system 32 lost modules
After cleaning my computer of pseudo antivirus programs(criminals at work) and reinstalling windows, I get the message Windows can not find module C:\windows\system 32\yadxljtl.dll, and similar (....)vgeoff.dll .
When I click them away, everything seems normal .Can anyone help?
Old man, Holland
When I click them away, everything seems normal .Can anyone help?
Old man, Holland
0
This discussion has been closed.
Comments
Obviously you did a "repair" installation of windows, because there's still some startup settings from those infections at work here. In the future if you want to completely be rid of any trace of the prior virus/malware then you need to select the option to do a complete fresh install. Note that you lose all the installed programs and possibly personal data, but it's the only way to be 100% sure everything is gone.
Find and learn to use hijackthis to remove those references from your computer so it doesn't try accessing them each time windows starts. It sounds like those items are no longer functioning as active viruses, you just need to finish some of the cleanup.
At the top of the following section are some instructions for using hijackthis and other virus removal related issues/techniques:
http://icrontic.com/forum/forumdisplay.php?f=57
I'll also ask that a mod move your thread there since this is related more to the infection than the windows installation.
I hope it all goes well for you.
Old man (wout Woltz)
Not sure if you had planned to go with posting some scan diagnostics to check here. To jump start things I'll provide some steps for those, if you do plan to follow up with some repair work.
Please download HijackThis from Here. Then click on the downloaded file to install HijackThis. After it is installed open HijackThis and select Do a system scan and save logfile. Use copy/paste and post that log back here for review.
Also Go Here and download Silent Runners to your desktop. Run it, and post back here the log it creates. If your protective software queries the script, allow it to run. It's not malicious. It will create a file named Startup Programs, and will notify when the scan is complete. Copy the log from the Startup Programs file back here. Here are guidelines for using Silent Runners. You can use separate posts here when replying and posting the log files if needed.
Please have mercey: what is my mistake?
Wout Woltz,
Holland
PS
Tomorrow I am leaving for St Petersburg for a week. I hope we may stay in touch
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:51:46, on 7-6-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\SiteAdvisor\6261\SiteAdv.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\SPAMfighter\SFAgent.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\WINDOWS\system32\cisvc.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\SiteAdvisor\6261\SAService.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\SPAMfighter\sfus.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {0983040A-984F-4BEF-BEBE-D3D3342D3954} - (no file)
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SiteAdvisor] "C:\Program Files\SiteAdvisor\6261\SiteAdv.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [SPAMfighter Agent] "C:\Program Files\SPAMfighter\SFAgent.exe" update delay 60
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [68cab6d8] rundll32.exe "C:\WINDOWS\system32\vgoeofff.dll",b
O4 - HKLM\..\Run: [BM6bf98544] Rundll32.exe "C:\WINDOWS\system32\yadxljtl.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Documents and Settings\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1200522697418
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: ComponentUnknown - {762a98a3-d10c-4438-9507-89b14567d14e} - C:\WINDOWS\Resources\ComponentUnknown.dll (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6261\SAService.exe
O23 - Service: SPAMfighter Update Service - SPAMfighter ApS - C:\Program Files\SPAMfighter\sfus.exe
--
End of file - 7478 bytes
"Silent Runners.vbs", revision 58, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"Picasa Media Detector" = "C:\Program Files\Picasa2\PicasaMediaDetector.exe" ["Google Inc."]
"SUPERAntiSpyware" = "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" ["SUPERAntiSpyware.com"]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"SoundMAXPnP" = "C:\Program Files\Analog Devices\Core\smax4pnp.exe" ["Analog Devices, Inc."]
"HP Software Update" = "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" ["Hewlett-Packard Co."]
"SiteAdvisor" = ""C:\Program Files\SiteAdvisor\6261\SiteAdv.exe"" ["McAfee, Inc."]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Inc."]
"mcagent_exe" = "C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey" ["McAfee, Inc."]
"McENUI" = "C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide" ["McAfee, Inc."]
"SPAMfighter Agent" = ""C:\Program Files\SPAMfighter\SFAgent.exe" update delay 60" ["SPAMfighter ApS"]
"Windows Defender" = ""C:\Program Files\Windows Defender\MSASCui.exe" -hide" [MS]
"SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"" ["Sun Microsystems, Inc."]
"Adobe Reader Speed Launcher" = ""C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"" ["Adobe Systems Incorporated"]
"igfxtray" = "C:\WINDOWS\system32\igfxtray.exe" ["Intel Corporation"]
"igfxhkcmd" = "C:\WINDOWS\system32\hkcmd.exe" ["Intel Corporation"]
"igfxpers" = "C:\WINDOWS\system32\igfxpers.exe" ["Intel Corporation"]
"68cab6d8" = "rundll32.exe "C:\WINDOWS\system32\vgoeofff.dll",b" [MS]
"BM6bf98544" = "Rundll32.exe "C:\WINDOWS\system32\yadxljtl.dll",s" [MS]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{089FD14D-132B-48FC-8861-0048AE113215}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\SiteAdvisor\6261\SiteAdv.dll" ["McAfee, Inc."]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll" ["Sun Microsystems, Inc."]
