My computer, running Windows XP SP2, has been infected with Smitfraud.
I scanned my whole drive in Safe Mode with SmitRem, Ad-Aware and AVG Anti-Spyware.
Then I rebooted and scanned with Panda ActiveScan.
I still get pop-ups while surfing the net...
These are my reports:
smitRem © log file
version 3.2
by noahdfear
Microsoft Windows XP [versie 5.1.2600]
"IE"="7.0000"
Running from
E:\download\beheer\SmitRem\smitRem
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Pre-run SharedTask Export
(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright(C) 2006 BleepingComputer.com
Registry Pseudo-Format Mode (Not a valid reg file):
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Preloader van browseui"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Cache-daemon voor onderdeelcategorieën"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Appinitdll check ........ Thank you Grinler!
dumphive.exe (C)2000-2004 Markus Stephany
REGEDIT4
[Windows]
"AppInit_DLLs"=" AMINIT.dll"
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
XP Firewall allowed access
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\dpmw32.exe"="C:\\WINDOWS\\system32\\dpmw32.exe:*:Enabled:dpmw32"
"C:\\Program Files\\Ceterm\\warftpd\\warftpd.exe"="C:\\Program Files\\Ceterm\\warftpd\\warftpd.exe:*:Enabled:War FTP Daemon for Windows 95 / NT"
"C:\\Program Files\\Microsoft Office\\Office10\\FRONTPG.EXE"="C:\\Program Files\\Microsoft Office\\Office10\\FRONTPG.EXE:*:Enabled:FRONTPG.EXE"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.0"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\Program Files\\Altiris\\AClient\\AClntUsr.EXE"="C:\\Program Files\\Altiris\\AClient\\AClntUsr.EXE:*:Enabled:AClntUsr - AClient Interactive User Service"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\DOCUME~1\\BEHEER~1\\LOCALS~1\\Temp\\win29D.tmp.exe"="C:\\DOCUME~1\\BEHEER~1\\LOCALS~1\\Temp\\win29D.tmp.exe:*:Enabled:win29D.tmp"
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Enabled:Internet Explorer"
"C:\\WINDOWS\\TEMP\\winAF.tmp.exe"="C:\\WINDOWS\\TEMP\\winAF.tmp.exe:*:Enabled:winAF.tmp"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
checking for ShudderLTD key
ShudderLTD key not present!
checking for PSGuard.com key
PSGuard.com key not present!
checking for WinHound.com key
WinHound.com key not present!
checking for drsmartload2 key
drsmartload2 key not present!
spyaxe uninstaller NOT present
Winhound uninstaller NOT present
SpywareStrike uninstaller NOT present
AlfaCleaner uninstaller NOT present
SpyFalcon uninstaller NOT present
SpywareQuake uninstaller NOT present
SpywareSheriff uninstaller NOT present
Trust Cleaner uninstaller NOT present
SpyHeal uninstaller NOT present
VirusBurst uninstaller NOT present
BraveSentry uninstaller NOT present
AntiVermins uninstaller NOT present
VirusBursters uninstaller NOT present
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Existing Pre-run Files
~~~ Program Files ~~~
~~~ Shortcuts ~~~
~~~ Favorites ~~~
~~~ system32 folder ~~~
amcompat.tlb
nscompat.tlb
~~~ Icons in System32 ~~~
~~~ Windows directory ~~~
~~~ Drive root ~~~
~~~ Miscellaneous Files/folders ~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1004 'explorer.exe'
Killing PID 1004 'explorer.exe'
Starting registry repairs
Registry repairs complete
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SharedTask Export after registry fix
(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright(C) 2006 BleepingComputer.com
Registry Pseudo-Format Mode (Not a valid reg file):
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Preloader van browseui"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Cache-daemon voor onderdeelcategorieën"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Deleting files
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Remaining Post-run Files
~~~ Program Files ~~~
~~~ Shortcuts ~~~
~~~ Favorites ~~~
~~~ system32 folder ~~~
amcompat.tlb
nscompat.tlb
~~~ Icons in System32 ~~~
~~~ Windows directory ~~~
~~~ Drive root ~~~
~~~ Miscellaneous Files/folders ~~~
~~~ Wininet.dll ~~~
wininet.dll is missing!!
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 9:12:12 22/05/2007
+ Scan result:
C:\Program Files\Bug Doctor -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Program Files\Bug Doctor\BugDoctor.exe -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Program Files\Bug Doctor\BugDoctorLiveUpdate.exe -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Program Files\Bug Doctor\FixedOnThursdayMay042006103713.xml -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Program Files\Bug Doctor\FixedOnWednesdayNovember302005140132.xml -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Program Files\Bug Doctor\PC Power Suite.url -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Program Files\Bug Doctor\skin -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Program Files\Bug Doctor\skin.ini -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Program Files\Bug Doctor\skin\LiveUpdate_disable.gif -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Program Files\Bug Doctor\skin\LiveUpdate_normal.gif -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Program Files\Bug Doctor\skin\LiveUpdate_pressed.gif -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Program Files\Bug Doctor\skin\LiveUpdate_rollover.gif -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Program Files\Bug Doctor\skin\SubMainDisable.gif -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Program Files\Bug Doctor\skin\SubMainNormal.gif -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Program Files\Bug Doctor\skin\SubMainPressed.gif -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Program Files\Bug Doctor\skin\SubMainRollOver.gif -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Program Files\Bug Doctor\skin\bug.swf -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Program Files\Bug Doctor\skin\fix_complete-disable.gif -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Program Files\Bug Doctor\skin\fix_complete-normal.gif -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Program Files\Bug Doctor\skin\fix_complete-pressed.gif -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Program Files\Bug Doctor\skin\fix_complete-roll_over.gif -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Program Files\Bug Doctor\skin\fixing_error-disable.gif -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Program Files\Bug Doctor\skin\fixing_error-normal.gif -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Program Files\Bug Doctor\skin\fixing_error-pressed.gif -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Program Files\Bug Doctor\skin\fixing_error-rollover.gif -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Program Files\Bug Doctor\skin\main_disable.jpg -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Program Files\Bug Doctor\skin\main_enable.jpg -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Program Files\Bug Doctor\skin\main_pressed.jpg -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Program Files\Bug Doctor\skin\main_roll_over.jpg -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Program Files\Bug Doctor\skin\mask.bmp -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Program Files\Bug Doctor\skin\mask1.bmp -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Program Files\Bug Doctor\skin\scan.swf -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Program Files\Bug Doctor\skin\scan_complete-disable.gif -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Program Files\Bug Doctor\skin\scan_complete-normal.gif -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Program Files\Bug Doctor\skin\scan_complete-pressed.gif -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Program Files\Bug Doctor\skin\scan_complete-roll_over.gif -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Program Files\Bug Doctor\skin\scancomplete.gif -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Program Files\Bug Doctor\skin\scanning_error-disable.gif -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Program Files\Bug Doctor\skin\scanning_error-normal.gif -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Program Files\Bug Doctor\skin\scanning_error-pressed.gif -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Program Files\Bug Doctor\skin\scanning_error-rollover.gif -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Program Files\Bug Doctor\skin\schedule_disable.gif -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Program Files\Bug Doctor\skin\schedule_normal.gif -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Program Files\Bug Doctor\skin\schedule_pressed.gif -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Program Files\Bug Doctor\skin\schedule_rollover.gif -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Program Files\Bug Doctor\skin\skin.ini -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Program Files\Bug Doctor\skin\support_disable.gif -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Program Files\Bug Doctor\skin\support_normal.gif -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Program Files\Bug Doctor\skin\support_pressed.gif -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Program Files\Bug Doctor\skin\support_rollover.gif -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Program Files\Bug Doctor\skin\unlock_key-disable.gif -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Program Files\Bug Doctor\skin\unlock_key-normal.gif -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Program Files\Bug Doctor\skin\unlock_key-pressed.gif -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Program Files\Bug Doctor\skin\unlock_key-roll_over.gif -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Program Files\Bug Doctor\unins000.dat -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Program Files\Bug Doctor\unins000.exe -> Adware.BugDoctor : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Bug Doctor_is1 -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\WINDOWS\b136.exe -> Adware.Softomate : Cleaned with backup (quarantined).
E:\download\labels\avery\averylabelprov3.02.exe/keygen.exe -> Adware.Virtumonde : Cleaned with backup (quarantined).
E:\download\labels\avery\patch\install.exe -> Downloader.Agent.bls : Cleaned with backup (quarantined).
E:\download\labels\avery\patch\crack.exe -> Downloader.Nurech.ak : Cleaned with backup (quarantined).
E:\Mijn ontvangen bestanden\lithium15_en.zip/Lithium 1.5.exe -> Not-A-Virus.HackTool.Win32.VB.at : Ignored.
C:\fslrdr\5\[_B_]PROGRAMFILES[_E_]\Mail PassView\mailpv.exe -> Not-A-Virus.PSWTool.Win32.MailPassView.130 : Ignored.
E:\download\paswoorden\paswoorden.zip/pspv.zip/pspv.exe -> Not-A-Virus.PSWTool.Win32.PassView.162 : Ignored.
E:\download\paswoorden\pspv.zip/pspv.exe -> Not-A-Virus.PSWTool.Win32.PassView.162 : Ignored.
E:\download\systeem\netwerk\security\pwdump2-orig.zip/pwdump2.exe -> Not-A-Virus.PSWTool.Win32.PWDump.2 : Ignored.
E:\download\systeem\netwerk\security\pwdump2-orig.zip/samdump.dll -> Not-A-Virus.PSWTool.Win32.PWDump.2 : Ignored.
E:\download\systeem\netwerk\security\pwdump2.zip/pwdump2/samdump.dll -> Not-A-Virus.PSWTool.Win32.PWDump2 : Ignored.
C:\Program Files\LogMeIn\LMIinit.dll -> Not-A-Virus.RemoteAdmin.Win32.RemotelyAnywhere.a : Ignored.
C:\Program Files\LogMeIn\update\2-30-547.bak\LMIinit.dll -> Not-A-Virus.RemoteAdmin.Win32.RemotelyAnywhere.a : Ignored.
C:\WINDOWS\system32\LMIinit.dll -> Not-A-Virus.RemoteAdmin.Win32.RemotelyAnywhere.a : Ignored.
C:\WINDOWS\system32\LMIinit.dll.000.bak -> Not-A-Virus.RemoteAdmin.Win32.RemotelyAnywhere.a : Ignored.
[272] C:\WINDOWS\system32\LMIinit.dll -> Not-A-Virus.RemoteAdmin.Win32.RemotelyAnywhere.a : Ignored.
C:\WINDOWS\system32\drivers\core.sys -> Rootkit.Agent.eq : Cleaned with backup (quarantined).
C:\Documents and Settings\cdrom\Cookies\cdrom@burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\cdrom\Cookies\cdrom@ads.gamershell[1].txt -> TrackingCookie.Gamershell : Cleaned.
C:\Documents and Settings\cdrom\Cookies\cdrom@gamershell[1].txt -> TrackingCookie.Gamershell : Cleaned.
C:\Documents and Settings\BIB\Cookies\bib@intelli-direct[1].txt -> TrackingCookie.Intelli-direct : Cleaned.
C:\Documents and Settings\BIB\Cookies\bib@search.live[2].txt -> TrackingCookie.Live : Cleaned.
C:\Documents and Settings\BIB\Cookies\bib@search.msn[1].txt -> TrackingCookie.Msn : Cleaned.
C:\Documents and Settings\cdrom\Cookies\cdrom@search.msn[1].txt -> TrackingCookie.Msn : Cleaned.
C:\Documents and Settings\BIB\Cookies\bib@navrcholu[2].txt -> TrackingCookie.Navrcholu : Cleaned.
C:\Documents and Settings\BIB\Cookies\bib@ads.planetactive[1].txt -> TrackingCookie.Planetactive : Cleaned.
C:\Documents and Settings\BIB\Cookies\bib@m.webtrends[1].txt -> TrackingCookie.Webtrends : Cleaned.
C:\Documents and Settings\BIB\Local Settings\Temporary Internet Files\Content.IE5\EZAZ292V\q3q99[1].exe -> Trojan.Dialer.pz : Cleaned with backup (quarantined).
C:\fslrdr\B\S-1-5-21-1292428093-725345543-1801674531-1007\[_B_]CACHE[_E_]\Content.IE5\DB0D5ISW\q3q99[1].exe -> Trojan.Dialer.pz : Cleaned with backup (quarantined).
C:\fslrdr\B\[_B_]WINDIR[_E_]\TEMP\win49E.tmp -> Trojan.Dialer.pz : Cleaned with backup (quarantined).
C:\fslrdr\B\[_B_]WINDIR[_E_]\TEMP\win49F.tmp -> Trojan.Dialer.pz : Cleaned with backup (quarantined).
C:\fslrdr\B\[_B_]WINDIR[_E_]\TEMP\win4A0.tmp -> Trojan.Dialer.pz : Cleaned with backup (quarantined).
C:\fslrdr\B\[_B_]WINDIR[_E_]\TEMP\win4A1.tmp -> Trojan.Dialer.pz : Cleaned with backup (quarantined).
::Report end
Panda Activescan
Incident Status Location
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\qipuibrj.dll
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\beheerder\Cookies\beheerder@advertising[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\beheerder\Cookies\beheerder@doubleclick[1].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\beheerder\Cookies\beheerder@mediaplex[1].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\BIB\Cookies\bib@atwola[1].txt
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\BIB\Cookies\bib@xiti[1].txt
Spyware:Spyware/Virtumonde Not disinfected C:\Documents and Settings\BIB\Local Settings\Temporary Internet Files\Content.IE5\KLC1EF01\fill[1]
Spyware:Cookie/Beweb Not disinfected C:\Documents and Settings\cdrom\Cookies\cdrom@beweb[2].txt
Spyware:Cookie/Cd Freaks Not disinfected C:\Documents and Settings\cdrom\Cookies\cdrom@cdfreaks[2].txt
Spyware:Cookie/Cd Freaks Not disinfected C:\Documents and Settings\cdrom\Cookies\cdrom@club.cdfreaks[2].txt
Potentially unwanted tool:Application/MailPassView Not disinfected C:\fslrdr\5\[_B_]PROGRAMFILES[_E_]\Mail PassView\mailpv.exe
Security Risk:HackTool/Gendel.A Not disinfected C:\gendel32.exe
Adware:Adware/WinAntivirus2006 Not disinfected C:\WINDOWS\system32\dxvxjtod.dll
Potentially unwanted tool:Application/Processor Not disinfected E:\download\beheer\SmitRem\smitRem\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected E:\download\beheer\smitRem.exe[smitRem/Process.exe]
Potentially unwanted tool:Application/Pskill.E Not disinfected E:\download\beheer\win2k\Pstools.zip[pskill.exe]
Potentially unwanted tool:Application/MailPassView Not disinfected E:\download\paswoorden\mailpv_setup.exe[mailpv.exe]
Hacktool:Hacktool/Passview.E Not disinfected E:\download\paswoorden\paswoorden.zip[pspv.zip][pspv.exe]
Potentially unwanted tool:Application/MailPassView Not disinfected E:\download\paswoorden\paswoorden.zip[mailpv_setup.exe][mailpv.exe]
Hacktool:Hacktool/MSNPass.F Not disinfected E:\download\paswoorden\paswoorden.zip[mspass_setup.exe][mspass.exe]
Hacktool:Hacktool/Passview.E Not disinfected E:\download\paswoorden\pspv.zip[pspv.exe]
Hacktool:HackTool/Samdump Not disinfected E:\download\systeem\netwerk\security\pwdump2.zip[pwdump2/pwdump2.exe]
Hacktool:HackTool/Samdump Not disinfected E:\download\systeem\netwerk\security\pwdump2.zip[pwdump2/samdump.dll]
Hacktool:HackTool Program.VA Not disinfected E:\Mijn ontvangen bestanden\lithium15_en.zip[Lithium 1.5.exe]
Hacktool:Exploit/iFrame Not disinfected Lokale mappen\Archief\2003\Reactie vanop website
Hacktool:Hacktool/RegPatch.A Not disinfected Lokale mappen\Verzonden items\2003\Alcohol Software is DVD - CD burning software. CD & DVD burner, recorder and ri\Alcohol_120%_v1[1].4.6_build_711.zip[REGPATCH.EXE]
Logfile of HijackThis v1.99.1
Scan saved at 11:33:33, on 22/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Altiris\AClient\AClient.exe
C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\ccsrvc.exe
C:\Program Files\Altiris\Carbon Copy\shellker.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
C:\Program Files\LogMeIn\RaMaint.exe
C:\Program Files\LogMeIn\LogMeIn.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Novell\ZENworks\nalntsrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\WolSerNT.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Novell\ZENworks\wm.exe
C:\Program Files\Novell\ZENworks\WMRUNDLL.EXE
C:\PROGRA~1\Altiris\CARBON~1\client.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dpmw32.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
C:\Program Files\LogMeIn\LogMeInSystray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\Program Files\Altiris\AClient\AClntUsr.EXE
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AWS\WeatherBug\WeatherBug.exe
C:\Program Files\Ashampoo\Ashampoo UnInstaller Platinum Suite\UIWatcher.exe
C:\Program Files\Copernic Desktop Search 2\DesktopSearchService.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Ceterm\warftpd\warftpd.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O3 - Toolbar: eBay Toolbar - {92085AD4-F48A-450D-BD93-B28CC7DF67CE} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O3 - Toolbar: Ultra Recall - {C501607C-4A98-4f5e-B9AF-425E6BBD5186} - C:\Program Files\UltraRecall\Integration\IEToolbar.dll
O3 - Toolbar: del.icio.us - {981FE6A8-260C-4930-960F-C3BC82746CB0} - C:\Program Files\del.icio.us\Internet Explorer Buttons\dlcsIE.dll
O3 - Toolbar: Google Kladblok - {CCCCCCDB-4DDB-4703-95D4-DD2C526397BF} - C:\Program Files\Google\Google Notebook\gnotes1.0.2.19-998656871.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\system32\dpmw32.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [ZENRC Tray Icon] C:\WINDOWS\System32\zentray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [eBayToolbar] C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\LogMeInSystray.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [AeXAgentLogon] C:\Program Files\Altiris\Altiris Agent\AeXAgentActivate.exe /logon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [AClntUsr] C:\Program Files\Altiris\AClient\AClntUsr.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINDOWS\system32\qipuibrj.dll",realset
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WeatherBug] C:\Program Files\AWS\WeatherBug\WeatherBug.exe
O4 - HKCU\..\Run: [C:\Program Files\qliner\quotes\quotes.exe] C:\Program Files\qliner\quotes\quotes.exe
O4 - HKCU\..\Run: [UIWatcher] C:\Program Files\Ashampoo\Ashampoo UnInstaller Platinum Suite\UIWatcher.exe
O4 - HKCU\..\Run: [Copernic Desktop Search 2] "C:\Program Files\Copernic Desktop Search 2\DesktopSearchService.exe" /tray
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: warftpd.lnk = C:\Program Files\Ceterm\warftpd\warftpd.exe
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: Deze pagina noteren (Google Kladblok) - res://C:\Program Files\Google\Google Notebook\gnotes1.0.2.19-998656871.dll/gn_menu1.html
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Formulieren opslaan - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Invul Formulieren - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Menu aanpassen - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Noteren (Google Kladblok) - res://C:\Program Files\Google\Google Notebook\gnotes1.0.2.19-998656871.dll/gn_menu2.html
O8 - Extra context menu item: RoboForm Werkbalk - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Send To &Ultra Recall (copy) - C:\Program Files\UltraRecall\Integration\StoreFromIE.html
O8 - Extra context menu item: Send To Ultra &Recall (link) - C:\Program Files\UltraRecall\Integration\LinkFromIE.html
O8 - Extra context menu item: TypePad QuickPost - https://www.typepad.com/t/app?__mode=re ... height=540
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Copy to Ultra Recall - {24187A0F-0FDD-411b-80C6-F1F22F2ED10E} - C:\Program Files\UltraRecall\Integration\IEToolbar.dll
O9 - Extra button: Formulier Invullen - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Invul Formulieren - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Opslaan - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Formulieren opslaan - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Werkbalk - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Onderzoekscentrum - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Novell delivered applications - {C1994287-422F-47aa-8E5E-6323E210A125} - C:\Program Files\Novell\ZENworks\AxNalServer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Link to Ultra Recall - {FD1FF307-68BC-462f-8718-AAEDB6DB7EA2} - C:\Program Files\UltraRecall\Integration\IEToolbar.dll
O9 - Extra button: Copy to Ultra Recall - {24187A0F-0FDD-411b-80C6-F1F22F2ED10E} - C:\Program Files\UltraRecall\Integration\IEToolbar.dll (HKCU)
O9 - Extra button: Link to Ultra Recall - {FD1FF307-68BC-462f-8718-AAEDB6DB7EA2} - C:\Program Files\UltraRecall\Integration\IEToolbar.dll (HKCU)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.mail.live.com/mail/w1/resou ... NPUpld.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\WINDOWS\msxml4.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = brugge.be
O17 - HKLM\Software\..\Telephony: DomainName = brugge.be
O17 - HKLM\System\CCS\Services\Tcpip\..\{56EC7780-E6FA-4632-8F52-F5CFB7877831}: NameServer = 10.132.69.51,10.132.69.52
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = brugge.be
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = brugge.be
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: AMINIT.dll
O23 - Service: Altiris Client Service (AClient) - Altiris, Inc. - C:\Program Files\Altiris\AClient\AClient.exe
O23 - Service: Altiris Agent (AeXNSClient) - Altiris, Inc. - C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Altiris Carbon Copy (CarbonCopy32) - Altiris - C:\WINDOWS\system32\ccsrvc.exe
O23 - Service: Carbon Copy Scheduler (CarbonCopyScheduler) - Altiris - C:\WINDOWS\system32\schdsrvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\System32\cusrvc.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\LogMeIn.exe
O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - C:\Program Files\Novell\ZENworks\nalntsrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Novell ZfD Wake on LAN Status Agent (Prometheus Wake-On-LAN Status Agent) - Novell Inc. - C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\WolSerNT.exe
O23 - Service: Novell ZfD Remote Management (Remote Management Agent) - Novell Inc. - C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Workstation Manager (ZFDWM) - Novell, INC. - C:\Program Files\Novell\ZENworks\wm.exe
Thanks for your help!
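The logs in this post contain indicators a helper would normally pull out by hand: a populated AppInit_DLLs value (AMINIT.dll, shown both in the dumphive export and as the O20 line), Windows Firewall exceptions granted to executables living in Temp directories (win29D.tmp.exe, winAF.tmp.exe), and an O4 Run entry that loads an eight-random-letter DLL through rundll32 (qipuibrj.dll, the file Panda reported as Spyware/Virtumonde). The script below is an added example, not part of the original post and not code from smitRem or HijackThis; it mechanizes those three checks over lines copied from the posted logs. The rule names and the eight-lowercase-letter heuristic are my own assumptions, and the firewall parser assumes the .reg syntax smitRem prints above. It flags entries for a human to look at; it does not decide that anything is malicious.

```python
"""Triage helper for smitRem registry exports and HijackThis O4/O20 lines.
Added example; not part of the original post or of smitRem/HijackThis.
The rules are review heuristics, not verdicts."""
import ntpath
import re
from typing import List, Tuple

# Constructed sample input: lines copied from the logs in the post above and
# trimmed to what the three checks need.
SAMPLE_LOG = r'''
"AppInit_DLLs"=" AMINIT.dll"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\DOCUME~1\\BEHEER~1\\LOCALS~1\\Temp\\win29D.tmp.exe"="C:\\DOCUME~1\\BEHEER~1\\LOCALS~1\\Temp\\win29D.tmp.exe:*:Enabled:win29D.tmp"
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Enabled:Internet Explorer"
"C:\\WINDOWS\\TEMP\\winAF.tmp.exe"="C:\\WINDOWS\\TEMP\\winAF.tmp.exe:*:Enabled:winAF.tmp"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINDOWS\system32\qipuibrj.dll",realset
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O20 - AppInit_DLLs: AMINIT.dll
'''

# XP SP2 firewall exception as exported in .reg syntax (assumed format):
#   "<path>"="<path>:<scope>:<Enabled|Disabled>:<display name>"
FW_RE = re.compile(
    r'^"(?P<path>[^"]+)"="(?P=path):(?P<scope>[^:"]*):(?P<status>enabled|disabled):(?P<name>[^"]*)"$',
    re.IGNORECASE,
)
# AppInit_DLLs as dumped by dumphive or as a HijackThis O20 line.
APPINIT_RE = re.compile(
    r'^(?:"AppInit_DLLs"="(?P<reg>[^"]*)"|O20 - AppInit_DLLs:\s*(?P<hjt>.*))$'
)
# HijackThis O4 Run-key entry:  O4 - HKLM\..\Run: [name] command
RUN_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# rundll32 <dll>,<export>, DLL path optionally quoted.
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?)"?\s*,', re.IGNORECASE)


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (rule, detail) pairs for log lines worth a second look."""
    findings: List[Tuple[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue

        m = APPINIT_RE.match(line)
        if m:
            value = (m.group('reg') or m.group('hjt') or '').strip()
            # AppInit_DLLs is empty on a clean XP install; anything listed here
            # is loaded into every process that links user32.dll.
            if value:
                findings.append(('appinit-dlls-set', value))
            continue

        m = FW_RE.match(line)
        if m:
            path = m.group('path').replace('\\\\', '\\')  # undo .reg escaping
            low = path.lower()
            # Legitimate software does not need a firewall hole for a file in Temp.
            if '\\temp\\' in low or low.endswith('.tmp.exe'):
                findings.append(('firewall-exception-in-temp', path))
            continue

        m = RUN_RE.match(line)
        if m:
            r = RUNDLL_RE.match(m.group('cmd'))
            if r:
                stem = ntpath.splitext(ntpath.basename(r.group('dll')))[0]
                # Heuristic (assumption): eight random lowercase letters is the
                # DLL naming pattern seen for the Virtumonde hits in this log.
                if re.fullmatch(r'[a-z]{8}', stem):
                    findings.append(('rundll32-random-dll',
                                     f"{m.group('name')} -> {r.group('dll')}"))
    return findings


if __name__ == '__main__':
    for rule, detail in triage(SAMPLE_LOG):
        print(f'{rule:28s} {detail}')
```

Run it against a full smitRem log and HijackThis log concatenated on stdin or pasted into SAMPLE_LOG; each hit names the line to re-check. The AppInit_DLLs check is the one to act on first: a DLL injected that way rides along in every GUI process, including the scanners, which is one reason the earlier cleanups could run to completion and the pop-ups still return.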