caught quarantined virus/trojan need checkup with HJT

Ginh · August 2009

Hey all,
it's been a long while, i would like to say that my windows has been reinstalled like 4 months ago or so, but i have a problem now.
right now i use:
AV software:
Avira Antivir free version

File/connection/registry viewer software
Advanced Task Manager 5.0

Anti spyware software:
Ad-aware free version
HiJackThis v2.0.2

Browsers:
IE 8.0
Mozilla FireFox 3.5.2

System & OS:
Microsoft Windows XP Home Edition version 2002 SP3

Intel(R) Core(TM)2 Quad CPU Q6600 @ 2.40GHz
=======================================
I recently ran into virus and scanned with Avira antivir and Ad-aware.
and found with:
Ad-aware: Win32.Trojan.Agent
It has been quarantined but i have not taken further steps.

And

Avira Antivir:
two .wma files being infected and it's they are called:
D:\Backup\MP3\Benito Pokoe\Cindy muziek\music\Ataris The - Let It Go.wma
[DETECTION] Is the TR/Dldr.Age.1171323 Trojan
[NOTE] The file was moved to '4af4d8ad.qua'!

D:\Backup\MP3\Benito Pokoe\Cindy muziek\music\r kelly - only the loot can make me happy.wma
[DETECTION] Is the TR/Dldr.Age.1171323 Trojan
[NOTE] The file was moved to '4afed859.qua'!

Got detected and quarantined and appearantly deleted when i restarted windows because it was showing the process of deleting those files in blue screen of Windows XP.
I would like some help to detect any possible backdoor / trojan / spyware / malware that messes with my files / programs mainly like msn who keeps DC'ing while i can still browse the web so no indication of connection failure.

=================================
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:07:48, on 27-8-2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Ventrilo\Ventrilo.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Aanmelden - Help - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1246528331843
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1250644849359
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 5848 bytes

chiaz · August 2009

Hello.

Please download Malwarebytes' Anti-Malware by clicking the link below:
http://www.besttechie.net/tools/mbam-setup.exe

Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish,so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* You'll be required to post the contents of this log later.

Please Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.

Next let's have you download ComboFix.exe. Please visit this webpage for downloading and instructions for running the tool:

Go here ======> A guide and tutorial on using ComboFix <====== Go here

Please ensure you read this guide carefully and install the Recovery Console first.This applies to XP Pro and XP Home users only.If you have SP3 installed you will need to use the download meant for SP2.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should get a prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

(1) Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
(2) Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the MBAM log, C:\ComboFix.txt as well as a new HijackThis log for further review, so that we may continue cleansing the system.

Caution: Never run and remove files with Combofix unless supervised by a qualified security analyst who is experienced in the use of Combofix. Misuse can cause serious computer problems.

Ginh · August 2009

I hope i did things right.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:15:02, on 27-8-2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Aanmelden - Help - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1246528331843
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1250644849359
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 5313 bytes

===============================

ComboFix 09-08-26.05 - Ginh666 27-08-2009 12:03.1.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.31.1043.18.3071.2600 [GMT 2:00]
Gestart vanuit: c:\documents and settings\Ginh666\Bureaublad\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

(((((((((((((((((((( Bestanden Gemaakt van 2009-07-27 to 2009-08-27 ))))))))))))))))))))))))))))))
.

2009-08-27 09:25 . 2009-08-27 09:25

d

w- c:\documents and settings\Ginh666\Application Data\Malwarebytes
2009-08-27 09:25 . 2009-08-03 11:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-27 09:25 . 2009-08-27 09:25

d

w- c:\program files\Malwarebytes' Anti-Malware
2009-08-27 09:25 . 2009-08-27 09:25

d

w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-27 09:25 . 2009-08-03 11:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-27 00:06 . 2009-08-27 00:06

d

w- c:\program files\Trend Micro
2009-08-26 01:09 . 2008-10-16 12:06 268648 ----a-w- c:\windows\system32\mucltui.dll
2009-08-25 23:30 . 2009-08-25 22:52 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-08-25 22:58 . 2009-08-25 22:58

d

w- c:\documents and settings\LocalService\Bureaublad
2009-08-25 22:51 . 2009-08-25 22:51

dc-h--w- c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-08-25 22:51 . 2009-01-18 21:43 2892112 -c--a-w- c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}\Ad-AwareAE.exe
2009-08-25 22:51 . 2009-08-25 22:52

d

w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-08-25 22:51 . 2009-08-25 22:51

