %*
.
=============== Created Last 30 ================
.
2011-05-10 17:58:45 -------- d-----w- C:\screening
2011-05-01 12:17:33 -------- d-----w- c:\program files\CCleaner
.
==================== Find3M ====================
.
2011-05-14 09:01:28 0 ----a-w- c:\windows\system32\tmp.tmp
2011-02-15 18:29:29 31744 ----a-w- c:\windows\system32\mnrnmuxs.dll
2001-05-24 10:59:30 162304 ----a-w- c:\program files\UNWISE.EXE
1999-05-23 23:17:58 99840 ----a-w- c:\program files\common files\IRAABOUT.DLL
1998-12-09 02:53:54 70144 ----a-w- c:\program files\common files\IRAMDMTR.DLL
1998-12-09 02:53:54 48640 ----a-w- c:\program files\common files\IRALPTTR.DLL
1998-12-09 02:53:54 31744 ----a-w- c:\program files\common files\IRAWEBTR.DLL
1998-12-09 02:53:54 186368 ----a-w- c:\program files\common files\IRAREG.DLL
1998-12-09 02:53:54 17920 ----a-w- c:\program files\common files\IRASRIAL.DLL
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: HTS726060M9AT00 rev.MH4OA6EA -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x86E87EC5]<<
_asm { PUSH EBP; MOV EBP, ESP; SUB ESP, 0x1c; PUSH EBX; PUSH ESI; MOV DWORD [EBP-0x4], 0x85d4d872; SUB DWORD [EBP-0x4], 0x85d4d12e; PUSH EDI; CALL 0xffffffffffffdf33; }
1 ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\Harddisk0\DR0[0x86F92AB8]
3 CLASSPNP[0xF75DBFD7] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0x86EFC4D8]
[0x86F5C330] -> IRP_MJ_CREATE -> 0x86E87EC5
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskHTS726060M9AT00_________________________MH4OA6EA#5&36c68b59&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x86E87AEA
user & kernel MBR OK
sectors 117210238 (+255): user != kernel
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 12:03:15,80 ===============
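The DDS report above is what the analyst reads before replying. As an added example (it is not part of this thread and not DDS code), the Python script below runs a few first-pass triage heuristics over lines copied from that report: autoruns launched from a temp folder, SecurityProviders entries outside the Windows XP default set (that baseline, and the category names, are the script's own assumptions), Hosts overrides, and scanner warnings. A flagged entry is a candidate for review, not a verdict; of the two non-default provider DLLs it lists, only mnrnmuxs.dll is confirmed later in this thread by Malwarebytes.

```python
"""First-pass triage of a DDS 'Pseudo HJT Report' (added example, not DDS code)."""
import re

# Assumption: the SecurityProviders value as shipped on Windows XP.
XP_SECURITY_PROVIDERS = {"msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll"}

# uRun / mRun / dRun / dRunOnce: [name] command
AUTORUN_RE = re.compile(r"^[umd]Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# Any path component named 'temp' (c:\windows\temp\, ...\locals~1\temp\, ...)
TEMP_DIR_RE = re.compile(r"\\temp\\", re.IGNORECASE)

# Lines copied from the report posted above (constructed sample input).
SAMPLE_REPORT = [
    r"uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe",
    r"uRun: [JDK5SWFMZY] c:\docume~1\patrick\locals~1\temp\Adl.exe",
    r"mRun: [Apoint] c:\program files\apoint\Apoint.exe",
    r"dRun: [A9YA3MI1CF] c:\windows\temp\Adl.exe",
    r"dRun: [KCSCPW1HKH] c:\windows\temp\Adk.exe",
    r"dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10b.exe",
    "SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll,, mnrnmuxs.dll",
    "Hosts: 127.0.0.1 www.spywareinfo.com",
    "Warning: possible TDL3 rootkit infection !",
]


def triage(lines):
    """Return (category, detail) findings, in report order."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = AUTORUN_RE.match(line)
        if m:
            # Legitimate autoruns live under Program Files or system32, not in a temp folder.
            if TEMP_DIR_RE.search(m.group("cmd")):
                findings.append(("autorun-from-temp", f"[{m.group('name')}] {m.group('cmd')}"))
            continue
        if line.startswith("SecurityProviders:"):
            # DDS prints the raw comma list; empty entries (',,') are skipped.
            dlls = [d.strip().lower() for d in line.split(":", 1)[1].split(",")]
            for dll in dlls:
                if dll and dll not in XP_SECURITY_PROVIDERS:
                    # SSP DLLs are loaded by processes that use SSPI, lsass.exe included,
                    # so any non-default entry deserves a look.
                    findings.append(("securityprovider-nondefault", dll))
            continue
        if line.startswith("Hosts:"):
            # DDS lists non-default hosts entries; a loopback mapping for a security
            # site blocks updates and help pages.
            findings.append(("hosts-override", line.split(":", 1)[1].strip()))
            continue
        if line.startswith("Warning:"):
            findings.append(("scanner-warning", line))
    return findings


def summarize(findings):
    """Count findings per category."""
    counts = {}
    for category, _ in findings:
        counts[category] = counts.get(category, 0) + 1
    return counts


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_REPORT):
        print(f"{category:28} {detail}")
    print(summarize(triage(SAMPLE_REPORT)))
```

The services section (R?/S? lines with names like ccfc or Hou85) is deliberately left to manual review: a short random-looking name with no file path is suspicious, but legitimate drivers such as GTIPCI21 look the same to a regex.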
 


Please read Before You Post
While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.

Until we deem your system clean I am going to ask you not to install or uninstall any software or hardware except for the programs we may run.

Besides Click.Giftload you're also infected with a nasty rootkit.


This will remove Click.giftload

REGEDIT4

[HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\featurecontrol\FEATURE_BROWSER_EMULATION]
"svchost.exe"=-

Copy the entire contents inside the Quote box and paste it into Notepad (this will only work with Notepad). Name the file Regfix.reg and, in the drop-down box, save it as All Files. Save it to your desktop. Then right-click on the Regfix.reg file and click on Merge; when it asks you to merge with the Registry, say yes.

If you saved the file correctly, it should look like this:
reg.jpg






Download aswMBR.exe (511KB) to your desktop.

Double click the aswMBR.exe to run it

Click the "Scan" button to start the scan.
aswMBR1.png


On completion of the scan, click Save log, save it to your desktop and post it in your next reply.
aswMBR2.png
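As an added example (it is not part of this thread and not Windows' regedit), the Python script below parses the Regfix.reg text from the post above and reports what merging it would do. The detail worth knowing about that file is the syntax "svchost.exe"=-: in a REGEDIT4 file a value whose data is a bare - is deleted on merge, while [-Key] deletes a whole key. A dry run like this confirms that a fix removes only the value it is meant to remove before Merge is clicked. The function names parse_reg and describe, and the action labels, are the example's own.

```python
"""Dry-run interpreter for a REGEDIT4 (.reg) file (added example, not regedit code)."""
import re

# The fix posted above (constructed copy of the Regfix.reg text).
REGFIX = r'''REGEDIT4

[HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\featurecontrol\FEATURE_BROWSER_EMULATION]
"svchost.exe"=-
'''

# "name"=data  or  @=data  (@ is the key's default value)
VALUE_RE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))=(?P<data>.*)$')


def _unescape(s):
    # Undo .reg escaping: a backslash quotes the next character (\\ and \").
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Return a list of (action, key, name, data) tuples describing the merge."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != "REGEDIT4":
        raise ValueError("not a REGEDIT4 file")
    actions = []
    key = None
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            body = line[1:-1]
            if body.startswith("-"):      # [-Key] deletes the whole key
                key = None
                actions.append(("delete_key", body[1:], None, None))
            else:                         # [Key] opens the key, creating it if missing
                key = body
                actions.append(("ensure_key", key, None, None))
            continue
        m = VALUE_RE.match(line)
        if m is None or key is None:
            raise ValueError(f"unexpected line: {line!r}")
        name = "" if m.group("default") else _unescape(m.group("name"))
        data = m.group("data")
        if data == "-":                   # "name"=- deletes the value
            actions.append(("delete_value", key, name, None))
        elif len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            actions.append(("set_string", key, name, _unescape(data[1:-1])))
        elif data.lower().startswith("dword:"):
            actions.append(("set_dword", key, name, int(data[6:], 16)))
        else:                             # hex:, hex(2):, ... are kept raw
            actions.append(("set_raw", key, name, data))
    return actions


def describe(actions):
    """Human-readable dry-run lines, one per action."""
    out = []
    for action, key, name, data in actions:
        if action == "ensure_key":
            out.append(f"open/create key {key}")
        elif action == "delete_key":
            out.append(f"DELETE key {key}")
        elif action == "delete_value":
            out.append(f"DELETE value {name or '(Default)'} under {key}")
        else:
            out.append(f"set value {name or '(Default)'} = {data!r} under {key}")
    return out


if __name__ == "__main__":
    print("\n".join(describe(parse_reg(REGFIX))))
```

Run against the Regfix.reg text, the dry run lists exactly two actions: open the FEATURE_BROWSER_EMULATION key and delete the svchost.exe value under it; nothing else in the registry is touched.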
 
Hi,

Disable your antivirus and then run DeFogger; you can re-enable your AV when we're done. You can also re-run DeFogger when we're done to re-enable your CD drivers.


Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed.


To re-enable your Emulation drivers, double click DeFogger to run the tool.
  • The application window will appear
  • Click the Re-enable button to re-enable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_enable which will appear on your desktop.

Your Emulation drivers are now re-enabled.





Re-Run aswMBR

Click Scan

On completion of the scan

Click Fix

aswMBR3.png




Save the log as before and post it in your next reply.
 
Hi,

I ran the DeFogger -> no problem, except it did not ask me to reboot.
I did it myself.
Then I ran aswMBR,
but the FIX button was not enabled.
So I ran the FixMBR.

I rebooted again and ran the scan again.
The log is attached.
 
Good Morning,

Please follow the instructions that are posted and don't do anything else; I hate to see you damage your system.

Let's try this instead.



Please download TDSSKiller.zip
  • Extract it to your desktop
  • Double click TDSSKiller.exe
  • Press Start Scan
    • Only if Malicious objects are found then ensure Cure is selected
    • Then click Continue > Reboot now
  • Copy and paste the log in your next reply
    • A copy of the log will be saved automatically to the root of the drive (typically C:\)
 
I ran TDSSKiller yesterday.
The log file is attached.

After the reboot I could not go to the internet anymore (wireless).
I tried to connect with a network cable, but then I got the message that the computer was shutting down within some seconds.
It looks like the lsass.exe virus.

Today I started up again and I can connect to the internet again, but the laptop is very slow.

thanks again for all the work
 
Do this,

Run aswMBR just to scan, not to fix, and post a new log please.

Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • See this Link for programs that need to be disabled and instruction on how to disable them.
  • Remember to re-enable them when we're done.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


RC1.png


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.
 
Hi,
I ran aswMBR. Attached the log file.
I downloaded ComboFix and installed the recovery console.
Attached the log file.
The laptop runs faster now.

Thanks for all the help.




aswMBR version 0.9.5.256 Copyright(c) 2011 AVAST Software
Run date: 2011-05-21 11:38:25
-----------------------------
11:38:25.784 OS Version: Windows 5.1.2600 Service Pack 3
11:38:25.784 Number of processors: 1 586 0xD08
11:38:25.784 ComputerName: LAPTOP_DELL UserName: Patrick
11:38:28.676 Initialize success
11:38:33.052 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
11:38:33.052 Disk 0 Vendor: HTS726060M9AT00 MH4OA6EA Size: 57231MB BusType: 3
11:38:35.083 Disk 0 MBR read successfully
11:38:35.083 Disk 0 MBR scan
11:38:35.083 Disk 0 Windows XP default MBR code
11:38:37.084 Disk 0 scanning sectors +117178110
11:38:37.099 Disk 0 scanning C:\WINDOWS\system32\drivers
11:38:43.663 Service scanning
11:38:44.945 Disk 0 trace - called modules:
11:38:44.960 ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS
11:38:44.960 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86f92ab8]
11:38:44.960 3 CLASSPNP.SYS[f75dbfd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x86f6fd98]
11:38:44.960 Scan finished successfully
11:39:00.995 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Patrick\Bureaublad\MBR.dat"
11:39:01.026 The log file has been saved successfully to "C:\Documents and Settings\Patrick\Bureaublad\aswMBR.txt"





ComboFix 11-05-19.02 - Patrick 21/05/2011 11:47:52.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.31.1043.18.1023.505 [GMT 2:00]
Gestart vanuit: c:\documents and settings\Patrick\Bureaublad\ComboFix.exe
.
.
(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\All Users\Favorieten\_favdata.dat
c:\documents and settings\Greetje\Application Data\Athe
c:\documents and settings\Greetje\Application Data\Athe\ozuqy.tmp
c:\documents and settings\Patrick\WINDOWS
c:\windows\system32\drivers\fad.sys
c:\windows\system32\lowsec
c:\windows\system32\tmp.tmp . . . . konden niet verwijderd worden
.
----- BITS: Mogelijk geïnfecteerde sites -----
.
hxxp://hallcash.net
Besmet exemplaar van c:\windows\system32\userinit.exe werd aangetroffen en gedesinfecteerd
Hersteld exemplaar van - c:\windows\ServicePackFiles\i386\userinit.exe
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_SRV830
-------\Legacy_SSHNAS
-------\Service_srv830
.
.
(((((((((((((((((((( Bestanden Gemaakt van 2011-04-21 to 2011-05-21 ))))))))))))))))))))))))))))))
.
.
2011-05-21 09:55 . 2011-05-21 09:55 0 ----a-w- c:\windows\system32\tmp.tmp
2011-05-14 09:42 . 2011-05-14 09:52 -------- d-----w- c:\program files\ERUNT
2011-05-10 17:58 . 2011-05-10 21:26 -------- d-----w- C:\screening
2011-05-01 12:17 . 2011-05-01 12:17 -------- d-----w- c:\program files\CCleaner
2011-05-01 11:45 . 2011-05-01 11:45 -------- d-----w- c:\documents and settings\Greetje\Local Settings\Application Data\Mozilla
.
.
.
((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-19 06:07 . 2004-09-13 12:52 153856 ----a-w- c:\windows\system32\drivers\dmio.sys
2001-05-24 10:59 . 2008-02-21 19:24 162304 ----a-w- c:\program files\UNWISE.EXE
1999-05-23 23:17 . 1999-05-23 23:17 99840 ----a-w- c:\program files\Common Files\IRAABOUT.DLL
1998-12-09 02:53 . 1998-12-09 02:53 70144 ----a-w- c:\program files\Common Files\IRAMDMTR.DLL
1998-12-09 02:53 . 1998-12-09 02:53 48640 ----a-w- c:\program files\Common Files\IRALPTTR.DLL
1998-12-09 02:53 . 1998-12-09 02:53 31744 ----a-w- c:\program files\Common Files\IRAWEBTR.DLL
1998-12-09 02:53 . 1998-12-09 02:53 186368 ----a-w- c:\program files\Common Files\IRAREG.DLL
1998-12-09 02:53 . 1998-12-09 02:53 17920 ----a-w- c:\program files\Common Files\IRASRIAL.DLL
.
.
((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-09-13 155648]
"SunJavaUpdateSched"="c:\program files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 32881]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2005-03-04 606208]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-26 53248]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-06-02 267048]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10b.exe" [2009-02-03 240544]
.
c:\documents and settings\All Users\Menu Start\Programma's\Opstarten\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-6-16 24576]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]
Poort voor Symantec Fax Starter Edition.lnk - c:\program files\Microsoft Office\Office\1043\OLFSNT40.EXE [1999-5-24 46077]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2005-6-20 118784]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 15:08 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll, mnrnmuxs.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Hou85.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Pxf87.sys]
@="Driver"
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background
"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
.
R2 DB2MGMTSVC_DB2COPY1;DB2 Management Service (DB2COPY1);c:\program files\IBM\SQLLIB\BIN\db2mgmtsvc.exe [8/11/2007 21:50 35616]
R2 DB2NTSECSERVER_DB2COPY1;DB2 Security Server (DB2COPY1);c:\program files\IBM\SQLLIB\BIN\db2sec.exe [8/11/2007 21:51 14112]
R2 FirebirdGuardianDefaultInstance;Firebird Guardian - DefaultInstance;c:\program files\Firebird\Firebird_1_5\bin\fbguard.exe -s --> c:\program files\Firebird\Firebird_1_5\bin\fbguard.exe -s [?]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [12/08/2010 14:15 1375992]
R3 FirebirdServerDefaultInstance;Firebird Server - DefaultInstance;c:\program files\Firebird\Firebird_1_5\bin\fbserver.exe -s --> c:\program files\Firebird\Firebird_1_5\bin\fbserver.exe -s [?]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [16/06/2005 18:07 80384]
S0 Hou85;Hou85;c:\windows\system32\Drivers\Hou85.sys --> c:\windows\system32\Drivers\Hou85.sys [?]
S0 Pxf87;Pxf87;c:\windows\system32\Drivers\Pxf87.sys --> c:\windows\system32\Drivers\Pxf87.sys [?]
S1 ccfc;ccfc;\??\c:\windows\system32\ccfc.sys --> c:\windows\system32\ccfc.sys [?]
S2 GHTJJGIN;GHTJJGIN;\??\c:\windows\system32\ghtjjgin.tfp --> c:\windows\system32\ghtjjgin.tfp [?]
S2 gupdate;Google Updateservice (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [19/11/2010 20:39 136176]
S3 gupdatem;Google Update-service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [19/11/2010 20:39 136176]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [12/08/2010 14:15 15264]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [23/09/2005 8:01 2799808]
.
Inhoud van de 'Gedeelde Taken' map
.
2011-05-21 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-08-12 19:36]
.
2011-05-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
2011-05-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-11-19 18:39]
.
2011-05-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-11-19 18:39]
.
.
------- Bijkomende Scan -------
.
uStart Page = hxxp://www.google.be/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
FF - ProfilePath - c:\documents and settings\Patrick\Application Data\Mozilla\Firefox\Profiles\gsdxxua1.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
.
.
------- Bestandsassociaties -------
.
inifile=c:\program files\Boxer Text Editor\b.exe "%1"
.
- - - - ORPHANS VERWIJDERD - - - -
.
HKLM-Run-ATIPTA - c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe
HKLM-Run-BuildBU - c:\dell\bldbubg.exe
SafeBoot-klmdb.sys
SafeBoot-Krx28.sys
SafeBoot-nvE54.sys
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-21 11:56
Windows 5.1.2600 Service Pack 3 NTFS
.
scannen van verborgen processen ...
.
scannen van verborgen autostart items ...
.
scannen van verborgen bestanden ...
.
Scan succesvol afgerond
verborgen bestanden: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\GHTJJGIN]
"ImagePath"="\??\c:\windows\system32\ghtjjgin.tfp"
.
--------------------- DLLs Geladen Onder Lopende Processen ---------------------
.
- - - - - - - > 'winlogon.exe'(1000)
c:\windows\system32\Ati2evxx.dll
c:\program files\Intel\Wireless\Bin\LgNotify.dll
.
------------------------ Andere Aktieve Processen ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKeeper.exe
c:\windows\System32\SCardSvr.exe
c:\windows\system32\basfipm.exe
c:\program files\Firebird\Firebird_1_5\bin\fbguard.exe
c:\program files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Firebird\Firebird_1_5\bin\fbserver.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Intel\Wireless\Bin\ZcfgSvc.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\wscntfy.exe
c:\progra~1\Intel\Wireless\Bin\1XConfig.exe
c:\program files\Apoint\Apntex.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
.
**************************************************************************
.
Voltooingstijd: 2011-05-21 12:05:02 - machine werd herstart
ComboFix-quarantined-files.txt 2011-05-21 10:05
.
Pre-Run: 22.580.400.128 bytes beschikbaar
Post-Run: 22.663.761.920 bytes beschikbaar
.
WindowsXP-KB310994-SP2-Home-BootDisk-NLD.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 4660F9ECB385984300D56D0DF741CBE1
 
Patrick, it's best to copy and paste the logs into the thread in lieu of attaching them; it's easier for me to analyze.

Looks like the rootkit is gone.


While I am looking over your Combofix log, run this program and post the log please

Please download Malwarebytes from Here or Here

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
    MBAMCapture.jpg
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
  • Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.
Post the report please
 
OK, I will do that.

I downloaded, updated and ran Malwarebytes.
Here are the results

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Databaseversie: 6639

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

22/05/2011 10:12:03
mbam-log-2011-05-22 (10-12-03).txt

Scantype: Snelle scan
Objecten gescand: 175865
Verstreken tijd: 4 minuut/minuten, 40 seconde(n)

Geheugenprocessen geïnfecteerd: 0
Geheugenmodulen geïnfecteerd: 0
Registersleutels geïnfecteerd: 2
Registerwaarden geïnfecteerd: 0
Registerdata geïnfecteerd: 1
Mappen geïnfecteerd: 0
Bestanden geïnfecteerd: 1

Geheugenprocessen geïnfecteerd:
(Geen kwaadaardige objecten gedetecteerd)

Geheugenmodulen geïnfecteerd:
(Geen kwaadaardige objecten gedetecteerd)

Registersleutels geïnfecteerd:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494E6CEC-7483-A4EE-0938-895519A84BC7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494E6CEC-7483-A4EE-0938-895519A84BC7} (Backdoor.Bot) -> Quarantined and deleted successfully.

Registerwaarden geïnfecteerd:
(Geen kwaadaardige objecten gedetecteerd)

Registerdata geïnfecteerd:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders (Trojan.FakeAlert) -> Bad: (mnrnmuxs.dll) Good: () -> Quarantined and deleted successfully.

Mappen geïnfecteerd:
(Geen kwaadaardige objecten gedetecteerd)

Bestanden geïnfecteerd:
c:\WINDOWS\system32\mnrnmuxs.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
 
Drag ComboFix to the trash, download a fresh copy, run it and post the new log please.

Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop
 
Hi,

I downloaded a fresh copy of ComboFix.
I did the update.
Here is the log file and thanks in advance

ComboFix 11-05-22.02 - Patrick 23/05/2011 18:52:54.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.31.1043.18.1023.465 [GMT 2:00]
Gestart vanuit: c:\documents and settings\Patrick\Bureaublad\ComboFix.exe
* Nieuw herstelpunt werd aangemaakt
.
.
(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\tmp.tmp
.
.
(((((((((((((((((((( Bestanden Gemaakt van 2011-04-23 to 2011-05-23 ))))))))))))))))))))))))))))))
.
.
2011-05-22 08:05 . 2010-12-20 16:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-22 08:04 . 2011-05-22 08:05 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-05-22 08:04 . 2010-12-20 16:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-14 09:42 . 2011-05-14 09:52 -------- d-----w- c:\program files\ERUNT
2011-05-10 17:58 . 2011-05-10 21:26 -------- d-----w- C:\screening
2011-05-01 12:17 . 2011-05-01 12:17 -------- d-----w- c:\program files\CCleaner
2011-05-01 11:45 . 2011-05-01 11:45 -------- d-----w- c:\documents and settings\Greetje\Local Settings\Application Data\Mozilla
.
.
.
((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-19 06:07 . 2004-09-13 12:52 153856 ----a-w- c:\windows\system32\drivers\dmio.sys
2001-05-24 10:59 . 2008-02-21 19:24 162304 ----a-w- c:\program files\UNWISE.EXE
1999-05-23 23:17 . 1999-05-23 23:17 99840 ----a-w- c:\program files\Common Files\IRAABOUT.DLL
1998-12-09 02:53 . 1998-12-09 02:53 70144 ----a-w- c:\program files\Common Files\IRAMDMTR.DLL
1998-12-09 02:53 . 1998-12-09 02:53 48640 ----a-w- c:\program files\Common Files\IRALPTTR.DLL
1998-12-09 02:53 . 1998-12-09 02:53 31744 ----a-w- c:\program files\Common Files\IRAWEBTR.DLL
1998-12-09 02:53 . 1998-12-09 02:53 186368 ----a-w- c:\program files\Common Files\IRAREG.DLL
1998-12-09 02:53 . 1998-12-09 02:53 17920 ----a-w- c:\program files\Common Files\IRASRIAL.DLL
.
.
((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-09-13 155648]
"SunJavaUpdateSched"="c:\program files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 32881]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2005-03-04 606208]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-26 53248]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-06-02 267048]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10b.exe" [2009-02-03 240544]
.
c:\documents and settings\All Users\Menu Start\Programma's\Opstarten\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-6-16 24576]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]
Poort voor Symantec Fax Starter Edition.lnk - c:\program files\Microsoft Office\Office\1043\OLFSNT40.EXE [1999-5-24 46077]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2005-6-20 118784]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 15:08 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Hou85.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Pxf87.sys]
@="Driver"
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background
"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
.
R2 DB2MGMTSVC_DB2COPY1;DB2 Management Service (DB2COPY1);c:\program files\IBM\SQLLIB\BIN\db2mgmtsvc.exe [8/11/2007 21:50 35616]
R2 DB2NTSECSERVER_DB2COPY1;DB2 Security Server (DB2COPY1);c:\program files\IBM\SQLLIB\BIN\db2sec.exe [8/11/2007 21:51 14112]
R2 FirebirdGuardianDefaultInstance;Firebird Guardian - DefaultInstance;c:\program files\Firebird\Firebird_1_5\bin\fbguard.exe -s --> c:\program files\Firebird\Firebird_1_5\bin\fbguard.exe -s [?]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [12/08/2010 14:15 1375992]
R3 FirebirdServerDefaultInstance;Firebird Server - DefaultInstance;c:\program files\Firebird\Firebird_1_5\bin\fbserver.exe -s --> c:\program files\Firebird\Firebird_1_5\bin\fbserver.exe -s [?]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [16/06/2005 18:07 80384]
S0 Hou85;Hou85;c:\windows\system32\Drivers\Hou85.sys --> c:\windows\system32\Drivers\Hou85.sys [?]
S0 Pxf87;Pxf87;c:\windows\system32\Drivers\Pxf87.sys --> c:\windows\system32\Drivers\Pxf87.sys [?]
S1 ccfc;ccfc;\??\c:\windows\system32\ccfc.sys --> c:\windows\system32\ccfc.sys [?]
S2 GHTJJGIN;GHTJJGIN;\??\c:\windows\system32\ghtjjgin.tfp --> c:\windows\system32\ghtjjgin.tfp [?]
S2 gupdate;Google Updateservice (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [19/11/2010 20:39 136176]
S3 gupdatem;Google Update-service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [19/11/2010 20:39 136176]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [12/08/2010 14:15 15264]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [23/09/2005 8:01 2799808]
.
Inhoud van de 'Gedeelde Taken' map
.
2011-05-23 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-08-12 19:36]
.
2011-05-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
2011-05-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-11-19 18:39]
.
2011-05-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-11-19 18:39]
.
.
------- Bijkomende Scan -------
.
uStart Page = hxxp://www.google.be/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
FF - ProfilePath - c:\documents and settings\Patrick\Application Data\Mozilla\Firefox\Profiles\gsdxxua1.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
.
.
------- Bestandsassociaties -------
.
inifile=c:\program files\Boxer Text Editor\b.exe "%1"
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-23 19:00
Windows 5.1.2600 Service Pack 3 NTFS
.
scannen van verborgen processen ...
.
scannen van verborgen autostart items ...
.
scannen van verborgen bestanden ...
.
Scan succesvol afgerond
verborgen bestanden: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\GHTJJGIN]
"ImagePath"="\??\c:\windows\system32\ghtjjgin.tfp"
.
--------------------- DLLs Geladen Onder Lopende Processen ---------------------
.
- - - - - - - > 'winlogon.exe'(1000)
c:\windows\system32\Ati2evxx.dll
c:\program files\Intel\Wireless\Bin\LgNotify.dll
.
Voltooingstijd: 2011-05-23 19:02:36
ComboFix-quarantined-files.txt 2011-05-23 17:02
ComboFix2.txt 2011-05-21 10:05
.
Pre-Run: 23.194.517.504 bytes beschikbaar
Post-Run: 23.194.001.408 bytes beschikbaar
.
- - End Of File - - 434931C215EFF924BDD53242F9633E8B
 
Hi,

Just a few files that I would like you to check for me

You need to enable Windows to show all files and folders; instructions Here

Go to VirusTotal and submit these files for analysis. Just use the BROWSE feature and then Send File; you will get a report back. Post the report into this thread for me to see. If the site says this file has already been checked, have them check it again.

c:\windows\system32\Drivers\Hou85.sys
c:\windows\system32\Drivers\Pxf87.sys
c:\windows\system32\ccfc.sys
c:\windows\system32\ghtjjgin.tfp


If the site is busy you can try this one
http://virusscan.jotti.org/en
 
Ok, let's proceed. How are things running so far, any redirects or unwanted pop-up windows?



ESET Online Scanner
I'd like us to scan your machine with ESET OnlineScan

*Note
It is recommended to disable your onboard antivirus program and antispyware programs while performing scans so there are no conflicts, and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your antivirus along with your antispyware programs.



  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window: ESET OnlineScan
  2. Click the esetOnline.png button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on esetSmartInstall.png to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the esetSmartInstallDesktopIcon.png icon on your desktop.
  4. Check esetAcceptTerms.png
  5. Click the esetStart.png button.
  6. Accept any security warnings from your browser.
  7. Check esetScanArchives.png
  8. Make sure that the option "Remove found threats" is Unchecked
  9. Push the Start button.
  10. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  11. When the scan completes, push esetListThreats.png
  12. Push esetExport.png, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  13. Push the esetBack.png button.
  14. Push esetFinish.png
Please make sure you include the following items in your next post:
The log that was produced after running ESET Online Scanner.
 
Here is the logfile from ESET. The log is also attached if this is better for you.

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinMuollo1.zip Win32/Bagle.gen.zip worm
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinMuollo3.zip Win32/Bagle.gen.zip worm
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinZBot.zip Win32/Bagle.gen.zip worm
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\j.jar-1dcd5b4f-21c8fe54.zip a variant of Java/TrojanDownloader.OpenStream.NBU trojan
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\j.jar-21ede86b-214a64b5.zip a variant of Java/TrojanDownloader.OpenStream.NBU trojan
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javajsm.jar-3ae85437-162d9161.zip multiple threats
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javaobe.jar-25f45de5-1d5cabe1.zip multiple threats
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\plugins.jar-6ca7f74e-3be20236.zip multiple threats
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\plugins.jar-77c163e5-633658ef.zip Java/TrojanDownloader.Agent.NCM trojan
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\track5.id-3a7575ee-3465175d.zip probably a variant of Java/Agent.AF trojan
C:\Documents and Settings\Patrick\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\yearsTend.class-17262f98-7b9eca77.class probably a variant of Java/TrojanDownloader.Agent.AB trojan
C:\Downloads\autorun.inf Win32/Ramnit.A.Gen virus
C:\Downloads\setup50045.fon Win32/AutoRun.Agent.ABK worm
C:\Downloads\setup50045.lnk LNK/Exploit.CVE-2010-2568 trojan
C:\Downloads\setup50076.fon Win32/AutoRun.Agent.ABK worm
C:\Downloads\setup50076.lnk LNK/Exploit.CVE-2010-2568 trojan
C:\Downloads\genesys\GeneSysSDK2006.zip a variant of Win32/TrojanDropper.Small.NIS trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\userinit.exe.vir a variant of Win32/Kryptik.DKU trojan
C:\screening\autorun.inf Win32/Ramnit.A.Gen virus
C:\screening\setup50045.fon Win32/AutoRun.Agent.ABK worm
C:\screening\setup50045.lnk LNK/Exploit.CVE-2010-2568 trojan
C:\System Volume Information\_restore{CB32FFED-FFB0-4F82-9D41-E1A8368D0A19}\RP863\A0091682.dll Win32/TrojanDownloader.FakeAlert.ARF trojan
C:\System Volume Information\_restore{CB32FFED-FFB0-4F82-9D41-E1A8368D0A19}\RP863\A0092712.inf Win32/Ramnit.A.Gen virus
C:\System Volume Information\_restore{CB32FFED-FFB0-4F82-9D41-E1A8368D0A19}\RP865\A0102951.exe a variant of Win32/Kryptik.DKU trojan
 
You have infected files all over the place

1. Open Spybot and go to the Quarantine folder and remove it all

2. Go to these two folders and delete all that's inside
C:\screening
C:\Downloads


3. C:\Qoobox <-- This is the ComboFix backup folder; it can't hurt you. We will remove this when we're done.

4. Your Java cache has bad files in it, do this:

Please download ATF Cleaner by Atribune to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
Your system may start up slower after running ATF Cleaner. This is expected, but it will be back to normal after the first or second boot up.
Please note: If you use online banking or are registered online with any other organizations, ensure you have memorized passwords and other personal information, as removing cookies will temporarily disable the auto-login facility.

5. System Restore also has bad files. They can't hurt you unless you use System Restore to revert your computer to an earlier date, so it's best to flush this all out.

System Restore is a component of Microsoft's Windows Me, Windows XP, Windows Vista and Windows 7 operating systems that allows for the rolling back of system files, registry keys, installed programs, etc., to a previous state in the event of malfunctioning or failure. Old restore points can be a source of re-infection.

Please follow the steps below to create a clean restore point:
  1. Click Start > Run > copy and paste the following into the run box:
    %SystemRoot%\System32\restore\rstrui.exe
  2. Press OK. Choose Create a Restore Point then click Next.
  3. Name it (something you'll remember) and click Create.
  4. When the confirmation screen shows the restore point has been created click Close.

Then remove all previous Restore Points
  1. Click Start > Run > copy and paste the following into the run box:
    cleanmgr
  2. Choose to scan drive C:\ (if C:\ is your main drive).
  3. At the top, click on More Options tab. Click the Clean up... button in the System Restore box.
  4. Click on the Yes button.
  5. When finished, click on Cancel button to exit.

After you're done, reboot your system, run ESET again and post the log.
 
Here is the logfile from ESET. Thanks in advance.

C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\j.jar-21ede86b-214a64b5.zip a variant of Java/TrojanDownloader.OpenStream.NBU trojan
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javajsm.jar-3ae85437-162d9161.zip multiple threats
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javaobe.jar-25f45de5-1d5cabe1.zip multiple threats
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\plugins.jar-6ca7f74e-3be20236.zip multiple threats
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\plugins.jar-77c163e5-633658ef.zip Java/TrojanDownloader.Agent.NCM trojan
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\track5.id-3a7575ee-3465175d.zip probably a variant of Java/Agent.AF trojan
C:\Documents and Settings\Patrick\Local Settings\temp\srv294.tmp Win32/AutoRun.Agent.ABK worm
C:\Qoobox\Quarantine\C\WINDOWS\system32\userinit.exe.vir a variant of Win32/Kryptik.DKU trojan
 