winsock32.exe - Win32:Rootkit-gen [Rtk]

Hi there,

Today, after starting up my PC, I suddenly got the following virus message:


Malware gevonden!

Er is geen reden tot paniek. Tracht het advies en de verwijzingen op te volgen.

Bestandsnaam: c:\windows\system32\winsock32.exe
Malware-naam: Win32:Rootkit-gen [Rtk]
Malware-type: Rootkit
VPS versie: 080421-0, 21-04-2008


What is this virus, does it harm my pc? How did I get it? How do I remove it?
Thanks,
Tom

To know if a file is a virus, please submit it to VirusTotal and let us know the result. Thanks.

Seems to be malware…
http://fileinfo.prevx.com/adware/qq90c636839827-WINS16020350/WINSOCK32.EXE.html
http://www.symantec.com/security_response/writeup.jsp?docid=2006-082212-1334-99&tabid=2

Yes it would seem so.

http://www.bleepingcomputer.com/startups/winsock32.exe-15836.html

A hijackthis log would be useful.

Click here to download HJTsetup.exe

[*]Save HJTsetup.exe to your desktop.
[*]Doubleclick on the HJTsetup.exe icon on your desktop.
[*]By default it will install to C:\Program Files\Hijack This.
[*]Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
[*]Put a check by Create a desktop icon then click Next again.
[*]Continue to follow the rest of the prompts from there.
[*]At the final dialogue box click Finish and it will launch Hijack This.
[*]Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
[*]Click on “Edit > Select All” then click on “Edit > Copy” to copy the entire contents of the log.
[*]Come back here to this thread and Paste the log in your next reply.
[*]DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

Here is my log. I can’t find winsock32.exe in there, but I already put it in the ‘virus kluis’ (Virus Chest) with avast… Hope you can help me. Thanks!


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:52:03, on 25-4-2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Launch Manager\HotkeyApp.exe
C:\Program Files\Launch Manager\WButton.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\Program Files\Launch Manager\LaunchAp.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Windows\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Windows\system32\Macromed\Flash\FlashUtil9e.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\SearchFilterHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Help bij koppelingen - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Aanmelden - Help - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [HotkeyApp] C:\Program Files\Launch Manager\HotkeyApp.exe
O4 - HKLM\..\Run: [Wbutton] "C:\Program Files\Launch Manager\Wbutton.exe"
O4 - HKLM\..\Run: [CtrlVol] C:\Program Files\Launch Manager\CtrlVol.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [MSConfig] "C:\Windows\system32\msconfig.exe" /auto
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [snpstd] C:\Windows\vsnpstd.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'SYSTEEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'Default user')
O4 - Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {2250C29C-C5E9-4F55-BE4E-01E45A40FCF1} (CMediaMix Object) - http://musicmix.messenger.msn.com/Medialogic.CAB
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/VistaMSNPUplden-us.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Fujitsu Siemens Computers Diagnostic Testhandler (TestHandler) - Fujitsu Siemens Computers - C:\firststeps\OnlineDiagnostic\TestManager\TestHandler.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\Windows\System32\ZoneLabs\vsmon.exe
O23 - Service: WisLMSvc - Wistron Corp. - C:\Program Files\Launch Manager\WisLMSvc.exe


End of file - 9248 bytes
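As an added example (not code from the thread, from HijackThis or from avast), a Python triage script that applies the checks helpers make by eye on an HJT log in the format above: O2/O9 entries marked "(no file)", O23 services marked "(file missing)", and O4 Run entries whose target is a bare file name or lies outside Program Files and Windows. The sample log is constructed from entries like the ones posted plus one made-up [updater] line to exercise the last rule; the expected roots and the "(no file)" / "(file missing)" markers are the assumptions.

```python
import re
from typing import List, Tuple

# Constructed sample in HijackThis v2.0.2 format, modelled on entries from the log
# posted in this thread. The "[updater]" line is made up to exercise the
# path-location rule and does not appear in the thread.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [updater] C:\Users\fony\AppData\Local\Temp\updater.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

# Every HJT entry starts with its section code: R0/R1 (IE URLs), O2 (BHOs),
# O4 (autoruns), O23 (services) and so on.
ENTRY_RE = re.compile(r"^(R\d|O\d+) - (.*)$")
# "HKLM\..\Run: [name] command"; the backslash before ".." is optional because
# forum rendering (as in this thread) often strips it.
O4_RE = re.compile(r"^(HK\S*?)\\?\.\.\\Run: \[([^\]]*)\] (.*)$")
# Where autoruns on this machine are expected to live (lower-cased for matching).
EXPECTED_ROOTS = ("c:\\program files\\", "c:\\windows\\")
# Expansions for the forms HJT prints instead of a full long path.
SHORT_NAMES = {"%programfiles%": "c:\\program files", "c:\\progra~1": "c:\\program files"}

Finding = Tuple[str, str]  # (rule name, offending entry)


def parse_entries(log: str) -> List[Tuple[str, str]]:
    """Return (section code, payload) for every Rn/On line; header lines are skipped."""
    entries = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def autorun_target(command: str) -> str:
    """Pull the executable out of an O4 command, quoted or not, dropping switches."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    m = re.match(r"(.+?\.exe)(\s|$)", command, re.IGNORECASE)
    return m.group(1) if m else command.split(" ")[0]


def normalize_path(path: str) -> str:
    """Lower-case the path and expand %ProgramFiles% and the 8.3 PROGRA~1 form."""
    p = path.lower()
    for short, full in SHORT_NAMES.items():
        p = p.replace(short, full)
    return p


def triage(log: str) -> List[Finding]:
    """Apply the checks a helper makes by eye when reading an HJT log."""
    findings: List[Finding] = []
    for code, payload in parse_entries(log):
        if code in ("O2", "O9") and payload.endswith("(no file)"):
            # CLSID still registered but its DLL is gone: a leftover, safe to clean.
            findings.append(("orphaned-clsid", payload))
        elif code == "O23" and payload.endswith("(file missing)"):
            # A service whose binary no longer exists: find out why it was removed.
            findings.append(("service-file-missing", payload))
        elif code == "O4":
            m = O4_RE.match(payload)
            if not m:
                continue  # "O4 - Startup:" folder entries are not checked here
            target = normalize_path(autorun_target(m.group(3)))
            if not re.match(r"^[a-z]:\\", target):
                # Bare file name: resolved through the search path at logon.
                findings.append(("autorun-unqualified-path", payload))
            elif not target.startswith(EXPECTED_ROOTS):
                # Autorun launched from a user-writable or unusual location.
                findings.append(("autorun-outside-program-dirs", payload))
    return findings


if __name__ == "__main__":
    for rule, entry in triage(SAMPLE_LOG):
        print(f"{rule:30} {entry}")
```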

Hi aTOMik,

The analysis of your logfile can be found here for the next three consecutive days:
http://hijackthis.de/logfiles/96b09c4a89ee80549ad76780d2ae667c.html
Not much can be concluded from it yet, but wait for what “oldman” comes up with and follow his instructions to the letter. This could be a haxdoor variant, see this link:
http://fileinfo.prevx.com/adware/qq90c636839827-WINS16020350/WINSOCK32.EXE.html
or, as often happens with rootkit flags, it could be a FP (false positive). But wait and see…

polonus

It seems to be associated with haxdoor, but may not have been fully installed. No elements are in the HJT log. So we’ll see what else, if anything, came with it.

What symptoms are you experiencing?

After you download this program, to run it you will need to right click the file you downloaded and select “run as administrator”. This is because you are a Vista user.

It is vitally important that ComboFix is renamed before you even start to download it.

Please download ComboFix from Here or Here to your Desktop.

Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop.

[*]If you are using Firefox, make sure that your download settings are as follows:
-Tools->Options->Main tab
-Set to “Always ask me where to Save the files”.

[*]During the download, rename Combofix to Combo-Fix as follows:

http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_FF.gif

http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_rename.gif

[*]It is important you rename Combofix during the download, but not after.
[*]Please do not rename Combofix to other names, but only to the one indicated.
[*]Close any open browsers.
[*]Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.


[*]Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause “unpredictable results”.
[*]Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don’t know how to disable it, please ask.

[*]Close any open browsers.
[*]WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
[*]Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
[*]If there is no internet connection after running Combofix, then restart your computer to restore back your connection.


[*]Double click on combofix.exe & follow the prompts.
[*]When finished, it will produce a report for you.
[*]Please post the “C:\ComboFix.txt” along with a new HijackThis log for further review.

Note: Do not mouseclick combofix’s window while it’s running. That may cause it to stall.

Hi, first part of my combofix log:

ComboFix 08-05-01.3 - fony 2008-05-04 23:01:38.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1043.18.1229 [GMT 2:00]
Gestart vanuit: C:\Users\fony\Desktop\Combo-Fix.exe

* Nieuw herstelpunt werd aangemaakt
.

(((((((((((((((((((( Bestanden Gemaakt van 2008-04-04 to 2008-05-04 ))))))))))))))))))))))))))))))
.

Geen nieuwe bestanden aangemaakt in deze periode

.
((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-04 20:55 --------- d-----w C:\Users\fony\AppData\Roaming\Skype
2008-05-04 20:49 --------- d-----w C:\Users\fony\AppData\Roaming\skypePM
2008-05-04 20:48 352,615 ---ha-w C:\Windows\system32\drivers\vsconfig.xml
2008-04-25 09:50 --------- d-----w C:\Program Files\Trend Micro
2008-04-22 15:05 --------- d-----w C:\Users\fony\AppData\Roaming\Azureus
2008-04-22 12:22 --------- d-----w C:\Users\fony\AppData\Roaming\Nokia Multimedia Player
2008-04-17 09:11 --------- d-----w C:\Program Files\Azureus
2008-04-15 21:04 389,120 ----a-w C:\Windows\Internet Logs\xDBB6EC.tmp
2008-04-15 21:04 1,541,120 ----a-w C:\Windows\Internet Logs\xDBB883.tmp
2008-04-09 13:19 --------- d-----w C:\Program Files\Windows Mail
2008-04-03 19:40 2,962,944 ----a-w C:\Windows\Internet Logs\xDBAD76.tmp
2008-04-02 18:26 --------- d-----w C:\Users\fony\AppData\Roaming\Nokia
2008-04-02 14:13 --------- d-----w C:\Users\fony\AppData\Roaming\PC Suite
2008-04-02 14:11 --------- d-----w C:\ProgramData\PC Suite
2008-04-02 14:07 --------- d-----w C:\Program Files\Nokia
2008-04-02 14:07 --------- d-----w C:\Program Files\DIFX
2008-04-02 14:07 --------- d-----w C:\Program Files\Common Files\PCSuite
2008-04-02 14:07 --------- d-----w C:\Program Files\Common Files\Nokia
2008-04-02 14:05 --------- d-----w C:\Program Files\PC Connectivity Solution
2008-04-02 13:58 --------- d-----w C:\ProgramData\Installations
2008-04-02 13:18 --------- d-----w C:\Users\fony\AppData\Roaming\Samsung
2008-04-02 12:50 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-02 12:50 --------- d-----w C:\Program Files\Samsung
2008-04-01 09:18 --------- d-----w C:\Users\fony\AppData\Roaming\IGN_DLM
2008-04-01 09:17 --------- d-----w C:\Program Files\Download Manager
2008-03-29 17:32 50,768 ----a-w C:\Windows\system32\drivers\aswMonFlt.sys
2008-03-24 16:59 1,475,584 ----a-w C:\Windows\Internet Logs\xDBAB72.tmp
2008-03-22 13:12 73,117 ----a-w C:\Windows\Internet Logs\zlclient_2nd_2008_03_21_15_40_20_small.dmp.zip
2008-03-20 10:07 --------- d-----w C:\ProgramData\Last.fm
2008-03-20 10:06 --------- d-----w C:\Program Files\Last.fm
2008-03-18 14:21 --------- d-----w C:\Program Files\LeechFTP
2008-03-18 14:20 18,944 ----a-w C:\Windows\eraser.exe
2008-03-16 13:31 --------- d-----w C:\Program Files\Java
2008-03-15 13:13 --------- d-----w C:\Users\fony\AppData\Roaming\BSplayer
2008-03-15 13:12 --------- d-----w C:\Program Files\Webteh
2008-03-14 13:00 --------- d-----w C:\Program Files\VirtualDJ
2008-03-08 15:09 --------- d-----w C:\Program Files\Gabest
2008-02-29 06:51 19,000 ----a-w C:\Windows\System32\kd1394.dll
2008-02-29 06:39 40,960 ----a-w C:\Windows\System32\srclient.dll
2008-02-29 06:39 371,712 ----a-w C:\Windows\System32\srcore.dll
2008-02-29 06:38 313,856 ----a-w C:\Windows\System32\rstrui.exe
2008-02-29 06:38 16,384 ----a-w C:\Windows\System32\srdelayed.exe
2008-02-29 06:35 6,656 ----a-w C:\Windows\System32\kbd106n.dll
2008-02-29 06:34 7,168 ----a-w C:\Windows\System32\f3ahvoas.dll
2008-02-29 04:16 2,027,008 ----a-w C:\Windows\System32\win32k.sys
2008-02-26 12:00 155,648 ----a-w C:\Windows\System32\libssl32.dll
2008-02-21 04:43 826,368 ----a-w C:\Windows\System32\wininet.dll
2008-02-21 04:43 56,320 ----a-w C:\Windows\System32\iesetup.dll
2008-02-21 04:43 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
2008-02-21 04:43 296,448 ----a-w C:\Windows\System32\gdi32.dll
2008-02-21 04:43 26,624 ----a-w C:\Windows\System32\ieUnatt.exe
2008-02-19 05:10 620,088 ----a-w C:\Windows\System32\ci.dll
2008-02-14 23:19 944,184 ----a-w C:\Windows\System32\winload.exe
2008-02-14 12:33 194,560 ----a-w C:\Windows\System32\WebClnt.dll
2008-02-14 12:30 595,456 ----a-w C:\Windows\System32\schedsvc.dll
2008-02-14 12:30 17,408 ----a-w C:\Windows\System32\prflbmsg.dll
2008-02-14 12:27 3,504,696 ----a-w C:\Windows\System32\ntkrnlpa.exe
2008-02-14 12:27 3,470,392 ----a-w C:\Windows\System32\ntoskrnl.exe
2008-02-14 12:26 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-02-14 12:26 449,536 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-02-14 12:26 4,247,552 ----a-w C:\Windows\System32\GameUXLegacyGDFs.dll
2008-02-14 12:26 24,064 ----a-w C:\Windows\System32\netcfg.exe
2008-02-14 12:26 22,016 ----a-w C:\Windows\System32\netiougc.exe
2008-02-14 12:26 2,560 ----a-w C:\Windows\AppPatch\AcRes.dll
2008-02-14 12:26 2,144,256 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-02-14 12:26 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-02-14 12:26 167,424 ----a-w C:\Windows\System32\tcpipcfg.dll
2008-02-14 12:26 1,686,528 ----a-w C:\Windows\System32\gameux.dll
2008-02-12 11:26 12,632 ----a-w C:\Windows\System32\lsdelete.exe
2008-02-07 12:47 1,333,248 ----a-w C:\Windows\Internet Logs\xDB9C8E.tmp
2008-01-02 15:10 32 ----a-w C:\Users\All Users\ezsid.dat
2008-01-02 15:10 32 ----a-w C:\ProgramData\ezsid.dat
2007-11-03 18:39 174 --sha-w C:\Program Files\desktop.ini
.

Second part of combofix:

((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
Nota lege verwijzingen & legitieme standaard verwijzingen worden niet getoond

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 12:34 5724184]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-02-26 19:15 149040]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-12-07 16:08 21686568]
"AlcoholAutomount"="C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" [2008-01-26 21:13 4608]
"igndlm.exe"="C:\Program Files\Download Manager\DLM.exe" [2007-03-05 23:57 1103480]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 14:36 201728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2007-07-02 08:30 1006264]
"RtHDVCpl"="RtHDVCpl.exe" [2006-12-29 12:11 4317184 C:\Windows\RtHDVCpl.exe]
"HotkeyApp"="C:\Program Files\Launch Manager\HotkeyApp.exe" [2006-12-14 16:53 192512]
"Wbutton"="C:\Program Files\Launch Manager\Wbutton.exe" [2006-11-09 14:37 86016]
"CtrlVol"="C:\Program Files\Launch Manager\CtrlVol.exe"
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-03-29 19:37 79224]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 20:51 39792]
"MSConfig"="C:\Windows\system32\msconfig.exe" [2006-11-02 11:45 222208]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"snpstd"="C:\Windows\vsnpstd.exe" [2003-12-31 01:39 40960]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-01-09 04:31 959976]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-11-07 17:35 1294336]

C:\Users\fony\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
Last.fm Helper.lnk - C:\Program Files\Last.fm\LastFMHelper.exe [2008-03-20 12:06:46 106496]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= C:\PROGRA~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
--a------ 2007-03-01 00:06 2321600 C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2007-02-26 19:15 149040 C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
--a------ 2007-09-18 16:16 171464 C:\Program Files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
--a------ 2006-11-02 14:35 125440 C:\Windows\ehome\ehTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LaunchAp]
--a------ 2005-07-25 13:36 32768 C:\Program Files\Launch Manager\LaunchAp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LMgrOSD]
--a------ 2006-08-29 09:26 241664 C:\Program Files\Launch Manager\OSDCtrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LMgrVolOSD]
--a------ 2006-12-26 11:23 180224 C:\Program Files\Launch Manager\OSD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-02-26 20:46 153136 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
--a------ 2008-01-10 14:53 1232896 C:\Program Files\Windows Sidebar\sidebar.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
--a------ 2006-11-10 12:35 90112 c:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
--a------ 2006-11-02 14:36 201728 C:\Program Files\Windows Media Player\WMPNSCFG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

Third (last) part of combofix:

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{CEF0DE92-D0D0-4E58-85DB-8FFC83B89E4C}"= UDP:C:\Program Files\Sports Interactive\Football Manager 2008\fm.exe:Football Manager 2008
"{3D18D38E-B65C-42BC-8D73-6FDB98210EA8}"= TCP:C:\Program Files\Sports Interactive\Football Manager 2008\fm.exe:Football Manager 2008
"{154C14BC-8400-4B9D-B174-1FC5C87D8F98}"= UDP:C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Civilization4.exe:Sid Meier's Civilization 4
"{89A674E4-ABA2-4BC5-A9D9-5AFF9C1E9FEE}"= TCP:C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Civilization4.exe:Sid Meier's Civilization 4
"{20D87FE1-649C-4573-A3D3-2CAD5F2DD199}"= UDP:C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Warlords\Civ4Warlords.exe:Sid Meier's Civilization 4 Warlords
"{91F99B66-1E13-4773-A934-05AE1AA7845D}"= TCP:C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Warlords\Civ4Warlords.exe:Sid Meier's Civilization 4 Warlords
"{7ED20C6A-2894-413A-89C8-40712F480A9F}"= UDP:C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Warlords\Civ4Warlords_PitBoss.exe:Sid Meier's Civilization 4 Pitboss
"{48F7EBFF-CD16-4DCD-A3DA-3A4E2B3413BA}"= TCP:C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Warlords\Civ4Warlords_PitBoss.exe:Sid Meier's Civilization 4 Pitboss
"TCP Query User{28D98880-CA1C-4D29-830B-9B63EFDCA0B2}C:\program files\azureus\azureus.exe"= UDP:C:\program files\azureus\azureus.exe:Azureus
"UDP Query User{BC807BEB-3ABB-4DAD-AF2A-FAD5A1E12A03}C:\program files\azureus\azureus.exe"= TCP:C:\program files\azureus\azureus.exe:Azureus
"TCP Query User{691A96F5-D638-4687-8A3D-322C352B6894}C:\program files\limewire\limewire.exe"= UDP:C:\program files\limewire\limewire.exe:LimeWire
"UDP Query User{7EFD2A95-6AB2-4110-9B4C-BFEAE50A519B}C:\program files\limewire\limewire.exe"= TCP:C:\program files\limewire\limewire.exe:LimeWire
"TCP Query User{349E2BDA-9B4F-46ED-BFC1-7140DD742EEC}C:\program files\skype\phone\skype.exe"= UDP:C:\program files\skype\phone\skype.exe:Skype. Take a deep breath
"UDP Query User{B5F42FAC-03BB-4F1A-AA3E-0E3E366B606F}C:\program files\skype\phone\skype.exe"= TCP:C:\program files\skype\phone\skype.exe:Skype. Take a deep breath
"TCP Query User{44B28D62-8C1A-45E1-8D44-B609C40C4ACE}C:\program files\intervideo\dvd8\windvd.exe"= UDP:C:\program files\intervideo\dvd8\windvd.exe:WinDVD
"UDP Query User{335E507C-6103-4790-80CD-2DC42CA87E57}C:\program files\intervideo\dvd8\windvd.exe"= TCP:C:\program files\intervideo\dvd8\windvd.exe:WinDVD
"TCP Query User{5811240B-E106-4817-BC94-ED4869EB7D4D}C:\program files\ea games\mohaa\mohaa.exe"= UDP:C:\program files\ea games\mohaa\mohaa.exe:Medal of Honor Allied Assault
"UDP Query User{63DB06B9-F4A6-494C-94D9-7EB3E2A08A06}C:\program files\ea games\mohaa\mohaa.exe"= TCP:C:\program files\ea games\mohaa\mohaa.exe:Medal of Honor Allied Assault
"TCP Query User{BA26CE7C-60CA-45CA-AEB0-96F42FE21BA1}C:\program files\internet explorer\iexplore.exe"= UDP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{E63DE474-EB47-4B66-B89E-EBC7C97EE04C}C:\program files\internet explorer\iexplore.exe"= TCP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"{384B3E27-AB83-4556-AD89-E6FA77D6A36E}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"TCP Query User{95777526-2F63-42D8-9DF7-8E63061F4E43}C:\unrealtournament\system\unrealtournament.exe"= UDP:C:\unrealtournament\system\unrealtournament.exe:UnrealTournament
"UDP Query User{B857819E-286C-45B5-A60E-05AFACCB4AF3}C:\unrealtournament\system\unrealtournament.exe"= TCP:C:\unrealtournament\system\unrealtournament.exe:UnrealTournament
"TCP Query User{834DDB88-EFCD-4238-A4D5-12810F378D26}C:\program files\leechftp\leechftp.exe"= UDP:C:\program files\leechftp\leechftp.exe:LeechFTP
"UDP Query User{43A424EC-BDDC-4D7C-A916-89EC071087CA}C:\program files\leechftp\leechftp.exe"= TCP:C:\program files\leechftp\leechftp.exe:LeechFTP

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R1 aswSP;avast! Self Protection;C:\Windows\system32\drivers\aswSP.sys [2008-03-29 19:31]
R1 Hotkey;Hotkey;C:\Windows\system32\drivers\Hotkey.sys [2003-04-28 11:27]
R2 aswFsBlk;aswFsBlk;C:\Windows\system32\DRIVERS\aswFsBlk.sys [2008-03-29 19:35]
R2 aswMonFlt;aswMonFlt;C:\Windows\system32\DRIVERS\aswMonFlt.sys [2008-03-29 19:32]
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [2007-08-31 17:46]
R2 TestHandler;Fujitsu Siemens Computers Diagnostic Testhandler;C:\firststeps\OnlineDiagnostic\TestManager\TestHandler.exe [2006-12-08 10:52]
R3 athr;Atheros Extensible Wireless LAN device driver;C:\Windows\system32\DRIVERS\athr.sys [2007-06-19 07:34]
R3 R300;R300;C:\Windows\system32\DRIVERS\atikmdag.sys [2007-01-08 13:16]
R3 WisLMSvc;WisLMSvc;"C:\Program Files\Launch Manager\WisLMSvc.exe" [2006-11-17 20:45]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ

Newly Created Service - CATCHME

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ccc-core-static]
msiexec /fums {019749A1-F9BC-476C-2614-58D9ED0A6F40} /qb
.
Inhoud van de 'Gedeelde Taken' map
"2008-05-04 21:05:07 C:\Windows\Tasks\User_Feed_Synchronization-{8E65F8BA-3D8A-436E-815E-A2D8B3B9A667}.job"

- C:\Windows\system32\msfeedssync.exe
.

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-04 23:15:47
Windows 6.0.6000 NTFS

scannen van verborgen processen …

scannen van verborgen autostart items …

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CtrlVol = C:\Program Files\Launch Manager\CtrlVol.exe???H?&???&?X3&???w???0???<???|???w???w???3 ?w!??w???&???&?=??w???L???~z?w??&???&??? A???&??? A??]?W=??w???a@?`??? ?A?/??W??? A???@???&??x@???&??]?W??@???&???

scannen van verborgen bestanden …

Scan succesvol afgerond
verborgen bestanden: 0


.
Voltooingstijd: 2008-05-04 23:16:49
ComboFix-quarantined-files.txt 2008-05-04 21:16:29

  Kan het bericht voor berichtnummer 0x2379 niet vinden in berichtenbestand voor Application.
  Kan het bericht voor berichtnummer 0x2379 niet vinden in berichtenbestand voor Application.

215 --- E O F --- 2008-04-25 09:44:45

And here is my last HijackThis log, thanks for your help!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:30:08, on 4-5-2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Launch Manager\HotkeyApp.exe
C:\Program Files\Launch Manager\WButton.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Launch Manager\LaunchAp.exe
C:\Windows\system32\conime.exe
C:\Windows\Explorer.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Help bij koppelingen - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Aanmelden - Help - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [HotkeyApp] C:\Program Files\Launch Manager\HotkeyApp.exe
O4 - HKLM\..\Run: [Wbutton] "C:\Program Files\Launch Manager\Wbutton.exe"
O4 - HKLM\..\Run: [CtrlVol] C:\Program Files\Launch Manager\CtrlVol.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [MSConfig] "C:\Windows\system32\msconfig.exe" /auto
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [snpstd] C:\Windows\vsnpstd.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'SYSTEEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'Default user')
O4 - Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {2250C29C-C5E9-4F55-BE4E-01E45A40FCF1} (CMediaMix Object) - http://musicmix.messenger.msn.com/Medialogic.CAB
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/VistaMSNPUplden-us.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Fujitsu Siemens Computers Diagnostic Testhandler (TestHandler) - Fujitsu Siemens Computers - C:\firststeps\OnlineDiagnostic\TestManager\TestHandler.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\Windows\System32\ZoneLabs\vsmon.exe
O23 - Service: WisLMSvc - Wistron Corp. - C:\Program Files\Launch Manager\WisLMSvc.exe


End of file - 8818 bytes
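As an added illustration, not part of the thread, the script below does the first pass a reviewer makes over a HijackThis log like the one above: it flags any autostart entry whose executable is the file avast reported (winsock32.exe) and any O23 service whose binary is reported missing. The sample log is constructed from lines modelled on the post plus one hypothetical O4 entry; a "file missing" service is a leftover to clean up, not by itself a sign of infection.

```python
import re

# Constructed sample in HijackThis v2 format: four lines modelled on the
# posted log plus one hypothetical O4 entry for the file avast flagged.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [winsock32] C:\Windows\system32\winsock32.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

# File names the thread identifies as malicious (seeded from the avast alert).
KNOWN_BAD = {"winsock32.exe"}

# "O4 - <rest of line>": section tag, then the entry body.
LINE_RE = re.compile(r"^(O\d+) - (.*)$")
# A drive-letter path ending in .exe/.dll, with or without surrounding quotes.
PATH_RE = re.compile(r'"?([A-Za-z]:\\[^"]*?\.(?:exe|dll))"?', re.IGNORECASE)


def review_hjt(log: str) -> list[tuple[str, str]]:
    """Return (reason, line) pairs for entries a reviewer should look at."""
    findings = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        section, body = m.groups()
        # Compare only the file name, case-insensitively, against the known-bad set.
        for path in PATH_RE.findall(body):
            name = path.rsplit("\\", 1)[-1].lower()
            if name in KNOWN_BAD:
                findings.append(("known-bad filename", line.strip()))
        # A service whose binary is gone is an orphan entry worth cleaning up.
        if section == "O23" and body.endswith("(file missing)"):
            findings.append(("service points at missing file", line.strip()))
    return findings


if __name__ == "__main__":
    for reason, entry in review_hjt(SAMPLE_LOG):
        print(f"{reason}: {entry}")
```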

Hi, I don’t see anything amiss there. I did request another forum member (vista user) to have a peek though.

A couple of things you can update though.

Go to http://java.sun.com/javase/downloads/index.jsp

Scroll down to “Java Runtime Environment (JRE) 6 Update 6…allows end-users to run Java applications”.

Click the download button on the right.

If the Information Bar pops up, right-click on it and say it's OK to display the blocked content.

Select the platform (Windows, in your case), multi language.
Accept the license agreement, click continue.

You do not have to install the Java Web Start ActiveX Control

Scroll down and click on Windows Offline Installation,

Save the file jre-6u6-windows-i586-p.exe to your desktop; do not select Run it. Do not install it yet.

When the download is complete, close your browser.

Open Control Panel > Add/Remove Programs:

Uninstall anything that says Sun Java, Java JRE, or similar.

Close Add/Remove Programs.

In Windows Explorer, navigate to C:\Program Files\Java <= this folder, if found. Delete any subfolders it may contain.

Do NOT delete C:\Program Files\JavaVM <= this folder, if found!

Reboot your computer.

Double-click on the saved file to install the update.

Delete the downloaded installation file after completing the above procedure and reboot if not prompted to do so.

• Clear the Java cache

http://www.java.com/en/download/help/5000020300.xml

Adobe Acrobat

If you have the full version of Adobe

Open Acrobat, Click Help and run the Upgrade applet found there. If no update is offered: Use the Preferences, Internet submenu of Acrobat and uncheck to integrate with your Browser. Close Acrobat.

Even if you had the full version of Acrobat or just the Reader, download and install Adobe Reader 8.1.2 and use this as the integrated PDF Reader inside your browser.

http://www.adobe.com/products/acrobat/readstep2.html

Select your version of windows from the dropdown menu and click continue. Step 2 is the download.

Oldman, thanks for your help, I installed the updates.
You did request another forum member (vista user) to have a peek, I hope he will give a reaction.
By the way, would you advise installing Windows Vista Service Pack 1 (SP1)?

Sure, no problems at all.

Yep, I had a peek and saw nothing amiss - and SP1 seems ok on my system.

Thanks guys.

aTOMic, it looks like you are good to go. Essexboy was the member I had asked to have a look.

We’ll remove combofix

Click the start button, click run. In the run box, copy and paste this line, click ok

combofix /u

Hijackthis can also be removed if you wish

Open HJT, click on the misc tools section button. Slide the slider down, click uninstall. You will still have to delete hijackthis.exe.

You should also make a new restore point and clear out the old ones. Info can be found here

http://www.bleepingcomputer.com/tutorials/tutorial143.html

Take care and keep safe.