  #1  
Old 18th Jan 2009, 18:59
Member Group
 
Hello everyone,

I did spend many, many hours trying to kill Trojan.vundo.h (Virtumonde) but I find it impossible to delete.

Scanned with many anti-virus programs that did not do the complete job:

HijackThis
Malwarebytes
VundoFix
Spybot S&D
Comodo Antivirus + Firewall
Spyware Doctor
Ad-Aware
ZoneAlarm
NOD32

Can anybody please help me fight this trojan?
Attached Files
File Type: zip Logs for Trojan_vundo_h_1.zip (96.9 KB, 7 views)
File Type: zip Logs for Trojan_vundo_h_2.zip (53.0 KB, 6 views)
  #2  
Old 18th Jan 2009, 21:05
Moderator Group
 
Download random's system information tool (RSIT) by random/random from and save it to your Desktop.
  • Double click on RSIT.exe to run.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open.
  • log.txt will be maximized and info.txt will be minimized
  • Please post the contents of both logs in the next reply.
__________________

  #3  
Old 19th Jan 2009, 05:13
Member Group
 
First of all, I want to thank you for helping me with this.

The log.txt and the info.txt are in the attachment.

A few days ago I learned that this virus had installed itself through a bug in an old version of Java. Now I realize how important it is to keep all things up-to-date.

And another thing:
I wanted to make a ComboFix log for this forum, but the ComboFix run got stuck trying to create a log, so I closed it.

Now when I want to run ComboFix again, it shows a load bar but after that it crashes and the blue window does not appear.
Attached Files
File Type: zip RSIT logs.zip (14.9 KB, 4 views)
  #4  
Old 19th Jan 2009, 09:54
Moderator Group
 
Please only run tools I ask for. Running ComboFix at the wrong time can have bad consequences.

Open HijackThis and select Do a system scan only.

Place a check mark next to the following entries: (if there)

- O4 - HKLM\..\Run: [CPM33bc7b1c] Rundll32.exe "c:\windows\system32\yivilaje.dll",a
- O4 - HKLM\..\Run: [308f4880] rundll32.exe "C:\WINDOWS\system32\yofamoyu.dll",b


Important: Close all open windows except for HijackThis and then click Fix checked.

Once completed, exit HijackThis.

----------

Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system

Go to Start > Run and type notepad.exe then click OK

Copy and paste the below into Notepad and save as fixme.reg to Your Desktop

Code:
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
"CPM33bc7b1c"=-
"308f4880"=-

Locate fixme.reg on your Desktop and double-click it. Answer Yes when prompted to merge with the Registry.

Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it did not work.

Delete the fixme.reg from the Desktop.

----------

COMODO Internet Security includes about everything you need and there are way too many security programs installed.

Go to Add/Remove Programs and uninstall:
  • Ad-Aware SE Personal
  • Ad-Aware
  • Exterminate It!
  • Hitman Pro
  • Java(TM) 6 Update 2
  • Spyware Doctor 6.0
  • ZoneAlarm Spy Blocker Toolbar
  • ZoneAlarm
----------

Download and install SUPERAntiSpyware Free for Home Users
  • Start SuperAntiSpyware and click Check for updates
If you encounter any problems while downloading the updates, manually download and unzip them from here
  • Once the update is finished, on the main screen, click Scan your computer
  • Check Perform Complete Scan
  • Click Next to start the scan.
When finished Superantispyware will list all the infections found.
Make sure everything found has a check next to it and press Next
Then click Finish

It is possible that the Superantispyware asks to reboot the PC in order to delete some files.

Locate the SuperAntiSpyware log as follows:
  • Click: Preferences
  • Click the Statistics/Logs tab
  • Under Scanner Logs, double-click SuperAntiSpyware Scan Log
It opens in your default text editor (such as Notepad)

Post the SuperAntiSpyware log in your reply along with a new RSIT log.
__________________
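The two O4 entries fixed above follow one pattern: rundll32 loading a random-named DLL from system32 under a hex-looking value name, which the .reg file then deletes with `"name"=-`. As an added example (not code from the thread, from HijackThis, or from any tool named here), this Python script applies that reasoning to HijackThis O4 lines and emits the matching REGEDIT4 fragment; the sample log lines are constructed from entries quoted in this thread, and the "random name" and "hex name" heuristics are this example's own assumptions.

```python
"""Flag the HijackThis O4 autorun pattern discussed above (rundll32 loading a
random-named DLL from system32 under a hex-looking value name) and emit the
REGEDIT4 fragment that deletes those values, in the same form as fixme.reg.
Added example, not code from the thread, HijackThis or any tool named here;
the heuristics are this example's own assumptions."""
import re

# Constructed sample: the two entries the moderator flagged plus three benign
# lines taken from the HijackThis log posted later in the thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [CPM33bc7b1c] Rundll32.exe "c:\windows\system32\yivilaje.dll",a
O4 - HKLM\..\Run: [308f4880] rundll32.exe "C:\WINDOWS\system32\yofamoyu.dll",b
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
"""

# O4 - <hive>\..\<Run key>: [<value name>] <command line>
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\(?P<key>Run\w*): "
    r"\[(?P<name>[^\]]+)\] (?P<cmd>.*)$"
)
# rundll32[.exe] "<path>.dll",<export>  (quotes optional)
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)', re.IGNORECASE)
# Value names made only of hex digits, optionally prefixed "CPM" as in this thread
HEX_NAME_RE = re.compile(r"^(?:CPM)?[0-9a-f]{8,}$", re.IGNORECASE)

HIVE_PATH = {
    "HKLM": r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion",
    "HKCU": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion",
}


def parse_o4(log_text):
    """Return one dict (hive, key, name, cmd) per O4 line in a HijackThis log."""
    matches = (O4_RE.match(line.strip()) for line in log_text.splitlines())
    return [m.groupdict() for m in matches if m]


def looks_random(stem):
    """Assumed heuristic: a lowercase, letters-only stem of 6-10 chars whose
    consonant/vowel classes alternate almost everywhere (yivilaje, yofamoyu),
    which real system DLL names (ctfmon, jusched) do not do."""
    if not (6 <= len(stem) <= 10) or not stem.isalpha() or not stem.islower():
        return False
    classes = ["v" if c in "aeiou" else "c" for c in stem]
    alternations = sum(a != b for a, b in zip(classes, classes[1:]))
    return alternations >= len(stem) - 2


def suspicious_autoruns(entries):
    """Return (entry, reasons) for entries matching the Vundo-style pattern."""
    flagged = []
    for e in entries:
        reasons = []
        m = RUNDLL_RE.match(e["cmd"].strip())
        if m:
            dll = m.group("dll")
            stem = dll.rsplit("\\", 1)[-1][:-4]          # strip path and ".dll"
            if "\\system32\\" in dll.lower() and looks_random(stem):
                reasons.append("rundll32 loads random-named DLL from system32")
        if HEX_NAME_RE.match(e["name"]):
            reasons.append("hex-looking value name")
        if reasons:
            flagged.append((e, reasons))
    return flagged


def removal_reg(flagged):
    """Build REGEDIT4 text that deletes each flagged value ("name"=- removes the
    value when merged), grouped by key like the moderator's fixme.reg."""
    by_key = {}
    for e, _ in flagged:
        base = HIVE_PATH.get(e["hive"])
        if base is None:
            continue  # HKUS\<sid> entries need the SID-specific path; left out here
        by_key.setdefault(base + "\\" + e["key"], []).append(e["name"])
    lines = ["REGEDIT4", ""]
    for key, names in by_key.items():
        lines.append(f"[{key}]")
        lines.extend(f'"{n}"=-' for n in names)
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    hits = suspicious_autoruns(parse_o4(SAMPLE_LOG))
    for e, reasons in hits:
        print(f"{e['hive']}\\{e['key']} [{e['name']}]: {'; '.join(reasons)}")
    print(removal_reg(hits))
```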

  #5  
Old 19th Jan 2009, 11:07
Member Group
 
It added it to the registry with success.

I am now scanning the computer with SuperAntiSpyware.

I will post another reply after the scan.
  #6  
Old 19th Jan 2009, 16:14
Member Group
 
Uninstalled everything before the scans...

Scanning is complete

here are the logs in a zip

hope you can solve the problem

grtz, jasper
Attached Files
File Type: zip RSIT log2 and Super Anti Spyware Log.zip (15.5 KB, 4 views)
  #7  
Old 19th Jan 2009, 17:22
Moderator Group
 
Looks better than I thought it would.

Download OTCleanIt.exe and save it to your Desktop.
  • Double-click OTCleanIt.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes, if not delete it yourself.

----------

Delete the copy of ComboFix you have (if you still have it) and download a new copy.

Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.

Link #1
Link #2

**Note: It is important that it is saved directly to your Desktop

Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.

Temporarily disable your antivirus, and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

Double click combofix.exe & follow the prompts.

For Windows XP Systems install the Recovery Console:

- If you are using Windows XP and do not already have the Recovery Console installed, please ensure your Internet connection is active (if possible) and click Yes.
- If for some reason your Internet is not working click No.
- If you are not using Windows XP, you will not be prompted.
- When prompted to accept the EULA click OK.
- Accept Microsoft's EULA (Click Yes).
- When you are told that the RC is installed correctly click YES to continue scanning for malware.

When finished ComboFix will produce a log for you.
Post the ComboFix log and a new HijackThis log in your next reply.

Important: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.
__________________

  #8  
Old 19th Jan 2009, 18:20
Member Group
 
Did all things with success.
Here is the ComboFix log.

No error occurred when running ComboFix. It did not reboot.

As I see it, the 2 virus DLLs visible with HijackThis are gone and I see no infection while running Malwarebytes for 30 seconds.
Before all this, Malwarebytes showed 2 infections in the first 10 seconds.

Am I clean now? Or are there still hidden files?

It's too late for me now, but tomorrow I will have enough time.

ComboFix 09-01-19.03 - Bakker 2009-01-20 2:01:11.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1043.18.895.546 [GMT 1:00]
Gestart vanuit: c:\documents and settings\Bakker\Bureaublad\ComboFix.exe
AV: COMODO Antivirus *On-access scanning enabled* (Updated)
FW: COMODO Firewall *disabled*
* Nieuw herstelpunt werd aangemaakt
.

(((((((((((((((((((( Bestanden Gemaakt van 2008-12-20 to 2009-01-20 ))))))))))))))))))))))))))))))
.

2009-01-19 18:56 . 2009-01-20 01:39 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-01-19 18:56 . 2009-01-19 18:56 <DIR> d-------- c:\documents and settings\Bakker\Application Data\SUPERAntiSpyware.com
2009-01-19 18:56 . 2009-01-19 18:56 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-01-19 18:55 . 2009-01-19 18:55 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2009-01-19 01:03 . 2009-01-19 01:03 <DIR> d-------- c:\program files\MWSnap
2009-01-18 23:24 . 2009-01-18 23:26 <DIR> d-------- c:\program files\McAfee
2009-01-18 23:24 . 2009-01-18 23:24 <DIR> d-------- c:\documents and settings\All Users\Application Data\McAfee
2009-01-18 23:16 . 2009-01-18 23:16 <DIR> d-------- c:\documents and settings\Bakker\Application Data\WinPatrol
2009-01-18 23:15 . 2009-01-18 23:15 <DIR> d-------- c:\program files\BillP Studios
2009-01-18 16:16 . 2009-01-20 01:43 <DIR> d-------- c:\documents and settings\All Users\Application Data\_comodo_
2009-01-18 14:55 . 2009-01-18 14:55 <DIR> d-------- c:\program files\COMODO
2009-01-18 14:55 . 2009-01-18 16:20 <DIR> d-------- c:\documents and settings\All Users\Application Data\comodo
2009-01-18 14:55 . 2009-01-18 14:55 147,192 --a------ c:\windows\system32\guard32.dll
2009-01-18 14:55 . 2009-01-18 14:55 101,776 --a------ c:\windows\system32\drivers\cmdguard.sys
2009-01-18 14:55 . 2009-01-18 14:55 31,504 --a------ c:\windows\system32\drivers\cmdhlp.sys
2009-01-18 14:48 . 2009-01-18 22:38 <DIR> d-------- c:\program files\Windows Defender
2009-01-17 20:24 . 2009-01-17 20:24 <DIR> d-------- c:\program files\CubicExplorer
2009-01-17 18:03 . 2009-01-19 18:31 <DIR> d-------- c:\program files\Exterminate It!
2009-01-17 17:52 . 2009-01-17 17:52 <DIR> d-------- c:\program files\Online Solutions
2009-01-17 17:52 . 2009-01-17 17:52 <DIR> d-------- c:\program files\Common Files\Online Solutions Shared
2009-01-16 23:25 . 2009-01-16 23:25 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-01-16 23:22 . 2008-01-17 20:38 <DIR> d--h----- c:\documents and settings\Administrator\Sjablonen
2009-01-16 23:22 . 2008-01-17 21:15 <DIR> d--h----- c:\documents and settings\Administrator\Onlangs geopend
2009-01-16 23:22 . 2008-01-17 21:15 <DIR> d--h----- c:\documents and settings\Administrator\Netwerkprinteromgeving
2009-01-16 23:22 . 2008-01-17 21:15 <DIR> d-------- c:\documents and settings\Administrator\Mijn documenten
2009-01-16 23:22 . 2008-01-17 21:15 <DIR> dr------- c:\documents and settings\Administrator\Menu Start
2009-01-16 23:22 . 2008-01-17 21:15 <DIR> d-------- c:\documents and settings\Administrator\Favorieten
2009-01-16 23:22 . 2008-01-17 21:15 <DIR> d-------- c:\documents and settings\Administrator\Bureaublad
2009-01-16 23:22 . 2009-01-16 23:22 <DIR> d-------- c:\documents and settings\Administrator
2009-01-16 22:45 . 2009-01-16 22:45 410,984 --a------ c:\windows\system32\deploytk.dll
2009-01-16 18:54 . 2009-01-16 19:02 <DIR> d-------- c:\program files\Trojan Remover
2009-01-15 14:13 . 2009-01-15 14:13 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-15 14:13 . 2009-01-15 14:13 <DIR> d-------- c:\documents and settings\Bakker\Application Data\Malwarebytes
2009-01-15 14:13 . 2009-01-15 14:13 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-15 14:13 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-15 14:13 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-15 13:45 . 2009-01-15 13:45 <DIR> d-------- c:\program files\Trend Micro
2009-01-12 17:00 . 2009-01-12 17:00 0 --a------ c:\windows\nsreg.dat
2009-01-12 10:00 . 2009-01-12 10:00 <DIR> d-------- c:\documents and settings\All Users\Application Data\PC Tools
2009-01-12 09:39 . 2009-01-12 09:39 <DIR> d-------- c:\program files\Google
2008-12-30 23:02 . 2008-12-30 23:02 <DIR> dr------- c:\documents and settings\Bakker\Favorieten
2008-12-25 18:12 . 2009-01-19 23:59 <DIR> d-------- c:\program files\Spyware Doctor
2008-12-25 18:12 . 2009-01-19 18:44 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2008-12-25 18:11 . 2008-12-25 18:11 164 --a------ C:\install.dat
2008-12-25 18:11 . 2008-12-25 18:11 0 --a------ c:\windows\system32\mapisvc.inf
2008-12-25 18:04 . 2008-12-30 00:09 <DIR> d-------- C:\Temp
2008-12-25 18:04 . 2009-01-19 02:21 <DIR> d-------- c:\program files\ESET
2008-12-25 17:24 . 2009-01-19 02:28 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-25 17:24 . 2009-01-19 02:28 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-25 16:30 . 2009-01-19 18:27 <DIR> d-------- c:\program files\Lavasoft
2008-12-25 16:30 . 2009-01-19 18:26 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft

.
((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-19 17:40 --------- d-----w c:\program files\Java
2009-01-19 17:38 --------- d-----w c:\program files\Hitman Pro
2009-01-02 17:34 --------- d-----w c:\documents and settings\All Users\Application Data\FLEXnet
2008-12-11 11:57 333,184 ----a-w c:\windows\system32\drivers\srv.sys
2008-11-09 13:33 7,676,458 ----a-w c:\windows\Internet Logs\tvDebug.zip
2008-10-27 16:42 62,939 ----a-w c:\windows\Internet Logs\zlclient_2nd_2008_10_27_15_29_38_small.dmp.zip
2008-10-23 13:02 283,648 ----a-w c:\windows\system32\gdi32.dll
.

((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-01-17 486856]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-02-28 2321600]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 623992]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-16 136600]
"RTHDCPL"="RTHDCPL.EXE" [2007-07-05 c:\windows\RTHDCPL.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 39264]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Mythology\\aomx.exe"=
"c:\\Program Files\\Electronic Arts\\The Battle for Middle-earth II\\game.dat"=
"c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"c:\\Documents and Settings\\Bakker\\Local Settings\\Application Data\\FolderShare\\FolderShare.exe"=
"c:\\Program Files\\SnelStart\\v850\\SnelStart.exe"=
"c:\\WINDOWS\\RTHDCPL.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Program Files\\Common Files\\Microsoft Shared\\VS7DEBUG\\MDM.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2009-01-18 101776]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2009-01-18 31504]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2008-12-22 55024]
R3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\l151x86.sys [2008-01-17 36864]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-12-22 7408]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2008-12-22 8944]
S4 WinDefend;Windows Defender;"c:\program files\Windows Defender\MsMpEng.exe" --> c:\program files\Windows Defender\MsMpEng.exe [?]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{28e76ba7-c5c6-11dc-aa84-001e8c3890ac}]
\Shell\AutoRun\command - F:\Autoplay.exe -auto
.
Inhoud van de 'Gedeelde Taken' map

2009-01-19 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe []
.
- - - - ORPHANS VERWIJDERD - - - -

HKCU-Run-Uniblue RegistryBooster 2 - c:\program files\Uniblue\RegistryBooster 2\RegistryBooster.exe
Notify-WRNotifier - (no file)


.
------- Bijkomende Scan -------
.
uStart Page = hxxp://www.google.nl/
uInternet Settings,ProxyOverride = *.local
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xporteren naar Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Bakker\Application Data\Mozilla\Firefox\Profiles\f89rpxu8.default\
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-20 02:02:37
Windows 5.1.2600 Service Pack 2 NTFS

scannen van verborgen processen ...

scannen van verborgen autostart items ...

scannen van verborgen bestanden ...

Scan succesvol afgerond
verborgen bestanden: 0

**************************************************************************
.
--------------------- VERGRENDELDE REGISTER SLEUTELS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\Ø•€|ÿÿÿÿ•€|ù•9~*]
"3140110900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"
.
--------------------- DLLs Geladen Onder Lopende Processen ---------------------

- - - - - - - > 'winlogon.exe'(944)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll
.
Voltooingstijd: 2009-01-20 2:03:56
ComboFix-quarantined-files.txt 2009-01-20 01:03:54

Pre-Run: 62,383,489,024 bytes beschikbaar
Post-Run: 62,373,113,856 bytes beschikbaar

WindowsXP-KB310994-SP2-Pro-BootDisk-NLD.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer

175 --- E O F --- 2009-01-19 02:03:19

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 02:08, on 2009-01-20
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_11.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_11.dll
O9 - Extra button: (no name) - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - (no file)
O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1200663636441
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1209381850828
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Windows Defender (WinDefend) - Unknown owner - C:\Program Files\Windows Defender\MsMpEng.exe (file missing)

--
End of file - 7681 bytes
  #9  
Old 19th Jan 2009, 18:54
Member Group
 
Oh, and the strange file names like zepepewa.dll.tmp (many more) are still on the computer when I checked hidden files with WinPatrol.
  #10  
Old 19th Jan 2009, 19:05
Moderator Group
 
Download the OTMoveIt3 by OldTimer

Note: If you are running on Vista, right-click on OTMoveIt3.exe and choose Run As Administrator.

* Save it to your Desktop.
* Double-click OTMoveIt3.exe to run it.
* Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy)

Code:
:Processes
explorer.exe

:reg
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{28e76ba7-c5c6-11dc-aa84-001e8c3890ac}]

:files
c:\program files\Exterminate It!

:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]

* Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
* Click the red Moveit! button.
* Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
* Close OTMoveIt3.

Note: If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose Yes. If not, reboot anyway.
__________________
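The `:reg` line in the OTMoveIt3 script above deletes a mountpoints2 key whose `\Shell\AutoRun\command` pointed at an executable on a removable drive, the entry visible in the ComboFix log earlier in this thread. As an added example (not code from the thread, from ComboFix or from OTMoveIt3), this Python script finds such entries in a ComboFix-style registry section and prints the `[-KEY]` deletion lines; the sample lines are constructed from that log.

```python
"""Find removable-drive AutoRun persistence in the registry section of a
ComboFix log, the mountpoints2 entry the OTMoveIt3 script above deletes.
Added example, not code from the thread, ComboFix or OTMoveIt3; the sample
lines are constructed from the ComboFix log posted earlier in this thread."""
import re

SAMPLE = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{28e76ba7-c5c6-11dc-aa84-001e8c3890ac}]
\Shell\AutoRun\command - F:\Autoplay.exe -auto
.
Inhoud van de 'Gedeelde Taken' map
"""

# [HKEY_...\mountpoints2\{<GUID>}]  -- one key per volume Explorer has seen
KEY_RE = re.compile(
    r"^\[(?P<key>HKEY_[^\]]*\\mountpoints2\\\{[0-9a-f-]{36}\})\]$", re.IGNORECASE)
# ComboFix prints the subkey and its default value as "\Shell\AutoRun\command - <cmd>"
CMD_RE = re.compile(r"^\\Shell\\AutoRun\\command - (?P<cmd>.+)$", re.IGNORECASE)


def find_autorun_mountpoints(log_text):
    """Return (key, command) for every mountpoints2 key carrying an AutoRun
    command; an empty line or ComboFix's '.' separator ends the current key."""
    hits, current = [], None
    for line in log_text.splitlines():
        line = line.strip()
        if not line or line == ".":
            current = None
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group("key")
            continue
        m = CMD_RE.match(line)
        if m and current:
            hits.append((current, m.group("cmd")))
    return hits


def otmoveit_reg_lines(hits):
    """Lines for an OTMoveIt3 ':reg' section: '[-KEY]' is the .reg-file form
    that deletes the whole key, as in the moderator's script above."""
    return [f"[-{key}]" for key, _ in hits]


if __name__ == "__main__":
    found = find_autorun_mountpoints(SAMPLE)
    for key, cmd in found:
        print(f"AutoRun command {cmd!r} under {key}")
    print("\n".join(otmoveit_reg_lines(found)))
```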


Copyright ©2006 - 2009 Computer Juice.