d

w- c:\program files\Lavasoft
2009-08-25 12:22 . 2009-08-25 12:22

d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-08-25 12:03 . 2009-08-25 12:03

d

r- c:\documents and settings\LocalService\Favorieten
2009-08-25 11:52 . 2009-08-25 11:52

d

w- c:\program files\Avira
2009-08-25 11:52 . 2009-08-25 11:52

d

w- c:\documents and settings\All Users\Application Data\Avira
2009-08-25 11:52 . 2009-07-28 14:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-08-25 11:52 . 2009-03-30 08:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-08-25 11:52 . 2009-02-13 10:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-08-25 11:52 . 2009-02-13 10:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-08-25 01:11 . 2009-08-25 01:11

d

w- c:\program files\Innovative Solutions
2009-08-19 01:26 . 2008-04-15 12:00 221184 ----a-w- c:\windows\system32\wmpns.dll
2009-08-19 01:22 . 2009-07-03 17:00 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-08-19 01:22 . 2009-07-03 17:00 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2009-08-19 01:16 . 2009-08-19 01:16

d

w- c:\documents and settings\All Users\Application Data\ESET
2009-08-09 11:41 . 2009-08-09 11:41

d

w- c:\documents and settings\Ginh666\Library
2009-08-07 17:38 . 2009-08-07 17:49

d

w- c:\program files\Kopie van Conquer 2.0
2009-08-04 19:42 . 2009-08-04 19:42 152576 ----a-w- c:\documents and settings\Ginh666\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-08-02 11:58 . 2009-08-02 11:58

d--h--w- c:\windows\PIF
2009-08-01 09:45 . 2008-05-29 06:03 37176 ----a-w- c:\documents and settings\Ginh666\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-08-01 09:44 . 2009-08-01 09:44

d

w- c:\documents and settings\All Users\Application Data\FLEXnet
2009-08-01 09:39 . 2009-08-01 09:39

d

w- c:\program files\Adobe Media Player
2009-08-01 09:38 . 2009-08-01 09:38

d

w- c:\program files\Common Files\Adobe AIR
2009-08-01 09:38 . 2009-08-03 00:15

d

w- c:\documents and settings\Ginh666\Local Settings\Application Data\Adobe
2009-08-01 09:35 . 2009-08-01 09:35

d

w- c:\program files\Common Files\Macrovision Shared
2009-08-01 04:08 . 2009-08-01 09:32

d

w- c:\program files\Photoshop CS4
2009-08-01 03:58 . 2009-08-01 09:40

d

w- c:\program files\Common Files\Adobe

.
((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-26 12:31 . 2009-07-02 22:47

d

w- c:\documents and settings\Ginh666\Application Data\vlc
2009-08-25 01:27 . 2009-07-02 11:33

d

w- c:\program files\Conquer 2.0
2009-08-23 23:06 . 2009-07-10 05:05

d

w- c:\documents and settings\Ginh666\Application Data\uTorrent
2009-08-22 07:35 . 2009-07-24 17:44

d

w- c:\program files\FlashGet
2009-08-15 22:57 . 2009-07-02 11:38

d

w- c:\documents and settings\Ginh666\Application Data\Ventrilo
2009-08-15 05:43 . 2009-07-02 09:36

d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-08-05 09:01 . 2008-04-15 12:00 205312 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 19:42 . 2009-07-22 11:20

d

w- c:\program files\Java
2009-08-01 09:57 . 2008-08-14 05:57 73312 ----a-w- c:\windows\system32\drivers\adfs.sys
2009-08-01 09:44 . 2009-07-02 00:27 12912 ----a-w- c:\documents and settings\Ginh666\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-29 04:37 . 2008-04-15 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-07-29 04:37 . 2008-04-15 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-07-25 03:23 . 2009-07-22 11:20 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-24 17:38 . 2009-07-02 10:58

d

w- c:\program files\DAP
2009-07-22 11:20 . 2009-07-22 11:20 152576 ----a-w- c:\documents and settings\Ginh666\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-07-19 21:54 . 2009-07-19 21:41

d

w- c:\program files\AV Vcs 7.0 DIAMOND
2009-07-17 19:04 . 2008-04-15 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-17 12:22 . 2009-07-17 08:32

d

w- c:\documents and settings\Ginh666\Application Data\Winamp
2009-07-17 08:32 . 2009-07-17 08:32

d

w- c:\program files\Winamp
2009-07-16 20:57 . 2009-07-02 22:47

d

w- c:\program files\VideoLAN
2009-07-13 21:43 . 2008-04-15 12:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-10 08:11 . 2009-07-10 08:11