{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Google Toolbar Helper"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Configuratiescherm-uitbreiding Beeldscherm-panning"
-> {HKLM...CLSID} = "Configuratiescherm-uitbreiding Beeldscherm-panning"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal-pictogramuitbreiding"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "C:\DOCUME~1\Office\OLKFSTUB.DLL" [MS]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}" = "Microsoft AntiMalware ShellExecuteHook"
-> {HKLM...CLSID} = "Microsoft AntiMalware ShellExecuteHook"
\InProcServer32\(Default) = "C:\PROGRA~1\WIFD1F~1\MpShHook.dll" [MS]
<<!>> "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}" = (no title provided)
-> {HKLM...CLSID} = "SABShellExecuteHook Class"
\InProcServer32\(Default) = "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" ["SuperAdBlocker.com"]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
-> {HKLM...CLSID} = "WPDShServiceObj Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]
"ComponentUnknown" = "{762a98a3-d10c-4438-9507-89b14567d14e}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\Resources\ComponentUnknown.dll" [file not found]
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\
<<!>> "Authentication Packages" = "msv1_0"|"C:\WINDOWS\system32\urqPjIYo"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> !SASWinLogon\DLLName = "C:\Program Files\SUPERAntiSpyware\SASWINLO.dll" ["SUPERAntiSpyware.com"]
<<!>> igfxcui\DLLName = "igfxdev.dll" ["Intel Corporation"]
HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]
HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
McCtxMenu\(Default) = "{01576F39-90DE-4D6E-A068-5B20C22BAAEE}"
-> {HKLM...CLSID} = "CtxMenu Class"
\InProcServer32\(Default) = "c:\PROGRA~1\mcafee\VIRUSS~1\mcctxmnu.dll" ["McAfee, Inc."]
HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
McCtxMenu\(Default) = "{01576F39-90DE-4D6E-A068-5B20C22BAAEE}"
-> {HKLM...CLSID} = "CtxMenu Class"
\InProcServer32\(Default) = "c:\PROGRA~1\mcafee\VIRUSS~1\mcctxmnu.dll" ["McAfee, Inc."]
Group Policies {policy setting}:
Note: detected settings may not have any effect.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\
"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Shutdown: Allow system to be shut down without having to log on}
"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Devices: Allow undock without having to log on}
Active Desktop and Wallpaper:
Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"
Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Eigenaar\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"
Enabled Screen Saver:
HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\system32\logon.scr" [MS]
Windows Portable Device AutoPlay Handlers
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\
MSWPDShellNamespaceHandler\
"Provider" = "@%SystemRoot%\System32\WPDShextRes.dll,-501"
"CLSID" = "{A55803CC-4D53-404c-8557-FD63DBA95D24}"
"InitCmdLine" = " "
-> {HKLM...CLSID} = "WPDShextAutoplay"
\LocalServer32\(Default) = "C:\WINDOWS\system32\WPDShextAutoplay.exe" [MS]
Picasa2ImportPicturesOnArrival\
"Provider" = "Picasa2"
"InvokeProgID" = "picasa2.autoplay"
"InvokeVerb" = "import"
HKLM\SOFTWARE\Classes\picasa2.autoplay\shell\import\command\(Default) = "C:\Program Files\Picasa2\Picasa2.exe "%1"" ["Google Inc."]
I let it run. And thanks for the effort.
Wout
And you do need to post your logs here, in your reply. You open the text file, like this Silent Runners Startup Programs (WOUTSPEELT22) 2008-06-08 14.33.16.txt log, copy all of the information in it, then right click and Paste in your reply to post the information. In Notepad - go to Edit - Select All, then Edit - Copy. Then here in your reply right click and select Paste. Very simple.
The information is needed to be here, where it can be worked with - I do my web searches this way so I can help you. I will post this new log again though:
"Silent Runners.vbs", revision 58, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"Picasa Media Detector" = "C:\Program Files\Picasa2\PicasaMediaDetector.exe" ["Google Inc."]
"SUPERAntiSpyware" = "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" ["SUPERAntiSpyware.com"]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"SoundMAXPnP" = "C:\Program Files\Analog Devices\Core\smax4pnp.exe" ["Analog Devices, Inc."]
"HP Software Update" = "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" ["Hewlett-Packard Co."]
"SiteAdvisor" = ""C:\Program Files\SiteAdvisor\6261\SiteAdv.exe"" ["McAfee, Inc."]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Inc."]
"mcagent_exe" = "C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey" ["McAfee, Inc."]
"McENUI" = "C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide" ["McAfee, Inc."]
"SPAMfighter Agent" = ""C:\Program Files\SPAMfighter\SFAgent.exe" update delay 60" ["SPAMfighter ApS"]
"Windows Defender" = ""C:\Program Files\Windows Defender\MSASCui.exe" -hide" [MS]
"SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"" ["Sun Microsystems, Inc."]
"Adobe Reader Speed Launcher" = ""C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"" ["Adobe Systems Incorporated"]
"igfxtray" = "C:\WINDOWS\system32\igfxtray.exe" ["Intel Corporation"]
"igfxhkcmd" = "C:\WINDOWS\system32\hkcmd.exe" ["Intel Corporation"]
"igfxpers" = "C:\WINDOWS\system32\igfxpers.exe" ["Intel Corporation"]
"68cab6d8" = "rundll32.exe "C:\WINDOWS\system32\vgoeofff.dll",b" [MS]
"BM6bf98544" = "Rundll32.exe "C:\WINDOWS\system32\yadxljtl.dll",s" [MS]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{089FD14D-132B-48FC-8861-0048AE113215}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\SiteAdvisor\6261\SiteAdv.dll" ["McAfee, Inc."]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll" ["Sun Microsystems, Inc."]
