Message from Google that I have spyware or a virus

43 replies
  • Hi,

    Every time I try to go to groups.google.nl, I get a message that Google is receiving a lot of queries and that they may be coming from my computer.
    Nod32 can't find anything with an in-depth scan.
    I have also added a HijackThis log:

    Logfile of Trend Micro HijackThis v2.0.0 (BETA)
    Scan saved at 13:53:45, on 13-6-2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\Program Files\Eset\nod32krn.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\PSIService.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Eset\nod32kui.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\Program Files\Hijack This\hijackthis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKLM\..\Run: [muBlinder] D:\muBlinder\muBlinder.exe -startup
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Lokale service')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Netwerkservice')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
    O4 - Global Startup: hpoddt01.exe.lnk = ?
    O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1181470017187
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://www.chat-united.com/controls/msnchat45.cab
    O22 - SharedTaskScheduler: Preloader van browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
    O22 - SharedTaskScheduler: Cache-daemon voor onderdeelcategorieën - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe


    End of file - 3454 bytes


    Can someone tell me whether I am infected or not?

    Regards,

    Roelof
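An added illustration, not part of the thread and not code from HijackThis or from any of the posters: a HijackThis log is read by section prefix (R0 browser settings, O2 browser helper objects, O4 autostart entries, O16 downloaded ActiveX controls, O23 services), and a helper triages it by eye. The Python below does the same mechanically on a constructed sample of entries copied from the log above (the `C:\Program Files\Eset` / `nod32kui.exe` line breaks are rejoined into one path). It flags four patterns for review: a BHO marked `(no file)`, an autostart whose command carries no path at all, an ActiveX download from a host outside a trusted-domain list, and a service with `Unknown owner`. The trusted-domain list is an assumption made for the example; a flag means "look at this", not "malicious".

```python
import re
from dataclasses import dataclass
from typing import List, Tuple
from urllib.parse import urlparse

# Constructed sample: entries copied from the HijackThis log posted above, with the
# "C:\Program Files\Eset" / "nod32kui.exe" line breaks rejoined into one path.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 13:53:45, on 13-6-2007

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1181470017187
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://www.chat-united.com/controls/msnchat45.cab
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
"""

# Every entry line is "<section> - <body>"; the header lines do not match.
LINE_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")
O4_RE = re.compile(r"^(?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
O16_RE = re.compile(r"^DPF: \{(?P<clsid>[0-9A-Fa-f-]+)\} \((?P<name>[^)]*)\) - (?P<url>\S+)$")
O23_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")

# Hosts from which an O16 ActiveX download is considered expected (assumption for the example).
TRUSTED_DPF_DOMAINS = ("microsoft.com",)


@dataclass
class Finding:
    section: str
    reason: str
    entry: str


def parse_entries(log_text: str) -> List[Tuple[str, str]]:
    """Return (section, body) pairs for every HijackThis entry line, skipping the header."""
    entries = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append((m["section"], m["body"]))
    return entries


def triage(log_text: str, trusted=TRUSTED_DPF_DOMAINS) -> List[Finding]:
    """Flag entries for manual review; nothing here decides that an entry is malicious."""
    findings = []
    for section, body in parse_entries(log_text):
        if section == "O2" and body.endswith("(no file)"):
            findings.append(Finding(section, "BHO registered but its file is missing (orphaned entry)", body))
        elif section == "O4":
            m = O4_RE.match(body)
            # No backslash anywhere: the binary is found via the search path, so confirm where it lives.
            if m and "\\" not in m["cmd"]:
                findings.append(Finding(section, "autostart command has no path; confirm where the binary lives", body))
        elif section == "O16":
            m = O16_RE.match(body)
            if m:
                host = (urlparse(m["url"]).hostname or "").lower()
                if not any(host == d or host.endswith("." + d) for d in trusted):
                    findings.append(Finding(section, f"ActiveX control downloaded from third-party host {host}", body))
        elif section == "O23":
            m = O23_RE.match(body)
            if m and m["owner"] == "Unknown owner":
                findings.append(Finding(section, "service has no publisher information", body))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.entry}")
```

Run against the sample it reports four entries: the orphaned BHO and the `Alcmtr` autostart (the two the helper asks to fix in the next reply), the MSN Chat control fetched from chat-united.com, and the ProtexisLicensing service with no owner. The NOD32 and NVIDIA entries pass because they carry a full path or a publisher.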
  • Start HijackThis and choose 'Do a system scan only'
    Select only the items listed below:
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    Close all windows except HijackThis
    Click 'Fix checked' to remove the items.

    1. Download ATF Cleaner (made by Atribune)
    Double-click ATF Cleaner to start the program.
    On the "Main" tab, tick Select All.
    Click the Empty Selected button.

    Do the following if you also have Firefox as a browser:
    Click the "Firefox" tab and tick Select All.
    If you want to keep the passwords saved by Firefox, click "No" in the window that appears.
    (this removes the tick from "Firefox saved passwords")
    Click the Empty Selected button.

    Do the following if you also have Opera as a browser:
    Click the "Opera" tab and tick Select All.
    If you want to keep the passwords saved by Opera, click "No" in the window that appears.
    Click the Empty Selected button.
    Go to the "Main" tab and click the Exit button to close the program.

    2. Download Dr.Web CureIt to your desktop:
    ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

    3. Start the computer in Safe Mode.

    4. Double-click drweb-cureit.exe and allow it to start the express scan.
    This will scan the files currently loaded in memory; if anything is found, click the "Yes to all" button when asked 'cure it?'. This is only a short scan.
    Once the short scan has finished, click Options > Change Settings
    Choose the "Scan" tab and untick "Heuristic analysis"
    Back in the main window you can select the drives you want to scan.
    Select all drives here. A red dot will then appear on the drives you are going to scan.
    Then click the green arrow on the right to start the scan.
    Click 'Yes to all' when asked to cure or move.
    When the scan is done, check whether you can click the following icon next to what was found: (image: http://users.telenet.be/bluepatchy/miekiemoes/images/check.gif)
    If so, click it, then click the icon just below it and choose: Move incurable, as shown in the following image:
    (image: http://users.telenet.be/bluepatchy/miekiemoes/images/move.gif)
    This will move the files to the folder %userprofile%\DoctorWeb\quarantaine-folder if they cannot be disinfected. (in case we need samples)
    After selecting the above, in the menu at the top of Dr.Web CureIt, click File and choose Save report list. Save the log to your desktop.
    Then close Dr.Web CureIt.

    5. Restart your computer in normal mode!! This is an important step, because Dr.Web CureIt may move/delete files during the restart.
    After restarting, copy and paste the contents of the log you saved earlier into your next post, together with a HijackThis log
  • Hi Juisterrr,

    I can't give you a Dr.Web CureIt log; it couldn't find anything.

    But here is a new HijackThis log:

    Logfile of Trend Micro HijackThis v2.0.0 (BETA)
    Scan saved at 21:42:56, on 13-6-2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Eset\nod32kui.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\Program Files\Eset\nod32krn.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\PSIService.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\System32\msiexec.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Hijack This\hijackthis.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [muBlinder] D:\muBlinder\muBlinder.exe -startup
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Lokale service')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Netwerkservice')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
    O4 - Global Startup: hpoddt01.exe.lnk = ?
    O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1181470017187
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://www.chat-united.com/controls/msnchat45.cab
    O22 - SharedTaskScheduler: Preloader van browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
    O22 - SharedTaskScheduler: Cache-daemon voor onderdeelcategorieën - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe


    End of file - 3405 bytes

    The groups.google.nl page is working normally again.
    Strange, if nothing was found.

    Roelof
  • Download Combofix to your desktop.
    - Double-click Combofix.exe
    - Follow the instructions; accept the disclaimer by typing 1 (continue).
    - While the fix is running, do NOT click in the window, as this will make your PC hang.
    When the fix is complete and after the restart, the log combofix.txt will open.
    Post this log in your next reply together with a new HijackThis log.

    Note: If your virus scanner reacts with a warning about a script being executed, you can ignore it.

    Start HijackThis and choose 'Do a system scan only'
    Select only the items listed below:
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    Click 'Fix checked' to remove the items.
  • Combofix log:

    ComboFix 07-06-13.3 - CScript-fout: Toegang tot Windows Script Host is op deze computer uitgeschakeld. Neem voor details contact op met uw beheerder.
    "Roelof" - 2007-06-13 14:06:23 - Service Pack 2 NTFS


    ((((((((((((((((((((((((( Files Created from 2007-05-13 to 2007-06-13 )))))))))))))))))))))))))))))))


    2007-06-13 14:06 49,152 --a------ C:\WINDOWS\nircmd.exe
    2007-06-13 13:25 <DIR> d-------- C:\Program Files\Hijack This
    2007-06-13 12:16 <DIR> dr-h----- C:\DOCUME~1\Roelof\Onlangs geopend
    2007-06-12 14:29 0 --a------ C:\WINDOWS\nsreg.dat
    2007-06-12 11:27 <DIR> d-------- C:\Program Files\Microsoft Visual Studio 8
    2007-06-12 11:27 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Microsoft Help
    2007-06-11 18:56 <DIR> d-------- C:\Program Files\FileZilla
    2007-06-11 16:42 <DIR> d-------- C:\DOCUME~1\Roelof\APPLIC~1\Jasc
    2007-06-11 12:08 <DIR> d-------- C:\DOCUME~1\Roelof\Contacts
    2007-06-11 12:07 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
    2007-06-11 12:07 <DIR> d-------- C:\Program Files\MSN Messenger
    2007-06-11 11:41 <DIR> d-------- C:\PluginCommanderLight
    2007-06-10 21:53 <DIR> d-------- C:\Program Files\Lavasoft
    2007-06-10 21:53 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2007-06-10 21:53 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
    2007-06-10 20:17 <DIR> d-------- C:\Program Files\Jasc Software Inc
    2007-06-10 20:17 <DIR> d-------- C:\Program Files\Common Files\SWF Studio
    2007-06-10 20:17 <DIR> d-------- C:\DOCUME~1\Roelof\APPLIC~1\Jasc Software Inc
    2007-06-10 19:47 <DIR> d-------- C:\Program Files\FTDv3.7.3
    2007-06-10 19:34 <DIR> d-------- C:\Program Files\NewsLeecher
    2007-06-10 19:34 <DIR> d-------- C:\DOCUME~1\Roelof\Downloads
    2007-06-10 19:34 <DIR> d-------- C:\DOCUME~1\Roelof\APPLIC~1\NewsLeecher
    2007-06-10 19:04 <DIR> d-------- C:\WINDOWS\system32\Lang
    2007-06-10 16:18 <DIR> d-------- C:\Program Files\MSXML 4.0
    2007-06-10 16:13 17,920 --a------ C:\WINDOWS\system32\mdimon.dll
    2007-06-10 16:12 <DIR> d-------- C:\WINDOWS\SHELLNEW
    2007-06-10 16:12 <DIR> d-------- C:\Program Files\Microsoft.NET
    2007-06-10 16:09 <DIR> dr-h----- C:\MSOCache
    2007-06-10 15:58 502,368 --a------ C:\WINDOWS\system32\drivers\amon.sys
    2007-06-10 15:58 270,336 --a------ C:\WINDOWS\system32\imon.dll
    2007-06-10 15:52 157,184 -r------- C:\WINDOWS\system32\RtlCPAPI.dll
    2007-06-10 15:51 69,632 -r------- C:\WINDOWS\Alcmtr.exe
    2007-06-10 15:42 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
    2007-06-10 15:40 19,558 --a------ C:\WINDOWS\hpoins01.dat
    2007-06-10 15:40 16,606 --------- C:\WINDOWS\hpomdl01.dat
    2007-06-10 15:35 <DIR> d-------- C:\WINDOWS\system32\NtmsData
    2007-06-10 15:25 <DIR> d-------- C:\Program Files\Hewlett-Packard
    2007-06-10 15:25 <DIR> d-------- C:\Program Files\Common Files\Hewlett-Packard
    2007-06-10 15:24 <DIR> d-------- C:\temp\HP All-in-One Series Web Release
    2007-06-10 15:24 <DIR> d-------- C:\temp
    2007-06-10 15:09 <DIR> d-------- C:\DOCUME~1\Roelof\APPLIC~1\Corel
    2007-06-10 15:08 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Corel
    2007-06-10 15:07 88 -r-hs---- C:\WINDOWS\system32\6C0F48D5B7.sys
    2007-06-10 15:07 2,516 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
    2007-06-10 15:07 <DIR> d-------- C:\Program Files\Corel
    2007-06-10 15:03 <DIR> d-------- C:\DOCUME~1\Roelof\APPLIC~1\WinRAR
    2007-06-10 14:49 40,960 -r------- C:\WINDOWS\system32\ChCfg.exe
    2007-06-10 14:49 <DIR> d-------- C:\WINDOWS\system32\RTCOM
    2007-06-10 14:48 9,710,592 -r------- C:\WINDOWS\RTLCPL.exe
    2007-06-10 14:48 86,016 -r------- C:\WINDOWS\SoundMan.exe
    2007-06-10 14:48 82,944 --a------ C:\WINDOWS\system32\drivers\wdmaud.sys
    2007-06-10 14:48 7,552 --a------ C:\WINDOWS\system32\drivers\MSKSSRV.sys
    2007-06-10 14:48 60,800 --a------ C:\WINDOWS\system32\drivers\sysaudio.sys
    2007-06-10 14:48 60,288 --a------ C:\WINDOWS\system32\drivers\drmk.sys
    2007-06-10 14:48 6,400 --a------ C:\WINDOWS\system32\drivers\splitter.sys
    2007-06-10 14:48 54,272 --a------ C:\WINDOWS\system32\drivers\swmidi.sys
    2007-06-10 14:48 52,864 --a------ C:\WINDOWS\system32\drivers\DMusic.sys
    2007-06-10 14:48 5,376 --a------ C:\WINDOWS\system32\drivers\MSPCLOCK.sys
    2007-06-10 14:48 487,424 -r------- C:\WINDOWS\RtlExUpd.dll
    2007-06-10 14:48 4,992 --a------ C:\WINDOWS\system32\drivers\MSPQM.sys
    2007-06-10 14:48 4,096 --a------ C:\WINDOWS\system32\ksuser.dll
    2007-06-10 14:48 356,352 -r------- C:\WINDOWS\RtlUpd.exe
    2007-06-10 14:48 3,966,976 -r------- C:\WINDOWS\system32\drivers\RtkHDAud.Sys
    2007-06-10 14:48 2,944 --a------ C:\WINDOWS\system32\drivers\drmkaud.sys
    2007-06-10 14:48 2,807,808 -r------- C:\WINDOWS\alcwzrd.exe
    2007-06-10 14:48 2,142,208 -r------- C:\WINDOWS\MicCal.exe
    2007-06-10 14:48 172,416 --a------ C:\WINDOWS\system32\drivers\kmixer.sys
    2007-06-10 14:48 142,464 --a------ C:\WINDOWS\system32\drivers\aec.sys
    2007-06-10 14:48 14,854,144 -r------- C:\WINDOWS\RTHDCPL.exe
    2007-06-10 14:48 <DIR> d-------- C:\Program Files\Realtek
    2007-06-10 14:21 <DIR> d-------- C:\Program Files\xp-AntiSpy
    2007-06-10 14:17 70,144 -ra------ C:\WINDOWS\system32\drivers\Rtlnicxp.sys
    2007-06-10 14:16 <DIR> d-------- C:\WINDOWS\system32\URTTEMP
    2007-06-10 14:15 36,352 -ra------ C:\WINDOWS\system32\drivers\AmdK8.sys
    2007-06-10 14:15 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
    2007-06-10 14:15 <DIR> d-------- C:\Program Files\ATI Technologies
    2007-06-10 14:07 208,896 --a------ C:\WINDOWS\system32\nvudisp.exe
    2007-06-10 14:07 <DIR> d-------- C:\WINDOWS\nview
    2007-06-10 14:06 208,896 --a------ C:\WINDOWS\system32\NVUNINST.EXE
    2007-06-10 14:06 <DIR> d-------- C:\Program Files\Common Files\InstallShield
    2007-06-10 14:06 <DIR> d-------- C:\NVIDIA
    2007-06-10 14:01 <DIR> d--hs---- C:\RECYCLER
    2007-06-10 13:33 57,856 --a------ C:\WINDOWS\system32\drivers\redbook.sys
    2007-06-10 13:33 3,072 --a------ C:\WINDOWS\system32\drivers\audstub.sys
    2007-06-10 13:33 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
    2007-06-10 13:32 6,400 --a------ C:\WINDOWS\system32\drivers\enum1394.sys
    2007-06-10 13:32 20,992 --a------ C:\WINDOWS\system32\drivers\rtl8139.sys
    2007-06-10 13:31 76,288 --a------ C:\WINDOWS\system32\usbui.dll
    2007-06-10 13:31 6,144 -ra------ C:\WINDOWS\system32\kbdtuq.dll
    2007-06-10 13:31 6,144 -ra------ C:\WINDOWS\system32\kbdtuf.dll
    2007-06-10 13:31 5,632 -ra------ C:\WINDOWS\system32\kbdazel.dll
    2007-06-10 13:31 <DIR> dr------- C:\Program Files
    2007-06-10 13:31 <DIR> d-------- C:\Program Files\Common Files\SpeechEngines
    2007-06-10 13:31 <DIR> d-------- C:\Program Files\Common Files\ODBC
    2007-06-10 13:30 9,936 --a------ C:\WINDOWS\system\LZEXPAND.DLL
    2007-06-10 13:30 9,040 --a------ C:\WINDOWS\system\VER.DLL
    2007-06-10 13:30 86,556 --a------ C:\WINDOWS\system32\dgsetup.dll
    2007-06-10 13:30 82,944 --a------ C:\WINDOWS\system\OLECLI.DLL
    2007-06-10 13:30 8,704 --a------ C:\WINDOWS\system32\batt.dll
    2007-06-10 13:30 8,192 -ra------ C:\WINDOWS\system32\kbdhept.dll


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2007-06-10 14:17:16 81,436 ----a-w C:\WINDOWS\system32\perfc013.dat
    2007-06-10 14:17:16 465,586 ----a-w C:\WINDOWS\system32\perfh013.dat
    2007-04-19 11:26:00 888,832 ----a-w C:\WINDOWS\system32\nvmobls.dll
    2007-04-19 11:26:00 86,016 ----a-w C:\WINDOWS\system32\nvmctray.dll
    2007-04-19 11:26:00 81,920 ----a-w C:\WINDOWS\system32\nvwddi.dll
    2007-04-19 11:26:00 794,624 ----a-w C:\WINDOWS\system32\nvcplui.exe
    2007-04-19 11:26:00 7,700,480 ----a-w C:\WINDOWS\system32\nvcpl.dll
    2007-04-19 11:26:00 581,632 ----a-w C:\WINDOWS\system32\nvhwvid.dll
    2007-04-19 11:26:00 5,644,288 ----a-w C:\WINDOWS\system32\nvoglnt.dll
    2007-04-19 11:26:00 5,619,712 ----a-w C:\WINDOWS\system32\nvdisps.dll
    2007-04-19 11:26:00 466,944 ----a-w C:\WINDOWS\system32\nvshell.dll
    2007-04-19 11:26:00 45,056 ----a-w C:\WINDOWS\system32\nvmccsrs.dll
    2007-04-19 11:26:00 442,368 ----a-w C:\WINDOWS\system32\nvappbar.exe
    2007-04-19 11:26:00 425,984 ----a-w C:\WINDOWS\system32\keystone.exe
    2007-04-19 11:26:00 4,543,616 ----a-w C:\WINDOWS\system32\nv4_disp.dll
    2007-04-19 11:26:00 35,840 ----a-w C:\WINDOWS\system32\nvcodins.dll
    2007-04-19 11:26:00 35,840 ----a-w C:\WINDOWS\system32\nvcod.dll
    2007-04-19 11:26:00 311,296 ----a-w C:\WINDOWS\system32\nvexpbar.dll
    2007-04-19 11:26:00 3,988,384 ----a-w C:\WINDOWS\system32\drivers\nv4_mini.sys
    2007-04-19 11:26:00 3,035,136 ----a-w C:\WINDOWS\system32\nvgames.dll
    2007-04-19 11:26:00 286,720 ----a-w C:\WINDOWS\system32\nvnt4cpl.dll
    2007-04-19 11:26:00 229,376 ----a-w C:\WINDOWS\system32\nvmccs.dll
    2007-04-19 11:26:00 212,992 ----a-w C:\WINDOWS\system32\nvapi.dll
    2007-04-19 11:26:00 2,924,544 ----a-w C:\WINDOWS\system32\nvvitvs.dll
    2007-04-19 11:26:00 188,416 ----a-w C:\WINDOWS\system32\nvmccss.dll
    2007-04-19 11:26:00 159,810 ----a-w C:\WINDOWS\system32\nvsvc32.exe
    2007-04-19 11:26:00 147,456 ----a-w C:\WINDOWS\system32\nvcolor.exe
    2007-04-19 11:26:00 1,703,936 ----a-w C:\WINDOWS\system32\nvwdmcpl.dll
    2007-04-19 11:26:00 1,626,112 ----a-w C:\WINDOWS\system32\nwiz.exe
    2007-04-19 11:26:00 1,474,560 ----a-w C:\WINDOWS\system32\nview.dll
    2007-04-19 11:26:00 1,339,392 ----a-w C:\WINDOWS\system32\nvdspsch.exe
    2007-04-19 11:26:00 1,236,992 ----a-w C:\WINDOWS\system32\nvwss.dll
    2007-04-19 11:26:00 1,019,904 ----a-w C:\WINDOWS\system32\nvwimg.dll
    2007-04-19 11:26:00 1,011,712 ----a-w C:\WINDOWS\system32\nvcpluir.dll
    2007-04-18 16:15:26 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
    2007-04-13 13:19:52 7,680 ----a-w C:\WINDOWS\system32\lsdelete.exe
    2007-03-17 13:45:54 293,376 ----a-w C:\WINDOWS\system32\winsrv.dll


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "nwiz"="nwiz.exe" [2007-04-19 13:26 C:\WINDOWS\system32\nwiz.exe]
    "High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 17:07 C:\WINDOWS\system32\HdAShCut.exe]
    "RTHDCPL"="RTHDCPL.EXE" [2005-09-22 07:36 C:\WINDOWS\RTHDCPL.exe]
    "Alcmtr"="ALCMTR.EXE" [2005-05-03 12:43 C:\WINDOWS\Alcmtr.exe]
    "nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-06-10 15:58]
    "muBlinder"="D:\muBlinder\muBlinder.exe" [2007-05-13 04:43]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 10:03]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "ClearRecentDocsOnExit"=1 (0x1)

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice]


    **************************************************************************

    catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-06-13 14:07:07
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Completion time: 2007-06-13 14:07:33

    --- E O F ---

    HijackThis log:

    Logfile of Trend Micro HijackThis v2.0.0 (BETA)
    Scan saved at 22:53:00, on 13-6-2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Eset\nod32kui.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\Program Files\Eset\nod32krn.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\PSIService.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\MSN Messenger\usnsvc.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Hijack This\hijackthis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKLM\..\Run: [muBlinder] D:\muBlinder\muBlinder.exe -startup
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Lokale service')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Netwerkservice')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
    O4 - Global Startup: hpoddt01.exe.lnk = ?
    O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1181470017187
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://www.chat-united.com/controls/msnchat45.cab
    O22 - SharedTaskScheduler: Preloader van browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
    O22 - SharedTaskScheduler: Cache-daemon voor onderdeelcategorieën - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe


    End of file - 3262 bytes
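An added example, not part of the thread and not ComboFix's own code: each line in the "Files Created" section above carries a date, a time, a size (or `<DIR>`), a nine-character attribute string and a path; the site's text conversion turned runs of hyphens in that attribute column into dashes, which is why the post looks garbled. The Python below parses a constructed sample of seven lines taken from that log with the attribute strings restored, lists the plain files under `C:\WINDOWS` that carry both the hidden (`h`) and system (`s`) attributes, and then shows what else was written in the same minute. That timeline check is how a helper tells an installer's licensing files from something unexpected: in this sample both flagged `.sys` files appear in the same minute as the `C:\Program Files\Corel` directory. The `C:\WINDOWS` root is an assumption made for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# One "Files Created" line: date, time, size or <DIR>, 9-char attribute string, path.
ENTRY_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2})\s+"
    r"(?P<size><DIR>|[\d,]+)\s+(?P<attrs>[-a-z]{9})\s+(?P<path>.+)$"
)

# Constructed sample: seven lines copied from the ComboFix log posted above,
# with the attribute columns restored to plain hyphens.
SAMPLE = r"""
2007-06-13 14:06 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-13 13:25 <DIR> d-------- C:\Program Files\Hijack This
2007-06-10 15:09 <DIR> d-------- C:\DOCUME~1\Roelof\APPLIC~1\Corel
2007-06-10 15:07 88 -r-hs---- C:\WINDOWS\system32\6C0F48D5B7.sys
2007-06-10 15:07 2,516 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2007-06-10 15:07 <DIR> d-------- C:\Program Files\Corel
2007-06-10 14:48 86,016 -r------- C:\WINDOWS\SoundMan.exe
"""


@dataclass
class Entry:
    date: str
    time: str
    size: Optional[int]  # None for directories
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        return "d" in self.attrs

    @property
    def hidden_system(self) -> bool:
        # 'h' = hidden, 's' = system; both set on a plain file is worth a look
        return "h" in self.attrs and "s" in self.attrs


def parse_files_created(text: str) -> List[Entry]:
    """Parse every well-formed entry line; banners and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        size = None if m["size"] == "<DIR>" else int(m["size"].replace(",", ""))
        entries.append(Entry(m["date"], m["time"], size, m["attrs"], m["path"]))
    return entries


def hidden_system_files(entries: List[Entry], root: str = r"c:\windows") -> List[Entry]:
    """Plain files under `root` (assumed C:\WINDOWS here) with both hidden and system set."""
    return [e for e in entries
            if not e.is_dir and e.hidden_system and e.path.lower().startswith(root)]


def created_same_minute(entries: List[Entry], target: Entry) -> List[Entry]:
    """Everything else written in the same minute as `target` (timeline correlation)."""
    return [e for e in entries
            if (e.date, e.time) == (target.date, target.time) and e.path != target.path]


if __name__ == "__main__":
    all_entries = parse_files_created(SAMPLE)
    for f in hidden_system_files(all_entries):
        print(f"review: {f.path} ({f.attrs}, {f.size} bytes)")
        for other in created_same_minute(all_entries, f):
            print(f"    same minute: {other.path}")
```

The output names the two hidden system files in system32 and, under each, the other file and the Corel directory created at 15:07; whether that makes them expected is the helper's call, the script only lines the facts up.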
  • Download VirtumundoBegone and save it to your desktop.
    Double-click VirtumundoBeGone.exe and follow the instructions.
    Don't be alarmed if you see a blue screen with an error message - this is normal.

    When the fix is finished, restart the PC.
    Post the contents of the log file VBG.TXT, which is now on your desktop, here in your next reply.
  • Hi Juisterr,

    Here is the log:


    [06/14/2007, 12:50:59] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Roelof\Local Settings\Temporary Internet Files\Content.IE5\K1IV8123\VirtumundoBeGone[1].exe" )
    [06/14/2007, 12:51:07] - Detected System Information:
    [06/14/2007, 12:51:07] - Windows Version: 5.1.2600, Service Pack 2
    [06/14/2007, 12:51:07] - Current Username: Roelof (Admin)
    [06/14/2007, 12:51:07] - Windows is in NORMAL mode.
    [06/14/2007, 12:51:07] - Searching for Browser Helper Objects:
    [06/14/2007, 12:51:07] - Finished Searching Browser Helper Objects
    [06/14/2007, 12:51:07] - Finishing up...
    [06/14/2007, 12:51:07] - Nothing found! Exiting...


    Nothing found again, then.
    Do you have any idea whether there is an infection somewhere?

    Regards,

    Roelof
  • Yes, I'm looking.

    May I have a new HJT log, please.
  • OK,

    Here is the log:

    Logfile of Trend Micro HijackThis v2.0.0 (BETA)
    Scan saved at 14:52:39, on 14-6-2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\Program Files\Eset\nod32krn.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\PSIService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Eset\nod32kui.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\MSN Messenger\usnsvc.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Hijack This\hijackthis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKLM\..\Run: [muBlinder] D:\muBlinder\muBlinder.exe -startup
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Lokale service')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Netwerkservice')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
    O4 - Global Startup: hpoddt01.exe.lnk = ?
    O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1181470017187
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://www.chat-united.com/controls/msnchat45.cab
    O22 - SharedTaskScheduler: Preloader van browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
    O22 - SharedTaskScheduler: Cache-daemon voor onderdeelcategorieën - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe


    End of file - 3348 bytes

    The only thing in here I've never come across before is the last line, but according to Google it is trusted.

    Regards,

    Roelof
  • Hi, please remove all the tools I offered earlier and then reboot.

    Then please do the following.


    Download Combofix to your Desktop.
    - Double-click Combofix.exe
    - Follow the instructions, accept the disclaimer by typing 1 (continue).
    - While the fix is running, do NOT click in the window, as this will make your PC hang.
    When the fix is complete and after the reboot, the log combofix.txt will open.
    Post this log in your next reply together with a new HijackThis log.

    Note: If your virus scanner responds with a warning about a script execution, you can ignore it.
  • Hi,

    Here is the Combofix log already:

    ComboFix 07-06-13.3 - CScript-fout: Toegang tot Windows Script Host is op deze computer uitgeschakeld. Neem voor details contact op met uw beheerder.
    "Roelof" - 2007-06-15 12:43:28 - Service Pack 2 NTFS


    ((((((((((((((((((((((((( Files Created from 2007-05-15 to 2007-06-15 )))))))))))))))))))))))))))))))


    2007-06-15 12:31 <DIR> dr-h----- C:\DOCUME~1\Roelof\Onlangs geopend
    2007-06-13 21:05 <DIR> d-------- C:\DOCUME~1\Roelof\DoctorWeb
    2007-06-13 21:04 <DIR> d-------- C:\WINDOWS\CSC
    2007-06-13 14:06 49,152 --a------ C:\WINDOWS\nircmd.exe
    2007-06-13 13:25 <DIR> d-------- C:\Program Files\Hijack This
    2007-06-12 14:29 0 --a------ C:\WINDOWS\nsreg.dat
    2007-06-12 11:27 <DIR> d-------- C:\Program Files\Microsoft Visual Studio 8
    2007-06-12 11:27 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Microsoft Help
    2007-06-11 18:56 <DIR> d-------- C:\Program Files\FileZilla
    2007-06-11 16:42 <DIR> d-------- C:\DOCUME~1\Roelof\APPLIC~1\Jasc
    2007-06-11 12:08 <DIR> d-------- C:\DOCUME~1\Roelof\Contacts
    2007-06-11 12:07 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
    2007-06-11 12:07 <DIR> d-------- C:\Program Files\MSN Messenger
    2007-06-11 11:41 <DIR> d-------- C:\PluginCommanderLight
    2007-06-10 21:53 <DIR> d-------- C:\Program Files\Lavasoft
    2007-06-10 21:53 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2007-06-10 21:53 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
    2007-06-10 20:17 <DIR> d-------- C:\Program Files\Jasc Software Inc
    2007-06-10 20:17 <DIR> d-------- C:\Program Files\Common Files\SWF Studio
    2007-06-10 20:17 <DIR> d-------- C:\DOCUME~1\Roelof\APPLIC~1\Jasc Software Inc
    2007-06-10 19:47 <DIR> d-------- C:\Program Files\FTDv3.7.3
    2007-06-10 19:34 <DIR> d-------- C:\Program Files\NewsLeecher
    2007-06-10 19:34 <DIR> d-------- C:\DOCUME~1\Roelof\Downloads
    2007-06-10 19:34 <DIR> d-------- C:\DOCUME~1\Roelof\APPLIC~1\NewsLeecher
    2007-06-10 19:04 <DIR> d-------- C:\WINDOWS\system32\Lang
    2007-06-10 16:18 <DIR> d-------- C:\Program Files\MSXML 4.0
    2007-06-10 16:13 17,920 --a------ C:\WINDOWS\system32\mdimon.dll
    2007-06-10 16:12 <DIR> d-------- C:\WINDOWS\SHELLNEW
    2007-06-10 16:12 <DIR> d-------- C:\Program Files\Microsoft.NET
    2007-06-10 16:09 <DIR> dr-h----- C:\MSOCache
    2007-06-10 15:58 502,368 --a------ C:\WINDOWS\system32\drivers\amon.sys
    2007-06-10 15:58 270,336 --a------ C:\WINDOWS\system32\imon.dll
    2007-06-10 15:52 157,184 -r------- C:\WINDOWS\system32\RtlCPAPI.dll
    2007-06-10 15:51 69,632 -r------- C:\WINDOWS\Alcmtr.exe
    2007-06-10 15:42 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
    2007-06-10 15:40 19,558 --a------ C:\WINDOWS\hpoins01.dat
    2007-06-10 15:40 16,606 --------- C:\WINDOWS\hpomdl01.dat
    2007-06-10 15:35 <DIR> d-------- C:\WINDOWS\system32\NtmsData
    2007-06-10 15:25 <DIR> d-------- C:\Program Files\Hewlett-Packard
    2007-06-10 15:25 <DIR> d-------- C:\Program Files\Common Files\Hewlett-Packard
    2007-06-10 15:24 <DIR> d-------- C:\temp\HP All-in-One Series Web Release
    2007-06-10 15:24 <DIR> d-------- C:\temp
    2007-06-10 15:09 <DIR> d-------- C:\DOCUME~1\Roelof\APPLIC~1\Corel
    2007-06-10 15:08 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Corel
    2007-06-10 15:07 88 -r-hs---- C:\WINDOWS\system32\6C0F48D5B7.sys
    2007-06-10 15:07 2,516 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
    2007-06-10 15:07 <DIR> d-------- C:\Program Files\Corel
    2007-06-10 15:03 <DIR> d-------- C:\DOCUME~1\Roelof\APPLIC~1\WinRAR
    2007-06-10 14:49 40,960 -r------- C:\WINDOWS\system32\ChCfg.exe
    2007-06-10 14:49 <DIR> d-------- C:\WINDOWS\system32\RTCOM
    2007-06-10 14:48 9,710,592 -r------- C:\WINDOWS\RTLCPL.exe
    2007-06-10 14:48 86,016 -r------- C:\WINDOWS\SoundMan.exe
    2007-06-10 14:48 82,944 --a------ C:\WINDOWS\system32\drivers\wdmaud.sys
    2007-06-10 14:48 7,552 --a------ C:\WINDOWS\system32\drivers\MSKSSRV.sys
    2007-06-10 14:48 60,800 --a------ C:\WINDOWS\system32\drivers\sysaudio.sys
    2007-06-10 14:48 60,288 --a------ C:\WINDOWS\system32\drivers\drmk.sys
    2007-06-10 14:48 6,400 --a------ C:\WINDOWS\system32\drivers\splitter.sys
    2007-06-10 14:48 54,272 --a------ C:\WINDOWS\system32\drivers\swmidi.sys
    2007-06-10 14:48 52,864 --a------ C:\WINDOWS\system32\drivers\DMusic.sys
    2007-06-10 14:48 5,376 --a------ C:\WINDOWS\system32\drivers\MSPCLOCK.sys
    2007-06-10 14:48 487,424 -r------- C:\WINDOWS\RtlExUpd.dll
    2007-06-10 14:48 4,992 --a------ C:\WINDOWS\system32\drivers\MSPQM.sys
    2007-06-10 14:48 4,096 --a------ C:\WINDOWS\system32\ksuser.dll
    2007-06-10 14:48 356,352 -r------- C:\WINDOWS\RtlUpd.exe
    2007-06-10 14:48 3,966,976 -r------- C:\WINDOWS\system32\drivers\RtkHDAud.Sys
    2007-06-10 14:48 2,944 --a------ C:\WINDOWS\system32\drivers\drmkaud.sys
    2007-06-10 14:48 2,807,808 -r------- C:\WINDOWS\alcwzrd.exe
    2007-06-10 14:48 2,142,208 -r------- C:\WINDOWS\MicCal.exe
    2007-06-10 14:48 172,416 --a------ C:\WINDOWS\system32\drivers\kmixer.sys
    2007-06-10 14:48 142,464 --a------ C:\WINDOWS\system32\drivers\aec.sys
    2007-06-10 14:48 14,854,144 -r------- C:\WINDOWS\RTHDCPL.exe
    2007-06-10 14:48 <DIR> d-------- C:\Program Files\Realtek
    2007-06-10 14:21 <DIR> d-------- C:\Program Files\xp-AntiSpy
    2007-06-10 14:17 70,144 -ra------ C:\WINDOWS\system32\drivers\Rtlnicxp.sys
    2007-06-10 14:16 <DIR> d-------- C:\WINDOWS\system32\URTTEMP
    2007-06-10 14:15 36,352 -ra------ C:\WINDOWS\system32\drivers\AmdK8.sys
    2007-06-10 14:15 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
    2007-06-10 14:15 <DIR> d-------- C:\Program Files\ATI Technologies
    2007-06-10 14:07 208,896 --a------ C:\WINDOWS\system32\nvudisp.exe
    2007-06-10 14:07 <DIR> d-------- C:\WINDOWS\nview
    2007-06-10 14:06 208,896 --a------ C:\WINDOWS\system32\NVUNINST.EXE
    2007-06-10 14:06 <DIR> d-------- C:\Program Files\Common Files\InstallShield
    2007-06-10 14:06 <DIR> d-------- C:\NVIDIA
    2007-06-10 14:01 <DIR> d--hs---- C:\RECYCLER
    2007-06-10 13:33 57,856 --a------ C:\WINDOWS\system32\drivers\redbook.sys
    2007-06-10 13:33 3,072 --a------ C:\WINDOWS\system32\drivers\audstub.sys
    2007-06-10 13:33 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
    2007-06-10 13:32 6,400 --a------ C:\WINDOWS\system32\drivers\enum1394.sys
    2007-06-10 13:32 20,992 --a------ C:\WINDOWS\system32\drivers\rtl8139.sys
    2007-06-10 13:31 76,288 --a------ C:\WINDOWS\system32\usbui.dll
    2007-06-10 13:31 6,144 -ra------ C:\WINDOWS\system32\kbdtuq.dll
    2007-06-10 13:31 6,144 -ra------ C:\WINDOWS\system32\kbdtuf.dll
    2007-06-10 13:31 5,632 -ra------ C:\WINDOWS\system32\kbdazel.dll
    2007-06-10 13:31 <DIR> dr------- C:\Program Files
    2007-06-10 13:31 <DIR> d-------- C:\Program Files\Common Files\SpeechEngines
    2007-06-10 13:31 <DIR> d-------- C:\Program Files\Common Files\ODBC
    2007-06-10 13:30 9,936 --a------ C:\WINDOWS\system\LZEXPAND.DLL
    2007-06-10 13:30 9,040 --a------ C:\WINDOWS\system\VER.DLL
    2007-06-10 13:30 86,556 --a------ C:\WINDOWS\system32\dgsetup.dll
    2007-06-10 13:30 82,944 --a------ C:\WINDOWS\system\OLECLI.DLL


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2007-06-10 14:17:16 81,436 ----a-w C:\WINDOWS\system32\perfc013.dat
    2007-06-10 14:17:16 465,586 ----a-w C:\WINDOWS\system32\perfh013.dat
    2007-04-25 14:22:52 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
    2007-04-19 11:26:00 888,832 ----a-w C:\WINDOWS\system32\nvmobls.dll
    2007-04-19 11:26:00 86,016 ----a-w C:\WINDOWS\system32\nvmctray.dll
    2007-04-19 11:26:00 81,920 ----a-w C:\WINDOWS\system32\nvwddi.dll
    2007-04-19 11:26:00 794,624 ----a-w C:\WINDOWS\system32\nvcplui.exe
    2007-04-19 11:26:00 7,700,480 ----a-w C:\WINDOWS\system32\nvcpl.dll
    2007-04-19 11:26:00 581,632 ----a-w C:\WINDOWS\system32\nvhwvid.dll
    2007-04-19 11:26:00 5,644,288 ----a-w C:\WINDOWS\system32\nvoglnt.dll
    2007-04-19 11:26:00 5,619,712 ----a-w C:\WINDOWS\system32\nvdisps.dll
    2007-04-19 11:26:00 466,944 ----a-w C:\WINDOWS\system32\nvshell.dll
    2007-04-19 11:26:00 45,056 ----a-w C:\WINDOWS\system32\nvmccsrs.dll
    2007-04-19 11:26:00 442,368 ----a-w C:\WINDOWS\system32\nvappbar.exe
    2007-04-19 11:26:00 425,984 ----a-w C:\WINDOWS\system32\keystone.exe
    2007-04-19 11:26:00 4,543,616 ----a-w C:\WINDOWS\system32\nv4_disp.dll
    2007-04-19 11:26:00 35,840 ----a-w C:\WINDOWS\system32\nvcodins.dll
    2007-04-19 11:26:00 35,840 ----a-w C:\WINDOWS\system32\nvcod.dll
    2007-04-19 11:26:00 311,296 ----a-w C:\WINDOWS\system32\nvexpbar.dll
    2007-04-19 11:26:00 3,988,384 ----a-w C:\WINDOWS\system32\drivers\nv4_mini.sys
    2007-04-19 11:26:00 3,035,136 ----a-w C:\WINDOWS\system32\nvgames.dll
    2007-04-19 11:26:00 286,720 ----a-w C:\WINDOWS\system32\nvnt4cpl.dll
    2007-04-19 11:26:00 229,376 ----a-w C:\WINDOWS\system32\nvmccs.dll
    2007-04-19 11:26:00 212,992 ----a-w C:\WINDOWS\system32\nvapi.dll
    2007-04-19 11:26:00 2,924,544 ----a-w C:\WINDOWS\system32\nvvitvs.dll
    2007-04-19 11:26:00 188,416 ----a-w C:\WINDOWS\system32\nvmccss.dll
    2007-04-19 11:26:00 159,810 ----a-w C:\WINDOWS\system32\nvsvc32.exe
    2007-04-19 11:26:00 147,456 ----a-w C:\WINDOWS\system32\nvcolor.exe
    2007-04-19 11:26:00 1,703,936 ----a-w C:\WINDOWS\system32\nvwdmcpl.dll
    2007-04-19 11:26:00 1,626,112 ----a-w C:\WINDOWS\system32\nwiz.exe
    2007-04-19 11:26:00 1,474,560 ----a-w C:\WINDOWS\system32\nview.dll
    2007-04-19 11:26:00 1,339,392 ----a-w C:\WINDOWS\system32\nvdspsch.exe
    2007-04-19 11:26:00 1,236,992 ----a-w C:\WINDOWS\system32\nvwss.dll
    2007-04-19 11:26:00 1,019,904 ----a-w C:\WINDOWS\system32\nvwimg.dll
    2007-04-19 11:26:00 1,011,712 ----a-w C:\WINDOWS\system32\nvcpluir.dll
    2007-04-18 16:15:26 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
    2007-04-13 13:19:52 7,680 ----a-w C:\WINDOWS\system32\lsdelete.exe
    2007-03-17 13:45:54 293,376 ----a-w C:\WINDOWS\system32\winsrv.dll


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "nwiz"="nwiz.exe" [2007-04-19 13:26 C:\WINDOWS\system32\nwiz.exe]
    "High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 17:07 C:\WINDOWS\system32\HdAShCut.exe]
    "RTHDCPL"="RTHDCPL.EXE" [2005-09-22 07:36 C:\WINDOWS\RTHDCPL.exe]
    "nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-06-10 15:58]
    "muBlinder"="D:\muBlinder\muBlinder.exe" [2007-05-13 04:43]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 10:03]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "ClearRecentDocsOnExit"=1 (0x1)

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice]


    **************************************************************************

    catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-06-15 12:43:46
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Completion time: 2007-06-15 12:44:07

    --- E O F ---

    When I run this little tool, I do get the message "findstr : zoekreeks te lang". I closed all windows and do nothing else at all while Combofix is running.

    HijackThis log:

    Logfile of Trend Micro HijackThis v2.0.0 (BETA)
    Scan saved at 12:48:13, on 15-6-2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Eset\nod32kui.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\Program Files\Eset\nod32krn.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\PSIService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Hijack This\hijackthis.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKLM\..\Run: [muBlinder] D:\muBlinder\muBlinder.exe -startup
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Lokale service')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Netwerkservice')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
    O4 - Global Startup: hpoddt01.exe.lnk = ?
    O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1181470017187
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://www.chat-united.com/controls/msnchat45.cab
    O22 - SharedTaskScheduler: Preloader van browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
    O22 - SharedTaskScheduler: Cache-daemon voor onderdeelcategorieën - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe


    End of file - 3302 bytes

    Regards,

    Roelof
  • Right,

    Do you also have any idea what might be going on with my computer?

    Regards,

    Roelof
  • Well, I'm missing the O2 and O20 lines in your log. That normally points to a Vundo infection.

    But those should be visible because you're running the beta version of HJT. So it isn't that.

    Would you please do this.
    Download win32delfkil.exe.
    Put it on your desktop and double-click win32delfkil.exe to install it.
    A folder is placed on your desktop: win32delfkil.
    Close all open windows and all files that are open.
    Open the win32delfkil folder and double-click fix.bat.
    The computer will restart.
    Once the computer has restarted, look for the file c:\windelf.txt.
    Post the contents of this file.
  • here is the log:

    WIN32DELFKIL LOGFILE - by Marckie


    version 3.128
    za 16-06-2007 17:19:06,98
    running from: "C:\Documents and Settings\Roelof\Bureaublad"


    --- File(s) found in Windows directory ---

    --- File(s) found in system32 folder ---

    --- Services ---

    --- Export SharedTaskScheduler key ---
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Preloader van browseui"
    "{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Cache-daemon voor onderdeelcategorieën"


    --- Notify key ---


    --- rebooting the computer ---

    Regards,

    Roelof
  • Could I have a freshly made HJT log please.
  • Sure,

    Here it comes:

    Logfile of Trend Micro HijackThis v2.0.0 (BETA)
    Scan saved at 14:29:40, on 17-6-2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Eset\nod32krn.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\PSIService.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Eset\nod32kui.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Hijack This\hijackthis.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [muBlinder] D:\muBlinder\muBlinder.exe -startup
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Lokale service')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Netwerkservice')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
    O4 - Global Startup: hpoddt01.exe.lnk = ?
    O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1181470017187
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://www.chat-united.com/controls/msnchat45.cab
    O22 - SharedTaskScheduler: Preloader van browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
    O22 - SharedTaskScheduler: Cache-daemon voor onderdeelcategorieën - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe


    End of file - 3465 bytes

    Regards,

    Roelof
  • Download Combofix to your Desktop.
    - Double-click Combofix.exe
    - Follow the instructions, accept the disclaimer by typing 1 (continue).
    - While the fix is running, do NOT click in the window, as this will make your PC hang.
    When the fix is complete and after the reboot, the log combofix.txt will open.
    Post this log in your next reply together with a new HijackThis log.

    Note: If your virus scanner responds with a warning about a script execution, you can ignore it.

    Start HijackThis and choose 'Do a system scan only'
    Select only the items listed below:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

    Click 'Fix checked' to remove the items.


    Download Gmer
    - Save it in a safe place and extract it to your desktop
    - Disconnect from the internet and close ALL programs
    - There is a small chance that the computer will crash while this application is running, so make sure you have saved all your work
    - Double-click gmer.exe and select the rootkit tab > click scan
    - If you get a warning about "rootkit activity" and you are asked for permission to scan, click OK
    - Click the rootkit tab and click scan
    - When the scan is finished, click copy
    - Open Notepad (or Word) and copy/paste the text and save the text to your desktop.
    - Restore your internet connection and post the text in your next reply.

    together with an HJT log.
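    What the helper does by eye in this thread (comparing successive HijackThis logs, spotting the new R0 Start Page entry, and checking whether O2/O20 sections appear at all) can be scripted. The block below is an added example written for this page; it is not code from the thread, from HijackThis or from any other tool named here. The sample logs are constructed from the kind of lines HijackThis prints in this thread, and the flagging heuristics in flag_entries are my own assumptions, not HijackThis rules.

```python
"""Parse HijackThis-style logs, diff two scans and flag entries worth a look.

Added example for this thread; it is not code from the thread, from HijackThis
or from any other tool mentioned here. The sample logs are constructed from the
kind of lines HijackThis prints, and the flagging heuristics are assumptions
of mine, not HijackThis rules.
"""
import re
from typing import Dict, List, Set, Tuple

# An entry line looks like "<section> - <detail>", for example
# "O4 - HKLM\..\Run: [nwiz] nwiz.exe /install". Header lines and the running
# process list ("C:\WINDOWS\System32\smss.exe") do not match and are skipped.
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.*)$")


def parse_hjt_log(text: str) -> Dict[str, List[str]]:
    """Return {section: [detail, ...]} for every entry line in the log."""
    entries: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.setdefault(m.group(1), []).append(m.group(2))
    return entries


def _flatten(entries: Dict[str, List[str]]) -> Set[str]:
    return {f"{sec} - {d}" for sec, details in entries.items() for d in details}


def diff_logs(old: str, new: str) -> Tuple[List[str], List[str]]:
    """(added, removed) entry lines between two scans of the same machine."""
    before, after = _flatten(parse_hjt_log(old)), _flatten(parse_hjt_log(new))
    return sorted(after - before), sorted(before - after)


def missing_sections(text: str, expected: Tuple[str, ...] = ("O2", "O20")) -> List[str]:
    """Sections that never appear in the log, e.g. no O2 (BHO) or O20 (Winlogon Notify) lines."""
    present = parse_hjt_log(text)
    return [sec for sec in expected if sec not in present]


def flag_entries(text: str) -> List[str]:
    """Entries a log reader usually checks first (heuristics, not verdicts)."""
    flagged: List[str] = []
    for sec, details in parse_hjt_log(text).items():
        for d in details:
            if sec in ("R0", "R1") and ("Start Page" in d or "Search" in d):
                flagged.append(f"{sec} - {d}")  # browser start/search page was changed
            elif sec == "O4" and d.endswith("= ?"):
                flagged.append(f"{sec} - {d}")  # startup shortcut whose target could not be resolved
            elif sec == "O16" and "microsoft.com" not in d.lower():
                flagged.append(f"{sec} - {d}")  # ActiveX control fetched from a third-party host
    return flagged


# Constructed sample: a trimmed first scan, in the shape of the logs in this thread.
OLD_LOG = r"""Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 13:53:45, on 13-6-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Hijack This\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - Global Startup: hpoddt01.exe.lnk = ?
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1181470017187
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://www.chat-united.com/controls/msnchat45.cab
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe

End of file - 3348 bytes
"""

# Constructed second scan: same machine, two new entries (a changed start page
# and a newly installed online-scanner control).
NEW_LOG = OLD_LOG.replace(
    "R0 - HKCU",
    "R0 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = about:blank\nR0 - HKCU",
).replace(
    "O16 - DPF: {6414512B",
    "O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) "
    "- http://downloads.ewido.net/ewidoOnlineScan.cab\nO16 - DPF: {6414512B",
)

if __name__ == "__main__":
    added, removed = diff_logs(OLD_LOG, NEW_LOG)
    print("sections absent in first scan:", missing_sections(OLD_LOG))
    print("new since first scan:", *added, sep="\n  ")
    print("gone since first scan:", removed)
    print("worth a second look:", *flag_entries(NEW_LOG), sep="\n  ")
```

    Running it prints the two entries that are new in the second scan (the about:blank start page and the ewido control) and confirms that neither O2 nor O20 lines occur in either log; the diff is what makes a changed R0 line stand out between two otherwise identical logs, which is exactly the kind of line a helper asks to fix.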
  • Combofix log:

    ComboFix 07-06-13.3 - CScript-fout: Toegang tot Windows Script Host is op deze computer uitgeschakeld. Neem voor details contact op met uw beheerder.
    "Roelof" - 2007-06-17 16:03:43 - Service Pack 2 NTFS


    ((((((((((((((((((((((((( Files Created from 2007-05-17 to 2007-06-17 )))))))))))))))))))))))))))))))


    2007-06-17 09:17 <DIR> dr-h----- C:\DOCUME~1\Roelof\Onlangs geopend
    2007-06-16 21:02 <DIR> d-------- C:\WINDOWS\pss
    2007-06-16 19:31 <DIR> d-------- C:\WINDOWS\ulead.dat
    2007-06-16 19:30 9,136 --------- C:\WINDOWS\INETWH16.DLL
    2007-06-16 19:30 4,528 --------- C:\WINDOWS\SETBROWS.EXE
    2007-06-16 19:30 35,328 --------- C:\WINDOWS\INETWH32.DLL
    2007-06-16 19:30 26,832 --------- C:\WINDOWS\CTL3DV2.DLL
    2007-06-16 19:30 <DIR> d-------- C:\WINDOWS\Noslip
    2007-06-16 19:30 <DIR> d-------- C:\Program Files\Ulead ArtTexture.Plugin
    2007-06-16 19:29 304,128 --a------ C:\WINDOWS\IsUninst.exe
    2007-06-16 19:29 <DIR> d-------- C:\DOCUME~1\Roelof\WINDOWS
    2007-06-16 17:19 <DIR> d-------- C:\_backupD
    2007-06-16 17:18 90,112 --a------ C:\WINDOWS\system32\regdacl.exe
    2007-06-16 17:18 53,248 --a------ C:\WINDOWS\system32\process.exe
    2007-06-16 17:18 4,096 --a------ C:\WINDOWS\system32\reboot.exe
    2007-06-16 17:18 16,384 --a------ C:\WINDOWS\system32\restart.exe
    2007-06-16 17:18 <DIR> d-------- C:\WINDOWS\system32\regdacl
    2007-06-16 15:52 <DIR> d-------- C:\DOCUME~1\Roelof\APPLIC~1\vlc
    2007-06-16 15:52 <DIR> d-------- C:\DOCUME~1\Roelof\APPLIC~1\dvdcss
    2007-06-16 15:51 <DIR> d-------- C:\Program Files\VideoLAN
    2007-06-13 21:05 <DIR> d-------- C:\DOCUME~1\Roelof\DoctorWeb
    2007-06-13 21:04 <DIR> d-------- C:\WINDOWS\CSC
    2007-06-13 14:06 49,152 --a------ C:\WINDOWS\nircmd.exe
    2007-06-13 13:25 <DIR> d-------- C:\Program Files\Hijack This
    2007-06-12 14:29 0 --a------ C:\WINDOWS\nsreg.dat
    2007-06-12 11:27 <DIR> d-------- C:\Program Files\Microsoft Visual Studio 8
    2007-06-12 11:27 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Microsoft Help
    2007-06-11 18:56 <DIR> d-------- C:\Program Files\FileZilla
    2007-06-11 16:42 <DIR> d-------- C:\DOCUME~1\Roelof\APPLIC~1\Jasc
    2007-06-11 12:08 <DIR> d-------- C:\DOCUME~1\Roelof\Contacts
    2007-06-11 12:07 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
    2007-06-11 12:07 <DIR> d-------- C:\Program Files\MSN Messenger
    2007-06-11 11:41 <DIR> d-------- C:\PluginCommanderLight
    2007-06-10 21:53 <DIR> d-------- C:\Program Files\Lavasoft
    2007-06-10 21:53 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2007-06-10 21:53 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
    2007-06-10 20:17 <DIR> d-------- C:\Program Files\Jasc Software Inc
    2007-06-10 20:17 <DIR> d-------- C:\Program Files\Common Files\SWF Studio
    2007-06-10 20:17 <DIR> d-------- C:\DOCUME~1\Roelof\APPLIC~1\Jasc Software Inc
    2007-06-10 19:47 <DIR> d-------- C:\Program Files\FTDv3.7.3
    2007-06-10 19:34 <DIR> d-------- C:\Program Files\NewsLeecher
    2007-06-10 19:34 <DIR> d-------- C:\DOCUME~1\Roelof\Downloads
    2007-06-10 19:34 <DIR> d-------- C:\DOCUME~1\Roelof\APPLIC~1\NewsLeecher
    2007-06-10 19:04 <DIR> d-------- C:\WINDOWS\system32\Lang
    2007-06-10 16:18 <DIR> d-------- C:\Program Files\MSXML 4.0
    2007-06-10 16:13 17,920 --a------ C:\WINDOWS\system32\mdimon.dll
    2007-06-10 16:12 <DIR> d-------- C:\WINDOWS\SHELLNEW
    2007-06-10 16:12 <DIR> d-------- C:\Program Files\Microsoft.NET
    2007-06-10 16:09 <DIR> dr-h----- C:\MSOCache
    2007-06-10 15:58 502,368 --a------ C:\WINDOWS\system32\drivers\amon.sys
    2007-06-10 15:58 270,336 --a------ C:\WINDOWS\system32\imon.dll
    2007-06-10 15:52 157,184 -r------- C:\WINDOWS\system32\RtlCPAPI.dll
    2007-06-10 15:51 69,632 -r------- C:\WINDOWS\Alcmtr.exe
    2007-06-10 15:42 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
    2007-06-10 15:40 19,558 --a------ C:\WINDOWS\hpoins01.dat
    2007-06-10 15:40 16,606 --------- C:\WINDOWS\hpomdl01.dat
    2007-06-10 15:35 <DIR> d-------- C:\WINDOWS\system32\NtmsData
    2007-06-10 15:25 <DIR> d-------- C:\Program Files\Hewlett-Packard
    2007-06-10 15:25 <DIR> d-------- C:\Program Files\Common Files\Hewlett-Packard
    2007-06-10 15:24 <DIR> d-------- C:\temp\HP All-in-One Series Web Release
    2007-06-10 15:24 <DIR> d-------- C:\temp
    2007-06-10 15:09 <DIR> d-------- C:\DOCUME~1\Roelof\APPLIC~1\Corel
    2007-06-10 15:08 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Corel
    2007-06-10 15:07 88 -r-hs---- C:\WINDOWS\system32\6C0F48D5B7.sys
    2007-06-10 15:07 2,516 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
    2007-06-10 15:07 <DIR> d-------- C:\Program Files\Corel
    2007-06-10 15:03 <DIR> d-------- C:\DOCUME~1\Roelof\APPLIC~1\WinRAR
    2007-06-10 14:49 40,960 -r------- C:\WINDOWS\system32\ChCfg.exe
    2007-06-10 14:49 <DIR> d-------- C:\WINDOWS\system32\RTCOM
    2007-06-10 14:48 9,710,592 -r------- C:\WINDOWS\RTLCPL.exe
    2007-06-10 14:48 86,016 -r------- C:\WINDOWS\SoundMan.exe
    2007-06-10 14:48 82,944 --a------ C:\WINDOWS\system32\drivers\wdmaud.sys
    2007-06-10 14:48 7,552 --a------ C:\WINDOWS\system32\drivers\MSKSSRV.sys
    2007-06-10 14:48 60,800 --a------ C:\WINDOWS\system32\drivers\sysaudio.sys
    2007-06-10 14:48 60,288 --a------ C:\WINDOWS\system32\drivers\drmk.sys
    2007-06-10 14:48 6,400 --a------ C:\WINDOWS\system32\drivers\splitter.sys
    2007-06-10 14:48 54,272 --a------ C:\WINDOWS\system32\drivers\swmidi.sys
    2007-06-10 14:48 52,864 --a------ C:\WINDOWS\system32\drivers\DMusic.sys
    2007-06-10 14:48 5,376 --a------ C:\WINDOWS\system32\drivers\MSPCLOCK.sys
    2007-06-10 14:48 487,424 -r------- C:\WINDOWS\RtlExUpd.dll
    2007-06-10 14:48 4,992 --a------ C:\WINDOWS\system32\drivers\MSPQM.sys
    2007-06-10 14:48 4,096 --a------ C:\WINDOWS\system32\ksuser.dll
    2007-06-10 14:48 356,352 -r------- C:\WINDOWS\RtlUpd.exe
    2007-06-10 14:48 3,966,976 -r------- C:\WINDOWS\system32\drivers\RtkHDAud.Sys
    2007-06-10 14:48 2,944 --a------ C:\WINDOWS\system32\drivers\drmkaud.sys
    2007-06-10 14:48 2,807,808 -r------- C:\WINDOWS\alcwzrd.exe
    2007-06-10 14:48 2,142,208 -r------- C:\WINDOWS\MicCal.exe
    2007-06-10 14:48 172,416 --a------ C:\WINDOWS\system32\drivers\kmixer.sys
    2007-06-10 14:48 142,464 --a------ C:\WINDOWS\system32\drivers\aec.sys
    2007-06-10 14:48 14,854,144 -r------- C:\WINDOWS\RTHDCPL.exe
    2007-06-10 14:48 <DIR> d-------- C:\Program Files\Realtek
    2007-06-10 14:21 <DIR> d-------- C:\Program Files\xp-AntiSpy
    2007-06-10 14:17 70,144 -ra------ C:\WINDOWS\system32\drivers\Rtlnicxp.sys
    2007-06-10 14:16 <DIR> d-------- C:\WINDOWS\system32\URTTEMP
    2007-06-10 14:15 36,352 -ra------ C:\WINDOWS\system32\drivers\AmdK8.sys
    2007-06-10 14:15 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
    2007-06-10 14:15 <DIR> d-------- C:\Program Files\ATI Technologies
    2007-06-10 14:07 208,896 --a------ C:\WINDOWS\system32\nvudisp.exe
    2007-06-10 14:07 <DIR> d-------- C:\WINDOWS\nview
    2007-06-10 14:06 208,896 --a------ C:\WINDOWS\system32\NVUNINST.EXE


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2007-06-10 14:17:16 81,436 ----a-w C:\WINDOWS\system32\perfc013.dat
    2007-06-10 14:17:16 465,586 ----a-w C:\WINDOWS\system32\perfh013.dat
    2007-04-25 14:22:52 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
    2007-04-19 11:26:00 888,832 ----a-w C:\WINDOWS\system32\nvmobls.dll
    2007-04-19 11:26:00 86,016 ----a-w C:\WINDOWS\system32\nvmctray.dll
    2007-04-19 11:26:00 81,920 ----a-w C:\WINDOWS\system32\nvwddi.dll
    2007-04-19 11:26:00 794,624 ----a-w C:\WINDOWS\system32\nvcplui.exe
    2007-04-19 11:26:00 7,700,480 ----a-w C:\WINDOWS\system32\nvcpl.dll
    2007-04-19 11:26:00 581,632 ----a-w C:\WINDOWS\system32\nvhwvid.dll
    2007-04-19 11:26:00 5,644,288 ----a-w C:\WINDOWS\system32\nvoglnt.dll
    2007-04-19 11:26:00 5,619,712 ----a-w C:\WINDOWS\system32\nvdisps.dll
    2007-04-19 11:26:00 466,944 ----a-w C:\WINDOWS\system32\nvshell.dll
    2007-04-19 11:26:00 45,056 ----a-w C:\WINDOWS\system32\nvmccsrs.dll
    2007-04-19 11:26:00 442,368 ----a-w C:\WINDOWS\system32\nvappbar.exe
    2007-04-19 11:26:00 425,984 ----a-w C:\WINDOWS\system32\keystone.exe
    2007-04-19 11:26:00 4,543,616 ----a-w C:\WINDOWS\system32\nv4_disp.dll
    2007-04-19 11:26:00 35,840 ----a-w C:\WINDOWS\system32\nvcodins.dll
    2007-04-19 11:26:00 35,840 ----a-w C:\WINDOWS\system32\nvcod.dll
    2007-04-19 11:26:00 311,296 ----a-w C:\WINDOWS\system32\nvexpbar.dll
    2007-04-19 11:26:00 3,988,384 ----a-w C:\WINDOWS\system32\drivers\nv4_mini.sys
    2007-04-19 11:26:00 3,035,136 ----a-w C:\WINDOWS\system32\nvgames.dll
    2007-04-19 11:26:00 286,720 ----a-w C:\WINDOWS\system32\nvnt4cpl.dll
    2007-04-19 11:26:00 229,376 ----a-w C:\WINDOWS\system32\nvmccs.dll
    2007-04-19 11:26:00 212,992 ----a-w C:\WINDOWS\system32\nvapi.dll
    2007-04-19 11:26:00 2,924,544 ----a-w C:\WINDOWS\system32\nvvitvs.dll
    2007-04-19 11:26:00 188,416 ----a-w C:\WINDOWS\system32\nvmccss.dll
    2007-04-19 11:26:00 159,810 ----a-w C:\WINDOWS\system32\nvsvc32.exe
    2007-04-19 11:26:00 147,456 ----a-w C:\WINDOWS\system32\nvcolor.exe
    2007-04-19 11:26:00 1,703,936 ----a-w C:\WINDOWS\system32\nvwdmcpl.dll
    2007-04-19 11:26:00 1,626,112 ----a-w C:\WINDOWS\system32\nwiz.exe
    2007-04-19 11:26:00 1,474,560 ----a-w C:\WINDOWS\system32\nview.dll
    2007-04-19 11:26:00 1,339,392 ----a-w C:\WINDOWS\system32\nvdspsch.exe
    2007-04-19 11:26:00 1,236,992 ----a-w C:\WINDOWS\system32\nvwss.dll
    2007-04-19 11:26:00 1,019,904 ----a-w C:\WINDOWS\system32\nvwimg.dll
    2007-04-19 11:26:00 1,011,712 ----a-w C:\WINDOWS\system32\nvcpluir.dll
    2007-04-18 16:15:26 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
    2007-04-13 13:19:52 7,680 ----a-w C:\WINDOWS\system32\lsdelete.exe
    2007-03-17 13:45:54 293,376 ----a-w C:\WINDOWS\system32\winsrv.dll


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "nwiz"="nwiz.exe" [2007-04-19 13:26 C:\WINDOWS\system32\nwiz.exe]
    "High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 17:07 C:\WINDOWS\system32\HdAShCut.exe]
    "RTHDCPL"="RTHDCPL.EXE" [2005-09-22 07:36 C:\WINDOWS\RTHDCPL.exe]
    "nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-06-10 15:58]
    "muBlinder"="D:\muBlinder\muBlinder.exe" [2007-05-13 04:43]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 10:03]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "ClearRecentDocsOnExit"=1 (0x1)

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice]


    **************************************************************************

    catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-06-17 16:04:36
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes …

    scanning hidden autostart entries …

    scanning hidden files …

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Completion time: 2007-06-17 16:04:59
    C:\ComboFix2.txt … 2007-06-15 12:44

    -- E O F --


    HijackThis log after ComboFix:

    Logfile of Trend Micro HijackThis v2.0.0 (BETA)
    Scan saved at 16:06:47, on 17-6-2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\Program Files\Eset\nod32krn.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\PSIService.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Eset\nod32kui.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\MSN Messenger\usnsvc.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Hijack This\hijackthis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKLM\..\Run: [muBlinder] D:\muBlinder\muBlinder.exe -startup
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Lokale service')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Netwerkservice')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
    O4 - Global Startup: hpoddt01.exe.lnk = ?
    O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1181470017187
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://www.chat-united.com/controls/msnchat45.cab
    O22 - SharedTaskScheduler: Preloader van browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
    O22 - SharedTaskScheduler: Cache-daemon voor onderdeelcategorieën - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe


    End of file - 3388 bytes


    GMER log:

    GMER 1.0.12.12244 - http://www.gmer.net
    Rootkit scan 2007-06-17 16:22:34
    Windows 5.1.2600 Service Pack 2


    ---- Kernel code sections - GMER 1.0.12 ----

    ? C:\WINDOWS\System32\DRIVERS\update.sys
    ? C:\WINDOWS\system32\Drivers\PROCEXP90.SYS The system cannot find the file specified.

    ---- User code sections - GMER 1.0.12 ----

    .text C:\Program Files\MSN Messenger\msnmsgr.exe[2232] kernel32.dll!SetUnhandledExceptionFilter 7C84467D 5 Bytes JMP 004DE392 C:\Program Files\MSN Messenger\msnmsgr.exe

    ---- EOF - GMER 1.0.12 ----


    HijackThis log after GMER:

    Logfile of Trend Micro HijackThis v2.0.0 (BETA)
    Scan saved at 16:29:34, on 17-6-2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\Program Files\Eset\nod32krn.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\PSIService.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Eset\nod32kui.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\MSN Messenger\usnsvc.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Hijack This\hijackthis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKLM\..\Run: [muBlinder] D:\muBlinder\muBlinder.exe -startup
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Lokale service')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Netwerkservice')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
    O4 - Global Startup: hpoddt01.exe.lnk = ?
    O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1181470017187
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://www.chat-united.com/controls/msnchat45.cab
    O22 - SharedTaskScheduler: Preloader van browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
    O22 - SharedTaskScheduler: Cache-daemon voor onderdeelcategorieën - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe


    End of file - 3388 bytes


    I ran everything in normal mode of Windows XP.

    Regards,

    Roelof
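The review the helpers in this thread do by eye on the HijackThis logs above can be expressed as a script. The following is an added example, not code from the thread or from HijackThis: it parses the Rn/Onn entries of a HijackThis-format log and flags the items a reviewer would verify on disk before deciding anything: O4 Run values that name a bare filename (resolved through the process search path at logon, so the log alone does not say which file loads), autostarts outside the usual program directories, Global Startup shortcuts whose target HijackThis could not resolve ("= ?"), O16 ActiveX downloads from hosts outside an allowlist, and O23 services with no company name. The sample log is constructed here from the entry formats used in the thread; the trusted-host list and the directory prefixes are assumptions for the example, and a hit means "check this", not "this is malware".

```python
import re
from urllib.parse import urlparse

# Constructed sample in HijackThis v2.0 log format. The entry shapes mirror the
# logs in the thread and are embedded here so the script runs offline.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Eset\nod32kui.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [muBlinder] D:\muBlinder\muBlinder.exe -startup
O4 - Global Startup: hpoddt01.exe.lnk = ?
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1181470017187
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://www.chat-united.com/controls/msnchat45.cab
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
"""

# Assumptions for this example: the hosts ActiveX (O16 DPF) downloads are
# expected from, and the directories an autostart binary is normally under.
TRUSTED_DPF_HOSTS = ("update.microsoft.com", "download.microsoft.com")
STANDARD_DIRS = ("c:\\windows\\", "c:\\program files\\")

ENTRY_RE = re.compile(r"^(?P<code>O\d+|R\d) - (?P<body>.*)$")
RUN_RE = re.compile(r"Run: \[(?P<name>[^\]]+)\] (?P<value>.*)$")


def parse_entries(text):
    """Return the (code, body) pairs of every Rn/Onn line in a HijackThis log."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def run_target(value):
    """Executable named by an O4 Run value: the quoted path, else the first token."""
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value.split(" ", 1)[0]


def trusted_host(url):
    """True when the URL's host is, or is a subdomain of, an allowlisted host."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in TRUSTED_DPF_HOSTS)


def review(text):
    """Return a list of (code, reason, body) for entries worth verifying on disk."""
    findings = []
    for code, body in parse_entries(text):
        if code == "O4":
            m = RUN_RE.search(body)
            if m:
                target = run_target(m.group("value"))
                if "\\" not in target:
                    # Bare filename: Windows resolves it via the search path at
                    # logon, so the registry value alone does not identify the file.
                    findings.append((code, "bare filename, locate the file that actually loads", body))
                elif not target.lower().startswith(STANDARD_DIRS):
                    findings.append((code, "autostart outside standard program directories", body))
            elif body.startswith("Global Startup:") and body.endswith("= ?"):
                # HijackThis shows "?" when it could not resolve the shortcut target.
                findings.append((code, "startup shortcut with unresolved target", body))
        elif code == "O16" and not trusted_host(body.rsplit(" - ", 1)[-1]):
            findings.append((code, "ActiveX control downloaded from an unlisted host", body))
        elif code == "O23" and "Unknown owner" in body:
            findings.append((code, "service binary without a company name, verify signature/hash", body))
    return findings


if __name__ == "__main__":
    for code, reason, body in review(SAMPLE_LOG):
        print(f"{code}: {reason}\n    {body}")
```

On the constructed sample the script reports five items: the bare `nwiz.exe` value, the autostart on `D:`, the unresolved `hpoddt01.exe.lnk` shortcut, the chat-united.com ActiveX control and the ProtexisLicensing service. Each still needs the file checked on disk (publisher, signature, hash) before it is cleaned or cleared; the script only narrows down where to look.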
  • http://www.sysinternals.com/Utilities/RootkitRevealer.html

    Unzip the download and run the exe file, which will install the RootkitRevealer folder. Go into that folder and run RootkitRevealer.exe.

    The scan will take a little time. When it completes the scan, use 'File > Save' to save the RootkitReveal.txt log file.

    Send the contents of that text file back with your reply.
  • Hi Juisterr,

    I tried three times, but as soon as I press Save my computer locks up.

    On attempt 1 I found 25 discrepancies, and while saving a program called HJWQ.exe was running that swallowed everything.

    On attempt 2 it found 23 discrepancies, but this time it was a program called PEH.exe that locked everything up.

    On attempt 3 it found 26 discrepancies, but this time it was a program called VN.exe that locked everything up.

    Regards, and hopefully this is of some use to you.

    Roelof
