    #1 - Member (Join Date: Jun 2006, Posts: 28, Points: 0)

    Personal Shield Pro 2.20 spyware, please help :(

    Hi guys

    I'm stuck with this thing. I can't get it removed; it always comes back after a while... I just don't know what to do... Below is a HijackThis log.

    please help

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 22:08:42, on 9/07/2011
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\mIRC\mirc.exe
    C:\Program Files\Xfire\xfire.exe
    C:\Program Files\Microsoft Virtual PC\Virtual PC.exe
    C:\Program Files\Opera\opera.exe
    C:\Documents and Settings\Kristof Doclot\Mijn documenten\Kristof\pc format\nieuwe pc\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = eBay - one of Germany's largest shopping websites
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Canon Easy-WebPrint EX BHO - {3785D0AD-BFFF-47F6-BF5B-A587C162FED9} - C:\Program Files\Canon\Easy-WebPrint EX\ewpexbho.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O2 - BHO: PDFCreator Toolbar Helper - {C451C08A-EC37-45DF-AAAD-18B51AB5E837} - C:\Program Files\PDFCreator Toolbar\v3.3.0.1\PDFCreator_Toolbar.dll
    O2 - BHO: Ask Toolbar BHO - {F4D76F01-7896-458a-890F-E1F05C46069F} - C:\Program Files\AskPBar\bar\1.bin\ASKPBAR.DLL
    O3 - Toolbar: Ask Toolbar - {F4D76F09-7896-458a-890F-E1F05C46069F} - C:\Program Files\AskPBar\bar\1.bin\ASKPBAR.DLL
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: PDFCreator Toolbar - {31CF9EBE-5755-4A1D-AC25-2834D952D9B4} - C:\Program Files\PDFCreator Toolbar\v3.3.0.1\PDFCreator_Toolbar.dll
    O3 - Toolbar: Canon Easy-WebPrint EX - {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - C:\Program Files\Canon\Easy-WebPrint EX\ewpexhlp.dll
    O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\RaidTool\xInsIDE.exe
    O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
    O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\xRaidSetup.exe boot
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /installquiet
    O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
    O4 - HKLM\..\Run: [CanonSolutionMenuEx] C:\Program Files\Canon\Solution Menu EX\CNSEMAIN.EXE /logon
    O4 - HKLM\..\Run: [SpyHunter Security Suite] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter4.exe
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
    O4 - HKCU\..\RunOnce: [gD02300DkMfO02300] C:\Documents and Settings\All Users\Application Data\gD02300DkMfO02300\gD02300DkMfO02300.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Adobe Reader Snelle start.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {140E4DF8-9E14-4A34-9577-C77561ED7883} (SysInfo Class) - http://content.systemrequirementslab...i_4.1.71.0.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
    O16 - DPF: {40F576AD-8680-4F9E-9490-99D069CD665F} (System Requirements Lab Class) - http://srtest-cdn.systemrequirements...qlabdetect.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/micr...?1260965387151
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1258185273296
    O16 - DPF: {E6F480FC-BD44-4CBA-B74A-89AF7842937D} (SysInfo Class) - http://content.systemrequirementslab...i_4.4.21.0.cab
    O23 - Service: Mobiel Apple apparaat (Apple Mobile Device) - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour-service (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: DES2 Service for Energy Saving. (DES2 Service) - Unknown owner - C:\Program Files\GIGABYTE\EnergySaver2\des2svr.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Update-service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Canon Inkjet Printer/Scanner/Fax Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
    O23 - Service: iPod-service (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
    O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
    O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Smart TimeLock Service (Smart TimeLock) - Gigabyte Technology CO., LTD. - C:\Program Files\GIGABYTE\Smart6\Timelock\TimeMgmtDaemon.exe
    O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    O23 - Service: SpyHunter 4 Service - Enigma Software Group USA, LLC. - C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

    --
    End of file - 11638 bytes

    #2 - Member, Spyware Fighter (Join Date: Jun 2010, Location: Bement, Ill USA, Posts: 1,340, Points: 146)


    Hello soundwave12,
    • Welcome to Help2Go.
    • My name is fireman4it and I will be helping you with your Malware problem.

      Please take note of some guidelines for this fix:
    • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
    • If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
    • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".


    • Finally, please reply using the SUBMIT REPLY button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.


    1.
    Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
    Be sure to download TDSSKiller.exe (v2.5.6.0) from Kaspersky's website and not TDSSKiller.zip, which appears to be an older version (2.3.2.2) of the tool.
    • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
      Vista/Windows 7 users right-click and select Run As Administrator.
    • If TDSSKiller does not run, try renaming it.
    • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (e.g. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
    • Click the Start Scan button.
    • Do not use the computer during the scan.
    • If the scan completes with nothing found, click Close to exit.
    • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
    • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    • A log file named TDSSKiller_version_date_time_log.txt (e.g. TDSSKiller.2.5.6.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
    • Copy and paste the contents of that file in your next reply.



    2.
    Install Recovery Console and Run ComboFix

    This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

    Download Combofix from any of the links below, and save it to your desktop.

    Link 1
    Link 2
    • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
    • Close any open windows, including this one.
    • Double click on ComboFix.exe & follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • If you did not have it installed, you will see the prompt below. Choose YES.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    • Click on Yes, to continue scanning for malware.
    • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
    Leave your computer alone while ComboFix is running.
    ComboFix will restart your computer if malware is found; allow it to do so.


    Note: Please do NOT mouse-click ComboFix's window while it's running, because it may cause it to stall.


    Things to include in your next reply:
    TDSSKILLER log
    Combofix.txt
    How is your machine running now?
    " Extinguishing Malware from the world"

    The Spyware Help forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.
    HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
    Thanks-




    #3 - Member (Join Date: Jun 2006, Posts: 28, Points: 0)


    Hi, thank you for the reply. Here is the ComboFix report. TDSSKiller gave 1 threat, but I could only choose skip, delete or copy to quarantine (skip was checked automatically).

    ComboFix 11-07-10.03 - Kristof Doclot 10/07/2011 22:11:34.1.4 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.31.1043.18.3579.3168 [GMT 2:00]
    Started from: c:\documents and settings\Kristof Doclot\Bureaublad\ComboFix.exe
    .
    .
    (((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\All Users\Application Data\common.data
    c:\documents and settings\Kristof Doclot\WINDOWS
    c:\program files\DivX\DivX Pro Codec\gain_trickler_3202.exe
    c:\windows\IsUn0413.exe
    c:\windows\unin0413.exe
    c:\windows\vb.ini
    .
    .
    (((((((((((((((((((( Files Created from 2011-06-10 to 2011-07-10 ))))))))))))))))))))))))))))))
    .
    .
    2011-07-09 19:39 . 2011-07-10 19:33 -------- d--h--r- c:\documents and settings\Kristof Doclot\Onlangs geopend
    2011-07-09 19:35 . 2011-07-09 19:53 -------- d-----w- c:\program files\GridinSoft Trojan Killer
    2011-07-09 14:15 . 2011-07-09 14:15 110080 ----a-r- c:\documents and settings\Kristof Doclot\Application Data\Microsoft\Installer\{820C0EEB-9B12-4AD5-B39D-D15ED1DBDD06}\IconF7A21AF7.exe
    2011-07-09 14:15 . 2011-07-09 14:15 110080 ----a-r- c:\documents and settings\Kristof Doclot\Application Data\Microsoft\Installer\{820C0EEB-9B12-4AD5-B39D-D15ED1DBDD06}\IconD7F16134.exe
    2011-07-09 14:15 . 2011-07-09 14:15 110080 ----a-r- c:\documents and settings\Kristof Doclot\Application Data\Microsoft\Installer\{820C0EEB-9B12-4AD5-B39D-D15ED1DBDD06}\IconCF33A0CE.exe
    2011-07-09 14:15 . 2011-07-09 14:15 -------- d-----w- C:\sh4ldr
    2011-07-09 14:15 . 2011-07-09 14:15 -------- d-----w- c:\program files\Enigma Software Group
    2011-07-09 09:36 . 2011-07-09 09:36 101376 ----a-w- c:\windows\system32\drivers\rsutiidr.sys
    2011-07-02 14:25 . 2011-07-02 14:25 229208 ----a-w- c:\windows\system32\drivers\VMM.sys
    2011-07-02 14:24 . 2011-04-21 13:37 105472 -c----w- c:\windows\system32\dllcache\mup.sys
    .
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-07-10 19:45 . 2009-09-27 08:11 165232 ---ha-w- c:\documents and settings\Kristof Doclot\Application Data\Microsoft\Virtual PC\VPCKeyboard.dll
    2011-07-10 19:45 . 2010-12-06 18:22 17488 ----a-w- c:\windows\gdrv.sys
    2011-06-01 20:34 . 2011-06-01 20:34 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-05-29 07:11 . 2009-07-29 16:44 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-05-29 07:11 . 2009-07-29 16:44 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-05-02 15:31 . 2009-07-24 14:15 692736 ----a-w- c:\windows\system32\inetcomm.dll
    2011-04-29 17:25 . 2006-03-02 12:00 151552 ----a-w- c:\windows\system32\schannel.dll
    2011-04-29 16:19 . 2006-03-02 12:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2011-04-25 16:05 . 2006-03-02 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
    2011-04-25 16:05 . 2006-03-02 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2011-04-25 16:05 . 2006-03-02 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2011-04-25 12:01 . 2006-03-02 12:00 385024 ----a-w- c:\windows\system32\html.iec
    2011-04-21 13:37 . 2006-03-02 12:00 105472 ----a-w- c:\windows\system32\drivers\mup.sys
    2011-06-19 19:32 . 2011-04-25 18:21 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Registry Startup Points )))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legitimate default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2005-02-17 221184]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2010-01-19 43632]
    "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2002-08-19 50880]
    "ccRegVfy"="c:\program files\Common Files\Symantec Shared\ccRegVfy.exe" [2002-08-19 34504]
    "Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 76304]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
    "RTHDCPL"="RTHDCPL.EXE" [2010-03-26 19522592]
    "36X Raid Configurer"="c:\windows\system32\xRaidSetup.exe" [2010-01-19 1976944]
    "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-17 221184]
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-17 81920]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-10-16 13851752]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-10-16 110696]
    "nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-08-25 1753192]
    "CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2010-03-25 2516296]
    "CanonSolutionMenuEx"="c:\program files\Canon\Solution Menu EX\CNSEMAIN.EXE" [2010-04-02 1185112]
    "SpyHunter Security Suite"="c:\program files\Enigma Software Group\SpyHunter\SpyHunter4.exe" [2011-05-17 4706208]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
    .
    c:\documents and settings\All Users\Menu Start\Programma's\Opstarten\
    Adobe Reader Snelle start.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
    Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2010-6-1 805392]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
    2008-05-02 00:42 72208 ----a-w- c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
    @=""
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
    c:\windows\system32\dumprep 0 -k [X]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
    c:\windows\system32\dumprep 0 -u [X]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2009-07-13 12:03 292128 ----a-w- c:\program files\iTunes\iTunesHelper.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2008-04-14 17:03 1695232 ------w- c:\program files\Messenger\msmsgs.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2009-05-26 15:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2008-06-10 02:27 144784 ----a-w- c:\program files\Java\jre1.6.0_07\bin\jusched.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    2009-07-24 15:14 180269 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
    2004-12-20 18:41 33792 ----a-w- c:\program files\Winamp\winampa.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\THQ\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\XR_3DA.exe"=
    "c:\\Program Files\\THQ\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\dedicated\\XR_3DA.exe"=
    "c:\\WINDOWS\\system32\\PnkBstrA.exe"=
    "c:\\WINDOWS\\system32\\PnkBstrB.exe"=
    "c:\\Program Files\\Xfire\\xfire.exe"=
    "c:\\Program Files\\Opera\\opera.exe"=
    "c:\\Program Files\\Ubisoft\\Ubisoft Game Launcher\\UbisoftGameLauncher.exe"=
    "c:\\Program Files\\bitComposer Games\\S.T.A.L.K.E.R. - Call of Pripyat\\bin\\xrEngine.exe"=
    "c:\\Program Files\\bitComposer Games\\S.T.A.L.K.E.R. - Call of Pripyat\\bin\\dedicated\\xrEngine.exe"=
    "c:\\Program Files\\Shareaza\\Shareaza.exe"=
    "c:\\Program Files\\StarCraft II\\StarCraft II.exe"=
    "c:\\Program Files\\StarCraft II\\Versions\\Base15405\\SC2.exe"=
    "c:\\Program Files\\Steam\\Steam.exe"=
    "c:\\Program Files\\Steam\\SteamApps\\common\\sid meier's civilization v\\CivilizationV.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Steam\\SteamApps\\common\\fallout new vegas\\FalloutNVLauncher.exe"=
    "c:\\Program Files\\Steam\\SteamApps\\common\\call of duty black ops\\BlackOps.exe"=
    "c:\\Program Files\\Steam\\SteamApps\\common\\sid meier's civilization v\\Launcher.exe"=
    "c:\\Program Files\\Steam\\SteamApps\\common\\call of duty black ops\\BlackOpsMP.exe"=
    "c:\\Program Files\\TeamViewer\\Version6\\TeamViewer.exe"=
    "c:\\Program Files\\TeamViewer\\Version6\\TeamViewer_Service.exe"=
    .
    R2 DES2 Service;DES2 Service for Energy Saving.;c:\program files\GIGABYTE\EnergySaver2\des2svr.exe [6/12/2010 20:18 68136]
    R2 NProtectService;Norton Unerase Protection;c:\program files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE [24/07/2009 18:10 135168]
    R2 Smart TimeLock;Smart TimeLock Service;c:\program files\GIGABYTE\smart6\timelock\TimeMgmtDaemon.exe [6/12/2010 20:18 114688]
    R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [6/12/2010 20:31 100712]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [25/01/2010 22:08 135664]
    S2 rsutiidr;rsutiidr;c:\windows\system32\drivers\rsutiidr.sys [9/07/2011 11:36 101376]
    S2 SpyHunter 4 Service;SpyHunter 4 Service;c:\progra~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE [17/05/2011 17:45 735648]
    S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [6/12/2010 20:14 1691480]
    S3 gupdatem;Google Update-service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [25/01/2010 22:08 135664]
    S3 GVTDrv;GVTDrv;c:\windows\system32\drivers\GVTDrv.sys [6/12/2010 20:27 24944]
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - 42633902
    *Deregistered* - 42633902
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-07-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-25 20:08]
    .
    2011-07-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-25 20:08]
    .
    2011-07-10 c:\windows\Tasks\Symantec NetDetect.job
    - c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2009-07-24 07:04]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.ebay.de/
    uInternet Settings,ProxyOverride = *.local
    uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
    IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
    IE: Backward &Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
    IE: Cac&hed Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
    IE: E&xporteren naar Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    IE: Si&milar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
    IE: Translate into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
    TCP: DhcpNameServer = 195.130.131.129 192.168.123.254
    FF - ProfilePath - c:\documents and settings\Kristof Doclot\Application Data\Mozilla\Firefox\Profiles\zz1skoin.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.ebay.de/
    FF - prefs.js: network.proxy.type - 2
    .
    - - - - ORPHANS REMOVED - - - -
    .
    SafeBoot-rsutiidr
    MSConfigStartUp-BlackBerryAutoUpdate - c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
    MSConfigStartUp-RoxWatchTray - c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
    MSConfigStartUp-Trickler - c:\program files\divx\divx pro codec\gain_trickler_3202.exe
    AddRemove-ArcSoft PhotoStudio 2000 - c:\windows\IsUn0413.exe
    AddRemove-Canon ScanGear Toolbox 3.0 - c:\windows\IsUn0413.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
    Rootkit scan 2011-07-10 22:16
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning for hidden processes ...
    .
    scanning for hidden autostart entries ...
    .
    scanning for hidden files ...
    .
    Scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-842925246-261903793-839522115-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)
    "??"=hex:54,01,23,c5,14,09,28,e3,ca,79,5e,af,89,ee,dc,b1,5e,98,02,6e,b7,2b,f9,
    f8,81,e2,ff,14,d7,00,83,60,0a,34,2c,6d,d2,6f,0e,06,42,e5,ee,34,5a,99,d8,cf,\
    "??"=hex:5d,2e,bc,00,9b,07,bc,9c,34,34,87,88,c9,ab,ca,0d
    .
    [HKEY_USERS\S-1-5-21-842925246-261903793-839522115-1004\Software\SecuROM\License information*]
    "datasecu"=hex:74,5c,0a,b7,d6,b8,0e,71,71,40,53,98,20,8b,4b,7f,b5,13,8e,20,4e,
    e3,dd,01,e1,2f,65,b4,3d,ab,a5,44,eb,ad,27,1f,8f,eb,98,e7,f5,9d,1c,71,d8,38,\
    "rkeysecu"=hex:ee,ba,1b,9b,5f,b7,72,e9,bc,0b,7c,ff,20,31,53,e0
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(916)
    c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
    c:\program files\common files\logitech\bluetooth\LBTServ.dll
    .
    Voltooingstijd: 2011-07-10 22:17:12
    ComboFix-quarantined-files.txt 2011-07-10 20:16
    .
    Pre-Run: 86.727.700.480 bytes beschikbaar
    Post-Run: 88.929.038.336 bytes beschikbaar
    .
    WindowsXP-KB310994-SP2-Home-BootDisk-NLD.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect /usepmtimer
    .
    - - End Of File - - 8A8823A0474615E3B90676C6E1BCC51A

  4. #4
    Member Spyware Fighter
    Join Date
    Jun 2010
    Location
    Bement,Ill USA
    Posts
    1,340
    Points
    146

    Default

    Hello ,

    Please re-run TDSSKiller and choose delete, then post that log; I need to see it.

    Also how is your machine running now?
    " Extinguishing Malware from the world"

    The Spyware Help forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.
    HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
    Thanks-




  5. #5
    Member
    Join Date
    Jun 2006
    Posts
    28
    Points
    0

    Default

    This morning the trojan was back. I'm going to redo all the steps now and post both logs.

  6. #6
    Member
    Join Date
    Jun 2006
    Posts
    28
    Points
    0

    Default

    Here are both new reports. First the TDSSKiller report and then ComboFix.


    HKLM\SYSTEM\ControlSet001\services\rsutiidr - will be deleted after reboot
    HKLM\SYSTEM\ControlSet001\control\safeboot\Minimal\rsutiidr - will be deleted after reboot
    HKLM\SYSTEM\ControlSet001\control\safeboot\Network\rsutiidr - will be deleted after reboot
    HKLM\SYSTEM\ControlSet003\services\rsutiidr - will be deleted after reboot
    HKLM\SYSTEM\ControlSet003\control\safeboot\Minimal\rsutiidr - will be deleted after reboot
    HKLM\SYSTEM\ControlSet003\control\safeboot\Network\rsutiidr - will be deleted after reboot
    C:\WINDOWS\system32\drivers\rsutiidr.sys - will be deleted after reboot




    ComboFix 11-07-10.05 - Kristof Doclot 11/07/2011 9:32.2.4 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.31.1043.18.3579.3020 [GMT 2:00]
    Gestart vanuit: c:\documents and settings\Kristof Doclot\Bureaublad\ComboFix.exe
    AV: Norton AntiVirus *Disabled/Outdated* {B5510F6F-87E1-47F7-A411-360BC453007C}
    .
    .
    (((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\All Users\Application Data\common.data
    c:\documents and settings\All Users\Application Data\kJ02300HpLlH02300
    c:\documents and settings\All Users\Application Data\kJ02300HpLlH02300\kJ02300HpLlH02300
    c:\documents and settings\All Users\Application Data\kJ02300HpLlH02300\kJ02300HpLlH02300.exe
    .
    .
    (((((((((((((((((((( Bestanden Gemaakt van 2011-06-11 to 2011-07-11 ))))))))))))))))))))))))))))))
    .
    .
    2011-07-09 19:39 . 2011-07-11 07:26 -------- d--h--r- c:\documents and settings\Kristof Doclot\Onlangs geopend
    2011-07-09 19:35 . 2011-07-09 19:53 -------- d-----w- c:\program files\GridinSoft Trojan Killer
    2011-07-09 14:15 . 2011-07-09 14:15 110080 ----a-r- c:\documents and settings\Kristof Doclot\Application Data\Microsoft\Installer\{820C0EEB-9B12-4AD5-B39D-D15ED1DBDD06}\IconF7A21AF7.exe
    2011-07-09 14:15 . 2011-07-09 14:15 110080 ----a-r- c:\documents and settings\Kristof Doclot\Application Data\Microsoft\Installer\{820C0EEB-9B12-4AD5-B39D-D15ED1DBDD06}\IconD7F16134.exe
    2011-07-09 14:15 . 2011-07-09 14:15 110080 ----a-r- c:\documents and settings\Kristof Doclot\Application Data\Microsoft\Installer\{820C0EEB-9B12-4AD5-B39D-D15ED1DBDD06}\IconCF33A0CE.exe
    2011-07-09 14:15 . 2011-07-09 14:15 -------- d-----w- C:\sh4ldr
    2011-07-09 14:15 . 2011-07-09 14:15 -------- d-----w- c:\program files\Enigma Software Group
    2011-07-02 14:25 . 2011-07-02 14:25 229208 ----a-w- c:\windows\system32\drivers\VMM.sys
    2011-07-02 14:24 . 2011-04-21 13:37 105472 -c----w- c:\windows\system32\dllcache\mup.sys
    .
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-07-11 07:27 . 2010-12-06 18:22 17488 ----a-w- c:\windows\gdrv.sys
    2011-07-10 19:45 . 2009-09-27 08:11 165232 ---ha-w- c:\documents and settings\Kristof Doclot\Application Data\Microsoft\Virtual PC\VPCKeyboard.dll
    2011-06-01 20:34 . 2011-06-01 20:34 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-05-29 07:11 . 2009-07-29 16:44 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-05-29 07:11 . 2009-07-29 16:44 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-05-02 15:31 . 2009-07-24 14:15 692736 ----a-w- c:\windows\system32\inetcomm.dll
    2011-04-29 17:25 . 2006-03-02 12:00 151552 ----a-w- c:\windows\system32\schannel.dll
    2011-04-29 16:19 . 2006-03-02 12:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2011-04-25 16:05 . 2006-03-02 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
    2011-04-25 16:05 . 2006-03-02 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2011-04-25 16:05 . 2006-03-02 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2011-04-25 12:01 . 2006-03-02 12:00 385024 ----a-w- c:\windows\system32\html.iec
    2011-04-21 13:37 . 2006-03-02 12:00 105472 ----a-w- c:\windows\system32\drivers\mup.sys
    2011-06-19 19:32 . 2011-04-25 18:21 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2011-07-10_20.16.02 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2006-03-02 12:00 . 2008-04-14 17:02 399872 c:\windows\system32\dllcache\cmd.exe
    + 2006-03-02 12:00 . 2008-04-14 17:02 125952 c:\windows\system32\dllcache\apphelp.dll
    + 2006-03-02 12:00 . 2009-11-21 16:03 471552 c:\windows\system32\dllcache\aclayers.dll
    - 2009-12-09 05:59 . 2009-11-21 16:03 471552 c:\windows\system32\dllcache\aclayers.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2005-02-17 221184]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2010-01-19 43632]
    "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2002-08-19 50880]
    "ccRegVfy"="c:\program files\Common Files\Symantec Shared\ccRegVfy.exe" [2002-08-19 34504]
    "Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 76304]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
    "RTHDCPL"="RTHDCPL.EXE" [2010-03-26 19522592]
    "36X Raid Configurer"="c:\windows\system32\xRaidSetup.exe" [2010-01-19 1976944]
    "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-17 221184]
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-17 81920]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-10-16 13851752]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-10-16 110696]
    "nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-08-25 1753192]
    "CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2010-03-25 2516296]
    "CanonSolutionMenuEx"="c:\program files\Canon\Solution Menu EX\CNSEMAIN.EXE" [2010-04-02 1185112]
    "SpyHunter Security Suite"="c:\program files\Enigma Software Group\SpyHunter\SpyHunter4.exe" [2011-05-17 4706208]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
    .
    c:\documents and settings\All Users\Menu Start\Programma's\Opstarten\
    Adobe Reader Snelle start.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
    Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2010-6-1 805392]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
    2008-05-02 00:42 72208 ----a-w- c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
    @=""
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
    c:\windows\system32\dumprep 0 -k [X]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
    c:\windows\system32\dumprep 0 -u [X]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2009-07-13 12:03 292128 ----a-w- c:\program files\iTunes\iTunesHelper.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2008-04-14 17:03 1695232 ------w- c:\program files\Messenger\msmsgs.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2009-05-26 15:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2008-06-10 02:27 144784 ----a-w- c:\program files\Java\jre1.6.0_07\bin\jusched.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    2009-07-24 15:14 180269 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
    2004-12-20 18:41 33792 ----a-w- c:\program files\Winamp\winampa.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\THQ\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\XR_3DA.exe"=
    "c:\\Program Files\\THQ\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\dedicated\\XR_3DA.exe"=
    "c:\\WINDOWS\\system32\\PnkBstrA.exe"=
    "c:\\WINDOWS\\system32\\PnkBstrB.exe"=
    "c:\\Program Files\\Xfire\\xfire.exe"=
    "c:\\Program Files\\Opera\\opera.exe"=
    "c:\\Program Files\\Ubisoft\\Ubisoft Game Launcher\\UbisoftGameLauncher.exe"=
    "c:\\Program Files\\bitComposer Games\\S.T.A.L.K.E.R. - Call of Pripyat\\bin\\xrEngine.exe"=
    "c:\\Program Files\\bitComposer Games\\S.T.A.L.K.E.R. - Call of Pripyat\\bin\\dedicated\\xrEngine.exe"=
    "c:\\Program Files\\Shareaza\\Shareaza.exe"=
    "c:\\Program Files\\StarCraft II\\StarCraft II.exe"=
    "c:\\Program Files\\StarCraft II\\Versions\\Base15405\\SC2.exe"=
    "c:\\Program Files\\Steam\\Steam.exe"=
    "c:\\Program Files\\Steam\\SteamApps\\common\\sid meier's civilization v\\CivilizationV.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Steam\\SteamApps\\common\\fallout new vegas\\FalloutNVLauncher.exe"=
    "c:\\Program Files\\Steam\\SteamApps\\common\\call of duty black ops\\BlackOps.exe"=
    "c:\\Program Files\\Steam\\SteamApps\\common\\sid meier's civilization v\\Launcher.exe"=
    "c:\\Program Files\\Steam\\SteamApps\\common\\call of duty black ops\\BlackOpsMP.exe"=
    "c:\\Program Files\\TeamViewer\\Version6\\TeamViewer.exe"=
    "c:\\Program Files\\TeamViewer\\Version6\\TeamViewer_Service.exe"=
    .
    R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [6/12/2010 20:31 100712]
    S2 DES2 Service;DES2 Service for Energy Saving.;c:\program files\GIGABYTE\EnergySaver2\des2svr.exe [6/12/2010 20:18 68136]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [25/01/2010 22:08 135664]
    S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [6/12/2010 20:14 1691480]
    S3 gupdatem;Google Update-service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [25/01/2010 22:08 135664]
    S3 GVTDrv;GVTDrv;c:\windows\system32\drivers\GVTDrv.sys [6/12/2010 20:27 24944]
    .
    --- Andere Services/Drivers In Geheugen ---
    .
    *NewlyCreated* - 33895437
    *NewlyCreated* - 65642480
    *Deregistered* - 33895437
    *Deregistered* - 65642480
    .
    Inhoud van de 'Gedeelde Taken' map
    .
    2011-07-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-25 20:08]
    .
    2011-07-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-25 20:08]
    .
    2011-07-11 c:\windows\Tasks\Symantec NetDetect.job
    - c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2009-07-24 07:04]
    .
    .
    ------- Bijkomende Scan -------
    .
    uStart Page = hxxp://www.ebay.de/
    uInternet Settings,ProxyOverride = *.local
    uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
    IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
    IE: Backward &Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
    IE: Cac&hed Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
    IE: E&xporteren naar Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    IE: Si&milar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
    IE: Translate into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
    TCP: DhcpNameServer = 195.130.131.129 192.168.123.254
    FF - ProfilePath - c:\documents and settings\Kristof Doclot\Application Data\Mozilla\Firefox\Profiles\zz1skoin.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.ebay.de/
    FF - prefs.js: network.proxy.type - 2
    .
    - - - - ORPHANS VERWIJDERD - - - -
    .
    SafeBoot-65642480.sys
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
    Rootkit scan 2011-07-11 09:40
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scannen van verborgen processen ...
    .
    scannen van verborgen autostart items ...
    .
    scannen van verborgen bestanden ...
    .
    Scan succesvol afgerond
    verborgen bestanden: 0
    .
    **************************************************************************
    .
    --------------------- VERGRENDELDE REGISTER SLEUTELS ---------------------
    .
    [HKEY_USERS\S-1-5-21-842925246-261903793-839522115-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)
    "??"=hex:54,01,23,c5,14,09,28,e3,ca,79,5e,af,89,ee,dc,b1,5e,98,02,6e,b7,2b,f9,
    f8,81,e2,ff,14,d7,00,83,60,0a,34,2c,6d,d2,6f,0e,06,42,e5,ee,34,5a,99,d8,cf,\
    "??"=hex:5d,2e,bc,00,9b,07,bc,9c,34,34,87,88,c9,ab,ca,0d
    .
    [HKEY_USERS\S-1-5-21-842925246-261903793-839522115-1004\Software\SecuROM\License information*]
    "datasecu"=hex:74,5c,0a,b7,d6,b8,0e,71,71,40,53,98,20,8b,4b,7f,b5,13,8e,20,4e,
    e3,dd,01,e1,2f,65,b4,3d,ab,a5,44,eb,ad,27,1f,8f,eb,98,e7,f5,9d,1c,71,d8,38,\
    "rkeysecu"=hex:ee,ba,1b,9b,5f,b7,72,e9,bc,0b,7c,ff,20,31,53,e0
    .
    --------------------- DLLs Geladen Onder Lopende Processen ---------------------
    .
    - - - - - - - > 'winlogon.exe'(912)
    c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
    c:\program files\common files\logitech\bluetooth\LBTServ.dll
    .
    Voltooingstijd: 2011-07-11 09:41:44
    ComboFix-quarantined-files.txt 2011-07-11 07:41
    ComboFix2.txt 2011-07-10 20:17
    .
    Pre-Run: 88.845.471.744 bytes beschikbaar
    Post-Run: 88.696.500.224 bytes beschikbaar
    .
    - - End Of File - - 2EC01388CB7E9FE026FF2CF8F710BE43

  7. #7
    Member
    Join Date
    Jun 2006
    Posts
    28
    Points
    0

    Default

    I just rebooted now after pasting these logs. Right now the trojan appears gone. But I've had this before. It always showed back up after 5-9 hours.

  8. #8
    Member Spyware Fighter
    Join Date
    Jun 2010
    Location
    Bement,Ill USA
    Posts
    1,340
    Points
    146

    Default

    Hello,

    Looks like TDSSKiller picked up a bad driver and deleted it. Your logs look good; let's do some final checking.

    1.
    Please download Malwarebytes' Anti-Malware (v1.50) and save it to your desktop.

    Malwarebytes' may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

    • Make sure you are connected to the Internet and double-click on mbam-setup.exe to install the application.
      For instructions with screenshots, please refer to this Guide.
    • When the installation begins, follow the prompts and do not make any changes to default settings.
    • Malwarebytes will automatically start and you will be asked to update the program before performing a scan.
    • If an update is found, the program will automatically update itself. Press the OK button and continue.
    • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.

    • Under the Scanner tab, make sure the "Perform Quick Scan" option is selected.
    • Click on the Scan button.
    • When finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
    • Click OK to close the message box, then click the Show Results button to see a list of any malware that was found.
    • Make sure that everything is checked and then click Remove Selected.
    • When removal is completed, a log report will open in Notepad.
    • The log is automatically saved and can be viewed by clicking the Logs tab.
    • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.
    • Exit Malwarebytes' when done.

    Note: If Malwarebytes' encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes' from removing all the malware.


    2.
    I'd like us to scan your machine with ESET OnlineScan
    1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
      ESET OnlineScan
    2. Click the button.
    3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
      1. Click on to download the ESET Smart Installer. Save it to your desktop.
      2. Double click on the icon on your desktop.
    4. Check
    5. Click the button.
    6. Accept any security warnings from your browser.
    7. Under scan settings, check and check Remove found threats
    8. Click Advanced settings and select the following:
      • Scan potentially unwanted applications
      • Scan for potentially unsafe applications
      • Enable Anti-Stealth technology
    9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    10. When the scan completes, push
    11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    12. Push the button.
    13. Push





    Things to include in your next reply:
    MBAM log
    ESET log
    A new HiJackThis log
    How is your machine running now?
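TDSSKiller only marks the driver's service key, its SafeBoot entries and the .sys file for deletion at the next reboot. The following PowerShell script is an added example (not part of this thread or of the helper's instructions) that re-reads those exact log lines from post #6 and confirms, after the reboot, that every listed registry key and file is really gone; the only input it assumes is that copied log text.

```powershell
# Added example: post-reboot verification of a TDSSKiller "will be deleted after reboot" report.
# The log lines below are copied verbatim from the TDSSKiller output posted in this thread.
$tdssLog = @'
HKLM\SYSTEM\ControlSet001\services\rsutiidr - will be deleted after reboot
HKLM\SYSTEM\ControlSet001\control\safeboot\Minimal\rsutiidr - will be deleted after reboot
HKLM\SYSTEM\ControlSet001\control\safeboot\Network\rsutiidr - will be deleted after reboot
HKLM\SYSTEM\ControlSet003\services\rsutiidr - will be deleted after reboot
HKLM\SYSTEM\ControlSet003\control\safeboot\Minimal\rsutiidr - will be deleted after reboot
HKLM\SYSTEM\ControlSet003\control\safeboot\Network\rsutiidr - will be deleted after reboot
C:\WINDOWS\system32\drivers\rsutiidr.sys - will be deleted after reboot
'@

function Get-PendingDeletions {
    param([string]$LogText)
    # Each report line is "<path> - will be deleted after reboot"; return only the path part.
    foreach ($line in $LogText -split '\r?\n') {
        if ($line -match '^(?<path>.+?) - will be deleted after reboot\s*$') {
            $Matches['path']
        }
    }
}

function Test-ItemRemoved {
    param([string]$Path)
    # TDSSKiller writes registry paths with the HKLM\ shorthand; Test-Path needs the
    # Registry:: provider and the long hive name. Anything else is treated as a file path.
    $hives = @{ 'HKLM' = 'HKEY_LOCAL_MACHINE'; 'HKCU' = 'HKEY_CURRENT_USER'; 'HKU' = 'HKEY_USERS' }
    if ($Path -match '^(?<hive>HKLM|HKCU|HKU)\\(?<rest>.+)$') {
        $psPath = 'Registry::{0}\{1}' -f $hives[$Matches['hive']], $Matches['rest']
        $kind = 'Registry'
    } else {
        $psPath = $Path
        $kind = 'File'
    }
    [pscustomobject]@{
        Kind    = $kind
        Path    = $Path
        Removed = -not (Test-Path -LiteralPath $psPath)
    }
}

$results = Get-PendingDeletions -LogText $tdssLog | ForEach-Object { Test-ItemRemoved -Path $_ }
$results | Format-Table -AutoSize

# A driver registered under both SafeBoot\Minimal and SafeBoot\Network (as rsutiidr was)
# is loaded even in Safe Mode, so any entry still present means the cleanup did not take
# and the machine should be rescanned before calling it clean.
if ($results | Where-Object { -not $_.Removed }) {
    Write-Warning 'Some items reported by TDSSKiller are still present on this system.'
}
```

Run it from an elevated PowerShell prompt after the reboot TDSSKiller requested; every row should show Removed = True.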




  9. #9
    Member
    Join Date
    Jun 2006
    Posts
    28
    Points
    0

    Default

    hi,

    Sorry about the late reply. I'll be doing the 2 scans today. The virus hasn't popped back up since Monday, so it seems to be gone!
    I'll post the logs later today!

    thank you very much for all your help!

  10. #10
    Member Spyware Fighter
    Join Date
    Jun 2010
    Location
    Bement,Ill USA
    Posts
    1,340
    Points
    146

    Default

    Ok, Thanks