{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Google Toolbar Helper"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Configuratiescherm-uitbreiding Beeldscherm-panning"
-> {HKLM...CLSID} = "Configuratiescherm-uitbreiding Beeldscherm-panning"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal-pictogramuitbreiding"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "C:\DOCUME~1\Office\OLKFSTUB.DLL" [MS]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}" = "Microsoft AntiMalware ShellExecuteHook"
-> {HKLM...CLSID} = "Microsoft AntiMalware ShellExecuteHook"
\InProcServer32\(Default) = "C:\PROGRA~1\WIFD1F~1\MpShHook.dll" [MS]
<<!>> "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}" = (no title provided)
-> {HKLM...CLSID} = "SABShellExecuteHook Class"
\InProcServer32\(Default) = "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" ["SuperAdBlocker.com"]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
-> {HKLM...CLSID} = "WPDShServiceObj Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]
"ComponentUnknown" = "{762a98a3-d10c-4438-9507-89b14567d14e}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\Resources\ComponentUnknown.dll" [file not found]
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\
<<!>> "Authentication Packages" = "msv1_0"|"C:\WINDOWS\system32\urqPjIYo"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> !SASWinLogon\DLLName = "C:\Program Files\SUPERAntiSpyware\SASWINLO.dll" ["SUPERAntiSpyware.com"]
<<!>> igfxcui\DLLName = "igfxdev.dll" ["Intel Corporation"]
HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]
HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
McCtxMenu\(Default) = "{01576F39-90DE-4D6E-A068-5B20C22BAAEE}"
-> {HKLM...CLSID} = "CtxMenu Class"
\InProcServer32\(Default) = "c:\PROGRA~1\mcafee\VIRUSS~1\mcctxmnu.dll" ["McAfee, Inc."]
HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
McCtxMenu\(Default) = "{01576F39-90DE-4D6E-A068-5B20C22BAAEE}"
-> {HKLM...CLSID} = "CtxMenu Class"
\InProcServer32\(Default) = "c:\PROGRA~1\mcafee\VIRUSS~1\mcctxmnu.dll" ["McAfee, Inc."]
Group Policies {policy setting}:
Note: detected settings may not have any effect.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\
"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Shutdown: Allow system to be shut down without having to log on}
"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Devices: Allow undock without having to log on}
Active Desktop and Wallpaper:
Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"
Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Eigenaar\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"
Enabled Screen Saver:
HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\system32\logon.scr" [MS]
Windows Portable Device AutoPlay Handlers
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\
MSWPDShellNamespaceHandler\
"Provider" = "@%SystemRoot%\System32\WPDShextRes.dll,-501"
"CLSID" = "{A55803CC-4D53-404c-8557-FD63DBA95D24}"
"InitCmdLine" = " "
-> {HKLM...CLSID} = "WPDShextAutoplay"
\LocalServer32\(Default) = "C:\WINDOWS\system32\WPDShextAutoplay.exe" [MS]
Picasa2ImportPicturesOnArrival\
"Provider" = "Picasa2"
"InvokeProgID" = "picasa2.autoplay"
"InvokeVerb" = "import"
HKLM\SOFTWARE\Classes\picasa2.autoplay\shell\import\command\(Default) = "C:\Program Files\Picasa2\Picasa2.exe "%1"" ["Google Inc."]
Startup items in "Eigenaar" & "All Users" startup folders:
C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten
"Microsoft Office" -> shortcut to: "C:\Documents and Settings\Office\OSA9.EXE -b -l" [MS]
Enabled Scheduled Tasks:
"AppleSoftwareUpdate" -> launches: "C:\Program Files\Apple Software Update\SoftwareUpdate.exe -task" [file not found]
"McDefragTask" -> launches: "C:\WINDOWS\system32\defrag.exe C: -f" ["Microsoft Corp. and Executive Software International, Inc."]
"McQcTask" -> launches: "c:\program files\mcafee\mqc\QcConsol.exe 78 0" ["McAfee, Inc."]
"MP Scheduled Scan" -> launches: "C:\Program Files\Windows Defender\MpCmdRun.exe Scan -RestrictPrivileges" [MS]
"RegistrySmart Scheduled Scan" -> launches: "C:\Program Files\RegistrySmart\RegistrySmart.exe scheduled" [file not found]
"Uniblue SpeedUpMyPC Nag" -> launches: "C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe -s" [file not found]
"Uniblue SpeedUpMyPC" -> launches: "C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe -s" [file not found]
Winsock2 Service Provider DLLs:
Namespace Service Providers
HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
Transport Service Providers
HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 11
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05
Toolbars, Explorer Bars, Extensions:
Toolbars
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{F2CF5485-4E02-4F68-819C-B92DE9277049}"
-> {HKLM...CLSID} = "&Links"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\
"{0BF43445-2F28-4351-9252-17FE6E806AA0}" = "McAfee SiteAdvisor"
-> {HKLM...CLSID} = "McAfee SiteAdvisor"
\InProcServer32\(Default) = "C:\Program Files\SiteAdvisor\6261\SiteAdv.dll" ["McAfee, Inc."]
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided)
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]
Extensions (Tools menu items, main toolbar menu buttons)
HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC}"
-> {HKCU...CLSID} = "Java Plug-in 1.6.0_05"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll" ["Sun Microsystems, Inc."]
-> {HKLM...CLSID} = "Java Plug-in 1.6.0_05"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll" ["Sun Microsystems, Inc."]
{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]
Running Services (Display Name, Service Name, Path {Service DLL}):
McAfee Network Agent, McNASvc, ""c:\program files\common files\mcafee\mna\mcnasvc.exe"" ["McAfee, Inc."]
McAfee Personal Firewall Service, MpfService, ""C:\Program Files\McAfee\MPF\MPFSrv.exe"" ["McAfee, Inc."]
McAfee Proxy Service, McProxy, "c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe" ["McAfee, Inc."]
McAfee Real-time Scanner, McShield, "C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe" ["McAfee, Inc."]
McAfee Services, mcmscsvc, "C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe" ["McAfee, Inc."]
McAfee SystemGuards, McSysmon, "C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe" ["McAfee, Inc."]
SiteAdvisor Service, SiteAdvisor Service, ""C:\Program Files\SiteAdvisor\6261\SAService.exe"" ["McAfee, Inc."]
SPAMfighter Update Service, SPAMfighter Update Service, ""C:\Program Files\SPAMfighter\sfus.exe"" ["SPAMfighter ApS"]
Windows Defender, WinDefend, ""C:\Program Files\Windows Defender\MsMpEng.exe"" [MS]
Print Monitors:
HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
HP Standard TCP/IP Port\Driver = "HpTcpMon.dll" ["Hewlett Packard"]
hpzlnt12\Driver = "hpzlnt12.dll" ["HP"]
(launch time: 2008-06-08 14:33:16)
<<!>>: Suspicious data at a malware launch point.