d

w- c:\program files\Alwil Software
2009-07-10 05:06 . 2009-07-10 05:06

d

w- c:\program files\uTorrent
2009-07-03 17:00 . 2008-04-15 12:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-07-02 22:51 . 2009-07-02 22:51

d

w- c:\program files\Windows Media Connect 2
2009-07-02 11:33 . 2009-07-02 09:32

d--h--w- c:\program files\InstallShield Installation Information
2009-07-02 10:58 . 2009-07-02 10:58

d

w- c:\documents and settings\All Users\Application Data\SpeedBit
2009-07-02 10:51 . 2009-07-02 10:51

d

w- c:\program files\Ventrilo
2009-07-02 10:51 . 2009-07-02 10:51

d

w- c:\program files\Common Files\Wise Installation Wizard
2009-07-02 10:42 . 2009-07-02 10:42 0 ----a-w- c:\windows\nsreg.dat
2009-07-02 10:36 . 2009-07-02 10:36

d

w- c:\program files\Philips ToUcam Camera
2009-07-02 10:36 . 2009-07-02 09:32

d

w- c:\program files\Common Files\InstallShield
2009-07-02 10:24 . 2009-07-02 10:24

d

w- c:\program files\Microsoft
2009-07-02 10:24 . 2009-07-02 10:23

d

w- c:\program files\Windows Live
2009-07-02 10:24 . 2009-07-02 10:24

d

w- c:\program files\Windows Live SkyDrive
2009-07-02 10:19 . 2009-07-02 10:19

d

w- c:\program files\Common Files\Windows Live
2009-07-02 10:12 . 2008-04-15 12:00 53652 ----a-w- c:\windows\system32\perfc013.dat
2009-07-02 10:12 . 2008-04-15 12:00 364644 ----a-w- c:\windows\system32\perfh013.dat
2009-07-02 09:42 . 2009-07-02 09:42 8 ----a-w- c:\windows\system32\nvModes.dat
2009-07-02 09:40 . 2009-07-02 09:40

d

w- c:\documents and settings\All Users\Application Data\nView_Profiles
2009-07-02 09:32 . 2009-07-02 09:32

d

w- c:\program files\Realtek
2009-07-02 09:32 . 2009-07-02 09:32 315392 ----a-w- c:\windows\HideWin.exe
2009-07-02 08:32 . 2009-07-01 23:49 76487 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-07-01 23:56 . 2009-07-01 23:56

d

w- c:\documents and settings\Ginh666\Application Data\InstallShield
2009-07-01 23:49 . 2009-07-01 23:49

d

w- c:\program files\microsoft frontpage
2009-07-01 23:47 . 2009-07-01 23:47 21748 ----a-w- c:\windows\system32\emptyregdb.dat
2009-06-25 08:27 . 2008-04-15 12:00 735232 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:27 . 2008-04-15 12:00 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:27 . 2008-04-15 12:00 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:27 . 2008-04-15 12:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-25 08:27 . 2008-04-15 12:00 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:27 . 2008-04-15 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-24 11:18 . 2008-04-15 12:00 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-15 10:45 . 2008-04-15 12:00 79872 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:16 . 2008-04-15 12:00 85504 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 07:22 . 2009-07-01 23:45 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 06:16 . 2008-04-15 12:00 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-03 19:11 . 2008-04-15 12:00 1295360 ----a-w- c:\windows\system32\quartz.dll
.

((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-22 13541376]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-22 86016]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-07-01 37888]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-11-13 611712]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-08-25 520024]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-07-05 16380416]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-05-22 1657376]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-15 15360]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\FlashGet\\flashget.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [26-8-2009 0:52 64160]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [25-8-2009 13:52 108289]
R3 camvid20;Philips ToUcam Camera; Video;c:\windows\system32\drivers\camdrv21.sys [2-7-2009 3:35 223232]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [27-8-2009 11:25 38160]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [18-1-2009 23:34 1029456]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\e:\ntglm7x.sys --> e:\NTGLM7X.sys [?]

--- Andere Services/Drivers In Geheugen ---

*NewlyCreated* - MBAMSWISSARMY

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Inhoud van de 'Gedeelde Taken' map

2009-08-25 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 22:52]
.
- - - - ORPHANS VERWIJDERD - - - -

HKCU-Run-AdobeBridge - (no file)

.

