Old 03-13-2009, 08:43 AM   #1 (permalink)
Registered User
 
Join Date: Mar 2009
Posts: 7
OS: windows xp pro 2002 sp2


Problems with a.bat zapchast.reg trojan

Hi,
Every time I start the computer, McAfee finds the ZapChast.reg trojan. McAfee deletes it every time, but when I start the computer again, it is there again.
The computer with ZapChast.reg isn't able to see the other computers in the network, but the internet works. I find this very strange. I have a feeling both problems are related, but I'm not sure.

We have a home network with a router: two Windows XP desktops and one laptop.

I did all the steps that are mentioned in your "first steps". Here is the content of DDS.txt:
DDS (Ver_09-02-01.01) - NTFSx86
Run by maud at 9:11:39,64 on vr 13-03-2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.2.1252.31.1043.18.1022.435 [GMT 1:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Borland\InterBase\bin\ibguard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
C:\Program Files\Borland\InterBase\bin\ibserver.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\nod6441.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Program Files\Nike+ Utility\Nike+ Utility.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\maud.KEES\Local Settings\Temporary Internet Files\Content.IE5\BMLV9H3A\dds[1].scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.thepolice.com/
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Help bij koppelingen: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {38D3FE60-3D53-4F37-BB0E-C7A97A26A156} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Google Gears Helper: {e0fefe40-fbf9-42ae-ba58-794ca7e3fb53} - c:\program files\google\google gears\internet explorer\0.5.4.2\gears.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [H/PC Connection Agent] "c:\progra~1\micros~4\wcescomm.exe"
uRun: [Uniblue RegistryBooster 2009] c:\program files\uniblue\registrybooster\RegistryBooster.exe /S
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [<NO NAME>]
mRun: [High Definition Audio Property Page Shortcut] HDAShCut.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [TrueImageMonitor.exe] c:\program files\acronis\trueimagehome\TrueImageMonitor.exe
mRun: [AcronisTimounterMonitor] c:\program files\acronis\trueimagehome\TimounterMonitor.exe
mRun: [Acronis Scheduler2 Service] "c:\program files\common files\acronis\schedule2\schedhlp.exe"
mRun: [REGSHAVE] c:\program files\regshave\REGSHAVE.EXE /AUTORUN
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [ctfmon] nod6441.exe
mRunServices: [ctfmon] nod6441.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\menust~1\progra~1\opstar~1\nike_u~1.lnk - c:\program files\nike+ utility\Nike+ Utility.exe
IE: E&xporteren naar Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - c:\program files\google\google gears\internet explorer\0.5.4.2\gears.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~4\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~4\INetRepl.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
Trusted Zone: thepolice.com\www
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {38AB0814-B09B-4378-9940-14A19638C3C2} - hxxp://www.auctiva.com/Aurigma/ImageUploader55.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1196268370562
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} - hxxp://www.auctiva.com/hostedimages/activex/xupload/XUpload.ocx
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Eudora's Shell Extension: {edb0e980-90bd-11d4-8599-0008c7d3b6f8} - c:\program files\qualcomm\eudora\EuShlExt.dll
LSA: Authentication Packages = msv1_0 relog_ap

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\maud~1.kee\applic~1\mozilla\firefox\profiles\3eo8irgd.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.nl/|http://www.google.nl/firefox?client=...la:nl:official
FF - component: c:\program files\google\google gears\firefox\components\gears.dll
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\program files\google\google updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2006-12-26 207656]
R2 IBG_gds_db;InterBase 7.5 Guardian gds_db;c:\program files\borland\interbase\bin\ibguard.exe -i "c:\program files\borland\interbase" -p gds_db --> c:\program files\borland\interbase\bin\ibguard.exe -i c:\program files\borland\InterBase [?]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-3-12 198432]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-3-12 358736]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2006-12-26 144704]
R3 IBS_gds_db;InterBase 7.5 Server gds_db;c:\program files\borland\interbase\bin\ibserver.exe -i "c:\program files\borland\interbase" -p gds_db --> c:\program files\borland\interbase\bin\ibserver.exe -i c:\program files\borland\InterBase [?]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2006-12-26 605512]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2006-12-26 79240]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2006-12-26 35240]
R3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2006-12-26 34152]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2006-12-26 40488]
S2 gupdate1c997ea796e5e6c;Google Update Service (gupdate1c997ea796e5e6c);c:\program files\google\update\GoogleUpdate.exe [2009-2-26 133104]
S3 CachemanXPService;CachemanXP;c:\progra~1\cachem~1\CachemanXP.exe [2009-2-9 355840]
S3 EverestDriver;Lavalys EVEREST Kernel Driver;\??\c:\program files\lavalys\everest ultimate edition\kerneld.wnt --> c:\program files\lavalys\everest ultimate edition\kerneld.wnt [?]

=============== Created Last 30 ================

2009-03-12 18:03 <DIR> --d----- c:\program files\Hijack
2009-03-12 09:13 7,575 a------- c:\windows\system32\Config.MPF
2009-03-11 22:03 5,376 a------- c:\windows\system32\drivers\MS1000.sys
2009-03-11 22:01 <DIR> --d----- c:\program files\The Cleaner Demo
2009-03-05 12:55 <DIR> --d----- c:\program files\Microsoft Games
2009-02-26 17:17 <DIR> --d----- c:\docume~1\maud~1.kee\applic~1\GrabIt
2009-02-26 14:18 <DIR> --d----- c:\program files\GrabIt
2009-02-21 15:51 410,984 a------- c:\windows\system32\deploytk.dll
2009-02-16 19:23 25,088 a------- C:\gummy bear.doc
2009-02-16 19:09 25,600 a------- C:\Carl Douglas Kung Fu Fighting Lyrics.doc
2009-02-16 08:56 <DIR> --d----- c:\windows\pss

==================== Find3M ====================

2009-03-08 10:39 180,608 a------- c:\windows\pchealth\helpctr\config\cache\Professional_32_1043.dat
2009-01-14 18:52 842 a------- c:\docume~1\maud~1.kee\applic~1\filterclsid.dat
2008-12-21 00:03 826,368 a------- c:\windows\system32\wininet.dll
2008-12-18 13:56 6,553,600 a------- c:\windows\system32\ubc3815.dll
2008-11-04 07:50 28,688 a------- c:\docume~1\maud~1.kee\applic~1\GDIPFONTCACHEV1.DAT
2007-06-13 14:24 1,030,717 ---shr-- c:\windows\system32\nod6441.exe

============= FINISH: 9:12:48,42 ===============

The ark.txt and attach.txt files are attached. I hope you can help me.
Thanks
Maud
Attached Files
File Type: zip Attach.zip (4.0 KB, 2 views)
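The entries a helper would pick out first in Maud's DDS log are the mRun/mRunServices values named "ctfmon" that launch nod6441.exe instead of ctfmon.exe, the hidden+system nod6441.exe in system32, and the extra "relog_ap" LSA authentication package. The script below is an added example, not part of the original thread or the DDS tool: it parses those line shapes as DDS prints them and flags them. The KNOWN_COMPONENTS map, the severity labels and the sample lines (copied from the log above) are this example's own assumptions.

```python
import re
from dataclasses import dataclass

# Value names that legitimately belong to one specific Windows binary.
# Constructed for this example; extend with other components you expect.
KNOWN_COMPONENTS = {"ctfmon": "ctfmon.exe"}

# Line shapes as DDS prints them in the "Pseudo HJT Report" and file sections.
RUN_LINE = re.compile(r"^(?P<hive>[umd]Run(?:Services)?):\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
FILE_LINE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+(?:[\d,]+|<DIR>)\s+(?P<attrs>[-a-z]{8})\s+(?P<path>.+)$"
)
LSA_LINE = re.compile(r"^LSA:\s*Authentication Packages\s*=\s*(?P<pkgs>.+)$")

# Sample input, constructed from lines of the DDS log in the first post.
SAMPLE_DDS = r"""
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [<NO NAME>]
mRun: [nwiz] nwiz.exe /install
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [ctfmon] nod6441.exe
mRunServices: [ctfmon] nod6441.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
LSA: Authentication Packages = msv1_0 relog_ap
2009-02-21 15:51 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-12 18:03 <DIR> --d----- c:\program files\Hijack
2007-06-13 14:24 1,030,717 ---shr-- c:\windows\system32\nod6441.exe
"""


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" or "medium" (labels chosen for this example)
    reason: str
    binary: str    # lower-cased file or package name the finding concerns
    line: str      # the original log line


def executable_of(cmd: str) -> str:
    """Return the program part of an autorun command: a quoted path or the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(lines):
    """Scan DDS log lines and return the entries worth a closer look."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = RUN_LINE.match(line)
        if m:
            hive, name, cmd = m["hive"], m["name"], m["cmd"]
            exe = basename(executable_of(cmd))
            key = name.lower()[:-4] if name.lower().endswith(".exe") else name.lower()
            expected = KNOWN_COMPONENTS.get(key)
            # A value named after a Windows component that starts some other file.
            if expected and exe and exe != expected:
                findings.append(Finding("high", f"value '{name}' mimics {expected} but launches {exe}", exe, line))
            # RunServices is a Win9x-era key; software on XP almost never registers there.
            if hive == "mRunServices" and exe:
                findings.append(Finding("medium", "entry under legacy RunServices key", exe, line))
            continue
        m = FILE_LINE.match(line)
        if m:
            attrs, path = m["attrs"], m["path"]
            name = basename(path)
            # Executables in system32 carrying both hidden and system attributes.
            if "h" in attrs and "s" in attrs and name.endswith(".exe") and "\\system32\\" in path.lower():
                findings.append(Finding("high", f"hidden+system executable in system32 (attrs {attrs})", name, line))
            continue
        m = LSA_LINE.match(line)
        if m:
            # Anything beyond msv1_0 is loaded into lsass.exe at boot and needs explaining.
            for pkg in m["pkgs"].split():
                if pkg.lower() != "msv1_0":
                    findings.append(Finding("medium", f"extra LSA authentication package '{pkg}'", pkg.lower(), line))
    return findings


def suspicious_binaries(findings):
    """File names implicated by at least one high-severity finding."""
    return {f.binary for f in findings if f.severity == "high"}


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS.splitlines()):
        print(f"[{f.severity}] {f.reason}\n    {f.line}")
```

On the sample above the script reports three high findings, all pointing at nod6441.exe, and two medium ones (the RunServices entry and relog_ap).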

Old 03-13-2009, 08:26 PM   #2 (permalink)
Analyst, Security Team
Join Date: Aug 2008
Location: Northfield, Ohio, United States
Posts: 1,693
OS: XPSP3, Vista Ultimate SP1, Ubuntu Server


Re: Problems with a.bat zapchast.reg trojan

Hello, maud138
Welcome to TSF

My name is Billy O'Neal and I will be helping you. (Billy or Bill is fine, if you like.)
Please give me some time to look over your computer's log(s).
Please take note of the following:
  • In the meantime, please refrain from making any changes to your computer.
  • Also, even if things appear to be running better, there is no guarantee that everything is finished. Please continue to check this forum post in order to ensure we get your system completely clean. We do not want to clean you part-way up, only to have the system re-infect itself. :)
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Finally, please reply using the button in the lower left hand corner of your screen.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just put a post here so that I know you're still here. We get a lot of people who simply leave, and if there is no contact for that amount of time I will have to assume you have "vanished" .

We need to disable Spybot S&D's "TeaTimer"
TeaTimer works by preventing ANY changes to the system. It will attempt to undo any fixes we run, because it blocks these fixes from running.

In order to safeguard your system from problems that can be brought on by a half-finished fix, we need to disable TeaTimer. We can re-enable it when we're done if you like.
  1. Open SpyBot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
  2. If prompted with a legal dialog, accept the warning.
  3. Click and then on "Advanced Mode"
  4. You may be presented with a warning dialog. If so, press
  5. Click on
  6. Click on
  7. Uncheck this checkbox:
  8. Close/Exit Spybot Search and Destroy

We Need to Run ComboFix

Note to readers of this post other than the starter of this thread:
ComboFix is a VERY POWERFUL tool which should NOT BE USED without guidance of an expert.

If this tool helped you, please consider a donation to its author:

How to run ComboFix:
  1. Please download ComboFix from one of the following mirrors, and save it to your desktop.
  2. Disable any running Anti-Virus or Anti-Malware programs. This includes Firewalls, Anti-Virus, Spyware Scanners, etc. Any or all of them may interfere with the running of ComboFix.
  3. Double click on your desktop.
  4. Read and accept (Press Yes) to the disclaimer.
  5. For Windows XP Systems: Install the Recovery Console:
    • If you are using Windows XP and do not already have the Recovery Console installed, please ensure your internet connection is active (if possible), and press Yes. If for some reason your internet is not working, please press No. If you are not using Windows XP, you will not be prompted.
    • When prompted to accept the EULA, press OK.
    • Accept Microsoft's EULA (Press Yes).
    • When you are told that the RC is installed correctly, please press YES to continue scanning for malware.
  6. ComboFix will run. Simply wait for it to finish.
  7. When it finishes, ComboFix will produce a log. Please post that log in your next reply here :)

NOTE: If ComboFix will not run, please rename it to GlobRemover.exe and try again!

In your next reply, please include the following:
  • ComboFix.txt

Billy3
__________________
If I fail to reply for more than 24 hours, please feel free to send me a PM. Don't want you to be overlooked

Not problems like "What is beauty".. 'cause that would fall under the purview of your conundrums of philosophy.....

Last edited by Billy O'Neal; 03-13-2009 at 08:26 PM. Reason: Forgot TeaTimer
Old 03-14-2009, 02:09 AM   #3 (permalink)
Registered User
 
Join Date: Mar 2009
Posts: 7
OS: windows xp pro 2002 sp2


Re: Problems with a.bat zapchast.reg trojan

Hi Billy,
Thank you very much for your help. What a great forum!

Yesterday McAfee didn't find the trojan anymore. However, there is still something wrong. The computer is very slow and it still can't see the other computers. I didn't use any cleaning programs yesterday. I just read some emails, looked at some websites, and my boys played a game. The only thing that could have had any influence is maybe Spybot. I want to remove it completely from my computer. Is that all right? I can always install it again after everything is solved.
I did uncheck the box "Resident". There wasn't a box "Resident "teatimer" (protection of over-all system setting) active". Spybot still gives a lot of warnings, and most of the time I'm not sure whether to accept them or deny them.

Here is the log from ComboFix:

ComboFix 09-03-13.02 - maud 2009-03-14 8:43:56.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1043.18.1022.409 [GMT 1:00]
Gestart vanuit: c:\documents and settings\maud.KEES\Bureaublad\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *disabled*
* Nieuw herstelpunt werd aangemaakt
.

(((((((((((((((((((( Bestanden Gemaakt van 2009-02-14 to 2009-03-14 ))))))))))))))))))))))))))))))
.

2009-03-12 18:03 . 2009-03-13 08:53 <DIR> d-------- c:\program files\Hijack
2009-03-12 11:51 . 2009-03-13 17:33 <DIR> d-------- c:\documents and settings\LocalService\Application Data\SACore
2009-03-12 09:13 . 2009-03-14 08:46 7,735 --a------ c:\windows\system32\Config.MPF
2009-03-11 22:03 . 2009-03-11 22:03 5,376 --a------ c:\windows\system32\drivers\MS1000.sys
2009-03-11 22:01 . 2009-03-11 22:03 <DIR> d-------- c:\program files\The Cleaner Demo
2009-03-05 12:55 . 2009-03-05 12:55 <DIR> d-------- c:\program files\Microsoft Games
2009-02-26 17:17 . 2009-03-10 09:29 <DIR> d-------- c:\documents and settings\maud.KEES\Application Data\GrabIt
2009-02-26 14:18 . 2009-02-26 14:18 <DIR> d-------- c:\program files\GrabIt
2009-02-21 15:51 . 2009-02-21 15:51 410,984 --a------ c:\windows\system32\deploytk.dll
2009-02-16 19:23 . 2009-02-16 19:23 25,088 --a------ C:\gummy bear.doc
2009-02-16 19:09 . 2009-02-16 19:09 25,600 --a------ C:\Carl Douglas Kung Fu Fighting Lyrics.doc

.
((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-14 07:31 --------- d-----w c:\program files\Mozilla Thunderbird
2009-03-13 21:04 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-03-13 11:43 --------- d-----w c:\program files\McAfee
2009-03-13 08:09 --------- d-----w c:\program files\Azureus
2009-03-12 14:44 --------- d-----w c:\program files\Common Files\McAfee
2009-03-12 08:13 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2009-03-09 14:04 --------- d-----w c:\program files\Nike+ Utility
2009-03-08 09:35 --------- d-----w c:\documents and settings\maud.KEES\Application Data\LimeWire
2009-03-03 15:29 --------- d-----w c:\documents and settings\maud.KEES\Application Data\dvdcss
2009-02-26 08:16 --------- d-----w c:\program files\Google
2009-02-25 19:28 --------- d-----w c:\program files\Flickr Uploadr
2009-02-25 18:46 --------- d-----w c:\program files\FinePixViewer
2009-02-21 14:51 --------- d-----w c:\program files\Java
2009-02-15 17:36 --------- d-----w c:\program files\Microsoft ActiveSync
2009-02-10 16:31 --------- d-----w c:\documents and settings\maud.KEES\Application Data\Corel
2009-02-09 12:05 --------- d-----w c:\program files\CachemanXP
2009-01-30 17:40 --------- d-----w c:\documents and settings\maud.KEES\Application Data\Azureus
2009-01-18 14:30 --------- d-----w c:\program files\Virtualdub
2009-01-14 18:27 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-14 18:27 --------- d-----w c:\program files\Buena Vista Games
2009-01-14 18:27 --------- d-----w c:\documents and settings\All Users\Application Data\Buena Vista Games
2009-01-14 17:52 842 ----a-w c:\documents and settings\maud.KEES\Application Data\filterclsid.dat
2008-11-04 06:50 28,688 ----a-w c:\documents and settings\maud.KEES\Application Data\GDIPFONTCACHEV1.DAT
2007-03-05 18:41 26,320 ----a-w c:\documents and settings\maud\Application Data\GDIPFONTCACHEV1.DAT
2006-12-17 21:05 26,320 ----a-w c:\documents and settings\keessie\Application Data\GDIPFONTCACHEV1.DAT
2007-11-09 14:10 30,288 ----a-w c:\program files\mozilla firefox\plugins\cgpcfg.dll
2007-11-09 14:10 79,440 ----a-w c:\program files\mozilla firefox\plugins\CgpCore.dll
2007-11-09 14:10 75,344 ----a-w c:\program files\mozilla firefox\plugins\confmgr.dll
2007-11-09 14:10 140,880 ----a-w c:\program files\mozilla firefox\plugins\ctxmui.dll
2007-11-09 14:10 42,576 ----a-w c:\program files\mozilla firefox\plugins\icafile.dll
2007-11-09 14:10 50,768 ----a-w c:\program files\mozilla firefox\plugins\icalogon.dll
2007-11-09 14:10 34,384 ----a-w c:\program files\mozilla firefox\plugins\logging.dll
2007-11-09 14:11 685,648 ----a-w c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2007-11-09 14:11 30,288 ----a-w c:\program files\mozilla firefox\plugins\TcpPServ.dll
2007-06-13 13:24 1,030,717 --sh--r c:\windows\system32\nod6441.exe
.

((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-11-28 68856]
"H/PC Connection Agent"="c:\progra~1\MICROS~4\wcescomm.exe" [2006-11-13 1289000]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-10-04 8491008]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-10-04 81920]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2007-10-31 2595616]
"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2007-10-30 909208]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2007-10-30 140568]
"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 53248]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2008-08-14 565008]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-08-14 2407184]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2004-10-27 c:\windows\system32\HdAShCut.exe]
"nwiz"="nwiz.exe" [2007-10-04 c:\windows\system32\nwiz.exe]
"ctfmon"="nod6441.exe" [2007-06-13 c:\windows\system32\nod6441.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"ctfmon"="nod6441.exe" [2007-06-13 c:\windows\system32\nod6441.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\keessie\Menu Start\Programma's\Opstarten\
Workrave.lnk - c:\program files\Workrave\lib\Workrave.exe [2006-05-12 2925568]

c:\documents and settings\All Users\Menu Start\Programma's\Opstarten\
Nike+ Utility.lnk - c:\program files\Nike+ Utility\Nike+ Utility.exe [2008-04-30 1228800]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "c:\program files\Qualcomm\Eudora\EuShlExt.dll" [2006-08-17 86016]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\NX Client for Windows\\nxclient.exe"=
"c:\\Program Files\\NX Client for Windows\\bin\\nxssh.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\LEGO Media\\Games\\LEGO Chess\\Lego Chess.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"<NO NAME>"= :ctfmon

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R2 IBG_gds_db;InterBase 7.5 Guardian gds_db;c:\program files\Borland\InterBase\bin\ibguard.exe -i "c:\program files\Borland\InterBase" -p gds_db --> c:\program files\Borland\InterBase\bin\ibguard.exe -i c:\program files\Borland\InterBase [?]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2009-03-12 203280]
R3 IBS_gds_db;InterBase 7.5 Server gds_db;c:\program files\Borland\InterBase\bin\ibserver.exe -i "c:\program files\Borland\InterBase" -p gds_db --> c:\program files\Borland\InterBase\bin\ibserver.exe -i c:\program files\Borland\InterBase [?]
S2 gupdate1c997ea796e5e6c;Google Update Service (gupdate1c997ea796e5e6c);c:\program files\Google\Update\GoogleUpdate.exe [2009-02-26 133104]
S3 CachemanXPService;CachemanXP;c:\progra~1\CACHEM~1\CachemanXP.exe [2009-02-09 355840]
S3 EverestDriver;Lavalys EVEREST Kernel Driver;\??\c:\program files\Lavalys\EVEREST Ultimate Edition\kerneld.wnt --> c:\program files\Lavalys\EVEREST Ultimate Edition\kerneld.wnt [?]
.
Inhoud van de 'Gedeelde Taken' map

2009-03-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-03-14 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-26 09:16]

2008-06-14 c:\windows\Tasks\McDefragTask.job
- c:\windows\system32\defrag.exe [2004-08-04 13:00]

2009-03-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2008-07-09 18:10]

2009-03-13 c:\windows\Tasks\SyncBack Kees Privee naar beneden.job
- c:\program files\2BrightSparks\SyncBack\SyncBack.exe [2008-08-12 11:00]

2009-03-13 c:\windows\Tasks\SyncBack Maud Privee naar beneden.job
- c:\program files\2BrightSparks\SyncBack\SyncBack.exe [2008-08-12 11:00]
.
- - - - ORPHANS VERWIJDERD - - - -

HKCU-Run-Uniblue RegistryBooster 2009 - c:\program files\Uniblue\RegistryBooster\RegistryBooster.exe


.
------- Bijkomende Scan -------
.
uStart Page = hxxp://www.thepolice.com/
IE: E&xporteren naar Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Trusted Zone: thepolice.com\www
DPF: {38AB0814-B09B-4378-9940-14A19638C3C2} - hxxp://www.auctiva.com/Aurigma/ImageUploader55.cab
FF - ProfilePath - c:\documents and settings\maud.KEES\Application Data\Mozilla\Firefox\Profiles\3eo8irgd.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.nl/|http://www.google.nl/firefox?client=...la:nl:official
FF - component: c:\program files\Google\Google Gears\Firefox\components\gears.dll
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npicaN.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-14 08:52:38
Windows 5.1.2600 Service Pack 2 NTFS

scannen van verborgen processen ...

scannen van verborgen autostart items ...

scannen van verborgen bestanden ...

Scan succesvol afgerond
verborgen bestanden: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\EverestDriver]
"ImagePath"="\??\c:\program files\Lavalys\EVEREST Ultimate Edition\kerneld.wnt"
.
--------------------- DLLs Geladen Onder Lopende Processen ---------------------

- - - - - - - > 'lsass.exe'(820)
c:\windows\system32\relog_ap.dll
.
------------------------ Andere Aktieve Processen ------------------------
.
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\system32\bgsvcgen.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\program files\Borland\InterBase\bin\ibguard.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\McAfee\MPF\MpfSrv.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
c:\program files\Borland\InterBase\bin\ibserver.exe
c:\progra~1\McAfee.com\Agent\mcagent.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\windows\system32\rundll32.exe
c:\progra~1\MICROS~4\rapimgr.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\LogiShrd\LQCVFX\COCIManager.exe
.
**************************************************************************
.
Voltooingstijd: 2009-03-14 9:00:11 - machine werd herstart
ComboFix-quarantined-files.txt 2009-03-14 08:00:06

Pre-Run: 229.977.915.392 bytes beschikbaar
Post-Run: 231,163,854,848 bytes beschikbaar

WindowsXP-KB310994-SP2-Pro-BootDisk-NLD.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

219 --- E O F --- 2009-02-26 23:07:28


Thanks again!
Maud
Old 03-14-2009, 05:55 PM   #4 (permalink)
Analyst, Security Team
Join Date: Aug 2008
Location: Northfield, Ohio, United States
Posts: 1,693
OS: XPSP3, Vista Ultimate SP1, Ubuntu Server


Re: Problems with a.bat zapchast.reg trojan

Hello, maud138
We need to re-run ComboFix with some additional directives.
  1. Please disable any running anti-virus programs.
    If you are unsure how to do this, see this topic: http://www.bleepingcomputer.com/forums/topic114351.html
  2. Close any open browsers.
  3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  4. Open notepad and copy/paste the text in the quotebox below into it:
    Code:
    file::
    c:\windows\system32\nod6441.exe
    registry::
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    @=""
  5. Save this as CFScript.txt, in the same location as ComboFix.exe

  6. Referring to the picture above, drag CFScript into ComboFix.exe
  7. When finished, it shall produce a log for you at "C:\ComboFix.txt". Please copy and paste that report here.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

In your next reply, please include the following:
  • ComboFix.txt

Billy3
__________________
If I fail to reply for more than 24 hours, please feel free to send me a PM. Don't want you to be overlooked

Not problems like "What is beauty".. 'cause that would fall under the purview of your conundrums of philosophy.....
Old 03-15-2009, 02:28 AM   #5 (permalink)
Registered User
 
Join Date: Mar 2009
Posts: 7
OS: windows xp pro 2002 sp2


Re: Problems with a.bat zapchast.reg trojan

Hi Billy,
Wow, this worked. My computer is much faster now. It seems like the trojan is gone, but my computer isn't able to see the other computers yet. I used the network wizard, but that didn't help.
Here is the ComboFix log:
Bye, Maud

ComboFix 09-03-13.02 - maud 2009-03-15 8:58:44.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1043.18.1022.536 [GMT 1:00]
Gestart vanuit: c:\documents and settings\maud.KEES\Bureaublad\ComboFix.exe
gebruikte Opdracht switches :: c:\documents and settings\maud.KEES\Bureaublad\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *disabled*
* Nieuw herstelpunt werd aangemaakt

FILE ::
c:\windows\system32\nod6441.exe
.

(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\nod6441.exe

.
(((((((((((((((((((( Bestanden Gemaakt van 2009-02-15 to 2009-03-15 ))))))))))))))))))))))))))))))
.

2009-03-12 18:03 . 2009-03-13 08:53 <DIR> d-------- c:\program files\Hijack
2009-03-12 11:51 . 2009-03-13 17:33 <DIR> d-------- c:\documents and settings\LocalService\Application Data\SACore
2009-03-12 09:13 . 2009-03-15 09:04 7,735 --a------ c:\windows\system32\Config.MPF
2009-03-11 22:03 . 2009-03-11 22:03 5,376 --a------ c:\windows\system32\drivers\MS1000.sys
2009-03-11 22:01 . 2009-03-11 22:03 <DIR> d-------- c:\program files\The Cleaner Demo
2009-03-05 12:55 . 2009-03-05 12:55 <DIR> d-------- c:\program files\Microsoft Games
2009-02-26 17:17 . 2009-03-10 09:29 <DIR> d-------- c:\documents and settings\maud.KEES\Application Data\GrabIt
2009-02-26 14:18 . 2009-02-26 14:18 <DIR> d-------- c:\program files\GrabIt
2009-02-21 15:51 . 2009-02-21 15:51 410,984 --a------ c:\windows\system32\deploytk.dll
2009-02-16 19:23 . 2009-02-16 19:23 25,088 --a------ C:\gummy bear.doc
2009-02-16 19:09 . 2009-02-16 19:09 25,600 --a------ C:\Carl Douglas Kung Fu Fighting Lyrics.doc

.
((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-15 07:42 --------- d-----w c:\program files\Mozilla Thunderbird
2009-03-14 22:04 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-03-13 11:43 --------- d-----w c:\program files\McAfee
2009-03-13 08:09 --------- d-----w c:\program files\Azureus
2009-03-12 14:44 --------- d-----w c:\program files\Common Files\McAfee
2009-03-12 08:13 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2009-03-09 14:04 --------- d-----w c:\program files\Nike+ Utility
2009-03-08 09:35 --------- d-----w c:\documents and settings\maud.KEES\Application Data\LimeWire
2009-03-03 15:29 --------- d-----w c:\documents and settings\maud.KEES\Application Data\dvdcss
2009-02-26 08:16 --------- d-----w c:\program files\Google
2009-02-25 19:28 --------- d-----w c:\program files\Flickr Uploadr
2009-02-25 18:46 --------- d-----w c:\program files\FinePixViewer
2009-02-21 14:51 --------- d-----w c:\program files\Java
2009-02-15 17:36 --------- d-----w c:\program files\Microsoft ActiveSync
2009-02-10 16:31 --------- d-----w c:\documents and settings\maud.KEES\Application Data\Corel
2009-02-09 12:05 --------- d-----w c:\program files\CachemanXP
2009-01-30 17:40 --------- d-----w c:\documents and settings\maud.KEES\Application Data\Azureus
2009-01-18 14:30 --------- d-----w c:\program files\Virtualdub
2009-01-14 17:52 842 ----a-w c:\documents and settings\maud.KEES\Application Data\filterclsid.dat
2008-11-04 06:50 28,688 ----a-w c:\documents and settings\maud.KEES\Application Data\GDIPFONTCACHEV1.DAT
2007-03-05 18:41 26,320 ----a-w c:\documents and settings\maud\Application Data\GDIPFONTCACHEV1.DAT
2006-12-17 21:05 26,320 ----a-w c:\documents and settings\keessie\Application Data\GDIPFONTCACHEV1.DAT
2007-11-09 14:10 30,288 ----a-w c:\program files\mozilla firefox\plugins\cgpcfg.dll
2007-11-09 14:10 79,440 ----a-w c:\program files\mozilla firefox\plugins\CgpCore.dll
2007-11-09 14:10 75,344 ----a-w c:\program files\mozilla firefox\plugins\confmgr.dll
2007-11-09 14:10 140,880 ----a-w c:\program files\mozilla firefox\plugins\ctxmui.dll
2007-11-09 14:10 42,576 ----a-w c:\program files\mozilla firefox\plugins\icafile.dll
2007-11-09 14:10 50,768 ----a-w c:\program files\mozilla firefox\plugins\icalogon.dll
2007-11-09 14:10 34,384 ----a-w c:\program files\mozilla firefox\plugins\logging.dll
2007-11-09 14:11 685,648 ----a-w c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2007-11-09 14:11 30,288 ----a-w c:\program files\mozilla firefox\plugins\TcpPServ.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-03-14_ 8.59.21.59 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-02-25 22:10:32 49,152 ----a-r c:\windows\Installer\{C876ADD8-E4E0-4959-B8D0-DDA07FD8FBF4}\ARPPRODUCTICON.exe
+ 2009-03-14 18:46:46 49,152 ----a-r c:\windows\Installer\{C876ADD8-E4E0-4959-B8D0-DDA07FD8FBF4}\ARPPRODUCTICON.exe
- 2009-02-25 22:10:32 49,152 ----a-r c:\windows\Installer\{C876ADD8-E4E0-4959-B8D0-DDA07FD8FBF4}\NewShortcut10_C6D8480B43444BC6BEC4AD791DB8CA25.exe
+ 2009-03-14 18:46:46 49,152 ----a-r c:\windows\Installer\{C876ADD8-E4E0-4959-B8D0-DDA07FD8FBF4}\NewShortcut10_C6D8480B43444BC6BEC4AD791DB8CA25.exe
- 2009-02-25 22:10:32 49,152 ----a-r c:\windows\Installer\{C876ADD8-E4E0-4959-B8D0-DDA07FD8FBF4}\NewShortcut101_C6D8480B43444BC6BEC4AD791DB8CA25.exe
+ 2009-03-14 18:46:47 49,152 ----a-r c:\windows\Installer\{C876ADD8-E4E0-4959-B8D0-DDA07FD8FBF4}\NewShortcut101_C6D8480B43444BC6BEC4AD791DB8CA25.exe
- 2009-02-25 22:10:32 40,960 ----a-r c:\windows\Installer\{C876ADD8-E4E0-4959-B8D0-DDA07FD8FBF4}\NewShortcut11_C6D8480B43444BC6BEC4AD791DB8CA25.exe
+ 2009-03-14 18:46:46 40,960 ----a-r c:\windows\Installer\{C876ADD8-E4E0-4959-B8D0-DDA07FD8FBF4}\NewShortcut11_C6D8480B43444BC6BEC4AD791DB8CA25.exe
- 2009-02-25 22:10:32 49,152 ----a-r c:\windows\Installer\{C876ADD8-E4E0-4959-B8D0-DDA07FD8FBF4}\NewShortcut2_C6D8480B43444BC6BEC4AD791DB8CA25.exe
+ 2009-03-14 18:46:46 49,152 ----a-r c:\windows\Installer\{C876ADD8-E4E0-4959-B8D0-DDA07FD8FBF4}\NewShortcut2_C6D8480B43444BC6BEC4AD791DB8CA25.exe
- 2009-02-25 22:10:32 49,152 ----a-r c:\windows\Installer\{C876ADD8-E4E0-4959-B8D0-DDA07FD8FBF4}\NewShortcut21_C6D8480B43444BC6BEC4AD791DB8CA25.exe
+ 2009-03-14 18:46:47 49,152 ----a-r c:\windows\Installer\{C876ADD8-E4E0-4959-B8D0-DDA07FD8FBF4}\NewShortcut21_C6D8480B43444BC6BEC4AD791DB8CA25.exe
- 2009-02-25 22:10:32 75,064 ----a-r c:\windows\Installer\{C876ADD8-E4E0-4959-B8D0-DDA07FD8FBF4}\NewShortcut3_C6D8480B43444BC6BEC4AD791DB8CA25.exe
+ 2009-03-14 18:46:46 75,064 ----a-r c:\windows\Installer\{C876ADD8-E4E0-4959-B8D0-DDA07FD8FBF4}\NewShortcut3_C6D8480B43444BC6BEC4AD791DB8CA25.exe
- 2009-02-25 22:10:32 49,152 ----a-r c:\windows\Installer\{C876ADD8-E4E0-4959-B8D0-DDA07FD8FBF4}\NewShortcut31_C6D8480B43444BC6BEC4AD791DB8CA25.exe
+ 2009-03-14 18:46:47 49,152 ----a-r c:\windows\Installer\{C876ADD8-E4E0-4959-B8D0-DDA07FD8FBF4}\NewShortcut31_C6D8480B43444BC6BEC4AD791DB8CA25.exe
- 2009-02-25 22:10:32 49,152 ----a-r c:\windows\Installer\{C876ADD8-E4E0-4959-B8D0-DDA07FD8FBF4}\NewShortcut4_C6D8480B43444BC6BEC4AD791DB8CA25.exe
+ 2009-03-14 18:46:47 49,152 ----a-r c:\windows\Installer\{C876ADD8-E4E0-4959-B8D0-DDA07FD8FBF4}\NewShortcut4_C6D8480B43444BC6BEC4AD791DB8CA25.exe
- 2009-02-25 22:10:32 49,152 ----a-r c:\windows\Installer\{C876ADD8-E4E0-4959-B8D0-DDA07FD8FBF4}\NewShortcut41_C6D8480B43444BC6BEC4AD791DB8CA25.exe
+ 2009-03-14 18:46:47 49,152 ----a-r c:\windows\Installer\{C876ADD8-E4E0-4959-B8D0-DDA07FD8FBF4}\NewShortcut41_C6D8480B43444BC6BEC4AD791DB8CA25.exe
- 2009-02-25 22:10:32 49,152 ----a-r c:\windows\Installer\{C876ADD8-E4E0-4959-B8D0-DDA07FD8FBF4}\NewShortcut5_C6D8480B43444BC6BEC4AD791DB8CA25.exe
+ 2009-03-14 18:46:47 49,152 ----a-r c:\windows\Installer\{C876ADD8-E4E0-4959-B8D0-DDA07FD8FBF4}\NewShortcut5_C6D8480B43444BC6BEC4AD791DB8CA25.exe
- 2009-02-25 22:10:32 49,152 ----a-r c:\windows\Installer\{C876ADD8-E4E0-4959-B8D0-DDA07FD8FBF4}\NewShortcut51_C6D8480B43444BC6BEC4AD791DB8CA25.exe
+ 2009-03-14 18:46:48 49,152 ----a-r c:\windows\Installer\{C876ADD8-E4E0-4959-B8D0-DDA07FD8FBF4}\NewShortcut51_C6D8480B43444BC6BEC4AD791DB8CA25.exe
- 2009-02-25 22:10:32 40,960 ----a-r c:\windows\Installer\{C876ADD8-E4E0-4959-B8D0-DDA07FD8FBF4}\NewShortcut6_C6D8480B43444BC6BEC4AD791DB8CA25.exe
+ 2009-03-14 18:46:47 40,960 ----a-r c:\windows\Installer\{C876ADD8-E4E0-4959-B8D0-DDA07FD8FBF4}\NewShortcut6_C6D8480B43444BC6BEC4AD791DB8CA25.exe
- 2009-02-25 22:10:32 49,152 ----a-r c:\windows\Installer\{C876ADD8-E4E0-4959-B8D0-DDA07FD8FBF4}\NewShortcut8_C6D8480B43444BC6BEC4AD791DB8CA25_1.exe
+ 2009-03-14 18:46:47 49,152 ----a-r c:\windows\Installer\{C876ADD8-E4E0-4959-B8D0-DDA07FD8FBF4}\NewShortcut8_C6D8480B43444BC6BEC4AD791DB8CA25_1.exe
- 2009-02-25 22:10:32 49,152 ----a-r c:\windows\Installer\{C876ADD8-E4E0-4959-B8D0-DDA07FD8FBF4}\NewShortcut81_C6D8480B43444BC6BEC4AD791DB8CA25.exe
+ 2009-03-14 18:46:48 49,152 ----a-r c:\windows\Installer\{C876ADD8-E4E0-4959-B8D0-DDA07FD8FBF4}\NewShortcut81_C6D8480B43444BC6BEC4AD791DB8CA25.exe
- 2009-02-25 22:10:32 49,152 ----a-r c:\windows\Installer\{C876ADD8-E4E0-4959-B8D0-DDA07FD8FBF4}\NewShortcut9_C6D8480B43444BC6BEC4AD791DB8CA25.exe
+ 2009-03-14 18:46:47 49,152 ----a-r c:\windows\Installer\{C876ADD8-E4E0-4959-B8D0-DDA07FD8FBF4}\NewShortcut9_C6D8480B43444BC6BEC4AD791DB8CA25.exe
- 2009-02-25 22:10:32 49,152 ----a-r c:\windows\Installer\{C876ADD8-E4E0-4959-B8D0-DDA07FD8FBF4}\NewShortcut91_C6D8480B43444BC6BEC4AD791DB8CA25.exe
+ 2009-03-14 18:46:48 49,152 ----a-r c:\windows\Installer\{C876ADD8-E4E0-4959-B8D0-DDA07FD8FBF4}\NewShortcut91_C6D8480B43444BC6BEC4AD791DB8CA25.exe
- 2009-03-14 07:26:34 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-03-15 07:46:38 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-03-14 07:26:34 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Geschiedenis\History.IE5\index.dat
+ 2009-03-15 07:46:38 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Geschiedenis\History.IE5\index.dat
+ 2009-03-15 08:09:59 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_6b0.dat
+ 2009-03-14 18:45:48 1,233,920 ----a-w c:\windows\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9818.0_x-ww_8ff50c5d\msxml4.dll
.
-- Snapshot teruggezet naar huidige datum --
.
((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-11-28 68856]
"H/PC Connection Agent"="c:\progra~1\MICROS~4\wcescomm.exe" [2006-11-13 1289000]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]
"Uniblue RegistryBooster 2009"="c:\program files\Uniblue\RegistryBooster\RegistryBooster.exe" [BU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-10-04 8491008]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-10-04 81920]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2007-10-31 2595616]
"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2007-10-30 909208]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2007-10-30 140568]
"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 53248]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2008-08-14 565008]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-08-14 2407184]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2004-10-27 c:\windows\system32\HdAShCut.exe]
"nwiz"="nwiz.exe" [2007-10-04 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\keessie\Menu Start\Programma's\Opstarten\
Workrave.lnk - c:\program files\Workrave\lib\Workrave.exe [2006-05-12 2925568]

c:\documents and settings\All Users\Menu Start\Programma's\Opstarten\
Nike+ Utility.lnk - c:\program files\Nike+ Utility\Nike+ Utility.exe [2008-04-30 1228800]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "c:\program files\Qualcomm\Eudora\EuShlExt.dll" [2006-08-17 86016]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\NX Client for Windows\\nxclient.exe"=
"c:\\Program Files\\NX Client for Windows\\bin\\nxssh.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\LEGO Media\\Games\\LEGO Chess\\Lego Chess.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"<NO NAME>"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R2 IBG_gds_db;InterBase 7.5 Guardian gds_db;c:\program files\Borland\InterBase\bin\ibguard.exe -i "c:\program files\Borland\InterBase" -p gds_db --> c:\program files\Borland\InterBase\bin\ibguard.exe -i c:\program files\Borland\InterBase [?]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2009-03-12 203280]
R3 IBS_gds_db;InterBase 7.5 Server gds_db;c:\program files\Borland\InterBase\bin\ibserver.exe -i "c:\program files\Borland\InterBase" -p gds_db --> c:\program files\Borland\InterBase\bin\ibserver.exe -i c:\program files\Borland\InterBase [?]
S2 gupdate1c997ea796e5e6c;Google Update Service (gupdate1c997ea796e5e6c);c:\program files\Google\Update\GoogleUpdate.exe [2009-02-26 133104]
S3 CachemanXPService;CachemanXP;c:\progra~1\CACHEM~1\CachemanXP.exe [2009-02-09 355840]
S3 EverestDriver;Lavalys EVEREST Kernel Driver;\??\c:\program files\Lavalys\EVEREST Ultimate Edition\kerneld.wnt --> c:\program files\Lavalys\EVEREST Ultimate Edition\kerneld.wnt [?]
.
Inhoud van de 'Gedeelde Taken' map

2009-03-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-03-15 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-26 09:16]

2009-03-15 c:\windows\Tasks\McDefragTask.job
- c:\windows\system32\defrag.exe [2004-08-04 13:00]

2009-03-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2008-07-09 18:10]

2009-03-14 c:\windows\Tasks\SyncBack Kees Privee naar beneden.job
- c:\program files\2BrightSparks\SyncBack\SyncBack.exe [2008-08-12 11:00]

2009-03-14 c:\windows\Tasks\SyncBack Maud Privee naar beneden.job
- c:\program files\2BrightSparks\SyncBack\SyncBack.exe [2008-08-12 11:00]
.
- - - - ORPHANS VERWIJDERD - - - -

HKLM-Run-ctfmon - nod6441.exe
HKLM-RunServices-ctfmon - nod6441.exe


.
------- Bijkomende Scan -------
.
uStart Page = hxxp://www.thepolice.com/
IE: E&xporteren naar Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Trusted Zone: thepolice.com\www
DPF: {38AB0814-B09B-4378-9940-14A19638C3C2} - hxxp://www.auctiva.com/Aurigma/ImageUploader55.cab
FF - ProfilePath - c:\documents and settings\maud.KEES\Application Data\Mozilla\Firefox\Profiles\3eo8irgd.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.nl/|http://www.google.nl/firefox?client=...la:nl:official
FF - component: c:\program files\Google\Google Gears\Firefox\components\gears.dll
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npicaN.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-15 09:10:37
Windows 5.1.2600 Service Pack 2 NTFS

scannen van verborgen processen ...

scannen van verborgen autostart items ...

scannen van verborgen bestanden ...

Scan succesvol afgerond
verborgen bestanden: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\EverestDriver]
"ImagePath"="\??\c:\program files\Lavalys\EVEREST Ultimate Edition\kerneld.wnt"
.
--------------------- DLLs Geladen Onder Lopende Processen ---------------------

- - - - - - - > 'lsass.exe'(820)
c:\windows\system32\relog_ap.dll
.
------------------------ Andere Aktieve Processen ------------------------
.
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\system32\bgsvcgen.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\program files\Borland\InterBase\bin\ibguard.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\McAfee\MPF\MpfSrv.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
c:\program files\Borland\InterBase\bin\ibserver.exe
c:\program files\McAfee.com\Agent\mcagent.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\windows\system32\rundll32.exe
c:\progra~1\MICROS~4\rapimgr.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\LogiShrd\LQCVFX\COCIManager.exe
.
**************************************************************************
.
Voltooingstijd: 2009-03-15 9:17:11 - machine werd herstart
ComboFix-quarantined-files.txt 2009-03-15 08:17:08

Pre-Run: 233.800.159.232 bytes beschikbaar
Post-Run: 233,804,992,512 bytes beschikbaar

259 --- E O F --- 2009-02-26 23:07:28
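The ComboFix log above shows what makes this infection recognisable on paper: Run and RunServices values named ctfmon that actually launched c:\windows\system32\nod6441.exe, a Run value (Uniblue) for which ComboFix printed [BU] instead of a date/size stamp, and Security Center notification switches set to 1. The script below is an added example, not ComboFix's own code and not something posted in this thread. It parses ComboFix-style REGEDIT4 blocks and the ORPHANS section and flags those three patterns. The embedded sample log is constructed from the thread's lines (the date/size stamp on the nod6441.exe entry is invented, since the posted log only shows it after removal), and the table of Windows component names is an assumption of the example that you would extend from your own baseline.

```python
"""Triage of ComboFix-style autorun listings (added example, not ComboFix's
own code).  Parses the REGEDIT4 'Run' blocks, the Security Center block and
the ORPHANS section and flags the patterns visible in the thread."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample condensed from the thread's ComboFix output.  The
# nod6441.exe date/size stamp is invented; the rest mirrors the posted log.
SAMPLE_LOG = r"""REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Uniblue RegistryBooster 2009"="c:\program files\Uniblue\RegistryBooster\RegistryBooster.exe" [BU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2007-10-04 c:\windows\system32\nwiz.exe]
"ctfmon"="c:\windows\system32\nod6441.exe" [2009-03-12 61440]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

- - - - ORPHANS VERWIJDERD - - - -

HKLM-Run-ctfmon - nod6441.exe
HKLM-RunServices-ctfmon - nod6441.exe
"""

# Autorun value names Windows itself uses, and the binary each should launch.
# Assumed list for this example; extend it from a known-good baseline.
EXPECTED_BINARY = {"ctfmon": "ctfmon.exe", "ctfmon.exe": "ctfmon.exe"}

# Security Center values that silence its warnings when set to 1.
SILENCED_SWITCHES = {"antivirusdisablenotify", "firewalldisablenotify",
                     "updatesdisablenotify", "disablemonitoring"}

KEY_RE = re.compile(r"^\[(?P<key>HK[^\]]*)\]$", re.IGNORECASE)
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"=(?P<value>"[^"]*"|[^\s\[]+)?'
                      r'\s*(?P<stamp>\[[^\]]*\])?\s*$')
ORPHAN_RE = re.compile(r"^(?P<hive>HK\w+)-(?P<key>\w+)-(?P<name>.+?) - (?P<target>.+)$")
DATE_STAMP_RE = re.compile(r"^\[\d{4}-\d{2}-\d{2}\b")


@dataclass
class Finding:
    severity: str   # "high", "medium" or "info"
    where: str      # registry key the entry lives in
    name: str       # value name
    detail: str


def basename(path: str) -> str:
    """Last path component, lower-cased, for both \\ and / separators."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def impersonation(where: str, name: str, target: str) -> Optional[Finding]:
    """A value named after a Windows component must launch that component."""
    expected = EXPECTED_BINARY.get(name.lower())
    if expected and basename(target) != expected:
        return Finding("high", where, name,
                       f"named like Windows component {expected} but launches {target}")
    return None


def triage(log: str) -> List[Finding]:
    findings: List[Finding] = []
    key, in_orphans = "", False
    for raw in log.splitlines():
        line = raw.strip()
        if "ORPHANS" in line:                      # ComboFix's removed-orphans header
            in_orphans = True
            continue
        if in_orphans:
            if line == "." or line.startswith("---"):   # next section begins
                in_orphans = False
                continue
            m = ORPHAN_RE.match(line)
            if m:
                where = f"{m['hive']}\\{m['key']}"
                findings.append(Finding("info", where, m["name"],
                                        f"orphan reference removed: {m['target']}"))
                hit = impersonation(where, m["name"], m["target"])
                if hit:
                    findings.append(hit)
            continue
        m = KEY_RE.match(line)
        if m:
            key = m["key"]
            continue
        m = VALUE_RE.match(line)
        if not m or not key:
            continue
        name, value, stamp = m["name"], (m["value"] or "").strip('"'), m["stamp"]
        k = key.lower()
        if "security center" in k:
            if name.lower() in SILENCED_SWITCHES and value == "dword:00000001":
                findings.append(Finding("medium", key, name,
                                        "Security Center warning silenced (set to 1)"))
        elif k.endswith(("\\run", "\\runonce", "\\runservices")):
            hit = impersonation(key, name, value)
            if hit:
                findings.append(hit)
            if stamp is None or not DATE_STAMP_RE.match(stamp):   # no [date size] from ComboFix
                findings.append(Finding("medium", key, name,
                                        f"no date/size stamp ({stamp or 'none'}); confirm {value} exists"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.where} :: {f.name}: {f.detail}")
```

Two caveats on reading the output: a missing stamp only says ComboFix did not report the file's date and size, so it is a prompt to check whether the binary still exists, not proof of anything; and third-party suites commonly set DisableMonitoring under their own Monitoring subkey when they register with Security Center, so that rule points at the top-level AntiVirusDisableNotify/UpdatesDisableNotify values, which are the ones a user or malware would have to turn on deliberately.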
Old 03-15-2009, 02:57 PM   #6 (permalink)
Analyst, Security Team
Join Date: Aug 2008
Location: Northfield, Ohio, United States
Posts: 1,693
OS: XPSP3, Vista Ultimate SP1, Ubuntu Server


Re: Problems with a.bat zapchast.reg trojan

Hello, maud138
Quote:
Wow, this worked. My computer is much faster now. It seems like the trojan is gone, but my computer isn't able to see the other computers yet.
Got a ways to go yet, but it's good to hear things are running better :)

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Runtime Environment (JRE)" JRE 6 Update 12.
  • Click the Download button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u12-windows-i586-p.exe to install the newest version.
-- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
-- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

I would like us to use ESET (NOD32)'s Online Scanner
  1. Please go to ESET OnlineScan (NOD32)
  2. You will then see the Terms of Use; tick the check-box in front of YES, I accept the Terms of Use
  3. Now click Start
  4. Should you face a Security Warning that asks if you want to install and run a file called "OnlineScanner.cab", click Yes
  5. Click Start
    • Note: (the Onlinescanner will now prepare itself for running on your pc)
  6. To do a full-scan, tick: "Remove found threats" and "Scan potentially unwanted applications"
  7. Press Scan
  8. The Onlinescan will now start and scan your pc (this could take a while)
  9. When the scan has finished, it will show a screen with two tabs "overview" and "details" and the option to get information or buy software, just close the window
  10. Click Start >> Run... >> type: C:\Program Files\EsetOnlineScanner\log.txt
  11. The scan results will now open in Notepad
  12. Click into the text area, right-click and choose "select all" (or use <Control>+A)
  13. Right-click again and choose "Copy" (or <Control>+C)
  14. Close/Exit Notepad
  15. Navigate to this thread and post your log along with anything else requested from us, by right-clicking and "paste" (or ctrl+v) in the text area of the reply post you just created.
Note: For Vista users: ESET is compatible, but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.

You Need to Update Windows (And other Microsoft Software)
Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.

If you are using Windows XP or earlier
Visit the Microsoft Update website and follow the on-screen instructions to set up Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!

If you are using Windows Vista
  1. Click the "Start Menu" (or Windows Orb)
  2. Click "All Programs"
  3. Click "Windows Update"
  4. On the left, choose "Change Settings"
  5. Ensure that the checkbox "Use Microsoft Update" at the bottom of the window is checked.
  6. Press OK and accept the UAC prompt.
    Note: You shouldn't need to check this checkbox every single time you update, only the first time.
  7. Click "Check for Updates" in the upper left corner.
  8. Follow the instructions to install the latest updates.
  9. Reboot and repeat the "Check for Updates" until there are no more critical updates to install

In your next reply, please include the following:
  • ESET OnlineScan's Log

Billy3
__________________
If I fail to reply for more than 24 hours, please feel free to send me a PM. Don't want you to be overlooked

Not problems like "What is beauty".. 'cause that would fall under the purview of your conundrums of philosophy.....
Old 03-15-2009, 05:37 PM   #7 (permalink)
Registered User
 
Join Date: Mar 2009
Posts: 7
OS: windows xp pro 2002 sp2


Re: Problems with a.bat zapchast.reg trojan

Hi Billy
I did everything you asked (just working on the last updates for Windows).
The computer today was sometimes very fast, sometimes very slow. Shutting down Windows always takes very long and I got a warning that the virtual memory was not sufficient. (That was before I did the Java things and the ESET scan). Here is the scan log and now I really need to get some sleep :-)
Thanks
Maud
# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3937 (20090314)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=73e2c90f296ea94aa397fc53d7fd0554
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2009-03-15 10:54:57
# local_time=2009-03-15 11:54:57 (+0100, West-Europa (standaardtijd))
# country="Netherlands"
# osver=5.1.2600 NT Service Pack 2
# scanned=489124
# found=0
# scan_time=4029
Old 03-15-2009, 08:56 PM   #8 (permalink)
Analyst, Security Team
 
 
Join Date: Aug 2008
Location: Northfield, Ohio, United States
Posts: 1,693
OS: XPSP3, Vista Ultimate SP1, Ubuntu Server


Re: Problems with a.bat zapchast.reg trojan

Hello, maud138
Quote:
I did everything you asked (just working on the last updates for Windows).
The main update here is Service Pack 3. Please ensure Windows Update installs SP3, and post a new DDS log. If it fails to install, then let me know and we'll go from there.

Quote:
The computer today was sometimes very fast, sometimes very slow. Shutting down Windows always takes very long and I got a warning that the virtual memory was not sufficient. (That was before I did the Java things and the ESET scan). Here is the scan log and now I really need to get some sleep :-)
It's looking good :)

If you still have virtual memory problems after updating windows, let me know and we can try some things...

Billy3
Old 03-16-2009, 02:09 AM   #9 (permalink)
Registered User
 
Join Date: Mar 2009
Posts: 7
OS: windows xp pro 2002 sp2


Re: Problems with a.bat zapchast.reg trojan

Hi Billy
There were no problems with Service Pack 3. I did all the updates now. I just woke up; if there are problems today with the virtual memory, I will let you know. Here is the DDS:

DDS (Ver_09-03-16.01) - NTFSx86
Run by maud at 9:00:39,12 on ma 16-03-2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Professional 5.1.2600.3.1252.31.1043.18.1022.501 [GMT 1:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Borland\InterBase\bin\ibguard.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
C:\Program Files\Borland\InterBase\bin\ibserver.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\MICROS~4\wcescomm.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Program Files\Nike+ Utility\Nike+ Utility.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\maud.KEES\Bureaublad\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.thepolice.com/
BHO: Adobe PDF Reader Help bij koppelingen: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {38D3FE60-3D53-4F37-BB0E-C7A97A26A156} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - No File
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Google Gears Helper: {e0fefe40-fbf9-42ae-ba58-794ca7e3fb53} - c:\program files\google\google gears\internet explorer\0.5.4.2\gears.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [H/PC Connection Agent] "c:\progra~1\micros~4\wcescomm.exe"
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [Uniblue RegistryBooster 2009] c:\program files\uniblue\registrybooster\RegistryBooster.exe /S
mRun: [High Definition Audio Property Page Shortcut] HDAShCut.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [TrueImageMonitor.exe] c:\program files\acronis\trueimagehome\TrueImageMonitor.exe
mRun: [AcronisTimounterMonitor] c:\program files\acronis\trueimagehome\TimounterMonitor.exe
mRun: [Acronis Scheduler2 Service] "c:\program files\common files\acronis\schedule2\schedhlp.exe"
mRun: [REGSHAVE] c:\program files\regshave\REGSHAVE.EXE /AUTORUN
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\menust~1\progra~1\opstar~1\nike_u~1.lnk - c:\program files\nike+ utility\Nike+ Utility.exe
IE: E&xporteren naar Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - c:\program files\google\google gears\internet explorer\0.5.4.2\gears.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~4\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~4\INetRepl.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
Trusted Zone: thepolice.com\www
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {38AB0814-B09B-4378-9940-14A19638C3C2} - hxxp://www.auctiva.com/Aurigma/ImageUploader55.cab
DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - hxxp://www.eset.eu/buxus/docs/OnlineScanner.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1196268370562
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} - hxxp://www.auctiva.com/hostedimages/activex/xupload/XUpload.ocx
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Eudora's Shell Extension: {edb0e980-90bd-11d4-8599-0008c7d3b6f8} - c:\program files\qualcomm\eudora\EuShlExt.dll
LSA: Authentication Packages = msv1_0 relog_ap

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\maud~1.kee\applic~1\mozilla\firefox\profiles\3eo8irgd.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.nl/|http://www.google.nl/firefox?client=...la:nl:official
FF - component: c:\program files\google\google gears\firefox\components\gears.dll
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\program files\google\google updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2006-12-26 207656]
R2 IBG_gds_db;InterBase 7.5 Guardian gds_db;c:\program files\borland\interbase\bin\ibguard.exe -i "c:\program files\borland\interbase" -p gds_db --> c:\program files\borland\interbase\bin\ibguard.exe -i c:\program files\borland\InterBase [?]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-3-12 203280]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-3-12 358736]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2006-12-26 144704]
R3 IBS_gds_db;InterBase 7.5 Server gds_db;c:\program files\borland\interbase\bin\ibserver.exe -i "c:\program files\borland\interbase" -p gds_db --> c:\program files\borland\interbase\bin\ibserver.exe -i c:\program files\borland\InterBase [?]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2006-12-26 79240]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2006-12-26 35240]
S2 gupdate1c997ea796e5e6c;Google Update Service (gupdate1c997ea796e5e6c);c:\program files\google\update\GoogleUpdate.exe [2009-2-26 133104]
S2 spupdsvc;Windows Service Pack Installer update service;c:\windows\system32\spupdsvc.exe [2007-11-28 26488]
S3 CachemanXPService;CachemanXP;c:\progra~1\cachem~1\CachemanXP.exe [2009-2-9 355840]
S3 EverestDriver;Lavalys EVEREST Kernel Driver;\??\c:\program files\lavalys\everest ultimate edition\kerneld.wnt --> c:\program files\lavalys\everest ultimate edition\kerneld.wnt [?]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2006-12-26 34152]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2006-12-26 40488]
S4 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2006-12-26 605512]

=============== Created Last 30 ================

2009-03-16 08:55 142 a------- c:\windows\system32\spupdsvc.inf
2009-03-16 08:43 1,089,883 -c------ c:\windows\system32\dllcache\ntprint.cat
2009-03-16 00:53 <DIR> --d----- C:\e9938f8aad3942793807
2009-03-16 00:15 <DIR> --d----- c:\windows\system32\nl
2009-03-16 00:15 <DIR> --d----- c:\windows\system32\bits
2009-03-16 00:15 <DIR> --d----- c:\windows\l2schemas
2009-03-16 00:12 <DIR> --d----- c:\windows\ServicePackFiles
2009-03-15 22:46 <DIR> --d----- c:\program files\EsetOnlineScanner
2009-03-15 22:43 73,728 a------- c:\windows\system32\javacpl.cpl
2009-03-14 08:40 <DIR> a-dshr-- C:\cmdcons
2009-03-14 08:38 161,792 a------- c:\windows\SWREG.exe
2009-03-14 08:38 98,816 a------- c:\windows\sed.exe
2009-03-12 18:03 <DIR> --d----- c:\program files\Hijack
2009-03-12 09:13 8,971 a------- c:\windows\system32\Config.MPF
2009-03-11 22:03 5,376 a------- c:\windows\system32\drivers\MS1000.sys
2009-03-11 22:01 <DIR> --d----- c:\program files\The Cleaner Demo
2009-03-05 12:55 <DIR> --d----- c:\program files\Microsoft Games
2009-02-26 17:17 <DIR> --d----- c:\docume~1\maud~1.kee\applic~1\GrabIt
2009-02-26 14:18 <DIR> --d----- c:\program files\GrabIt
2009-02-21 15:51 410,984 a------- c:\windows\system32\deploytk.dll
2009-02-16 19:23 25,088 a------- C:\gummy bear.doc
2009-02-16 19:09 25,600 a------- C:\Carl Douglas Kung Fu Fighting Lyrics.doc
2009-02-16 08:56 <DIR> --d----- c:\windows\pss

==================== Find3M ====================

2009-03-16 00:58 508,910 a------- c:\windows\system32\perfh013.dat
2009-03-16 00:58 90,586 a------- c:\windows\system32\perfc013.dat
2009-03-16 00:18 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-02-09 15:08 1,846,912 a------- c:\windows\system32\win32k.sys
2009-01-14 18:52 842 a------- c:\docume~1\maud~1.kee\applic~1\filterclsid.dat
2008-12-21 00:03 826,368 a------- c:\windows\system32\wininet.dll
2008-12-18 13:56 6,553,600 a------- c:\windows\system32\ubc3815.dll
2008-11-04 07:50 28,688 a------- c:\docume~1\maud~1.kee\applic~1\GDIPFONTCACHEV1.DAT

============= FINISH: 9:01:04,40 ===============

Bye
Maud
Attached Files
File Type: zip Attach.zip (2.9 KB, 0 views)
Old 03-16-2009, 01:23 PM   #10 (permalink)
Analyst, Security Team
 
 
Join Date: Aug 2008
Location: Northfield, Ohio, United States
Posts: 1,693
OS: XPSP3, Vista Ultimate SP1, Ubuntu Server


Re: Problems with a.bat zapchast.reg trojan

Please disable TeaTimer once more and run ComboFix again.

TeaTimer didn't allow Java to uninstall itself right. (*Bill is not such a huge fan of TeaTimer :P)

ComboFix will repair what's leftover.

Billy3
Old 03-16-2009, 03:21 PM   #11 (permalink)
Registered User
 
Join Date: Mar 2009
Posts: 7
OS: windows xp pro 2002 sp2


Re: Problems with a.bat zapchast.reg trojan

Hi Billy,
I removed Spybot completely. Sometimes the computer is still very slow. I believe it has something to do with Internet Explorer. Do you have any idea for the network problem?
The ComboFix log is too long. I will attach it.

Maud
Attached Files
File Type: zip ComboFix.zip (68.4 KB, 1 views)
Old 03-16-2009, 04:31 PM   #12 (permalink)
Analyst, Security Team
 
 
Join Date: Aug 2008
Location: Northfield, Ohio, United States
Posts: 1,693
OS: XPSP3, Vista Ultimate SP1, Ubuntu Server


Re: Problems with a.bat zapchast.reg trojan

Hello, maud138
Quote:
Sometimes the computer is still very slow. I believe it has something to do with the Internet Explorer.
Not as far as I can tell from your logs.
There are only 4 components being auto-loaded by IE at this point:
Java
McAfee Scriptproxy/SiteAdvisor
Google Toolbar
Google Gears
All of which are very legitimate programs.

Quote:
you have any idea for the network-problem?
Honestly I don't. It appears to be a DNS related issue, but I have no idea how to diagnose your network topology. Perhaps disabling McAfee Firewall will help?

Congratulations! You now appear clean!

Are things running okay? Do you have any more questions?

System Still Slow?
You may wish to try StartupLite. Simply download this tool to your desktop and run it. It will explain any optional auto-start programs on your system, and offer the option to stop these programs from starting at startup. This will result in fewer programs running when you boot your system, and should improve performance.
If that does not work, you can try the steps mentioned in Slow Computer/browser? Check Here First; It May Not Be Malware
We Need to Remove ComboFix
  1. Please go to Start -> Run
  2. Enter "ComboFix /u" (without quotes). Note the space between "ComboFix" and "/u", it needs to be there.
  3. Press OK (Or hit enter).
  4. Allow ComboFix to remove itself.

We Need to Clean Up Our Mess
  1. Please download OTCleanIt from one of the following mirrors and save it to your desktop:
  2. Double click the icon.
  3. Push the large "Cleanup" button.
  4. Allow your system to reboot.

Recommendations
Below are some recommendations to lower your chances of (re)infection.
  1. Install Spyware Blaster and update it regularly
    If you wish, the commercial version provides automatic updating.
  2. Install the MVPs hosts file, and update it regularly
    You can use the HostMan host file manager to do this automatically if you wish.
    For more information on the hosts file, and what it can do for you, you can view the Tutorial on the Hosts file
  3. Install an Anti-Spyware program, and update it regularly
    Malwarebytes' Anti-Malware is an excellent Anti-Spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.
    SUPERAntiSpyware is another good scanner with high detection and removal rates.
    Both programs are free for non-commercial home use but provide a resident and do not nag if you purchase the paid versions.
  4. Keep Windows (and your other Microsoft software) up to date!
    I cannot stress enough how important this is. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.

    If you are using Windows XP or earlier
    Visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!

    If you are using Windows Vista
    1. Click the "Start Menu" (or Windows Orb)
    2. Click "All Programs"
    3. Click "Windows Update"
    4. On the left, choose "Change Settings"
    5. Ensure that the checkbox "Use Microsoft Update" at the bottom of the window is checked.
    6. Press OK and accept the UAC prompt.
      Note: You shouldn't need to check this checkbox every single time you update, only the first time.
    7. Click "Check for Updates" in the upper left corner.
    8. Follow the instructions to install the latest updates.
    9. Reboot and repeat the "Check for Updates" until there are no more critical updates to install
  5. Keep your other software up to date as well
    Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on your machine.
  6. Stay up to date!
    The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing :(.

Billy3
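The check made in the post above (which components IE actually loads, and which registered objects are only leftovers) can be done mechanically on the "Pseudo HJT Report" lines of a DDS log. The parser below is an added example, not part of this thread or of the DDS tool; its sample lines are copied from the log posted earlier in the thread, and the line formats it assumes are taken from that log.

```python
import re

# Lines copied from the "Pseudo HJT Report" section of the DDS log posted earlier in
# this thread. BHO = IE Browser Helper Object, TB = IE toolbar, uRun/mRun = per-user /
# per-machine Run keys, DPF = ActiveX download record. "No File" means the CLSID is
# still registered but its DLL is gone: a leftover, not a live component.
SAMPLE_DDS_LINES = [
    r"BHO: Adobe PDF Reader Help bij koppelingen: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll",
    r"BHO: {38D3FE60-3D53-4F37-BB0E-C7A97A26A156} - No File",
    r"BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll",
    r"BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll",
    r"BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll",
    r"BHO: Google Gears Helper: {e0fefe40-fbf9-42ae-ba58-794ca7e3fb53} - c:\program files\google\google gears\internet explorer\0.5.4.2\gears.dll",
    r"TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll",
    r"uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe",
    r"mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup",
    r"DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - hxxp://www.eset.eu/buxus/docs/OnlineScanner.cab",
    r"DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}",
]

CLSID = r"\{[0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}\}"
IE_OBJECT_RE = re.compile(r"^(?P<kind>BHO|TB): (?:(?P<name>.+?): )?(?P<clsid>" + CLSID + r") - (?P<target>.+)$")
RUN_RE = re.compile(r"^(?P<kind>[umd]Run): \[(?P<name>[^\]]+)\] (?P<target>.+)$")
DPF_RE = re.compile(r"^DPF: (?P<clsid>" + CLSID + r")(?: - (?P<target>.+))?$")


def parse_dds(lines):
    """Turn pseudo-HJT lines into records {kind, name, clsid, target}; other lines are skipped."""
    records = []
    for line in lines:
        m = IE_OBJECT_RE.match(line.strip()) or RUN_RE.match(line.strip()) or DPF_RE.match(line.strip())
        if not m:
            continue
        g = m.groupdict()
        records.append({
            "kind": g.get("kind", "DPF"),              # DPF_RE has no kind group
            "name": g.get("name") or "",
            "clsid": (g.get("clsid") or "").upper(),   # DDS mixes CLSID case; normalise
            "target": g.get("target") or "",
        })
    return records


def orphaned_entries(records):
    """IE objects whose DLL is missing: DDS prints 'No File'. Leftover registrations to clean."""
    return [r for r in records if r["kind"] in ("BHO", "TB") and r["target"] == "No File"]


def loaded_ie_dlls(records):
    """Distinct DLLs IE actually loads at start (BHOs and toolbars with a file on disk)."""
    return sorted({r["target"].lower() for r in records
                   if r["kind"] in ("BHO", "TB") and r["target"] != "No File"})


def autostart_entries(records):
    """Run-key entries by name, the list a startup tool such as StartupLite would show."""
    return {r["name"]: r["target"] for r in records if r["kind"].endswith("Run")}


def download_sources(records):
    """DPF download URLs by CLSID; DDS defangs http(s) as hxxp(s), undone here for lookup."""
    return {r["clsid"]: re.sub(r"^hxxp(s?)://", r"http\1://", r["target"])
            for r in records if r["kind"] == "DPF" and r["target"]}


if __name__ == "__main__":
    recs = parse_dds(SAMPLE_DDS_LINES)
    print("IE loads:", *loaded_ie_dlls(recs), sep="\n  ")
    print("orphaned:", [r["clsid"] for r in orphaned_entries(recs)])
    print("autostart:", autostart_entries(recs))
    print("downloads:", download_sources(recs))
```

On the sample, the orphan list contains exactly the `{38D3FE60-...}` BHO that DDS reported as "No File", and the loaded-DLL list is what the post above reads off by hand.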
Old 03-17-2009, 12:33 PM   #13 (permalink)
Registered User
 
Join Date: Mar 2009
Posts: 7
OS: windows xp pro 2002 sp2


Re: Problems with a.bat zapchast.reg trojan

Billy: I'm very grateful! It's a pity you don't live nearby. We could go to the pub and I could buy you a beer ;-)

I've cleaned up my Internet Explorer and now it's working fine. I've started with downloading the program-suggestions you've made. I'll make sure to keep everything updated.

I even solved the network problem. In another forum I found someone with exactly the same problem as I: zapchast.reg with a network problem. He used winsockxpfix after the trojan was removed. I tried it and it worked.
Thank you very much!
Maud
Old 03-17-2009, 02:41 PM   #14 (permalink)
Analyst, Security Team
 
 
Join Date: Aug 2008
Location: Northfield, Ohio, United States
Posts: 1,693
OS: XPSP3, Vista Ultimate SP1, Ubuntu Server


Re: Problems with a.bat zapchast.reg trojan

Hello, maud138
Quote:
It's a pity you don't live nearby. We could go to the pub and I could buy you a beer ;-)
I'd have to turn 21 first lol! Thanks! Glad to hear you're all good :D

Since this issue appears resolved, this topic will now be closed. If you need continued support, please begin a new thread, and provide a link to this topic. This applies only to the original topic starter. Everyone else please begin a New Topic, after following the steps outlined here:

http://www.techsupportforum.com/secu...oval-help.html

Billy3
Copyright 2001 - 2009, Tech Support Forum