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 33 seconds.
(total run time: 80 seconds)
These next steps have quite a few different steps to do. If you can copy the information here, and save that to look at as you do the steps.
To keep them from interfering with the repairs, be sure to temporarily disable all antivirus/anti-spyware softwares while these steps are being completed. This can usually be done through right clicking the software's Taskbar icons, or accessing each software through Start - Programs.
Then you will want to print or have other access to a copy of the next steps, as some will be done without net access or in Safe Mode.
Download SDFix.exe and save it to your desktop.
Then disconnect from net access. If cable/dsl physically disconnect the modem cable, if dial-up disconnect the phone line. This will keep infection from reinstalling right now.
===================================================
Reboot into Safe Mode (at startup tap the F8 key and select Safe Mode).
In Safe Mode, click the SDFix.exe and allow it to extract to it's own folder (C:\SDFix). Navigate to that folder and double click RunThis.bat to start the script.
Next type Y to begin the script. Once the fix has run it will prompt you to restart your computer. Press any key to restart at this time. Your system will take longer that normal to restart as the fixtool will be running and removing files.
When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
Then open the C:\SDFix folder and copy and paste the contents of the results file Report.txt back here.
=============================
After the reboot reconnect to net access and Download Malwarebytes' Anti-Malware from Here or Here.
Double Click mbam-setup.exe to install the application.
* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish,so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy and Paste the entire report in your next reply. If it calls for a reboot to complete the repairs do that as well then.
============================
Then Download Deckard's System Scanner (dss.exe) to your Desktop. Note: You must be logged onto an account with administrator privileges.
Making sure dss.exe is directly on your desktop, go to Start - Run, and copy/paste the following (then press OK):
"%userprofile%\desktop\dss.exe" /config
When the DSS Configuration display opens click the "Check All" button (if the "Uncheck All" button shows, click that, then click "Check All"). Next, Under Main Log, uncheck the following:
System Restore
Temp Cleanup
Process Modules
Then under Options, place a check next to the following:
Backup Registry Hives
Don't make any other changes at this time. Then click the "Scan!" button to start the scan.
Once the scan has completed a textbox will appear - copy/paste those contents back here (main.txt). Also a second text file, extra.txt, will show as minimized in your Task Bar. Maximize/Open this, and copy/paste those contents back here along with the main.txt please. (The logs can also be found in the C:\Deckard\System Scanner folder)
Post those along with the Malwarebytes log and the SDFix report.txt log please.
If you have problems getting the Deckards scan to run the way I posted you can use this instead.
Open Notepad (Start - Run, type Notepad then press OK), and copy the following and paste it into the open Notepad textbox.
Dim Wshshell, Desk Set Wshshell = Wscript.CreateObject("Wscript.shell") Desk = Wshshell.RegRead("HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Desktop") & "\" Wshshell.run Chr(34) & Desk & "dss.exe" & Chr(34) & " /config"Save this to your desktop as "dssrun.vbs"
Be sure to include the "" quotes in the name. Then click on dssrun.vbs and the Deckards display should open.
I hope this information will help.
Thanks, Wout Woltz, Holland
SDFix: Version 1.193
Run by Eigenaar on ma 16-06-2008 at 10:44
Microsoft Windows XP [versie 5.1.2600]
Running From: C:\DOCUME~1\Eigenaar\MIJNDO~1\SDFix
Checking Services :
Restoring Windows Registry Values
Restoring Windows Default Hosts File
Rebooting
Checking Files :
No Trojan Files Found
Folder C:\Documents and Settings\All Users\Application Data\SalesMon - Removed
Folder C:\WINDOWS\system32\824223 - Removed
Removing Temp Files
ADS Check :
Final Check :
catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-16 10:55:41
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
Remaining Services :
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe:*:Enabled:hpqste08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe:*:Enabled:hpofxm08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe:*:Enabled:hposfx08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe:*:Enabled:hposid01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe:*:Enabled:hpqscnvw.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe:*:Enabled:hpqcopy.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe:*:Enabled:hpfccopy.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe:*:Enabled:hpzwiz01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe:*:Enabled:hpqphunl.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe:*:Enabled:hpoews01.exe"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\WINDOWS\\system32\\usmt\\migwiz.exe"="C:\\WINDOWS\\system32\\usmt\\migwiz.exe:*:Enabled:Wizard Bestanden en instellingen overzetten"
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"="C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe:*:Enabled:McAfee Network Agent"
"C:\\Documents and Settings\\Eigenaar\\Local Settings\\Temp\\usmt\\migwiz.exe"="C:\\Documents and Settings\\Eigenaar\\Local Settings\\Temp\\usmt\\migwiz.exe:*:Disabled:Wizard Bestanden en instellingen overzetten"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
Remaining Files :
Files with Hidden Attributes :
Mon 17 Dec 2007 6,219,320 A..H. --- "C:\Program Files\Picasa2\setup.exe"
Mon 13 Sep 2004 4,639 A.SH. --- "C:\Program Files\Windows Media Player\mplayer2.exe"
Mon 13 Sep 2004 73,728 A.SH. --- "C:\Program Files\Windows Media Player\wmplayer.exe"
Sun 23 Mar 2008 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Thu 3 Apr 2008 20,487 A.SHR --- "C:\Program Files\McAfee\MQC\MRU.bak"
Thu 3 Apr 2008 265 A.SHR --- "C:\Program Files\McAfee\MQC\qcconf.bak"
