problems with userinit.exe on my laptop
iceroyale
Newbie
3. August 2008 @ 12:28
hey,

Just now, my laptop started saying that userinit.exe couldn't be started normally, and I had to press OK to stop the application. After that, it just loads my background and nothing else. I can't do anything except open up the Task Manager. Can anyone help me with this? Also, lately my laptop has been getting slower. Could be related.
AfterDawn Addict
5. August 2008 @ 04:49
Hi iceroyale,

First, repair your system files.

To repair your system you will need to run SFC /scannow.
For instructions go to:

http://www.bleepingcomputer.com/forums/topic43051.html
or
http://www.updatexp.com/scannow-sfc.html



There are three kinds of men: The ones that learn by reading; The few who learn by observation;
The rest of them have to pee on the electric fence and find out for themselves...
iceroyale
Newbie
5. August 2008 @ 06:44
OK, doing that. (It took me a while to figure out I couldn't run it in Safe Mode :S.) I am also scanning with Malwarebytes' Anti-Malware; I'll post the log when it's done.
iceroyale
Newbie
5. August 2008 @ 09:36
OK, here's the log (only the 2nd log; the first scan didn't save its log for some reason):

Malwarebytes' Anti-Malware 1.24
Database version: 1012
Windows 5.1.2600 Service Pack 2

15:31:49 5/08/2008
mbam-log-8-5-2008 (15-31-49).txt

Scan type: Full Scan (C:\|)
Objects scanned: 109660
Time elapsed: 45 minute(s), 1 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 3
Registry Keys Infected: 12
Registry Values Infected: 4
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 31

Memory Processes Infected:
c:\WINDOWS\system32\rwwnw64d.exe (Adware.ZenoSearch) -> Unloaded process successfully.

Memory Modules Infected:
C:\WINDOWS\system32\hncljryg.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\yayxxuSL.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\efcBsQIy.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1b332032-2b25-4767-bbe7-0d86acb43cce} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{1b332032-2b25-4767-bbe7-0d86acb43cce} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{c5e84927-cff0-4ca3-a068-02e7c01c1e7c} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c5e84927-cff0-4ca3-a068-02e7c01c1e7c} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\efcbsqiy (Trojan.Vundo) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Plate (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\MySidesearch (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\84315332 (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{c5e84927-cff0-4ca3-a068-02e7c01c1e7c} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bm870260ae (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{15-53-39-9d-dw} (Adware.ZenoSearch) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo) -> Data: c:\windows\system32\yayxxusl -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\yayxxusl -> Delete on reboot.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\yayxxuSL.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\LSuxxyay.ini (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\LSuxxyay.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hncljryg.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\gyrjlcnh.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\efcBsQIy.dll (Trojan.Vundo) -> Delete on reboot.
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\LSY9SDMT\kb456456[1] (Trojan.Vundo) -> Delete on reboot.
C:\System Volume Information\_restore{CF87C584-A35B-4B50-B3B9-C4A4EECA13E6}\RP48\A0018711.dll (Adware.Rabio) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CF87C584-A35B-4B50-B3B9-C4A4EECA13E6}\RP48\A0018710.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CF87C584-A35B-4B50-B3B9-C4A4EECA13E6}\RP48\A0018712.exe (Adware.Rabio) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CF87C584-A35B-4B50-B3B9-C4A4EECA13E6}\RP48\A0018713.dll (Adware.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CF87C584-A35B-4B50-B3B9-C4A4EECA13E6}\RP48\A0018714.exe (Adware.Rabio) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CF87C584-A35B-4B50-B3B9-C4A4EECA13E6}\RP48\A0018715.exe (Adware.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CF87C584-A35B-4B50-B3B9-C4A4EECA13E6}\RP48\A0018716.exe (Adware.ZenoSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CF87C584-A35B-4B50-B3B9-C4A4EECA13E6}\RP48\A0018717.exe (Adware.ISM) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CF87C584-A35B-4B50-B3B9-C4A4EECA13E6}\RP48\A0018718.exe (Adware.Rabio) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CF87C584-A35B-4B50-B3B9-C4A4EECA13E6}\RP48\A0018720.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CF87C584-A35B-4B50-B3B9-C4A4EECA13E6}\RP48\A0018721.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CF87C584-A35B-4B50-B3B9-C4A4EECA13E6}\RP48\A0018722.exe (Adware.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CF87C584-A35B-4B50-B3B9-C4A4EECA13E6}\RP48\A0018723.exe (Adware.BHO) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CF87C584-A35B-4B50-B3B9-C4A4EECA13E6}\RP48\A0018724.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CF87C584-A35B-4B50-B3B9-C4A4EECA13E6}\RP48\A0018725.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CF87C584-A35B-4B50-B3B9-C4A4EECA13E6}\RP48\A0018726.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CF87C584-A35B-4B50-B3B9-C4A4EECA13E6}\RP48\A0018727.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CF87C584-A35B-4B50-B3B9-C4A4EECA13E6}\RP48\A0018728.dll (Adware.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kjjbpjfy.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\msnav32.ax (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rwwnw64d.exe (Adware.ZenoSearch) -> Quarantined and deleted successfully.
C:\Install (Rogue.Multiple) -> Delete on reboot.
C:\WINDOWS\BM870260ae.xml (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BM870260ae.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
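One way to triage a Malwarebytes log like the one posted above, written here as an added example for this thread (it is not a Malwarebytes tool or anything from the forum): it parses the detection lines into records, counts hits per malware family, lists what is still pending "Delete on reboot", and flags registry items that sit in autostart locations (Run, Winlogon\Notify, LSA packages, Browser Helper Objects, ShellExecuteHooks), which are the entries worth re-checking after the reboot. The embedded sample is a constructed excerpt in the same log format, not the full log.

```python
import re
from collections import Counter

# Constructed excerpt in the format of the Malwarebytes' Anti-Malware 1.x log
# posted in the thread; it is not the full log.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.24
Database version: 1012
Windows 5.1.2600 Service Pack 2

Memory Processes Infected: 1
Registry Keys Infected: 2

Memory Processes Infected:
c:\WINDOWS\system32\rwwnw64d.exe (Adware.ZenoSearch) -> Unloaded process successfully.

Memory Modules Infected:
C:\WINDOWS\system32\hncljryg.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\efcbsqiy (Trojan.Vundo) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Plate (Adware.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\yayxxusl -> Delete on reboot.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\yayxxuSL.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\BM870260ae.xml (Trojan.Vundo) -> Quarantined and deleted successfully.
"""

# One detection line: "<item> (<Family.Name>) -> [Data: <x> -> ]<action>."
ITEM_RE = re.compile(r"^(?P<item>.+?) \((?P<detection>[A-Za-z0-9._-]+)\) -> (?P<rest>.+)$")

# Registry locations that load code at boot or logon (lower-cased substrings).
AUTOSTART_MARKERS = (
    "\\currentversion\\run\\",
    "\\winlogon\\notify\\",
    "\\lsa\\notification packages",
    "\\lsa\\authentication packages",
    "\\browser helper objects\\",
    "\\shellexecutehooks\\",
)


def parse_mbam_log(text):
    """Return one dict per detection line, tagged with the log section it came from."""
    records, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("Infected:"):          # section header such as "Files Infected:"
            section = line[:-1]
            continue
        m = ITEM_RE.match(line)
        if not m or section is None:
            continue                            # banner, summary count or placeholder line
        parts = m.group("rest").split(" -> ")   # "Data: <x> -> <action>" or just "<action>"
        data = parts[0][len("Data: "):] if len(parts) > 1 and parts[0].startswith("Data: ") else None
        records.append({
            "section": section,
            "item": m.group("item"),
            "detection": m.group("detection"),
            "data": data,
            "action": parts[-1].rstrip("."),
        })
    return records


def count_by_family(records):
    """Detections per malware family, e.g. {'Trojan.Vundo': 5, ...}."""
    return Counter(r["detection"] for r in records)


def pending_reboot(records):
    """Items the scanner could not remove while running; they stay active until the reboot."""
    return [r for r in records if r["action"].lower().startswith("delete on reboot")]


def persistence_hits(records):
    """Registry items in autostart locations: confirm these are really gone after the reboot."""
    return [r for r in records
            if r["section"].startswith("Registry")
            and any(marker in r["item"].lower() for marker in AUTOSTART_MARKERS)]


if __name__ == "__main__":
    recs = parse_mbam_log(SAMPLE_LOG)
    print("detections per family:", dict(count_by_family(recs)))
    print("pending reboot:", [r["item"] for r in pending_reboot(recs)])
    print("autostart registry items:", [r["item"] for r in persistence_hits(recs)])
```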
AfterDawn Addict
5. August 2008 @ 09:48
Hi iceroyale,

Looks like you've got a Vundo. Malwarebytes usually doesn't get it all, so let's do the following:

Download ComboFix from Here to your Desktop.
• Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files, which may cause "unpredictable results".
• Double click combofix.exe and follow the prompts.
• When finished, it shall produce a log for you. Post the ComboFix log and a HijackThis log in your next reply.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


2OG

Be sure to include a HJT Log......
iceroyale
Newbie
5. August 2008 @ 12:28
ComboFix log (sorry that it's in Dutch):
ComboFix 08-08-04.06 - User 2008-08-05 18:19:23.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1043.18.193 [GMT 2:00]
Gestart vanuit: C:\Documents and Settings\User\Bureaublad\ComboFix.exe
* Nieuw herstelpunt werd aangemaakt

WAARSCHUWING - DE RECOVERY CONSOLE IS NIET OP DIT SYSTEEM GEINSTALLEERD !!
.

(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\User\Menu Start\Programma's\Opstarten\Deewoo.lnk
C:\Documents and Settings\User\Menu Start\Programma's\Opstarten\DW_Start.lnk
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\aafvaxbq.dll
C:\WINDOWS\system32\cgjjqrvn.ini
C:\WINDOWS\system32\cyntfbpe.dll
C:\WINDOWS\system32\evsjqfvk.dll
C:\WINDOWS\system32\gdyfbg.dll
C:\WINDOWS\system32\glrdck.dll
C:\WINDOWS\system32\kdyvkjnt.dll
C:\WINDOWS\system32\klgbtdos.dll
C:\WINDOWS\system32\ksrehs.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mseoukmx.dll
C:\WINDOWS\system32\msrffrmg.ini
C:\WINDOWS\system32\nrwovt.dll
C:\WINDOWS\system32\riqjblch.ini
C:\WINDOWS\system32\rjkbmivb.dll
C:\WINDOWS\system32\rswnw64q.exe
C:\WINDOWS\system32\ubxwyw.dll
C:\WINDOWS\system32\uggsjuev.dll
C:\WINDOWS\system32\xjqilw.dll
C:\WINDOWS\system32\yinkuufh.dll
C:\WINDOWS\system32\ypskbrnu.ini
C:\WINDOWS\system32\zwzhbq.dll

.
(((((((((((((((((((( Bestanden Gemaakt van 2008-07-05 to 2008-08-05 ))))))))))))))))))))))))))))))
.

2008-08-05 18:15 . 2008-08-05 18:15 268 --ah----- C:\sqmdata03.sqm
2008-08-05 18:15 . 2008-08-05 18:15 244 --ah----- C:\sqmnoopt03.sqm
2008-08-05 15:37 . 2008-08-05 15:37 268 --ah----- C:\sqmdata02.sqm
2008-08-05 15:37 . 2008-08-05 15:37 244 --ah----- C:\sqmnoopt02.sqm
2008-08-05 13:14 . 2004-08-04 01:03 116,736 --a--c--- C:\WINDOWS\system32\dllcache\xrxwiadr.dll
2008-08-05 13:14 . 2001-09-06 21:27 23,040 --a--c--- C:\WINDOWS\system32\dllcache\xrxwbtmp.dll
2008-08-05 13:13 . 2001-09-06 21:27 99,865 --a--c--- C:\WINDOWS\system32\dllcache\xlog.exe
2008-08-05 13:13 . 2001-09-06 21:27 27,648 --a--c--- C:\WINDOWS\system32\dllcache\xrxftplt.exe
2008-08-05 13:13 . 2004-08-03 22:29 19,455 --a--c--- C:\WINDOWS\system32\dllcache\wvchntxx.sys
2008-08-05 13:13 . 2004-08-03 23:10 19,328 --a--c--- C:\WINDOWS\system32\dllcache\wstcodec.sys
2008-08-05 13:13 . 2001-09-06 21:27 17,408 --a--c--- C:\WINDOWS\system32\dllcache\xrxscnui.dll
2008-08-05 13:13 . 2001-08-17 20:11 16,970 --a--c--- C:\WINDOWS\system32\dllcache\xem336n5.sys
2008-08-05 13:13 . 2004-08-03 22:29 12,063 --a--c--- C:\WINDOWS\system32\dllcache\wsiintxx.sys
2008-08-05 13:13 . 2004-08-03 23:07 8,832 --a--c--- C:\WINDOWS\system32\dllcache\wmiacpi.sys
2008-08-05 13:13 . 2001-09-06 21:27 4,608 --a--c--- C:\WINDOWS\system32\dllcache\xrxflnch.exe
2008-08-05 13:11 . 2001-08-17 21:28 604,253 --a--c--- C:\WINDOWS\system32\dllcache\vmodem.sys
2008-08-05 13:10 . 2001-08-17 21:28 794,654 --a--c--- C:\WINDOWS\system32\dllcache\usr1801.sys
2008-08-05 13:09 . 2001-09-06 21:27 216,576 --a--c--- C:\WINDOWS\system32\dllcache\um34scan.dll
2008-08-05 13:09 . 2001-09-06 21:27 212,480 --a--c--- C:\WINDOWS\system32\dllcache\um54scan.dll
2008-08-05 13:09 . 2001-09-06 21:27 94,720 --a--c--- C:\WINDOWS\system32\dllcache\umaxud32.dll
2008-08-05 13:09 . 2001-09-06 21:27 69,632 --a--c--- C:\WINDOWS\system32\dllcache\umaxu12.dll
2008-08-05 13:09 . 2001-09-06 21:27 50,688 --a--c--- C:\WINDOWS\system32\dllcache\umaxscan.dll
2008-08-05 13:09 . 2001-09-06 21:27 50,176 --a--c--- C:\WINDOWS\system32\dllcache\umaxp60.dll
2008-08-05 13:09 . 2001-09-06 21:27 47,616 --a--c--- C:\WINDOWS\system32\dllcache\umaxcam.dll
2008-08-05 13:09 . 2001-09-06 21:27 28,160 --a--c--- C:\WINDOWS\system32\dllcache\umaxu40.dll
2008-08-05 13:09 . 2001-09-06 21:27 26,624 --a--c--- C:\WINDOWS\system32\dllcache\umaxu22.dll
2008-08-05 13:09 . 2001-08-17 21:58 22,912 --a--c--- C:\WINDOWS\system32\dllcache\umaxpcls.sys
2008-08-05 13:07 . 2001-08-17 22:01 241,664 --a--c--- C:\WINDOWS\system32\dllcache\tosdvd02.sys
2008-08-05 13:07 . 2001-08-17 22:02 230,912 --a--c--- C:\WINDOWS\system32\dllcache\tosdvd03.sys
2008-08-05 13:07 . 2004-08-03 23:00 149,376 --a--c--- C:\WINDOWS\system32\dllcache\tffsport.sys
2008-08-05 13:07 . 2001-08-17 20:51 138,528 --a--c--- C:\WINDOWS\system32\dllcache\tgiulnt5.sys
2008-08-05 13:07 . 2001-08-17 20:14 123,995 --a--c--- C:\WINDOWS\system32\dllcache\tjisdn.sys
2008-08-05 13:07 . 2001-09-06 21:26 81,408 --a--c--- C:\WINDOWS\system32\dllcache\tgiul50.dll
2008-08-05 13:07 . 2001-09-06 21:27 31,744 --a--c--- C:\WINDOWS\system32\dllcache\tp4.dll
2008-08-05 13:07 . 2001-08-17 20:10 28,232 --a--c--- C:\WINDOWS\system32\dllcache\tos4mo.sys
2008-08-05 13:07 . 2001-08-17 20:13 17,129 --a--c--- C:\WINDOWS\system32\dllcache\tdkcd31.sys
2008-08-05 13:07 . 2001-09-06 18:37 4,992 --a--c--- C:\WINDOWS\system32\dllcache\toside.sys
2008-08-05 13:05 . 2001-09-06 18:20 286,432 --a--c--- C:\WINDOWS\system32\dllcache\stlnata.sys
2008-08-05 13:04 . 2001-09-06 21:27 114,688 --a--c--- C:\WINDOWS\system32\dllcache\sonypi.dll
2008-08-05 13:04 . 2001-09-06 21:27 106,584 --a--c--- C:\WINDOWS\system32\dllcache\spdports.dll
2008-08-05 13:04 . 2001-08-17 21:51 61,824 --a--c--- C:\WINDOWS\system32\dllcache\speed.sys
2008-08-05 13:04 . 2001-08-17 20:51 37,040 --a--c--- C:\WINDOWS\system32\dllcache\sonypi.sys
2008-08-05 13:04 . 2001-09-06 21:27 24,660 --a--c--- C:\WINDOWS\system32\dllcache\spxupchk.dll
2008-08-05 13:04 . 2001-08-17 20:51 20,752 --a--c--- C:\WINDOWS\system32\dllcache\sonync.sys
2008-08-05 13:04 . 2001-08-17 22:07 19,072 --a--c--- C:\WINDOWS\system32\dllcache\sparrow.sys
2008-08-05 13:04 . 2001-08-17 21:53 9,600 --a--c--- C:\WINDOWS\system32\dllcache\sonymc.sys
2008-08-05 13:04 . 2001-08-17 21:56 7,552 --a--c--- C:\WINDOWS\system32\dllcache\sonypvu1.sys
2008-08-05 13:04 . 2004-08-03 23:00 7,552 --a--c--- C:\WINDOWS\system32\dllcache\sonyait.sys
2008-08-05 13:04 . 2001-08-17 21:53 7,040 --a--c--- C:\WINDOWS\system32\dllcache\snyaitmc.sys
2008-08-05 13:03 . 2001-09-06 21:26 147,200 --a--c--- C:\WINDOWS\system32\dllcache\smidispb.dll
2008-08-05 13:03 . 2001-08-17 20:51 58,368 --a--c--- C:\WINDOWS\system32\dllcache\smiminib.sys
2008-08-05 13:03 . 2001-09-06 20:56 36,425 --a--c--- C:\WINDOWS\system32\dllcache\smcirda.sys
2008-08-05 13:03 . 2001-08-17 20:12 25,034 --a--c--- C:\WINDOWS\system32\dllcache\smcpwr2n.sys
2008-08-05 13:03 . 2001-08-17 20:12 24,576 --a--c--- C:\WINDOWS\system32\dllcache\smc8000n.sys
2008-08-05 13:03 . 2004-08-03 23:07 6,912 --a--c--- C:\WINDOWS\system32\dllcache\smbclass.sys
2008-08-05 13:03 . 2001-08-17 21:57 6,784 --a--c--- C:\WINDOWS\system32\dllcache\smbhc.sys
2008-08-05 13:01 . 2001-09-06 21:26 252,032 --a--c--- C:\WINDOWS\system32\dllcache\sis300iv.dll
2008-08-05 13:00 . 2004-08-04 01:03 3,901 --a--c--- C:\WINDOWS\system32\dllcache\siint5.dll
2008-08-05 12:59 . 2001-09-06 21:26 386,560 --a--c--- C:\WINDOWS\system32\dllcache\sgiul50.dll
2008-08-05 12:59 . 2001-09-06 20:49 161,760 --a--c--- C:\WINDOWS\system32\dllcache\sgsmusb.sys
2008-08-05 12:59 . 2001-08-17 20:51 98,080 --a--c--- C:\WINDOWS\system32\dllcache\sgiulnt5.sys
2008-08-05 12:59 . 2001-08-17 20:19 36,480 --a--c--- C:\WINDOWS\system32\dllcache\sfmanm.sys
2008-08-05 12:59 . 2001-07-21 22:29 18,400 --a--c--- C:\WINDOWS\system32\dllcache\sgsmld.sys
2008-08-05 12:59 . 2001-09-06 20:47 18,176 --a--c--- C:\WINDOWS\system32\dllcache\sermouse.sys
2008-08-05 12:59 . 2001-09-06 20:47 6,912 --a--c--- C:\WINDOWS\system32\dllcache\serscan.sys
2008-08-05 12:58 . 2001-09-06 21:27 495,616 --a--c--- C:\WINDOWS\system32\dllcache\sblfx.dll
2008-08-05 12:58 . 2004-08-03 22:59 43,136 --a--c--- C:\WINDOWS\system32\dllcache\sbp2port.sys
2008-08-05 12:58 . 2001-08-17 21:51 23,936 --a--c--- C:\WINDOWS\system32\dllcache\sccmusbm.sys
2008-08-05 12:58 . 2001-09-06 20:42 23,936 --a--c--- C:\WINDOWS\system32\dllcache\sccmn50m.sys
2008-08-05 12:58 . 2001-09-06 20:44 17,536 --a--c--- C:\WINDOWS\system32\dllcache\scr111.sys
2008-08-05 12:58 . 2001-09-06 20:44 16,768 --a--c--- C:\WINDOWS\system32\dllcache\scmstcs.sys
2008-08-05 12:58 . 2001-08-17 21:52 11,648 --a--c--- C:\WINDOWS\system32\dllcache\scsiprnt.sys
2008-08-05 12:58 . 2001-08-17 21:53 10,880 --a--c--- C:\WINDOWS\system32\dllcache\scsiscan.sys
2008-08-05 12:58 . 2001-08-17 21:53 6,912 --a--c--- C:\WINDOWS\system32\dllcache\seaddsmc.sys
2008-08-05 12:56 . 2004-08-04 01:03 397,056 --a--c--- C:\WINDOWS\system32\dllcache\s3gnb.dll
2008-08-05 12:55 . 2001-09-06 20:29 899,594 --a--c--- C:\WINDOWS\system32\dllcache\r2mdkxga.sys
2008-08-05 12:55 . 2001-09-06 20:29 715,210 --a--c--- C:\WINDOWS\system32\dllcache\r2mdmkxx.sys
2008-08-05 12:55 . 2001-09-06 21:27 86,097 --a--c--- C:\WINDOWS\system32\dllcache\reslog32.dll
2008-08-05 12:55 . 2004-08-03 23:10 59,648 --a--c--- C:\WINDOWS\system32\dllcache\rfcomm.sys
2008-08-05 12:55 . 2001-09-06 21:27 41,984 --a--c--- C:\WINDOWS\system32\dllcache\qvusd.dll
2008-08-05 12:55 . 2001-08-17 20:12 37,563 --a--c--- C:\WINDOWS\system32\dllcache\rlnet5.sys
2008-08-05 12:55 . 2004-08-03 22:41 13,776 --a--c--- C:\WINDOWS\system32\dllcache\recagent.sys
2008-08-05 12:55 . 2001-08-17 21:53 3,328 --a--c--- C:\WINDOWS\system32\dllcache\qv2kux.sys
2008-08-05 12:53 . 2004-08-04 01:03 363,520 --a--c--- C:\WINDOWS\system32\dllcache\psisdecd.dll
2008-08-05 12:53 . 2001-08-17 22:04 173,696 --a--c--- C:\WINDOWS\system32\dllcache\philcam2.sys
2008-08-05 12:53 . 2001-09-06 21:27 121,344 --a--c--- C:\WINDOWS\system32\dllcache\phvfwext.dll
2008-08-05 12:53 . 2001-08-17 22:04 92,416 --a--c--- C:\WINDOWS\system32\dllcache\phildec.sys
2008-08-05 12:53 . 2001-08-17 22:07 19,840 --a--c--- C:\WINDOWS\system32\dllcache\philtune.sys
2008-08-05 12:53 . 2001-08-17 21:53 17,792 --a--c--- C:\WINDOWS\system32\dllcache\ppa.sys
2008-08-05 12:53 . 2004-08-03 23:00 17,664 --a--c--- C:\WINDOWS\system32\dllcache\ppa3.sys
2008-08-05 12:53 . 2001-09-06 20:24 16,128 --a--c--- C:\WINDOWS\system32\dllcache\pscr.sys
2008-08-05 12:53 . 2001-08-17 21:53 7,552 --a--c--- C:\WINDOWS\system32\dllcache\powerfil.sys
2008-08-05 12:53 . 2001-08-17 21:53 7,168 --a--c--- C:\WINDOWS\system32\dllcache\pnrmc.sys
2008-08-05 12:51 . 2001-08-17 22:05 351,616 --a--c--- C:\WINDOWS\system32\dllcache\ovcodek2.sys
2008-08-05 12:50 . 2004-08-04 01:03 4,274,816 --a--c--- C:\WINDOWS\system32\dllcache\nv4_disp.dll
2008-08-05 12:49 . 2004-08-04 00:57 132,695 --a--c--- C:\WINDOWS\system32\dllcache\netwlan5.sys
2008-08-05 12:48 . 2004-08-04 01:03 1,737,856 --a--c--- C:\WINDOWS\system32\dllcache\mtxparhd.dll
2008-08-05 12:47 . 2004-08-04 01:03 56,832 --a--c--- C:\WINDOWS\system32\dllcache\msdvbnp.ax
2008-08-05 12:47 . 2004-08-03 23:10 51,328 --a--c--- C:\WINDOWS\system32\dllcache\msdv.sys
2008-08-05 12:47 . 2001-08-17 22:02 35,200 --a--c--- C:\WINDOWS\system32\dllcache\msgame.sys
2008-08-05 12:47 . 2004-08-03 23:00 22,016 --a--c--- C:\WINDOWS\system32\dllcache\msircomm.sys
2008-08-05 12:47 . 2001-08-17 21:52 17,280 --a--c--- C:\WINDOWS\system32\dllcache\mraid35x.sys
2008-08-05 12:47 . 2001-08-17 21:57 16,128 --a--c--- C:\WINDOWS\system32\dllcache\modemcsa.sys
2008-08-05 12:47 . 2004-08-03 23:10 15,360 --a--c--- C:\WINDOWS\system32\dllcache\mpe.sys
2008-08-05 12:47 . 2001-08-17 21:48 6,016 --a--c--- C:\WINDOWS\system32\dllcache\msfsio.sys
2008-08-05 12:47 . 2001-08-17 22:00 2,944 --a--c--- C:\WINDOWS\system32\dllcache\msmpu401.sys
2008-08-05 12:45 . 2001-08-17 21:28 802,683 --a--c--- C:\WINDOWS\system32\dllcache\ltsm.sys
2008-08-05 12:44 . 2001-09-06 21:26 242,688 --a--c--- C:\WINDOWS\system32\dllcache\kdsusd.dll
2008-08-05 12:44 . 2001-09-06 21:26 45,568 --a--c--- C:\WINDOWS\system32\dllcache\kdsui.dll
2008-08-05 12:44 . 2001-09-06 21:26 37,888 --a--c--- C:\WINDOWS\system32\dllcache\kousd.dll
2008-08-05 12:44 . 2004-08-04 00:57 14,848 --a--c--- C:\WINDOWS\system32\dllcache\kbdhid.sys
2008-08-05 12:44 . 2001-09-06 21:26 8,704 --a--c--- C:\WINDOWS\system32\dllcache\kbdjpn.dll
2008-08-05 12:44 . 2001-09-06 21:26 8,192 --a--c--- C:\WINDOWS\system32\dllcache\kbdkor.dll
2008-08-05 12:42 . 2001-09-06 21:26 372,824 --a--c--- C:\WINDOWS\system32\dllcache\iconf32.dll
2008-08-05 12:42 . 2001-08-17 22:06 154,496 --a--c--- C:\WINDOWS\system32\dllcache\icam4usb.sys
2008-08-05 12:42 . 2001-08-17 22:06 100,992 --a--c--- C:\WINDOWS\system32\dllcache\icam5usb.sys
2008-08-05 12:42 . 2001-09-06 21:26 91,648 --a--c--- C:\WINDOWS\system32\dllcache\icam4com.dll
2008-08-05 12:42 . 2001-09-06 21:26 62,976 --a--c--- C:\WINDOWS\system32\dllcache\icam4ext.dll
2008-08-05 12:42 . 2001-09-06 21:26 45,056 --a--c--- C:\WINDOWS\system32\dllcache\icam5com.dll
2008-08-05 12:42 . 2001-09-06 21:26 20,992 --a--c--- C:\WINDOWS\system32\dllcache\icam5ext.dll
2008-08-05 12:40 . 2004-08-03 22:41 1,041,536 --a--c--- C:\WINDOWS\system32\dllcache\hsfdpsp2.sys
2008-08-05 12:39 . 2001-09-06 21:26 324,608 --a--c--- C:\WINDOWS\system32\dllcache\hpojwia.dll
2008-08-05 12:38 . 2001-09-06 21:26 1,733,120 --a--c--- C:\WINDOWS\system32\dllcache\g400d.dll
2008-08-05 12:37 . 2001-08-17 20:15 455,680 --a--c--- C:\WINDOWS\system32\dllcache\fus2base.sys
2008-08-05 12:36 . 2001-09-06 20:14 630,016 --a--c--- C:\WINDOWS\system32\dllcache\eqn.sys

.
((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-05 10:30 2,048 ----a-w C:\WINDOWS\system32\uqsehioe.exe
2008-08-03 15:30 1,872,384 ----a-w C:\WINDOWS\Internet Logs\xDB7.tmp
2008-08-03 15:17 1,871,360 ----a-w C:\WINDOWS\Internet Logs\xDB6.tmp
2008-08-03 15:02 1,870,848 ----a-w C:\WINDOWS\Internet Logs\xDB5.tmp
2008-07-29 20:08 1,858,560 ----a-w C:\WINDOWS\Internet Logs\xDB4.tmp
2008-07-29 13:03 --------- d-----w C:\Program Files\Java
2008-07-24 23:09 131,584 ----a-w C:\WINDOWS\Internet Logs\xDB3.tmp
2008-07-22 16:55 1,837,056 ----a-w C:\WINDOWS\Internet Logs\xDB2.tmp
2008-07-22 16:55 1,179,136 ----a-w C:\WINDOWS\Internet Logs\xDB1.tmp
2008-07-09 07:05 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll
2008-06-20 17:43 247,296 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 11:53 --------- d-----w C:\Program Files\Microsoft Games
2008-06-20 11:13 --------- d-----w C:\Program Files\MSXML 4.0
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-19 23:25 --------- d-----w C:\Program Files\Sun
2008-06-19 23:24 --------- d-----w C:\Program Files\Common Files\Java
2008-06-19 20:41 --------- d-----w C:\Program Files\ESET
2008-06-19 20:41 --------- d-----w C:\Program Files\Common Files\Stardock
2008-06-19 20:40 2,560 ----a-w C:\WINDOWS\_MSRSTRT.EXE
2008-06-19 20:19 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-19 20:18 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-06-19 20:06 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-06-19 19:01 --------- d-----w C:\Program Files\Hitman Pro
2008-06-19 19:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-19 18:59 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-19 18:58 --------- d-----w C:\Program Files\Spyware Doctor
2008-06-19 18:30 164 ----a-w C:\install.dat
2008-06-19 18:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Prevx
2008-06-19 17:58 --------- d-----w C:\Program Files\Synaptics
2008-06-18 20:27 21,419 ----a-w C:\WINDOWS\system32\drivers\AegisP.sys
2008-06-18 20:25 --------- d-----w C:\Program Files\Hercules
2008-06-18 20:25 --------- d-----w C:\Documents and Settings\User\Application Data\InstallShield
2008-06-17 17:34 --------- d-----w C:\Program Files\Windows Live
2008-06-17 17:33 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-06-17 17:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-06-14 18:00 272,640 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 15:21 --------- d-----w C:\Documents and Settings\User\Application Data\gtk-2.0
2008-06-11 14:49 --------- d-----w C:\Program Files\7-Zip
2008-06-11 14:44 --------- d-----w C:\Program Files\GIMP-2.0
2008-06-07 10:20 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-30 12:19 507,400 ----a-w C:\WINDOWS\system32\XAudio2_1.dll
2008-05-30 12:18 238,088 ----a-w C:\WINDOWS\system32\xactengine3_1.dll
2008-05-30 12:17 65,032 ----a-w C:\WINDOWS\system32\XAPOFX1_0.dll
2008-05-30 12:17 25,608 ----a-w C:\WINDOWS\system32\X3DAudio1_4.dll
2008-05-30 12:11 467,984 ----a-w C:\WINDOWS\system32\d3dx10_38.dll
2008-05-30 12:11 3,850,760 ----a-w C:\WINDOWS\system32\D3DX9_38.dll
2008-05-30 12:11 1,491,992 ----a-w C:\WINDOWS\system32\D3DCompiler_38.dll
2008-05-27 11:23 23,400 ----a-w C:\Documents and Settings\User\Application Data\GDIPFONTCACHEV1.DAT
2008-05-16 09:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-05-07 05:16 1,291,776 ----a-w C:\WINDOWS\system32\quartz.dll
.

((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{57BCA5FA-5DBB-45a2-B558-1755C3F6253B}"= "C:\Program Files\Winamp Toolbar\winamptb.dll" [2008-03-20 00:36 1267040]

[HKEY_CLASSES_ROOT\clsid\{57bca5fa-5dbb-45a2-b558-1755c3f6253b}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLTBSearch.1]
[HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLTBSearch]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2006-03-02 14:00 15360]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 11:34 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2007-02-06 22:00 344064]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 10:11 1388544]
"EPSON Stylus DX3800 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACE.EXE" [2005-02-08 07:00 98304]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2003-06-24 14:34 126976]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2003-06-24 14:33 561152]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 09:05 919016]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 09:47 116040]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-10 10:51 289064]
"AGRSMMSG"="AGRSMMSG.exe" [2003-06-27 09:53 88363 C:\WINDOWS\AGRSMMSG.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-03-02 14:00 15360]

C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\
Alerter.lnk - C:\Program Files\Vampirefreaks\vfalerter.exe [2008-01-23 17:10:58 9752064]
WiFi Station.lnk - C:\Program Files\Hercules\WiFi Station\WifiStation.exe [2008-06-18 22:25:51 654336]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=


*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
Inhoud van de 'Gedeelde Taken' map

2008-07-21 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\q6cskwyh.default\
FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-05 18:22:58
Windows 5.1.2600 Service Pack 2 NTFS

scannen van verborgen processen ...

scannen van verborgen autostart items ...

scannen van verborgen bestanden ...


C:\DOCUME~1\User\LOCALS~1\Temp\TMP4352$.TMP

Scan succesvol afgerond
verborgen bestanden: 1

**************************************************************************
.
Voltooingstijd: 2008-08-05 18:27:32
ComboFix-quarantined-files.txt 2008-08-05 16:27:11

Pre-Run: 11,486,855,168 bytes beschikbaar
Post-Run: 11,469,578,240 bytes beschikbaar

293 --- E O F --- 2008-07-13 22:48:23

HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:28:08, on 5/08/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACE.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hercules\WiFi Station\WifiStation.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
R3 - URLSearchHook: Winamp Search Class - {57BCA5FA-5DBB-45a2-B558-1755C3F6253B} - C:\Program Files\Winamp Toolbar\winamptb.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Aanmelden - Help - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [EPSON Stylus DX3800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACE.EXE /P26 "EPSON Stylus DX3800 Series" /O6 "USB001" /M "Stylus DX3800"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Alerter.lnk = C:\Program Files\Vampirefreaks\vfalerter.exe
O4 - Global Startup: WiFi Station.lnk = ?
O8 - Extra context menu item: &Winamp Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Mobiel Apple apparaat (Apple Mobile Device) - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour-service (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod-service (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6617 bytes
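As an added example (not from this thread, and not part of HijackThis itself), here is a small Python triage helper that parses lines in the HijackThis log format shown above and flags the entry types a log reader checks first: "(no file)" orphans, shortcuts HJT could not resolve ("= ?"), autostarts launched from a Temp folder, and bare filenames that are found via a PATH search. The sample lines are constructed; the "[Updater]" Temp entry is invented to exercise the temp-folder check and does not appear in the posted log.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in HijackThis v2.0.2 log format. The line shapes mirror
# the log posted above; the "[Updater]" entry and its Temp path are invented
# here to exercise the temp-folder check and do NOT come from the thread.
SAMPLE_LOG = r"""
R3 - URLSearchHook: Winamp Search Class - {57BCA5FA-5DBB-45a2-B558-1755C3F6253B} - C:\Program Files\Winamp Toolbar\winamptb.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKCU\..\Run: [Updater] C:\DOCUME~1\User\LOCALS~1\Temp\example.tmp
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - Global Startup: WiFi Station.lnk = ?
O9 - Extra button: (no name) - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - (no file)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# "<section> - <kind>: <rest>"; R0/R1 lines ("key = value") have no ": "
# separator before their value and are skipped by this parser.
LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<kind>[^:]+): (?P<rest>.*)$")
RUN_RE = re.compile(r"^\[(?P<name>[^\]]+)\] (?P<path>.*?)(?: \(User '[^']*'\))?$")
LNK_RE = re.compile(r"^(?P<name>.+?) = (?P<path>.*)$")
CLSID_RE = re.compile(r"^(?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.*)$")
SVC_RE = re.compile(r"^(?P<name>.*?) - (?P<company>.*?) - (?P<path>.*)$")


@dataclass
class HjtEntry:
    section: str            # R3, O2, O4, O9, O23, ...
    kind: str               # BHO, HKLM\..\Run, Global Startup, Service, ...
    name: str
    path: str               # target file as HJT printed it (quotes removed)
    company: str            # O23 only
    flags: Tuple[str, ...]  # triage findings, empty when nothing stood out


def triage(section: str, path: str) -> Tuple[str, ...]:
    """Heuristics a log reader applies first; none of them prove malice alone."""
    flags = []
    low = path.lower()
    if path == "(no file)":
        flags.append("orphaned-entry")      # registry still points at a file that is gone
    if path == "?":
        flags.append("unresolved-target")   # shortcut whose target HJT could not resolve
    if "\\temp\\" in low or "\\locals~1\\" in low:
        flags.append("runs-from-temp")      # autostarts from a temp folder are rarely legitimate
    if section == "O4" and path and "\\" not in path and not path.startswith(("(", "?")):
        flags.append("bare-filename")       # found via PATH search; confirm which copy runs
    return tuple(flags)


def parse_line(line: str) -> Optional[HjtEntry]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, kind, rest = m.group("section", "kind", "rest")
    if section == "O4":
        sub = RUN_RE.match(rest) or LNK_RE.match(rest)
    elif section == "O23":
        sub = SVC_RE.match(rest)
    else:
        sub = CLSID_RE.match(rest)
    if not sub:
        return None
    path = sub.group("path").strip()
    if path.startswith('"'):                # '"C:\...\x.exe" -args' -> 'C:\...\x.exe'
        path = path[1:].split('"', 1)[0]
    company = sub.group("company") if section == "O23" else ""
    return HjtEntry(section, kind, sub.group("name"), path, company, triage(section, path))


def parse_log(text: str) -> List[HjtEntry]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]


def flagged(entries: List[HjtEntry]) -> List[HjtEntry]:
    return [e for e in entries if e.flags]


if __name__ == "__main__":
    for e in flagged(parse_log(SAMPLE_LOG)):
        print(f"{e.section:<4}{e.kind:<22}{e.name:<36}{e.path:<50}{', '.join(e.flags)}")
```

A flag is a prompt to look closer (for example, resolve the bare AGRSMMSG.exe to the copy that actually runs, as the ComboFix log above does), not a verdict by itself.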
AfterDawn Addict
5. August 2008 @ 23:26
iceroyale,
Quote:
combofix log: (sorry that it's in dutch)

Life without challenges is so boring.. LOL

Open Notepad - it must be Notepad, not Wordpad.
Copy the text below in the quote box by highlighting all the text with your mouse and pressing Ctrl+C
Quote:
Rootkit::
C:\DOCUME~1\michael\LOCALS~1\Temp\RGI1B.tmp


Go to the Notepad window and click Edit > Paste
Then click File > Save
Name the file "CFScript.txt" (including the quotes)
Save the file to your Desktop






Referring to the picture above, drag CFScript into ComboFix.exe

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.


2OG



There are three kinds of men: The ones that learn by reading; The few who learn by observation;
The rest of them have to pee on the electric fence and find out for themselves...
iceroyale
Newbie
6. August 2008 @ 07:18
didn't reboot. well here's another challenge for you ;)

ComboFix 08-08-04.06 - User 2008-08-06 13:10:25.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1043.18.228 [GMT 2:00]
Gestart vanuit: C:\Documents and Settings\User\Bureaublad\ComboFix.exe
Command switches used :: C:\Documents and Settings\User\Bureaublad\CFScript.txt
* Nieuw herstelpunt werd aangemaakt

WAARSCHUWING - DE RECOVERY CONSOLE IS NIET OP DIT SYSTEEM GEINSTALLEERD !!
.

(((((((((((((((((((( Bestanden Gemaakt van 2008-07-06 to 2008-08-06 ))))))))))))))))))))))))))))))
.

2008-08-06 13:06 . 2008-08-06 13:06 268 --ah----- C:\sqmdata04.sqm
2008-08-06 13:06 . 2008-08-06 13:06 244 --ah----- C:\sqmnoopt04.sqm
2008-08-05 18:27 . 2008-08-05 18:27 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-05 18:15 . 2008-08-05 18:15 268 --ah----- C:\sqmdata03.sqm
2008-08-05 18:15 . 2008-08-05 18:15 244 --ah----- C:\sqmnoopt03.sqm
2008-08-05 15:37 . 2008-08-05 15:37 268 --ah----- C:\sqmdata02.sqm
2008-08-05 15:37 . 2008-08-05 15:37 244 --ah----- C:\sqmnoopt02.sqm
2008-08-05 13:14 . 2004-08-04 01:03 116,736 --a--c--- C:\WINDOWS\system32\dllcache\xrxwiadr.dll
2008-08-05 13:14 . 2001-09-06 21:27 23,040 --a--c--- C:\WINDOWS\system32\dllcache\xrxwbtmp.dll
2008-08-05 13:13 . 2001-09-06 21:27 99,865 --a--c--- C:\WINDOWS\system32\dllcache\xlog.exe
2008-08-05 13:13 . 2001-09-06 21:27 27,648 --a--c--- C:\WINDOWS\system32\dllcache\xrxftplt.exe
2008-08-05 13:13 . 2004-08-03 22:29 19,455 --a--c--- C:\WINDOWS\system32\dllcache\wvchntxx.sys
2008-08-05 13:13 . 2004-08-03 23:10 19,328 --a--c--- C:\WINDOWS\system32\dllcache\wstcodec.sys
2008-08-05 13:13 . 2001-09-06 21:27 17,408 --a--c--- C:\WINDOWS\system32\dllcache\xrxscnui.dll
2008-08-05 13:13 . 2001-08-17 20:11 16,970 --a--c--- C:\WINDOWS\system32\dllcache\xem336n5.sys
2008-08-05 13:13 . 2004-08-03 22:29 12,063 --a--c--- C:\WINDOWS\system32\dllcache\wsiintxx.sys
2008-08-05 13:13 . 2004-08-03 23:07 8,832 --a--c--- C:\WINDOWS\system32\dllcache\wmiacpi.sys
2008-08-05 13:13 . 2001-09-06 21:27 4,608 --a--c--- C:\WINDOWS\system32\dllcache\xrxflnch.exe
2008-08-05 13:11 . 2001-08-17 21:28 604,253 --a--c--- C:\WINDOWS\system32\dllcache\vmodem.sys
2008-08-05 13:10 . 2001-08-17 21:28 794,654 --a--c--- C:\WINDOWS\system32\dllcache\usr1801.sys
2008-08-05 13:09 . 2001-09-06 21:27 216,576 --a--c--- C:\WINDOWS\system32\dllcache\um34scan.dll
2008-08-05 13:09 . 2001-09-06 21:27 212,480 --a--c--- C:\WINDOWS\system32\dllcache\um54scan.dll
2008-08-05 13:09 . 2001-09-06 21:27 94,720 --a--c--- C:\WINDOWS\system32\dllcache\umaxud32.dll
2008-08-05 13:09 . 2001-09-06 21:27 69,632 --a--c--- C:\WINDOWS\system32\dllcache\umaxu12.dll
2008-08-05 13:09 . 2001-09-06 21:27 50,688 --a--c--- C:\WINDOWS\system32\dllcache\umaxscan.dll
2008-08-05 13:09 . 2001-09-06 21:27 50,176 --a--c--- C:\WINDOWS\system32\dllcache\umaxp60.dll
2008-08-05 13:09 . 2001-09-06 21:27 47,616 --a--c--- C:\WINDOWS\system32\dllcache\umaxcam.dll
2008-08-05 13:09 . 2001-09-06 21:27 28,160 --a--c--- C:\WINDOWS\system32\dllcache\umaxu40.dll
2008-08-05 13:09 . 2001-09-06 21:27 26,624 --a--c--- C:\WINDOWS\system32\dllcache\umaxu22.dll
2008-08-05 13:09 . 2001-08-17 21:58 22,912 --a--c--- C:\WINDOWS\system32\dllcache\umaxpcls.sys
2008-08-05 13:07 . 2001-08-17 22:01 241,664 --a--c--- C:\WINDOWS\system32\dllcache\tosdvd02.sys
2008-08-05 13:07 . 2001-08-17 22:02 230,912 --a--c--- C:\WINDOWS\system32\dllcache\tosdvd03.sys
2008-08-05 13:07 . 2004-08-03 23:00 149,376 --a--c--- C:\WINDOWS\system32\dllcache\tffsport.sys
2008-08-05 13:07 . 2001-08-17 20:51 138,528 --a--c--- C:\WINDOWS\system32\dllcache\tgiulnt5.sys
2008-08-05 13:07 . 2001-08-17 20:14 123,995 --a--c--- C:\WINDOWS\system32\dllcache\tjisdn.sys
2008-08-05 13:07 . 2001-09-06 21:26 81,408 --a--c--- C:\WINDOWS\system32\dllcache\tgiul50.dll
2008-08-05 13:07 . 2001-09-06 21:27 31,744 --a--c--- C:\WINDOWS\system32\dllcache\tp4.dll
2008-08-05 13:07 . 2001-08-17 20:10 28,232 --a--c--- C:\WINDOWS\system32\dllcache\tos4mo.sys
2008-08-05 13:07 . 2001-08-17 20:13 17,129 --a--c--- C:\WINDOWS\system32\dllcache\tdkcd31.sys
2008-08-05 13:07 . 2001-09-06 18:37 4,992 --a--c--- C:\WINDOWS\system32\dllcache\toside.sys
2008-08-05 13:05 . 2001-09-06 18:20 286,432 --a--c--- C:\WINDOWS\system32\dllcache\stlnata.sys
2008-08-05 13:04 . 2001-09-06 21:27 114,688 --a--c--- C:\WINDOWS\system32\dllcache\sonypi.dll
2008-08-05 13:04 . 2001-09-06 21:27 106,584 --a--c--- C:\WINDOWS\system32\dllcache\spdports.dll
2008-08-05 13:04 . 2001-08-17 21:51 61,824 --a--c--- C:\WINDOWS\system32\dllcache\speed.sys
2008-08-05 13:04 . 2001-08-17 20:51 37,040 --a--c--- C:\WINDOWS\system32\dllcache\sonypi.sys
2008-08-05 13:04 . 2001-09-06 21:27 24,660 --a--c--- C:\WINDOWS\system32\dllcache\spxupchk.dll
2008-08-05 13:04 . 2001-08-17 20:51 20,752 --a--c--- C:\WINDOWS\system32\dllcache\sonync.sys
2008-08-05 13:04 . 2001-08-17 22:07 19,072 --a--c--- C:\WINDOWS\system32\dllcache\sparrow.sys
2008-08-05 13:04 . 2001-08-17 21:53 9,600 --a--c--- C:\WINDOWS\system32\dllcache\sonymc.sys
2008-08-05 13:04 . 2001-08-17 21:56 7,552 --a--c--- C:\WINDOWS\system32\dllcache\sonypvu1.sys
2008-08-05 13:04 . 2004-08-03 23:00 7,552 --a--c--- C:\WINDOWS\system32\dllcache\sonyait.sys
2008-08-05 13:04 . 2001-08-17 21:53 7,040 --a--c--- C:\WINDOWS\system32\dllcache\snyaitmc.sys
2008-08-05 13:03 . 2001-09-06 21:26 147,200 --a--c--- C:\WINDOWS\system32\dllcache\smidispb.dll
2008-08-05 13:03 . 2001-08-17 20:51 58,368 --a--c--- C:\WINDOWS\system32\dllcache\smiminib.sys
2008-08-05 13:03 . 2001-09-06 20:56 36,425 --a--c--- C:\WINDOWS\system32\dllcache\smcirda.sys
2008-08-05 13:03 . 2001-08-17 20:12 25,034 --a--c--- C:\WINDOWS\system32\dllcache\smcpwr2n.sys
2008-08-05 13:03 . 2001-08-17 20:12 24,576 --a--c--- C:\WINDOWS\system32\dllcache\smc8000n.sys
2008-08-05 13:03 . 2004-08-03 23:07 6,912 --a--c--- C:\WINDOWS\system32\dllcache\smbclass.sys
2008-08-05 13:03 . 2001-08-17 21:57 6,784 --a--c--- C:\WINDOWS\system32\dllcache\smbhc.sys
2008-08-05 13:01 . 2001-09-06 21:26 252,032 --a--c--- C:\WINDOWS\system32\dllcache\sis300iv.dll
2008-08-05 13:00 . 2004-08-04 01:03 3,901 --a--c--- C:\WINDOWS\system32\dllcache\siint5.dll
2008-08-05 12:59 . 2001-09-06 21:26 386,560 --a--c--- C:\WINDOWS\system32\dllcache\sgiul50.dll
2008-08-05 12:59 . 2001-09-06 20:49 161,760 --a--c--- C:\WINDOWS\system32\dllcache\sgsmusb.sys
2008-08-05 12:59 . 2001-08-17 20:51 98,080 --a--c--- C:\WINDOWS\system32\dllcache\sgiulnt5.sys
2008-08-05 12:59 . 2001-08-17 20:19 36,480 --a--c--- C:\WINDOWS\system32\dllcache\sfmanm.sys
2008-08-05 12:59 . 2001-07-21 22:29 18,400 --a--c--- C:\WINDOWS\system32\dllcache\sgsmld.sys
2008-08-05 12:59 . 2001-09-06 20:47 18,176 --a--c--- C:\WINDOWS\system32\dllcache\sermouse.sys
2008-08-05 12:59 . 2001-09-06 20:47 6,912 --a--c--- C:\WINDOWS\system32\dllcache\serscan.sys
2008-08-05 12:58 . 2001-09-06 21:27 495,616 --a--c--- C:\WINDOWS\system32\dllcache\sblfx.dll
2008-08-05 12:58 . 2004-08-03 22:59 43,136 --a--c--- C:\WINDOWS\system32\dllcache\sbp2port.sys
2008-08-05 12:58 . 2001-08-17 21:51 23,936 --a--c--- C:\WINDOWS\system32\dllcache\sccmusbm.sys
2008-08-05 12:58 . 2001-09-06 20:42 23,936 --a--c--- C:\WINDOWS\system32\dllcache\sccmn50m.sys
2008-08-05 12:58 . 2001-09-06 20:44 17,536 --a--c--- C:\WINDOWS\system32\dllcache\scr111.sys
2008-08-05 12:58 . 2001-09-06 20:44 16,768 --a--c--- C:\WINDOWS\system32\dllcache\scmstcs.sys
2008-08-05 12:58 . 2001-08-17 21:52 11,648 --a--c--- C:\WINDOWS\system32\dllcache\scsiprnt.sys
2008-08-05 12:58 . 2001-08-17 21:53 10,880 --a--c--- C:\WINDOWS\system32\dllcache\scsiscan.sys
2008-08-05 12:58 . 2001-08-17 21:53 6,912 --a--c--- C:\WINDOWS\system32\dllcache\seaddsmc.sys
2008-08-05 12:56 . 2004-08-04 01:03 397,056 --a--c--- C:\WINDOWS\system32\dllcache\s3gnb.dll
2008-08-05 12:55 . 2001-09-06 20:29 899,594 --a--c--- C:\WINDOWS\system32\dllcache\r2mdkxga.sys
2008-08-05 12:55 . 2001-09-06 20:29 715,210 --a--c--- C:\WINDOWS\system32\dllcache\r2mdmkxx.sys
2008-08-05 12:55 . 2001-09-06 21:27 86,097 --a--c--- C:\WINDOWS\system32\dllcache\reslog32.dll
2008-08-05 12:55 . 2004-08-03 23:10 59,648 --a--c--- C:\WINDOWS\system32\dllcache\rfcomm.sys
2008-08-05 12:55 . 2001-09-06 21:27 41,984 --a--c--- C:\WINDOWS\system32\dllcache\qvusd.dll
2008-08-05 12:55 . 2001-08-17 20:12 37,563 --a--c--- C:\WINDOWS\system32\dllcache\rlnet5.sys
2008-08-05 12:55 . 2004-08-03 22:41 13,776 --a--c--- C:\WINDOWS\system32\dllcache\recagent.sys
2008-08-05 12:55 . 2001-08-17 21:53 3,328 --a--c--- C:\WINDOWS\system32\dllcache\qv2kux.sys
2008-08-05 12:53 . 2004-08-04 01:03 363,520 --a--c--- C:\WINDOWS\system32\dllcache\psisdecd.dll
2008-08-05 12:53 . 2001-08-17 22:04 173,696 --a--c--- C:\WINDOWS\system32\dllcache\philcam2.sys
2008-08-05 12:53 . 2001-09-06 21:27 121,344 --a--c--- C:\WINDOWS\system32\dllcache\phvfwext.dll
2008-08-05 12:53 . 2001-08-17 22:04 92,416 --a--c--- C:\WINDOWS\system32\dllcache\phildec.sys
2008-08-05 12:53 . 2001-08-17 22:07 19,840 --a--c--- C:\WINDOWS\system32\dllcache\philtune.sys
2008-08-05 12:53 . 2001-08-17 21:53 17,792 --a--c--- C:\WINDOWS\system32\dllcache\ppa.sys
2008-08-05 12:53 . 2004-08-03 23:00 17,664 --a--c--- C:\WINDOWS\system32\dllcache\ppa3.sys
2008-08-05 12:53 . 2001-09-06 20:24 16,128 --a--c--- C:\WINDOWS\system32\dllcache\pscr.sys
2008-08-05 12:53 . 2001-08-17 21:53 7,552 --a--c--- C:\WINDOWS\system32\dllcache\powerfil.sys
2008-08-05 12:53 . 2001-08-17 21:53 7,168 --a--c--- C:\WINDOWS\system32\dllcache\pnrmc.sys
2008-08-05 12:51 . 2001-08-17 22:05 351,616 --a--c--- C:\WINDOWS\system32\dllcache\ovcodek2.sys
2008-08-05 12:50 . 2004-08-04 01:03 4,274,816 --a--c--- C:\WINDOWS\system32\dllcache\nv4_disp.dll
2008-08-05 12:49 . 2004-08-04 00:57 132,695 --a--c--- C:\WINDOWS\system32\dllcache\netwlan5.sys
2008-08-05 12:48 . 2004-08-04 01:03 1,737,856 --a--c--- C:\WINDOWS\system32\dllcache\mtxparhd.dll
2008-08-05 12:47 . 2004-08-04 01:03 56,832 --a--c--- C:\WINDOWS\system32\dllcache\msdvbnp.ax
2008-08-05 12:47 . 2004-08-03 23:10 51,328 --a--c--- C:\WINDOWS\system32\dllcache\msdv.sys
2008-08-05 12:47 . 2001-08-17 22:02 35,200 --a--c--- C:\WINDOWS\system32\dllcache\msgame.sys
2008-08-05 12:47 . 2004-08-03 23:00 22,016 --a--c--- C:\WINDOWS\system32\dllcache\msircomm.sys
2008-08-05 12:47 . 2001-08-17 21:52 17,280 --a--c--- C:\WINDOWS\system32\dllcache\mraid35x.sys
2008-08-05 12:47 . 2001-08-17 21:57 16,128 --a--c--- C:\WINDOWS\system32\dllcache\modemcsa.sys
2008-08-05 12:47 . 2004-08-03 23:10 15,360 --a--c--- C:\WINDOWS\system32\dllcache\mpe.sys
2008-08-05 12:47 . 2001-08-17 21:48 6,016 --a--c--- C:\WINDOWS\system32\dllcache\msfsio.sys
2008-08-05 12:47 . 2001-08-17 22:00 2,944 --a--c--- C:\WINDOWS\system32\dllcache\msmpu401.sys
2008-08-05 12:45 . 2001-08-17 21:28 802,683 --a--c--- C:\WINDOWS\system32\dllcache\ltsm.sys
2008-08-05 12:44 . 2001-09-06 21:26 242,688 --a--c--- C:\WINDOWS\system32\dllcache\kdsusd.dll
2008-08-05 12:44 . 2001-09-06 21:26 45,568 --a--c--- C:\WINDOWS\system32\dllcache\kdsui.dll
2008-08-05 12:44 . 2001-09-06 21:26 37,888 --a--c--- C:\WINDOWS\system32\dllcache\kousd.dll
2008-08-05 12:44 . 2004-08-04 00:57 14,848 --a--c--- C:\WINDOWS\system32\dllcache\kbdhid.sys
2008-08-05 12:44 . 2001-09-06 21:26 8,704 --a--c--- C:\WINDOWS\system32\dllcache\kbdjpn.dll
2008-08-05 12:44 . 2001-09-06 21:26 8,192 --a--c--- C:\WINDOWS\system32\dllcache\kbdkor.dll
2008-08-05 12:42 . 2001-09-06 21:26 372,824 --a--c--- C:\WINDOWS\system32\dllcache\iconf32.dll
2008-08-05 12:42 . 2001-08-17 22:06 154,496 --a--c--- C:\WINDOWS\system32\dllcache\icam4usb.sys
2008-08-05 12:42 . 2001-08-17 22:06 100,992 --a--c--- C:\WINDOWS\system32\dllcache\icam5usb.sys
2008-08-05 12:42 . 2001-09-06 21:26 91,648 --a--c--- C:\WINDOWS\system32\dllcache\icam4com.dll
2008-08-05 12:42 . 2001-09-06 21:26 62,976 --a--c--- C:\WINDOWS\system32\dllcache\icam4ext.dll
2008-08-05 12:42 . 2001-09-06 21:26 45,056 --a--c--- C:\WINDOWS\system32\dllcache\icam5com.dll
2008-08-05 12:42 . 2001-09-06 21:26 20,992 --a--c--- C:\WINDOWS\system32\dllcache\icam5ext.dll
2008-08-05 12:40 . 2004-08-03 22:41 1,041,536 --a--c--- C:\WINDOWS\system32\dllcache\hsfdpsp2.sys
2008-08-05 12:39 . 2001-09-06 21:26 324,608 --a--c--- C:\WINDOWS\system32\dllcache\hpojwia.dll

.
((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-05 10:30 2,048 ----a-w C:\WINDOWS\system32\uqsehioe.exe
2008-08-03 15:30 1,872,384 ----a-w C:\WINDOWS\Internet Logs\xDB7.tmp
2008-08-03 15:17 1,871,360 ----a-w C:\WINDOWS\Internet Logs\xDB6.tmp
2008-08-03 15:02 1,870,848 ----a-w C:\WINDOWS\Internet Logs\xDB5.tmp
2008-07-29 20:08 1,858,560 ----a-w C:\WINDOWS\Internet Logs\xDB4.tmp
2008-07-29 13:03 --------- d-----w C:\Program Files\Java
2008-07-24 23:09 131,584 ----a-w C:\WINDOWS\Internet Logs\xDB3.tmp
2008-07-22 16:55 1,837,056 ----a-w C:\WINDOWS\Internet Logs\xDB2.tmp
2008-07-22 16:55 1,179,136 ----a-w C:\WINDOWS\Internet Logs\xDB1.tmp
2008-07-09 07:05 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll
2008-06-20 17:43 247,296 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 11:53 --------- d-----w C:\Program Files\Microsoft Games
2008-06-20 11:13 --------- d-----w C:\Program Files\MSXML 4.0
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-19 23:25 --------- d-----w C:\Program Files\Sun
2008-06-19 23:24 --------- d-----w C:\Program Files\Common Files\Java
2008-06-19 20:41 --------- d-----w C:\Program Files\ESET
2008-06-19 20:41 --------- d-----w C:\Program Files\Common Files\Stardock
2008-06-19 20:40 2,560 ----a-w C:\WINDOWS\_MSRSTRT.EXE
2008-06-19 20:19 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-19 20:18 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-06-19 20:06 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-06-19 19:01 --------- d-----w C:\Program Files\Hitman Pro
2008-06-19 19:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-19 18:59 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-19 18:58 --------- d-----w C:\Program Files\Spyware Doctor
2008-06-19 18:30 164 ----a-w C:\install.dat
2008-06-19 18:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Prevx
2008-06-19 17:58 --------- d-----w C:\Program Files\Synaptics
2008-06-18 20:27 21,419 ----a-w C:\WINDOWS\system32\drivers\AegisP.sys
2008-06-18 20:25 --------- d-----w C:\Program Files\Hercules
2008-06-18 20:25 --------- d-----w C:\Documents and Settings\User\Application Data\InstallShield
2008-06-17 17:34 --------- d-----w C:\Program Files\Windows Live
2008-06-17 17:33 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-06-17 17:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-06-14 18:00 272,640 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 15:21 --------- d-----w C:\Documents and Settings\User\Application Data\gtk-2.0
2008-06-11 14:49 --------- d-----w C:\Program Files\7-Zip
2008-06-11 14:44 --------- d-----w C:\Program Files\GIMP-2.0
2008-06-07 10:20 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-30 12:19 507,400 ----a-w C:\WINDOWS\system32\XAudio2_1.dll
2008-05-30 12:18 238,088 ----a-w C:\WINDOWS\system32\xactengine3_1.dll
2008-05-30 12:17 65,032 ----a-w C:\WINDOWS\system32\XAPOFX1_0.dll
2008-05-30 12:17 25,608 ----a-w C:\WINDOWS\system32\X3DAudio1_4.dll
2008-05-30 12:11 467,984 ----a-w C:\WINDOWS\system32\d3dx10_38.dll
2008-05-30 12:11 3,850,760 ----a-w C:\WINDOWS\system32\D3DX9_38.dll
2008-05-30 12:11 1,491,992 ----a-w C:\WINDOWS\system32\D3DCompiler_38.dll
2008-05-27 11:23 23,400 ----a-w C:\Documents and Settings\User\Application Data\GDIPFONTCACHEV1.DAT
2008-05-16 09:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-05-07 05:16 1,291,776 ----a-w C:\WINDOWS\system32\quartz.dll
.

((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{57BCA5FA-5DBB-45a2-B558-1755C3F6253B}"= "C:\Program Files\Winamp Toolbar\winamptb.dll" [2008-03-20 00:36 1267040]

[HKEY_CLASSES_ROOT\clsid\{57bca5fa-5dbb-45a2-b558-1755c3f6253b}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLTBSearch.1]
[HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLTBSearch]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2006-03-02 14:00 15360]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 11:34 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2007-02-06 22:00 344064]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 10:11 1388544]
"EPSON Stylus DX3800 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACE.EXE" [2005-02-08 07:00 98304]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2003-06-24 14:34 126976]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2003-06-24 14:33 561152]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 09:05 919016]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 09:47 116040]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-10 10:51 289064]
"AGRSMMSG"="AGRSMMSG.exe" [2003-06-27 09:53 88363 C:\WINDOWS\AGRSMMSG.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-03-02 14:00 15360]

C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\
Alerter.lnk - C:\Program Files\Vampirefreaks\vfalerter.exe [2008-01-23 17:10:58 9752064]
WiFi Station.lnk - C:\Program Files\Hercules\WiFi Station\WifiStation.exe [2008-06-18 22:25:51 654336]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

S3 dump_wmimmc;dump_wmimmc;C:\Program Files\NEXON\EuropeMapleStory\GameGuard\dump_wmimmc.sys []
.
Inhoud van de 'Gedeelde Taken' map

2008-07-21 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-06 13:14:01
Windows 5.1.2600 Service Pack 2 NTFS

scannen van verborgen processen ...

scannen van verborgen autostart items ...

scannen van verborgen bestanden ...


C:\DOCUME~1\User\LOCALS~1\Temp\RGI7.tmp

Scan succesvol afgerond
verborgen bestanden: 1

**************************************************************************
.
Voltooingstijd: 2008-08-06 13:18:21
ComboFix-quarantined-files.txt 2008-08-06 11:18:06
ComboFix2.txt 2008-08-05 16:27:32

Pre-Run: 11,745,935,360 bytes beschikbaar
Post-Run: 11,750,735,872 bytes beschikbaar

261 --- E O F --- 2008-07-13 22:48:23
AfterDawn Addict
6. August 2008 @ 07:38
It's like skinning a cat, there's more than one way ; )

Delete Files on Reboot

Start Hijackthis
Click on the Config button
Click on the Misc Tools button
Click on the button labeled Delete a file on reboot...
A new window will open asking you to select the file that you would like to delete on reboot.
Navigate to this file and click on it once, and then click on the Open button.

C:\Documents and Settings\michael\Local Settings\Temp\RGI1B.tmp

You will now be asked if you would like to reboot your computer to delete the file.
Click on the Yes button.


after the reboot,
Check to see if it's gone? It should be, and that's the last of the Vundo.. A Rootkit..

Let me know.



There are three kinds of men: The ones that learn by reading; The few who learn by observation;
The rest of them have to pee on the electric fence and find out for themselves...
iceroyale
Newbie
6. August 2008 @ 13:54
C:\Documents and Settings\michael isn't there :s
AfterDawn Addict
6. August 2008 @ 21:00
Good, that should have been the last of the lurks.

Are you having any problems now?





There are three kinds of men: The ones that learn by reading; The few who learn by observation;
The rest of them have to pee on the electric fence and find out for themselves...
iceroyale
Newbie
7. August 2008 @ 06:19
nope none at all, it runs as good as the day I got it :)

thanks for your help!
AfterDawn Addict
7. August 2008 @ 06:32
Congratulations iceroyale, your log looks CLEAN





There are a few things you must do once you are completely clean:

1. Time for some housekeeping

Please download the OTMoveIt2 by OldTimer

• Save it to your desktop.
• Run the tool by clicking on the icon.
• Click the Cleanup button.

• The tools that we used as well as this one will be removed from your system.


2. Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only


Double-click ATF-Cleaner.exe to run the program.

• Under Main "Select Files to Delete" choose: Select All.
• Click the Empty Selected button.

• If you use Firefox browser click Firefox at the top and choose: Select All
• Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.

• If you use Opera browser click Opera at the top and choose: Select All
• Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.

• Click Exit on the Main menu to close the program.



3. Now Set a New Restore Point to prevent possible reinfection from an old one.
Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:

• Go to Start > Programs > Accessories > System Tools and click "System Restore".

• Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.

• Then go to Start > Run and type: Cleanmgr
• Click "OK"
Select the drive you want to clean usually C:
Click OK
When it completes the scan:
• Click the "More Options" Tab.
• Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.


4. Defragment your Hard Drive

1. Open My Computer.
2. Right-click the local disk volume that you want to defragment, and then click Properties.
3. On the Tools tab, click Defragment Now.
4. Click Defragment.




And here are some tips to reduce the potential for spyware infection in the future:


It is critical that you use a firewall to protect your computer from hackers. We don't recommend the firewall that comes built in to Windows. It doesn't block everything that may try to get in, and the entire firewall is written to the registry. As various kinds of malware hack the Registry in order to disable the Windows firewall, it's far preferable to install one of the excellent third party solutions. Two good ones are Comodo Free and Online Armor Personal Firewall
I have recently changed my firewall to Comodo, love it and highly recommend it..

Make sure you keep your Windows OS current by visiting Windows Update regularly to download and install any critical updates and service packs. Without these you are leaving the backdoor open.

I strongly recommend installing the following applications:

• SpywareBlaster <= SpywareBlaster will prevent spyware from being installed.


Go to these sites and read about them; you may decide to use them. I do, because they work.

• Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list, which will severely impair attempts to infect your system. It basically prevents any downloads (Malware, Cookies etc) from the sites listed, although you will still be able to connect to the sites.

• MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well known Malware sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
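To show what a HOSTS-file block list actually does, here is an added example (not part of the post, the MVPS project, or any Windows component) that parses HOSTS-file text the way the post describes it: a line is an IP address followed by one or more host names, `#` starts a comment, and names mapped to 127.0.0.1 (or 0.0.0.0) never reach the network. The sample content is constructed, with `.invalid` placeholder names rather than real MVPS entries; on Windows the real file lives at `%SystemRoot%\System32\drivers\etc\hosts`. The example also goes one step beyond the post: because a block list should only ever point names at the local machine, it flags any entry that points somewhere else, which is the check you want when verifying that a HOSTS file has not been tampered with.

```python
"""Minimal model of how a HOSTS-file block list works (added example)."""
import ipaddress

# CONSTRUCTED sample HOSTS content. Names use the reserved ".invalid" TLD;
# they are placeholders, not entries from the real MVPS list.
SAMPLE_HOSTS = """\
# Default mapping present in every HOSTS file
127.0.0.1       localhost

# --- constructed block-list entries ---
127.0.0.1  ads.example.invalid
127.0.0.1  tracker.example.invalid   www.tracker.example.invalid  # trailing comment
0.0.0.0    malware.example.invalid

# --- a suspicious line: a name sent to a remote address instead of loopback ---
203.0.113.9  update.example.invalid
"""

# Addresses that keep traffic on the local machine (0.0.0.0 is a common
# "null route" variant used by some block lists).
LOOPBACK_TARGETS = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text):
    """Return {hostname (lower-cased): ip_string} from HOSTS-file text.

    Format: 'IP  name [name ...]', with '#' starting a comment anywhere on
    the line. The first mapping seen for a name is kept.
    """
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comment and whitespace
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # malformed: an address with no names
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # first token is not an IP address; do not trust it
        for name in parts[1:]:
            mapping.setdefault(name.lower(), parts[0])
    return mapping


def is_blocked(mapping, host):
    """True if the HOSTS file points `host` at the local machine."""
    return mapping.get(host.lower()) in LOOPBACK_TARGETS


def suspicious_entries(mapping):
    """Names mapped to anything other than a loopback/null address.

    A block list only ever redirects to the local machine, so a remote
    address here means the file is not purely a block list and deserves
    a closer look (hijacked HOSTS files are a classic tampering sign).
    """
    return sorted(name for name, ip in mapping.items()
                  if ip not in LOOPBACK_TARGETS)


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    for h in ("ads.example.invalid", "unknown.example.invalid"):
        print(f"{h}: {'blocked' if is_blocked(hosts, h) else 'not in list'}")
    print("entries not pointing at loopback:", suspicious_entries(hosts))
```

Lookups are case-insensitive because host names are; the parser ignores lines whose first token is not a valid address rather than guessing what they mean.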


And also see TonyKlein's good advice
So how did I get infected in the first place?




Enjoy your clean computer. Any questions?

The oldgeek knows how to get the bugs out. Oops, missed one..




2OG
iceroyale
Newbie
7. August 2008 @ 13:39
i have ZoneAlarm Pro installed. would you say it is any good?
iceroyale
Newbie
7. August 2008 @ 13:50
oh and by the way, starting tomorrow, I'll be on vacation for the next 2 weeks, so I might not be able to check back here.
© 1999-2025 by AfterDawn Ltd.