Old 05-07-2008, 07:34 AM   #1 (permalink)
Registered User
 
Join Date: May 2008
Posts: 10
OS: Windows XP Service Pack 2


POP-UP problems and some other IE problems

I've got some problems with pop-ups. After using several spyware programs I want to kill this spyware.
Spybot S&D said it is Virtumonde.dll.
I removed these .dll's in safe mode. But they are back again. So please help me.
My other problem is that when I click on a link in IE the link opens about a hundred times.
Please help me with these two problems!

Deckard's System Scanner v20071014.68
Run by Bas Nijssen on 2008-05-07 16:21:51
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Unable to create WMI object; De bewerking is voltooid.


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 256 MiB (512 MiB recommended).


-- HijackThis (run as Bas Nijssen.exe) -----------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:23:52, on 7-5-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\Program Files\Sophos\Remote Management System\RouterNT.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Thomson SpeedTouch\SpeedTouch 120g Wireless USB Monitor\PRISMSVR.EXE
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Program Files\Thomson SpeedTouch\SpeedTouch 120g Wireless USB Monitor\st120g.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Documents and Settings\Bas Nijssen\Local Settings\Temporary Internet Files\Content.IE5\9SCEWGPF\dss[1].exe
E:\HIJACK~1\Bas Nijssen.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: (no name) - {07CE6734-B4AE-494D-B1B6-4E7DC05EB5C7} - (no file)
O2 - BHO: (no name) - {51E85E29-F64C-4C83-8725-13A732820719} - C:\WINDOWS\system32\fccdbXqo.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {53FE12C2-4429-488F-847B-7B285F8F6778} - C:\WINDOWS\system32\nnnmmNgD.dll
O2 - BHO: (no name) - {66907894-F312-45B7-A9CB-C6D9C75008A2} - C:\WINDOWS\system32\geBqOIAQ.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Aanmelden - Help - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {D85F337C-4C9A-4305-B03F-86E2F06364C3} - C:\WINDOWS\system32\cbXRLdBU.dll (file missing)
O2 - BHO: {c29e0fe6-f24d-4f4a-efe4-5f0db4a982ed} - {de289a4b-d0f5-4efe-a4f4-d42f6ef0e92c} - C:\WINDOWS\system32\vadrxuuh.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\Program Files\Thomson SpeedTouch\SpeedTouch 120g Wireless USB Monitor\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Hitman Pro Expiration Helper] "C:\Program Files\Hitman Pro\xphelper.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [BM2b536e44] Rundll32.exe "C:\WINDOWS\system32\qlrubdrn.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-21-1214440339-73586283-1801674531-1003\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-1214440339-73586283-1801674531-1003\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime (User '?')
O4 - HKUS\.DEFAULT\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime (User 'Default user')
O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
O4 - Global Startup: SpeedTouch 120g Wireless USB Monitor.lnk = C:\Program Files\Thomson SpeedTouch\SpeedTouch 120g Wireless USB Monitor\st120g.exe
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab56986.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.mijnalbum.nl/skin/v2/syst...eUploader4.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/ms...downloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary...o.cab32846.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/.../Installer.exe
O20 - Winlogon Notify: nnnmmNgD - C:\WINDOWS\SYSTEM32\nnnmmNgD.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: Sophos Agent - Sophos Plc - C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe
O23 - Service: Sophos AutoUpdate Service - Sophos Plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
O23 - Service: Sophos Message Router - Sophos Plc - C:\Program Files\Sophos\Remote Management System\RouterNT.exe

--
End of file - 8937 bytes

-- HijackThis Fixed Entries (E:\HIJACK~1\backups\) -----------------------------

backup-20080506-195840-266 O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')
backup-20080506-195840-340 O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')
backup-20080506-195840-560 O4 - HKLM\..\Run: [BM2b536e44] Rundll32.exe "C:\WINDOWS\system32\mhkkbihd.dll",s
backup-20080506-195840-577 O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')
backup-20080506-195840-776 O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
backup-20080506-195840-800 O4 - HKLM\..\Run: [28605dd8] rundll32.exe "C:\WINDOWS\system32\ttkcatro.dll",b
backup-20080506-195840-903 O4 - HKUS\S-1-5-21-1214440339-73586283-1801674531-1003\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
backup-20080506-200437-293 O4 - HKUS\S-1-5-18\..\Run: [] (User '?')
backup-20080506-200437-438 O4 - HKUS\S-1-5-21-1214440339-73586283-1801674531-1003\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
backup-20080506-200437-468 O4 - HKUS\.DEFAULT\..\Run: [] (User 'Default user')
backup-20080507-102821-306 O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
backup-20080507-102821-463 O4 - HKLM\..\Run: [28605dd8] rundll32.exe "C:\WINDOWS\system32\yesiyllj.dll",b
backup-20080507-102821-849 O4 - HKLM\..\Run: [BM2b536e44] Rundll32.exe "C:\WINDOWS\system32\lvwxsngg.dll",s

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

2 ADPTEHCD (%ADPT_USBEHCD.DeviceDesc%) - c:\windows\system32\drivers\asusehcd.sys <Not Verified; Asustek; >
2 AUSBD_FilterService (AUSBD Filter Service) - c:\windows\system32\drivers\asususbd.sys <Not Verified; Asustek; >
3 gUSBSTOi - c:\docume~1\basnij~1\locals~1\temp\gusbstoi.sys (file missing)
2 MDC8021X (AEGIS Protocol (IEEE 802.1x) v2.3.1.9) - c:\windows\system32\drivers\mdc8021x.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 2.3.1.9>
1 oreans32 - c:\windows\system32\drivers\oreans32.sys
1 prodrv06 (StarForce Protection Environment Driver v6) - c:\windows\system32\drivers\prodrv06.sys <Not Verified; Protection Technology; StarForce Protection System>
0 prohlp02 (StarForce Protection Helper Driver v2) - c:\windows\system32\drivers\prohlp02.sys <Not Verified; Protection Technology; StarForce Protection System>
0 prosync1 (StarForce Protection Synchronization Driver v1) - c:\windows\system32\drivers\prosync1.sys <Not Verified; Protection Technology; StarForce Protection System>
0 sfdrv01 (StarForce Protection Environment Driver (version 1.x)) - c:\windows\system32\drivers\sfdrv01.sys <Not Verified; Protection Technology; StarForce Protection System>
0 sfhlp01 (StarForce Protection Helper Driver) - c:\windows\system32\drivers\sfhlp01.sys <Not Verified; Protection Technology; StarForce Protection System>
0 sfhlp02 (StarForce Protection Helper Driver (version 2.x)) - c:\windows\system32\drivers\sfhlp02.sys <Not Verified; Protection Technology; StarForce Protection System>
0 sfvfs02 (StarForce Protection VFS Driver (version 2.x)) - c:\windows\system32\drivers\sfvfs02.sys <Not Verified; Protection Technology; StarForce Protection System>
3 TIEHDUSB - c:\windows\system32\drivers\tiehdusb.sys <Not Verified; Texas Instruments Incorporated; Texas Instruments Incorporated Educational Handheld Device>
0 VClone - system32\drivers\vclone.sys (file missing)

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

2 aawservice (Ad-Aware 2007 Service) - c:\program files\lavasoft\ad-aware 2007\aawservice.exe
2 SAVAdminService (Sophos Anti-Virus status reporter) - c:\program files\sophos\sophos anti-virus\savadminservice.exe
2 SAVService (Sophos Anti-Virus) - c:\program files\sophos\sophos anti-virus\savservice.exe
2 Sophos Agent - c:\program files\sophos\remote management system\managementagentnt.exe
2 Sophos AutoUpdate Service - c:\program files\sophos\autoupdate\alsvc.exe
2 Sophos Message Router - c:\program files\sophos\remote management system\routernt.exe
3 WLSetupSvc (Windows Live Setup Service) - c:\program files\windows live\installer\wlsetupsvc.exe


-- Device Manager: Disabled ----------------------------------------------------

Unable to create WMI object.

-- Scheduled Tasks -------------------------------------------------------------

2007-10-29 18:29:37 434 --ah----- C:\WINDOWS\Tasks\User_Feed_Synchronization-{A34B8048-9E07-4682-AF30-A0487EB360EB}.job
2006-12-30 15:04:25 330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job


-- Files created between 2008-04-07 and 2008-05-07 -----------------------------

2008-05-07 15:30:11 106560 --a------ C:\WINDOWS\system32\vadrxuuh.dll
2008-05-07 15:30:09 96832 --a------ C:\WINDOWS\system32\yttcavii.dll
2008-05-07 15:28:03 2112 --a------ C:\WINDOWS\system32\qxtxhecs.exe
2008-05-07 15:27:47 105024 --a------ C:\WINDOWS\system32\qlrubdrn.dll
2008-05-07 15:27:08 188994 --ahs---- C:\WINDOWS\system32\oqXbdccf.ini2
2008-05-07 15:27:03 280576 --a------ C:\WINDOWS\system32\fccdbXqo.dll
2008-05-07 13:35:09 181739 --ahs---- C:\WINDOWS\system32\QAIOqBeg.ini2
2008-05-07 10:03:09 2112 --a------ C:\WINDOWS\system32\elyanukf.exe
2008-05-07 09:59:26 0 d-------- C:\Documents and Settings\Bas Nijssen\.housecall6.6
2008-05-06 16:34:37 691545 --a------ C:\WINDOWS\unins000.exe
2008-05-06 16:34:36 2547 --a------ C:\WINDOWS\unins000.dat
2008-05-06 15:42:54 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-06 15:41:50 0 d-------- C:\Program Files\SpywareBlaster
2008-05-06 15:39:33 0 d-------- C:\Documents and Settings\All Users\Application Data\Prevx
2008-05-05 09:41:57 1394 --ahs---- C:\WINDOWS\system32\UBdLRXbc.ini2
2008-05-05 09:36:42 0 d-------- C:\Documents and Settings\Bas Nijssen\Application Data\Thinstall
2008-05-05 09:36:39 38912 --a------ C:\WINDOWS\system32\nnnmmNgD.dll
2008-04-28 11:29:32 0 d-------- C:\temp
2008-04-28 11:26:43 45056 --a------ C:\WINDOWS\system32\Wnaspi32.dll <Not Verified; Adaptec; Adaptec's ASPI Layer>
2008-04-28 11:26:43 16877 --a------ C:\WINDOWS\system32\drivers\Aspi32.sys <Not Verified; Adaptec; Adaptec's ASPI Layer>
2008-04-28 11:26:43 3535 --a------ C:\WINDOWS\system\Wowpost.exe
2008-04-28 11:26:43 4455 --a------ C:\WINDOWS\system\Winaspi.dll
2008-04-19 16:56:10 0 d-------- C:\Documents and Settings\All Users\Application Data\TrackMania
2008-04-15 20:04:52 86016 --a------ C:\WINDOWS\unvise32.exe <Not Verified; MindVision Software; Installer VISE>
2008-04-15 20:04:51 0 d-------- C:\Program Files\Encore 4.5.3
2008-04-15 20:04:47 0 d-------- C:\Program Files\Example Files
2008-04-14 14:32:43 0 d-------- C:\Program Files\Easy Icon Maker
2008-04-14 14:17:02 108544 --a------ C:\WINDOWS\IEcheck.exe
2008-04-09 16:24:45 0 d-------- C:\WINDOWS\system32\Adobe


-- Find3M Report ---------------------------------------------------------------

2008-05-07 16:00:10 0 d-------- C:\Program Files\Hitman Pro
2008-05-06 16:08:42 0 d-------- C:\Documents and Settings\Bas Nijssen\Application Data\Lavasoft
2008-05-06 15:42:18 0 d-------- C:\Program Files\Lavasoft
2008-05-05 09:42:49 0 d-------- C:\Documents and Settings\Bas Nijssen\Application Data\LimeWire
2008-04-16 14:57:27 0 d-------- C:\Documents and Settings\Bas Nijssen\Application Data\Help
2008-04-15 20:04:53 10457 --a------ C:\Program Files\uninstal.log
2008-03-22 16:37:05 0 d-------- C:\Program Files\MSN Messenger
2008-03-22 16:37:04 0 d-------- C:\Program Files\Messenger Plus! Live


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{07CE6734-B4AE-494D-B1B6-4E7DC05EB5C7}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{51E85E29-F64C-4C83-8725-13A732820719}]
07-05-2008 15:27 280576 --a------ C:\WINDOWS\system32\fccdbXqo.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53FE12C2-4429-488F-847B-7B285F8F6778}]
05-05-2008 09:36 38912 --a------ C:\WINDOWS\system32\nnnmmNgD.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{66907894-F312-45B7-A9CB-C6D9C75008A2}]
C:\WINDOWS\system32\geBqOIAQ.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D85F337C-4C9A-4305-B03F-86E2F06364C3}]
C:\WINDOWS\system32\cbXRLdBU.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{de289a4b-d0f5-4efe-a4f4-d42f6ef0e92c}]
07-05-2008 15:30 106560 --a------ C:\WINDOWS\system32\vadrxuuh.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [29-09-2004 08:15]
"PRISMSVR.EXE"="C:\Program Files\Thomson SpeedTouch\SpeedTouch 120g Wireless USB Monitor\PRISMSVR.exe" [26-04-2004 14:26]
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [29-06-2007 06:24]
"Hitman Pro Expiration Helper"="C:\Program Files\Hitman Pro\xphelper.exe" [30-05-2007 08:28]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [04-08-2004 02:03]
"BM2b536e44"="C:\WINDOWS\system32\qlrubdrn.dll" [07-05-2008 15:27]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04-08-2004 02:03]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [28-01-2008 11:43]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime

C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\
AutoUpdate Monitor.lnk - C:\Program Files\Sophos\AutoUpdate\ALMon.exe [22-2-2007 13:35:12]
SpeedTouch 120g Wireless USB Monitor.lnk - C:\Program Files\Thomson SpeedTouch\SpeedTouch 120g Wireless USB Monitor\st120g.exe [20-5-2004 17:11:02]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{53FE12C2-4429-488F-847B-7B285F8F6778}"= C:\WINDOWS\system32\nnnmmNgD.dll [05-05-2008 09:36 38912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnmmNgD]
nnnmmNgD.dll 05-05-2008 09:36 38912 C:\WINDOWS\system32\nnnmmNgD.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\fccdbXqo

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService]
@="service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\svcWRSSSDK]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^ATI CATALYST System Tray.lnk]
path=C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\ATI CATALYST System Tray.lnk
backup=C:\WINDOWS\pss\ATI CATALYST System Tray.lnkCommon Startup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\28605dd8]
rundll32.exe "C:\WINDOWS\system32\yttcavii.dll",b

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
"C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM2b536e44]
Rundll32.exe "C:\WINDOWS\system32\qlrubdrn.dll",s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C-Media Mixer]
Mixer.exe /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IECheck]
C:\WINDOWS\IECheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\type32]
"C:\Program Files\Microsoft IntelliType Pro\type32.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"28605dd8"=rundll32.exe "C:\WINDOWS\system32\yttcavii.dll",b
"BM2b536e44"=Rundll32.exe "C:\WINDOWS\system32\qlrubdrn.dll",s




-- Hosts -----------------------------------------------------------------------

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

8369 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-05-07 16:24:41 ------------
Attached Files
File Type: txt extra.txt (25.6 KB, 4 views)
DaBaZZ is offline  
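As an added triage example (not code from this thread or from HijackThis, Deckard's or ComboFix): a Python script that scans the O2, O4 and O20 lines of the log above for the Virtumonde-style indicators that stand out in it, namely BHOs with no display name, randomly named eight-letter DLLs in system32, a Rundll32 autostart and a Winlogon Notify hook. The heuristics, the `Finding` type and the sample lines (copied from the log above) are my own assumptions, not a rule set from any of the tools mentioned.

```python
"""Triage a HijackThis log for the Vundo/Virtumonde-style persistence seen in this thread."""
import re
from typing import List, NamedTuple

# Constructed sample: ten lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {07CE6734-B4AE-494D-B1B6-4E7DC05EB5C7} - (no file)
O2 - BHO: (no name) - {51E85E29-F64C-4C83-8725-13A732820719} - C:\WINDOWS\system32\fccdbXqo.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {66907894-F312-45B7-A9CB-C6D9C75008A2} - C:\WINDOWS\system32\geBqOIAQ.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: {c29e0fe6-f24d-4f4a-efe4-5f0db4a982ed} - {de289a4b-d0f5-4efe-a4f4-d42f6ef0e92c} - C:\WINDOWS\system32\vadrxuuh.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [BM2b536e44] Rundll32.exe "C:\WINDOWS\system32\qlrubdrn.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: nnnmmNgD - C:\WINDOWS\SYSTEM32\nnnmmNgD.dll
"""


class Finding(NamedTuple):
    section: str    # HijackThis section tag: O2, O4 or O20
    reasons: tuple  # why the line was flagged
    line: str       # the original log line


O2_RE = re.compile(r"^O2 - BHO: (.*) - (\{[0-9A-Fa-f-]{36}\}) - (.*)$")
O4_RE = re.compile(r"^O4 - (\S+?)\\\.\.\\Run: \[([^\]]*)\] (.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.*)$")
GUID_RE = re.compile(r"^\{[0-9A-Fa-f-]{36}\}$")
# Assumed heuristic: Virtumonde drops DLLs with eight random letters straight into system32.
RANDOM_DLL_RE = re.compile(r"\\system32\\([a-z]{8}\.dll)\b", re.I)


def triage(log_text: str) -> List[Finding]:
    """Return the O2/O4/O20 lines that match the indicators, with the reasons for each."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = O2_RE.match(line)
        if m:
            name, _guid, target = m.groups()
            reasons = []
            if name == "(no name)" or GUID_RE.match(name):
                reasons.append("BHO registered without a display name")
            if RANDOM_DLL_RE.search(target):
                reasons.append("random eight-letter DLL in system32")
            if "(no file)" in target or "(file missing)" in target:
                reasons.append("registration points at a missing file (orphan to clean up)")
            if reasons:
                findings.append(Finding("O2", tuple(reasons), line))
            continue
        m = O4_RE.match(line)
        if m:
            _hive, _value, command = m.groups()
            if "rundll32" in command.lower() and RANDOM_DLL_RE.search(command):
                findings.append(Finding("O4", ("Rundll32 autostart loads a random eight-letter DLL",), line))
            continue
        m = O20_RE.match(line)
        if m:
            _key, target = m.groups()
            if RANDOM_DLL_RE.search(target):
                findings.append(Finding("O20", ("Winlogon Notify hook into a random eight-letter DLL",), line))
    return findings


def flagged_dlls(findings: List[Finding]) -> List[str]:
    """Distinct DLL names loaded by the flagged entries, to cross-check against the file listings."""
    names = set()
    for f in findings:
        for m in RANDOM_DLL_RE.finditer(f.line):
            names.add(m.group(1))
    return sorted(names)


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for f in hits:
        print(f.section, "|", "; ".join(f.reasons), "|", f.line)
    print("DLLs to cross-check:", ", ".join(flagged_dlls(hits)))
```

The Spybot, Java, ATIPTA and ctfmon lines pass through unflagged, which is the point of keying on system32 placement and the missing display name rather than on "unknown DLL" alone.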
Old 05-07-2008, 05:19 PM   #2 (permalink)
Analyst, Security Team
 
Join Date: Oct 2007
Posts: 1,350
OS: XP SP3


Re: POP-UP problems and some other IE problems

Hello and Welcome to TSF.

I am currently reviewing your log. Please note that this is under the supervision of an expert analyst, and I will be back with a fix for your problem as soon as possible.

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please be patient with me during this time.
__________________
Our help is free but please donate
chemist is offline  
Old 05-07-2008, 08:15 PM   #3 (permalink)
Analyst, Security Team
 
Join Date: Oct 2007
Posts: 1,350
OS: XP SP3


Re: POP-UP problems and some other IE problems

Hello DaBaZZ.

Please save this page to Notepad in order to assist you when carrying out the following instructions.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding.
Ensure that there aren't any opened browsers when you are carrying out the procedures below.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Please stay with me until given the 'all clear' even if symptoms seemingly abate.


Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by a helper.

------------------------------------------------------

If you are experiencing a slow or sluggish system, it is most likely due to low RAM.

Quote:
Total Physical Memory: 256 MiB (512 MiB recommended).
Percentage of Memory in Use: 76%
Physical Memory (total/avail): 255.47 MiB / 60.96 MiB
Please read the following article: http://users.telenet.be/bluepatchy/m...wcomputer.html

For information on what you would need, please visit Crucial where you can either input your model number or download a small application that will tell you exactly the type of RAM you need.

------------------------------------------------------

Quote:
C:\Documents and Settings\Bas Nijssen\Local Settings\Temporary Internet Files\Content.IE5\9SCEWGPF\dss[1].exe
Please note that tools are best run from the desktop. Easier to find and perform specialized functions which may be required. Save to the Desktop and then Run from the Desktop. Thanks.

------------------------------------------------------

Please visit this webpage for instructions on downloading and running ComboFix:

http://www.bleepingcomputer.com/comb...o-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode, if needed. This allows us to help you in the case that your computer has a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.



Please continue as follows:
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Get help here

  • Please click Yes to continue scanning for malware.
When the tool is finished, it will produce a log for you.

Please post that log, ComboFix.txt along with a new HijackThis log so we may continue cleansing the system.

------------------------------------------------------

Open HijackThis and click on 'Do a System Scan and Save a Logfile'. Save the logfile and post it here.

------------------------------------------------------

Please post the following in your next reply:

C:\ComboFix.txt
new HijackThis log


If you have any questions along the way...STOP and ask them before proceeding.
__________________
Our help is free but please donate
chemist is offline  
Old 05-08-2008, 12:13 AM   #4 (permalink)
Registered User
 
Join Date: May 2008
Posts: 10
OS: Windows XP Service Pack 2


Re: POP-UP problems and some other IE problems

Hey Chemist,

I just read the instructions for ComboFix at bleepingcomputer.com.
It says this:

Once the Microsoft file has finished downloading, you should drag it on top of the ComboFix icon and let your mouse button go. This is shown in the following image.

But when I drag the file on top of the ComboFix icon ComboFix starts to run.

What do I do wrong?
DaBaZZ is offline  
Old 05-08-2008, 03:20 AM   #5 (permalink)
Analyst, Security Team
 
Join Date: Oct 2007
Posts: 1,350
OS: XP SP3


Re: POP-UP problems and some other IE problems

Hello again DaBaZZ.

You aren't doing anything wrong. Let ComboFix run.
__________________
Our help is free but please donate
chemist is offline  
Old 05-08-2008, 07:26 AM   #6 (permalink)
Registered User
 
Join Date: May 2008
Posts: 10
OS: Windows XP Service Pack 2


Re: POP-UP problems and some other IE problems

Ok here are the log files..

ComboFix 08-05-01.3 - Bas Nijssen 2008-05-08 16:11:47.1 - NTFSx86

Gestart vanuit: C:\Documents and Settings\Bas Nijssen\Bureaublad\ComboFix.exe
Command switches used :: C:\Documents and Settings\Bas Nijssen\Bureaublad\WindowsXP-KB310994-SP2-Pro-BootDisk-NLD.exe
.

(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Bas Nijssen\Application Data\macromedia\Flash Player\#SharedObjects\Q8ZC9HEB\iforex.com
C:\Documents and Settings\Bas Nijssen\Application Data\macromedia\Flash Player\#SharedObjects\Q8ZC9HEB\iforex.com\Emerp\Events\flash_object.swf\user_data.sol
C:\Documents and Settings\Bas Nijssen\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#iforex.com
C:\Documents and Settings\Bas Nijssen\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#iforex.com\settings.sol
C:\WINDOWS\cookies.ini
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\drivers\OLD9.tmp
C:\WINDOWS\system32\fccdbXqo.dll
C:\WINDOWS\system32\iivactty.ini
C:\WINDOWS\system32\jllyisey.ini
C:\WINDOWS\system32\mkgsvgyd.dll
C:\WINDOWS\system32\nnnmmNgD.dll
C:\WINDOWS\system32\oqXbdccf.ini
C:\WINDOWS\system32\oqXbdccf.ini2
C:\WINDOWS\system32\ortacktt.ini
C:\WINDOWS\system32\QAIOqBeg.ini
C:\WINDOWS\system32\QAIOqBeg.ini2
C:\WINDOWS\system32\qlrubdrn.dll
C:\WINDOWS\system32\qncrperm.dll
C:\WINDOWS\system32\UBdLRXbc.ini
C:\WINDOWS\system32\UBdLRXbc.ini2
C:\WINDOWS\system32\vadrxuuh.dll
C:\WINDOWS\system32\yttcavii.dll

.
(((((((((((((((((((( Bestanden Gemaakt van 2008-04-08 to 2008-05-08 ))))))))))))))))))))))))))))))
.

2008-05-08 16:06 . 2008-05-08 16:06 2,112 --a------ C:\WINDOWS\system32\mtoqdwhk.exe
2008-05-07 16:21 . 2008-05-07 16:21 <DIR> d-------- C:\Deckard
2008-05-07 15:28 . 2008-05-07 15:28 2,112 --a------ C:\WINDOWS\system32\qxtxhecs.exe
2008-05-07 12:18 . 2008-05-07 14:19 501 --a------ C:\WINDOWS\wininit.ini
2008-05-07 10:03 . 2008-05-07 10:03 2,112 --a------ C:\WINDOWS\system32\elyanukf.exe
2008-05-07 10:01 . 2008-05-07 09:59 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-05-07 09:59 . 2008-05-07 10:12 <DIR> d-------- C:\Documents and Settings\Bas Nijssen\.housecall6.6
2008-05-06 16:34 . 2008-05-06 15:44 691,545 --a------ C:\WINDOWS\unins000.exe
2008-05-06 16:34 . 2008-05-06 16:34 2,547 --a------ C:\WINDOWS\unins000.dat
2008-05-06 15:42 . 2008-05-07 14:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-06 15:41 . 2008-05-06 17:06 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-05-06 15:40 . 2008-05-07 11:17 <DIR> d-------- C:\Program Files\ESET
2008-05-06 15:39 . 2008-05-06 15:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Prevx
2008-05-05 21:45 . 2008-05-08 16:06 109,709 --a------ C:\WINDOWS\BM2b536e44.xml
2008-05-05 09:37 . 2008-05-05 09:37 <DIR> d-------- C:\Documents and Settings\Admin
2008-05-05 09:36 . 2008-05-05 09:36 <DIR> d-------- C:\Documents and Settings\Bas Nijssen\Application Data\Thinstall
2008-04-28 11:29 . 2008-05-06 17:06 <DIR> d-------- C:\temp
2008-04-28 11:27 . 2008-04-28 11:29 78 --a------ C:\WINDOWS\DVDRipper.INI
2008-04-28 11:26 . 2002-07-17 09:20 45,056 --a------ C:\WINDOWS\system32\Wnaspi32.dll
2008-04-28 11:26 . 2002-07-17 08:53 16,877 --a------ C:\WINDOWS\system32\drivers\Aspi32.sys
2008-04-28 11:26 . 2002-07-17 16:22 4,455 --a------ C:\WINDOWS\system\Winaspi.dll
2008-04-28 11:26 . 2002-07-17 16:22 3,535 --a------ C:\WINDOWS\system\Wowpost.exe
2008-04-19 16:56 . 2008-05-02 14:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TrackMania
2008-04-15 20:04 . 2008-04-15 20:04 <DIR> d-------- C:\Program Files\Example Files
2008-04-15 20:04 . 2008-04-15 20:21 <DIR> d-------- C:\Program Files\Encore 4.5.3
2008-04-15 20:04 . 1999-12-17 10:13 86,016 --a------ C:\WINDOWS\unvise32.exe
2008-04-14 14:32 . 2008-04-14 14:37 <DIR> d-------- C:\Program Files\Easy Icon Maker
2008-04-14 14:17 . 2008-01-16 16:11 108,544 --a------ C:\WINDOWS\IEcheck.exe
2008-04-09 16:24 . 2008-04-09 16:24 <DIR> d-------- C:\WINDOWS\system32\Adobe

.
((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-08 14:17 --------- d-----w C:\Program Files\Hitman Pro
2008-05-07 09:17 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-05-06 14:08 --------- d-----w C:\Documents and Settings\Bas Nijssen\Application Data\Lavasoft
2008-05-06 13:42 --------- d-----w C:\Program Files\Lavasoft
2008-05-05 07:42 --------- d-----w C:\Documents and Settings\Bas Nijssen\Application Data\LimeWire
2008-04-15 18:04 10,457 ----a-w C:\Program Files\uninstal.log
2008-03-22 14:37 --------- d-----w C:\Program Files\MSN Messenger
2008-03-22 14:37 --------- d-----w C:\Program Files\Messenger Plus! Live
2007-04-24 14:35 1,024 ----a-w C:\Documents and Settings\All Users\Application Data\1doc2pdf.dll
2002-12-11 12:17 13,366,265 --s-a-w C:\Program Files\Encore Manual.pdf
.

((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{66907894-F312-45B7-A9CB-C6D9C75008A2}]
C:\WINDOWS\system32\geBqOIAQ.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D85F337C-4C9A-4305-B03F-86E2F06364C3}]
C:\WINDOWS\system32\cbXRLdBU.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:03 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-09-29 08:15 344064]
"PRISMSVR.EXE"="C:\Program Files\Thomson SpeedTouch\SpeedTouch 120g Wireless USB Monitor\PRISMSVR.exe" [2004-04-26 14:26 295001]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24 286720]
"Hitman Pro Expiration Helper"="C:\Program Files\Hitman Pro\xphelper.exe" [2007-05-30 08:28 596760]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 02:03 160256]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2004-09-29 11:37 28672]

C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\
AutoUpdate Monitor.lnk - C:\Program Files\Sophos\AutoUpdate\ALMon.exe [2007-02-22 13:35:12 245760]
SpeedTouch 120g Wireless USB Monitor.lnk - C:\Program Files\Thomson SpeedTouch\SpeedTouch 120g Wireless USB Monitor\st120g.exe [2004-05-20 17:11:02 303104]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnmmNgD]
nnnmmNgD.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i263_32.drv
"msacm.g723"= g723.acm
"vidc.I263"= I263_32.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService]
@="service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^ATI CATALYST System Tray.lnk]
path=C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\ATI CATALYST System Tray.lnk
backup=C:\WINDOWS\pss\ATI CATALYST System Tray.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\28605dd8]
C:\WINDOWS\system32\yttcavii.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
--a------ 2004-09-29 11:37 28672 C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM2b536e44]
C:\WINDOWS\system32\qlrubdrn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C-Media Mixer]
-ra------ 2002-07-12 17:33 1581056 C:\WINDOWS\mixer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 02:03 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IECheck]
--a------ 2008-01-16 16:11 108544 C:\WINDOWS\IECheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\type32]
--a------ 2003-05-16 01:45 114688 C:\Program Files\Microsoft IntelliType Pro\type32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"28605dd8"=rundll32.exe "C:\WINDOWS\system32\yttcavii.dll",b
"BM2b536e44"=Rundll32.exe "C:\WINDOWS\system32\qlrubdrn.dll",s

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SophosAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Microsoft Office\\OFFICE11\\WINWORD.EXE"=
"C:\\WINDOWS\\system32\\rtcshare.exe"=
"C:\\Program Files\\NetMeeting\\conf.exe"=
"E:\\Program Files\\DC++\\DCPlusPlus.exe"=
"C:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=


.
Inhoud van de 'Gedeelde Taken' map
"2006-12-30 13:04:25 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2007-10-29 16:29:37 C:\WINDOWS\Tasks\User_Feed_Synchronization-{A34B8048-9E07-4682-AF30-A0487EB360EB}.job"
- C:\WINDOWS\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-08 16:17:22
Windows 5.1.2600 Service Pack 2 NTFS

scannen van verborgen processen ...

scannen van verborgen autostart items ...

scannen van verborgen bestanden ...

Scan succesvol afgerond
verborgen bestanden: 27

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Sophos Message Router]
"ImagePath"="\"C:\Program Files\Sophos\Remote Management System\RouterNT.exe\" -service -name Router -ORBListenEndpoints iiop://:8193/ssl_port=8194"
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\Program Files\Sophos\Remote Management System\RouterNT.exe
C:\WINDOWS\system32\ati2evxx.exe
.
**************************************************************************
.
Voltooingstijd: 2008-05-08 16:20:13 - machine was rebooted [Bas Nijssen]
ComboFix-quarantined-files.txt 2008-05-08 14:20:09

Pre-Run: 8,951,230,464 bytes beschikbaar
Post-Run: 8,873,132,032 bytes beschikbaar

WindowsXP-KB310994-SP2-Pro-BootDisk-NLD.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

189 --- E O F --- 2008-05-07 13:57:52


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:22:41, on 8-5-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\Program Files\Sophos\Remote Management System\RouterNT.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Thomson SpeedTouch\SpeedTouch 120g Wireless USB Monitor\PRISMSVR.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Program Files\Thomson SpeedTouch\SpeedTouch 120g Wireless USB Monitor\st120g.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
E:\HijackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: (no name) - {66907894-F312-45B7-A9CB-C6D9C75008A2} - C:\WINDOWS\system32\geBqOIAQ.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Aanmelden - Help - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {D85F337C-4C9A-4305-B03F-86E2F06364C3} - C:\WINDOWS\system32\cbXRLdBU.dll (file missing)
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\Program Files\Thomson SpeedTouch\SpeedTouch 120g Wireless USB Monitor\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Hitman Pro Expiration Helper] "C:\Program Files\Hitman Pro\xphelper.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-1214440339-73586283-1801674531-1003\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime (User '?')
O4 - HKUS\.DEFAULT\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime (User 'Default user')
O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
O4 - Global Startup: SpeedTouch 120g Wireless USB Monitor.lnk = C:\Program Files\Thomson SpeedTouch\SpeedTouch 120g Wireless USB Monitor\st120g.exe
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab56986.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.mijnalbum.nl/skin/v2/syst...eUploader4.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/ms...downloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary...o.cab32846.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/.../Installer.exe
O20 - Winlogon Notify: nnnmmNgD - nnnmmNgD.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: Sophos Agent - Sophos Plc - C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe
O23 - Service: Sophos AutoUpdate Service - Sophos Plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
O23 - Service: Sophos Message Router - Sophos Plc - C:\Program Files\Sophos\Remote Management System\RouterNT.exe

--
End of file - 7691 bytes

Last edited by tetonbob : 05-08-2008 at 09:54 AM.
Old 05-08-2008, 07:59 AM   #7
Registered User
Join Date: May 2008
Posts: 10
OS: Windows XP Service Pack 2


Re: POP-UP problems and some other IE problems

I think the pop-ups are gone now.
But Spybot S&D also killed them (only in safe mode), but after a restart the pop-ups were back again.
So I don't want to reset my PC till you have taken a look at the log :P

Last edited by DaBaZZ : 05-08-2008 at 08:03 AM.
Old 05-08-2008, 07:34 PM   #8
Analyst, Security Team
Join Date: Oct 2007
Posts: 1,350
OS: XP SP3


Re: POP-UP problems and some other IE problems

Hello again, DaBaZZ.

Please save this page to Notepad in order to assist you when carrying out the following instructions.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding.
Ensure that there aren't any opened browsers when you are carrying out the procedures below.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

------------------------------------------------------

Quote:
I think the pop-ups are gone now.
But Spybot S&D also killed them (only in safe mode), but after a restart the pop-ups were back again.
Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Kindly follow my instructions and please do NO fixing on your own or running of scanners unless requested by a helper.

------------------------------------------------------

Open HijackThis and click on 'Do a System Scan Only'. Check the following entries if they still exist: (Make sure you do not miss any)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

Please remember to close all other windows, including browsers then click Fix checked.

Please close HijackThis now.

------------------------------------------------------

Close any open browsers.

Disable your antivirus and antispyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.

Open Notepad and copy/paste the text in the quotebox below into it:

Quote:
http://www.techsupportforum.com/security-center/hijackthis-log-help/247310-pop-up-problems-some-other-ie-problems.html#post1473725

File::
C:\WINDOWS\wininit.ini
C:\WINDOWS\BM2b536e44.xml
C:\WINDOWS\system32\drivers\tmcomm.sys

Collect::
C:\WINDOWS\system32\mtoqdwhk.exe
C:\WINDOWS\system32\qxtxhecs.exe
C:\WINDOWS\system32\elyanukf.exe

Folder::
C:\Documents and Settings\Bas Nijssen\.housecall6.6\quarantine
C:\Documents and Settings\Bas Nijssen\Application Data\LimeWire

Driver::
gUSBSTOi

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{66907894-F312-45B7-A9CB-C6D9C75008A2}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D85F337C-4C9A-4305-B03F-86E2F06364C3}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnmmNgD]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\28605dd8]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM2b536e44]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"28605dd8"=-
"BM2b536e44"=-

KillAll::
Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.

When finished, it shall produce a log for you. Please post that log, ComboFix.txt in your next reply.

Note:
Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.


When CF finishes running, the ComboFix log will open along with a message box. Do not be alarmed. With the above script, ComboFix will capture a file to submit for analysis.

Ensure you are connected to the internet and click OK. A browser will open. Simply follow the instructions to copy/paste/send the requested file.


------------------------------------------------------

Please go to: VirusTotal
  • On the page you'll find a Browse button.
  • Next to the browse button you'll see a box to enter text.
  • Please copy/paste the following bolded text into the box:

    C:\Documents and Settings\All Users\Application Data\1doc2pdf.dll

  • Then click the Send File button just below.
  • This will scan the file. Please be patient.
  • Once scanned, copy and paste the results in your next reply.
------------------------------------------------------

Open HijackThis and click on 'Do a System Scan and Save a Logfile'. Save the logfile and post it here.

------------------------------------------------------

Please post the following in your next reply:

C:\ComboFix.txt
VirusTotal results
new HijackThis log
__________________
Our help is free but please donate
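The CFScript the helper posted uses a small directive format (File::, Collect::, Folder::, Driver::, Registry::, KillAll::) with .reg-style syntax in the Registry:: section. As an added example that is not ComboFix's or the forum's own code, here is a Python dry-run parser that turns such a script into a reviewable list of actions before it is handed to ComboFix; the meaning assigned to each section is an assumption drawn from the post, ComboFix's `~` key shorthand is left unexpanded, and the sample script is a constructed, shortened copy of the one above.

```python
"""Dry-run parser for the CFScript.txt format (added example, not ComboFix code).
Section names come from the helper's script; what each section does (delete,
collect for submission, remove driver, stop processes) is an assumption."""
import re
from dataclasses import dataclass, field

# Constructed sample: a shortened copy of the script posted in the thread.
SAMPLE_SCRIPT = r"""
http://www.techsupportforum.com/security-center/hijackthis-log-help/247310-pop-up-problems-some-other-ie-problems.html#post1473725
File::
C:\WINDOWS\wininit.ini
C:\WINDOWS\BM2b536e44.xml
Collect::
C:\WINDOWS\system32\mtoqdwhk.exe
Driver::
gUSBSTOi
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{66907894-F312-45B7-A9CB-C6D9C75008A2}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"28605dd8"=-
"BM2b536e44"=-
KillAll::
"""

SECTION_RE = re.compile(r"^([A-Za-z]+)::$")
KEY_RE = re.compile(r"^\[(-?)(.+)\]$")      # .reg style; a leading '-' deletes the key
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')  # "name"=-  deletes that value
# Sections whose lines are plain paths or names, mapped to the Plan field they fill.
SIMPLE = {"file": "delete_files", "collect": "collect_files",
          "folder": "delete_folders", "driver": "delete_drivers"}

@dataclass
class Plan:
    delete_files: list = field(default_factory=list)
    collect_files: list = field(default_factory=list)   # kept for submission, not just deleted
    delete_folders: list = field(default_factory=list)
    delete_drivers: list = field(default_factory=list)
    delete_keys: list = field(default_factory=list)
    delete_values: list = field(default_factory=list)   # (key, value name)
    kill_all: bool = False
    warnings: list = field(default_factory=list)

def parse_cfscript(text: str) -> Plan:
    """Turn a CFScript into a Plan so its actions can be reviewed before running it."""
    plan, section, current_key = Plan(), None, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.lower().startswith("http"):
            continue                      # blank lines and the thread URL carry no action
        m = SECTION_RE.match(line)
        if m:
            section, current_key = m.group(1).lower(), None
            plan.kill_all |= section == "killall"
            continue
        if section in SIMPLE:
            getattr(plan, SIMPLE[section]).append(line)
        elif section == "registry":
            km, vm = KEY_RE.match(line), VALUE_RE.match(line)
            if km:                        # '~' shorthand in the key is left as written
                minus, key = km.groups()
                current_key = None if minus else key
                if minus:
                    plan.delete_keys.append(key)
            elif vm and current_key and vm.group(2) == "-":
                plan.delete_values.append((current_key, vm.group(1)))
            else:                         # value under a deleted key, or a malformed line
                plan.warnings.append(f"line {lineno}: cannot apply {line!r}")
        else:
            plan.warnings.append(f"line {lineno}: {line!r} is outside any known section")
    return plan
```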
Old 05-08-2008, 11:41 PM   #9
Registered User
Join Date: May 2008
Posts: 10
OS: Windows XP Service Pack 2


Re: POP-UP problems and some other IE problems

ComboFix 08-05-01.3 - Bas Nijssen 2008-05-09 8:23:11.2 - NTFSx86

Gestart vanuit: C:\Documents and Settings\Bas Nijssen\Bureaublad\ComboFix.exe
Command switches used :: C:\Documents and Settings\Bas Nijssen\Bureaublad\CFScript.txt

FILE ::
C:\WINDOWS\BM2b536e44.xml
C:\WINDOWS\system32\drivers\tmcomm.sys
C:\WINDOWS\wininit.ini
.

(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Bas Nijssen\.housecall6.6\quarantine
C:\Documents and Settings\Bas Nijssen\Application Data