08-01-2008, 02:39 PM   #1
Zekko, Registered User
 
Join Date: Aug 2007
Location: Netherlands
Posts: 22
OS: Windows XP Pro SP2


Pesky malware popups

Been getting lots of Windows warnings and Internet Explorer popups about malware, like every 30 seconds, fake virus scanners and the like. I first thought it might be the Vundo virus, but I tried VundoFix.exe and the like; they all said Vundo couldn't be found.

I did find a process constantly running called "iebtm.exe" and also "iebtmm.exe". I also found them in the registry, but I could neither end the process nor remove the registry entry.

I ran Deckard's System Scanner, and it asked me for HijackThis. I let it finish its scan without using HijackThis, closed the resulting logs, installed HijackThis and ran it again, but this time it only gave me a main.txt file, no extra.txt. I tried uninstalling HijackThis and rebooting, but it wouldn't give me an extra.txt file.

I've been having another problem for about a month now, maybe more. At startup, when the desktop loads, the taskbar freezes for about a minute. After that, it's fine. I couldn't find a solution on the internet so I always just waited for it. I don't expect it to have anything to do with the popups, though.

Help, please?


Deckard's System Scanner v20071014.68
Run by Jeroen Delcour on 2008-08-01 23:29:55
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Jeroen Delcour.exe) --------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:29:58, on 1-8-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\AlienGUIse\wbload.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Applications\wcs.exe
C:\Program Files\Applications\iebtm.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Applications\wcm.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Applications\iebtmm.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Jeroen Delcour\Bureaublad\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\JEROEN~1.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {D46BEAA4-A304-40B3-A9DA-EC7F7F501F25} - C:\Program Files\Applications\iebt.dll
O3 - Toolbar: Internet Service - {38BF827A-D7C5-46E1-A9A2-47B1B5BB5438} - C:\Program Files\Applications\iebr.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [some] C:\Program Files\Applications\wcs.exe
O4 - HKLM\..\Policies\Explorer\Run: [start] C:\Program Files\Applications\iebtm.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.iexplorerclue.com/redirect.php (file missing)
O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.iexplorerclue.com/redirect.php (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod-service (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 5305 bytes

-- Files created between 2008-07-01 and 2008-08-01 -----------------------------

2008-08-01 23:24:36 0 d-------- C:\Program Files\Trend Micro
2008-08-01 22:47:02 0 d-------- C:\Documents and Settings\All Users\Application Data\ESET
2008-08-01 22:29:35 0 d--h----- C:\Documents and Settings\Administrator\Sjablonen
2008-08-01 22:29:35 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-08-01 22:29:35 0 d--h----- C:\Documents and Settings\Administrator\Onlangs geopend
2008-08-01 22:29:35 524288 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-08-01 22:29:35 0 d--h----- C:\Documents and Settings\Administrator\Netwerkprinteromgeving
2008-08-01 22:29:35 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-08-01 22:29:35 0 d-------- C:\Documents and Settings\Administrator\Mijn documenten
2008-08-01 22:29:35 0 dr------- C:\Documents and Settings\Administrator\Menu Start
2008-08-01 22:29:35 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-08-01 22:29:35 0 d-------- C:\Documents and Settings\Administrator\Favorieten
2008-08-01 22:29:35 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2008-08-01 22:29:35 0 d-------- C:\Documents and Settings\Administrator\Bureaublad
2008-08-01 22:29:35 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-08-01 22:29:35 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-08-01 22:29:26 0 d--hs---- C:\WINDOWS\CSC
2008-08-01 22:20:26 0 d-------- C:\VundoFix Backups
2008-08-01 21:03:01 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-01 20:00:19 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-01 18:43:44 0 d-------- C:\Program Files\Applications
2008-07-25 11:55:01 0 d-------- C:\Documents and Settings\Jeroen Delcour\Application Data\EVEMon
2008-07-20 13:22:51 0 d-------- C:\Documents and Settings\All Users\Application Data\CCP
2008-07-04 14:38:53 0 d-------- C:\Program Files\MSXML 4.0


-- Find3M Report ---------------------------------------------------------------

2008-08-01 23:16:05 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-01 22:26:08 0 d-------- C:\Documents and Settings\Jeroen Delcour\Application Data\uTorrent
2008-08-01 16:51:09 0 d-------- C:\Program Files\Xfire
2008-07-25 15:08:35 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-07-24 18:43:41 0 d-------- C:\Documents and Settings\Jeroen Delcour\Application Data\Xfire
2008-07-09 14:44:45 0 d-------- C:\Documents and Settings\Jeroen Delcour\Application Data\Hamachi
2008-07-02 08:35:34 1838 --a------ C:\WINDOWS\system32\ealregsnapshot1.reg
2008-06-28 12:29:48 0 d-------- C:\Documents and Settings\Jeroen Delcour\Application Data\Ulead Systems
2008-06-28 12:24:34 0 d-------- C:\Program Files\Windows Media Components
2008-06-28 12:24:22 0 d-------- C:\Program Files\Ulead Systems
2008-06-28 12:22:37 0 d-------- C:\Program Files\Common Files\Ulead Systems
2008-06-28 12:22:35 0 d-------- C:\Program Files\Common Files
2008-06-27 14:13:04 86016 --a------ C:\WINDOWS\system32\OpenAL32.dll <Not Verified; Portions (C) Creative Labs Inc. and NVIDIA Corp.; Standard OpenAL(TM) Library>
2008-06-23 22:08:49 60812 --a------ C:\WINDOWS\War3Unin.dat
2008-06-23 21:57:09 2829 --a------ C:\WINDOWS\War3Unin.pif
2008-06-23 21:57:09 139264 --a------ C:\WINDOWS\War3Unin.exe <Not Verified; Blizzard Entertainment; Warcraft III Uninstaller>
2008-06-22 17:07:38 0 d-------- C:\Program Files\Common Files\InstallShield
2008-06-18 15:55:52 0 d-------- C:\Documents and Settings\Jeroen Delcour\Application Data\SPORE Creature Creator
2008-06-18 14:29:39 0 d-------- C:\Program Files\MSN Messenger
2008-06-18 14:28:47 0 d-------- C:\Program Files\Windows Live
2008-06-18 12:43:36 0 d-------- C:\Documents and Settings\Jeroen Delcour\Application Data\Mozilla
2008-06-14 22:33:22 681 --a------ C:\WINDOWS\mozver.dat
2008-06-11 23:15:13 0 d-------- C:\Program Files\Common Files\BioWare
2008-06-10 21:49:03 455928 --a------ C:\WINDOWS\system32\perfh013.dat
2008-06-10 21:49:03 76816 --a------ C:\WINDOWS\system32\perfc013.dat
2008-05-31 16:44:49 967 --a------ C:\WINDOWS\ScUnin.pif
2008-05-31 16:44:49 94208 --a------ C:\WINDOWS\ScUnin.exe <Not Verified; Blizzard Entertainment; Starcraft Uninstaller>
2008-05-31 16:44:49 27427 --a------ C:\WINDOWS\scunin.dat
2008-05-03 05:46:00 1630208 --a------ C:\WINDOWS\system32\nwiz.exe
2008-05-03 05:46:00 1019904 --a------ C:\WINDOWS\system32\nvwimg.dll
2008-05-03 05:46:00 1703936 --a------ C:\WINDOWS\system32\nvwdmcpl.dll
2008-05-03 05:46:00 466944 --a------ C:\WINDOWS\system32\nvshell.dll
2008-05-03 05:46:00 1486848 --a------ C:\WINDOWS\system32\nview.dll
2008-05-03 05:46:00 1339392 --a------ C:\WINDOWS\system32\nvdspsch.exe
2008-05-03 05:46:00 442368 --a------ C:\WINDOWS\system32\nvappbar.exe
2008-05-03 05:46:00 425984 --a------ C:\WINDOWS\system32\keystone.exe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D46BEAA4-A304-40B3-A9DA-EC7F7F501F25}]
01-08-2008 23:27 7680 --a------ C:\Program Files\Applications\iebt.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{38BF827A-D7C5-46E1-A9A2-47B1B5BB5438}"= C:\Program Files\Applications\iebr.dll [01-08-2008 18:43 85504]

[-HKEY_CLASSES_ROOT\CLSID\{38BF827A-D7C5-46E1-A9A2-47B1B5BB5438}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [03-05-2008 05:46]
"nwiz"="nwiz.exe" [03-05-2008 05:46 C:\WINDOWS\system32\nwiz.exe]
"RTHDCPL"="RTHDCPL.EXE" [21-03-2007 16:49 C:\WINDOWS\RTHDCPL.exe]
"Alcmtr"="ALCMTR.EXE" [03-05-2005 20:43 C:\WINDOWS\Alcmtr.exe]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [19-07-2008 16:38]
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [03-05-2008 05:46]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [28-03-2008 23:37]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [30-03-2008 10:36]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [04-08-2004 01:15]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04-08-2004 01:03]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"some"=C:\Program Files\Applications\wcs.exe
"start"=C:\Program Files\Applications\iebtm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
C:\Program Files\AlienGUIse\fastload.dll 20-12-2001 23:34 24576 C:\Program Files\AlienGUIse\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=wbsys.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc p2psvc p2pimsvc p2pgasvc PNRPSvc




-- End of Deckard's System Scanner: finished at 2008-08-01 23:30:12 ------------
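The triage an analyst does by eye on the log above can be written down. The following is an added example, not code from the original posts nor from HijackThis, DSS or ComboFix: it parses HijackThis v2 log lines, picks out the high-risk autostart entries (O4 entries under Policies\Explorer\Run, which load at logon exactly like the ordinary Run key but sit where few people look, and O2/O3 entries registered with no display name), and then pivots on the directory: every other file the log places in an implicated directory is pulled in as part of the same installation. SAMPLE_LOG is a constructed excerpt of the log in this post; the only assumption is the HijackThis v2 line format shown there.

```python
"""Triage a HijackThis v2 log by pivoting on directories that host
high-risk autostart entries.

Added example for this thread, not code from the original posts or from
HijackThis/DSS/ComboFix. Heuristics:
  * O4 entries under Policies\\Explorer\\Run (legitimate installers rarely
    use this key, but it runs at logon just like the ordinary Run key);
  * O2 BHOs / O3 toolbars registered as "(no name)";
  * any running process or other O-entry whose file lives in a directory
    already implicated by one of the above.
SAMPLE_LOG is a constructed excerpt of the log posted above.
"""
import ntpath
import re

# Constructed excerpt of the HijackThis log in the first post.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Applications\wcs.exe
C:\Program Files\Applications\iebtm.exe
C:\Program Files\Applications\wcm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Applications\iebtmm.exe

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {D46BEAA4-A304-40B3-A9DA-EC7F7F501F25} - C:\Program Files\Applications\iebt.dll
O3 - Toolbar: Internet Service - {38BF827A-D7C5-46E1-A9A2-47B1B5BB5438} - C:\Program Files\Applications\iebr.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [some] C:\Program Files\Applications\wcs.exe
O4 - HKLM\..\Policies\Explorer\Run: [start] C:\Program Files\Applications\iebtm.exe
"""

# "O4 - <rest>" / "R1 - <rest>" lines
ENTRY_RE = re.compile(r"^([RO]\d+) - (.*)$")
# Drive-letter path up to the first .exe/.dll; paths may contain spaces.
# (A directory whose own name ends in .exe/.dll would cut the match short.)
PATH_RE = re.compile(r'[A-Za-z]:\\[^\n"\[\]]*?\.(?:exe|dll)\b', re.IGNORECASE)

# section -> predicate over the text after "Oxx - " that marks it high-risk
HIGH_RISK = {
    "O4": lambda rest: "policies\\explorer\\run" in rest.lower(),
    "O2": lambda rest: rest.lower().startswith("bho: (no name)"),
    "O3": lambda rest: rest.lower().startswith("toolbar: (no name)"),
}


def parse_hjt(log):
    """Split a HijackThis log into running-process paths and (section, rest) entries."""
    processes, entries, in_procs = [], [], False
    for raw in log.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if not line:          # a blank line ends the process list
                in_procs = False
                continue
            processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return processes, entries


def suspicious_dirs(entries):
    """Directories (lower-cased) hosting a file named by a high-risk entry."""
    dirs = set()
    for section, rest in entries:
        check = HIGH_RISK.get(section)
        if check and check(rest):
            for path in PATH_RE.findall(rest):
                dirs.add(ntpath.dirname(path).lower())
    return dirs


def triage(log):
    """Map each implicated directory to the sorted set of files the log places in it."""
    processes, entries = parse_hjt(log)
    report = {d: set() for d in suspicious_dirs(entries)}
    all_paths = processes + [p for _, rest in entries for p in PATH_RE.findall(rest)]
    for path in all_paths:
        d = ntpath.dirname(path).lower()
        if d in report:
            report[d].add(ntpath.basename(path).lower())
    return {d: sorted(files) for d, files in report.items()}


if __name__ == "__main__":
    for directory, files in triage(SAMPLE_LOG).items():
        print(directory)
        for name in files:
            print("   ", name)
```

Run against the excerpt, the only implicated directory is C:\Program Files\Applications, and the pivot pulls in iebr.dll (whose O3 toolbar does carry a name) and wcm.exe (a running process with no autostart entry of its own in the log), which neither heuristic would have flagged on its own. The DSS registry dump in the same post shows the same two Policies\Explorer\Run values, so the script and the log agree on what to remove.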
08-04-2008, 12:45 AM   #2
Zekko, Registered User
 
Join Date: Aug 2007
Location: Netherlands
Posts: 22
OS: Windows XP Pro SP2


Re: Pesky malware popups

bump.
08-04-2008, 04:43 AM   #3
sjb007, Analyst, Security Team
Join Date: Dec 2007
Location: Lincoln UK
Posts: 2,089
OS: Vista Premium 64x


Re: Pesky malware popups

Hi Zekko

Thank you for your patience. I will be helping you deal with the issues raised in your log from this point onwards.

Before we start jumping into things, here is a quick basic note which I mention to everyone. The fix which I have provided for you is for this computer only; it should not be used on any other computer. Each fix is tailor-made for the specific task in hand. If for some reason you have System Restore disabled, then please re-enable it before proceeding; an infected restore is better than none. Please read through the fix first and set enough time aside to complete the task in one session. If there is anything you feel needs clarification then please ask - do not guess! Thanks.

If this is a computer from a work place then please advise your IT department of the concerning issues before commencing past this point.

Please follow these directions in the order they are set out for you.

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/comb...o-use-combofix


Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  1. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  2. Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.


Please note:
The extra scan from DSS can be found here -> C:\Deckard\System Scanner\extra.txt - please include it as an attachment with your next reply
__________________
Better to die than be a coward - The Gurkha Motto
The Gurkha Justice Campaign


If we have helped you then please consider donating
08-05-2008, 05:55 AM   #4
Zekko, Registered User
 
Join Date: Aug 2007
Location: Netherlands
Posts: 22
OS: Windows XP Pro SP2


Re: Pesky malware popups

The log that ComboFix created is in Dutch, as my PC has the Dutch version of Windows XP installed. I hope that won't be a problem.

ComboFix 08-08-04.01 - Jeroen Delcour 2008-08-05 14:38:48.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1043.18.2898 [GMT 2:00]
Started from: C:\Documents and Settings\Jeroen Delcour\Bureaublad\ComboFix.exe
* A new restore point was created
.

(((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Jeroen Delcour\Mijn documenten\My Documents.url
C:\WINDOWS\Fonts\acrsecB.fon
C:\WINDOWS\Fonts\acrsecI.fon
C:\WINDOWS\smdat32m.sys

.
(((((((((((((((((((( Files Created from 2008-07-05 to 2008-08-05 ))))))))))))))))))))))))))))))
.

2008-08-01 23:24 . 2008-08-01 23:24 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-01 23:12 . 2008-08-01 23:12 <DIR> d-------- C:\Deckard
2008-08-01 22:47 . 2008-08-01 22:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET
2008-08-01 22:29 . 2008-03-30 18:06 <DIR> d--h----- C:\Documents and Settings\Administrator\Sjablonen
2008-08-01 22:29 . 2008-03-30 03:55 <DIR> d--h----- C:\Documents and Settings\Administrator\Onlangs geopend
2008-08-01 22:29 . 2008-03-30 03:55 <DIR> d--h----- C:\Documents and Settings\Administrator\Netwerkprinteromgeving
2008-08-01 22:29 . 2008-03-30 03:55 <DIR> d-------- C:\Documents and Settings\Administrator\Mijn documenten
2008-08-01 22:29 . 2008-03-30 03:55 <DIR> dr------- C:\Documents and Settings\Administrator\Menu Start
2008-08-01 22:29 . 2008-03-30 03:55 <DIR> d-------- C:\Documents and Settings\Administrator\Favorieten
2008-08-01 22:29 . 2008-03-30 03:55 <DIR> d-------- C:\Documents and Settings\Administrator\Bureaublad
2008-08-01 22:29 . 2008-08-01 22:29 <DIR> d-------- C:\Documents and Settings\Administrator
2008-08-01 22:20 . 2008-08-01 22:20 <DIR> d-------- C:\VundoFix Backups
2008-08-01 21:03 . 2008-08-01 23:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-01 20:00 . 2008-08-01 23:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-01 18:43 . 2008-08-05 14:17 <DIR> d-------- C:\Program Files\Applications
2008-07-25 11:55 . 2008-07-25 11:55 <DIR> d-------- C:\Documents and Settings\Jeroen Delcour\Application Data\EVEMon
2008-07-22 02:42 . 2008-07-22 02:42 42,320 --a------ C:\WINDOWS\system32\xfcodec.dll
2008-07-20 13:22 . 2008-07-20 13:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\CCP

.
((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-01 21:16 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-08-01 20:26 --------- d-----w C:\Documents and Settings\Jeroen Delcour\Application Data\uTorrent
2008-08-01 14:51 --------- d-----w C:\Program Files\Xfire
2008-07-25 13:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Codemasters
2008-07-25 13:08 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-24 16:43 --------- d-----w C:\Documents and Settings\Jeroen Delcour\Application Data\Xfire
2008-07-09 12:44 --------- d-----w C:\Documents and Settings\Jeroen Delcour\Application Data\Hamachi
2008-07-08 08:45 136,888 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-07-08 08:45 111,928 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2008-07-07 14:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\TrackMania
2008-07-04 12:38 --------- d-----w C:\Program Files\MSXML 4.0
2008-07-02 06:35 1,838 ----a-w C:\WINDOWS\system32\ealregsnapshot1.reg
2008-06-28 10:29 --------- d-----w C:\Documents and Settings\Jeroen Delcour\Application Data\Ulead Systems
2008-06-28 10:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ulead Systems
2008-06-28 10:24 --------- d-----w C:\Program Files\Windows Media Components
2008-06-28 10:24 --------- d-----w C:\Program Files\Ulead Systems
2008-06-28 10:22 --------- d-----w C:\Program Files\Common Files\Ulead Systems
2008-06-27 12:13 86,016 ----a-w C:\WINDOWS\system32\OpenAL32.dll
2008-06-24 12:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ubisoft
2008-06-23 19:57 2,829 ----a-w C:\WINDOWS\War3Unin.pif
2008-06-23 19:57 139,264 ----a-w C:\WINDOWS\War3Unin.exe
2008-06-22 15:07 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-06-18 13:55 --------- d-----w C:\Documents and Settings\Jeroen Delcour\Application Data\SPORE Creature Creator
2008-06-18 12:29 --------- d-----w C:\Program Files\MSN Messenger
2008-06-18 12:28 --------- d-----w C:\Program Files\Windows Live
2008-06-11 21:15 --------- d-----w C:\Program Files\Common Files\BioWare
2008-05-31 14:44 94,208 ----a-w C:\WINDOWS\ScUnin.exe
2008-05-24 12:26 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-05-24 12:05 444,952 ----a-w C:\WINDOWS\system32\wrap_oal.dll
2008-04-04 13:41 22,328 ----a-w C:\Documents and Settings\Jeroen Delcour\Application Data\PnkBstrK.sys
2006-06-23 22:48 32,768 ----a-r C:\WINDOWS\inf\UpdateUSB.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D46BEAA4-A304-40B3-A9DA-EC7F7F501F25}]
2008-08-05 14:10 7680 --------- C:\Program Files\Applications\iebt.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 01:15 1667584]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:03 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-03 05:46 13529088]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-07-19 16:38 78008]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-05-03 05:46 86016]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"nwiz"="nwiz.exe" [2008-05-03 05:46 1630208 C:\WINDOWS\system32\nwiz.exe]
"RTHDCPL"="RTHDCPL.EXE" [2007-03-21 16:49 16126464 C:\WINDOWS\RTHDCPL.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"some"="C:\Program Files\Applications\wcs.exe" [2008-08-01 18:43 15360]
"start"="C:\Program Files\Applications\iebtm.exe" [2008-08-01 18:43 17920]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
2001-12-20 23:34 24576 C:\Program Files\AlienGUIse\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
"C:\\WINDOWS\\system32\\PnkBstrB.exe"=
"E:\\eMule\\emule.exe"=
"E:\\Steam\\steamapps\\snuf7\\team fortress 2\\hl2.exe"=
"C:\\Program Files\\Xfire\\xfire.exe"=
"E:\\Steam\\steamapps\\common\\company of heroes\\RelicCOH.exe"=
"E:\\Activision\\Call of Duty 2\\CoD2MP_s.exe"=
"E:\\Steam\\steamapps\\snuf7\\counter-strike source\\hl2.exe"=
"E:\\THQ\\Gas Powered Games\\Supreme Commander\\bin\\SupremeCommander.exe"=
"E:\\THQ\\Gas Powered Games\\Supreme Commander - Forged Alliance\\bin\\ForgedAlliance.exe"=
"E:\\THQ\\Gas Powered Games\\GPGNet\\GPG.Multiplayer.Client.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"E:\\Aspyr\\Guitar Hero III\\GH3.exe"=
"E:\\Steam\\steamapps\\common\\trackmania nations forever\\TmForever.exe"=
"E:\\Steam\\steamapps\\snuf7\\half-life 2 deathmatch\\hl2.exe"=
"E:\\UT2004\\System\\UT2004.exe"=
"E:\\THQ\\Dawn of War\\W40k.exe"=
"E:\\Steam\\steamapps\\snuf7\\source sdk base\\hl2.exe"=
"E:\\Mass Effect\\Binaries\\MassEffect.exe"=
"E:\\Mass Effect\\MassEffectLauncher.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"E:\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:PNRP (Peer Name Resolution Protocol)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 16:35]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 16:37]
R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Controller;C:\WINDOWS\system32\DRIVERS\atl01_xp.sys [2007-03-15 14:12]
S3 p2pgasvc;Peer Networking Group Authentication;C:\WINDOWS\system32\svchost.exe [2004-08-04 01:03]
S3 p2pimsvc;Peer Networking Identity Manager;C:\WINDOWS\system32\svchost.exe [2004-08-04 01:03]
S3 p2psvc;Peer Networking;C:\WINDOWS\system32\svchost.exe [2004-08-04 01:03]
S3 PNRPSvc;Peer Name Resolution Protocol;C:\WINDOWS\system32\svchost.exe [2004-08-04 01:03]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder

2008-06-21 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Jeroen Delcour\Application Data\Mozilla\Firefox\Profiles\caxh4v3z.default\
FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-05 14:39:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-05 14:39:58
ComboFix-quarantined-files.txt 2008-08-05 12:39:53

Pre-Run: 23,356,915,712 bytes free
Post-Run: 23,483,535,360 bytes free




Deckard's System Scanner v20071014.68
Run by Jeroen Delcour on 2008-08-05 14:52:25
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Jeroen Delcour.exe) --------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:52:29, on 5-8-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Applications\wcs.exe
C:\Program Files\Applications\iebtm.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Applications\wcm.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Applications\iebtmm.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Jeroen Delcour\Bureaublad\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\JEROEN~1.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {D46BEAA4-A304-40B3-A9DA-EC7F7F501F25} - C:\Program Files\Applications\iebt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [some] C:\Program Files\Applications\wcs.exe
O4 - HKLM\..\Policies\Explorer\Run: [start] C:\Program Files\Applications\iebtm.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.iexplorerclue.com/redirect.php (file missing)
O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.iexplorerclue.com/redirect.php (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod-service (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 5062 bytes

-- Files created between 2008-07-05 and 2008-08-05 -----------------------------

2008-08-05 14:38:26 68096 --a------ C:\WINDOWS\zip.exe
2008-08-05 14:38:26 49152 --a------ C:\WINDOWS\VFind.exe
2008-08-05 14:38:26 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-08-05 14:38:26 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-08-05 14:38:26 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-08-05 14:38:26 98816 --a------ C:\WINDOWS\sed.exe
2008-08-05 14:38:26 80412 --a------ C:\WINDOWS\grep.exe
2008-08-05 14:38:26 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-08-05 14:33:53 0 dr-hs---- C:\cmdcons
2008-08-05 14:33:52 0 d-------- C:\WINDOWS\setup.pss
2008-08-05 14:33:35 0 d-------- C:\WINDOWS\setupupd
2008-08-01 23:24:36 0 d-------- C:\Program Files\Trend Micro
2008-08-01 22:47:02 0 d-------- C:\Documents and Settings\All Users\Application Data\ESET
2008-08-01 22:29:35 0 d--h----- C:\Documents and Settings\Administrator\Sjablonen
2008-08-01 22:29:35 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-08-01 22:29:35 0 d--h----- C:\Documents and Settings\Administrator\Onlangs geopend
2008-08-01 22:29:35 524288 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-08-01 22:29:35 0 d--h----- C:\Documents and Settings\Administrator\Netwerkprinteromgeving
2008-08-01 22:29:35 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-08-01 22:29:35 0 d-------- C:\Documents and Settings\Administrator\Mijn documenten
2008-08-01 22:29:35 0 dr------- C:\Documents and Settings\Administrator\Menu Start
2008-08-01 22:29:35 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-08-01 22:29:35 0 d-------- C:\Documents and Settings\Administrator\Favorieten
2008-08-01 22:29:35 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2008-08-01 22:29:35 0 d-------- C:\Documents and Settings\Administrator\Bureaublad
2008-08-01 22:29:35 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-08-01 22:29:35 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-08-01 22:29:26 0 d--hs---- C:\WINDOWS\CSC
2008-08-01 22:20:26 0 d-------- C:\VundoFix Backups
2008-08-01 21:03:01 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-01 20:00:19 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-01 18:43:44 0 d-------- C:\Program Files\Applications
2008-07-25 11:55:01 0 d-------- C:\Documents and Settings\Jeroen Delcour\Application Data\EVEMon
2008-07-20 13:22:51 0 d-------- C:\Documents and Settings\All Users\Application Data\CCP


-- Find3M Report ---------------------------------------------------------------

2008-08-05 14:39:14 0 d-------- C:\Program Files\Common Files
2008-08-01 23:16:05 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-01 22:26:08 0 d-------- C:\Documents and Settings\Jeroen Delcour\Application Data\uTorrent
2008-08-01 16:51:09 0 d-------- C:\Program Files\Xfire
2008-07-25 15:08:35 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-07-24 18:43:41 0 d-------- C:\Documents and Settings\Jeroen Delcour\Application Data\Xfire
2008-07-09 14:44:45 0 d-------- C:\Documents and Settings\Jeroen Delcour\Application Data\Hamachi
2008-07-04 14:38:53 0 d-------- C:\Program Files\MSXML 4.0
2008-07-02 08:35:34 1838 --a------ C:\WINDOWS\system32\ealregsnapshot1.reg
2008-06-28 12:29:48 0 d-------- C:\Documents and Settings\Jeroen Delcour\Application Data\Ulead Systems
2008-06-28 12:24:34 0 d-------- C:\Program Files\Windows Media Components
2008-06-28 12:24:22 0 d-------- C:\Program Files\Ulead Systems
2008-06-28 12:22:37 0 d-------- C:\Program Files\Common Files\Ulead Systems
2008-06-27 14:13:04 86016 --a------ C:\WINDOWS\system32\OpenAL32.dll <Not Verified; Portions (C) Creative Labs Inc. and NVIDIA Corp.; Standard OpenAL(TM) Library>
2008-06-23 22:08:49 60812 --a------ C:\WINDOWS\War3Unin.dat
2008-06-23 21:57:09 2829 --a------ C:\WINDOWS\War3Unin.pif
2008-06-23 21:57:09 139264 --a------ C:\WINDOWS\War3Unin.exe <Not Verified; Blizzard Entertainment; Warcraft III Uninstaller>
2008-06-22 17:07:38 0 d-------- C:\Program Files\Common Files\InstallShield
2008-06-18 15:55:52 0 d-------- C:\Documents and Settings\Jeroen Delcour\Application Data\SPORE Creature Creator
2008-06-18 14:29:39 0 d-------- C:\Program Files\MSN Messenger
2008-06-18 14:28:47 0 d-------- C:\Program Files\Windows Live
2008-06-18 12:43:36 0 d-------- C:\Documents and Settings\Jeroen Delcour\Application Data\Mozilla
2008-06-14 22:33:22 681 --a------ C:\WINDOWS\mozver.dat
2008-06-11 23:15:13 0 d-------- C:\Program Files\Common Files\BioWare
2008-06-10 21:49:03 455928 --a------ C:\WINDOWS\system32\perfh013.dat
2008-06-10 21:49:03 76816 --a------ C:\WINDOWS\system32\perfc013.dat
2008-05-31 16:44:49 967 --a------ C:\WINDOWS\ScUnin.pif
2008-05-31 16:44:49 94208 --a------ C:\WINDOWS\ScUnin.exe <Not Verified; Blizzard Entertainment; Starcraft Uninstaller>
2008-05-31 16:44:49 27427 --a------ C:\WINDOWS\scunin.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D46BEAA4-A304-40B3-A9DA-EC7F7F501F25}]
05-08-2008 14:10 7680 --------- C:\Program Files\Applications\iebt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [03-05-2008 05:46]
"nwiz"="nwiz.exe" [03-05-2008 05:46 C:\WINDOWS\system32\nwiz.exe]
"RTHDCPL"="RTHDCPL.EXE" [21-03-2007 16:49 C:\WINDOWS\RTHDCPL.exe]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [19-07-2008 16:38]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [03-05-2008 05:46]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [28-03-2008 23:37]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [30-03-2008 10:36]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [04-08-2004 01:15]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04-08-2004 01:03]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"some"=C:\Program Files\Applications\wcs.exe
"start"=C:\Program Files\Applications\iebtm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
C:\Program Files\AlienGUIse\fastload.dll 20-12-2001 23:34 24576 C:\Program Files\AlienGUIse\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=wbsys.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc p2psvc p2pimsvc p2pgasvc PNRPSvc

*Newly Created Service* - CATCHME



-- End of Deckard's System Scanner: finished at 2008-08-05 14:52:41 ------------
Attached Files
File Type: txt extra.txt (18.8 KB, 1 views)
Old 08-05-2008, 10:21 AM   #5 (permalink)
Analyst, Security Team
 
 
Join Date: Dec 2007
Location: Lincoln UK
Posts: 2,089
OS: Vista Premium 64x


Re: Pesky malware popups

Hi there

Go to start menu - Select Run and in the command box type in notepad
Next - copy/paste the text in the code box below into it:

Quote:
File::
C:\Program Files\Applications\wcs.exe
C:\Program Files\Applications\iebtm.exe

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"some"=-
"start"=-
- Save this to your desktop as CFScript.txt
- Drag the CFScript.txt over onto Combofix.exe and release.



Combofix will then execute the script and produce a fresh log

Next.....

Download and scan with CCleaner lite
1. Double-click the file and install CCleaner.

2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

3. Then select the items you wish to clean up.

In the Windows Tab:
  • Clean all entries in the "Internet Explorer" section.
  • Clean all the entries in the "Windows Explorer" section.
  • Clean all entries in the "System" section.
  • Clean all entries in the "Advanced" section.
  • Clean any others that you choose.
In the Applications Tab:
  • Clean all in the Firefox/Mozilla section if you use it.
  • Clean all in the Opera section if you use it.
  • Clean Sun Java in the Internet Section.
  • Clean any others that you choose.
4. Click the "Run Cleaner" button.
5. A pop up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "exit" when done.

Once done.....

Please download Malwarebytes Anti-Malware (MBAM) and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application. (If using Windows Vista, be sure to "Run As Administrator")
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • The next screen will ask you to select the drives to scan. Leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Please reboot your computer and generate a fresh DSS log; please post this along with the MBAM results in your next reply.
__________________
Better to die than be a coward - The Gurkha Motto
The Gurkha Justice Campaign


If we have helped you then please consider donating
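The two O4 entries under Policies\Explorer\Run and the unnamed O2 BHO in the DSS log above are exactly what the CFScript in this post removes. As an added example (not code from the thread, from ComboFix or from HijackThis), the Python below triages HijackThis O2/O4 lines with heuristics of my own and drafts the File::/Registry:: sections in the layout the post shows; the sample lines are copied from the log above, and the expansion of HijackThis's `\..\` shorthand to the full CurrentVersion key is taken from the DSS registry dump.

```python
"""Triage HijackThis O2/O4 lines and draft a File::/Registry:: removal script.

Added example, not from the thread. The heuristics are the reviewer's own;
the script layout follows the helper's CFScript post in this thread.
"""
import re

# Constructed sample: O2/O4 lines copied from the DSS/HijackThis log in this thread.
SAMPLE_HJT = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {D46BEAA4-A304-40B3-A9DA-EC7F7F501F25} - C:\Program Files\Applications\iebt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [some] C:\Program Files\Applications\wcs.exe
O4 - HKLM\..\Policies\Explorer\Run: [start] C:\Program Files\Applications\iebtm.exe
""".strip()

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>.+?): \[(?P<value>[^\]]*)\] (?P<cmd>.*)$")

# HijackThis abbreviates the key: "\..\" stands for Software\Microsoft\Windows\CurrentVersion
# (the DSS registry dump in the thread shows the full key for the same two values).
HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}
RUN_PREFIX = r"software\microsoft\windows\currentversion"


def triage(hjt_text):
    """Return a list of (line, reason) for entries that deserve a second look."""
    findings = []
    for line in hjt_text.splitlines():
        m = O2_RE.match(line)
        if m:
            if m["name"] == "(no name)":
                # Legitimate BHOs almost always carry a display name. An unnamed BHO that
                # points at a file is suspect; one marked "(no file)" is an orphan registration.
                why = "orphan BHO registration" if m["path"] == "(no file)" else "unnamed BHO"
                findings.append((line, why))
            continue
        m = O4_RE.match(line)
        if m and "policies\\explorer\\run" in m["key"].lower():
            # Policies\Explorer\Run starts programs at logon like the ordinary Run key,
            # but ordinary installers rarely use it, so anything here gets scrutiny.
            findings.append((line, "autorun via Policies\\Explorer\\Run"))
    return findings


def first_path(cmd):
    """Pull the executable path out of an O4 command line (quoted or unquoted)."""
    if cmd.startswith('"'):
        return cmd.split('"')[1]
    # Unquoted: the path runs up to the first argument separator after the extension.
    m = re.match(r"(?i)(.+?\.(?:exe|dll|com|bat|scr))(?:\s|,|$)", cmd)
    return m.group(1) if m else cmd


def draft_cfscript(findings):
    """Render File:: and Registry:: sections in the layout used in the helper's post."""
    files, keys = [], {}
    for line, _ in findings:
        m = O4_RE.match(line)
        if not m:
            continue  # only O4 autoruns are drafted here; BHO CLSIDs need separate handling
        files.append(first_path(m["cmd"]))
        full_key = f"[{HIVES[m['hive']]}\\{RUN_PREFIX}\\{m['key'].lower()}]"
        keys.setdefault(full_key, []).append(f'"{m["value"]}"=-')  # "=-" deletes the value
    out = ["File::", *files, "", "Registry::"]
    for key, values in keys.items():
        out.append(key)
        out.extend(values)
    return "\n".join(out)


if __name__ == "__main__":
    found = triage(SAMPLE_HJT)
    for line, why in found:
        print(f"[{why}] {line}")
    print()
    print(draft_cfscript(found))
```

The heuristics only surface candidates; the drafted script is a starting point for the analyst to review against the rest of the log, not something to run unread.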
Old 08-05-2008, 12:10 PM   #6 (permalink)
Registered User
 
Join Date: Aug 2007
Location: Netherlands
Posts: 22
OS: Windows XP Pro SP2


Re: Pesky malware popups

Thank you. The popups seem to be stopped, though my taskbar still freezes up for about half a minute at startup. The logs you asked for:

Deckard's System Scanner v20071014.68
Run by Jeroen Delcour on 2008-08-05 21:07:57
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Jeroen Delcour.exe) --------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:08:00, on 5-8-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\AlienGUIse\wbload.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Jeroen Delcour\Bureaublad\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\JEROEN~1.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod-service (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 4462 bytes

-- Files created between 2008-07-05 and 2008-08-05 -----------------------------

2008-08-05 20:54:56 0 d-------- C:\Documents and Settings\Jeroen Delcour\Application Data\Malwarebytes
2008-08-05 20:54:54 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-05 20:54:54 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-05 20:51:52 0 dr-h----- C:\Documents and Settings\Jeroen Delcour\Onlangs geopend
2008-08-05 20:50:11 0 d-------- C:\Program Files\CCleaner
2008-08-05 14:38:26 68096 --a------ C:\WINDOWS\zip.exe
2008-08-05 14:38:26 49152 --a------ C:\WINDOWS\VFind.exe
2008-08-05 14:38:26 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-08-05 14:38:26 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-08-05 14:38:26 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-08-05 14:38:26 98816 --a------ C:\WINDOWS\sed.exe
2008-08-05 14:38:26 80412 --a------ C:\WINDOWS\grep.exe
2008-08-05 14:38:26 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-08-05 14:33:53 0 dr-hs---- C:\cmdcons
2008-08-05 14:33:52 0 d-------- C:\WINDOWS\setup.pss
2008-08-05 14:33:35 0 d-------- C:\WINDOWS\setupupd
2008-08-01 23:24:36 0 d-------- C:\Program Files\Trend Micro
2008-08-01 22:47:02 0 d-------- C:\Documents and Settings\All Users\Application Data\ESET
2008-08-01 22:29:35 0 d--h----- C:\Documents and Settings\Administrator\Sjablonen
2008-08-01 22:29:35 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-08-01 22:29:35 0 d--h----- C:\Documents and Settings\Administrator\Onlangs geopend
2008-08-01 22:29:35 524288 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-08-01 22:29:35 0 d--h----- C:\Documents and Settings\Administrator\Netwerkprinteromgeving
2008-08-01 22:29:35 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-08-01 22:29:35 0 d-------- C:\Documents and Settings\Administrator\Mijn documenten
2008-08-01 22:29:35 0 dr------- C:\Documents and Settings\Administrator\Menu Start
2008-08-01 22:29:35 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-08-01 22:29:35 0 d-------- C:\Documents and Settings\Administrator\Favorieten
2008-08-01 22:29:35 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2008-08-01 22:29:35 0 d-------- C:\Documents and Settings\Administrator\Bureaublad
2008-08-01 22:29:35 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-08-01 22:29:35 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-08-01 22:29:26 0 d--hs---- C:\WINDOWS\CSC
2008-08-01 22:20:26 0 d-------- C:\VundoFix Backups
2008-08-01 21:03:01 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-01 20:00:19 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-01 18:43:44 0 d-------- C:\Program Files\Applications
2008-07-25 11:55:01 0 d-------- C:\Documents and Settings\Jeroen Delcour\Application Data\EVEMon
2008-07-20 13:22:51 0 d-------- C:\Documents and Settings\All Users\Application Data\CCP


-- Find3M Report ---------------------------------------------------------------

2008-08-05 20:45:58 0 d-------- C:\Program Files\Common Files
2008-08-01 23:16:05 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-01 22:26:08 0 d-------- C:\Documents and Settings\Jeroen Delcour\Application Data\uTorrent
2008-08-01 16:51:09 0 d-------- C:\Program Files\Xfire
2008-07-25 15:08:35 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-07-24 18:43:41 0 d-------- C:\Documents and Settings\Jeroen Delcour\Application Data\Xfire
2008-07-09 14:44:45 0 d-------- C:\Documents and Settings\Jeroen Delcour\Application Data\Hamachi
2008-07-04 14:38:53 0 d-------- C:\Program Files\MSXML 4.0
2008-07-02 08:35:34 1838 --a------ C:\WINDOWS\system32\ealregsnapshot1.reg
2008-06-28 12:29:48 0 d-------- C:\Documents and Settings\Jeroen Delcour\Application Data\Ulead Systems
2008-06-28 12:24:34 0 d-------- C:\Program Files\Windows Media Components
2008-06-28 12:24:22 0 d-------- C:\Program Files\Ulead Systems
2008-06-28 12:22:37 0 d-------- C:\Program Files\Common Files\Ulead Systems
2008-06-27 14:13:04 86016 --a------ C:\WINDOWS\system32\OpenAL32.dll <Not Verified; Portions (C) Creative Labs Inc. and NVIDIA Corp.; Standard OpenAL(TM) Library>
2008-06-23 22:08:49 60812 --a------ C:\WINDOWS\War3Unin.dat
2008-06-23 21:57:09 2829 --a------ C:\WINDOWS\War3Unin.pif
2008-06-23 21:57:09 139264 --a------ C:\WINDOWS\War3Unin.exe <Not Verified; Blizzard Entertainment; Warcraft III Uninstaller>
2008-06-22 17:07:38 0 d-------- C:\Program Files\Common Files\InstallShield
2008-06-18 15:55:52 0 d-------- C:\Documents and Settings\Jeroen Delcour\Application Data\SPORE Creature Creator
2008-06-18 14:29:39 0 d-------- C:\Program Files\MSN Messenger
2008-06-18 14:28:47 0 d-------- C:\Program Files\Windows Live
2008-06-18 12:43:36 0 d-------- C:\Documents and Settings\Jeroen Delcour\Application Data\Mozilla
2008-06-14 22:33:22 681 --a------ C:\WINDOWS\mozver.dat
2008-06-11 23:15:13 0 d-------- C:\Program Files\Common Files\BioWare
2008-06-10 21:49:03 455928 --a------ C:\WINDOWS\system32\perfh013.dat
2008-06-10 21:49:03 76816 --a------ C:\WINDOWS\system32\perfc013.dat
2008-05-31 16:44:49 967 --a------ C:\WINDOWS\ScUnin.pif
2008-05-31 16:44:49 94208 --a------ C:\WINDOWS\ScUnin.exe <Not Verified; Blizzard Entertainment; Starcraft Uninstaller>
2008-05-31 16:44:49 27427 --a------ C:\WINDOWS\scunin.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [03-05-2008 05:46]
"nwiz"="nwiz.exe" [03-05-2008 05:46 C:\WINDOWS\system32\nwiz.exe]
"RTHDCPL"="RTHDCPL.EXE" [21-03-2007 16:49 C:\WINDOWS\RTHDCPL.exe]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [19-07-2008 16:38]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [03-05-2008 05:46]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [28-03-2008 23:37]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [30-03-2008 10:36]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [04-08-2004 01:15]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04-08-2004 01:03]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
C:\Program Files\AlienGUIse\fastload.dll 20-12-2001 23:34 24576 C:\Program Files\AlienGUIse\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=wbsys.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc p2psvc p2pimsvc p2pgasvc PNRPSvc




-- End of Deckard's System Scanner: finished at 2008-08-05 21:08:13 ------------




Malwarebytes' Anti-Malware 1.24
Database version: 1027
Windows 5.1.2600 Service Pack 2

20:58:08 5-8-2008
mbam-log-8-5-2008 (20-58-08).txt

Scan type: Quick Scan
Objects scanned: 40372
Time elapsed: 1 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 15

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{c96395b8-ab09-46a4-b539-7ddf6e061808} (Trojan.Zlob) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\Applications\iebtm.exe (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Program Files\Applications\iebtmm.exe (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Program Files\Applications\iebtu.exe (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Program Files\Applications\iebu.exe (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Program Files\Applications\myd.ico (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Program Files\Applications\mym.ico (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Program Files\Applications\myp.ico (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Program Files\Applications\myv.ico (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Program Files\Applications\ot.ico (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Program Files\Applications\ts.ico (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Program Files\Applications\wcm.exe (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Program Files\Applications\wcs.exe (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Program Files\Applications\wcu.exe (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Menu Start\Antivirus Scan.url (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Menu Start\Online Spyware Test.url (Trojan.Zlob) -> Quarantined and deleted successfully.
Old 08-05-2008, 10:14 PM   #7 (permalink)
Analyst, Security Team
 
 
Join Date: Dec 2007
Location: Lincoln UK
Posts: 2,089
OS: Vista Premium 64x


Re: Pesky malware popups

Hi Zekko

Things are starting to look better. Next I want you to run an online scan with Kaspersky.

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner.

Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

This animation will guide you through the process:


**Note**

To optimize scanning time and produce a more sensible report for review:
Close any open programs
Turn off the real time scanner of any existing antivirus program while performing the online scan. You may disconnect from the internet once you begin the scan.

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

Please post the resulting log back in your next reply, update me on how things are running now.
Old 08-06-2008, 03:25 AM   #8 (permalink)
Registered User
 
Join Date: Aug 2007
Location: Netherlands
Posts: 22
OS: Windows XP Pro SP2


Re: Pesky malware popups

Here's the log. The only thing it found is a supposed backdoor virus in a keygen, but if I recall correctly keygens are often mistaken for backdoor viruses. Still, it didn't detect any other backdoors in other keygens.

My taskbar still locks up at startup.


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Wednesday, August 6, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Wednesday, August 06, 2008 08:17:51
Records in database: 1059935
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan statistics:
Files scanned: 79007
Threat name: 1
Infected objects: 1
Suspicious objects: 0
Duration of the scan: 02:14:09


File name / Threat name / Threats count
E:\torrents\Warcraft III Reign of Chaos, The Frozen Throne + Update Patch War3TFT_121b_English +CD Key\CDKey\Warcraft III Reign Of Chaos Keygen.exe Infected: Backdoor.Win32.Hupigon.bmoq 1

The selected area was scanned.
Zekko is offline  
Old 08-08-2008, 01:30 AM   #9 (permalink)
Analyst, Security Team
Join Date: Dec 2007
Location: Lincoln UK
Posts: 2,089
OS: Vista Premium 64x


Re: Pesky malware popups

Hi Zekko

Sorry for any delays, I had unexpected business which took me out of town for a couple of days.

Cracked (Illegal) Software & Keygens

This is the main reason your computer is infected. Visiting cracksites/warezsites - and other questionable/illegal sites is always a risk.

Even a single click on the site can drop multiple forms of very serious malware, many of which disable your onboard protection, and System Restore.

If you install the cracked software, you are running executable files from these dubious, unknown sources. You are in effect giving these sources access to information on your hard disk, and potential control over the operation of your computer.

Additionally, cracked programs are illegal. Before posting for help, uninstall any such applications.

Referring to the Forum Rules, which you should have read at the time of registering at this forum, TSF does not support illegal activity. As such, be advised that any request for assistance in removing malware may go unanswered, or may be discontinued, if the cracked (illegal) software is still present on the machine.

In accordance with the rules I have every right to stop help from this point, but I do believe in education about the effects that P2P/cracks/keygens have in supporting the role of malware; these outlets are the main cause of the malware that we see every day in logs. The other keygens that you have, even though you say they do not appear as trojans themselves, will come from sites that support and promote malware which, unknowingly to you, can provide backdoors to your machine and install other malicious items.

I would advise that you delete the file reported by Kaspersky by navigating to the following file and deleting it:
E:\torrents\Warcraft III Reign of Chaos, The Frozen Throne + Update Patch War3TFT_121b_English +CD Key\CDKey\Warcraft III Reign Of Chaos Keygen.exe

From looking through your recent logs I do not see any more evidence of malware on your computer; I feel that the problem relating to your taskbar is either a computer-related issue or a side effect of the infection. If you have a genuine Windows disc then you can try running the sfc /scannow command from a Windows command prompt and see if that helps resolve the issue.

You should update your version of the Sun Java Platform (JRE) to the latest version:

Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older Java components and update.
  • Download the latest version of Java Runtime Environment (JRE) 6 and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 7. The Java SE Runtime Environment (JRE) allows end-users to run Java applications."
  • Click the "Download" button to the right.
  • Select the Windows platform from the dropdown menu.
  • Read the License Agreement and then check the box that says: "Accept License Agreement". Click on Continue. The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u7-windows-i586-p.exe to install the newest version.
  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - leave BOTH checked:
      • Applications and Applets
      • Trace and Log Files
    • Click OK on Delete Temporary Files Window
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
    • Click OK to leave the Temporary Files Window
    • Click OK to leave the Java Control Panel.

Please go to the Start menu, select Run and type in the following exactly as you see it:
ComboFix /u (note the space between ComboFix and /u)
This will uninstall ComboFix and its related files.

Now that you appear to be free from malware, let's help you stay that way!

Update Windows on a regular basis - If you do not have automatic updates enabled then

Visit Microsoft's Update Page and update your computer from there.
Update your virus checker on a regular basis - It is no use having a virus checker with out-of-date definitions.
Keep an eye on your firewall. Check what it wants to allow; do not simply allow everything. If there are any processes that you are unsure of then don't be afraid to ask for advice. For more information on firewalls read this article here.

Make your Internet Explorer more secure - This can be done by following these simple instructions:

Open Internet Explorer, click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.

Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.

Next press the Apply button and then the OK to exit the Internet Properties page.

Safer Browsing
Use software such as Trendprotect or Sitehound to help you stay away from unsuspecting sites that have malicious purposes.
Use SpywareBlaster to help prevent the installation of unwanted BHOs (Browser Helper Objects).

Use an alternative browser
Other browsers tend to be more secure than IE as they do not make use of ActiveX objects; ActiveX objects can be used by spyware as an infection point on your computer. Safer non-ActiveX browsers include the Opera browser and, more recently, the Firefox browser.

Computer Maintenance
Malware can breed in temporary locations. Use a program such as CCleaner Slim to clear out the temporary files on your computer on a regular basis.

Scan your computer regularly for malware
Scan on a regular basis to keep your computer clean; free software such as Spybot's Search & Destroy and Ad-Aware 2007 Free by Lavasoft can help you keep clear. These products are scan-on-demand and do not have active background scanning. These two products can be installed together without any complications.

Other alternative software that runs under licence and monitors your computer continuously in the background for malware is Malwarebytes Anti-Malware (MBAM) - please note that this product can also be run free without a licence, but the background protection will not be active.

I have included some security-related articles that I advise you to read through in your own time. These articles will give you tips and advice on preventing malware, and on how to stay safe whilst browsing the internet.

-> So How Did I Get Infected In First Place - By TonyKlein
-> How to prevent Malware - By miekiemoes
-> I'm not pulling your leg, honest - By Sandi Hardmeier

Please acknowledge this post one more time so I can class this issue as resolved.
Good luck and happy surfing.
__________________
Better to die than be a coward - The Gurkha Motto
The Gurkha Justice Campaign


If we have helped you then please consider donating
sjb007 is offline  
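As an added example (not part of sjb007's post or anything from the forum), the Internet-zone settings listed above can also be audited from the registry with PowerShell. It assumes the current user's hive at the path shown; the numeric value names are Microsoft's documented IE security-zone registry entries, where 0 = Enable, 1 = Prompt and 3 = Disable.

```powershell
# Added example: audit the IE Internet zone (Zones\3) for the current user
# against the ActiveX/IFRAME settings recommended in the post above.
# Value names follow Microsoft's documented IE zone registry layout;
# for these settings 0 = Enable, 1 = Prompt, 3 = Disable.
$ZonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Recommended settings from the post, keyed by registry value name.
$Recommended = [ordered]@{
    '1001' = @{ Label = 'Download signed ActiveX controls';                          Want = 1 }
    '1004' = @{ Label = 'Download unsigned ActiveX controls';                        Want = 3 }
    '1201' = @{ Label = 'Initialize and script ActiveX controls not marked as safe'; Want = 3 }
    '1800' = @{ Label = 'Installation of desktop items';                             Want = 1 }
    '1802' = @{ Label = 'Launching programs and files in an IFRAME';                 Want = 1 }
    '1607' = @{ Label = 'Navigate sub-frames across different domains';              Want = 1 }
}
$Meaning = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Test-IeInternetZone {
    param([switch]$Fix)   # with -Fix, any non-compliant value is rewritten
    $zone = Get-ItemProperty -Path $ZonePath -ErrorAction Stop
    foreach ($id in $Recommended.Keys) {
        $want    = $Recommended[$id].Want
        $current = $zone.$id   # $null when the value is absent and IE's built-in default applies
        $state   = if ($null -eq $current) { 'not set' }
                   elseif ($Meaning.ContainsKey([int]$current)) { $Meaning[[int]$current] }
                   else { '0x{0:X}' -f $current }
        $ok = ($null -ne $current) -and ([int]$current -eq $want)
        if (-not $ok -and $Fix) {
            Set-ItemProperty -Path $ZonePath -Name $id -Value $want -Type DWord
        }
        [pscustomobject]@{
            Value       = $id
            Setting     = $Recommended[$id].Label
            Current     = $state
            Recommended = $Meaning[$want]
            Compliant   = $ok
            Fixed       = (-not $ok) -and [bool]$Fix
        }
    }
}

# Report only; run "Test-IeInternetZone -Fix" to apply the recommended values.
Test-IeInternetZone | Format-Table -AutoSize
```

A value reported as "not set" means the zone still uses IE's built-in default for that setting, which is why the post has you set each one explicitly through Custom Level.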
Copyright 2001 - 2009, Tech Support Forum