Wed 13 Dec 2006 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Wed 14 May 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\27d4a83e15599dacf71be27edd0b072a\BIT3.tmp"
Sat 29 Dec 2007 14,749,216 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\6ffbed0407a315e9775fdcc40c4385ad\BITB4.tmp"
Thu 8 May 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\a282fd7b00204b775909f4664bd74484\BIT4.tmp"
Thu 10 Apr 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\a7b63628b39fd8bdb7e535e34d0ea696\BIT2.tmp"
Mon 19 Mar 2007 27,136 ...H. --- "C:\Documents and Settings\Eigenaar\Application Data\Microsoft\Templates\~WRL3124.tmp"
Tue 10 Apr 2007 375,808 ...H. --- "C:\Documents and Settings\Eigenaar\Application Data\Microsoft\Word\~WRL0005.tmp"
Wed 18 Apr 2007 19,968 ...H. --- "C:\Documents and Settings\Eigenaar\Application Data\Microsoft\Word\~WRL0006.tmp"
Tue 10 Apr 2007 374,784 ...H. --- "C:\Documents and Settings\Eigenaar\Application Data\Microsoft\Word\~WRL1572.tmp"
Sun 23 Mar 2008 4,348 ...H. --- "C:\Documents and Settings\Eigenaar\Mijn documenten\Mijn muziek\Back-up van licentie\drmv1key.bak"
Mon 24 Mar 2008 20 A..H. --- "C:\Documents and Settings\Eigenaar\Mijn documenten\Mijn muziek\Back-up van licentie\drmv1lic.bak"
Sun 23 Mar 2008 312 ...H. --- "C:\Documents and Settings\Eigenaar\Mijn documenten\Mijn muziek\Back-up van licentie\drmv2key.bak"
Mon 24 Mar 2008 1,536 A..H. --- "C:\Documents and Settings\Eigenaar\Mijn documenten\Mijn muziek\Back-up van licentie\drmv2lic.bak"
Finished!
Malwarebytes' Anti-Malware 1.17
Database versie: 859
11:57:52 16-6-2008
mbam-log-6-16-2008 (11-57-52).txt
Scan type: Snelle Scan
Objecten gescand: 42367
Verstreken tijd: 19 minute(s), 38 second(s)
Geheugenprocessen geïnfecteerd: 0
Geheugenmodulen geïnfecteerd: 0
Registersleutels geïnfecteerd: 13
Registerwaarden geïnfecteerd: 4
Registerdata bestanden geïnfecteerd: 0
Mappen geïnfecteerd: 13
Bestanden geïnfecteerd: 23
Geheugenprocessen geïnfecteerd:
(Geen kwaadaardige items gevonden)
Geheugenmodulen geïnfecteerd:
(Geen kwaadaardige items gevonden)
Registersleutels geïnfecteerd:
HKEY_CLASSES_ROOT\labelcommand.labelcommand (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\labelcommand.labelcommand.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{8b8df25f-2c47-4473-8e1c-7f54ac7ef481} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{7c4bcd17-bdba-4078-9d8c-8ca8b7eabe77} (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\gktxaspm.bvwm (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{392d96eb-4548-4f7d-b204-e0ed139c88a2} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{cd36f5bd-425f-4e81-99b9-bd527f658277} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{3f8febf0-4a50-4420-904c-52b90054223e} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{a825b3f7-6d09-4e4b-89a3-0dc05c0121fe} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\RegistrySmart (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
Registerwaarden geïnfecteerd:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{0983040a-984f-4bef-bebe-d3d3342d3954} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\C:\Program Files\RegistrySmart\ (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\68cab6d8 (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BM6bf98544 (Trojan.Agent) -> Quarantined and deleted successfully.
Registerdata bestanden geïnfecteerd:
(Geen kwaadaardige items gevonden)
Mappen geïnfecteerd:
C:\Program Files\RegistrySmart (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Program Files\KvmSecure (Rogue.KVMSecure) -> Quarantined and deleted successfully.
C:\Program Files\KvmSecure\Infected (Rogue.KVMSecure) -> Quarantined and deleted successfully.
C:\Program Files\KvmSecure\Suspicious (Rogue.KVMSecure) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\PCPrivacyTool (Rogue.PCPrivacyTool) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited (Rogue.MalWarrior) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect (Rogue.MalWarrior) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect\BASE (Rogue.MalWarrior) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect\DELETED (Rogue.MalWarrior) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect\LOG (Rogue.MalWarrior) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect\SAVED (Rogue.MalWarrior) -> Quarantined and deleted successfully.
C:\Documents and Settings\Eigenaar\Application Data\RegistrySmart (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\Eigenaar\Application Data\RegistrySmart\Log (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
Bestanden geïnfecteerd:
C:\Program Files\KvmSecure\KvmSecure.exe (Rogue.KVMSecure) -> Quarantined and deleted successfully.
C:\Program Files\KvmSecure\vscan.tsi (Rogue.KVMSecure) -> Quarantined and deleted successfully.
C:\Program Files\KvmSecure\zlib.dll (Rogue.KVMSecure) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\PCPrivacyTool\Abbr (Rogue.PCPrivacyTool) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\PCPrivacyTool\prod_code (Rogue.PCPrivacyTool) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect\LOG\20080522043919546.log (Rogue.MalWarrior) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect\LOG\20080522044204984.log (Rogue.MalWarrior) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect\LOG\20080522060043234.log (Rogue.MalWarrior) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect\LOG\20080522103448140.log (Rogue.MalWarrior) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect\LOG\20080522103608218.log (Rogue.MalWarrior) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect\LOG\20080522103646953.log (Rogue.MalWarrior) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect\LOG\20080522144127609.log (Rogue.MalWarrior) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect\LOG\20080522150723205.log (Rogue.MalWarrior) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect\LOG\20080522163315218.log (Rogue.MalWarrior) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect\LOG\20080522164117111.log (Rogue.MalWarrior) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect\LOG\20080523115907406.log (Rogue.MalWarrior) -> Quarantined and deleted successfully.