Bijkomende Scan

.
uStart Page = hxxp://www.google.nl/
IE: &Download All with FlashGet - c:\program files\FlashGet\jc_all.htm
IE: &Download with FlashGet - c:\program files\FlashGet\jc_link.htm
FF - ProfilePath - c:\documents and settings\Ginh666\Application Data\Mozilla\Firefox\Profiles\s3ua94mf.default\
FF - prefs.js: browser.startup.homepage - www.google.nl

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-27 12:04
Windows 5.1.2600 Service Pack 3 NTFS

scannen van verborgen processen ...

scannen van verborgen autostart items ...

scannen van verborgen bestanden ...

Scan succesvol afgerond
verborgen bestanden: 0

**************************************************************************
.

DLLs Geladen Onder Lopende Processen

- - - - - - - > 'winlogon.exe'(680)
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

- - - - - - - > 'explorer.exe'(1068)
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Voltooingstijd: 2009-08-27 12:05
ComboFix-quarantined-files.txt 2009-08-27 10:05

Pre-Run: 94.285.950.976 bytes beschikbaar
Post-Run: 94.488.006.656 bytes beschikbaar

WindowsXP-KB310994-SP2-Home-BootDisk-NLD.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

244 --- E O F --- 2009-08-26 01:13

chiaz · August 2009

Your PC appears clean to me. May I know what problems you are currently encountering?

Ginh · August 2009

chiaz wrote:

Your PC appears clean to me. May I know what problems you are currently encountering?

Well i had virusses on my system i thought, and i was told that win32.trojan.agent had downloaded files unto my computer, that might cause some issues aswell.

Right now i have a problem with having a stable ping let's say:
when i play a game, or use ventrilo (voice chat program with mic), or msn, it will sometimes Disconnect me, but mainly MSN, that disconnected Regularly, so i thought something is on my system.

Someone else who's helping me had me do ping and tracert and he believes he saw a problem that only the network owners can fix but not too sure.

I just wanted to make sure that anything is not virus/trojan/malware/spyware related.

chiaz · August 2009

OK, let's be fully sure no malware remains on your system.

Let's have you go HERE to run Panda ActiveScan 2.0

Click the big green Scan now button
If it wants to install an ActiveX component allow it
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
Once the scan is completed, please hit the notepad icon next to the text Export to:
Save it to a convenient location such as your Desktop
Post the contents of the ActiveScan.txt in your next reply.

Ginh · August 2009

;***********************************************************************************************************************************************************************************
ANALYSIS: 2009-08-28 01:05:39
PROTECTIONS: 1
MALWARE: 2
SUSPECTS: 0
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
AntiVir Desktop 9.0.1.32 No Yes
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Ginh666\Cookies\ginh666@doubleclick[2].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Ginh666\Cookies\ginh666@atdmt[1].txt
;===================================================================================================================================================================================
SUSPECTS
Sent Location 6
;===================================================================================================================================================================================
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description 6
;===================================================================================================================================================================================
;===================================================================================================================================================================================

chiaz · August 2009

I think our work is done here - your PC should be clean now.

It's time to remove ComboFix.

Go to to Start > Run
Type in box

combofix /u

Note: the space between the X and the /u

Press Enter.

This command will:

Delete the following:
ComboFix and its associated files and folders.
VundoFix backups, if present
The C:\Deckard folder, if present
The C:_OtMoveIt folder, if present

Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Reset System Restore.

There are many gamers in this forum that can probably give you a hand with your existing problems. You may want to post here:
http://icrontic.com/forum/forumdisplay.php?f=18

Let me know...

Ginh · August 2009

How do set up a new system restore point.

chiaz · August 2009

To set a System Restore Point...

Open the Start menu
Open the Programs menu
Open the Accessories menu
Open the System Tools menu
Finally, start System Restore
Pick the option for setting a System Restore Point and click on the Next button
Fill in a name for the restore point so you can find it and click on the Create button
Click on the Close button when done

Ginh · August 2009

chiaz, thankyou very much, i was worried, so it must lie within my connection on my end or that of the network owners i will talk with some people in the gaming section, you and the crew are awesome also in the past when i had problems.

Ginh.

chiaz · August 2009

Glad we could be of assistance! This topic is now closed.

If I have helped you, please consider making a personal donation (Paypal) to me at parasite[AT]parasitedb.com.
To support Icrontic, click here:
http://icrontic.com/support
Donations are entirely voluntary in nature and will have no bearing on the future help that you may receive.

If you wish to reopen your topic, please send a Private Message (PM) to Trogan or me with a link to your thread.

If you are not the user who started this thread, you must start your own Thread instead

caught quarantined virus/trojan need checkup with HJT

Comments