

Trojan BHO NTLDR

juisterr
30 answers
  • It started 3 days ago.
    After a restart, a balloon with a security shield appeared, reporting that my registry was supposedly infected.
    Supposedly from Windows.
    After some searching I found tcpipmon.exe twice in the processes and ended the process tree, after which the little shield disappeared.
    Also, 4 or 5 exe files keep appearing on my C:, which I can delete afterwards.

    I have tried xoftspy, spybot, ewido and bps spyware remover to remove the whole thing, without result.
    Even in safe mode, msnetax.dll for example cannot be deleted.
    Who can take a look at my log and possibly help?

    Logfile of HijackThis v1.98.2
    Scan saved at 17:27:58, on 15-3-2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16414)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Autodata Limited Shared\Service\ADCDLicSvc.exe
    C:\Program Files\Sitecom\Bluetooth Software\bin\btwdins.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\WINDOWS\wmiprsv.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\Program Files\CyberLink\Shared files\RichVideo.exe
    C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe
    C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\TopDesk\topdesk.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe
    C:\Program Files\Sitecom\Bluetooth Software\BTTray.exe
    C:\Program Files\Nokia\PC Suite for Nokia 3650\connmngmntbox.exe
    C:\Program Files\Nokia\PC Suite for Nokia 3650\ectaskscheduler.exe
    C:\PROGRA~1\Nokia\PCSUIT~1\Elogerr.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
    C:\Program Files\Intuwave\Shared\mRouterRunTime\mRouterRuntime.exe
    C:\PROGRA~1\Nokia\PCSUIT~1\BROADC~1.EXE
    C:\PROGRA~1\Nokia\PCSUIT~1\SCRFS.exe
    C:\Program Files\MSN Messenger\usnsvc.exe
    F:\uTorrent\utorrent.exe
    C:\Program Files\MSN Messenger\livecall.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Ricardo\Bureaublad\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.home.nl/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.home.nl/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.home.nl/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    O2 - BHO: Adobe PDF Reader Help bij koppelingen - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O4 - HKLM\..\Run: [ServiceLayer] C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe
    O4 - HKLM\..\Run: [Nokia Tray Application] C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
    O4 - HKLM\..\Run: [TopDesk] C:\Program Files\TopDesk\topdesk.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [tcpipmon] tcpipmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Gadwin PrintScreen 3.5] C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe /nosplash
    O4 - Global Startup: Adobe Reader Snelle start.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
    O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
    O4 - Global Startup: BTTray.lnk = ?
    O4 - Global Startup: PCSuiteForNokia3650 Detect.lnk = ?
    O4 - Global Startup: PCSuiteForNokia3650 TS.lnk = ?
    O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O8 - Extra context menu item: Download Video - http://www.viloader.net/addon.htm
    O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O8 - Extra context menu item: Verzenden naar &Bluetooth - C:\Program Files\Sitecom\Bluetooth Software\btsendto_ie_ctx.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Sitecom\Bluetooth Software\btsendto_ie.htm
    O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Sitecom\Bluetooth Software\btsendto_ie.htm
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
    O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://bzautoreparaties.spaces.live.com//PhotoUpload/MsnPUpld.cab
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - http://javadl-esd.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586-jc.cab
    O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
    O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game07.zylom.com/activex/zylomgamesplayer.cab
    O16 - DPF: {C36112BF-2FA3-4694-8603-3B510EA3B465} (Lycos File Upload Component) - http://f011.mail.lycos.nl/app/uploader/FileUploader.cab
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
  • You are using an old version of HJT.

    Download Rustbfix.
    Save it to your Desktop.
    Download hijackthissetup to your Desktop.
    Double-click hijackthissetup.exe
    Follow the instructions and click Install
    A shortcut named Hijack This will appear on your Desktop
    Double-click the shortcut to start HijackThis.


    Double-click rustbfix.exe to start the tool.
    If a Rustock.b infection is found, you will shortly afterwards be asked to restart your PC.
    The reboot will probably take some time, and a 2nd reboot may be needed.
    This happens automatically.
    After the reboot(s), 2 logfiles will open (C:\avenger.txt & C:\rustbfix\pelog.txt).
    Post the contents of these logfiles.


    Download SDFix and click "Run".
    Version 1.40 and higher will automatically move the extracted SDFix folder to your system drive (probably: C:\SDFix).

    Restart the PC in safe mode.
    Safe mode for Windows XP
    Restart the computer
    As soon as your computer has finished loading the BIOS (black screen with white letters, or another start screen) and just before Windows loads
    Tap the F8 key (or the F5 key) until you reach the Windows options menu
    Choose to start in safe mode using the arrow keys and then Enter

    Double-click the SDFix folder and double-click RunThis.bat to start the script.
    Type Y and press Enter to start the cleaning process.
    Trojan services and/or registry entries will be removed if they are found, and you will have to press a key to restart.
    The computer will then restart; this takes longer than usual.
    The Fixtool will start working again and continue the removal process, then Finished is shown; wait patiently until you have to press a key again to end the script and reload your desktop icons.
    Once your desktop is back to normal, the SDFix report will open and can also be found in the SDFix folder as Report.txt.
    Copy/paste the contents of this Report.txt into your next reply here, together with a new HijackThis log

    Start HijackThis and choose 'Do a system scan only'
    Select only the items listed below:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

    Close all windows except HijackThis
    Click 'Fix checked' to remove the items.

    Please post the requested logs.
    Juisterr
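The checks a helper applies by eye to logs like the ones in this thread (empty IE page values, orphaned BHOs, Run values without a path, a disabled Registry Editor, unknown Winsock LSP files, Winlogon Notify DLLs, services without an owner), written out as a small triage script. This is an added example, not code from the thread, from HijackThis or from the fix tools named here; the sample log lines, the "after" scan and the allowlist of Winlogon Notify packages are constructed for the example.

```python
"""Triage rules for HijackThis log lines (added example; see lead-in)."""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample: a handful of lines modelled on the logs in this thread.
SAMPLE_BEFORE = """\
Logfile of HijackThis v1.99.1
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Local Page =
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\\Program Files\\Java\\jre1.5.0_11\\bin\\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\\..\\Run: [TopDesk] C:\\Program Files\\TopDesk\\topdesk.exe
O4 - HKLM\\..\\Run: [tcpipmon] tcpipmon.exe
O7 - HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System, DisableRegedit=1
O10 - Unknown file in Winsock LSP: c:\\windows\\system32\\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\\windows\\system32\\msnetax.dll
O20 - Winlogon Notify: rpcc - C:\\WINDOWS\\system32\\rpcc.dll
O20 - Winlogon Notify: WgaLogon - C:\\WINDOWS\\SYSTEM32\\WgaLogon.dll
O23 - Service: Microsoft Validation Service - Unknown owner - C:\\WINDOWS\\wmiprsv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\\WINDOWS\\system32\\HPZipm12.exe
"""
# Constructed "after" scan: the same box once the O2 and O7 items were fixed.
SAMPLE_AFTER = "\n".join(
    line for line in SAMPLE_BEFORE.splitlines()
    if "(no file)" not in line and "DisableRegedit" not in line
)

# Illustrative allowlist (an assumption of this example, not an official list):
# Winlogon Notify packages normally present on Windows XP. Anything else is reported.
KNOWN_WINLOGON_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "scardsvr", "schedule", "sclgntfy",
    "senslogn", "termsrv", "wgalogon", "wlballoon",
}

ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d{1,2}) - (?P<body>.*)$")
RUN_RE = re.compile(r"\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
NOTIFY_RE = re.compile(r"^Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")

def parse(log: str) -> List[Tuple[str, str]]:
    """(section, body) for every HJT entry line; headers and the process list are skipped."""
    entries = []
    for raw in log.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group("sec"), m.group("body").strip()))
    return entries

def judge(sec: str, body: str) -> str:
    """Reason the entry deserves a look, or an empty string if it looks ordinary."""
    if sec in ("R0", "R1") and body.endswith("="):
        return "empty Internet Explorer page value (cosmetic; safe to fix)"
    if sec == "O2" and body.endswith("(no file)"):
        return "BHO registered under a CLSID whose DLL no longer exists (orphaned)"
    if sec == "O4":
        m = RUN_RE.search(body)
        cmd = m.group("cmd").strip().strip('"') if m else ""
        # No directory in the Run value: Windows resolves it through the search
        # path, so the log alone does not tell you where the file really lives.
        if cmd and "\\" not in cmd:
            return f"Run value '{cmd}' has no path; locate the file before trusting it"
    if sec == "O7" and "DisableRegedit=1" in body:
        return "Registry Editor disabled by policy; users rarely set this themselves"
    if sec == "O10" and body.startswith("Unknown file in Winsock LSP:"):
        # Deleting the DLL alone leaves a broken Winsock catalog and no network;
        # the LSP chain has to be repaired by an LSP-aware tool.
        return "unknown DLL in the Winsock LSP chain; repair the chain, do not just delete the file"
    if sec == "O20":
        m = NOTIFY_RE.match(body)
        if m and m.group("name").lower() not in KNOWN_WINLOGON_NOTIFY:
            return "Winlogon Notify DLL not on the allowlist; winlogon.exe loads it at every logon"
    if sec == "O23" and "Unknown owner" in body:
        return "service without an identifiable publisher; verify the binary"
    return ""

def triage(log: str) -> List[Dict[str, object]]:
    """One finding per distinct suspicious entry, in log order. Repeats are
    collapsed into a count (the O10 line appears 16 times in the thread's log)."""
    counts: Dict[Tuple[str, str], int] = {}
    for key in parse(log):
        counts[key] = counts.get(key, 0) + 1
    findings = []
    for (sec, body), count in counts.items():
        reason = judge(sec, body)
        if reason:
            findings.append({"section": sec, "entry": body, "count": count, "reason": reason})
    return findings

def diff_entries(before: str, after: str) -> Tuple[Set[str], Set[str]]:
    """Entries that vanished and entries that appeared between two scans: the
    way to confirm that a 'Fix checked' round, or a fix tool, actually took."""
    b = {f"{s} - {x}" for s, x in parse(before)}
    a = {f"{s} - {x}" for s, x in parse(after)}
    return b - a, a - b

if __name__ == "__main__":
    for f in triage(SAMPLE_BEFORE):
        print(f"{f['section']:>4} x{f['count']}: {f['reason']}\n      {f['entry']}")
    gone, _ = diff_entries(SAMPLE_BEFORE, SAMPLE_AFTER)
    print("removed by the fix:", *sorted(gone), sep="\n  ")
```

Running it on a full log pasted into SAMPLE_BEFORE reports the same items the helper listed plus the O4, O10, O20 and O23 lines that the fix tools later dealt with.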
  • HijackThis log before rustbfix:

    Logfile of HijackThis v1.99.1
    Scan saved at 21:04:12, on 15-3-2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16414)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe
    C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\TopDesk\topdesk.exe
    C:\Program Files\Common Files\Autodata Limited Shared\Service\ADCDLicSvc.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\system32\tcpipmon.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\WINDOWS\system32\tcpipmon.exe
    C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
    C:\Program Files\Nokia\PC Suite for Nokia 3650\connmngmntbox.exe
    C:\Program Files\Nokia\PC Suite for Nokia 3650\ectaskscheduler.exe
    C:\Program Files\Intuwave\Shared\mRouterRunTime\mRouterRuntime.exe
    C:\Program Files\Sitecom\Bluetooth Software\bin\btwdins.exe
    C:\PROGRA~1\Nokia\PCSUIT~1\Elogerr.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\WINDOWS\wmiprsv.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\Program Files\CyberLink\Shared files\RichVideo.exe
    C:\PROGRA~1\Nokia\PCSUIT~1\BROADC~1.EXE
    C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\Nokia\PCSUIT~1\SCRFS.exe
    C:\Program Files\MSN Messenger\usnsvc.exe
    C:\Program Files\MSN Messenger\livecall.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Hijack This\hijackthis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.home.nl/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.home.nl/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.home.nl/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O4 - HKLM\..\Run: [ServiceLayer] C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe
    O4 - HKLM\..\Run: [Nokia Tray Application] C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
    O4 - HKLM\..\Run: [TopDesk] C:\Program Files\TopDesk\topdesk.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [tcpipmon] tcpipmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [Gadwin PrintScreen 3.5] C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe /nosplash
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: Adobe Reader Snelle start.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
    O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
    O4 - Global Startup: BTTray.lnk = ?
    O4 - Global Startup: PCSuiteForNokia3650 Detect.lnk = ?
    O4 - Global Startup: PCSuiteForNokia3650 TS.lnk = ?
    O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O8 - Extra context menu item: Download Video - http://www.viloader.net/addon.htm
    O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O8 - Extra context menu item: Verzenden naar &Bluetooth - C:\Program Files\Sitecom\Bluetooth Software\btsendto_ie_ctx.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\npjpi150_11.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\npjpi150_11.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Sitecom\Bluetooth Software\btsendto_ie.htm
    O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Sitecom\Bluetooth Software\btsendto_ie.htm
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
    O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://bzautoreparaties.spaces.live.com//PhotoUpload/MsnPUpld.cab
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - http://javadl-esd.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586-jc.cab
    O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
    O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game07.zylom.com/activex/zylomgamesplayer.cab
    O16 - DPF: {C36112BF-2FA3-4694-8603-3B510EA3B465} (Lycos File Upload Component) - http://f011.mail.lycos.nl/app/uploader/FileUploader.cab
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
    O20 - Winlogon Notify: instcat - C:\WINDOWS\SYSTEM32\instcat.dll
    O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Autodata Limited License Service - Autodata Limited - C:\Program Files\Common Files\Autodata Limited Shared\Service\ADCDLicSvc.exe
    O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\Sitecom\Bluetooth Software\bin\btwdins.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: Microsoft Validation Service - Unknown owner - C:\WINDOWS\wmiprsv.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
    O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe



    Rustbfix:

    ************************* Rustock.b-fix – By ejvindh *************************
    do 15-03-2007 21:04:53,89

    No Rustock.b-rootkits found

    ******************************* End of Logfile ********************************
    SDFix: Version 1.72

    Run by Ricardo - do 15-03-2007 / 21:11:47,93

    Microsoft Windows XP [versie 5.1.2600]

    Running From: C:\SDFix

    Safe Mode:
    Checking Services:

    Name:
    kprof
    poof

    \??\C:\WINDOWS\system32\kprof
    \??\C:\WINDOWS\system32\poof

    kprof Deleted
    poof Deleted


    Killing PID 232 'smss.exe'
    Killing PID 304 'winlogon.exe'

    Restoring Windows Registry Entries
    Restoring Default Hosts File


    Rebooting…

    Normal Mode:
    Checking Files:

    Below files will be copied to Backups folder then removed:

    C:\WINDOWS\lsass16.exe - Deleted
    C:\WINDOWS\system32\calc32.exe - Deleted
    C:\WINDOWS\system32\koos.exe - Deleted
    C:\WINDOWS\system32\kprof - Deleted
    C:\WINDOWS\system32\max1d1641.exe - Deleted
    C:\WINDOWS\system32\poof - Deleted
    C:\WINDOWS\system32\rpcc.dll - Deleted
    C:\WINDOWS\system32\tcpipmon.exe - Deleted
    C:\WINDOWS\system32\winsvcup.exe - Deleted
    C:\WINDOWS\system32\winupsvc.exe - Deleted
    C:\WINDOWS\Temp\ma1x1dd1.game - Deleted

    Could Not Remove C:\WINDOWS\system32\instcat.dll


    ADS Check:

    C:\WINDOWS\system32
    No streams found.


    Final Check:

    Remaining Services:
    ——————



    Authorized Application Key Export:

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "F:\\uTorrent\\utorrent.exe"="F:\\uTorrent\\utorrent.exe:*:Enabled:µTorrent"
    "C:\\WINDOWS\\Explorer.EXE"="C:\\WINDOWS\\Explorer.EXE:*:Enabled:Explorer"


    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"


    Remaining Files:
    —————
    C:\WINDOWS\system32\instcat.dll Found
    C:\WINDOWS\system32\max1d1641.exe Found
    C:\WINDOWS\system32\rpcc.dll Found
    C:\WINDOWS\system32\tcpipmon.exe Found
    C:\WINDOWS\Temp\ma1x1dd1.game Found

    Backups Folder: - C:\SDFix\backups\backups.zip

    Checking For Files with Hidden Attributes :

    C:\Program Files\BulletProofSoft.com\SpywareRemover\Help\Thumbs.db
    C:\Program Files\BulletProofSoft.com\SpywareRemover\LSPLang\Thumbs.db
    C:\Program Files\Common Files\Motorola Shared\MotPCSDrivers\difxapi.dll
    C:\Program Files\eRightSoft\SUPER\cygwin1.dll
    C:\Program Files\eRightSoft\SUPER\cygz.dll
    C:\Program Files\eRightSoft\SUPER\_Setup.dll
    C:\Program Files\eRightSoft\SUPER\mencoder\14_43260.dll
    C:\Program Files\eRightSoft\SUPER\mencoder\28_83260.dll
    C:\Program Files\eRightSoft\SUPER\mencoder\atrc3260.dll
    C:\Program Files\eRightSoft\SUPER\mencoder\cook3260.dll
    C:\Program Files\eRightSoft\SUPER\mencoder\ddnt3260.dll
    C:\Program Files\eRightSoft\SUPER\mencoder\dnet3260.dll
    C:\Program Files\eRightSoft\SUPER\mencoder\drv13260.dll
    C:\Program Files\eRightSoft\SUPER\mencoder\drv23260.dll
    C:\Program Files\eRightSoft\SUPER\mencoder\drv33260.dll
    C:\Program Files\eRightSoft\SUPER\mencoder\drv43260.dll
    C:\Program Files\eRightSoft\SUPER\mencoder\dspr3260.dll
    C:\Program Files\eRightSoft\SUPER\mencoder\ivvideo.dll
    C:\Program Files\eRightSoft\SUPER\mencoder\qtmlClient.dll
    C:\Program Files\eRightSoft\SUPER\mencoder\raac.dll
    C:\Program Files\eRightSoft\SUPER\mencoder\rnco3260.dll
    C:\Program Files\eRightSoft\SUPER\mencoder\rnlt3260.dll
    C:\Program Files\eRightSoft\SUPER\mencoder\rv103260.dll
    C:\Program Files\eRightSoft\SUPER\mencoder\rv203260.dll
    C:\Program Files\eRightSoft\SUPER\mencoder\rv303260.dll
    C:\Program Files\eRightSoft\SUPER\mencoder\rv403260.dll
    C:\Program Files\eRightSoft\SUPER\mencoder\sipr3260.dll
    C:\Program Files\eRightSoft\SUPER\mencoder\tokr3260.dll
    C:\WINDOWS\system32\flvDX.dll
    C:\Program Files\eRightSoft\SUPER\Setup.exe
    C:\WINDOWS\wmiprsv.exe
    C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp
    C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\afef19942bf45d5b7386efdd6944dce6\BIT87.tmp

    Finished

    And the latest HijackThis log:

    Logfile of HijackThis v1.99.1
    Scan saved at 21:20:19, on 15-3-2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16414)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Autodata Limited Shared\Service\ADCDLicSvc.exe
    C:\Program Files\Sitecom\Bluetooth Software\bin\btwdins.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\WINDOWS\wmiprsv.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\WgaTray.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\HPZipm12.exe
    C:\Program Files\CyberLink\Shared files\RichVideo.exe
    C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\tcpipmon.exe
    C:\WINDOWS\system32\tcpipmon.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe
    C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\TopDesk\topdesk.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
    C:\Program Files\Sitecom\Bluetooth Software\BTTray.exe
    C:\Program Files\Nokia\PC Suite for Nokia 3650\connmngmntbox.exe
    C:\Program Files\Nokia\PC Suite for Nokia 3650\ectaskscheduler.exe
    C:\Program Files\Intuwave\Shared\mRouterRunTime\mRouterRuntime.exe
    C:\PROGRA~1\Nokia\PCSUIT~1\Elogerr.exe
    C:\PROGRA~1\Nokia\PCSUIT~1\BROADC~1.EXE
    C:\PROGRA~1\Nokia\PCSUIT~1\SCRFS.exe
    C:\Program Files\Hijack This\hijackthis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.home.nl/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.home.nl/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.home.nl/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O4 - HKLM\..\Run: [ServiceLayer] C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe
    O4 - HKLM\..\Run: [Nokia Tray Application] C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
    O4 - HKLM\..\Run: [TopDesk] C:\Program Files\TopDesk\topdesk.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [tcpipmon] tcpipmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [Gadwin PrintScreen 3.5] C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe /nosplash
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: Adobe Reader Snelle start.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
    O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
    O4 - Global Startup: BTTray.lnk = ?
    O4 - Global Startup: PCSuiteForNokia3650 Detect.lnk = ?
    O4 - Global Startup: PCSuiteForNokia3650 TS.lnk = ?
    O8 - Extra context menu item: Download Video - http://www.viloader.net/addon.htm
    O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O8 - Extra context menu item: Verzenden naar &Bluetooth - C:\Program Files\Sitecom\Bluetooth Software\btsendto_ie_ctx.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\npjpi150_11.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\npjpi150_11.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Sitecom\Bluetooth Software\btsendto_ie.htm
    O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Sitecom\Bluetooth Software\btsendto_ie.htm
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
    O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://bzautoreparaties.spaces.live.com//PhotoUpload/MsnPUpld.cab
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - http://javadl-esd.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586-jc.cab
    O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
    O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game07.zylom.com/activex/zylomgamesplayer.cab
    O16 - DPF: {C36112BF-2FA3-4694-8603-3B510EA3B465} (Lycos File Upload Component) - http://f011.mail.lycos.nl/app/uploader/FileUploader.cab
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
    O20 - Winlogon Notify: instcat - C:\WINDOWS\SYSTEM32\instcat.dll
    O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Autodata Limited License Service - Autodata Limited - C:\Program Files\Common Files\Autodata Limited Shared\Service\ADCDLicSvc.exe
    O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\Sitecom\Bluetooth Software\bin\btwdins.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: Microsoft Validation Service - Unknown owner - C:\WINDOWS\wmiprsv.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
    O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe





    5 applications and 1 file are still being created on C:

    qljtvns.exe
    tlrftvj.exe
    ufugob.exe
    bhapcqiw.exe
    jljy.exe
    -1542339326

    Also still 2x tcpipmon in the processes.


    O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    This one was not in there before; I also got a winlogon error on restart.
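    As an added example (not a tool anyone in this thread used), the script below applies a few defender-side triage heuristics to HijackThis lines of the kind posted above: O4 Run values that are a bare filename (like [tcpipmon] tcpipmon.exe), O7 policy restrictions, O10 Winsock LSP entries, O20 Winlogon Notify packages outside a small allowlist, and O23 services without publisher information in the Windows directory. The sample log is constructed from entries quoted in the posts, and the allowlists are hand-picked for the example.

```python
"""Triage heuristics for HijackThis log lines.

Added example for this thread, not a tool the posters used. The sample log is
constructed from entries quoted in the posts above; the allowlists are small,
hand-picked sets for the example and must be extended for a real environment.
"""
import re
from collections import Counter
from dataclasses import dataclass

SAMPLE_LOG = r"""
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [ServiceLayer] C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [tcpipmon] tcpipmon.exe
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O20 - Winlogon Notify: instcat - C:\WINDOWS\SYSTEM32\instcat.dll
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Microsoft Validation Service - Unknown owner - C:\WINDOWS\wmiprsv.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
"""

# Constructed allowlist: Winlogon Notify packages present on a stock XP SP2 box
# plus the WGA notification update. Anything else is loaded into winlogon.exe
# at every logon and deserves a look.
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "ScCertProp", "Schedule",
                "sclgntfy", "SensLogn", "termsrv", "wlballoon", "WgaLogon"}
# Windows-native host binaries that legitimately appear without a path; what
# they load (here bthprops.cpl) still has to be reviewed separately.
HOST_EXEMPT = {"rundll32.exe"}

O4_RE = re.compile(r"^O4 - HK\w+\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O7_RE = re.compile(r"^O7 - .*Policies\\System, (?P<policy>\w+)=(?P<value>\S+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<dll>.+)$")
PATH_RE = re.compile(r"[a-z]:\\[^'\s]+", re.I)


@dataclass(frozen=True)
class Finding:
    section: str
    reason: str
    line: str


def triage(lines):
    """Return the log entries that need a closer look, with a reason for each."""
    findings = []
    lsp_hits = Counter()
    lsp_lines = {}
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("O2 - BHO:") and line.endswith("(no file)"):
            findings.append(Finding("O2", "BHO registration whose DLL is gone; a dead entry to clean up", line))
        elif m := O4_RE.match(line):
            cmd = m.group("cmd")
            # First token is the executable; quoted paths may contain spaces.
            exe = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split()[0]
            if "\\" not in exe and exe.lower() not in HOST_EXEMPT:
                findings.append(Finding("O4", f"Run value [{m.group('name')}] is a bare filename, "
                                        "resolved through the search path rather than an install directory", line))
        elif m := O7_RE.match(line):
            findings.append(Finding("O7", f"policy restriction {m.group('policy')}={m.group('value')}; "
                                    "legitimate software rarely locks the user out of admin tools", line))
        elif line.startswith("O10 - "):
            # HijackThis reports an O10 only for an unknown or broken LSP; the
            # same DLL is listed once per protocol it chains into, so count it.
            p = PATH_RE.search(line)
            dll = p.group(0).lower() if p else line
            lsp_hits[dll] += 1
            lsp_lines.setdefault(dll, line)
        elif m := O20_RE.match(line):
            if m.group("key") not in KNOWN_NOTIFY:
                findings.append(Finding("O20", f"Winlogon Notify package '{m.group('key')}' is not a known "
                                        "Windows component; it runs inside winlogon.exe", line))
        elif line.startswith("O23 - Service: "):
            parts = line[len("O23 - Service: "):].rsplit(" - ", 2)
            if len(parts) == 3 and parts[1] == "Unknown owner" and parts[2].lower().startswith("c:\\windows"):
                findings.append(Finding("O23", "service with no publisher information installed "
                                        "straight into the Windows directory", line))
    for dll, n in lsp_hits.items():
        findings.append(Finding("O10", f"Winsock LSP provider {dll} is unknown or missing ({n} log lines); "
                                "deleting the file without unchaining the LSP breaks networking", lsp_lines[dll]))
    return findings


def report(findings):
    """Plain-text summary, one finding per block."""
    return "\n".join(f"[{f.section}] {f.reason}\n    {f.line}" for f in findings)


if __name__ == "__main__":
    print(report(triage(SAMPLE_LOG.splitlines())))
```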
  • Download Dr.Web CureIt to your desktop:
    ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

    Double-click drweb-cureit.exe and allow it to start the express scan.
    This scans the files currently loaded in memory; if anything is found, click the "Yes to all" button when asked 'cure it?'. This is only a short scan.
    Once the short scan has finished, click Options > Change Settings.
    Choose the "Scan" tab and untick "Heuristic analysis".
    Back in the main window you can select the drives you want scanned.
    Select all drives here. A red dot will then appear on the drives you are having scanned.
    Then click the green arrow on the right to start the scan.
    Click 'Yes to all' when asked whether to cure or move.
    When the scan is done, check whether you can click the following icon next to what was found: http://users.telenet.be/bluepatchy/miekiemoes/images/check.gif
    If so, click it, then click the icon just below it and choose: Move incurable, as shown in the following image:
    http://users.telenet.be/bluepatchy/miekiemoes/images/move.gif
    This will move the files to the folder %userprofile%\DoctorWeb\quarantaine-folder if they cannot be disinfected. (this is in case we need samples)
    After selecting the above, in the menu at the top of Dr.Web CureIt, click file and choose save report list. Save the log to your desktop.
    Then close Dr.Web CureIt.

    Restart your computer!! Important step, because Dr.Web CureIt may move/delete files during the restart.
    After restarting, copy and paste the contents of the log you saved earlier into your next post.

    Download: RemoveVideoActiveXObject.exe
    Save the file to your desktop, then double-click it.
    The uninstaller of a rogue scanner may start; do not close it but let it do its work.

    Then restart the PC and double-click RemoveVideoActiveXObject.exe again.
    Then post the log C:\RVAXO-results.log in your next message together with a new HijackThis log.

    Download the file and save it to your desktop, then double-click it.
    If an uninstaller becomes active, let it do its work.
    Restart the PC and then double-click RemoveVideoActiveXObject.exe again.
    Then post a HijackThis log.
  • mssrs32.exe;c:\program files\common files\system;Probably DLOADER.Trojan;Will be moved after reboot.;
    instcat.dll;c:\windows\system32;Trojan.Proxy.1387;Will be cured after reboot.;
    msnetax.dll;c:\windows\system32;Trojan.Sender;Will be cured after reboot.;
    tcpipmon.exe;c:\windows\system32;Trojan.Fakealert.257;Will be cured after reboot.;
    bhapcqiw.exe;C:\;Trojan.Fakealert.257;Deleted.;
    jljy.exe;C:\;Trojan.DownLoader.19378;Deleted.;
    tlrftvj.exe\data001;C:\tlrftvj.exe;Trojan.Sklog;;
    tlrftvj.exe\data002;C:\tlrftvj.exe;Trojan.NtRootKit.218;;
    tlrftvj.exe\data003;C:\tlrftvj.exe;Trojan.NtRootKit.219;;
    tlrftvj.exe;C:\;Archive contains infected objects;Moved.;
    ufugob.exe;C:\;Trojan.DownLoader.19256;Deleted.;
    Inst.exe;C:\ADCDTEMP;Win32.Parite.2;Cured.;
    REGUPDATE.exe;C:\ADCDTEMP;Win32.Parite.2;Cured.;
    agmjxkuurb[1].txt;C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\JNS9SUM0;Trojan.DownLoader.19378;Deleted.;
    kqwgtddn[1].htm;C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\JNS9SUM0;Trojan.Fakealert.257;Deleted.;
    yroln[1].htm;C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\JNS9SUM0;Win32.HLLM.Bid;Deleted.;
    yroln[2].htm;C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\JNS9SUM0;Win32.HLLM.Bid;Deleted.;
    zspzmwkg[1].htm\data001;C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OV0BC5CT\zspzmwkg[1].htm;Trojan.Sklog;;
    zspzmwkg[1].htm\data002;C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OV0BC5CT\zspzmwkg[1].htm;Trojan.NtRootKit.218;;
    zspzmwkg[1].htm\data003;C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OV0BC5CT\zspzmwkg[1].htm;Trojan.NtRootKit.219;;
    zspzmwkg[1].htm;C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OV0BC5CT;Archive contains infected objects;Moved.;
    hjgddaoxuh[1].htm;C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\WNIBGH29;Trojan.DownLoader.19256;Deleted.;
    hjgddaoxuh[2].htm;C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\WNIBGH29;Trojan.DownLoader.19256;Deleted.;
    ose00000.exe;C:\Documents and Settings\Ricardo\Local Settings\Temp;Win32.Parite.2;Cured.;
    Process.exe;C:\SDFix\apps;Tool.Prockill;Moved.;
    A0010063.exe;C:\System Volume Information\_restore{E6E64FED-E68A-4F78-B214-DD3E57E196DC}\RP89;Win32.HLLM.Bid;Deleted.;
    A0010066.exe;C:\System Volume Information\_restore{E6E64FED-E68A-4F78-B214-DD3E57E196DC}\RP89;Trojan.Fakealert.257;Deleted.;
    A0010067.exe;C:\System Volume Information\_restore{E6E64FED-E68A-4F78-B214-DD3E57E196DC}\RP89;Trojan.DownLoader.19378;Deleted.;
    A0010095.exe;C:\System Volume Information\_restore{E6E64FED-E68A-4F78-B214-DD3E57E196DC}\RP89;Trojan.Fakealert.257;Deleted.;
    A0010096.exe;C:\System Volume Information\_restore{E6E64FED-E68A-4F78-B214-DD3E57E196DC}\RP89;Trojan.DownLoader.19378;Deleted.;
    A0010097.dll;C:\System Volume Information\_restore{E6E64FED-E68A-4F78-B214-DD3E57E196DC}\RP89;Win32.HLLM.Bid;Deleted.;
    A0010166.exe;C:\System Volume Information\_restore{E6E64FED-E68A-4F78-B214-DD3E57E196DC}\RP89;Trojan.Fakealert.257;Deleted.;
    A0010194.exe;C:\System Volume Information\_restore{E6E64FED-E68A-4F78-B214-DD3E57E196DC}\RP89;Trojan.Fakealert.257;Deleted.;
    A0010199.exe;C:\System Volume Information\_restore{E6E64FED-E68A-4F78-B214-DD3E57E196DC}\RP89;Trojan.Fakealert.257;Deleted.;
    A0010208.exe;C:\System Volume Information\_restore{E6E64FED-E68A-4F78-B214-DD3E57E196DC}\RP89;Trojan.Fakealert.257;Deleted.;
    A0010215.exe;C:\System Volume Information\_restore{E6E64FED-E68A-4F78-B214-DD3E57E196DC}\RP90;Trojan.Fakealert.257;Deleted.;
    A0010216.exe;C:\System Volume Information\_restore{E6E64FED-E68A-4F78-B214-DD3E57E196DC}\RP90;Trojan.DownLoader.19378;Deleted.;
    A0010225.exe;C:\System Volume Information\_restore{E6E64FED-E68A-4F78-B214-DD3E57E196DC}\RP90;Trojan.Fakealert.257;Deleted.;
    A0010235.exe;C:\System Volume Information\_restore{E6E64FED-E68A-4F78-B214-DD3E57E196DC}\RP90;Trojan.Fakealert.257;Deleted.;
    MFEX-2.DAT;C:\System Volume Information\_restore{E6E64FED-E68A-4F78-B214-DD3E57E196DC}\RP90\snapshot;Trojan.Fakealert.257;Deleted.;
    A0010275.exe;C:\System Volume Information\_restore{E6E64FED-E68A-4F78-B214-DD3E57E196DC}\RP92;Trojan.Fakealert.257;Deleted.;
    A0010340.exe;C:\System Volume Information\_restore{E6E64FED-E68A-4F78-B214-DD3E57E196DC}\RP93;Trojan.Fakealert.257;Deleted.;
    A0010341.exe;C:\System Volume Information\_restore{E6E64FED-E68A-4F78-B214-DD3E57E196DC}\RP93;Trojan.Fakealert.257;Deleted.;
    A0010342.exe;C:\System Volume Information\_restore{E6E64FED-E68A-4F78-B214-DD3E57E196DC}\RP93;Trojan.DownLoader.19378;Deleted.;
    A0010357.exe;C:\System Volume Information\_restore{E6E64FED-E68A-4F78-B214-DD3E57E196DC}\RP93;Trojan.DownLoader.19378;Deleted.;
    A0010358.exe;C:\System Volume Information\_restore{E6E64FED-E68A-4F78-B214-DD3E57E196DC}\RP93;Trojan.Fakealert.257;Deleted.;
    A0010375.exe;C:\System Volume Information\_restore{E6E64FED-E68A-4F78-B214-DD3E57E196DC}\RP93;Trojan.Fakealert.257;Deleted.;
    A0010376.exe;C:\System Volume Information\_restore{E6E64FED-E68A-4F78-B214-DD3E57E196DC}\RP93;Trojan.DownLoader.19378;Deleted.;
    A0010452.exe;C:\System Volume Information\_restore{E6E64FED-E68A-4F78-B214-DD3E57E196DC}\RP94;Trojan.Fakealert.257;Deleted.;
    A0010464.exe;C:\System Volume Information\_restore{E6E64FED-E68A-4F78-B214-DD3E57E196DC}\RP94;Trojan.Fakealert.257;Deleted.;
    A0010465.exe;C:\System Volume Information\_restore{E6E64FED-E68A-4F78-B214-DD3E57E196DC}\RP94;Trojan.DownLoader.19378;Deleted.;
    A0010466.exe;C:\System Volume Information\_restore{E6E64FED-E68A-4F78-B214-DD3E57E196DC}\RP94;Trojan.Fakealert.257;Deleted.;
    A0010475.exe;C:\System Volume Information\_restore{E6E64FED-E68A-4F78-B214-DD3E57E196DC}\RP94;Trojan.Fakealert.257;Deleted.;
    A0010476.exe;C:\System Volume Information\_restore{E6E64FED-E68A-4F78-B214-DD3E57E196DC}\RP94;Trojan.DownLoader.19378;Deleted.;
    A0010481.dll;C:\System Volume Information\_restore{E6E64FED-E68A-4F78-B214-DD3E57E196DC}\RP94;Win32.HLLM.Bid;Deleted.;
    A0010484.exe;C:\System Volume Information\_restore{E6E64FED-E68A-4F78-B214-DD3E57E196DC}\RP94;Trojan.Fakealert.257;Deleted.;
    A0010494.exe;C:\System Volume Information\_restore{E6E64FED-E68A-4F78-B214-DD3E57E196DC}\RP94;Trojan.Fakealert.257;Deleted.;
    A0010499.dll;C:\System Volume Information\_restore{E6E64FED-E68A-4F78-B214-DD3E57E196DC}\RP94;Win32.HLLM.Bid;Deleted.;
    A0010505.exe;C:\System Volume Information\_restore{E6E64FED-E68A-4F78-B214-DD3E57E196DC}\RP94;Trojan.Fakealert.257;Deleted.;
    A0010507.exe;C:\System Volume Information\_restore{E6E64FED-E68A-4F78-B214-DD3E57E196DC}\RP94;Trojan.Fakealert.257;Deleted.;
    A0010536.exe;C:\System Volume Information\_restore{E6E64FED-E68A-4F78-B214-DD3E57E196DC}\RP95;Trojan.Fakealert.257;Deleted.;
    A0010542.exe;C:\System Volume Information\_restore{E6E64FED-E68A-4F78-B214-DD3E57E196DC}\RP95;Trojan.Fakealert.257;Deleted.;
    A0011687.exe;C:\System Volume Information\_restore{E6E64FED-E68A-4F78-B214-DD3E57E196DC}\RP96;BackDoor.IRC.Sdbot;Deleted.;
    A0011688.exe;C:\System Volume Information\_restore{E6E64FED-E68A-4F78-B214-DD3E57E196DC}\RP96;Trojan.DownLoader.15408;Deleted.;
    A0011689.exe;C:\System Volume Information\_restore{E6E64FED-E68A-4F78-B214-DD3E57E196DC}\RP96;Trojan.Sklog;Deleted.;
    A0011690.exe;C:\System Volume Information\_restore{E6E64FED-E68A-4F78-B214-DD3E57E196DC}\RP96;Dialer.Maxd;Deleted.;
    A0011691.dll;C:\System Volume Information\_restore{E6E64FED-E68A-4F78-B214-DD3E57E196DC}\RP96;Win32.HLLM.Bid;Deleted.;
    A0011692.exe;C:\System Volume Information\_restore{E6E64FED-E68A-4F78-B214-DD3E57E196DC}\RP96;Trojan.Fakealert.257;Deleted.;
    A0011698.dll;C:\System Volume Information\_restore{E6E64FED-E68A-4F78-B214-DD3E57E196DC}\RP96;Trojan.Proxy.1387;Deleted.;
    A0011699.exe;C:\System Volume Information\_restore{E6E64FED-E68A-4F78-B214-DD3E57E196DC}\RP96;Trojan.DownLoader.15408;Deleted.;
    A0011700.exe;C:\System Volume Information\_restore{E6E64FED-E68A-4F78-B214-DD3E57E196DC}\RP96;Trojan.Sklog;Deleted.;
    A0011701.exe;C:\System Volume Information\_restore{E6E64FED-E68A-4F78-B214-DD3E57E196DC}\RP96;BackDoor.IRC.Sdbot;Deleted.;
    A0011702.exe;C:\System Volume Information\_restore{E6E64FED-E68A-4F78-B214-DD3E57E196DC}\RP96;Dialer.Maxd;Deleted.;
    A0011703.dll;C:\System Volume Information\_restore{E6E64FED-E68A-4F78-B214-DD3E57E196DC}\RP96;Win32.HLLM.Bid;Deleted.;
    A0011704.exe;C:\System Volume Information\_restore{E6E64FED-E68A-4F78-B214-DD3E57E196DC}\RP96;Trojan.Fakealert.257;Deleted.;
    A0011730.exe;C:\System Volume Information\_restore{E6E64FED-E68A-4F78-B214-DD3E57E196DC}\RP96;Win32.HLLM.Bid;Deleted.;
    A0011731.exe;C:\System Volume Information\_restore{E6E64FED-E68A-4F78-B214-DD3E57E196DC}\RP96;Trojan.DownLoader.19256;Deleted.;
    A0011732.exe\data001;C:\System Volume Information\_restore{E6E64FED-E68A-4F78-B214-DD3E57E196DC}\RP96\A0011732.exe;Trojan.Sklog;;
    A0011732.exe\data002;C:\System Volume Information\_restore{E6E64FED-E68A-4F78-B214-DD3E57E196DC}\RP96\A0011732.exe;Trojan.NtRootKit.218;;
    A0011732.exe\data003;C:\System Volume Information\_restore{E6E64FED-E68A-4F78-B214-DD3E57E196DC}\RP96\A0011732.exe;Trojan.NtRootKit.219;;
    A0011732.exe;C:\System Volume Information\_restore{E6E64FED-E68A-4F78-B214-DD3E57E196DC}\RP96;Archive contains infected objects;Moved.;
    exec1.exe;C:\WINDOWS\system32;Win32.Parite.2;Cured.;
    exec2.exe;C:\WINDOWS\system32;BackDoor.IRC.Sdbot;Deleted.;
    instcat.dll;C:\WINDOWS\system32;Trojan.Proxy.1387;Will be cured after reboot.;
    max1d1641.exe;C:\WINDOWS\system32;Dialer.Maxd;Deleted.;
    msnetax.dll;C:\WINDOWS\system32;Trojan.Sender;Will be cured after reboot.;
    tcpipmon.exe;C:\WINDOWS\system32;Trojan.Fakealert.257;Will be cured after reboot.;
    ma1x1dd1.game;C:\WINDOWS\Temp;Dialer.Maxd;Deleted.;
    tcpipmon.exe;C:\WINDOWS\Temp;Trojan.Fakealert.257;Deleted.;
    RemoveWGA.exe;D:\eMule\Incoming\Windows XP Pro Corp NL SP3 aug 2006 + Retail upgr Key (Ghost168 Wga Patch)\Disable WGA Check & Notifications\;Tool.RemoveWGA;Moved.;
    TipTopDeluxe_v11.exe;D:\from DC\ready\All (15) Popcap Games With Keygens 2004.05.04 (Alchemy Astropop Atomica Bejeweled Big Money Bookworm Dynomite ;Tool.ASEye.2;Moved.;
    Patch.exe;D:\from DC\ready\AudioDVDCreator.v1.85-RESURRECTiON\Patch;Tool.ASEye.2;Moved.;
    A0005701.exe;D:\System Volume Information\_restore{E6E64FED-E68A-4F78-B214-DD3E57E196DC}\RP61;Win32.Parite.2;Cured.;
    A0005701.exe;D:\System Volume Information\_restore{E6E64FED-E68A-4F78-B214-DD3E57E196DC}\RP61;Win32.Parite.2;Cured.;
    kerstverlichting.exe;F:\BitComet\Downloads\03-ULTIMATE;Joke.Xmas;Moved.;
    A0003817.exe;F:\System Volume Information\_restore{E6E64FED-E68A-4F78-B214-DD3E57E196DC}\RP42;Modification of BackDoor.Generic.824;Moved.;





    —————-RemoveVideoActiveXObject.exe first run————-

    Files found:

    C:\WINDOWS\system32\rpcc.dll

    Uninstallers Rogue scanners:


    Folders Found:


    ————–RemoveVideoActiveXObject.exe last run—————

    Files found:


    Uninstallers Rogue scanners:


    Folders Found:







    Logfile of HijackThis v1.99.1
    Scan saved at 0:52:23, on 16-3-2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16414)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\WgaTray.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Autodata Limited Shared\Service\ADCDLicSvc.exe
    C:\Program Files\Sitecom\Bluetooth Software\bin\btwdins.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\WINDOWS\wmiprsv.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\Program Files\CyberLink\Shared files\RichVideo.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe
    C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\TopDesk\topdesk.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
    C:\Program Files\Sitecom\Bluetooth Software\BTTray.exe
    C:\Program Files\Nokia\PC Suite for Nokia 3650\connmngmntbox.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
    C:\Program Files\Hijack This\hijackthis.exe
    C:\PROGRA~1\Intuwave\Shared\MROUTE~1\MROUTE~2.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.home.nl/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.home.nl/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O4 - HKLM\..\Run: [ServiceLayer] C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe
    O4 - HKLM\..\Run: [Nokia Tray Application] C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
    O4 - HKLM\..\Run: [TopDesk] C:\Program Files\TopDesk\topdesk.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [Gadwin PrintScreen 3.5] C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe /nosplash
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: Adobe Reader Snelle start.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
    O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
    O4 - Global Startup: BTTray.lnk = ?
    O4 - Global Startup: PCSuiteForNokia3650 Detect.lnk = ?
    O4 - Global Startup: PCSuiteForNokia3650 TS.lnk = ?
    O8 - Extra context menu item: Download Video - http://www.viloader.net/addon.htm
    O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O8 - Extra context menu item: Verzenden naar &Bluetooth - C:\Program Files\Sitecom\Bluetooth Software\btsendto_ie_ctx.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\npjpi150_11.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\npjpi150_11.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Sitecom\Bluetooth Software\btsendto_ie.htm
    O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Sitecom\Bluetooth Software\btsendto_ie.htm
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
    O10 - Broken Internet access because of LSP provider 'c:\windows\system32\msnetax.dll' missing
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://bzautoreparaties.spaces.live.com//PhotoUpload/MsnPUpld.cab
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - http://javadl-esd.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586-jc.cab
    O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
    O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game07.zylom.com/activex/zylomgamesplayer.cab
    O16 - DPF: {C36112BF-2FA3-4694-8603-3B510EA3B465} (Lycos File Upload Component) - http://f011.mail.lycos.nl/app/uploader/FileUploader.cab
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
    O20 - Winlogon Notify: instcat - instcat.dll (file missing)
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Autodata Limited License Service - Autodata Limited - C:\Program Files\Common Files\Autodata Limited Shared\Service\ADCDLicSvc.exe
    O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\Sitecom\Bluetooth Software\bin\btwdins.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: Microsoft Validation Service - Unknown owner - C:\WINDOWS\wmiprsv.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
    O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
  • Needless to say you are/were quite badly infected; a lot is already gone, but not everything yet.


    Download ComboScan to your Desktop (by Deckard).
    Close all applications and windows.
    Double-click Comboscan.exe to start it, and follow the prompts.
    When the scan is complete, a text file - ComboScan.txt - will open.
    Copy (Ctrl+A followed by Ctrl+C) and paste (Ctrl+V) the contents of ComboScan.txt into your next reply.
    Note: Some firewalls may warn that sigcheck.exe is trying to connect to the internet
    - make sure sigcheck.exe is allowed to do so!
    It can also happen that your antivirus flags Comboscan as suspicious, or even tries to remove it.
    Do not let your antivirus remove it! (In that case it may be better to disable your antivirus during the Comboscan)

    Then do the following again.


    Download: (if you no longer have it) RemoveVideoActiveXObject.exe
    Save the file to your desktop, then double-click it.
    The uninstaller of a rogue scanner may start; do not close it but let it do its work.

    Then restart the PC and double-click RemoveVideoActiveXObject.exe again.
    Then post the log C:\RVAXO-results.log in your next message together with a new HijackThis log.

    Good luck, and also tell us whether the problem is already less.
  • ComboScan v20070306.20 run by Ricardo on 2007-03-16 at 10:46:32
    Computer is in Normal Mode.
    ——————————————————————————–



    – HijackThis (run as Ricardo.exe) ———————————————

    Logfile of HijackThis v1.99.1
    Scan saved at 10:46:40, on 16-3-2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16414)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\WgaTray.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Autodata Limited Shared\Service\ADCDLicSvc.exe
    C:\Program Files\Sitecom\Bluetooth Software\bin\btwdins.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\WINDOWS\wmiprsv.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\Program Files\CyberLink\Shared files\RichVideo.exe
    C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe
    C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\TopDesk\topdesk.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Sitecom\Bluetooth Software\BTTray.exe
    C:\Program Files\Nokia\PC Suite for Nokia 3650\connmngmntbox.exe
    C:\Program Files\Nokia\PC Suite for Nokia 3650\ectaskscheduler.exe
    C:\PROGRA~1\Nokia\PCSUIT~1\Elogerr.exe
    C:\Program Files\Intuwave\Shared\mRouterRunTime\mRouterRuntime.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
    C:\PROGRA~1\Nokia\PCSUIT~1\BROADC~1.EXE
    C:\PROGRA~1\Nokia\PCSUIT~1\SCRFS.exe
    C:\Program Files\MSN Messenger\usnsvc.exe
    C:\Program Files\MSN Messenger\livecall.exe
    C:\WINDOWS\system32\svchost.exe
    F:\uTorrent\utorrent.exe
    C:\Documents and Settings\Ricardo\Bureaublad\comboscan.exe
    C:\PROGRA~1\HIJACK~1\Ricardo.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.home.nl/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.home.nl/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O4 - HKLM\..\Run: [ServiceLayer] C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe
    O4 - HKLM\..\Run: [Nokia Tray Application] C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
    O4 - HKLM\..\Run: [TopDesk] C:\Program Files\TopDesk\topdesk.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [tcpipmon] tcpipmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [Gadwin PrintScreen 3.5] C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe /nosplash
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: Adobe Reader Snelle start.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
    O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
    O4 - Global Startup: BTTray.lnk = ?
    O4 - Global Startup: PCSuiteForNokia3650 Detect.lnk = ?
    O4 - Global Startup: PCSuiteForNokia3650 TS.lnk = ?
    O8 - Extra context menu item: Download Video - http://www.viloader.net/addon.htm
    O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O8 - Extra context menu item: Verzenden naar &Bluetooth - C:\Program Files\Sitecom\Bluetooth Software\btsendto_ie_ctx.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\npjpi150_11.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\npjpi150_11.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Sitecom\Bluetooth Software\btsendto_ie.htm
    O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Sitecom\Bluetooth Software\btsendto_ie.htm
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
    O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://bzautoreparaties.spaces.live.com//PhotoUpload/MsnPUpld.cab
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - http://javadl-esd.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586-jc.cab
    O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
    O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game07.zylom.com/activex/zylomgamesplayer.cab
    O16 - DPF: {C36112BF-2FA3-4694-8603-3B510EA3B465} (Lycos File Upload Component) - http://f011.mail.lycos.nl/app/uploader/FileUploader.cab
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
    O20 - Winlogon Notify: instcat - instcat.dll (file missing)
    O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Autodata Limited License Service - Autodata Limited - C:\Program Files\Common Files\Autodata Limited Shared\Service\ADCDLicSvc.exe
    O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\Sitecom\Bluetooth Software\bin\btwdins.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: Microsoft Validation Service - Unknown owner - C:\WINDOWS\wmiprsv.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
    O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe


    – Files created between 2007-02-16 and 2007-03-16 —————————–

    2007-03-16 01:02:44 13824 –a—— C:\WINDOWS\system32\max1d1641.exe<MAX1D1~1.EXE>
    2007-03-16 01:02:43 30720 –a—— C:\WINDOWS\system32\tcpipmon.exe
    2007-03-16 01:02:41 30720 –a—— C:\WINDOWS\system32\rpcc.dll
    2007-03-16 01:01:57 20480 –a—— C:\WINDOWS\system32\msnetax.dll
    2007-03-16 00:52:05 16768 –a—— C:\WINDOWS\system32\RemoveVideoActiveXObject.reg<REMOVE~1.REG>
    2007-03-15 22:00:10 0 d——– C:\Documents and Settings\Ricardo\DoctorWeb<DOCTOR~1>
    2007-03-15 21:04:53 0 d——– C:\Rustbfix
    2007-03-15 20:57:47 0 d——– C:\Program Files\Hijack This<HIJACK~1>
    2007-03-15 20:56:59 0 d——– C:\SDFix
    2007-03-15 15:23:39 0 d——– C:\Program Files\XoftSpySE<XOFTSP~1>
    2007-03-15 10:23:31 423784 –a—— C:\WINDOWS\system32\XceedBkp.dll
    2007-03-15 10:23:30 101888 –a—— C:\WINDOWS\system32\VB6STKIT.DLL
    2007-03-15 10:14:28 0 d——– C:\Program Files\BulletProofSoft.com<BULLET~1.COM>
    2007-03-13 22:21:10 0 d——– C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy<SPYBOT~1>
    2007-03-13 09:20:03 0 d——– C:\Program Files\Alcohol Soft<ALCOHO~1>
    2007-03-11 18:23:20 0 d——– C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage<OFFICE~1>
    2007-03-11 18:23:17 0 d——– C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage<WINDOW~1>
    2007-03-11 18:07:01 69632 –a—— C:\WINDOWS\system32\remove.exe
    2007-03-10 23:19:14 0 d——– C:\Program Files\RegCure
    2007-03-10 22:07:41 223128 –a—— C:\WINDOWS\system32\drivers\vaxscsi.sys
    2007-03-10 21:54:29 1239040 -r-hs—- C:\WINDOWS\wmiprsv.exe
    2007-03-10 21:54:27 0 d——– C:\WINDOWS\in
    2007-03-09 11:24:38 159744 –a—— C:\WINDOWS\system32\lfpng13n.dll
    2007-03-09 11:24:35 69632 –a—— C:\WINDOWS\system32\lfgif13n.dll
    2007-03-09 11:24:34 462848 –a—— C:\WINDOWS\system32\ltkrn13n.dll
    2007-03-09 11:24:34 450560 –a—— C:\WINDOWS\system32\ltimg13n.dll
    2007-03-09 11:24:34 163840 –a—— C:\WINDOWS\system32\ltfil13n.dll
    2007-03-09 11:24:34 206336 –a—— C:\WINDOWS\system32\ltefx13n.dll
    2007-03-09 11:24:34 299008 –a—— C:\WINDOWS\system32\ltdis13n.dll
    2007-03-09 11:24:34 401408 –a—— C:\WINDOWS\system32\lfcmp13n.dll
    2007-03-09 11:24:34 57344 –a—— C:\WINDOWS\system32\lfbmp13n.dll
    2007-03-06 19:44:18 0 d——– C:\Program Files\PC Inspector File Recovery<PCINSP~1>
    2007-03-06 19:37:13 44544 –a—— C:\WINDOWS\system32\Gif89.dll
    2007-03-06 19:37:13 0 d——– C:\Program Files\Convar
    2007-03-06 19:37:12 512688 –a—— C:\WINDOWS\system32\XceedCry.dll
    2007-03-06 19:37:12 118784 –a—— C:\WINDOWS\system32\DartWeb.dll
    2007-03-06 19:37:12 217088 –a—— C:\WINDOWS\system32\DartSock.dll
    2007-03-06 19:37:11 89360 –a—— C:\WINDOWS\system32\VB5DB.DLL
    2007-03-06 13:02:42 0 d——– C:\Bdienst
    2007-03-05 08:19:16 70656 –a—— C:\WINDOWS\system32\yv12vfw.dll
    2007-03-05 08:19:16 845312 –a—— C:\WINDOWS\system32\Smab.dll
    2007-03-05 08:19:16 70656 –a—— C:\WINDOWS\system32\i420vfw.dll
    2007-03-05 08:19:16 719872 –a—— C:\WINDOWS\system32\devil.dll
    2007-03-05 08:19:16 27648 –a—— C:\WINDOWS\system32\AVSredirect.dll<AVSRED~1.DLL>
    2007-03-05 08:19:16 306688 –a—— C:\WINDOWS\system32\avisynth.dll
    2007-03-05 08:19:16 66560 –a—— C:\WINDOWS\MOTA113.exe
    2007-03-05 08:19:16 217073 –a—— C:\WINDOWS\meta4.exe
    2007-03-05 08:19:15 0 d——– C:\WINDOWS\system32\ShellDHCP<SHELLD~1>
    2007-03-05 08:19:15 0 d——– C:\Program Files\AviSynth 2.5<AVISYN~1.5>
    2007-03-05 08:19:06 163328 -r-hs—- C:\WINDOWS\system32\flvDX.dll
    2007-03-05 08:19:01 0 d——– C:\Program Files\eRightSoft<ERIGHT~1>
    2007-03-03 18:42:53 0 d——– C:\WINDOWS\system32\NtmsData
    2007-02-28 14:20:36 0 d——– C:\WINDOWS\speech
    2007-02-28 14:20:34 0 d——– C:\WINDOWS\lhsp
    2007-02-28 14:20:05 640512 –a—— C:\WINDOWS\system32\Oc30.dll
    2007-02-28 14:20:05 159744 –a—— C:\WINDOWS\system32\Mfcans32.dll
    2007-02-25 13:48:03 0 d——– C:\Program Files\HooTech
    2007-02-25 13:35:11 0 d——– C:\Program Files\QuickTime<QUICKT~1>
    2007-02-25 13:34:39 0 d——– C:\Documents and Settings\All Users\Application Data\Apple Computer<APPLEC~1>
    2007-02-25 13:34:12 0 d——– C:\Program Files\Vertical Moon<VERTIC~1>
    2007-02-22 21:43:32 0 d——– C:\Program Files\TopDesk
    2007-02-22 20:54:02 0 d——– C:\Pinball Arcade<PINBAL~1>
    2007-02-22 13:33:48 0 d——– C:\Documents and Settings\All Users\Application Data\Zylom
    2007-02-21 19:51:01 18934 –a—— C:\WINDOWS\BricoPackUninst.cmd<BRICOP~2.CMD>
    2007-02-21 19:49:05 619 –a—— C:\WINDOWS\BricoPackFoldersDelete.cmd<BRICOP~1.CMD>
    2007-02-21 19:48:12 0 d——– C:\WINDOWS\BricoPacks<BRICOP~1>
    2007-02-21 13:47:07 0 d——– C:\Program Files\Any Video Converter<ANYVID~1>
    2007-02-19 19:58:14 0 d——– C:\Program Files\ewido anti-spyware 4.0<EWIDOA~1.0>
    2007-02-19 19:39:42 0 d——– C:\Program Files\Trend Micro<TRENDM~1>
    2007-02-19 09:03:11 74240 –a—— C:\WINDOWS\system32\exec1.exe
    2007-02-19 09:03:10 11776 –a—— C:\WINDOWS\system32\drivers\oyiujgjq.sys
    2007-02-19 08:55:31 0 d——– C:\Documents and Settings\Ricardo\Application Data\MCMPEGEnc<MCMPEG~1>
    2007-02-19 08:55:16 0 d——– C:\Program Files\MainConcept<MAINCO~1>
    2007-02-18 15:36:58 0 d–h—– C:\WINDOWS\PIF
    2007-02-17 18:14:58 5504 –a—— C:\WINDOWS\system32\drivers\xmasscsi.sys
    2007-02-17 18:14:58 140800 –a—— C:\WINDOWS\system32\drivers\xmasbus.sys
    2007-02-17 11:40:32 0 d——– C:\Documents and Settings\Ricardo\Application Data\DVD Shrink<DVDSHR~1>
    2007-02-16 16:23:34 0 d——– C:\Program Files\Apoint2K
    2007-02-16 16:23:31 0 d——– C:\WINDOWS\system32\ReinstallBackups<REINST~1>
    2007-02-16 16:21:48 0 d——– C:\WINDOWS\ie7updates<IE7UPD~1>


    – Find3M Report —————————————————————

    2007-03-16 10:46:38 0 d——– C:\Documents and Settings\Ricardo\Application Data\uTorrent
    2007-03-16 01:04:18 0 d—s—- C:\Documents and Settings\Ricardo\Application Data\Microsoft<MICROS~1>
    2007-03-15 11:59:37 0 d——– C:\Program Files\XoftSpy
    2007-03-15 09:58:10 503234 –a—— C:\WINDOWS\system32\perfh013.dat
    2007-03-15 09:58:10 88926 –a—— C:\WINDOWS\system32\perfc013.dat
    2007-03-07 14:14:17 113406 –a—— C:\WINDOWS\hpoins07.dat
    2007-03-07 14:13:53 0 d——– C:\Program Files\HP
    2007-03-07 14:05:33 0 d——– C:\Documents and Settings\Ricardo\Application Data\Image Zone Express<IMAGEZ~1>
    2007-03-06 19:44:17 0 d–h—– C:\Program Files\InstallShield Installation Information<INSTAL~1>
    2007-03-04 20:56:05 0 d——– C:\Documents and Settings\Ricardo\Application Data\Ahead
    2007-02-25 20:37:42 0 d——– C:\Program Files\Real
    2007-02-21 19:51:00 219136 –a—— C:\WINDOWS\system32\uxtheme.dll
    2007-02-14 21:43:03 0 d——– C:\Documents and Settings\Ricardo\Application Data\Sun
    2007-02-14 21:42:49 0 d——– C:\Program Files\Java
    2007-02-14 21:41:55 0 d——– C:\Program Files\Common Files\Java
    2007-02-14 12:35:53 0 d——– C:\Documents and Settings\Ricardo\Application Data\Macromedia<MACROM~1>
    2007-02-13 22:31:12 0 d——– C:\Program Files\Common Files\Motorola Shared<MOTORO~1>
    2007-02-13 21:22:33 0 d——– C:\Program Files\USR
    2007-02-11 15:11:28 0 d——– C:\Program Files\Nokia
    2007-02-08 14:53:37 0 d——– C:\Program Files\Common Files\HP
    2007-02-08 14:46:48 2099 –a—— C:\Documents and Settings\Ricardo\Application Data\HPSU_48BitScanUpdate.log<HPSU_4~1.LOG>
    2007-02-08 14:44:53 40026 –a—— C:\Documents and Settings\Ricardo\Application Data\Update_HP_RedboxHprblog_HPSU.log<UPDATE~1.LOG>
    2007-02-08 14:44:42 139264 –a—— C:\WINDOWS\system32\hpzjrd01.dll
    2007-02-08 14:43:50 0 d——– C:\Documents and Settings\Ricardo\Application Data\HP
    2007-02-08 14:01:47 0 d——– C:\Documents and Settings\Ricardo\Application Data\ArcSoft
    2007-02-06 15:00:40 0 d——– C:\Program Files\Elecard
    2007-02-06 14:59:32 0 d——– C:\Documents and Settings\Ricardo\Application Data\Leadertech<LEADER~1>
    2007-02-06 14:25:53 0 d——– C:\Program Files\Common Files\Autodata Limited Shared<AUTODA~1>
    2007-02-05 09:56:25 0 d——– C:\Program Files\DivX
    2007-02-04 17:20:26 0 d——– C:\Program Files\LiveUpdate<LIVEUP~1>
    2007-02-04 17:20:09 0 d——– C:\Program Files\mobile PhoneTools<MOBILE~2>
    2007-02-04 17:18:00 0 d——– C:\Program Files\Common Files\InstallShield<INSTAL~1>
    2007-02-04 17:17:45 0 d——– C:\Program Files\Motorola
    2007-02-02 00:25:13 0 d——– C:\Documents and Settings\Ricardo\Application Data\DivX
    2007-02-02 00:21:17 0 d——– C:\Documents and Settings\Ricardo\Application Data\Real
    2007-02-02 00:19:23 0 d——– C:\Program Files\Common Files\xing shared<XINGSH~1>
    2007-02-02 00:19:20 0 d——– C:\Program Files\Common Files\Real
    2007-02-01 17:28:51 55949 –a—— C:\WINDOWS\system32\x264-uninstall.exe<X264-U~1.EXE>
    2007-02-01 17:21:09 0 d——– C:\Program Files\CyberLink<CYBERL~1>
    2007-02-01 17:19:14 0 d——– C:\Documents and Settings\Ricardo\Application Data\CyberLink<CYBERL~1>
    2007-02-01 17:10:29 0 d——– C:\Program Files\WMV9_VCM
    2007-02-01 17:05:51 0 d——– C:\Program Files\Windows Media Bonus Pack for Windows XP<WI12E0~1>
    2007-02-01 13:33:16 0 d——– C:\Program Files\Gadwin Systems<GADWIN~1>
    2007-02-01 09:53:45 0 d——– C:\Documents and Settings\Ricardo\Application Data\Adobe
    2007-02-01 05:56:06 823296 –a—— C:\WINDOWS\system32\divx_xx07.dll<DIVX_X~2.DLL>
    2007-02-01 05:56:05 802816 –a—— C:\WINDOWS\system32\divx_xx11.dll<DIVX_X~3.DLL>
    2007-02-01 05:56:05 823296 –a—— C:\WINDOWS\system32\divx_xx0c.dll<DIVX_X~1.DLL>
    2007-02-01 05:56:04 639066 –a—— C:\WINDOWS\system32\DivX.dll
    2007-01-31 22:27:01 524288 –a—— C:\WINDOWS\system32\DivXsm.exe
    2007-01-31 00:15:10 118784 –a—— C:\WINDOWS\system32\DivXCodecUpdateChecker.exe<DIVXCO~1.EXE>
    2007-01-30 22:45:32 0 d——– C:\Program Files\MSN Messenger<MSNMES~1>
    2007-01-30 21:16:20 0 d——– C:\Program Files\Mobile Phone Manager<MOBILE~1>
    2007-01-30 17:52:43 0 d——– C:\Documents and Settings\Ricardo\Application Data\AdobeUM
    2007-01-30 12:19:30 0 d——– C:\Program Files\RegCleaner<REGCLE~1>
    2007-01-30 06:03:40 3596288 –a—— C:\WINDOWS\system32\qt-dx331.dll
    2007-01-30 05:56:56 73728 –a—— C:\WINDOWS\system32\dpl100.dll
    2007-01-30 05:35:26 0 d——– C:\Program Files\Microsoft Works<MIF2B0~1>
    2007-01-30 05:35:11 0 d——– C:\Program Files\MSBuild
    2007-01-30 05:33:56 0 d——– C:\Program Files\Microsoft.NET<MICROS~1.NET>
    2007-01-30 05:31:45 0 d——– C:\Program Files\Analog Devices<ANALOG~1>
    2007-01-30 05:30:29 0 d——– C:\Program Files\Microsoft Visual Studio 8<MICROS~3>
    2007-01-30 05:19:56 0 d——– C:\Program Files\Common Files\LightScribe<LIGHTS~1>
    2007-01-30 05:19:34 0 d——– C:\Program Files\Common Files\Ahead
    2007-01-30 05:15:26 0 d——– C:\Program Files\Nero
    2007-01-30 05:08:29 0 d——– C:\Program Files\MSXML 4.0<MSXML4~1.0>
    2007-01-30 04:57:29 0 d——– C:\Program Files\Elaborate Bytes<ELABOR~1>
    2007-01-30 04:54:24 0 d——– C:\Program Files\Intuwave
    2007-01-30 04:53:54 0 d——– C:\Program Files\Common Files\Nokia
    2007-01-30 04:43:40 0 d——– C:\Documents and Settings\Ricardo\Application Data\Identities<IDENTI~1>
    2007-01-30 04:40:29 0 d——– C:\Program Files\Hewlett-Packard<HEWLET~1>
    2007-01-30 04:38:05 0 d——– C:\Program Files\Common Files\Hewlett-Packard<HEWLET~1>
    2007-01-30 04:29:52 0 d——– C:\Program Files\Sitecom
    2007-01-30 04:04:30 0 d——– C:\Program Files\Reference Assemblies<REFERE~1>
    2007-01-30 04:02:33 0 d——– C:\Program Files\Windows Media Connect 2<WINDOW~3>
    2007-01-30 03:44:45 0 d——– C:\Program Files\Common Files\Adobe
    2007-01-30 03:35:35 0 d——– C:\Program Files\xat.com Image Optimizer<XAT~1.COM>
    2007-01-30 03:33:59 0 d——– C:\Program Files\coverXP
    2007-01-30 03:09:39 0 d——– C:\Program Files\Common Files\ODBC
    2007-01-30 03:09:34 0 d——– C:\Program Files\Common Files\SpeechEngines<SPEECH~1>
    2007-01-30 03:08:55 62 –ahs—- C:\Documents and Settings\Ricardo\Application Data\desktop.ini
    2007-01-30 02:27:53 0 d——– C:\Program Files\microsoft frontpage<MICROS~1>
    2007-01-30 02:27:28 0 -rahs—- C:\MSDOS.SYS
    2007-01-30 02:27:28 0 -rahs—- C:\IO.SYS
    2007-01-30 02:27:28 0 –a—— C:\CONFIG.SYS
    2007-01-30 02:27:28 0 –a—— C:\AUTOEXEC.BAT
    2007-01-30 02:25:50 0 d–h—– C:\Program Files\WindowsUpdate<WINDOW~4>
    2007-01-30 02:23:07 0 d——– C:\Program Files\Common Files\MSSoap
    2007-01-30 02:22:31 0 d——– C:\Program Files\Movie Maker<MOVIEM~1>
    2007-01-30 02:20:33 21748 –a—— C:\WINDOWS\system32\emptyregdb.dat<EMPTYR~1.DAT>
    2007-01-30 02:19:49 0 d——– C:\Program Files\MSN Gaming Zone<MSNGAM~1>
    2007-01-30 02:19:36 0 d——– C:\Program Files\Windows NT<WINDOW~1>
    2007-01-29 09:58:06 60416 —–n— C:\WINDOWS\system32\tzchange.exe
    2007-01-26 02:19:00 118520 —–n— C:\WINDOWS\system32\pxinsi64.exe
    2007-01-26 02:19:00 116472 —–n— C:\WINDOWS\system32\pxcpyi64.exe
    2007-01-26 02:19:00 129784 —–n— C:\WINDOWS\system32\pxafs.dll
    2007-01-26 02:18:54 200704 –a—— C:\WINDOWS\system32\ssldivx.dll
    2007-01-26 02:18:54 1044480 –a—— C:\WINDOWS\system32\libdivx.dll
    2007-01-26 02:13:45 196608 –a—— C:\WINDOWS\system32\dtu100.dll
    2007-01-26 02:13:45 53248 –a—— C:\WINDOWS\system32\dpuGUI10.dll
    2007-01-26 02:13:44 57344 –a—— C:\WINDOWS\system32\dpv11.dll
    2007-01-26 02:13:44 344064 –a—— C:\WINDOWS\system32\dpus11.dll
    2007-01-26 02:13:44 593920 –a—— C:\WINDOWS\system32\dpuGUI11.dll
    2007-01-26 02:13:44 294912 –a—— C:\WINDOWS\system32\dpu11.dll
    2007-01-26 02:13:44 294912 –a—— C:\WINDOWS\system32\dpu10.dll
    2007-01-19 12:53:04 51056 –a—— C:\WINDOWS\system32\sirenacm.dll
    2007-01-12 09:27:42 871936 –a—— C:\WINDOWS\system32\webcheck.dll
    2007-01-12 09:27:42 51712 —–n— C:\WINDOWS\system32\msfeedsbs.dll<MSFEED~1.DLL>
    2007-01-12 09:27:42 458752 —–n— C:\WINDOWS\system32\msfeeds.dll
    2007-01-12 09:27:42 6054400 –a—— C:\WINDOWS\system32\ieframe.dll
    2007-01-08 19:04:54 196096 –a—— C:\WINDOWS\system32\url.dll
    2007-01-08 19:04:08 718848 –a—— C:\WINDOWS\system32\occache.dll
    2007-01-08 19:02:04 266752 –a—— C:\WINDOWS\system32\iertutil.dll
    2007-01-08 19:02:04 44544 –a—— C:\WINDOWS\system32\iernonce.dll
    2007-01-08 19:02:02 384000 –a—— C:\WINDOWS\system32\iedkcs32.dll
    2007-01-08 19:02:02 383488 –a—— C:\WINDOWS\system32\ieapfltr.dll
    2007-01-08 19:02:02 161792 –a—— C:\WINDOWS\system32\ieakui.dll
    2007-01-08 19:02:02 230400 –a—— C:\WINDOWS\system32\ieaksie.dll
    2007-01-08 19:02:02 153088 –a—— C:\WINDOWS\system32\ieakeng.dll
    2007-01-08 19:01:14 17408 –a—— C:\WINDOWS\system32\corpol.dll
    2007-01-08 19:00:48 124928 –a—— C:\WINDOWS\system32\advpack.dll
    2007-01-08 18:08:14 56832 –a—— C:\WINDOWS\system32\ie4uinit.exe
    2007-01-08 18:08:10 13824 –a—— C:\WINDOWS\system32\ieudinit.exe
    2006-12-19 22:48:54 135680 –a—— C:\WINDOWS\system32\shsvcs.dll
    2006-12-19 19:18:35 334336 –a—— C:\WINDOWS\system32\wiaservc.dll


    – Registry Dump —————————————————————


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
    "MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="\"C:\\Program Files\\Common Files\\Ahead\\Lib\\NMBgMonitor.exe\""
    "Gadwin PrintScreen 3.5"="C:\\Program Files\\Gadwin Systems\\PrintScreen\\PrintScreen.exe /nosplash"
    "ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "ServiceLayer"="C:\\Program Files\\Common Files\\Nokia\\Services\\ServiceLayer.exe"
    "Nokia Tray Application"="C:\\Program Files\\Common Files\\Nokia\\NCLTools\\NclTray.exe"
    "NeroFilterCheck"="C:\\Program Files\\Common Files\\Ahead\\Lib\\NeroCheck.exe"
    "BluetoothAuthenticationAgent"="rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent"
    "RemoteControl"="\"C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\""
    "LanguageShortcut"="\"C:\\Program Files\\CyberLink\\PowerDVD\\Language\\Language.exe\""
    "TopDesk"="C:\\Program Files\\TopDesk\\topdesk.exe"
    "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
    "tcpipmon"="tcpipmon.exe"


    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
    "{9F143C3A-1457-6CCA-03A7-7AA23B61E40F}"="Network Neighborhood"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
    "UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}"
    "WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\instcat
    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rpcc

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    "SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
    HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
    LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
    NetworkService REG_MULTI_SZ DnsCache\0\0
    DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
    rpcss REG_MULTI_SZ RpcSs\0\0
    imgsvc REG_MULTI_SZ StiSvc\0\0
    termsvcs REG_MULTI_SZ TermService\0\0
    WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0
    bthsvcs REG_MULTI_SZ BthServ\0\0



    – End of ComboScan: finished at 2007-03-16 at 10:47:10 ————————



    —————-RemoveVideoActiveXObject.exe first run————-

    Files found:

    C:\WINDOWS\system32\rpcc.dll

    Uninstallers Rogue scanners:


    Folders Found:


    ————–RemoveVideoActiveXObject.exe last run—————

    Files found:


    Uninstallers Rogue scanners:


    Folders Found:





    Logfile of HijackThis v1.99.1
    Scan saved at 11:01:16, on 16-3-2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16414)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\WgaTray.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Autodata Limited Shared\Service\ADCDLicSvc.exe
    C:\Program Files\Sitecom\Bluetooth Software\bin\btwdins.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\WINDOWS\wmiprsv.exe
    C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe
    C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\TopDesk\topdesk.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\Program Files\CyberLink\Shared files\RichVideo.exe
    C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
    C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
    C:\Program Files\Nokia\PC Suite for Nokia 3650\connmngmntbox.exe
    C:\Program Files\Nokia\PC Suite for Nokia 3650\ectaskscheduler.exe
    C:\PROGRA~1\Nokia\PCSUIT~1\Elogerr.exe
    C:\Program Files\Intuwave\Shared\mRouterRunTime\mRouterRuntime.exe
    C:\PROGRA~1\Nokia\PCSUIT~1\BROADC~1.EXE
    C:\PROGRA~1\Nokia\PCSUIT~1\SCRFS.exe
    C:\Program Files\MSN Messenger\livecall.exe
    C:\Program Files\MSN Messenger\usnsvc.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Hijack This\hijackthis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.home.nl/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.home.nl/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O4 - HKLM\..\Run: [ServiceLayer] C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe
    O4 - HKLM\..\Run: [Nokia Tray Application] C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
    O4 - HKLM\..\Run: [TopDesk] C:\Program Files\TopDesk\topdesk.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [Gadwin PrintScreen 3.5] C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe /nosplash
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: Adobe Reader Snelle start.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
    O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
    O4 - Global Startup: BTTray.lnk = ?
    O4 - Global Startup: PCSuiteForNokia3650 Detect.lnk = ?
    O4 - Global Startup: PCSuiteForNokia3650 TS.lnk = ?
    O8 - Extra context menu item: Download Video - http://www.viloader.net/addon.htm
    O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O8 - Extra context menu item: Verzenden naar &Bluetooth - C:\Program Files\Sitecom\Bluetooth Software\btsendto_ie_ctx.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\npjpi150_11.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\npjpi150_11.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Sitecom\Bluetooth Software\btsendto_ie.htm
    O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Sitecom\Bluetooth Software\btsendto_ie.htm
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
    O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://bzautoreparaties.spaces.live.com//PhotoUpload/MsnPUpld.cab
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - http://javadl-esd.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586-jc.cab
    O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
    O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game07.zylom.com/activex/zylomgamesplayer.cab
    O16 - DPF: {C36112BF-2FA3-4694-8603-3B510EA3B465} (Lycos File Upload Component) - http://f011.mail.lycos.nl/app/uploader/FileUploader.cab
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
    O20 - Winlogon Notify: instcat - instcat.dll (file missing)
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Autodata Limited License Service - Autodata Limited - C:\Program Files\Common Files\Autodata Limited Shared\Service\ADCDLicSvc.exe
    O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\Sitecom\Bluetooth Software\bin\btwdins.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: Microsoft Validation Service - Unknown owner - C:\WINDOWS\wmiprsv.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
    O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

    It looks like things are quite a bit better now; I only got a small window saying the server is busy, and I clicked activate.
    After that I could hear a program being opened, and this kept happening one after the other.
    Because I had no, or only a limited, internet connection, I started the network diagnostics, which asked me to remove an LSP. I did that and had to restart.
    After that I had a network connection again.

    I should add that the trojan trouble started on 11-03, presumably after I used a patch for an Alcohol 120% version. I removed that version and the prefetch files right away, as well as the Alcohol installation itself.

    I use a US Robotics MAXg router, no name broadcast, wireless disabled. I also have 1 port forwarded for uTorrent, and the firewall enabled.
    Unfortunately I can no longer turn on my Windows firewall.

    While I am typing this, the balloon appears again...
    It is just like the shield that is also used for Windows Security Center, with the message: your computer is infected.
    If I click on it, I get a Question window with: Would you like to update your security software an download Registry Cleaner?

    Logfile of HijackThis v1.99.1
    Scan saved at 11:15:57, on 16-3-2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16414)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\WgaTray.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Autodata Limited Shared\Service\ADCDLicSvc.exe
    C:\Program Files\Sitecom\Bluetooth Software\bin\btwdins.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\WINDOWS\wmiprsv.exe
    C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe
    C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\TopDesk\topdesk.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\Program Files\CyberLink\Shared files\RichVideo.exe
    C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
    C:\Program Files\Nokia\PC Suite for Nokia 3650\connmngmntbox.exe
    C:\Program Files\Nokia\PC Suite for Nokia 3650\ectaskscheduler.exe
    C:\PROGRA~1\Nokia\PCSUIT~1\Elogerr.exe
    C:\Program Files\Intuwave\Shared\mRouterRunTime\mRouterRuntime.exe
    C:\PROGRA~1\Nokia\PCSUIT~1\BROADC~1.EXE
    C:\PROGRA~1\Nokia\PCSUIT~1\SCRFS.exe
    C:\Program Files\MSN Messenger\livecall.exe
    C:\Program Files\MSN Messenger\usnsvc.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\tcpipmon.exe
    C:\WINDOWS\system32\tcpipmon.exe
    C:\Program Files\Hijack This\hijackthis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.home.nl/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.home.nl/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O4 - HKLM\..\Run: [ServiceLayer] C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe
    O4 - HKLM\..\Run: [Nokia Tray Application] C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
    O4 - HKLM\..\Run: [TopDesk] C:\Program Files\TopDesk\topdesk.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [tcpipmon] tcpipmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [Gadwin PrintScreen 3.5] C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe /nosplash
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: Adobe Reader Snelle start.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
    O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
    O4 - Global Startup: BTTray.lnk = ?
    O4 - Global Startup: PCSuiteForNokia3650 Detect.lnk = ?
    O4 - Global Startup: PCSuiteForNokia3650 TS.lnk = ?
    O8 - Extra context menu item: Download Video - http://www.viloader.net/addon.htm
    O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O8 - Extra context menu item: Verzenden naar &Bluetooth - C:\Program Files\Sitecom\Bluetooth Software\btsendto_ie_ctx.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\npjpi150_11.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\npjpi150_11.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Sitecom\Bluetooth Software\btsendto_ie.htm
    O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Sitecom\Bluetooth Software\btsendto_ie.htm
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
    O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://bzautoreparaties.spaces.live.com//PhotoUpload/MsnPUpld.cab
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - http://javadl-esd.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586-jc.cab
    O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
    O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game07.zylom.com/activex/zylomgamesplayer.cab
    O16 - DPF: {C36112BF-2FA3-4694-8603-3B510EA3B465} (Lycos File Upload Component) - http://f011.mail.lycos.nl/app/uploader/FileUploader.cab
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
    O20 - Winlogon Notify: instcat - instcat.dll (file missing)
    O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Autodata Limited License Service - Autodata Limited - C:\Program Files\Common Files\Autodata Limited Shared\Service\ADCDLicSvc.exe
    O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\Sitecom\Bluetooth Software\bin\btwdins.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: Microsoft Validation Service - Unknown owner - C:\WINDOWS\wmiprsv.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
    O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
  • If you don't have much faith in it yourself, wouldn't it be quicker to make an Outlook backup, format the Windows partition (it's only 30 GB), and reinstall XP and the programs?

    Or can it still be saved?
  • For now that is not necessary; I am looking for a file in System.ini
    and I think there is a rootkit in there that puts a file back.

    Download LSPFix.exe from this site http://cexx.org/lspfix.htm
    1. Start the program.
    2. Select "I know what I'm doing"
    3. Select ONLY this file: msnetax.dll
    4. Click "remove" so that the file moves to the right-hand pane.
    5. Click "Finish"
    6. Restart the PC.
    7. Delete the above file from the C:\Windows\System32\ directory (if the file is not missing)

    Can you tell me what files are listed under System.ini?
  • ; for 16-bit app support

    [drivers]
    wave=mmdrv.dll
    timer=timer.drv

    [mci]
    [driver32]
    [386enh]
    woafont=app850.FON
    EGA80WOA.FON=EGA80850.FON
    EGA40WOA.FON=EGA40850.FON
    CGA80WOA.FON=CGA80850.FON
    CGA40WOA.FON=CGA40850.FON

    Do you mean this?

    When I search for system.ini it also finds this one: C:\WINDOWS\system32\ShellDHCP

    The dll file msnetax cannot be deleted.

    I do have to end the tcpipmon process tree every time, otherwise my internet is too slow to open a page.
  • I was reading along:

    try this:
    Download Killbox. (alternative download)
    Click killbox.exe.
    Choose the option: "Delete on reboot".

    Copy the following lines:

    C:\WINDOWS\wmiprsv.exe
    c:\windows\system32\msnetax.dll
    C:\WINDOWS\system32\max1d1641.exe
    C:\WINDOWS\system32\tcpipmon.exe
    C:\WINDOWS\system32\rpcc.dll
    C:\WINDOWS\system32\exec1.exe
    C:\WINDOWS\system32\drivers\oyiujgjq.sys

    Open 'file' in the Killbox menu at the top and choose: Paste from clipboard

    You will see that the lines above now appear in the "Full Path of File to Delete" field.
    There is a small arrow next to that field. If you click on it, you will see all the lines above that you copied (if the files are present) listed there (this is what we want).

    Click the button: All files (!Important!)

    Then click the red circle with the white cross in it.
    Killbox will say that these files will be deleted on reboot and ask whether to reboot now. Click YES.

    Your PC should now reboot.

    After the restart, post a new HijackThis log and report whether there is any improvement ;)
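The helpers above build their Killbox list by reading the HijackThis log by hand. As an added example (not code from HijackThis, Killbox or any poster), the Python below applies the same triage rules to a few lines copied from the logs in this thread; the bare-name allow-list (rundll32.exe) and the severity ranking are my own assumptions.

```python
"""Triage a HijackThis log the way the helpers in this thread did by hand.

Added example for this page, not code from HijackThis, Killbox or any poster.
"""
import ntpath
from collections import Counter
from dataclasses import dataclass

# Constructed sample: lines copied from the logs posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [tcpipmon] tcpipmon.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
O20 - Winlogon Notify: instcat - instcat.dll (file missing)
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Microsoft Validation Service - Unknown owner - C:\WINDOWS\wmiprsv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
"""

# Windows registers a few autoruns by bare name itself (assumed allow-list).
BARE_NAME_OK = {"rundll32.exe"}
MISSING = " (file missing)"
ORDER = {"high": 0, "medium": 1, "low": 2}


@dataclass(frozen=True)
class Finding:
    severity: str  # "high", "medium" or "low"
    section: str   # HijackThis section code, e.g. "O10"
    target: str    # file, command or CLSID the entry refers to
    reason: str


def strip_missing(path):
    return path[:-len(MISSING)] if path.endswith(MISSING) else path


def autorun_binary(command):
    """Executable part of an O4 Run value, quoted or not."""
    if command.startswith('"') and command.find('"', 1) > 0:
        return command[1:command.find('"', 1)]
    return command.split()[0]


def triage(log_text):
    """Return Finding objects for one log, highest severity first."""
    findings = []
    lsp_files = Counter()  # the same LSP DLL shows up once per catalog entry
    for raw in log_text.splitlines():
        code, _, body = raw.strip().partition(" - ")
        rest = body.split(": ", 1)[1] if ": " in body else ""
        if code == "O4" and "Run: [" in body and "] " in body:
            command = body.split("] ", 1)[1]
            exe = autorun_binary(command)
            if "\\" not in exe and exe.lower() not in BARE_NAME_OK:
                findings.append(Finding("high", "O4", command,
                    "autorun registered by bare file name; installers "
                    "normally write the full path"))
        elif code == "O10" and rest:
            lsp_files[rest.lower()] += 1
        elif code == "O20" and rest:
            name, _, dll = rest.partition(" - ")
            if dll.endswith(MISSING):
                findings.append(Finding("low", "O20", strip_missing(dll),
                    f"orphaned Winlogon Notify entry '{name}'"))
            else:
                findings.append(Finding("medium", "O20", dll,
                    f"Winlogon Notify '{name}' loads this DLL into "
                    "winlogon.exe at every logon; verify the publisher"))
        elif code == "O23" and rest:
            parts = rest.rsplit(" - ", 2)
            if len(parts) == 3 and parts[1] == "Unknown owner":
                path = strip_missing(parts[2])
                in_root = ntpath.dirname(path).lower().endswith("\\windows")
                findings.append(Finding("high" if in_root else "medium", "O23",
                    path, f"service '{parts[0]}' has no publisher string"
                    + (" and runs straight from the Windows directory"
                       if in_root else "")))
        elif code == "O2" and body.endswith("(no file)") and rest:
            parts = rest.split(" - ")
            findings.append(Finding("low", "O2",
                parts[1] if len(parts) > 2 else parts[0],
                "BHO CLSID is registered but its DLL is gone"))
    for path, n in lsp_files.items():
        findings.append(Finding("high", "O10", path,
            f"unknown Winsock LSP chained into {n} catalog entries; every "
            "socket passes through it, so a careless removal breaks networking"))
    findings.sort(key=lambda f: ORDER[f.severity])  # stable: keeps log order
    return findings
```

Running `triage(SAMPLE_LOG)` ranks tcpipmon.exe, wmiprsv.exe and msnetax.dll as the three high findings, which is the same set the Killbox list above starts with.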
  • msnetax is still in the system32 folder, but apart from that it seems to be going well now.
    No new files are appearing on C: (yet).
    Tcpipmon.exe is no longer among the processes.

    Below is a log.


    Logfile of HijackThis v1.99.1
    Scan saved at 14:30:57, on 16-3-2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16414)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\WgaTray.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe
    C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\TopDesk\topdesk.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
    C:\Program Files\Sitecom\Bluetooth Software\BTTray.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
    C:\Program Files\Nokia\PC Suite for Nokia 3650\connmngmntbox.exe
    C:\Program Files\Nokia\PC Suite for Nokia 3650\ectaskscheduler.exe
    C:\Program Files\Intuwave\Shared\mRouterRunTime\mRouterRuntime.exe
    C:\PROGRA~1\Nokia\PCSUIT~1\Elogerr.exe
    C:\Program Files\Common Files\Autodata Limited Shared\Service\ADCDLicSvc.exe
    C:\PROGRA~1\Nokia\PCSUIT~1\BROADC~1.EXE
    C:\PROGRA~1\Nokia\PCSUIT~1\SCRFS.exe
    C:\Program Files\Sitecom\Bluetooth Software\bin\btwdins.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\Program Files\CyberLink\Shared files\RichVideo.exe
    C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\MSN Messenger\usnsvc.exe
    C:\Program Files\MSN Messenger\livecall.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Hijack This\hijackthis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.home.nl/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.home.nl/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.home.nl/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O4 - HKLM\..\Run: [ServiceLayer] C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe
    O4 - HKLM\..\Run: [Nokia Tray Application] C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
    O4 - HKLM\..\Run: [TopDesk] C:\Program Files\TopDesk\topdesk.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [tcpipmon] tcpipmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [Gadwin PrintScreen 3.5] C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe /nosplash
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: Adobe Reader Snelle start.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
    O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
    O4 - Global Startup: BTTray.lnk = ?
    O4 - Global Startup: PCSuiteForNokia3650 Detect.lnk = ?
    O4 - Global Startup: PCSuiteForNokia3650 TS.lnk = ?
    O8 - Extra context menu item: Download Video - http://www.viloader.net/addon.htm
    O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O8 - Extra context menu item: Verzenden naar &Bluetooth - C:\Program Files\Sitecom\Bluetooth Software\btsendto_ie_ctx.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\npjpi150_11.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\npjpi150_11.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Sitecom\Bluetooth Software\btsendto_ie.htm
    O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Sitecom\Bluetooth Software\btsendto_ie.htm
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
    O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://bzautoreparaties.spaces.live.com//PhotoUpload/MsnPUpld.cab
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - http://javadl-esd.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586-jc.cab
    O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
    O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game07.zylom.com/activex/zylomgamesplayer.cab
    O16 - DPF: {C36112BF-2FA3-4694-8603-3B510EA3B465} (Lycos File Upload Component) - http://f011.mail.lycos.nl/app/uploader/FileUploader.cab
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
    O20 - Winlogon Notify: instcat - instcat.dll (file missing)
    O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll (file missing)
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Autodata Limited License Service - Autodata Limited - C:\Program Files\Common Files\Autodata Limited Shared\Service\ADCDLicSvc.exe
    O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\Sitecom\Bluetooth Software\bin\btwdins.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: Microsoft Validation Service - Unknown owner - C:\WINDOWS\wmiprsv.exe (file missing)
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
    O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

    Let me know what you think of it now.
  • Can you rename msnetax.dll (right-click, choose "Rename" and give it a different name)?

    Try that LSPfix step from juisterr once more.

    Restart your PC and post a new log ;)
  • Msnetax.dll came back into the folder after the restart; the renamed file (aabbcc.dll) was still there, and I could simply delete it.
    Internet is very slow now, by the way (especially opening pages; up- and download are fine). I do have to re-activate XP, but that is not a problem.
    No other problems.

    Below is a log.


    Logfile of HijackThis v1.99.1
    Scan saved at 14:54:18, on 16-3-2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16414)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\WgaTray.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe
    C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\TopDesk\topdesk.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
    C:\Program Files\Sitecom\Bluetooth Software\BTTray.exe
    C:\Program Files\Nokia\PC Suite for Nokia 3650\connmngmntbox.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
    C:\Program Files\Nokia\PC Suite for Nokia 3650\ectaskscheduler.exe
    C:\Program Files\Common Files\Autodata Limited Shared\Service\ADCDLicSvc.exe
    C:\Program Files\Intuwave\Shared\mRouterRunTime\mRouterRuntime.exe
    C:\PROGRA~1\Nokia\PCSUIT~1\Elogerr.exe
    C:\PROGRA~1\Nokia\PCSUIT~1\BROADC~1.EXE
    C:\Program Files\Sitecom\Bluetooth Software\bin\btwdins.exe
    C:\PROGRA~1\Nokia\PCSUIT~1\SCRFS.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\Program Files\CyberLink\Shared files\RichVideo.exe
    C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\MSN Messenger\usnsvc.exe
    C:\Program Files\MSN Messenger\livecall.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Hijack This\hijackthis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.home.nl/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.home.nl/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.home.nl/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O4 - HKLM\..\Run: [ServiceLayer] C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe
    O4 - HKLM\..\Run: [Nokia Tray Application] C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
    O4 - HKLM\..\Run: [TopDesk] C:\Program Files\TopDesk\topdesk.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [tcpipmon] tcpipmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [Gadwin PrintScreen 3.5] C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe /nosplash
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: Adobe Reader Snelle start.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
    O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
    O4 - Global Startup: BTTray.lnk = ?
    O4 - Global Startup: PCSuiteForNokia3650 Detect.lnk = ?
    O4 - Global Startup: PCSuiteForNokia3650 TS.lnk = ?
    O8 - Extra context menu item: Download Video - http://www.viloader.net/addon.htm
    O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O8 - Extra context menu item: Verzenden naar &Bluetooth - C:\Program Files\Sitecom\Bluetooth Software\btsendto_ie_ctx.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\npjpi150_11.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\npjpi150_11.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Sitecom\Bluetooth Software\btsendto_ie.htm
    O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Sitecom\Bluetooth Software\btsendto_ie.htm
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
    O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://bzautoreparaties.spaces.live.com//PhotoUpload/MsnPUpld.cab
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - http://javadl-esd.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586-jc.cab
    O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
    O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game07.zylom.com/activex/zylomgamesplayer.cab
    O16 - DPF: {C36112BF-2FA3-4694-8603-3B510EA3B465} (Lycos File Upload Component) - http://f011.mail.lycos.nl/app/uploader/FileUploader.cab
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
    O20 - Winlogon Notify: instcat - instcat.dll (file missing)
    O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll (file missing)
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Autodata Limited License Service - Autodata Limited - C:\Program Files\Common Files\Autodata Limited Shared\Service\ADCDLicSvc.exe
    O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\Sitecom\Bluetooth Software\bin\btwdins.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: Microsoft Validation Service - Unknown owner - C:\WINDOWS\wmiprsv.exe (file missing)
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
    O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
  • Rename the file again and then do the following:

    Download ATF cleaner (made by Atribune)
    Double-click ATF cleaner to start the program.
    On the "Main" tab, put a check mark next to "Select All".
    Click the "Empty Selected" button.

    Do the following if you also have Firefox as a browser:
    Click the "Firefox" tab and put a check mark next to "Select All".
    If you want to keep the passwords saved by Firefox, click "No" in the window that appears.
    (this removes the check mark next to "Firefox saved passwords" again)
    Click the "Empty Selected" button.

    Do the following if you also have Opera as a browser:
    Click the "Opera" tab and put a check mark next to "Select All".
    If you want to keep the passwords saved by Opera, click "No" in the window that appears.
    Click the "Empty Selected" button.
    Go to the "Main" tab and click the "Exit" button to close the program.

    Download SuperAntiSpyware
    - Click "yes" when asked whether you want to check for updates.
    - Enter your e-mail address when asked for it.
    - Choose "yes" when asked whether you want to be warned when your homepage changes.
    - Click "scan your computer".
    - Select the drives you want to have scanned by ticking them.
    - Tick the middle option "Perform complete scan" and then "next".
    The computer will now be scanned, so wait patiently!

    - If "harmful items" are found, make sure they are all ticked and click "OK" to continue.
    - When the scan is done, click "OK" to have the found items removed via quarantine, then click "next".
    - Click "scanning preferences/control centre" to go to the main menu.
    - Click the "statistics/logs" tab and then "view log".
    - Copy and paste the text of the notepad file into your reply on the forum.
    - Click "next" and "yes" to let the computer restart.

    So post the log of the SuperAntiSpyware scan and a new HijackThis log ;)
  • SUPERAntiSpyware Scan Log
    Generated 03/16/2007 at 04:20 PM

    Application Version : 3.6.1000

    Core Rules Database Version : 3190
    Trace Rules Database Version: 1200

    Scan type : Complete Scan
    Total Scan Time : 00:29:23

    Memory items scanned : 474
    Memory threats detected : 1
    Registry items scanned : 6462
    Registry threats detected : 14
    File items scanned : 35128
    File threats detected : 50

    Trojan.Spam-RUCrzy
    C:\WINDOWS\MEDIA\D3UI32.DLL
    C:\WINDOWS\MEDIA\D3UI32.DLL

    Trojan.Downloadsr-NetHood
    HKLM\Software\Classes\CLSID\{9F143C3A-1457-6CCA-03A7-7AA23B61E40F}
    HKCR\CLSID\{9F143C3A-1457-6CCA-03A7-7AA23B61E40F}
    HKCR\CLSID\{9F143C3A-1457-6CCA-03A7-7AA23B61E40F}\InProcServer32
    HKCR\CLSID\{9F143C3A-1457-6CCA-03A7-7AA23B61E40F}\InProcServer32#ThreadingModel
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler#{9F143C3A-1457-6CCA-03A7-7AA23B61E40F}
    HKCR\CLSID\{9F143C3A-1457-6CCA-03A7-7AA23B61E40F}

    Trojan.Media-Codec
    HKCR\BprintingHost.Serv
    HKCR\BprintingHost.Serv\CLSID
    HKCR\BprintingHost.Serv\CLSID\{38ca2fcd-7d7e-11db-96a0-00e08161165f}

    Trojan.Downloader-RPCC
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\rpcc
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\rpcc#DllName
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\rpcc#Asynchronous
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\rpcc#Impersonate
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\rpcc#Startup

    Dialer.Dial/Gen Variant
    C:\!KILLBOX\MAX1D1641.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{E6E64FED-E68A-4F78-B214-DD3E57E196DC}\RP96\A0015697.EXE

    Trojan.Net-MSNetAX
    C:\!KILLBOX\MSNETAX.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{E6E64FED-E68A-4F78-B214-DD3E57E196DC}\RP96\A0012696.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{E6E64FED-E68A-4F78-B214-DD3E57E196DC}\RP96\A0014695.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{E6E64FED-E68A-4F78-B214-DD3E57E196DC}\RP96\A0015696.DLL
    C:\WINDOWS\SYSTEM32\AABBCC.DLL

    Trojan.Downloader-TCPIP Mon
    C:\!KILLBOX\TCPIPMON.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{E6E64FED-E68A-4F78-B214-DD3E57E196DC}\RP96\A0012697.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{E6E64FED-E68A-4F78-B214-DD3E57E196DC}\RP96\A0014697.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{E6E64FED-E68A-4F78-B214-DD3E57E196DC}\RP96\A0015698.EXE

    Trojan.SpySheriff
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{E6E64FED-E68A-4F78-B214-DD3E57E196DC}\RP89\A0010062.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{E6E64FED-E68A-4F78-B214-DD3E57E196DC}\RP89\A0010064.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{E6E64FED-E68A-4F78-B214-DD3E57E196DC}\RP89\A0010065.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{E6E64FED-E68A-4F78-B214-DD3E57E196DC}\RP89\A0010092.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{E6E64FED-E68A-4F78-B214-DD3E57E196DC}\RP89\A0010093.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{E6E64FED-E68A-4F78-B214-DD3E57E196DC}\RP89\A0010094.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{E6E64FED-E68A-4F78-B214-DD3E57E196DC}\RP89\A0010163.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{E6E64FED-E68A-4F78-B214-DD3E57E196DC}\RP89\A0010165.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{E6E64FED-E68A-4F78-B214-DD3E57E196DC}\RP89\A0010205.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{E6E64FED-E68A-4F78-B214-DD3E57E196DC}\RP89\A0010206.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{E6E64FED-E68A-4F78-B214-DD3E57E196DC}\RP89\A0010207.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{E6E64FED-E68A-4F78-B214-DD3E57E196DC}\RP90\A0010217.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{E6E64FED-E68A-4F78-B214-DD3E57E196DC}\RP90\A0010218.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{E6E64FED-E68A-4F78-B214-DD3E57E196DC}\RP90\A0010219.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{E6E64FED-E68A-4F78-B214-DD3E57E196DC}\RP90\A0010232.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{E6E64FED-E68A-4F78-B214-DD3E57E196DC}\RP90\A0010233.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{E6E64FED-E68A-4F78-B214-DD3E57E196DC}\RP90\A0010234.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{E6E64FED-E68A-4F78-B214-DD3E57E196DC}\RP93\A0010337.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{E6E64FED-E68A-4F78-B214-DD3E57E196DC}\RP93\A0010338.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{E6E64FED-E68A-4F78-B214-DD3E57E196DC}\RP93\A0010339.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{E6E64FED-E68A-4F78-B214-DD3E57E196DC}\RP93\A0010377.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{E6E64FED-E68A-4F78-B214-DD3E57E196DC}\RP93\A0010378.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{E6E64FED-E68A-4F78-B214-DD3E57E196DC}\RP93\A0010379.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{E6E64FED-E68A-4F78-B214-DD3E57E196DC}\RP94\A0010461.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{E6E64FED-E68A-4F78-B214-DD3E57E196DC}\RP94\A0010462.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{E6E64FED-E68A-4F78-B214-DD3E57E196DC}\RP94\A0010463.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{E6E64FED-E68A-4F78-B214-DD3E57E196DC}\RP94\A0010472.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{E6E64FED-E68A-4F78-B214-DD3E57E196DC}\RP94\A0010473.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{E6E64FED-E68A-4F78-B214-DD3E57E196DC}\RP94\A0010474.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{E6E64FED-E68A-4F78-B214-DD3E57E196DC}\RP94\A0010492.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{E6E64FED-E68A-4F78-B214-DD3E57E196DC}\RP94\A0010493.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{E6E64FED-E68A-4F78-B214-DD3E57E196DC}\RP94\A0010506.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{E6E64FED-E68A-4F78-B214-DD3E57E196DC}\RP94\A0010508.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{E6E64FED-E68A-4F78-B214-DD3E57E196DC}\RP94\A0010509.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{E6E64FED-E68A-4F78-B214-DD3E57E196DC}\RP95\A0010543.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{E6E64FED-E68A-4F78-B214-DD3E57E196DC}\RP95\A0010544.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{E6E64FED-E68A-4F78-B214-DD3E57E196DC}\RP95\A0010545.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{E6E64FED-E68A-4F78-B214-DD3E57E196DC}\RP96\A0011729.EXE




    HijackThis log:

    Logfile of HijackThis v1.99.1
    Scan saved at 16:55:54, on 16-3-2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16414)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Autodata Limited Shared\Service\ADCDLicSvc.exe
    C:\Program Files\Sitecom\Bluetooth Software\bin\btwdins.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\Program Files\CyberLink\Shared files\RichVideo.exe
    C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\WgaTray.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe
    C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
    C:\Program Files\Sitecom\Bluetooth Software\BTTray.exe
    C:\Program Files\Nokia\PC Suite for Nokia 3650\connmngmntbox.exe
    C:\Program Files\Nokia\PC Suite for Nokia 3650\ectaskscheduler.exe
    C:\Program Files\Intuwave\Shared\mRouterRunTime\mRouterRuntime.exe
    C:\PROGRA~1\Nokia\PCSUIT~1\Elogerr.exe
    C:\PROGRA~1\Nokia\PCSUIT~1\BROADC~1.EXE
    C:\PROGRA~1\Nokia\PCSUIT~1\SCRFS.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Hijack This\hijackthis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.home.nl/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O4 - HKLM\..\Run: [ServiceLayer] C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe
    O4 - HKLM\..\Run: [Nokia Tray Application] C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
    O4 - HKLM\..\Run: [TopDesk] C:\Program Files\TopDesk\topdesk.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [tcpipmon] tcpipmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [Gadwin PrintScreen 3.5] C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe /nosplash
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - Global Startup: Adobe Reader Snelle start.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
    O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
    O4 - Global Startup: BTTray.lnk = ?
    O4 - Global Startup: PCSuiteForNokia3650 Detect.lnk = ?
    O4 - Global Startup: PCSuiteForNokia3650 TS.lnk = ?
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\npjpi150_11.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\npjpi150_11.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Sitecom\Bluetooth Software\btsendto_ie.htm
    O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Sitecom\Bluetooth Software\btsendto_ie.htm
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://bzautoreparaties.spaces.live.com//PhotoUpload/MsnPUpld.cab
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - http://javadl-esd.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586-jc.cab
    O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
    O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game07.zylom.com/activex/zylomgamesplayer.cab
    O16 - DPF: {C36112BF-2FA3-4694-8603-3B510EA3B465} (Lycos File Upload Component) - http://f011.mail.lycos.nl/app/uploader/FileUploader.cab
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: instcat - instcat.dll (file missing)
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Autodata Limited License Service - Autodata Limited - C:\Program Files\Common Files\Autodata Limited Shared\Service\ADCDLicSvc.exe
    O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\Sitecom\Bluetooth Software\bin\btwdins.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: Microsoft Validation Service - Unknown owner - C:\WINDOWS\wmiprsv.exe (file missing)
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
    O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe



    It seems to be going well now. Msnetax is gone now and stays gone.
    By the way, what about the tcpipmon.exe that is still in the startup?
    Can it do any harm?
  • Let's hope it stays that way :)

    Start HijackThis once more, choose "Do a system scan only" and put a check mark only in front of the following lines:
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O4 - HKLM\..\Run: [tcpipmon] tcpipmon.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
    O20 - Winlogon Notify: instcat - instcat.dll (file missing)
    Close all open windows (except HijackThis), then click "Fix checked" and close HijackThis.

    Turn off System Restore. Restart the computer. Turn System Restore back on.
    See here for how to turn off System Restore.
    This removes any remnants of the infections from your System Restore.

    Post a new HijackThis log so it can be checked ;)
  • After restarting it was not possible to log on or shut down.
    So I had to turn the PC off with the button.
    After that it was possible to log on again.
    Logging on to Messenger no longer works; after uninstalling and reinstalling it still doesn't, because of hosts. Is there another way to fix this?
    And is there a way for me to turn the Windows firewall back on?
    Right now I can't choose between turning it on and off.

    Below is another log; it's really fantastic that there are still people who know how annoying nasty trojans and the like are, and who help you so well here to get them out of your system. If I could do it myself, I would have done the same.


    Logfile of HijackThis v1.99.1
    Scan saved at 19:55:40, on 16-3-2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16414)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe
    C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\TopDesk\topdesk.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\Common Files\Autodata Limited Shared\Service\ADCDLicSvc.exe
    C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
    C:\Program Files\Sitecom\Bluetooth Software\bin\btwdins.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\Program Files\CyberLink\Shared files\RichVideo.exe
    C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Sitecom\Bluetooth Software\BTTray.exe
    C:\Program Files\Nokia\PC Suite for Nokia 3650\connmngmntbox.exe
    C:\Program Files\Nokia\PC Suite for Nokia 3650\ectaskscheduler.exe
    C:\Program Files\Intuwave\Shared\mRouterRunTime\mRouterRuntime.exe
    C:\PROGRA~1\Nokia\PCSUIT~1\Elogerr.exe
    C:\PROGRA~1\Nokia\PCSUIT~1\BROADC~1.EXE
    C:\PROGRA~1\Nokia\PCSUIT~1\SCRFS.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Hijack This\hijackthis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.home.nl/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.home.nl/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.home.nl/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    O4 - HKLM\..\Run: [ServiceLayer] C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe
    O4 - HKLM\..\Run: [Nokia Tray Application] C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
    O4 - HKLM\..\Run: [TopDesk] C:\Program Files\TopDesk\topdesk.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [Gadwin PrintScreen 3.5] C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe /nosplash
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - Global Startup: Adobe Reader Snelle start.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
    O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
    O4 - Global Startup: BTTray.lnk = ?
    O4 - Global Startup: PCSuiteForNokia3650 Detect.lnk = ?
    O4 - Global Startup: PCSuiteForNokia3650 TS.lnk = ?
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\npjpi150_11.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\npjpi150_11.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Sitecom\Bluetooth Software\btsendto_ie.htm
    O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Sitecom\Bluetooth Software\btsendto_ie.htm
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://bzautoreparaties.spaces.live.com//PhotoUpload/MsnPUpld.cab
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - http://javadl-esd.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586-jc.cab
    O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
    O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game07.zylom.com/activex/zylomgamesplayer.cab
    O16 - DPF: {C36112BF-2FA3-4694-8603-3B510EA3B465} (Lycos File Upload Component) - http://f011.mail.lycos.nl/app/uploader/FileUploader.cab
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Autodata Limited License Service - Autodata Limited - C:\Program Files\Common Files\Autodata Limited Shared\Service\ADCDLicSvc.exe
    O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\Sitecom\Bluetooth Software\bin\btwdins.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: Microsoft Validation Service - Unknown owner - C:\WINDOWS\wmiprsv.exe (file missing)
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
    O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
  • Double-click RemoveVideoActiveXObject.exe once more.
    That should solve a number of those problems.
  • Messenger has been down here for a few hours, so it is not surprising that you can't log in. Glad to read above that things are going well. :D