C:\Documents and Settings\Eigenaar\Application Data\RegistrySmart\Log\2008 Jan 21 - 02_29_59 PM_906.log (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\Eigenaar\Application Data\RegistrySmart\Log\2008 Jan 21 - 02_30_05 PM_140.log (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\Eigenaar\Application Data\RegistrySmart\Log\2008 Jan 21 - 10_18_23 AM_046.log (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\Eigenaar\Application Data\RegistrySmart\Log\2008 Jan 21 - 10_18_42 AM_500.log (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\Eigenaar\Application Data\Microsoft\Internet Explorer\Quick Launch\KvmSecure.lnk (Rogue.KVMSecure) -> Quarantined and deleted successfully.
C:\WINDOWS\cookies.ini (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\clkcnt.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
Malwarebytes' Anti-Malware 1.17
Database versie: 859
11:57:52 16-6-2008
mbam-log-6-16-2008 (11-57-52).txt
Scan type: Snelle Scan
Objecten gescand: 42367
Verstreken tijd: 19 minute(s), 38 second(s)
Geheugenprocessen geïnfecteerd: 0
Geheugenmodulen geïnfecteerd: 0
Registersleutels geïnfecteerd: 13
Registerwaarden geïnfecteerd: 4
Registerdata bestanden geïnfecteerd: 0
Mappen geïnfecteerd: 13
Bestanden geïnfecteerd: 23
Geheugenprocessen geïnfecteerd:
(Geen kwaadaardige items gevonden)
Geheugenmodulen geïnfecteerd:
(Geen kwaadaardige items gevonden)
Registersleutels geïnfecteerd:
HKEY_CLASSES_ROOT\labelcommand.labelcommand (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\labelcommand.labelcommand.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{8b8df25f-2c47-4473-8e1c-7f54ac7ef481} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{7c4bcd17-bdba-4078-9d8c-8ca8b7eabe77} (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\gktxaspm.bvwm (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{392d96eb-4548-4f7d-b204-e0ed139c88a2} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{cd36f5bd-425f-4e81-99b9-bd527f658277} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{3f8febf0-4a50-4420-904c-52b90054223e} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{a825b3f7-6d09-4e4b-89a3-0dc05c0121fe} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\RegistrySmart (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
Registerwaarden geïnfecteerd:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{0983040a-984f-4bef-bebe-d3d3342d3954} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\C:\Program Files\RegistrySmart\ (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\68cab6d8 (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BM6bf98544 (Trojan.Agent) -> Quarantined and deleted successfully.
Registerdata bestanden geïnfecteerd:
(Geen kwaadaardige items gevonden)
Mappen geïnfecteerd:
C:\Program Files\RegistrySmart (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Program Files\KvmSecure (Rogue.KVMSecure) -> Quarantined and deleted successfully.
C:\Program Files\KvmSecure\Infected (Rogue.KVMSecure) -> Quarantined and deleted successfully.
C:\Program Files\KvmSecure\Suspicious (Rogue.KVMSecure) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\PCPrivacyTool (Rogue.PCPrivacyTool) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited (Rogue.MalWarrior) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect (Rogue.MalWarrior) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect\BASE (Rogue.MalWarrior) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect\DELETED (Rogue.MalWarrior) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect\LOG (Rogue.MalWarrior) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect\SAVED (Rogue.MalWarrior) -> Quarantined and deleted successfully.
C:\Documents and Settings\Eigenaar\Application Data\RegistrySmart (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\Eigenaar\Application Data\RegistrySmart\Log (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
Bestanden geïnfecteerd:
C:\Program Files\KvmSecure\KvmSecure.exe (Rogue.KVMSecure) -> Quarantined and deleted successfully.
C:\Program Files\KvmSecure\vscan.tsi (Rogue.KVMSecure) -> Quarantined and deleted successfully.
C:\Program Files\KvmSecure\zlib.dll (Rogue.KVMSecure) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\PCPrivacyTool\Abbr (Rogue.PCPrivacyTool) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\PCPrivacyTool\prod_code (Rogue.PCPrivacyTool) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect\LOG\20080522043919546.log (Rogue.MalWarrior) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect\LOG\20080522044204984.log (Rogue.MalWarrior) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect\LOG\20080522060043234.log (Rogue.MalWarrior) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect\LOG\20080522103448140.log (Rogue.MalWarrior) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect\LOG\20080522103608218.log (Rogue.MalWarrior) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect\LOG\20080522103646953.log (Rogue.MalWarrior) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect\LOG\20080522144127609.log (Rogue.MalWarrior) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect\LOG\20080522150723205.log (Rogue.MalWarrior) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect\LOG\20080522163315218.log (Rogue.MalWarrior) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect\LOG\20080522164117111.log (Rogue.MalWarrior) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect\LOG\20080523115907406.log (Rogue.MalWarrior) -> Quarantined and deleted successfully.
C:\Documents and Settings\Eigenaar\Application Data\RegistrySmart\Log\2008 Jan 21 - 02_29_59 PM_906.log (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\Eigenaar\Application Data\RegistrySmart\Log\2008 Jan 21 - 02_30_05 PM_140.log (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\Eigenaar\Application Data\RegistrySmart\Log\2008 Jan 21 - 10_18_23 AM_046.log (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\Eigenaar\Application Data\RegistrySmart\Log\2008 Jan 21 - 10_18_42 AM_500.log (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\Eigenaar\Application Data\Microsoft\Internet Explorer\Quick Launch\KvmSecure.lnk (Rogue.KVMSecure) -> Quarantined and deleted successfully.
C:\WINDOWS\cookies.ini (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\clkcnt.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
Run by Eigenaar on 2008-06-16 18:12:14
Computer is in Normal Mode.
