Trojan.Vundo.H?
Walter
Hello.

I'm new. I think I've got a Trojan. I am not experienced with computer technology. I would appreciate your help.
Please go step by step, because I am an amateur.

I downloaded nrun.mbam.exe: Malwarebytes' Anti-Malware 1.36
Database version: 1987
Windows 5.1.2600 Service Pack 2

16-4-2009 0:20:07
mbam-log-2009-04-16 (00-20-07).txt

Scan type: Quick Scan
Objects scanned: 102325
Time elapsed: 7 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 9
Registry Values Infected: 3
Registry Data Items Infected: 1
Folders Infected: 11
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{bbfb1805-0571-4f3e-81e3-c3679c99b318} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{bbfb1805-0571-4f3e-81e3-c3679c99b318} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\RegistrySmart (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\runtime2.sys (Rootkit.Safemode.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\runtime2.sys (Rootkit.Safemode.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\runtime2 (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RUNTIME2 (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\runtime (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RUNTIME (Rootkit.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sefuzovegu (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows UDP Control Center (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\startdrv (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\HenkHeleen\Application Data\DriveCleaner Free (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Documents and Settings\HenkHeleen\Application Data\DriveCleaner Free\Logs (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lennart Jan\Application Data\DriveCleaner Free (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lennart Jan\Application Data\DriveCleaner Free\Logs (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Documents and Settings\HenkHeleen\Application Data\RegistrySmart (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\HenkHeleen\Application Data\RegistrySmart\Log (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\HenkHeleen\Application Data\RegistrySmart\Registry Backups (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lennart Jan\Application Data\RegistrySmart (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lennart Jan\Application Data\RegistrySmart\Log (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lydia\Application Data\RegistrySmart (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lydia\Application Data\RegistrySmart\Log (Rogue.RegistrySmart) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\HenkHeleen\Application Data\DriveCleaner Free\Logs\update.log (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lennart Jan\Application Data\DriveCleaner Free\Logs\update.log (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Documents and Settings\HenkHeleen\Application Data\RegistrySmart\Log\2008 Apr 23 - 08_50_13 PM_312.log (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\HenkHeleen\Application Data\RegistrySmart\Log\2008 Apr 23 - 11_39_54 AM_031.log (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\HenkHeleen\Application Data\RegistrySmart\Registry Backups\2008-04-19_09-51-04.reg (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lennart Jan\Application Data\RegistrySmart\Log\2008 Apr 23 - 02_04_41 PM_140.log (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lydia\Application Data\RegistrySmart\Log\2008 Apr 22 - 05_22_13 PM_234.log (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\3_exception.nls (Trojan.Tibs) -> Quarantined and deleted successfully.


This is the info.txt from rsit.exe:

info.txt logfile of random's system information tool 1.06 2009-04-16 00:55:22

======Uninstall list======

-->"C:\Program Files\InstallShield Installation Information\{3AD59E07-5D54-4142-8505-62889FEDFA59}\setup.exe" REMOVEALL
-->C:\WINDOWS\IsUn0413.exe -fC:\WINDOWS\orun32.isu
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FA7621DC-7144-4A24-973C-B9BC0E945628}\setup.exe" -l0x9
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Aangifte vennootschapsbelasting 2007-->C:\Program Files\Belastingdienst\Aangifte vennootschapsbelasting\2007\vb2007u.exe
Ad-Aware SE Personal-->C:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG
Adobe Flash Player ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 9 - Dutch-->MsiExec.exe /I{AC76BA86-7AD7-1043-7B44-A90000000001}
Adobe Shockwave Player-->C:\WINDOWS\system32\Adobe\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Adobe\SHOCKW~1\Install.log
ArcSoft Camera Suite-->C:\WINDOWS\IsUn0413.exe -f"C:\Program Files\ArcSoft\Camera Suite\Uninst.isu"
ATI Catalyst Control Center-->MsiExec.exe /I{9CDC20C8-AFBE-4A2E-B001-929E1D7C28F3}
ATI Display Driver-->rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
AVG 8.5-->C:\Program Files\AVG\AVG8\setup.exe /UNINSTALL
Security Update for Windows Media Player 10 (KB911565)-->"C:\WINDOWS\$NtUninstallKB911565$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB911564)-->"C:\WINDOWS\$NtUninstallKB911564$\spuninst\spuninst.exe"
Security Update for Windows XP (KB890046)-->"C:\WINDOWS\$NtUninstallKB890046$\spuninst\spuninst.exe"
Security Update for Windows XP (KB893756)-->"C:\WINDOWS\$NtUninstallKB893756$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896358)-->"C:\WINDOWS\$NtUninstallKB896358$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896422)-->"C:\WINDOWS\$NtUninstallKB896422$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896423)-->"C:\WINDOWS\$NtUninstallKB896423$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896424)-->"C:\WINDOWS\$NtUninstallKB896424$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896428)-->"C:\WINDOWS\$NtUninstallKB896428$\spuninst\spuninst.exe"
Security Update for Windows XP (KB899587)-->"C:\WINDOWS\$NtUninstallKB899587$\spuninst\spuninst.exe"
Security Update for Windows XP (KB899589)-->"C:\WINDOWS\$NtUninstallKB899589$\spuninst\spuninst.exe"
Security Update for Windows XP (KB899591)-->"C:\WINDOWS\$NtUninstallKB899591$\spuninst\spuninst.exe"
Security Update for Windows XP (KB900725)-->"C:\WINDOWS\$NtUninstallKB900725$\spuninst\spuninst.exe"
Security Update for Windows XP (KB900930)-->"C:\WINDOWS\$NtUninstallKB900930$\spuninst\spuninst.exe"
Security Update for Windows XP (KB901017)-->"C:\WINDOWS\$NtUninstallKB901017$\spuninst\spuninst.exe"
Security Update for Windows XP (KB901190)-->"C:\WINDOWS\$NtUninstallKB901190$\spuninst\spuninst.exe"
Security Update for Windows XP (KB901214)-->"C:\WINDOWS\$NtUninstallKB901214$\spuninst\spuninst.exe"
Security Update for Windows XP (KB902400)-->"C:\WINDOWS\$NtUninstallKB902400$\spuninst\spuninst.exe"
Security Update for Windows XP (KB904706)-->"C:\WINDOWS\$NtUninstallKB904706$\spuninst\spuninst.exe"
Security Update for Windows XP (KB905414)-->"C:\WINDOWS\$NtUninstallKB905414$\spuninst\spuninst.exe"
Security Update for Windows XP (KB905749)-->"C:\WINDOWS\$NtUninstallKB905749$\spuninst\spuninst.exe"
Security Update for Windows XP (KB905915)-->"C:\WINDOWS\$NtUninstallKB905915$\spuninst\spuninst.exe"
Security Update for Windows XP (KB908519)-->"C:\WINDOWS\$NtUninstallKB908519$\spuninst\spuninst.exe"
Security Update for Windows XP (KB911927)-->"C:\WINDOWS\$NtUninstallKB911927$\spuninst\spuninst.exe"
Security Update for Windows XP (KB912812)-->"C:\WINDOWS\$NtUninstallKB912812$\spuninst\spuninst.exe"
Security Update for Windows XP (KB912919)-->"C:\WINDOWS\$NtUninstallKB912919$\spuninst\spuninst.exe"
Security Update for Windows XP (KB913446)-->"C:\WINDOWS\$NtUninstallKB913446$\spuninst\spuninst.exe"
CompuServe 6.0-->C:\Program Files\Common Files\csshare\CSunins_nl.exe
DivX Web Player-->C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
EA SPORTS online 2005-->C:\Program Files\EA SPORTS\EA SPORTS online\EASOUNInstaller.exe
FinePixViewer Ver.4.3-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{24ED4D80-8294-11D5-96CD-0040266301AD}\SETUP.EXE"
FUJIFILM EX-10/EX-20 Digital Camera-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{E9E1E060-F909-4CCF-BFF1-990858B41974}
FUJIFILM EX-10/EX-20 Memory Browser TWAIN Driver V1.00-->C:\WINDOWS\system32\rundll32.exe setupapi,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\coachMB.inf
FUJIFILM USB Driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5490882C-6961-11D5-BAE5-00E0188E010B}\SETUP.EXE"
Google Toolbar for Internet Explorer-->MsiExec.exe /I{DBEA1034-5882-4A88-8033-81C4EF0CFA29}
Google Toolbar for Internet Explorer-->regsvr32 /u /s "c:\program files\google\googletoolbar1.dll"
HijackThis 2.0.2-->"C:\Program Files\trend micro\HijackThis.exe" /uninstall
Hitman Pro-->"C:\Program Files\Hitman Pro\unins000.exe"
Hotfix for Windows Media Format SDK (KB902344)-->"C:\WINDOWS\$NtUninstallKB902344$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB889527)-->"C:\WINDOWS\$NtUninstallKB889527$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB893357)-->"C:\WINDOWS\$NtUninstallKB893357$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB896256)-->"C:\WINDOWS\$NtUninstallKB896256$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB898900)-->"C:\WINDOWS\$NtUninstallKB898900$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB900485)-->"C:\WINDOWS\$NtUninstallKB900485$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB903234)-->"C:\WINDOWS\$NtUninstallKB903234$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB904412)-->"C:\WINDOWS\$NtUninstallKB904412$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB906569)-->"C:\WINDOWS\$NtUninstallKB906569$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB907865)-->"C:\WINDOWS\$NtUninstallKB907865$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB910728)-->"C:\WINDOWS\$NtUninstallKB910728$\spuninst\spuninst.exe"
InterVideo MediaOne Gallery-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{34F0D55F-C386-4195-9A5B-961D3F6ACD46}\setup.exe" REMOVEALL REMOVEALL
InterVideo WinDVD-->"C:\Program Files\InstallShield Installation Information\{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}\setup.exe" REMOVEALL
KB888111: High Definition Audio-->"C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe"
KONICA MINOLTA magicolor 2430DL-->MUINST_U.EXE /PRN:"KONICA MINOLTA magicolor 2430DL"
Kruidvat - Fotoservice-->"C:\Program Files\Kruidvat - Fotoservice\unins000.exe"
LEGO Chess-->C:\WINDOWS\unin0413.exe -f"C:\Program Files\LEGO Media\Games\LEGO Chess\DeIsL1.isu"
LEGO Eiland 2-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\LEGO Media\LEGO Eiland 2\Setup.exe"
LEGO Racers-->C:\WINDOWS\IsUn0413.exe -f"C:\Program Files\LEGO Media\Games\LEGO Racers\Uninst.isu"
Lexmark Fax Solutions-->C:\Program Files\Lexmark Fax Solutions\Install\x86\Uninst.exe
Macromedia Flash Player 8-->MsiExec.exe /X{6815FCDD-401D-481E-BA88-31B4754C2B46}
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
McDonald's Fairies-->C:\Program Files\McDonaldsFairies\uninstall.exe
Microsoft .NET Framework 1.1 Hotfix (KB886903)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M886903\M886903Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 2.0-->C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.exe
Microsoft Office Excel MUI (Dutch) 2007-->MsiExec.exe /X{90120000-0016-0413-0000-0000000FF1CE}
Microsoft Office Home and Student 2007-->"C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall HOMESTUDENTR /dll OSETUP.DLL
Microsoft Office Home and Student 2007-->MsiExec.exe /X{91120000-002F-0000-0000-0000000FF1CE}
Microsoft Office OneNote MUI (Dutch) 2007-->MsiExec.exe /X{90120000-00A1-0413-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (Dutch) 2007-->MsiExec.exe /X{90120000-0018-0413-0000-0000000FF1CE}
Microsoft Office Proof (Dutch) 2007-->MsiExec.exe /X{90120000-001F-0413-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007-->MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007-->MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (German) 2007-->MsiExec.exe /X{90120000-001F-0407-0000-0000000FF1CE}
Microsoft Office Proofing (Dutch) 2007-->MsiExec.exe /X{90120000-002C-0413-0000-0000000FF1CE}
Microsoft Office Shared MUI (Dutch) 2007-->MsiExec.exe /X{90120000-006E-0413-0000-0000000FF1CE}
Microsoft Office Word MUI (Dutch) 2007-->MsiExec.exe /X{90120000-001B-0413-0000-0000000FF1CE}
Microsoft Silverlight-->MsiExec.exe /X{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Mozilla Thunderbird (1.5)-->C:\Program Files\Mozilla Thunderbird\uninstall\uninstall.exe /ua "1.5 (nl)"
OpenOffice.org 2.0-->MsiExec.exe /I{CC843847-921E-4446-B538-FA9C4E7B423C}
RealPlayer Basic-->C:\Program Files\Common Files\Real\Update\\rnuninst.exe RealNetworks|RealPlayer|6.0
Realtek High Definition Audio Driver-->RtlUpd.exe -r -m
RedCat Super Karts-->C:\Program Files\Davilex\Shared\UNINST32.EXE C:\PROGRA~1\Davilex\REDCAT~1\Install.Log
Spy Sweeper-->"C:\Program Files\Webroot\Spy Sweeper\unins000.exe"
Spybot - Search & Destroy 1.4-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Spyware Doctor 5.0-->C:\Program Files\Spyware Doctor\unins000.exe
SpywareBlaster v3.5.1-->"C:\Program Files\SpywareBlaster\unins000.exe"
Teach2000 8.22-->"C:\Program Files\Teach2000\Uninstall\unins000.exe"
Uno™ CD-Rom-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9416484D-7002-4CDF-8B46-8748962DF3CF}\setup.exe"
Update for Windows XP (KB896427)-->"C:\WINDOWS\$NtUninstallKB896427$\spuninst\spuninst.exe"
Update for Windows XP (KB897663)-->"C:\WINDOWS\$NtUninstallKB897663$\spuninst\spuninst.exe"
Update for Windows XP (KB898461)-->"C:\WINDOWS\$NtUninstallKB898461$\spuninst\spuninst.exe"
Update for Windows XP (KB908521)-->"C:\WINDOWS\$NtUninstallKB908521$\spuninst\spuninst.exe"
Update for Windows XP (KB910437)-->"C:\WINDOWS\$NtUninstallKB910437$\spuninst\spuninst.exe"
VC80CRTRedist - 8.0.50727.762-->MsiExec.exe /I{767CC44C-9BBC-438D-BAD3-FD4595DD148B}
Vodafone Mobile Connect Lite-->MsiExec.exe /X{B5761811-28F3-4257-B537-815C5EEF472C}
Display web pages in tabs-->MsiExec.exe /X{14E3FD72-800B-494D-8957-C6642B96462A}
Windows Installer 3.1 (KB893803)-->"C:\WINDOWS\$MSI31Uninstall_KB893803v2$\spuninst\spuninst.exe"
Windows Live Messenger-->MsiExec.exe /I{9816B8B8-4B53-4D3D-9235-AD931252001D}
Windows Live Sign-in Assistant-->MsiExec.exe /I{22B3CC30-77B8-419C-AA4B-F571FDF5D66D}
Windows Live Toolbar Feed Detector-->MsiExec.exe /X{F1222BC7-4132-40E0-94FA-21C144AEC134}
Windows Live Toolbar MSN Extension-->MsiExec.exe /X{2ED4D368-C117-4A8D-BDC7-C13034B576CD}
Windows Live Toolbar-->C:\Program Files\Windows Live Toolbar\UnInstall.exe {5A22BEFC-7A0F-45AB-97EA-6F5E7D5FB02C}
Windows Live Toolbar-->MsiExec.exe /X{5A22BEFC-7A0F-45AB-97EA-6F5E7D5FB02C}
Windows Media Format Runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format SDK Hotfix - KB891122-->"C:\WINDOWS\$NtUninstallKB891122$\spuninst\spuninst.exe"
Windows Media Player 10 Hotfix - KB888656-->"C:\WINDOWS\$NtUninstallKB888656$\spuninst\spuninst.exe"
Windows Media Player 10-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows XP Hotfix - KB873339-->C:\WINDOWS\$NtUninstallKB873339$\spuninst\spuninst.exe
Windows XP Hotfix - KB883667-->C:\WINDOWS\$NtUninstallKB883667$\spuninst\spuninst.exe
Windows XP Hotfix - KB884575-->C:\WINDOWS\$NtUninstallKB884575$\spuninst\spuninst.exe
Windows XP Hotfix - KB884883-->"C:\WINDOWS\$NtUninstallKB884883$\spuninst\spuninst.exe"
Windows XP Hotfix - KB885523-->C:\WINDOWS\$NtUninstallKB885523$\spuninst\spuninst.exe
Windows XP Hotfix - KB885835-->C:\WINDOWS\$NtUninstallKB885835$\spuninst\spuninst.exe
Windows XP Hotfix - KB885836-->C:\WINDOWS\$NtUninstallKB885836$\spuninst\spuninst.exe
Windows XP Hotfix - KB885855-->C:\WINDOWS\$NtUninstallKB885855$\spuninst\spuninst.exe
Windows XP Hotfix - KB885894-->C:\WINDOWS\$NtUninstallKB885894$\spuninst\spuninst.exe
Windows XP Hotfix - KB886677-->C:\WINDOWS\$NtUninstallKB886677$\spuninst\spuninst.exe
Windows XP Hotfix - KB886716-->"C:\WINDOWS\$NtUninstallKB886716$\spuninst\spuninst.exe"
Windows XP Hotfix - KB887742-->C:\WINDOWS\$NtUninstallKB887742$\spuninst\spuninst.exe
Windows XP Hotfix - KB887797-->C:\WINDOWS\$NtUninstallKB887797$\spuninst\spuninst.exe
Windows XP Hotfix - KB888113-->C:\WINDOWS\$NtUninstallKB888113$\spuninst\spuninst.exe
Windows XP Hotfix - KB888302-->C:\WINDOWS\$NtUninstallKB888302$\spuninst\spuninst.exe
Windows XP Hotfix - KB888402-->C:\WINDOWS\$NtUninstallKB888402$\spuninst\spuninst.exe
Windows XP Hotfix - KB889016-->C:\WINDOWS\$NtUninstallKB889016$\spuninst\spuninst.exe
Windows XP Hotfix - KB889673-->C:\WINDOWS\$NtUninstallKB889673$\spuninst\spuninst.exe
Windows XP Hotfix - KB890831-->C:\WINDOWS\$NtUninstallKB890831$\spuninst\spuninst.exe
Windows XP Hotfix - KB890859-->"C:\WINDOWS\$NtUninstallKB890859$\spuninst\spuninst.exe"
Windows XP Hotfix - KB891781-->C:\WINDOWS\$NtUninstallKB891781$\spuninst\spuninst.exe
Windows XP Hotfix - KB892627-->C:\WINDOWS\$NtUninstallKB892627$\spuninst\spuninst.exe
Windows XP Hotfix - KB893056-->C:\WINDOWS\$NtUninstallKB893056$\spuninst\spuninst.exe
Windows XP Hotfix - KB896626-->"C:\WINDOWS\$NtUninstallKB896626$\spuninst\spuninst.exe"

======Security center information======

AV: AVG Anti-Virus Free

======System event log======

Computer Name: REITSMA
Event Code: 7028
Message: The wuauserv Registry key denied access to SYSTEM account programs, so the Service Control Manager took ownership of the Registry key.

Record Number: 27686
Source Name: Service Control Manager
Time Written: 20090415063002.000000+120
Event Type: Error
User:

Computer Name: REITSMA
Event Code: 7028
Message: The wuauserv Registry key denied access to SYSTEM account programs, so the Service Control Manager took ownership of the Registry key.

Record Number: 27685
Source Name: Service Control Manager
Time Written: 20090415062952.000000+120
Event Type: Error
User:

Computer Name: REITSMA
Event Code: 7028
Message: The wuauserv Registry key denied access to SYSTEM account programs, so the Service Control Manager took ownership of the Registry key.

Record Number: 27684
Source Name: Service Control Manager
Time Written: 20090415062947.000000+120
Event Type: Error
User:

Computer Name: REITSMA
Event Code: 7028
Message: The wuauserv Registry key denied access to SYSTEM account programs, so the Service Control Manager took ownership of the Registry key.

Record Number: 27683
Source Name: Service Control Manager
Time Written: 20090415062922.000000+120
Event Type: Error
User:

Computer Name: REITSMA
Event Code: 7028
Message: The wuauserv Registry key denied access to SYSTEM account programs, so the Service Control Manager took ownership of the Registry key.

Record Number: 27682
Source Name: Service Control Manager
Time Written: 20090415062912.000000+120
Event Type: Error
User:

=====Application event log=====

Computer Name: REITSMA
Event Code: 302
Message: MsnMsgr (452) \\.\C:\Documents and Settings\HenkHeleen\Local Settings\Application Data\Microsoft\Messenger\lj_asc@live.nl\SharingMetadata\Working\database_6674_F21_740E_F419\dfsr.db: The database engine has completed recovery steps.

Record Number: 17650
Source Name: ESENT
Time Written: 20090126211222.000000+060
Event Type: Information
User:

Computer Name: REITSMA
Event Code: 301
Message: MsnMsgr (452) \\.\C:\Documents and Settings\HenkHeleen\Local Settings\Application Data\Microsoft\Messenger\lj_asc@live.nl\SharingMetadata\Working\database_6674_F21_740E_F419\dfsr.db: The database engine has begun replaying log file \\.\C:\Documents and Settings\HenkHeleen\Local Settings\Application Data\Microsoft\Messenger\lj_asc@live.nl\SharingMetadata\Working\database_6674_F21_740E_F419\fsr.log.

Record Number: 17649
Source Name: ESENT
Time Written: 20090126211221.000000+060
Event Type: Information
User:

Computer Name: REITSMA
Event Code: 301
Message: MsnMsgr (452) \\.\C:\Documents and Settings\HenkHeleen\Local Settings\Application Data\Microsoft\Messenger\lj_asc@live.nl\SharingMetadata\Working\database_6674_F21_740E_F419\dfsr.db: The database engine has begun replaying log file \\.\C:\Documents and Settings\HenkHeleen\Local Settings\Application Data\Microsoft\Messenger\lj_asc@live.nl\SharingMetadata\Working\database_6674_F21_740E_F419\fsr000BC.log.

Record Number: 17648
Source Name: ESENT
Time Written: 20090126211220.000000+060
Event Type: Information
User:

Computer Name: REITSMA
Event Code: 301
Message: MsnMsgr (452) \\.\C:\Documents and Settings\HenkHeleen\Local Settings\Application Data\Microsoft\Messenger\lj_asc@live.nl\SharingMetadata\Working\database_6674_F21_740E_F419\dfsr.db: The database engine has begun replaying log file \\.\C:\Documents and Settings\HenkHeleen\Local Settings\Application Data\Microsoft\Messenger\lj_asc@live.nl\SharingMetadata\Working\database_6674_F21_740E_F419\fsr000BB.log.

Record Number: 17647
Source Name: ESENT
Time Written: 20090126211220.000000+060
Event Type: Information
User:

Computer Name: REITSMA
Event Code: 301
Message: MsnMsgr (452) \\.\C:\Documents and Settings\HenkHeleen\Local Settings\Application Data\Microsoft\Messenger\lj_asc@live.nl\SharingMetadata\Working\database_6674_F21_740E_F419\dfsr.db: The database engine has begun replaying log file \\.\C:\Documents and Settings\HenkHeleen\Local Settings\Application Data\Microsoft\Messenger\lj_asc@live.nl\SharingMetadata\Working\database_6674_F21_740E_F419\fsr000BA.log.

Record Number: 17646
Source Name: ESENT
Time Written: 20090126211219.000000+060
Event Type: Information
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\ATI Technologies\ATI.ACE\
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 4 Stepping 9, GenuineIntel
"PROCESSOR_REVISION"=0409
"NUMBER_OF_PROCESSORS"=2
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP

-----------------EOF-----------------

Microsoft Office Home and Student 2007-->MsiExec.exe /X{91120000-002F-0000-0000-0000000FF1CE}
Microsoft Office OneNote MUI (Dutch) 2007-->MsiExec.exe /X{90120000-00A1-0413-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (Dutch) 2007-->MsiExec.exe /X{90120000-0018-0413-0000-0000000FF1CE}
Microsoft Office Proof (Dutch) 2007-->MsiExec.exe /X{90120000-001F-0413-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007-->MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007-->MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (German) 2007-->MsiExec.exe /X{90120000-001F-0407-0000-0000000FF1CE}
Microsoft Office Proofing (Dutch) 2007-->MsiExec.exe /X{90120000-002C-0413-0000-0000000FF1CE}
Microsoft Office Shared MUI (Dutch) 2007-->MsiExec.exe /X{90120000-006E-0413-0000-0000000FF1CE}
Microsoft Office Word MUI (Dutch) 2007-->MsiExec.exe /X{90120000-001B-0413-0000-0000000FF1CE}
Microsoft Silverlight-->MsiExec.exe /X{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Mozilla Thunderbird (1.5)-->C:\Program Files\Mozilla Thunderbird\uninstall\uninstall.exe /ua "1.5 (nl)"
OpenOffice.org 2.0-->MsiExec.exe /I{CC843847-921E-4446-B538-FA9C4E7B423C}
RealPlayer Basic-->C:\Program Files\Common Files\Real\Update\\rnuninst.exe RealNetworks|RealPlayer|6.0
Realtek High Definition Audio Driver-->RtlUpd.exe -r -m
RedCat Super Karts-->C:\Program Files\Davilex\Shared\UNINST32.EXE C:\PROGRA~1\Davilex\REDCAT~1\Install.Log
Spy Sweeper-->"C:\Program Files\Webroot\Spy Sweeper\unins000.exe"
Spybot - Search & Destroy 1.4-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Spyware Doctor 5.0-->C:\Program Files\Spyware Doctor\unins000.exe
SpywareBlaster v3.5.1-->"C:\Program Files\SpywareBlaster\unins000.exe"
Teach2000 8.22-->"C:\Program Files\Teach2000\Uninstall\unins000.exe"
Uno™ CD-Rom-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9416484D-7002-4CDF-8B46-8748962DF3CF}\setup.exe"
Update voor Windows XP (KB896427)-->"C:\WINDOWS\$NtUninstallKB896427$\spuninst\spuninst.exe"
Update voor Windows XP (KB897663)-->"C:\WINDOWS\$NtUninstallKB897663$\spuninst\spuninst.exe"
Update voor Windows XP (KB898461)-->"C:\WINDOWS\$NtUninstallKB898461$\spuninst\spuninst.exe"
Update voor Windows XP (KB908521)-->"C:\WINDOWS\$NtUninstallKB908521$\spuninst\spuninst.exe"
Update voor Windows XP (KB910437)-->"C:\WINDOWS\$NtUninstallKB910437$\spuninst\spuninst.exe"
VC80CRTRedist - 8.0.50727.762-->MsiExec.exe /I{767CC44C-9BBC-438D-BAD3-FD4595DD148B}
Vodafone Mobile Connect Lite-->MsiExec.exe /X{B5761811-28F3-4257-B537-815C5EEF472C}
Webpagina's tabsgewijs weergeven-->MsiExec.exe /X{14E3FD72-800B-494D-8957-C6642B96462A}
Windows Installer 3.1 (KB893803)-->"C:\WINDOWS\$MSI31Uninstall_KB893803v2$\spuninst\spuninst.exe"
Windows Live Messenger-->MsiExec.exe /I{9816B8B8-4B53-4D3D-9235-AD931252001D}
Windows Live Sign-in Assistant-->MsiExec.exe /I{22B3CC30-77B8-419C-AA4B-F571FDF5D66D}
Windows Live Toolbar Feed Detector-->MsiExec.exe /X{F1222BC7-4132-40E0-94FA-21C144AEC134}
Windows Live Toolbar MSN Extension-->MsiExec.exe /X{2ED4D368-C117-4A8D-BDC7-C13034B576CD}
Windows Live Toolbar-->C:\Program Files\Windows Live Toolbar\UnInstall.exe {5A22BEFC-7A0F-45AB-97EA-6F5E7D5FB02C}
Windows Live Toolbar-->MsiExec.exe /X{5A22BEFC-7A0F-45AB-97EA-6F5E7D5FB02C}
Windows Media Format Runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format SDK Hotfix - KB891122-->"C:\WINDOWS\$NtUninstallKB891122$\spuninst\spuninst.exe"
Windows Media Player 10 Hotfix - KB888656-->"C:\WINDOWS\$NtUninstallKB888656$\spuninst\spuninst.exe"
Windows Media Player 10-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows XP Hotfix - KB873339-->C:\WINDOWS\$NtUninstallKB873339$\spuninst\spuninst.exe
Windows XP Hotfix - KB883667-->C:\WINDOWS\$NtUninstallKB883667$\spuninst\spuninst.exe
Windows XP Hotfix - KB884575-->C:\WINDOWS\$NtUninstallKB884575$\spuninst\spuninst.exe
Windows XP Hotfix - KB884883-->"C:\WINDOWS\$NtUninstallKB884883$\spuninst\spuninst.exe"
Windows XP Hotfix - KB885523-->C:\WINDOWS\$NtUninstallKB885523$\spuninst\spuninst.exe
Windows XP Hotfix - KB885835-->C:\WINDOWS\$NtUninstallKB885835$\spuninst\spuninst.exe
Windows XP Hotfix - KB885836-->C:\WINDOWS\$NtUninstallKB885836$\spuninst\spuninst.exe
Windows XP Hotfix - KB885855-->C:\WINDOWS\$NtUninstallKB885855$\spuninst\spuninst.exe
Windows XP Hotfix - KB885894-->C:\WINDOWS\$NtUninstallKB885894$\spuninst\spuninst.exe
Windows XP Hotfix - KB886677-->C:\WINDOWS\$NtUninstallKB886677$\spuninst\spuninst.exe
Windows XP Hotfix - KB886716-->"C:\WINDOWS\$NtUninstallKB886716$\spuninst\spuninst.exe"
Windows XP Hotfix - KB887742-->C:\WINDOWS\$NtUninstallKB887742$\spuninst\spuninst.exe
Windows XP Hotfix - KB887797-->C:\WINDOWS\$NtUninstallKB887797$\spuninst\spuninst.exe
Windows XP Hotfix - KB888113-->C:\WINDOWS\$NtUninstallKB888113$\spuninst\spuninst.exe
Windows XP Hotfix - KB888302-->C:\WINDOWS\$NtUninstallKB888302$\spuninst\spuninst.exe
Windows XP Hotfix - KB888402-->C:\WINDOWS\$NtUninstallKB888402$\spuninst\spuninst.exe
Windows XP Hotfix - KB889016-->C:\WINDOWS\$NtUninstallKB889016$\spuninst\spuninst.exe
Windows XP Hotfix - KB889673-->C:\WINDOWS\$NtUninstallKB889673$\spuninst\spuninst.exe
Windows XP Hotfix - KB890831-->C:\WINDOWS\$NtUninstallKB890831$\spuninst\spuninst.exe
Windows XP Hotfix - KB890859-->"C:\WINDOWS\$NtUninstallKB890859$\spuninst\spuninst.exe"
Windows XP Hotfix - KB891781-->C:\WINDOWS\$NtUninstallKB891781$\spuninst\spuninst.exe
Windows XP Hotfix - KB892627-->C:\WINDOWS\$NtUninstallKB892627$\spuninst\spuninst.exe
Windows XP Hotfix - KB893056-->C:\WINDOWS\$NtUninstallKB893056$\spuninst\spuninst.exe
Windows XP Hotfix - KB896626-->"C:\WINDOWS\$NtUninstallKB896626$\spuninst\spuninst.exe"

======Security center information======

AV: AVG Anti-Virus Free

======System event log======

Computer Name: REITSMA
Event Code: 7028
Message: The wuauserv Registry key denied access to SYSTEM account programs, so the Service Control Manager took ownership of the Registry key.

Record Number: 27686
Source Name: Service Control Manager
Time Written: 20090415063002.000000+120
Event Type: Error
User:

Computer Name: REITSMA
Event Code: 7028
Message: The wuauserv Registry key denied access to SYSTEM account programs, so the Service Control Manager took ownership of the Registry key.

Record Number: 27685
Source Name: Service Control Manager
Time Written: 20090415062952.000000+120
Event Type: Error
User:

Computer Name: REITSMA
Event Code: 7028
Message: The wuauserv Registry key denied access to SYSTEM account programs, so the Service Control Manager took ownership of the Registry key.

Record Number: 27684
Source Name: Service Control Manager
Time Written: 20090415062947.000000+120
Event Type: Error
User:

Computer Name: REITSMA
Event Code: 7028
Message: The wuauserv Registry key denied access to SYSTEM account programs, so the Service Control Manager took ownership of the Registry key.

Record Number: 27683
Source Name: Service Control Manager
Time Written: 20090415062922.000000+120
Event Type: Error
User:

Computer Name: REITSMA
Event Code: 7028
Message: The wuauserv Registry key denied access to SYSTEM account programs, so the Service Control Manager took ownership of the Registry key.

Record Number: 27682
Source Name: Service Control Manager
Time Written: 20090415062912.000000+120
Event Type: Error
User:

=====Application event log=====

Computer Name: REITSMA
Event Code: 302
Message: MsnMsgr (452) \\.\C:\Documents and Settings\HenkHeleen\Local Settings\Application Data\Microsoft\Messenger\lj_asc@live.nl\SharingMetadata\Working\database_6674_F21_740E_F419\dfsr.db: The database engine has completed the recovery steps.

Record Number: 17650
Source Name: ESENT
Time Written: 20090126211222.000000+060
Event Type: Information
User:

Computer Name: REITSMA
Event Code: 301
Message: MsnMsgr (452) \\.\C:\Documents and Settings\HenkHeleen\Local Settings\Application Data\Microsoft\Messenger\lj_asc@live.nl\SharingMetadata\Working\database_6674_F21_740E_F419\dfsr.db: The database engine has begun replaying log file \\.\C:\Documents and Settings\HenkHeleen\Local Settings\Application Data\Microsoft\Messenger\lj_asc@live.nl\SharingMetadata\Working\database_6674_F21_740E_F419\fsr.log.

Record Number: 17649
Source Name: ESENT
Time Written: 20090126211221.000000+060
Event Type: Information
User:

Computer Name: REITSMA
Event Code: 301
Message: MsnMsgr (452) \\.\C:\Documents and Settings\HenkHeleen\Local Settings\Application Data\Microsoft\Messenger\lj_asc@live.nl\SharingMetadata\Working\database_6674_F21_740E_F419\dfsr.db: The database engine has begun replaying log file \\.\C:\Documents and Settings\HenkHeleen\Local Settings\Application Data\Microsoft\Messenger\lj_asc@live.nl\SharingMetadata\Working\database_6674_F21_740E_F419\fsr000BC.log.

Record Number: 17648
Source Name: ESENT
Time Written: 20090126211220.000000+060
Event Type: Information
User:

Computer Name: REITSMA
Event Code: 301
Message: MsnMsgr (452) \\.\C:\Documents and Settings\HenkHeleen\Local Settings\Application Data\Microsoft\Messenger\lj_asc@live.nl\SharingMetadata\Working\database_6674_F21_740E_F419\dfsr.db: The database engine has begun replaying log file \\.\C:\Documents and Settings\HenkHeleen\Local Settings\Application Data\Microsoft\Messenger\lj_asc@live.nl\SharingMetadata\Working\database_6674_F21_740E_F419\fsr000BB.log.

Record Number: 17647
Source Name: ESENT
Time Written: 20090126211220.000000+060
Event Type: Information
User:

Computer Name: REITSMA
Event Code: 301
Message: MsnMsgr (452) \\.\C:\Documents and Settings\HenkHeleen\Local Settings\Application Data\Microsoft\Messenger\lj_asc@live.nl\SharingMetadata\Working\database_6674_F21_740E_F419\dfsr.db: The database engine has begun replaying log file \\.\C:\Documents and Settings\HenkHeleen\Local Settings\Application Data\Microsoft\Messenger\lj_asc@live.nl\SharingMetadata\Working\database_6674_F21_740E_F419\fsr000BA.log.

Record Number: 17646
Source Name: ESENT
Time Written: 20090126211219.000000+060
Event Type: Information
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\ATI Technologies\ATI.ACE\
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 4 Stepping 9, GenuineIntel
"PROCESSOR_REVISION"=0409
"NUMBER_OF_PROCESSORS"=2
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP

-----------------EOF-----------------

Kind regards,
Walter

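As an added example that is not part of Walter's post, nor code from Malwarebytes, RSIT or HijackThis: a small Python triage script for the kind of RSIT / HijackThis output posted in this thread. It reads the log text and flags the persistence entries a Vundo-style clean-up hinges on: an AppInit_DLLs value (the DLL is loaded into every process that maps user32.dll), a Winlogon Notify DLL outside system32 (loaded into winlogon.exe as SYSTEM), an extra LSA "notification packages" DLL (loaded into lsass.exe at boot), a svchost-hosted service whose ImagePath HijackThis could not resolve (the same symptom as the Service Control Manager 7028 events above, where the SCM had to take ownership of the wuauserv key), and newly created System+Hidden files in system32 or executables dropped in the drive root. The sample lines are constructed, modelled on lines from the logs in this thread; the rules and severities are the example author's assumptions, not anything the tools or the forum specify.

```python
"""Triage a HijackThis / RSIT log for Vundo-style persistence entries.

Added example, not part of the forum post or of any tool mentioned in it.
The rules below are heuristics chosen for this example (assumption), and
SAMPLE_LOG is constructed, modelled on lines from the logs in this thread.
"""
import re
from dataclasses import dataclass

# Constructed sample input (not the poster's full log).
SAMPLE_LOG = r"""
O20 - AppInit_DLLs: C:\WINDOWS\system32\fetijonu.dll
O20 - Winlogon Notify: arm32reg - C:\Documents and Settings\All Users\Documenten\Settings\arm32.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Automatische updates (wuauserv) - Unknown owner - C:\WINDOWS\
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"notification packages"=scecli
C:\WINDOWS\system32\fetijonu.dll

2009-04-15 19:35:08 ----SH---- C:\WINDOWS\system32\laroheya.exe
2009-04-15 22:10:20 ----A---- C:\WINDOWS\system32\avgrsstx.dll
2009-04-14 17:15:49 ----A---- C:\msne.exe
2009-04-11 08:45:41 ----A---- C:\WINDOWS\system32\SelfDel.bat
2009-04-11 08:30:30 ----RSHDC---- C:\WINDOWS\system32\dllcache
"""


@dataclass(frozen=True)
class Finding:
    severity: str   # "HIGH" or "MEDIUM" (example's own scale)
    reason: str
    line: str       # the log line (or package name) that triggered the rule


# A file directly inside %SystemRoot%\system32 (any case).
SYSTEM32 = re.compile(r"^[a-z]:\\windows\\system32\\[^\\]+$", re.I)
# An executable-ish file directly in a drive root, e.g. C:\msne.exe.
DRIVE_ROOT = re.compile(r"^[a-z]:\\[^\\]+\.(exe|dll|bat)$", re.I)
# RSIT "files created / modified" lines: timestamp, attribute flags, path.
FILE_LINE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d ----(\w+)---- (.+)$")
LSA_KEY = r"[hkey_local_machine\system\currentcontrolset\control\lsa]"


def triage(log_text):
    """Return a list of Findings, in log order, for the rules described above."""
    findings = []
    in_lsa = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            in_lsa = False          # a blank line ends a registry-dump block
            continue

        # LSA notification packages: RSIT prints the value, then any extra
        # package on its own line. A clean XP install has only scecli.
        if line.lower() == LSA_KEY:
            in_lsa = True
            continue
        if in_lsa:
            if line.lower().startswith('"notification packages"='):
                extra = [p for p in line.split("=", 1)[1].split() if p.lower() != "scecli"]
            else:
                extra = [line]
            for pkg in extra:
                findings.append(Finding("HIGH", "extra LSA notification package (DLL loaded into lsass.exe at boot)", pkg))
            continue

        if re.match(r"^O20 - AppInit_DLLs: .+$", line):
            findings.append(Finding("HIGH", "AppInit_DLLs entry (loaded into every process that maps user32.dll)", line))
            continue

        m = re.match(r"^O20 - Winlogon Notify: \S+ - (.+)$", line)
        if m:
            if not SYSTEM32.match(m.group(1)):
                findings.append(Finding("HIGH", "Winlogon Notify DLL outside system32 (runs in winlogon.exe as SYSTEM)", line))
            continue

        m = re.match(r"^O23 - Service: .+ - Unknown owner - (.+)$", line)
        if m and re.fullmatch(r"[a-z]:\\windows\\?", m.group(1), re.I):
            findings.append(Finding("MEDIUM", "service ImagePath unresolved; check the ACL on its Services key (cf. SCM event 7028)", line))
            continue

        m = FILE_LINE.match(line)
        if m:
            attrs, path = m.groups()
            if "D" in attrs:
                continue            # directories are not interesting for these rules
            if "S" in attrs and "H" in attrs and SYSTEM32.match(path):
                findings.append(Finding("HIGH", "new System+Hidden file in system32", line))
            elif DRIVE_ROOT.match(path):
                findings.append(Finding("MEDIUM", "executable dropped in the drive root", line))
            elif path.lower().endswith(".bat") and SYSTEM32.match(path):
                findings.append(Finding("MEDIUM", "batch file in system32 (dropper self-delete residue is common)", line))
    return findings


if __name__ == "__main__":
    for f in sorted(triage(SAMPLE_LOG), key=lambda f: f.severity):
        print(f"{f.severity:6} {f.reason}\n       {f.line}")
```

Run it against a saved log.txt / info.txt instead of SAMPLE_LOG by reading the file into `triage()`. The path checks are deliberately narrow and give false negatives, not false positives: a malicious Winlogon Notify DLL that lives in system32 (as the legitimate AVG one does here) passes the Winlogon rule, so pair that check with the "files created in the last month" timestamps, which is why the file rules are in the same pass.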
Walter
Hello.

I'm new, I think I've got a Trojan. I am not experienced with computer technology. I would appreciate your help.
Please step by step, because I am an amateur. I made a mistake. Here is the real log.txt.

Logfile of random's system information tool 1.06 (written by random/random)
Run by HenkHeleen at 2009-04-16 00:41:29
Microsoft Windows XP Home Edition Service Pack 2
System drive C: has 174 GB (91%) free of 191 GB
Total RAM: 1023 MB (52% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 0:55:20, on 16-4-2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Documents and Settings\All Users\Application Data\Macrovision\FLEXnet Connect\6\ISUSPM.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\CompuServe 6.0a\cstray.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN
C:\WINDOWS\system32\PackethSvc.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\AVG\AVG8\aAvgApi.exe
C:\Documents and Settings\HenkHeleen\Bureaublad\RSIT.exe
C:\Program Files\trend micro\HenkHeleen.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.speeleiland.nl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar - {a057a204-bacc-4d26-9990-79a187e2698e} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [Snelkoppeling naar eigenschappenvenster voor High Definition Audio] HDAShCut.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ISUSPM] "C:\Documents and Settings\All Users\Application Data\Macrovision\FLEXnet Connect\6\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: OpenOffice.org 2.0 .lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O4 - Global Startup: CompuServe 6.0-werkbalkpictogram.lnk = C:\Program Files\CompuServe 6.0a\cstray.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Openen in een nieuwe achtergrondtab - res://C:\Program Files\Windows Live Toolbar\Components\nl-nl\msntabres.dll.mui/229?5825dc4c93ca40a5a5d044854f61a7a1
O8 - Extra context menu item: Openen in een nieuwe voorgrondtab - res://C:\Program Files\Windows Live Toolbar\Components\nl-nl\msntabres.dll.mui/230?5825dc4c93ca40a5a5d044854f61a7a1
O9 - Extra button: Verzenden naar OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Verz&enden naar OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: (no name) - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{8C4954F9-58DB-4814-9D3F-F608AE16CC63}: NameServer = 192.168.1.254
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\fetijonu.dll
O20 - Winlogon Notify: arm32reg - C:\Documents and Settings\All Users\Documenten\Settings\arm32.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Intelligente achtergrondsoverdrachtservice (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\system32\PackethSvc.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\system32\PackethSvc.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: Automatische updates (wuauserv) - Unknown owner - C:\WINDOWS\
O24 - Desktop Component 0: (no name) - http://tbn0.google.com/images?q=tbn:z8t7RO.../logos/ajax.jpg

--
End of file - 8260 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\Check Updates for Windows Live Toolbar.job
C:\WINDOWS\tasks\RegistrySmart Scheduled Scan.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2008-06-11 75128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3ca2f312-6f6e-4b53-a66e-4e65e497c8c0}]
AVG Safe Search - C:\Program Files\AVG\AVG8\avgssie.dll [2009-04-15 1078552]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 853672]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Windows Live Sign-in Helper - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2006-07-07 324416]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a057a204-bacc-4d26-9990-79a187e2698e}]
AVG Security Toolbar - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL [2009-04-15 1968920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
Google Toolbar Helper - c:\program files\google\googletoolbar1.dll [2009-02-20 2423872]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll [2009-02-25 737776]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}]
Windows Live Toolbar Helper - C:\Program Files\Windows Live Toolbar\msntb.dll [2006-07-07 493856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - Windows Live Toolbar - C:\Program Files\Windows Live Toolbar\msntb.dll [2006-07-07 493856]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} - &Google - c:\program files\google\googletoolbar1.dll [2009-02-20 2423872]
{A057A204-BACC-4D26-9990-79A187E2698E} - AVG Security Toolbar - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL [2009-04-15 1968920]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Snelkoppeling naar eigenschappenvenster voor High Definition Audio"=C:\WINDOWS\system32\HDAShCut.exe [2005-01-07 61952]
"SoundMan"=C:\WINDOWS\SOUNDMAN.EXE [2006-01-24 86016]
"AlcWzrd"=C:\WINDOWS\ALCWZRD.EXE [2006-01-24 2807808]
"Alcmtr"=C:\WINDOWS\ALCMTR.EXE [2006-01-24 69632]
"ATICCC"=C:\Program Files\ATI Technologies\ATI.ACE\cli.exe [2005-08-12 45056]
"FaxCenterServer"=C:\Program Files\Lexmark Fax Solutions\fm3032.exe [2005-07-12 299008]
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2007-02-07 282624]
"REGSHAVE"=C:\Program Files\REGSHAVE\REGSHAVE.EXE [2002-02-04 53248]
"RealTray"=C:\Program Files\Real\RealPlayer\RealPlay.exe [2007-09-20 26112]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2008-06-12 34672]
"AVG8_TRAY"=C:\PROGRA~1\AVG\AVG8\avgtray.exe [2009-04-15 1932568]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"=C:\WINDOWS\system32\ctfmon.exe [2004-08-04 15360]
"MsnMsgr"=C:\Program Files\MSN Messenger\MsnMsgr.Exe [2007-01-19 5674352]
"ISUSPM"=C:\Documents and Settings\All Users\Application Data\Macrovision\FLEXnet Connect\6\ISUSPM.exe [2007-03-29 222128]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2009-02-25 68856]

C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten
CompuServe 6.0-werkbalkpictogram.lnk - C:\Program Files\CompuServe 6.0a\cstray.exe

C:\Documents and Settings\HenkHeleen\Menu Start\Programma's\Opstarten
OpenOffice.org 2.0 .lnk - C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="C:\WINDOWS\system32\fetijonu.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\arm32reg]
C:\Documents and Settings\All Users\Documenten\Settings\arm32.dll [2007-06-21 12579]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\WINDOWS\system32\Ati2evxx.dll [2006-01-24 47104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avgrsstarter]
C:\WINDOWS\system32\avgrsstx.dll [2009-04-15 10520]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier]
C:\WINDOWS\system32\WRLogonNTF.dll [2007-03-01 233024]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"notification packages"=scecli
C:\WINDOWS\system32\fetijonu.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\sdauxservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\sdcoreservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WebrootSpySweeperService]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{48e15e94-2ce6-11dd-bdfc-00038a000011}]
shell\AutoRun\command - K:\StartVMCLite.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{48e15e95-2ce6-11dd-bdfc-00038a000011}]
shell\AutoRun\command - K:\StartVMCLite.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9768cd79-0020-11de-bf86-00038a000011}]
shell\AutoRun\command - K:\LaunchU3.exe -a


======List of files/folders created in the last 1 months======

2009-04-16 00:41:29 ----D---- C:\rsit
2009-04-16 00:41:29 ----D---- C:\Program Files\trend micro
2009-04-16 00:08:50 ----D---- C:\Documents and Settings\HenkHeleen\Application Data\Malwarebytes
2009-04-16 00:08:45 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-04-16 00:08:45 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-04-15 22:13:54 ----HD---- C:\$AVG8.VAULT$
2009-04-15 22:10:20 ----A---- C:\WINDOWS\system32\avgrsstx.dll
2009-04-15 22:10:08 ----D---- C:\Documents and Settings\HenkHeleen\Application Data\AVGTOOLBAR
2009-04-15 22:09:54 ----D---- C:\Program Files\AVG
2009-04-15 22:09:54 ----D---- C:\Documents and Settings\All Users\Application Data\avg8
2009-04-15 19:35:08 ----SH---- C:\WINDOWS\system32\laroheya.exe
2009-04-15 07:35:01 ----SH---- C:\WINDOWS\system32\bulilufu.exe
2009-04-14 19:34:49 ----SH---- C:\WINDOWS\system32\keradebu.exe
2009-04-14 17:15:49 ----A---- C:\msne.exe
2009-04-13 09:20:42 ----SH---- C:\WINDOWS\system32\kafudera.exe
2009-04-12 21:01:08 ----SH---- C:\WINDOWS\system32\ditetiro.exe
2009-04-12 13:51:34 ----A---- C:\rapef.exe
2009-04-11 08:45:41 ----A---- C:\WINDOWS\system32\SelfDel.bat
2009-03-31 20:11:15 ----A---- C:\WINDOWS\system32\CNMLM9E.DLL

======List of files/folders modified in the last 1 months======

2009-04-16 00:45:26 ----RD---- C:\Program Files
2009-04-16 00:37:15 ----D---- C:\WINDOWS\Prefetch
2009-04-16 00:36:41 ----D---- C:\WINDOWS\Temp
2009-04-16 00:28:02 ----D---- C:\Program Files\CompuServe 6.0a
2009-04-16 00:26:31 ----AD---- C:\WINDOWS\system32
2009-04-16 00:26:30 ----D---- C:\WINDOWS\system32\drivers
2009-04-16 00:25:47 ----A---- C:\WINDOWS\win.ini
2009-04-16 00:25:25 ----D---- C:\Documents and Settings\HenkHeleen\Application Data\OpenOffice.org2
2009-04-16 00:25:23 ----D---- C:\WINDOWS
2009-04-16 00:24:04 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-04-15 22:09:54 ----SHD---- C:\WINDOWS\Installer
2009-04-15 22:09:53 ----D---- C:\WINDOWS\WinSxS
2009-04-15 22:09:53 ----D---- C:\Program Files\Common Files\Microsoft Shared
2009-04-15 20:59:58 ----D---- C:\WINDOWS\system32\CatRoot2
2009-04-11 08:30:30 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-03-31 20:11:44 ----HD---- C:\WINDOWS\inf
2009-03-29 18:13:15 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 avgldx86;AVG Free AVI Loader Driver x86; C:\WINDOWS\System32\Drivers\avgldx86.sys [2009-04-15 325640]
R1 avgmfx86;AVG Free On-access Scanner Minifilter Driver x86; C:\WINDOWS\System32\Drivers\avgmfx86.sys [2009-04-15 27656]
R1 avgtdix;AVG Free8 Network Redirector; C:\WINDOWS\System32\Drivers\avgtdix.sys [2009-04-15 108552]
R1 IKSysFlt;System Filter Driver; C:\WINDOWS\system32\drivers\iksysflt.sys [2007-08-14 57672]
R1 IKSysSec;System Security Driver; C:\WINDOWS\system32\drivers\iksyssec.sys [2007-08-14 82248]
R1 intelppm;Intel GV3-processorstuurprogramma; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2004-08-28 40192]
R1 kbdhid;Stuurprogramma voor toetsenbord-HID; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2004-08-04 14848]
R2 ASCTRM;ASCTRM; C:\WINDOWS\system32\drivers\ASCTRM.sys [2007-09-20 8552]
R3 Arp1394;1394 ARP-clientprotocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2004-08-04 60800]
R3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2006-01-24 1410560]
R3 HDAudBus;Microsoft UAA-busstuurprogramma voor High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2005-01-07 138752]
R3 hidusb;Microsoft HID Class-stuurprogramma; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2004-08-04 9600]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2006-01-24 4123136]
R3 Iviaspi;IVI ASPI Shell; C:\WINDOWS\system32\drivers\iviaspi.sys [2005-07-26 10368]
R3 mouhid;Stuurprogramma voor muis-HID; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2004-08-04 12288]
R3 NIC1394;1394-stuurprogramma; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2004-08-04 61824]
R3 RTL8023xp;Realtek 10/100/1000 NIC Family all in one NDIS XP Driver; C:\WINDOWS\system32\DRIVERS\Rtnicxp.sys [2006-01-18 80512]
R3 SSKBFD;Webroot Spy Sweeper Keylogger Shield Keyboard Filter; C:\WINDOWS\System32\Drivers\sskbfd.sys [2007-03-01 21056]
R3 usbccgp;Microsoft generiek hoofd-USB-stuurprogramma; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2004-08-04 31616]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2004-08-04 26624]
R3 usbhub;Stuurprogramma voor Microsoft USB Standaard-hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-08-04 57600]
R3 usbstor;Stuurprogramma voor USB-massaopslag; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 26496]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2004-08-04 20480]
R3 wandrv;WAN Network Driver; C:\WINDOWS\system32\DRIVERS\wandrv.sys [2001-08-09 22608]
S1 smtpdrv;smtpdrv; C:\WINDOWS\System32\DRIVERS\smtpdrv.sys []
S2 CoachCap;FUJIFILM EX-10/EX-20 PC V1.00; C:\WINDOWS\system32\drivers\CoachCap.sys [2002-03-03 93068]
S3 CCDECODE;Closed Caption-decoder; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2004-08-03 17024]
S3 HdAudAddService;Microsoft UAA-functiestuurprogramma voor High Definition Audio-service; C:\WINDOWS\system32\drivers\HdAudio.sys [2005-01-07 145920]
S3 hwdatacard;Huawei DataCard USB Modem and USB Serial; C:\WINDOWS\system32\DRIVERS\ewusbmdm.sys [2007-11-05 101120]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink-conversieprogramma; C:\WINDOWS\system32\drivers\MSTEE.sys [2004-08-03 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2004-08-03 85376]
S3 NdisIP;Microsoft TV/Video-verbinding; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2004-08-03 10880]
S3 rtl8139;NT-stuurprogramma voor Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter; C:\WINDOWS\system32\DRIVERS\RTL8139.SYS [2004-08-04 20992]
S3 runtime;runtime; \??\C:\WINDOWS\System32\drivers\runtime.sys []
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2004-08-03 11136]
S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2004-08-03 15360]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-03 25856]
S3 usbscan;Stuurprogramma voor USB-scanner; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 15104]
S3 WSTCODEC;World Standard Teletext-codec; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2004-08-03 19328]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2006-01-24 393216]
R2 avg8emc;AVG Free8 E-mail Scanner; C:\PROGRA~1\AVG\AVG8\avgemc.exe [2009-04-15 908056]
R2 avg8wd;AVG Free8 WatchDog; C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2009-04-15 298264]
R2 PackethSvc;Virtual NIC Service; C:\WINDOWS\system32\PackethSvc.exe [2001-08-09 64512]
R2 PackethSvc;Virtual NIC Service; C:\WINDOWS\system32\PackethSvc.exe [2001-08-09 64512]
R2 UleadBurningHelper;Ulead Burning Helper; C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe [2004-12-13 49152]
R2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2005-01-28 38912]
R2 WebrootSpySweeperService;Webroot Spy Sweeper Engine; C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe [2007-03-01 3379264]
S2 Fax;Fax; C:\WINDOWS\system32\fxssvc.exe [2004-08-04 268288]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2005-09-23 29896]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2005-09-23 66240]
S3 gusvc;Google Updater Service; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-02-20 138168]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2006-10-26 441136]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S3 sdAuxService;PC Tools Auxiliary Service; C:\Program Files\Spyware Doctor\svcntaux.exe [2007-08-14 729416]
S3 sdCoreService;PC Tools Security Service; C:\Program Files\Spyware Doctor\swdsvc.exe [2007-08-14 1407816]
S3 usnjsvc;Messenger USN Journal Reader service voor Gedeelde mappen; C:\Program Files\MSN Messenger\usnsvc.exe [2007-01-19 97136]

-----------------EOF-----------------
LoPhatPhuud
Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:

1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Give it at least 20-30 minutes to finish if needed.
Walter
Hello,

I hope I did it well. I'm an amateur, so I'm not sure whether this is good. Here is the ComboFix.txt:

ComboFix 09-04-17.01 - HenkHeleen 16-04-2009 19:23.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.31.1043.18.1023.608 [GMT 2:00]
Gestart vanuit: c:\documents and settings\HenkHeleen\Bureaublad\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

WA*****UWING - DE RECOVERY CONSOLE IS NIET OP DIT SYSTEEM GEINSTALLEERD !!
.

(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\HenkHeleen\err.log
c:\documents and settings\HenkHeleen\ResErrors.log
c:\documents and settings\Lennart Jan\err.log
c:\documents and settings\Lennart Jan\ResErrors.log
c:\documents and settings\Lydia\err.log
c:\windows\system32\3_exception.nls
c:\windows\system32\drivers\ip6fw.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_DRIVER
-------\Legacy_runtime
-------\Legacy_RUNTIME2
-------\Legacy_SMTPDRV
-------\Service_Driver
-------\Service_runtime
-------\Service_runtime2
-------\Service_smtpdrv


(((((((((((((((((((( Bestanden Gemaakt van 2009-03-16 to 2009-04-16 ))))))))))))))))))))))))))))))
.

2009-04-15 22:41 . 2009-04-15 22:55 -------- d-----w C:\rsit
2009-04-15 22:08 . 2009-04-15 22:08 -------- d-----w c:\documents and settings\HenkHeleen\Application Data\Malwarebytes
2009-04-15 22:08 . 2009-04-06 13:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-15 22:08 . 2009-04-06 13:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-15 22:08 . 2009-04-15 22:08 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-15 20:13 . 2009-04-15 21:38 -------- d--h--w C:\$AVG8.VAULT$
2009-04-15 20:10 . 2009-04-15 20:10 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-04-15 20:10 . 2009-04-15 20:10 10520 ----a-w c:\windows\system32\avgrsstx.dll
2009-04-15 20:10 . 2009-04-15 20:10 325640 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-04-15 20:10 . 2009-04-16 16:33 -------- d-----w c:\windows\system32\drivers\Avg
2009-04-15 20:10 . 2009-04-15 20:34 -------- d-----w c:\documents and settings\HenkHeleen\Application Data\AVGTOOLBAR
2009-04-15 20:09 . 2009-04-16 17:09 -------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-04-15 17:35 . 2009-04-15 17:35 2146 --sh--w c:\windows\system32\laroheya.exe
2009-04-15 05:35 . 2009-04-15 05:35 2146 --sh--w c:\windows\system32\bulilufu.exe
2009-04-14 17:34 . 2009-04-14 17:34 2146 --sh--w c:\windows\system32\keradebu.exe
2009-04-14 15:15 . 2009-04-14 16:16 12336 ----a-w C:\msne.exe
2009-04-13 07:20 . 2009-04-13 07:20 2146 --sh--w c:\windows\system32\kafudera.exe
2009-04-12 19:01 . 2009-04-12 19:01 2146 --sh--w c:\windows\system32\ditetiro.exe
2009-04-12 11:51 . 2009-04-12 11:51 290 ----a-w C:\rapef.exe
2009-04-11 06:45 . 2009-04-11 06:45 155 ----a-w c:\windows\system32\SelfDel.bat
2009-04-11 06:30 . 2009-04-16 17:35 109010 ----a-w c:\windows\system32\drivers\75a30545.sys
2009-04-10 17:21 . 2009-04-10 17:21 -------- d-----w c:\documents and settings\Lennart Jan\Local Settings\Application Data\Google
2009-03-31 18:11 . 2008-05-26 20:00 230912 ----a-w c:\windows\system32\CNMLM9E.DLL

.
((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-16 17:32 . 2006-12-15 14:14 -------- d-----w c:\documents and settings\HenkHeleen\Application Data\OpenOffice.org2
2009-04-15 22:55 . 2009-04-15 22:41 -------- d-----w c:\program files\trend micro
2009-04-15 22:28 . 2007-09-20 15:14 -------- d-----w c:\program files\CompuServe 6.0a
2009-04-15 22:08 . 2009-04-15 22:08 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-15 20:09 . 2009-04-15 20:09 -------- d-----w c:\program files\AVG
2009-04-10 17:22 . 2006-12-20 19:59 268 ---ha-w C:\sqmdata11.sqm
2009-04-10 17:22 . 2006-12-20 19:39 244 ---ha-w C:\sqmnoopt09.sqm
2009-04-10 17:15 . 2006-09-14 15:08 29848 ----a-w c:\documents and settings\Lennart Jan\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-03 12:51 . 2006-12-20 19:53 268 ---ha-w C:\sqmdata10.sqm
2009-04-03 12:51 . 2006-12-20 19:20 244 ---ha-w C:\sqmnoopt08.sqm
2009-04-02 20:09 . 2006-12-20 19:39 268 ---ha-w C:\sqmdata09.sqm
2009-04-02 20:09 . 2006-12-20 18:31 244 ---ha-w C:\sqmnoopt07.sqm
2009-04-02 15:42 . 2006-12-20 19:20 268 ---ha-w C:\sqmdata08.sqm
2009-04-02 15:42 . 2006-12-20 18:30 244 ---ha-w C:\sqmnoopt06.sqm
2009-04-01 18:46 . 2006-12-20 18:31 232 ---ha-w C:\sqmdata07.sqm
2009-04-01 18:46 . 2006-12-20 18:12 244 ---ha-w C:\sqmnoopt05.sqm
2009-04-01 18:08 . 2006-12-20 18:30 232 ---ha-w C:\sqmdata06.sqm
2009-04-01 18:08 . 2006-12-20 18:05 244 ---ha-w C:\sqmnoopt04.sqm
2009-03-29 16:13 . 2006-03-08 09:28 83124 ----a-w c:\windows\system32\perfc013.dat
2009-03-29 16:13 . 2006-03-08 09:28 470086 ----a-w c:\windows\system32\perfh013.dat
2009-03-18 17:45 . 2006-12-20 18:12 268 ---ha-w C:\sqmdata05.sqm
2009-03-18 17:45 . 2006-12-20 17:46 244 ---ha-w C:\sqmnoopt03.sqm
2009-03-17 21:22 . 2006-12-20 18:05 268 ---ha-w C:\sqmdata04.sqm
2009-03-17 21:22 . 2006-12-20 17:46 244 ---ha-w C:\sqmnoopt02.sqm
2009-03-17 20:07 . 2006-12-20 17:46 244 ---ha-w C:\sqmnoopt01.sqm
2009-03-17 20:07 . 2006-12-20 17:46 232 ---ha-w C:\sqmdata02.sqm
2009-03-17 19:46 . 2006-12-20 17:46 232 ---ha-w C:\sqmdata03.sqm
2009-03-17 19:46 . 2006-12-20 16:34 244 ---ha-w C:\sqmnoopt00.sqm
2009-03-17 19:27 . 2006-12-28 14:59 244 ---ha-w C:\sqmnoopt19.sqm
2009-03-17 19:27 . 2006-12-20 17:46 232 ---ha-w C:\sqmdata01.sqm
2009-03-17 19:18 . 2006-12-28 14:57 244 ---ha-w C:\sqmnoopt18.sqm
2009-03-17 19:18 . 2006-12-20 16:34 232 ---ha-w C:\sqmdata00.sqm
2009-03-17 16:42 . 2006-12-28 14:59 232 ---ha-w C:\sqmdata19.sqm
2009-03-17 16:42 . 2006-12-21 18:21 244 ---ha-w C:\sqmnoopt17.sqm
2009-03-11 11:27 . 2006-12-15 14:10 -------- d-----w c:\documents and settings\HenkHeleen\Application Data\U3
2009-03-07 15:16 . 2009-03-07 15:16 -------- d-----w c:\program files\DivX
2009-03-03 17:27 . 2006-10-19 17:20 -------- d-----w c:\program files\EA SPORTS
2009-03-03 16:26 . 2006-12-28 14:57 268 ---ha-w C:\sqmdata18.sqm
2009-03-03 16:26 . 2006-12-21 18:17 244 ---ha-w C:\sqmnoopt16.sqm
2009-03-03 13:28 . 2006-12-21 18:21 232 ---ha-w C:\sqmdata17.sqm
2009-03-03 13:28 . 2006-12-21 18:12 244 ---ha-w C:\sqmnoopt15.sqm
2009-02-21 11:29 . 2009-02-20 14:49 -------- d-----w c:\program files\NOS
2009-02-21 11:29 . 2009-02-20 14:49 -------- d-----w c:\documents and settings\All Users\Application Data\NOS
2009-02-20 15:06 . 2009-02-20 14:50 -------- d-----w c:\program files\Google
2009-02-20 14:55 . 2009-02-20 14:55 -------- d-----w c:\program files\Common Files\Adobe
2009-02-17 12:00 . 2006-12-21 18:17 268 ---ha-w C:\sqmdata16.sqm
2009-02-17 12:00 . 2006-12-21 18:11 244 ---ha-w C:\sqmnoopt14.sqm
2009-02-16 20:21 . 2006-12-21 18:12 232 ---ha-w C:\sqmdata15.sqm
2009-02-16 20:21 . 2006-12-21 18:10 244 ---ha-w C:\sqmnoopt13.sqm
2009-02-16 16:12 . 2006-12-21 18:11 232 ---ha-w C:\sqmdata14.sqm
2009-02-16 16:12 . 2006-12-21 18:07 244 ---ha-w C:\sqmnoopt12.sqm
2009-02-14 17:29 . 2006-12-21 18:10 268 ---ha-w C:\sqmdata13.sqm
2009-02-14 17:29 . 2006-12-20 19:59 244 ---ha-w C:\sqmnoopt11.sqm
2009-02-14 11:45 . 2006-09-09 08:02 29848 ----a-w c:\documents and settings\Reinier\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-02-02 15:17 . 2006-12-21 18:07 268 ---ha-w C:\sqmdata12.sqm
2009-02-02 15:17 . 2006-12-20 19:53 244 ---ha-w C:\sqmnoopt10.sqm
2008-11-08 14:54 . 2006-09-14 17:07 29848 ----a-w c:\documents and settings\HenkHeleen\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2008-10-04 17:43 . 2006-09-08 14:23 16624 ----a-w c:\documents and settings\Walter\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2008-04-12 08:10 . 2006-09-09 07:08 16624 ----a-w c:\documents and settings\Lydia\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2006-09-14 17:07 . 2006-09-14 17:07 133 ----a-w c:\documents and settings\HenkHeleen\Local Settings\Application Data\fusioncache.dat
2006-09-14 15:09 . 2006-09-14 15:08 134 ----a-w c:\documents and settings\Lennart Jan\Local Settings\Application Data\fusioncache.dat
2006-09-09 08:02 . 2006-09-09 08:02 130 ----a-w c:\documents and settings\Reinier\Local Settings\Application Data\fusioncache.dat
2006-09-09 07:08 . 2006-09-09 07:08 128 ----a-w c:\documents and settings\Lydia\Local Settings\Application Data\fusioncache.dat
2006-09-08 14:23 . 2006-09-08 14:23 129 ----a-w c:\documents and settings\Walter\Local Settings\Application Data\fusioncache.dat
.

((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"ISUSPM"="c:\documents and settings\All Users\Application Data\Macrovision\FLEXnet Connect\6\ISUSPM.exe" [2007-03-29 222128]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-02-25 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-12 45056]
"FaxCenterServer"="c:\program files\Lexmark Fax Solutions\fm3032.exe" [2005-07-12 299008]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-02-07 282624]
"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 53248]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2007-09-20 26112]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-04-15 1932568]
"Snelkoppeling naar eigenschappenvenster voor High Definition Audio"="HDAShCut.exe" - c:\windows\system32\HdAShCut.exe [2005-01-07 61952]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2006-01-24 86016]
"AlcWzrd"="ALCWZRD.EXE" - c:\windows\ALCWZRD.EXE [2006-01-24 2807808]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\Walter\Menu Start\Programma's\Opstarten\
OpenOffice.org 2.0 .lnk - c:\program files\OpenOffice.org 2.0\program\quickstart.exe [2006-1-25 61440]

c:\documents and settings\HenkHeleen\Menu Start\Programma's\Opstarten\
OpenOffice.org 2.0 .lnk - c:\program files\OpenOffice.org 2.0\program\quickstart.exe [2006-1-25 61440]

c:\documents and settings\All Users\Menu Start\Programma's\Opstarten\
CompuServe 6.0-werkbalkpictogram.lnk - c:\program files\CompuServe 6.0a\cstray.exe [2007-9-20 36935]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\arm32reg]
2007-06-21 21:10 12579 --sh--w c:\documents and settings\All Users\Documenten\Settings\arm32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-04-15 20:10 10520 ----a-w c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\fetijonu.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.JPEG"= jpegCode.dll
"VIDC.MJPG"= mtkjpeg.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"=

R2 CoachCap;FUJIFILM EX-10/EX-20 PC V1.00;c:\windows\system32\drivers\CoachCap.sys [2002-03-03 93068]
R3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\svcntaux.exe [2007-08-14 729416]
S1 avgldx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-04-15 325640]
S1 avgtdix;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-04-15 108552]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-04-15 908056]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-04-15 298264]
S2 PackethSvc;Virtual NIC Service;c:\windows\system32\PackethSvc.exe [2001-08-09 64512]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{48e15e94-2ce6-11dd-bdfc-00038a000011}]
\Shell\AutoRun\command - K:\StartVMCLite.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{48e15e95-2ce6-11dd-bdfc-00038a000011}]
\Shell\AutoRun\command - K:\StartVMCLite.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9768cd79-0020-11de-bf86-00038a000011}]
\Shell\AutoRun\command - K:\LaunchU3.exe -a
.
Inhoud van de 'Gedeelde Taken' map

2009-04-15 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2006-07-07 16:26]
.
- - - - ORPHANS VERWIJDERD - - - -

HKLM-Run-startdrv - c:\windows\Temp\startdrv.exe


.
------- Bijkomende Scan -------
.
uStart Page = hxxp://www.speeleiland.nl/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: E&xporteren naar Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Openen in een nieuwe achtergrondtab - c:\program files\Windows Live Toolbar\Components\nl-nl\msntabres.dll.mui/229?5825dc4c93ca40a5a5d044854f61a7a1
IE: Openen in een nieuwe voorgrondtab - c:\program files\Windows Live Toolbar\Components\nl-nl\msntabres.dll.mui/230?5825dc4c93ca40a5a5d044854f61a7a1
TCP: {8C4954F9-58DB-4814-9D3F-F608AE16CC63} = 192.168.1.254
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-16 19:35
Windows 5.1.2600 Service Pack 2 NTFS

scannen van verborgen processen ...

scannen van verborgen autostart items ...

scannen van verborgen bestanden ...

Scan succesvol afgerond
verborgen bestanden:

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ovfsthxfxhxidib]
"imagepath"="\systemroot\system32\drivers\ovfsthxarsvdnkb.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\75a30545]
"ImagePath"="\SystemRoot\System32\drivers\75a30545.sys"
.
--------------------- DLLs Geladen Onder Lopende Processen ---------------------

- - - - - - - > 'winlogon.exe'(772)
c:\documents and settings\All Users\Documenten\Settings\arm32.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\WRLogonNTF.dll

- - - - - - - > 'explorer.exe'(2376)
c:\windows\system32\msi.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.NLD
.
------------------------ Andere Aktieve Processen ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Internet Explorer\IEXPLORE.EXE
c:\windows\system32\ati2evxx.exe
c:\program files\OpenOffice.org 2.0\program\soffice.exe
c:\program files\OpenOffice.org 2.0\program\soffice.bin
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Webroot\Spy Sweeper\SpySweeper.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Voltooingstijd: 2009-04-16 19:36 - machine werd herstart
ComboFix-quarantined-files.txt 2009-04-16 17:36

Pre-Run: 182.455.955.456 bytes beschikbaar
Post-Run: 182.653.988.864 bytes beschikbaar

WindowsXP-KB310994-SP2-Home-BootDisk-NLD.exe

239

kind regards,
Walter
LoPhatPhuud
You did fine!


First:
1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

QUOTE
KillAll::

File::
c:\windows\system32\laroheya.exe
c:\windows\system32\bulilufu.exe
c:\windows\system32\keradebu.exe
C:\msne.exe
c:\windows\system32\kafudera.exe
c:\windows\system32\ditetiro.exe
C:\rapef.exe
C:\Documents and Settings\All Users\Documenten\Settings\arm32.dll
c:\windows\system32\fetijonu.dll

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=-

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\arm32reg]


Save this as CFScript.txt, in the same location as ComboFix.exe


Second:
Please submit the following file(s) to VirusTotal for analysis: http://www.virustotal.com

c:\windows\system32\drivers\75a30545.sys
c:\windows\system32\drivers\ovfsthxarsvdnkb.sys


Be sure to post the results in this thread.
Walter
Hi,

c:\windows\system32\drivers\75a30545.sys: file found, BUT not allowed to copy the file to a folder for uploading
c:\windows\system32\drivers\ovfsthxarsvdnkb.sys: file NOT found!
Please tell me what to do with these files, delete?

Result of ComboFix.exe with script:

ComboFix 09-04-21.01 - HenkHeleen 20-04-2009 20:02.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.31.1043.18.1023.607 [GMT 2:00]
Gestart vanuit: c:\documents and settings\HenkHeleen\Bureaublad\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)

WA*****UWING - DE RECOVERY CONSOLE IS NIET OP DIT SYSTEEM GEINSTALLEERD !!
.

(((((((((((((((((((( Bestanden Gemaakt van 2009-03-21 to 2009-04-21 ))))))))))))))))))))))))))))))
.

2009-04-15 22:41 . 2009-04-15 22:55 -------- d-----w C:\rsit
2009-04-15 22:08 . 2009-04-15 22:08 -------- d-----w c:\documents and settings\HenkHeleen\Application Data\Malwarebytes
2009-04-15 22:08 . 2009-04-06 13:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-15 22:08 . 2009-04-06 13:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-15 22:08 . 2009-04-15 22:08 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-15 20:13 . 2009-04-17 15:59 -------- d--h--w C:\$AVG8.VAULT$
2009-04-15 20:10 . 2009-04-15 20:10 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-04-15 20:10 . 2009-04-15 20:10 10520 ----a-w c:\windows\system32\avgrsstx.dll
2009-04-15 20:10 . 2009-04-15 20:10 325640 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-04-15 20:10 . 2009-04-20 07:43 -------- d-----w c:\windows\system32\drivers\Avg
2009-04-15 20:10 . 2009-04-15 20:34 -------- d-----w c:\documents and settings\HenkHeleen\Application Data\AVGTOOLBAR
2009-04-15 20:09 . 2009-04-17 16:42 -------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-04-15 17:35 . 2009-04-15 17:35 2146 --sh--w c:\windows\system32\laroheya.exe
2009-04-15 05:35 . 2009-04-15 05:35 2146 --sh--w c:\windows\system32\bulilufu.exe
2009-04-14 17:34 . 2009-04-14 17:34 2146 --sh--w c:\windows\system32\keradebu.exe
2009-04-14 15:15 . 2009-04-14 16:16 12336 ----a-w C:\msne.exe
2009-04-13 07:20 . 2009-04-13 07:20 2146 --sh--w c:\windows\system32\kafudera.exe
2009-04-12 19:01 . 2009-04-12 19:01 2146 --sh--w c:\windows\system32\ditetiro.exe
2009-04-12 11:51 . 2009-04-12 11:51 290 ----a-w C:\rapef.exe
2009-04-11 06:45 . 2009-04-11 06:45 155 ----a-w c:\windows\system32\SelfDel.bat
2009-04-11 06:30 . 2009-04-20 18:04 109010 ----a-w c:\windows\system32\drivers\75a30545.sys
2009-04-10 17:21 . 2009-04-10 17:21 -------- d-----w c:\documents and settings\Lennart Jan\Local Settings\Application Data\Google
2009-03-31 18:11 . 2008-05-26 20:00 230912 ----a-w c:\windows\system32\CNMLM9E.DLL

.
((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-20 15:50 . 2006-12-15 14:14 -------- d-----w c:\documents and settings\HenkHeleen\Application Data\OpenOffice.org2
2009-04-20 15:30 . 2006-12-28 14:57 244 ---ha-w C:\sqmnoopt18.sqm
2009-04-20 15:30 . 2006-12-20 16:34 268 ---ha-w C:\sqmdata00.sqm
2009-04-20 15:28 . 2007-09-20 15:14 -------- d-----w c:\program files\CompuServe 6.0a
2009-04-20 15:24 . 2006-12-28 14:59 268 ---ha-w C:\sqmdata19.sqm
2009-04-20 15:24 . 2006-12-21 18:21 244 ---ha-w C:\sqmnoopt17.sqm
2009-04-20 14:06 . 2006-12-28 14:57 268 ---ha-w C:\sqmdata18.sqm
2009-04-20 14:06 . 2006-12-21 18:17 244 ---ha-w C:\sqmnoopt16.sqm
2009-04-19 17:19 . 2006-12-21 18:21 268 ---ha-w C:\sqmdata17.sqm
2009-04-19 17:19 . 2006-12-21 18:12 244 ---ha-w C:\sqmnoopt15.sqm
2009-04-19 12:44 . 2006-12-21 18:17 268 ---ha-w C:\sqmdata16.sqm
2009-04-19 12:44 . 2006-12-21 18:11 244 ---ha-w C:\sqmnoopt14.sqm
2009-04-19 11:07 . 2006-12-21 18:12 268 ---ha-w C:\sqmdata15.sqm
2009-04-19 11:07 . 2006-12-21 18:10 244 ---ha-w C:\sqmnoopt13.sqm
2009-04-17 19:26 . 2006-12-21 18:11 268 ---ha-w C:\sqmdata14.sqm
2009-04-17 19:26 . 2006-12-21 18:07 244 ---ha-w C:\sqmnoopt12.sqm
2009-04-17 17:39 . 2006-12-21 18:10 268 ---ha-w C:\sqmdata13.sqm
2009-04-17 17:39 . 2006-12-20 19:59 244 ---ha-w C:\sqmnoopt11.sqm
2009-04-17 16:39 . 2006-12-21 18:07 268 ---ha-w C:\sqmdata12.sqm
2009-04-17 16:39 . 2006-12-20 19:53 244 ---ha-w C:\sqmnoopt10.sqm
2009-04-16 17:37 . 2006-03-08 09:28 83124 ----a-w c:\windows\system32\perfc013.dat
2009-04-16 17:37 . 2006-03-08 09:28 470086 ----a-w c:\windows\system32\perfh013.dat
2009-04-15 22:55 . 2009-04-15 22:41 -------- d-----w c:\program files\trend micro
2009-04-15 22:08 . 2009-04-15 22:08 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-15 20:09 . 2009-04-15 20:09 -------- d-----w c:\program files\AVG
2009-04-10 17:22 . 2006-12-20 19:59 268 ---ha-w C:\sqmdata11.sqm
2009-04-10 17:22 . 2006-12-20 19:39 244 ---ha-w C:\sqmnoopt09.sqm
2009-04-10 17:15 . 2006-09-14 15:08 29848 ----a-w c:\documents and settings\Lennart Jan\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-03 12:51 . 2006-12-20 19:53 268 ---ha-w C:\sqmdata10.sqm
2009-04-03 12:51 . 2006-12-20 19:20 244 ---ha-w C:\sqmnoopt08.sqm
2009-04-02 20:09 . 2006-12-20 19:39 268 ---ha-w C:\sqmdata09.sqm
2009-04-02 20:09 . 2006-12-20 18:31 244 ---ha-w C:\sqmnoopt07.sqm
2009-04-02 15:42 . 2006-12-20 19:20 268 ---ha-w C:\sqmdata08.sqm
2009-04-02 15:42 . 2006-12-20 18:30 244 ---ha-w C:\sqmnoopt06.sqm
2009-04-01 18:46 . 2006-12-20 18:31 232 ---ha-w C:\sqmdata07.sqm
2009-04-01 18:46 . 2006-12-20 18:12 244 ---ha-w C:\sqmnoopt05.sqm
2009-04-01 18:08 . 2006-12-20 18:30 232 ---ha-w C:\sqmdata06.sqm
2009-04-01 18:08 . 2006-12-20 18:05 244 ---ha-w C:\sqmnoopt04.sqm
2009-03-18 17:45 . 2006-12-20 18:12 268 ---ha-w C:\sqmdata05.sqm
2009-03-18 17:45 . 2006-12-20 17:46 244 ---ha-w C:\sqmnoopt03.sqm
2009-03-17 21:22 . 2006-12-20 18:05 268 ---ha-w C:\sqmdata04.sqm
2009-03-17 21:22 . 2006-12-20 17:46 244 ---ha-w C:\sqmnoopt02.sqm
2009-03-17 20:07 . 2006-12-20 17:46 244 ---ha-w C:\sqmnoopt01.sqm
2009-03-17 20:07 . 2006-12-20 17:46 232 ---ha-w C:\sqmdata02.sqm
2009-03-17 19:46 . 2006-12-20 17:46 232 ---ha-w C:\sqmdata03.sqm
2009-03-17 19:46 . 2006-12-20 16:34 244 ---ha-w C:\sqmnoopt00.sqm
2009-03-17 19:27 . 2006-12-28 14:59 244 ---ha-w C:\sqmnoopt19.sqm
2009-03-17 19:27 . 2006-12-20 17:46 232 ---ha-w C:\sqmdata01.sqm
2009-03-11 11:27 . 2006-12-15 14:10 -------- d-----w c:\documents and settings\HenkHeleen\Application Data\U3
2009-03-07 15:16 . 2009-03-07 15:16 -------- d-----w c:\program files\DivX
2009-03-03 17:27 . 2006-10-19 17:20 -------- d-----w c:\program files\EA SPORTS
2009-02-21 11:29 . 2009-02-20 14:49 -------- d-----w c:\program files\NOS
2009-02-21 11:29 . 2009-02-20 14:49 -------- d-----w c:\documents and settings\All Users\Application Data\NOS
2009-02-20 15:06 . 2009-02-20 14:50 -------- d-----w c:\program files\Google
2009-02-20 14:55 . 2009-02-20 14:55 -------- d-----w c:\program files\Common Files\Adobe
2009-02-14 11:45 . 2006-09-09 08:02 29848 ----a-w c:\documents and settings\Reinier\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2008-11-08 14:54 . 2006-09-14 17:07 29848 ----a-w c:\documents and settings\HenkHeleen\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2008-10-04 17:43 . 2006-09-08 14:23 16624 ----a-w c:\documents and settings\Walter\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2008-04-12 08:10 . 2006-09-09 07:08 16624 ----a-w c:\documents and settings\Lydia\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2006-09-14 17:07 . 2006-09-14 17:07 133 ----a-w c:\documents and settings\HenkHeleen\Local Settings\Application Data\fusioncache.dat
2006-09-14 15:09 . 2006-09-14 15:08 134 ----a-w c:\documents and settings\Lennart Jan\Local Settings\Application Data\fusioncache.dat
2006-09-09 08:02 . 2006-09-09 08:02 130 ----a-w c:\documents and settings\Reinier\Local Settings\Application Data\fusioncache.dat
2006-09-09 07:08 . 2006-09-09 07:08 128 ----a-w c:\documents and settings\Lydia\Local Settings\Application Data\fusioncache.dat
2006-09-08 14:23 . 2006-09-08 14:23 129 ----a-w c:\documents and settings\Walter\Local Settings\Application Data\fusioncache.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-04-16_17.35.02 )))))))))))))))))))))))))))))))))))))))))
.
- 2006-03-08 09:28 . 2009-03-29 16:13 63860 c:\windows\system32\perfc009.dat
+ 2006-03-08 09:28 . 2009-04-16 17:37 63860 c:\windows\system32\perfc009.dat
+ 2006-03-08 16:00 . 2009-04-20 15:50 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2006-03-08 16:00 . 2009-04-16 17:31 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2006-03-08 16:00 . 2009-04-20 15:50 32768 c:\windows\system32\config\systemprofile\Local Settings\Geschiedenis\History.IE5\index.dat
- 2006-03-08 16:00 . 2009-04-16 17:31 32768 c:\windows\system32\config\systemprofile\Local Settings\Geschiedenis\History.IE5\index.dat
+ 2006-03-08 16:00 . 2009-04-20 15:50 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2006-03-08 16:00 . 2009-04-16 17:31 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2006-03-08 09:28 . 2009-04-16 17:37 405310 c:\windows\system32\perfh009.dat
- 2006-03-08 09:28 . 2009-03-29 16:13 405310 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legitimate default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"ISUSPM"="c:\documents and settings\All Users\Application Data\Macrovision\FLEXnet Connect\6\ISUSPM.exe" [2007-03-29 222128]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-02-25 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-12 45056]
"FaxCenterServer"="c:\program files\Lexmark Fax Solutions\fm3032.exe" [2005-07-12 299008]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-02-07 282624]
"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 53248]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2007-09-20 26112]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-04-15 1932568]
"Snelkoppeling naar eigenschappenvenster voor High Definition Audio"="HDAShCut.exe" - c:\windows\system32\HdAShCut.exe [2005-01-07 61952]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2006-01-24 86016]
"AlcWzrd"="ALCWZRD.EXE" - c:\windows\ALCWZRD.EXE [2006-01-24 2807808]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\Walter\Menu Start\Programma's\Opstarten\
OpenOffice.org 2.0 .lnk - c:\program files\OpenOffice.org 2.0\program\quickstart.exe [2006-1-25 61440]

c:\documents and settings\HenkHeleen\Menu Start\Programma's\Opstarten\
OpenOffice.org 2.0 .lnk - c:\program files\OpenOffice.org 2.0\program\quickstart.exe [2006-1-25 61440]

c:\documents and settings\All Users\Menu Start\Programma's\Opstarten\
CompuServe 6.0-werkbalkpictogram.lnk - c:\program files\CompuServe 6.0a\cstray.exe [2007-9-20 36935]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\arm32reg]
2007-06-21 21:10 12579 --sh--w c:\documents and settings\All Users\Documenten\Settings\arm32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-04-15 20:10 10520 ----a-w c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\fetijonu.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"=

R2 CoachCap;FUJIFILM EX-10/EX-20 PC V1.00;c:\windows\system32\drivers\CoachCap.sys [2002-03-03 93068]
R3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\svcntaux.exe [2007-08-14 729416]
S1 avgldx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-04-15 325640]
S1 avgtdix;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-04-15 108552]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-04-15 908056]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-04-15 298264]
S2 PackethSvc;Virtual NIC Service;c:\windows\system32\PackethSvc.exe [2001-08-09 64512]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{48e15e94-2ce6-11dd-bdfc-00038a000011}]
\Shell\AutoRun\command - K:\StartVMCLite.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{48e15e95-2ce6-11dd-bdfc-00038a000011}]
\Shell\AutoRun\command - K:\StartVMCLite.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9768cd79-0020-11de-bf86-00038a000011}]
\Shell\AutoRun\command - K:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2009-04-20 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2006-07-07 16:26]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.speeleiland.nl/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: E&xporteren naar Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Openen in een nieuwe achtergrondtab - c:\program files\Windows Live Toolbar\Components\nl-nl\msntabres.dll.mui/229?5825dc4c93ca40a5a5d044854f61a7a1
IE: Openen in een nieuwe voorgrondtab - c:\program files\Windows Live Toolbar\Components\nl-nl\msntabres.dll.mui/230?5825dc4c93ca40a5a5d044854f61a7a1
TCP: {8C4954F9-58DB-4814-9D3F-F608AE16CC63} = 192.168.1.254
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-20 20:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\drivers\ovfsthxarsvdnkb.sys 84480 bytes executable
c:\docume~1\HENKHE~1\LOCALS~1\Temp\ovfsthxfxhxidib000 0 bytes
c:\windows\system32\ovfsthxeewypfhq.dat 163075 bytes
c:\windows\system32\ovfsthxfmbsipwo.dat 43 bytes
c:\windows\system32\ovfsthxfpyvfdiv.dll 18944 bytes executable
c:\windows\system32\ovfsthxkumtagov.dll 18432 bytes executable
c:\windows\system32\ovfsthxwqwerxri.dll 60928 bytes executable

scan completed successfully
hidden files: 7

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ovfsthxfxhxidib]
"imagepath"="\systemroot\system32\drivers\ovfsthxarsvdnkb.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\75a30545]
"ImagePath"="\SystemRoot\System32\drivers\75a30545.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(768)
c:\documents and settings\All Users\Documenten\Settings\arm32.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\WRLogonNTF.dll

- - - - - - - > 'explorer.exe'(2936)
c:\windows\system32\msi.dll
.
Completion time: 2009-04-20 20:05
ComboFix-quarantined-files.txt 2009-04-20 18:05
ComboFix2.txt 2009-04-16 17:36

Pre-Run: 182.279.467.008 bytes free
Post-Run: 182.601.924.608 bytes free

215



kind regards
Walter

LoPhatPhuud
1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

QUOTE
KillAll::

File::
c:\windows\system32\laroheya.exe
c:\windows\system32\bulilufu.exe
c:\windows\system32\keradebu.exe
C:\msne.exe
c:\windows\system32\kafudera.exe
c:\windows\system32\ditetiro.exe
C:\rapef.exe
C:\Documents and Settings\All Users\Documenten\Settings\arm32.dll
c:\windows\system32\fetijonu.dll

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=-

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\arm32reg]


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
Walter
OK, thanks!

Here is the log.txt:

ComboFix 09-04-21.A8 - HenkHeleen 21-04-2009 20:24.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.31.1043.18.1023.616 [GMT 2:00]
Running from: c:\documents and settings\HenkHeleen\Bureaublad\ComboFix.exe
Command switches used :: c:\documents and settings\HenkHeleen\Bureaublad\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)

FILE ::
c:\documents and settings\All Users\Documenten\Settings\arm32.dll
C:\msne.exe
C:\rapef.exe
c:\windows\system32\bulilufu.exe
c:\windows\system32\ditetiro.exe
c:\windows\system32\fetijonu.dll
c:\windows\system32\kafudera.exe
c:\windows\system32\keradebu.exe
c:\windows\system32\laroheya.exe
.

(((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Documenten\Settings\arm32.dll
C:\msne.exe
C:\rapef.exe
c:\windows\system32\bulilufu.exe
c:\windows\system32\ditetiro.exe
c:\windows\system32\kafudera.exe
c:\windows\system32\keradebu.exe
c:\windows\system32\laroheya.exe

.
(((((((((((((((((((( Files Created from 2009-03-21 to 2009-04-21 ))))))))))))))))))))))))))))))
.

2009-04-15 22:41 . 2009-04-15 22:55 -------- d-----w C:\rsit
2009-04-15 22:08 . 2009-04-15 22:08 -------- d-----w c:\documents and settings\HenkHeleen\Application Data\Malwarebytes
2009-04-15 22:08 . 2009-04-06 13:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-15 22:08 . 2009-04-06 13:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-15 22:08 . 2009-04-15 22:08 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-15 20:13 . 2009-04-21 14:34 -------- d--h--w C:\$AVG8.VAULT$
2009-04-15 20:10 . 2009-04-15 20:10 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-04-15 20:10 . 2009-04-15 20:10 10520 ----a-w c:\windows\system32\avgrsstx.dll
2009-04-15 20:10 . 2009-04-15 20:10 325640 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-04-15 20:10 . 2009-04-21 16:43 -------- d-----w c:\windows\system32\drivers\Avg
2009-04-15 20:10 . 2009-04-21 15:00 -------- d-----w c:\documents and settings\HenkHeleen\Application Data\AVGTOOLBAR
2009-04-15 20:09 . 2009-04-17 16:42 -------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-04-11 06:45 . 2009-04-11 06:45 155 ----a-w c:\windows\system32\SelfDel.bat
2009-04-11 06:30 . 2009-04-21 18:29 109010 ----a-w c:\windows\system32\drivers\75a30545.sys
2009-04-10 17:21 . 2009-04-10 17:21 -------- d-----w c:\documents and settings\Lennart Jan\Local Settings\Application Data\Google
2009-03-31 18:11 . 2008-05-26 20:00 230912 ----a-w c:\windows\system32\CNMLM9E.DLL

.
((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-21 18:27 . 2006-12-15 14:14 -------- d-----w c:\documents and settings\HenkHeleen\Application Data\OpenOffice.org2
2009-04-21 17:25 . 2006-12-28 14:59 244 ---ha-w C:\sqmnoopt19.sqm
2009-04-21 17:25 . 2006-12-20 17:46 268 ---ha-w C:\sqmdata01.sqm
2009-04-21 14:47 . 2007-09-20 15:14 -------- d-----w c:\program files\CompuServe 6.0a
2009-04-20 15:30 . 2006-12-28 14:57 244 ---ha-w C:\sqmnoopt18.sqm
2009-04-20 15:30 . 2006-12-20 16:34 268 ---ha-w C:\sqmdata00.sqm
2009-04-20 15:24 . 2006-12-28 14:59 268 ---ha-w C:\sqmdata19.sqm
2009-04-20 15:24 . 2006-12-21 18:21 244 ---ha-w C:\sqmnoopt17.sqm
2009-04-20 14:06 . 2006-12-28 14:57 268 ---ha-w C:\sqmdata18.sqm
2009-04-20 14:06 . 2006-12-21 18:17 244 ---ha-w C:\sqmnoopt16.sqm
2009-04-19 17:19 . 2006-12-21 18:21 268 ---ha-w C:\sqmdata17.sqm
2009-04-19 17:19 . 2006-12-21 18:12 244 ---ha-w C:\sqmnoopt15.sqm
2009-04-19 12:44 . 2006-12-21 18:17 268 ---ha-w C:\sqmdata16.sqm
2009-04-19 12:44 . 2006-12-21 18:11 244 ---ha-w C:\sqmnoopt14.sqm
2009-04-19 11:07 . 2006-12-21 18:12 268 ---ha-w C:\sqmdata15.sqm
2009-04-19 11:07 . 2006-12-21 18:10 244 ---ha-w C:\sqmnoopt13.sqm
2009-04-17 19:26 . 2006-12-21 18:11 268 ---ha-w C:\sqmdata14.sqm
2009-04-17 19:26 . 2006-12-21 18:07 244 ---ha-w C:\sqmnoopt12.sqm
2009-04-17 17:39 . 2006-12-21 18:10 268 ---ha-w C:\sqmdata13.sqm
2009-04-17 17:39 . 2006-12-20 19:59 244 ---ha-w C:\sqmnoopt11.sqm
2009-04-17 16:39 . 2006-12-21 18:07 268 ---ha-w C:\sqmdata12.sqm
2009-04-17 16:39 . 2006-12-20 19:53 244 ---ha-w C:\sqmnoopt10.sqm
2009-04-16 17:37 . 2006-03-08 09:28 83124 ----a-w c:\windows\system32\perfc013.dat
2009-04-16 17:37 . 2006-03-08 09:28 470086 ----a-w c:\windows\system32\perfh013.dat
2009-04-15 22:55 . 2009-04-15 22:41 -------- d-----w c:\program files\trend micro
2009-04-15 22:08 . 2009-04-15 22:08 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-15 20:09 . 2009-04-15 20:09 -------- d-----w c:\program files\AVG
2009-04-10 17:22 . 2006-12-20 19:59 268 ---ha-w C:\sqmdata11.sqm
2009-04-10 17:22 . 2006-12-20 19:39 244 ---ha-w C:\sqmnoopt09.sqm
2009-04-10 17:15 . 2006-09-14 15:08 29848 ----a-w c:\documents and settings\Lennart Jan\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-03 12:51 . 2006-12-20 19:53 268 ---ha-w C:\sqmdata10.sqm
2009-04-03 12:51 . 2006-12-20 19:20 244 ---ha-w C:\sqmnoopt08.sqm
2009-04-02 20:09 . 2006-12-20 19:39 268 ---ha-w C:\sqmdata09.sqm
2009-04-02 20:09 . 2006-12-20 18:31 244 ---ha-w C:\sqmnoopt07.sqm
2009-04-02 15:42 . 2006-12-20 19:20 268 ---ha-w C:\sqmdata08.sqm
2009-04-02 15:42 . 2006-12-20 18:30 244 ---ha-w C:\sqmnoopt06.sqm
2009-04-01 18:46 . 2006-12-20 18:31 232 ---ha-w C:\sqmdata07.sqm
2009-04-01 18:46 . 2006-12-20 18:12 244 ---ha-w C:\sqmnoopt05.sqm
2009-04-01 18:08 . 2006-12-20 18:30 232 ---ha-w C:\sqmdata06.sqm
2009-04-01 18:08 . 2006-12-20 18:05 244 ---ha-w C:\sqmnoopt04.sqm
2009-03-18 17:45 . 2006-12-20 18:12 268 ---ha-w C:\sqmdata05.sqm
2009-03-18 17:45 . 2006-12-20 17:46 244 ---ha-w C:\sqmnoopt03.sqm
2009-03-17 21:22 . 2006-12-20 18:05 268 ---ha-w C:\sqmdata04.sqm
2009-03-17 21:22 . 2006-12-20 17:46 244 ---ha-w C:\sqmnoopt02.sqm
2009-03-17 20:07 . 2006-12-20 17:46 244 ---ha-w C:\sqmnoopt01.sqm
2009-03-17 20:07 . 2006-12-20 17:46 232 ---ha-w C:\sqmdata02.sqm
2009-03-17 19:46 . 2006-12-20 17:46 232 ---ha-w C:\sqmdata03.sqm
2009-03-17 19:46 . 2006-12-20 16:34 244 ---ha-w C:\sqmnoopt00.sqm
2009-03-11 11:27 . 2006-12-15 14:10 -------- d-----w c:\documents and settings\HenkHeleen\Application Data\U3
2009-03-07 15:16 . 2009-03-07 15:16 -------- d-----w c:\program files\DivX
2009-03-03 17:27 . 2006-10-19 17:20 -------- d-----w c:\program files\EA SPORTS
2009-02-21 11:29 . 2009-02-20 14:49 -------- d-----w c:\program files\NOS
2009-02-21 11:29 . 2009-02-20 14:49 -------- d-----w c:\documents and settings\All Users\Application Data\NOS
2009-02-14 11:45 . 2006-09-09 08:02 29848 ----a-w c:\documents and settings\Reinier\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2008-11-08 14:54 . 2006-09-14 17:07 29848 ----a-w c:\documents and settings\HenkHeleen\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2008-10-04 17:43 . 2006-09-08 14:23 16624 ----a-w c:\documents and settings\Walter\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2008-04-12 08:10 . 2006-09-09 07:08 16624 ----a-w c:\documents and settings\Lydia\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2006-09-14 17:07 . 2006-09-14 17:07 133 ----a-w c:\documents and settings\HenkHeleen\Local Settings\Application Data\fusioncache.dat
2006-09-14 15:09 . 2006-09-14 15:08 134 ----a-w c:\documents and settings\Lennart Jan\Local Settings\Application Data\fusioncache.dat
2006-09-09 08:02 . 2006-09-09 08:02 130 ----a-w c:\documents and settings\Reinier\Local Settings\Application Data\fusioncache.dat
2006-09-09 07:08 . 2006-09-09 07:08 128 ----a-w c:\documents and settings\Lydia\Local Settings\Application Data\fusioncache.dat
2006-09-08 14:23 . 2006-09-08 14:23 129 ----a-w c:\documents and settings\Walter\Local Settings\Application Data\fusioncache.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-04-16_17.35.02 )))))))))))))))))))))))))))))))))))))))))
.
- 2006-03-08 09:28 . 2009-03-29 16:13 63860 c:\windows\system32\perfc009.dat
+ 2006-03-08 09:28 . 2009-04-16 17:37 63860 c:\windows\system32\perfc009.dat
+ 2006-03-08 16:00 . 2009-04-21 18:27 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2006-03-08 16:00 . 2009-04-16 17:31 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2006-03-08 16:00 . 2009-04-21 18:27 32768 c:\windows\system32\config\systemprofile\Local Settings\Geschiedenis\History.IE5\index.dat
- 2006-03-08 16:00 . 2009-04-16 17:31 32768 c:\windows\system32\config\systemprofile\Local Settings\Geschiedenis\History.IE5\index.dat
+ 2006-03-08 16:00 . 2009-04-21 18:27 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2006-03-08 16:00 . 2009-04-16 17:31 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2006-03-08 09:28 . 2009-04-16 17:37 405310 c:\windows\system32\perfh009.dat
- 2006-03-08 09:28 . 2009-03-29 16:13 405310 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legitimate default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"ISUSPM"="c:\documents and settings\All Users\Application Data\Macrovision\FLEXnet Connect\6\ISUSPM.exe" [2007-03-29 222128]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-02-25 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-12 45056]
"FaxCenterServer"="c:\program files\Lexmark Fax Solutions\fm3032.exe" [2005-07-12 299008]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-02-07 282624]
"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 53248]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2007-09-20 26112]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-04-15 1932568]
"Snelkoppeling naar eigenschappenvenster voor High Definition Audio"="HDAShCut.exe" - c:\windows\system32\HdAShCut.exe [2005-01-07 61952]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2006-01-24 86016]
"AlcWzrd"="ALCWZRD.EXE" - c:\windows\ALCWZRD.EXE [2006-01-24 2807808]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\Walter\Menu Start\Programma's\Opstarten\
OpenOffice.org 2.0 .lnk - c:\program files\OpenOffice.org 2.0\program\quickstart.exe [2006-1-25 61440]

c:\documents and settings\HenkHeleen\Menu Start\Programma's\Opstarten\
OpenOffice.org 2.0 .lnk - c:\program files\OpenOffice.org 2.0\program\quickstart.exe [2006-1-25 61440]

c:\documents and settings\All Users\Menu Start\Programma's\Opstarten\
CompuServe 6.0-werkbalkpictogram.lnk - c:\program files\CompuServe 6.0a\cstray.exe [2007-9-20 36935]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-04-15 20:10 10520 ----a-w c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\fetijonu.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"=

R2 CoachCap;FUJIFILM EX-10/EX-20 PC V1.00;c:\windows\system32\drivers\CoachCap.sys [2002-03-03 93068]
R3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\svcntaux.exe [2007-08-14 729416]
S1 avgldx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-04-15 325640]
S1 avgtdix;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-04-15 108552]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-04-15 908056]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-04-15 298264]
S2 PackethSvc;Virtual NIC Service;c:\windows\system32\PackethSvc.exe [2001-08-09 64512]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{48e15e94-2ce6-11dd-bdfc-00038a000011}]
\Shell\AutoRun\command - K:\StartVMCLite.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{48e15e95-2ce6-11dd-bdfc-00038a000011}]
\Shell\AutoRun\command - K:\StartVMCLite.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9768cd79-0020-11de-bf86-00038a000011}]
\shell\autorun\command - F:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2009-04-21 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2006-07-07 16:26]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.speeleiland.nl/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: E&xporteren naar Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Openen in een nieuwe achtergrondtab - c:\program files\Windows Live Toolbar\Components\nl-nl\msntabres.dll.mui/229?5825dc4c93ca40a5a5d044854f61a7a1
IE: Openen in een nieuwe voorgrondtab - c:\program files\Windows Live Toolbar\Components\nl-nl\msntabres.dll.mui/230?5825dc4c93ca40a5a5d044854f61a7a1
TCP: {8C4954F9-58DB-4814-9D3F-F608AE16CC63} = 192.168.1.254
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-21 20:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\drivers\ovfsthxarsvdnkb.sys 84480 bytes executable
c:\docume~1\HENKHE~1\LOCALS~1\Temp\ovfsthxfxhxidib000 0 bytes
c:\windows\system32\ovfsthxeewypfhq.dat 200362 bytes
c:\windows\system32\ovfsthxfmbsipwo.dat 43 bytes
c:\windows\system32\ovfsthxfpyvfdiv.dll 18944 bytes executable
c:\windows\system32\ovfsthxkumtagov.dll 18432 bytes executable
c:\windows\system32\ovfsthxwqwerxri.dll 60928 bytes executable

scan completed successfully
hidden files: 7

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ovfsthxfxhxidib]
"imagepath"="\systemroot\system32\drivers\ovfsthxarsvdnkb.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\75a30545]
"ImagePath"="\SystemRoot\System32\drivers\75a30545.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(772)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\WRLogonNTF.dll

- - - - - - - > 'explorer.exe'(3064)
c:\windows\system32\msi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\AVG\AVG8\avgtray.exe
c:\program files\OpenOffice.org 2.0\program\soffice.exe
c:\program files\OpenOffice.org 2.0\program\soffice.bin
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Webroot\Spy Sweeper\SpySweeper.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-04-21 20:30 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-21 18:30
ComboFix2.txt 2009-04-20 18:05
ComboFix3.txt 2009-04-16 17:36

Pre-Run: 182.288.760.832 bytes free
Post-Run: 182.581.563.392 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-NLD.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

249

kind regards,
Walter Reitsma
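A check worth running on a log like the one above, added here as an example in Python (it is not part of the original thread and not a ComboFix feature): compare the File:: list that was fed in against what the resulting log reports. ComboFix echoes the script's entries under "FILE ::", lists what it actually removed under "Other Deletions" ("Andere Verwijderingen" in a Dutch install) and prints the live AppInit_DLLs value under "Reg Loading Points" ("Reg Opstartpunten"). In the log above, fetijonu.dll is in the FILE :: list but absent from the deletions, and AppInit_DLLs still points at it; a DLL loaded into every user32-linked process through AppInit_DLLs is in use until the value is cleared and the machine rebooted, so this is exactly the kind of leftover a second pass has to catch. The sample log is a constructed excerpt of the post above; both the Dutch and the English banner names are accepted.

```python
import re

# Constructed excerpt of the ComboFix log posted above, reduced to the
# sections this check reads. Dutch banner names as printed by a Dutch
# ComboFix install; the English equivalents are matched as well.
SAMPLE_LOG = r"""
FILE ::
c:\documents and settings\All Users\Documenten\Settings\arm32.dll
C:\msne.exe
c:\windows\system32\fetijonu.dll
c:\windows\system32\laroheya.exe
.

(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Documenten\Settings\arm32.dll
C:\msne.exe
c:\windows\system32\laroheya.exe

.
((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
.
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\fetijonu.dll
"""

BANNER = re.compile(r"^\({3,}\s*(.+?)\s*\){3,}$")   # (((( Section Name ))))
DELETIONS = ("Other Deletions", "Andere Verwijderingen")
LOADING_POINTS = ("Reg Loading Points", "Reg Opstartpunten")


def split_sections(log):
    """Map each section header to the non-empty lines below it. ComboFix
    pads sections with lone '.' lines; those are dropped."""
    sections, current = {}, None
    for raw in log.splitlines():
        line = raw.strip()
        banner = BANNER.match(line)
        if banner or line == "FILE ::":
            current = banner.group(1) if banner else "FILE ::"
            sections[current] = []
        elif current is not None and line not in ("", "."):
            sections[current].append(line)
    return sections


def _section(sections, names):
    """First section present under any of the given (localised) names."""
    for name in names:
        if name in sections:
            return sections[name]
    return []


def undeleted_files(log):
    """File:: entries the script asked for that ComboFix did not report
    under Other Deletions (paths compared case-insensitively)."""
    sections = split_sections(log)
    removed = {p.lower() for p in _section(sections, DELETIONS)}
    return [p for p in _section(sections, ("FILE ::",)) if p.lower() not in removed]


def appinit_dlls(log):
    """The AppInit_DLLs value still listed after the run, or None if clear."""
    for line in _section(split_sections(log), LOADING_POINTS):
        m = re.match(r'"AppInit_DLLs"=(.*)$', line)
        if m:
            return m.group(1).strip() or None
    return None


if __name__ == "__main__":
    for path in undeleted_files(SAMPLE_LOG):
        print("not deleted:", path)
    print("AppInit_DLLs still set to:", appinit_dlls(SAMPLE_LOG))
```

Run it against the real ComboFix.txt instead of SAMPLE_LOG and anything it prints belongs in the next CFScript; an empty result and `None` for AppInit_DLLs is what a clean pass looks like.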
LoPhatPhuud
I want to check out the possible rootkits before continuing.


Please download RootKitRevealer from here:
http://technet.microsoft.com/en-us/sysinte...s/bb897445.aspx

Unzip it to the desktop, run it, and click Scan.
This will generate a log file; please post the entire contents of the log file here for me to see.
Walter
Thanks for your help. Here is the log file:
HKLM\SECURITY\Policy\Secrets\SAC* 8-3-2006 17:14 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 8-3-2006 17:14 0 bytes Key name contains embedded nulls (*)
HKLM\SYSTEM\ControlSet001\Services\75a30545 23-4-2009 17:37 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Services\ovfsthxfxhxidib 23-4-2009 17:37 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet003\Services\75a30545 23-4-2009 17:37 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet003\Services\ovfsthxfxhxidib 23-4-2009 17:37 0 bytes Hidden from Windows API.
C: 1-1-1601 2:00 0 bytes Error mounting volume

kind regards,
Walter
LoPhatPhuud
1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

QUOTE
KillAll::

File::
c:\windows\system32\drivers\75a30545.sys
c:\windows\system32\drivers\ovfsthxarsvdnkb.sys
c:\docume~1\HENKHE~1\LOCALS~1\Temp\ovfsthxfxhxidib000
c:\windows\system32\ovfsthxeewypfhq.dat
c:\windows\system32\ovfsthxfmbsipwo.dat
c:\windows\system32\ovfsthxfpyvfdiv.dll
c:\windows\system32\ovfsthxkumtagov.dll
c:\windows\system32\ovfsthxwqwerxri.dll

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ovfsthxfxhxidib]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\75a30545]


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
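The two CFScripts in this thread were written by hand from the catchme hidden-file list and the RootkitRevealer output. The script below, added as an example (Python, not part of the original posts and not a ComboFix or Sysinternals tool), automates the triage and the mapping: it sorts RootkitRevealer lines into service keys "Hidden from Windows API", the embedded-null entries under HKLM\SECURITY\Policy\Secrets that RootkitRevealer reports on clean systems as well, and scan errors such as "Error mounting volume"; it takes the hidden file paths from the catchme section; and it emits a CFScript with File:: and Registry:: blocks. One deliberate difference from the script above: the AppInit_DLLs value is cleared with `"AppInit_DLLs"=-` rather than deleting the whole `...\Windows NT\CurrentVersion\Windows` key, because that key is a stock part of Windows that holds other values. Both sample inputs are constructed excerpts of the logs posted earlier in this thread.

```python
import re

# Constructed excerpt of the RootkitRevealer log posted above.
RKR_LOG = r"""
HKLM\SECURITY\Policy\Secrets\SAC* 8-3-2006 17:14 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 8-3-2006 17:14 0 bytes Key name contains embedded nulls (*)
HKLM\SYSTEM\ControlSet001\Services\75a30545 23-4-2009 17:37 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Services\ovfsthxfxhxidib 23-4-2009 17:37 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet003\Services\75a30545 23-4-2009 17:37 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet003\Services\ovfsthxfxhxidib 23-4-2009 17:37 0 bytes Hidden from Windows API.
C: 1-1-1601 2:00 0 bytes Error mounting volume
"""

# Constructed excerpt of the catchme "hidden files" section of the ComboFix log.
CATCHME_HIDDEN = r"""
c:\windows\system32\drivers\ovfsthxarsvdnkb.sys 84480 bytes executable
c:\docume~1\HENKHE~1\LOCALS~1\Temp\ovfsthxfxhxidib000 0 bytes
c:\windows\system32\ovfsthxeewypfhq.dat 200362 bytes
c:\windows\system32\ovfsthxfpyvfdiv.dll 18944 bytes executable
"""

# path, "d-m-yyyy h:mm", "<n> bytes", description
RKR_LINE = re.compile(
    r"^(?P<path>.+?)\s+(?P<stamp>\d{1,2}-\d{1,2}-\d{4} \d{1,2}:\d{2})\s+"
    r"(?P<size>\d+) bytes\s+(?P<desc>.+?)\s*$")
CATCHME_LINE = re.compile(r"^(?P<path>.+?)\s+\d+ bytes(\s+executable)?\s*$")


def triage_rkr(log):
    """Sort RootkitRevealer lines into hidden service keys, known-benign
    entries and scan errors; anything unrecognised lands in 'other'."""
    result = {"hidden_services": [], "benign": [], "errors": [], "other": []}
    for line in log.splitlines():
        m = RKR_LINE.match(line.strip())
        if not m:
            continue
        path, desc = m["path"], m["desc"]
        if desc.startswith("Hidden from Windows API") and re.search(r"\\Services\\[^\\]+$", path):
            result["hidden_services"].append(path)
        elif "embedded nulls" in desc and path.upper().startswith(r"HKLM\SECURITY\POLICY\SECRETS"):
            result["benign"].append(path)      # standard Windows artefact, not a rootkit
        elif desc.startswith("Error"):
            result["errors"].append(path)      # scan problem, not a hidden object
        else:
            result["other"].append(path)       # needs a human look
    return result


def catchme_hidden_files(block):
    """Take the path from each 'path <n> bytes [executable]' catchme line."""
    return [m["path"] for m in (CATCHME_LINE.match(l.strip()) for l in block.splitlines()) if m]


def build_cfscript(hidden_files, hidden_service_paths, clear_appinit=True):
    """Emit a CFScript: File:: for the hidden files, Registry:: deleting only
    the malware's own service keys (every control set RKR saw), and the
    AppInit_DLLs value cleared in place instead of deleting its parent key."""
    lines = ["KillAll::", "", "File::", *hidden_files, "", "Registry::"]
    if clear_appinit:
        lines += [r"[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]",
                  '"AppInit_DLLs"=-', ""]
    for path in hidden_service_paths:
        lines.append("[-" + path.replace("HKLM\\", "HKEY_LOCAL_MACHINE\\", 1) + "]")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    findings = triage_rkr(RKR_LOG)
    print(build_cfscript(catchme_hidden_files(CATCHME_HIDDEN), findings["hidden_services"]))
```

Anything that ends up in `other` should be looked at by hand before it goes anywhere near a File:: block; the generated text is still a deletion script and deserves the same review as a hand-written one.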
Walter
Here's the log.txt:

ComboFix 09-04-30.05 - HenkHeleen 01-05-2009 11:17.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.31.1043.18.1023.592 [GMT 2:00]
Running from: c:\documents and settings\HenkHeleen\Bureaublad\ComboFix.exe
Command switches used :: c:\documents and settings\HenkHeleen\Bureaublad\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)

FILE ::
c:\docume~1\HENKHE~1\LOCALS~1\Temp\ovfsthxfxhxidib000
c:\windows\system32\drivers\75a30545.sys
c:\windows\system32\drivers\ovfsthxarsvdnkb.sys
c:\windows\system32\ovfsthxeewypfhq.dat
c:\windows\system32\ovfsthxfmbsipwo.dat
c:\windows\system32\ovfsthxfpyvfdiv.dll
c:\windows\system32\ovfsthxkumtagov.dll
c:\windows\system32\ovfsthxwqwerxri.dll
.

(((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\HENKHE~1\LOCALS~1\Temp\ovfsthxfxhxidib000
c:\windows\system32\drivers\75a30545.sys
c:\windows\system32\drivers\ovfsthxarsvdnkb.sys
c:\windows\system32\ovfsthxeewypfhq.dat
c:\windows\system32\ovfsthxfmbsipwo.dat
c:\windows\system32\ovfsthxfpyvfdiv.dll
c:\windows\system32\ovfsthxkumtagov.dll
c:\windows\system32\ovfsthxwqwerxri.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_75a30545
-------\Service_ovfsthxfxhxidib


(((((((((((((((((((( Files Created from 2009-04-01 to 2009-05-01 ))))))))))))))))))))))))))))))
.

2009-04-22 15:43 . 2009-04-22 15:43 -------- d-----r c:\documents and settings\LocalService\Mijn documenten
2009-04-22 15:42 . 2009-04-22 15:42 -------- d--h--r c:\documents and settings\LocalService\Onlangs geopend
2009-04-15 22:41 . 2009-04-15 22:55 -------- d-----w c:\program files\trend micro
2009-04-15 22:41 . 2009-04-15 22:55 -------- d-----w C:\rsit
2009-04-15 22:08 . 2009-04-15 22:08 -------- d-----w c:\documents and settings\HenkHeleen\Application Data\Malwarebytes
2009-04-15 22:08 . 2009-04-06 13:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-15 22:08 . 2009-04-06 13:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-15 22:08 . 2009-04-15 22:08 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-15 22:08 . 2009-04-15 22:08 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-15 20:13 . 2009-04-22 14:35 -------- d--h--w C:\$AVG8.VAULT$
2009-04-15 20:10 . 2009-04-15 20:10 10520 ----a-w c:\windows\system32\avgrsstx.dll
2009-04-15 20:10 . 2009-04-15 20:10 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-04-15 20:10 . 2009-04-15 20:10 325640 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-04-15 20:10 . 2009-04-30 21:19 -------- d-----w c:\windows\system32\drivers\Avg
2009-04-15 20:10 . 2009-04-21 15:00 -------- d-----w c:\documents and settings\HenkHeleen\Application Data\AVGTOOLBAR
2009-04-15 20:09 . 2009-04-15 20:09 -------- d-----w c:\program files\AVG
2009-04-15 20:09 . 2009-04-17 16:42 -------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-04-11 06:45 . 2009-04-11 06:45 155 ----a-w c:\windows\system32\SelfDel.bat
2009-04-10 17:21 . 2009-04-10 17:21 -------- d-----w c:\documents and settings\Lennart Jan\Local Settings\Application Data\Google

.
((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-01 07:21 . 2007-09-20 15:14 -------- d-----w c:\program files\CompuServe 6.0a
2009-04-23 13:13 . 2009-02-20 14:50 -------- d-----w c:\program files\Google
2009-04-16 17:37 . 2006-03-08 09:28 83124 ----a-w c:\windows\system32\perfc013.dat
2009-04-16 17:37 . 2006-03-08 09:28 470086 ----a-w c:\windows\system32\perfh013.dat
2009-04-10 17:15 . 2006-09-14 15:08 29848 ----a-w c:\documents and settings\Lennart Jan\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-07 15:16 . 2009-03-07 15:16 -------- d-----w c:\program files\DivX
2009-03-03 17:27 . 2006-10-19 17:20 -------- d-----w c:\program files\EA SPORTS
2009-02-14 11:45 . 2006-09-09 08:02 29848 ----a-w c:\documents and settings\Reinier\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((( SnapShot@2009-04-16_17.35.02 )))))))))))))))))))))))))))))))))))))))))
.
- 2006-03-08 09:28 . 2009-03-29 16:13 63860 c:\windows\system32\perfc009.dat
+ 2006-03-08 09:28 . 2009-04-16 17:37 63860 c:\windows\system32\perfc009.dat
+ 2006-03-08 14:59 . 2004-08-04 12:00 19429 c:\windows\system32\MsDtc\Trace\msdtcvtr.bat
+ 2006-03-08 16:00 . 2009-05-01 05:49 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2006-03-08 16:00 . 2009-04-16 17:31 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2006-03-08 16:00 . 2009-05-01 05:49 32768 c:\windows\system32\config\systemprofile\Local Settings\Geschiedenis\History.IE5\index.dat
- 2006-03-08 16:00 . 2009-04-16 17:31 32768 c:\windows\system32\config\systemprofile\Local Settings\Geschiedenis\History.IE5\index.dat
+ 2006-03-08 16:00 . 2009-05-01 05:49 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2006-03-08 16:00 . 2009-04-16 17:31 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2006-03-08 09:25 . 2004-08-04 12:00 2589 c:\windows\I386\RUNW32.BAT
+ 2006-03-08 09:28 . 2009-04-16 17:37 405310 c:\windows\system32\perfh009.dat
- 2006-03-08 09:28 . 2009-03-29 16:13 405310 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"ISUSPM"="c:\documents and settings\All Users\Application Data\Macrovision\FLEXnet Connect\6\ISUSPM.exe" [2007-03-29 222128]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-02-25 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-12 45056]
"FaxCenterServer"="c:\program files\Lexmark Fax Solutions\fm3032.exe" [2005-07-12 299008]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-02-07 282624]
"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 53248]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2007-09-20 26112]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-04-15 1932568]
"Snelkoppeling naar eigenschappenvenster voor High Definition Audio"="HDAShCut.exe" - c:\windows\system32\HdAShCut.exe [2005-01-07 61952]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2006-01-24 86016]
"AlcWzrd"="ALCWZRD.EXE" - c:\windows\ALCWZRD.EXE [2006-01-24 2807808]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\Walter\Menu Start\Programma's\Opstarten\
OpenOffice.org 2.0 .lnk - c:\program files\OpenOffice.org 2.0\program\quickstart.exe [2006-1-25 61440]

c:\documents and settings\HenkHeleen\Menu Start\Programma's\Opstarten\
OpenOffice.org 2.0 .lnk - c:\program files\OpenOffice.org 2.0\program\quickstart.exe [2006-1-25 61440]

c:\documents and settings\All Users\Menu Start\Programma's\Opstarten\
CompuServe 6.0-werkbalkpictogram.lnk - c:\program files\CompuServe 6.0a\cstray.exe [2007-9-20 36935]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-04-15 20:10 10520 ----a-w c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{48e15e94-2ce6-11dd-bdfc-00038a000011}]
\Shell\AutoRun\command - K:\StartVMCLite.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{48e15e95-2ce6-11dd-bdfc-00038a000011}]
\Shell\AutoRun\command - K:\StartVMCLite.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9768cd79-0020-11de-bf86-00038a000011}]
\shell\autorun\command - F:\LaunchU3.exe -a
.
Inhoud van de 'Gedeelde Taken' map

2009-05-01 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2006-07-07 16:26]
.
.
------- Bijkomende Scan -------
.
uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: E&xporteren naar Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Openen in een nieuwe achtergrondtab - c:\program files\Windows Live Toolbar\Components\nl-nl\msntabres.dll.mui/229?5825dc4c93ca40a5a5d044854f61a7a1
IE: Openen in een nieuwe voorgrondtab - c:\program files\Windows Live Toolbar\Components\nl-nl\msntabres.dll.mui/230?5825dc4c93ca40a5a5d044854f61a7a1
TCP: {8C4954F9-58DB-4814-9D3F-F608AE16CC63} = 192.168.1.254
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-01 11:22
Windows 5.1.2600 Service Pack 2 NTFS

scannen van verborgen processen ...

scannen van verborgen autostart items ...

scannen van verborgen bestanden ...

Scan succesvol afgerond
verborgen bestanden: 0

**************************************************************************
.
--------------------- DLLs Geladen Onder Lopende Processen ---------------------

- - - - - - - > 'winlogon.exe'(760)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\WRLogonNTF.dll

- - - - - - - > 'explorer.exe'(656)
c:\windows\system32\msi.dll
.
------------------------ Andere Aktieve Processen ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\AVG\AVG8\avgtray.exe
c:\program files\OpenOffice.org 2.0\program\soffice.exe
c:\program files\OpenOffice.org 2.0\program\soffice.bin
c:\windows\system32\PackethSvc.exe
c:\progra~1\AVG\AVG8\avgwdsvc.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Webroot\Spy Sweeper\SpySweeper.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\progra~1\AVG\AVG8\avgemc.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Voltooingstijd: 2009-05-01 11:24 - machine werd herstart
ComboFix-quarantined-files.txt 2009-05-01 09:24
ComboFix2.txt 2009-04-21 18:30
ComboFix3.txt 2009-04-20 18:05
ComboFix4.txt 2009-04-16 17:36

Pre-Run: 181.746.573.312 bytes beschikbaar
Post-Run: 182.586.834.944 bytes beschikbaar

182

kind regards,
Walter
LoPhatPhuud
Looks good from here. Any issues still outstanding?
Walter
Hello,

Thanks, I just scanned my computer with AVG ANTI-VIRUS Free Edition. But it found again 5 Trojan horses and 5 tracking cookies, it healed them too. Do I have a problem? Are there also viruses which are not scanned? How is this possible? What do I have to do?

Kind Regards,
Walter
LoPhatPhuud
The tracking cookies are of little concern since you can control cookies in your browser. The trojans are another story. Your system was clean at my last post.

If you have the AVG log file, please copy and paste it into your next response. I am concerned whether the same files are back, or if they are new ones.
Walter
Before the scan, 2 earlier scheduled scans were interrupted. Here's the first scheduled scan:

"Scan ""Scheduled scan"" was finished."
"No infection was found during this scan"
"Folders selected for scanning:";"Scan whole computer"
"Scan started:";"donderdag 23 april 2009, 16:00:01"
"Scan finished:";"donderdag 23 april 2009, 16:14:34 (14 minute(s) 33 second(s))"
"Total object scanned:";"200207"
"User who launched the scan:";"SYSTEM"

"Warnings"
"File";"Infection";"Result"
"C:\Documents and Settings\HenkHeleen\Cookies\henkheleen@m.webtrends[2].txt";"Found Tracking cookie.Webtrends";"Moved to Virus Vault"
"C:\Documents and Settings\HenkHeleen\Cookies\henkheleen@m.webtrends[2].txt:\m.webtrends.com.b4ca7df0";"Found Tracking cookie.Webtrends";"Moved to Virus Vault"
"C:\Documents and Settings\HenkHeleen\Cookies\henkheleen@revsci[2].txt";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
"C:\Documents and Settings\HenkHeleen\Cookies\henkheleen@revsci[2].txt:\revsci.net.44927ec";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
"C:\Documents and Settings\HenkHeleen\Cookies\henkheleen@revsci[2].txt:\revsci.net.2df99d79";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
"C:\Documents and Settings\HenkHeleen\Cookies\henkheleen@revsci[2].txt:\revsci.net.976b899a";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
"C:\Documents and Settings\HenkHeleen\Cookies\henkheleen@revsci[2].txt:\revsci.net.b456e21f";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
"C:\Documents and Settings\HenkHeleen\Cookies\henkheleen@revsci[2].txt:\revsci.net.e9dbeb91";"Found Tracking cookie.Revsci";"Moved to Virus Vault"

Here's the second scheduled scan:


"Scan ""Scheduled scan"" was finished."
"Warnings";"7"
"Folders selected for scanning:";"Scan whole computer"
"Scan started:";"vrijdag 24 april 2009, 16:00:01"
"Scan finished:";"vrijdag 24 april 2009, 16:00:01"
"Total object scanned:";"0"
"User who launched the scan:";"SYSTEM"

"Warnings"
"File";"Infection";"Result"
"C:\Documents and Settings\HenkHeleen\Cookies\henkheleen@revsci[2].txt";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
"C:\Documents and Settings\HenkHeleen\Cookies\henkheleen@revsci[2].txt:\revsci.net.2df99d79";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
"C:\Documents and Settings\HenkHeleen\Cookies\henkheleen@revsci[2].txt:\revsci.net.44927ec";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
"C:\Documents and Settings\HenkHeleen\Cookies\henkheleen@revsci[2].txt:\revsci.net.976b899a";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
"C:\Documents and Settings\HenkHeleen\Cookies\henkheleen@revsci[2].txt:\revsci.net.e9dbeb91";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
"C:\Documents and Settings\HenkHeleen\Cookies\henkheleen@weborama[1].txt";"Found Tracking cookie.Weborama";"Moved to Virus Vault"
"C:\Documents and Settings\HenkHeleen\Cookies\henkheleen@weborama[1].txt:\weborama.fr.30104bcb";"Found Tracking cookie.Weborama";"Moved to Virus Vault"



Here is the last scan, done a short time ago (1 hour), with the five trojans:

"Scan ""Scan whole computer"" was finished."
"Infections";"5";"5";"0"
"Folders selected for scanning:";"Scan whole computer"
"Scan started:";"zaterdag 2 mei 2009, 17:36:03"
"Scan finished:";"zaterdag 2 mei 2009, 18:12:57 (36 minute(s) 54 second(s))"
"Total object scanned:";"333864"
"User who launched the scan:";"HenkHeleen"

"Infections"
"File";"Infection";"Result"
"C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\_75a30545_.sys.zip";"Trojan horse BackDoor.Generic11.JKF";"Moved to Virus Vault"
"C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\_75a30545_.sys.zip:\75a30545.sys";"Trojan horse BackDoor.Generic11.JKF";"Moved to Virus Vault"
"C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\_ovfsthxarsvdnkb_.sys.zip";"Trojan horse Rootkit-Pakes.A";"Moved to Virus Vault"
"C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\_ovfsthxarsvdnkb_.sys.zip:\ovfsthxarsvdnkb.sys";"Trojan horse Rootkit-Pakes.A";"Moved to Virus Vault"
"C:\System Volume Information\_restore{1832CE7B-F4D2-49EB-9527-7020B918F43B}\RP250\A1120554.sys";"Trojan horse BackDoor.Generic11.JKF";"Moved to Virus Vault"

"Warnings"
"File";"Infection";"Result"
"C:\Documents and Settings\HenkHeleen\Cookies\henkheleen@revsci[2].txt";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
"C:\Documents and Settings\HenkHeleen\Cookies\henkheleen@revsci[2].txt:\revsci.net.2df99d79";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
"C:\Documents and Settings\HenkHeleen\Cookies\henkheleen@revsci[2].txt:\revsci.net.44927ec";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
"C:\Documents and Settings\HenkHeleen\Cookies\henkheleen@revsci[2].txt:\revsci.net.976b899a";"Found Tracking cookie.Revsci";"Moved to Virus Vault"
"C:\Documents and Settings\HenkHeleen\Cookies\henkheleen@revsci[2].txt:\revsci.net.e9dbeb91";"Found Tracking cookie.Revsci";"Moved to Virus Vault"

kind regards,
Walter



LoPhatPhuud
You're OK. It was detecting files in ComboFix's quarantine folder.

You can remove ComboFix with the following instructions.

Click Start, then click Run.
Enter into the command box that opens: combofix /u and then click OK.
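The point LoPhatPhuud makes above is a common triage step: an antivirus rescan will happily flag files that another tool has already isolated in its quarantine folder (here C:\Qoobox\Quarantine) or that survive only inside a System Restore snapshot, and it counts tracking cookies as "warnings". The script below is an added example, not code from this thread, from AVG or from ComboFix; it parses an AVG-style semicolon-separated report and separates live detections from quarantine re-detections, restore-point copies and cookies, and it also flags a scheduled scan that scanned zero objects (the interrupted-scan pattern in the second log). The sample report text and the list of quarantine path prefixes are constructed assumptions that mirror the format pasted in the thread.

```python
"""Triage an AVG-style CSV scan report (added example; not from the thread).

Report lines look like  "File";"Infection";"Result"  with doubled quotes
inside quoted fields.  The samples below are constructed to mirror that format.
"""
import csv
import io
from dataclasses import dataclass, field

# Assumed list: paths under which a detection is a rescan of an already
# isolated artifact rather than an active infection. Extend for other tools.
QUARANTINE_PREFIXES = (
    r"c:\qoobox\quarantine",                    # ComboFix's own quarantine
    r"c:\system volume information\_restore",   # System Restore snapshots
)

# Constructed sample in the thread's format (placeholder names, not real IoCs).
SAMPLE_REPORT = r'''"Scan ""Scan whole computer"" was finished."
"Infections";"4";"4";"0"
"Scan started:";"zaterdag 2 mei 2009, 17:36:03"
"Scan finished:";"zaterdag 2 mei 2009, 18:12:57 (36 minute(s) 54 second(s))"
"Total object scanned:";"333864"

"Infections"
"File";"Infection";"Result"
"C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\_example_.sys.zip";"Trojan horse Example.A";"Moved to Virus Vault"
"C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\_example_.sys.zip:\example.sys";"Trojan horse Example.A";"Moved to Virus Vault"
"C:\System Volume Information\_restore{PLACEHOLDER-GUID}\RP1\A0000001.sys";"Trojan horse Example.A";"Moved to Virus Vault"
"C:\WINDOWS\system32\drivers\example.sys";"Trojan horse Example.A";"Moved to Virus Vault"

"Warnings"
"File";"Infection";"Result"
"C:\Documents and Settings\User\Cookies\user@example[1].txt";"Found Tracking cookie.Example";"Moved to Virus Vault"
'''

# Constructed sample of a scheduled scan that never really ran.
INTERRUPTED_REPORT = '''"Scan ""Scheduled scan"" was finished."
"Warnings";"0"
"Scan started:";"vrijdag 24 april 2009, 16:00:01"
"Scan finished:";"vrijdag 24 april 2009, 16:00:01"
"Total object scanned:";"0"
'''


@dataclass
class Finding:
    path: str
    infection: str
    result: str
    section: str    # "Infections" or "Warnings", as labelled by the report
    category: str   # "live", "quarantined_artifact" or "cookie"


@dataclass
class ScanSummary:
    started: str = ""
    finished: str = ""
    objects_scanned: int = 0
    findings: list = field(default_factory=list)

    @property
    def interrupted(self) -> bool:
        # A whole-computer scan that examined nothing did not complete.
        return self.objects_scanned == 0

    def by_category(self, category: str) -> list:
        return [f for f in self.findings if f.category == category]


def classify(path: str, infection: str, section: str) -> str:
    """Decide whether a report row needs action or is noise."""
    if section == "Warnings" and "tracking cookie" in infection.lower():
        return "cookie"
    if path.lower().startswith(QUARANTINE_PREFIXES):
        return "quarantined_artifact"
    return "live"


def parse_report(text: str) -> ScanSummary:
    summary = ScanSummary()
    section = ""
    # csv handles the "" escaping used inside quoted fields.
    for row in csv.reader(io.StringIO(text), delimiter=";", quotechar='"'):
        if not row:
            continue
        if len(row) == 1:               # bare section label such as "Infections"
            if row[0] in ("Infections", "Warnings"):
                section = row[0]
            continue
        key = row[0]
        if key == "Scan started:":
            summary.started = row[1]
        elif key == "Scan finished:":
            summary.finished = row[1]
        elif key == "Total object scanned:":
            summary.objects_scanned = int(row[1])
        elif len(row) == 3 and section and key != "File":
            path, infection, result = row
            summary.findings.append(
                Finding(path, infection, result, section,
                        classify(path, infection, section)))
    return summary


if __name__ == "__main__":
    s = parse_report(SAMPLE_REPORT)
    print(f"scanned {s.objects_scanned} objects; interrupted={s.interrupted}")
    for cat in ("live", "quarantined_artifact", "cookie"):
        for f in s.by_category(cat):
            print(f"[{cat}] {f.infection}: {f.path}")
```

Only the "live" bucket calls for a new cleanup round; everything under the quarantine prefixes goes away once ComboFix is uninstalled (combofix /u also clears the Qoobox folder) and restore points are flushed, and cookies are a browser-settings matter, as the reply above says.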
Invision Power Board © 2001-2009 Invision Power Services, Inc.