Total Physical Memory: 510 MiB (512 MiB recommended).
-- HijackThis (run as Eigenaar.exe)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:12:21, on 16-6-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\SiteAdvisor\6261\SiteAdv.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\SPAMfighter\SFAgent.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\cisvc.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\SiteAdvisor\6261\SAService.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\SPAMfighter\sfus.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\Eigenaar\Mijn documenten\dockards.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Eigenaar.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SiteAdvisor] "C:\Program Files\SiteAdvisor\6261\SiteAdv.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [SPAMfighter Agent] "C:\Program Files\SPAMfighter\SFAgent.exe" update delay 60
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Documents and Settings\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.hotmail.com
O15 - Trusted Zone: *.live.com
O15 - Trusted Zone: *.msn.com
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1200522697418
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: ComponentUnknown - {762a98a3-d10c-4438-9507-89b14567d14e} - C:\WINDOWS\Resources\ComponentUnknown.dll (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6261\SAService.exe
O23 - Service: SPAMfighter Update Service - SPAMfighter ApS - C:\Program Files\SPAMfighter\sfus.exe
--
End of file - 7446 bytes
-- Files created between 2008-05-16 and 2008-06-16
2008-06-16 11:33:31 0 d
C:\Documents and Settings\Eigenaar\Application Data\Malwarebytes
2008-06-16 11:33:28 0 d
C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-16 11:33:27 0 d
C:\Program Files\Malwarebytes' Anti-Malware
2008-06-16 10:40:58 0 d
C:\WINDOWS\ERUNT
2008-06-16 10:33:41 0 d
C:\ SDFixe.exe
2008-06-07 20:36:40 0 d
C:\Program Files\Trend Micro
2008-06-04 15:47:55 0 d
C:\Program Files\Common Files\Wise Installation Wizard
2008-06-03 18:03:11 53248 --a
C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2008-05-31 17:10:59 0 d
C:\c439dd0af753c1470a4fc2fb88
2008-05-26 11:23:18 168960 --a
C:\WINDOWS\evyrtd7.dll <Not Verified; Novell, Inc.; Envoy 7 For Windows 95>
2008-05-26 11:23:17 1947648 --a
C:\WINDOWS\evyrte7.exe <Not Verified; Novell, Inc.; Envoy 7 For Windows 95>
2008-05-26 10:19:24 0 d
C:\WINDOWS\Prefetch
2008-05-26 08:47:11 7168 --a
C:\WINDOWS\system32\bitsprx4.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-05-26 08:42:38 1845376 --a
C:\WINDOWS\system32\win32k.sys <Not Verified; Microsoft Corporation; Besturingssysteem Microsoft® Windows®>
2008-05-26 08:41:33 0 d
C:\WINDOWS\EHome
2008-05-25 22:42:35 0 d
C:\WINDOWS\system32\CatRoot_bak
2008-05-25 14:13:32 3402 --a
C:\WINDOWS\system32\tmp.reg
2008-05-25 14:11:10 82944 --a
C:\WINDOWS\system32\404Fix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-05-25 14:11:09 25600 --a
C:\WINDOWS\system32\WS2Fix.exe
2008-05-25 14:11:09 86528 --a
C:\WINDOWS\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-05-25 14:11:09 82944 --a
C:\WINDOWS\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-05-25 14:11:08 289144 --a
C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
2008-05-25 14:11:08 288417 --a
C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-05-25 14:11:08 51200 --a
C:\WINDOWS\system32\dumphive.exe
2008-05-24 16:28:58 0 d
C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-24 16:28:02 0 d
C:\Program Files\SUPERAntiSpyware
2008-05-24 16:28:02 0 d
C:\Documents and Settings\Eigenaar\Application Data\SUPERAntiSpyware.com
2008-05-24 09:22:53 0 d
C:\Documents and Settings\Eigenaar\Application Data\ParetoLogic
2008-05-24 09:22:36 0 d
C:\Documents and Settings\All Users\Application Data\ParetoLogic
2008-05-24 09:21:51 0 d
C:\Documents and Settings\All Users\Application Data\Downloaded Installations
2008-05-24 09:15:40 0 d
C:\Documents and Settings\Administrator\Bureaublad
2008-05-24 09:15:40 0 dr-h
C:\Documents and Settings\Administrator\Application Data
2008-05-24 09:15:40 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-05-24 09:15:39 0 d--h
C:\Documents and Settings\Administrator\Sjablonen
2008-05-24 09:15:39 0 dr-h
C:\Documents and Settings\Administrator\SendTo
2008-05-24 09:15:39 0 d--h
C:\Documents and Settings\Administrator\Onlangs geopend
2008-05-24 09:15:39 0 d--h
C:\Documents and Settings\Administrator\Netwerkprinteromgeving
2008-05-24 09:15:39 0 d--h
C:\Documents and Settings\Administrator\NetHood
2008-05-24 09:15:39 0 d
C:\Documents and Settings\Administrator\Mijn documenten
2008-05-24 09:15:39 0 dr
C:\Documents and Settings\Administrator\Menu Start
2008-05-24 09:15:39 0 d--h
C:\Documents and Settings\Administrator\Local Settings
2008-05-24 09:15:39 0 d
C:\Documents and Settings\Administrator\Favorieten
2008-05-24 09:15:39 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2008-05-24 09:15:38 303104 --ah
C:\Documents and Settings\Administrator\NTUSER.DAT
2008-05-22 18:56:30 0 d
C:\Documents and Settings\NetworkService\Bureaublad
2008-05-22 18:56:30 0 d
C:\Documents and Settings\NetworkService\Application Data\SiteAdvisor
2008-05-22 17:12:50 0 d--hs---- C:\USMT.TMP
2008-05-22 04:39:26 0 d
C:\Program Files\LabelCommand
2008-05-22 04:34:36 0 d
C:\Documents and Settings\Eigenaar\Application Data\TmpRecentIcons
2008-05-21 22:56:28 228632 --ahs---- C:\WINDOWS\system32\oYIjPqru.ini2
2008-05-21 19:06:27 0 d
C:\9f991bcf8a2e555216ae9d3792164eed
2008-05-21 18:02:12 0 d
C:\Program Files\Common Files\Symantec Shared
-- Find3M Report
2008-06-16 17:03:09 0 d
C:\Program Files\SPAMfighter
2008-06-05 16:50:40 0 d
C:\Documents and Settings\Eigenaar\Application Data\SiteAdvisor
2008-06-04 15:47:55 0 d
C:\Program Files\Common Files
2008-05-26 11:24:32 10 --a
C:\WINDOWS\evypaths.bin
2008-05-26 10:10:07 0 d
C:\Program Files\Messenger
2008-05-26 10:00:55 0 d
C:\Program Files\Windows NT
2008-05-26 10:00:39 0 d
C:\Program Files\Movie Maker
2008-05-26 07:48:04 462262 --a
C:\WINDOWS\system32\perfh013.dat
2008-05-26 07:48:04 78822 --a
C:\WINDOWS\system32\perfc013.dat
2008-05-23 22:18:37 0 d
C:\Program Files\SiteAdvisor
2008-05-22 17:57:46 22920 --a
C:\WINDOWS\system32\emptyregdb.dat
-- Registry Dump
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [14-10-2004 16:42]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [12-05-2005 00:12]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6261\SiteAdv.exe" [10-08-2006 21:38]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [26-11-2007 21:37]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [03-08-2007 23:33]
"McENUI"="C:\PROGRA~1\McAfee\MHN\McENUI.exe" [30-11-2007 05:42]
"SPAMfighter Agent"="C:\Program Files\SPAMfighter\SFAgent.exe" [02-01-2008 18:03]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [03-11-2006 20:20]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [22-02-2008 05:25]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [11-01-2008 23:16]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [20-09-2005 10:35]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [20-09-2005 10:32]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [20-09-2005 10:36]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [13-09-2004 22:01]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [23-10-2007 23:18]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [04-06-2008 18:18]
C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\
Microsoft Office.lnk - C:\Documents and Settings\Office\OSA9.EXE [18-2-1999 6:05:56]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [13-05-2008 10:13 77824]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"ComponentUnknown"= {762a98a3-d10c-4438-9507-89b14567d14e} - C:\WINDOWS\Resources\ComponentUnknown.dll [ ]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 19-04-2007 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\urqPjIYo
"Notification Packages"= scecli
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
-- End of Deckard's System Scanner: finished at 2008-06-16 18:15:05
Good progress so far, and much of the active infection is removed. Some more to correct, then a new scan after.
To keep them from interfering with the repairs, be sure to temporarily disable all antivirus/anti-spyware softwares while these steps are being completed. This can usually be done through right clicking the software's Taskbar icons, or accessing each software through Start - Programs.
Open Notepad (Start - Run, type notepad and OK) and copy and paste the above text (inside the box) into the text file. Now go to File > Save As and call it fixer.reg. Where it says "Files of Type", select All Files and click on Save. Exit Notepad, double-click on the file and ok the prompt asking if you wish to merge the file with your registry.
Close Internet Explorer and all running programs and run a scan in HijackThis. Place a check next to all of the following lines, then select “Fix Checked” and close HijackThis.
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O21 - SSODL: ComponentUnknown - {762a98a3-d10c-4438-9507-89b14567d14e} - C:\WINDOWS\Resources\ComponentUnknown.dll (file missing)
Download OTMoveIt2 by OldTimer to your desktop.
Then click OTMoveIt2.exe to run it (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator").
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C, or right-click and choose Copy):
Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window and select Paste. Then click the red MoveIt! button. A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder, in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose "Yes".
Then go here and run the Kaspersky online scan, and post back the log it creates (it requires IE).
To use the scan, accept the agreement and make sure you allow the ActiveX object to download and install (check the "yellow bar" at the top of IE if needed to allow this). Once the download has completed click Next, then Scan Settings, then make sure the "extended option" is checked (leave all others as they are) and click OK. Then click "My Computer" to begin the scan. Save the Report as a text file and post that back here.
To save it as a text file, still with the page in Internet Explorer, go to the top of the page and select File - Save As... Then make sure in the "Save as type" drop down you change it to "Text File(*.txt)".
These Kaspersky steps are not quite accurate - Kaspersky made some recent changes I have not corrected for. But you should have no problem using the scan.
Then still making sure dss.exe is directly on your desktop, go to Start - Run, and copy/paste the following (then press OK):
"%userprofile%\desktop\dss.exe" /config
Or use the dssrun.vbs file if you need to.
When the DSS Configuration display opens click the "Check All" button. Next, under Main Log, again uncheck the following:
System Restore
Temp Cleanup
Process Modules
Then under Extra Log, uncheck all the boxes.
Don't make any other changes at this time. Then click the "Scan!" button to start the scan.
Once the scan has completed a textbox will appear - copy/paste those contents back here please (main.txt). (The logs can also be found in the C:\Deckard\System Scanner folder)
Post that along with the OTMoveIt log and the Kaspersky log please.
It is stupid, but I am stuck. I did the registry thing, but now I have the line in Movelt you mention, in notebook, but I can not open it. If you are not fed up: what shall I do? Jump from bridge or enter monastry?
Wout
If you copy from the post, then click in the OTMoveIt textbox, and press the Ctrl key and the V key at the same time, the line should then show in OTMoveIt.
Infections can change and fresh instructions will now need to be given. If you wish to reopen your topic, please send a Private Message (PM) to Trogan with a link to your thread.
If you are not the user who started this thread, you must start your own Thread instead