Question & Answer

Security & privacy

HijackThis log MSN virus

8 answers
  • Through a stupid mistake of mine (clicking on the link) during an MSN conversation, a lot of junk got put on my laptop. It was an MSN virus with the text: "Is that you on that picture?" followed by a link.

    I have already run anti-spyware and anti-virus programs several times, but I think there is still a lot on it.

    Here is a HijackThis log:

    Logfile of Trend Micro HijackThis v2.0.0 (BETA)
    Scan saved at 12:14:47, on 1-7-2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\ibmpmsvc.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\spoolsv.exe
    c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\HPZipm12.exe
    C:\WINDOWS\system32\PSIService.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\TPHDEXLG.EXE
    C:\WINDOWS\system32\TpKmpSVC.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
    C:\WINDOWS\system32\LVCOMSX.EXE
    C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Tracker Software\PDF-XChange 3\pdfSaver\pdfSaver3.exe
    C:\Program Files\Opera\Opera.exe
    D:\My Documents\HijackThis\HiJackThis_v2.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {386D91C0-635A-42D4-A714-E6C68F68A273} - (no file)
    O2 - BHO: (no name) - {49DDAB47-F068-486C-8F7E-EB03CB8F5A09} - (no file)
    O2 - BHO: (no name) - {52249FD1-48C7-4A22-A237-5911DA2194FD} - (no file)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {5ADF3862-9E2E-4ad3-86F7-4510E6550CD0} - C:\WINDOWS\system32\fdpnspdk.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O2 - BHO: (no name) - {7E192CC1-1A88-441B-860E-8B6B86BABF52} - (no file)
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: (no name) - {BBB21881-FD3A-4CE1-B3BC-310CF45FEAC3} - (no file)
    O2 - BHO: (no name) - {BF77CA7D-35C1-4F06-B1E7-9B6D5D0EB724} - (no file)
    O2 - BHO: (no name) - {C47A9554-195A-4769-9B13-04F15B450A39} - (no file)
    O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
    O4 - HKLM\..\Run: [LogitechVideo[inspector]] C:\Program Files\Logitech\Video\InstallHelper.exe /inspect
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
    O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\system32\vtfqwvgy.dll",realset
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [pdfSaver3] "C:\Program Files\Tracker Software\PDF-XChange 3\pdfSaver\pdfSaver3.exe"
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O8 - Extra context menu item: Add to AMV Convert Tool… - C:\Program Files\MP3 Player Utilities 3.79\AMVConverter\grab.html
    O8 - Extra context menu item: Add to Media Manager… - C:\Program Files\MP3 Player Utilities 3.79\MediaManager\grab.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\Lenovo\PkgMgr\PkgMgr.exe
    O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\s060366\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O15 - Trusted Zone: *.tue.nl
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1151909746906
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1151909978546
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
    O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = campus.tue.nl
    O17 - HKLM\Software\..\Telephony: DomainName = campus.tue.nl
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = campus.tue.nl
    O18 - Filter: text/xml; charset=iso-8859-1 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
    O18 - Filter: text/xml; charset=utf-8 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: ACU Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE
    O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe


    End of file - 8547 bytes

    Can anyone help me?

    Thanks in advance,

    Leroy
  • Hello,

    You had better remove MSN for now, as it is infected too.


    Download Combofix to your Desktop.
    Double-click Combofix.exe
    Follow the instructions; accept the disclaimer by typing 1 (continue).
    While the fix is running, do NOT click in the window, as this will make your PC hang.
    When the fix has finished and after the restart, the log combofix.txt will open.
    Post that log in your next reply together with a new HijackThis log.

    Note: if your virus scanner reacts with a message about a script being executed, you may ignore it.

    Start HijackThis and choose 'Do a system scan only'
    Select only the items listed below:
    O2 - BHO: (no name) - {386D91C0-635A-42D4-A714-E6C68F68A273} - (no file)
    O2 - BHO: (no name) - {49DDAB47-F068-486C-8F7E-EB03CB8F5A09} - (no file)
    O2 - BHO: (no name) - {52249FD1-48C7-4A22-A237-5911DA2194FD} - (no file)
    O2 - BHO: (no name) - {7E192CC1-1A88-441B-860E-8B6B86BABF52} - (no file)
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: (no name) - {BBB21881-FD3A-4CE1-B3BC-310CF45FEAC3} - (no file)
    O2 - BHO: (no name) - {BF77CA7D-35C1-4F06-B1E7-9B6D5D0EB724} - (no file)
    O2 - BHO: (no name) - {C47A9554-195A-4769-9B13-04F15B450A39} - (no file)
    Close all windows except HijackThis
    Click 'Fix checked' to remove the items.

    Restart and post the ComboFix result and a new HJT log, please.
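As an added example that is not part of this thread and not HijackThis's own code, a small Python triage script for the log format shown above: it parses the `Oxx - ` entry lines and flags the orphaned O2 BHOs the helper selected, unnamed BHOs loaded from system32, and O4 Run entries that start a DLL through rundll32.exe. The sample lines are copied from Leroy's first log; every function name is my own.

```python
"""HijackThis log triage (added example, not from the thread or from HijackThis).

Parses the 'Oxx - ' / 'Rx - ' entries of a HijackThis log and flags three
patterns visible in the first log of this thread:
  * O2 BHO entries whose DLL is gone ('(no file)'): the registrations the
    helper told Leroy to 'Fix checked';
  * O2 BHO entries with '(no name)' whose DLL lives in system32 (fdpnspdk.dll,
    which ComboFix later removed);
  * O4 Run entries that load a DLL via rundll32.exe (the '[GPLv3]' entry with
    vtfqwvgy.dll, also removed by ComboFix).
Nothing is deleted; the result is a list of entries to look at.
"""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the first HijackThis log in this thread.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {386D91C0-635A-42D4-A714-E6C68F68A273} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5ADF3862-9E2E-4ad3-86F7-4510E6550CD0} - C:\WINDOWS\system32\fdpnspdk.dll
O2 - BHO: (no name) - {C47A9554-195A-4769-9B13-04F15B450A39} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\system32\vtfqwvgy.dll",realset
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
"""


@dataclass(frozen=True)
class Entry:
    section: str  # e.g. "O2", "O4", "R0"
    body: str     # everything after the "Oxx - " prefix


# Entry lines start with a section code; header and "Running processes" lines do not.
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.+)$")
# O2 body: "BHO: <name> - {CLSID} - <path or (no file)>"
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
# O4 body: "<hive>\..\Run: [<value name>] <command line>"
RUN_RE = re.compile(r"^(?P<hive>.+?)\\\.\.\\Run: \[(?P<name>.*?)\] (?P<cmd>.*)$")
# Command line of the form: rundll32.exe "<dll>",<export>  (quotes optional)
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?)"?\s*,', re.IGNORECASE)


def parse_entries(log_text: str) -> list[Entry]:
    """Return the entry lines of a HijackThis log; everything else is skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m["section"], m["body"]))
    return entries


def bho_entries(entries: list[Entry]) -> list[tuple[str, str, str]]:
    """(name, clsid, path) for every O2 entry that parses as a BHO line."""
    out = []
    for e in entries:
        if e.section == "O2":
            m = BHO_RE.match(e.body)
            if m:
                out.append((m["name"], m["clsid"], m["path"]))
    return out


def orphaned_bhos(entries: list[Entry]) -> list[str]:
    """CLSIDs of BHO registrations whose DLL is gone: the 'Fix checked' candidates."""
    return [clsid for _, clsid, path in bho_entries(entries) if path == "(no file)"]


def unnamed_system32_bhos(entries: list[Entry]) -> list[tuple[str, str]]:
    """Unnamed BHOs whose DLL sits directly in system32.

    '(no name)' alone is not a signal (Spybot's SDHelper.dll shows it too);
    an unnamed BHO dropped into system32 is what deserves a closer look.
    """
    return [(clsid, path) for name, clsid, path in bho_entries(entries)
            if name == "(no name)" and "\\windows\\system32\\" in path.lower()]


def rundll32_run_entries(entries: list[Entry]) -> list[tuple[str, str]]:
    """(run-key value name, DLL path) for O4 entries that start a DLL via rundll32."""
    out = []
    for e in entries:
        if e.section != "O4":
            continue
        m = RUN_RE.match(e.body)
        if not m:
            continue
        d = RUNDLL_RE.match(m["cmd"])
        if d:
            out.append((m["name"], d["dll"]))
    return out


def triage(log_text: str) -> dict[str, list]:
    """Run all three checks over a log and group the hits by check."""
    entries = parse_entries(log_text)
    return {
        "orphaned_bhos": orphaned_bhos(entries),
        "unnamed_system32_bhos": unnamed_system32_bhos(entries),
        "rundll32_run_entries": rundll32_run_entries(entries),
    }


if __name__ == "__main__":
    for label, hits in triage(SAMPLE_LOG).items():
        print(f"{label}:")
        for hit in hits:
            print("   ", hit)
```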
  • Thanks for your reply. I had already removed and reinstalled MSN right after the infection. I also notice that it is hard to get rid of smitfraud-c.toolbar88. Here is the ComboFix log:

    "s060366" - 2007-07-02 9:11:43 - ComboFix 07-06-27.7 - Service Pack 2 NTFS


    (((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


    C:\WINDOWS\system32\fdpnspdk.dll
    C:\WINDOWS\system32\ronddpdo.dll
    C:\WINDOWS\system32\vtfqwvgy.dll
    C:\WINDOWS\system32\ygvwqftv.ini


    * * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\WINDOWS\system32\drivers\sfsync02.sys


    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


    ——-\LEGACY_NM
    ——-\LEGACY_SFSYNC02
    ——-\nm
    ——-\sfsync02


    ((((((((((((((((((((((((( Files Created from 2007-06-02 to 2007-07-02 )))))))))))))))))))))))))))))))


    2007-07-02 09:13 0 –a—— C:\WINDOWS\system32\sfsync02.dll
    2007-07-02 09:11 49,152 –a—— C:\WINDOWS\nircmd.exe
    2007-07-01 17:25 <DIR> d——– C:\Program Files\Roguescanfix
    2007-07-01 17:16 <DIR> d——– C:\WINDOWS\system32\RVAXO
    2007-07-01 13:52 <DIR> d——– C:\Program Files\Picasa2
    2007-06-26 13:54 <DIR> d——– C:\Program Files\StepMania
    2007-06-21 00:08 3,426,072 –a—— C:\WINDOWS\system32\d3dx9_32.dll
    2007-06-21 00:08 251,672 –a—— C:\WINDOWS\system32\xactengine2_5.dll
    2007-06-21 00:08 <DIR> dr-h—– C:\DOCUME~1\s060366\APPLIC~1\SecuROM
    2007-06-21 00:03 <DIR> d——– C:\Program Files\Tomb Raider - Anniversary
    2007-06-19 19:04 <DIR> d——– C:\DOCUME~1\s060366\APPLIC~1\.purple
    2007-06-19 19:03 <DIR> d——– C:\Program Files\Common Files\GTK
    2007-06-18 14:00 <DIR> d——– C:\WINDOWS\system32\recover
    2007-06-15 13:08 <DIR> d——– C:\DOCUME~1\s060366\APPLIC~1\Skype
    2007-06-15 13:07 <DIR> d——– C:\DOCUME~1\ALLUSE~1\APPLIC~1\Skype
    2007-06-14 09:16 <DIR> d——– C:\Program Files\gs
    2007-06-14 09:16 <DIR> d——– C:\Program Files\Ghostgum
    2007-06-14 09:15 <DIR> d——– C:\Program Files\WinEdt Team
    2007-06-14 09:12 <DIR> d——– C:\DOCUME~1\ALLUSE~1\APPLIC~1\MiKTeX
    2007-06-14 09:09 <DIR> d——– C:\Program Files\MiKTeX 2.5
    2007-06-11 08:26 125,504 –a—— C:\WINDOWS\system32\wkykrelt.dll
    2007-06-11 08:23 2,624 –a—— C:\WINDOWS\system32\qwonqmsd.exe
    2007-06-08 16:20 <DIR> d——– C:\DOCUME~1\s060366\Contacts
    2007-06-08 16:08 147,456 –a—— C:\WINDOWS\spee.exe


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2007-07-02 07:14:30 12 —-a-w C:\WINDOWS\bthservsdp.dat
    2007-06-20 22:08:29 108,144 —-a-w C:\WINDOWS\system32\CmdLineExt.dll
    2007-06-19 17:08:25 ——– d—–w C:\DOCUME~1\s060366\APPLIC~1\.purple
    2007-06-19 16:44:16 ——– d—–w C:\Program Files\Corel
    2007-06-19 16:44:16 ——– d—–w C:\Program Files\Common Files\Corel
    2007-06-16 15:02:56 ——– d—–w C:\Program Files\Mozilla Thunderbird
    2007-06-15 10:39:07 ——– d—–w C:\Program Files\plugins
    2007-06-15 10:36:46 ——– d—–w C:\Program Files\Opera
    2007-06-14 14:17:01 ——– d—–w C:\DOCUME~1\s060366\APPLIC~1\WinEdt
    2007-06-12 12:45:56 ——– d—–w C:\DOCUME~1\s060366\APPLIC~1\Corel
    2007-06-12 12:35:04 1,056 –sha-w C:\WINDOWS\system32\KGyGaAvL.sys
    2007-06-08 14:18:39 ——– d—–w C:\Program Files\MSN Messenger
    2007-05-29 06:10:47 ——– d—–w C:\Program Files\Google
    2007-05-28 11:56:20 ——– d—–w C:\Program Files\Common Files\Synacast
    2007-05-28 11:56:03 ——– d—–w C:\DOCUME~1\s060366\APPLIC~1\ppstream
    2007-05-21 13:28:25 ——– d—–w C:\DOCUME~1\s060366\APPLIC~1\uTorrent
    2007-05-16 15:12:02 683,520 —-a-w C:\WINDOWS\system32\inetcomm.dll
    2007-05-16 10:29:39 ——– d—–w C:\Program Files\Darts Score
    2007-05-14 14:59:18 ——– d—–w C:\DOCUME~1\s060366\APPLIC~1\PlayFirst
    2007-05-14 14:58:34 ——– d—–w C:\Program Files\ReflexiveArcade
    2007-05-10 13:18:21 ——– d—–w C:\Program Files\Microsoft CAPICOM 2.1.0.2
    2007-05-08 09:12:41 ——– d—–w C:\DOCUME~1\s060366\APPLIC~1\GameHouse
    2007-04-25 14:21:15 144,896 —-a-w C:\WINDOWS\system32\schannel.dll
    2007-04-18 16:12:23 2,854,400 —-a-w C:\WINDOWS\system32\msi.dll
    2007-04-16 20:47:36 33,624 —-a-w C:\WINDOWS\system32\wups.dll
    2007-04-16 20:45:54 1,710,936 —-a-w C:\WINDOWS\system32\wuaueng.dll
    2007-04-16 20:45:48 549,720 —-a-w C:\WINDOWS\system32\wuapi.dll
    2007-04-16 20:45:42 325,976 —-a-w C:\WINDOWS\system32\wucltui.dll
    2007-04-16 20:45:36 203,096 —-a-w C:\WINDOWS\system32\wuweb.dll
    2007-04-16 20:45:28 92,504 —-a-w C:\WINDOWS\system32\cdm.dll
    2007-04-16 20:45:20 53,080 —-a-w C:\WINDOWS\system32\wuauclt.exe
    2007-04-16 20:45:20 43,352 —-a-w C:\WINDOWS\system32\wups2.dll
    2007-04-16 20:44:20 271,224 —-a-w C:\WINDOWS\system32\mucltui.dll
    2007-04-16 20:44:18 208,248 —-a-w C:\WINDOWS\system32\muweb.dll


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
    {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx [2001-04-16 16:39]
    {53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 02:04]
    {5CA3D70E-1895-11CF-8E15-001234567890}=C:\WINDOWS\System32\DLA\DLASHX_W.DLL [2005-08-01 05:10]
    {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "LogitechVideo[inspector]"="C:\Program Files\Logitech\Video\InstallHelper.exe" [2005-12-07 11:33]
    "ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" []
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
    "Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-06-16 01:15]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 14:00]
    "pdfSaver3"="C:\Program Files\Tracker Software\PDF-XChange 3\pdfSaver\pdfSaver3.exe" [2004-09-05 18:20]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "disablecad"=0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
    notifyf2.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
    tphklock.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
    "LogitechCameraAssistant"=C:\Program Files\Logitech\Video\CameraAssistant.exe
    "LogitechCameraService(E)"=C:\WINDOWS\system32\ElkCtrl.exe /automation
    "BluetoothAuthenticationAgent"=rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    "HP Software Update"=C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    "QuickTime Task"="C:\Program Files\K-Lite Codec Pack\QuickTime\qttask.exe" -atboottime

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    bthsvcs BthServ


    Contents of the 'Scheduled Tasks' folder
    2007-07-01 15:34:00 C:\WINDOWS\tasks\AppleSoftwareUpdate.job

    **************************************************************************

    catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-07-02 09:15:53
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes …

    scanning hidden autostart entries …

    scanning hidden files …

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\BTHPORT\Parameters\Services\{00001000-0000-1000-8000-00805f9b34fb}]


    [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\BTHPORT\Parameters\Services\{00001105-0000-1000-8000-00805f9b34fb}]


    [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\BTHPORT\Parameters\Services\{00001115-0000-1000-8000-00805f9b34fb}]


    Completion time: 2007-07-02 9:16:46 - machine was rebooted
    C:\ComboFix-quarantined-files.txt … 2007-07-02 09:16

    — E O F —

    And here is the HijackThis log:

    Logfile of Trend Micro HijackThis v2.0.0 (BETA)
    Scan saved at 09:26, on 2007-07-02
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\ibmpmsvc.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\spoolsv.exe
    c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\HPZipm12.exe
    C:\WINDOWS\system32\PSIService.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\TPHDEXLG.EXE
    C:\WINDOWS\system32\TpKmpSVC.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
    C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
    C:\Program Files\Picasa2\PicasaMediaDetector.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Tracker Software\PDF-XChange 3\pdfSaver\pdfSaver3.exe
    C:\Program Files\Opera\Opera.exe
    D:\My Documents\HijackThis\HiJackThis_v2.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O4 - HKLM\..\Run: [LogitechVideo[inspector]] C:\Program Files\Logitech\Video\InstallHelper.exe /inspect
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
    O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [pdfSaver3] "C:\Program Files\Tracker Software\PDF-XChange 3\pdfSaver\pdfSaver3.exe"
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O8 - Extra context menu item: Add to AMV Convert Tool… - C:\Program Files\MP3 Player Utilities 3.79\AMVConverter\grab.html
    O8 - Extra context menu item: Add to Media Manager… - C:\Program Files\MP3 Player Utilities 3.79\MediaManager\grab.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\Lenovo\PkgMgr\PkgMgr.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O15 - Trusted Zone: *.tue.nl
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1151909746906
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1151909978546
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
    O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = campus.tue.nl
    O17 - HKLM\Software\..\Telephony: DomainName = campus.tue.nl
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = campus.tue.nl
    O18 - Filter: text/xml; charset=iso-8859-1 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
    O18 - Filter: text/xml; charset=utf-8 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: ACU Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE
    O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe


    End of file - 7870 bytes

    regards,

    Leroy
  • Open Notepad, copy and paste the following (the bold, blue text) into an empty window:
    File::
    C:\WINDOWS\system32\sfsync02.dll
    C:\WINDOWS\system32\wkykrelt.dll
    C:\WINDOWS\system32\qwonqmsd.exe


    Save this on your Desktop as ComboFix-Do.txt.

    Drag ComboFix-Do.txt onto ComboFix.exe as shown in the example below:

    http://img.photobucket.com/albums/v666/sUBs/Combo-Do.gif

    This will make ComboFix restart.
    Restart when asked to,
    and post the contents of Combofix.txt in your next reply.



    Start HijackThis and choose 'Do a system scan only'
    Select only the items listed below:
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    Click 'Fix checked' to remove the items.

    Download: RemoveVideoActiveXObject.exe
    Save the file to your desktop, then double-click it.
    The uninstaller of a rogue scanner may start up; do not close it but let it do its work.

    Then restart the PC and double-click RemoveVideoActiveXObject.exe again.
    Then post the log C:\RVAXO-results.log in your next message together with a new HijackThis log.
  • I let ComboFix do its work; here is the log:

    "s060366" - 2007-07-02 16:12:48 - ComboFix 07-06-27.7 - Service Pack 2 NTFS
    Command switches used :: C:\Documents and Settings\s060366\Desktop\ComboFix-Do.txt


    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\WINDOWS\system32\qwonqmsd.exe
    C:\WINDOWS\system32\sfsync02.dll
    C:\WINDOWS\system32\wkykrelt.dll


    ((((((((((((((((((((((((( Files Created from 2007-06-02 to 2007-07-02 )))))))))))))))))))))))))))))))


    2007-07-02 09:11 49,152 –a—— C:\WINDOWS\nircmd.exe
    2007-07-01 17:25 <DIR> d——– C:\Program Files\Roguescanfix
    2007-07-01 17:16 <DIR> d——– C:\WINDOWS\system32\RVAXO
    2007-07-01 13:52 <DIR> d——– C:\Program Files\Picasa2
    2007-06-26 13:54 <DIR> d——– C:\Program Files\StepMania
    2007-06-21 00:08 3,426,072 –a—— C:\WINDOWS\system32\d3dx9_32.dll
    2007-06-21 00:08 251,672 –a—— C:\WINDOWS\system32\xactengine2_5.dll
    2007-06-21 00:08 <DIR> dr-h—– C:\DOCUME~1\s060366\APPLIC~1\SecuROM
    2007-06-21 00:03 <DIR> d——– C:\Program Files\Tomb Raider - Anniversary
    2007-06-19 19:04 <DIR> d——– C:\DOCUME~1\s060366\APPLIC~1\.purple
    2007-06-19 19:03 <DIR> d——– C:\Program Files\Common Files\GTK
    2007-06-18 14:00 <DIR> d——– C:\WINDOWS\system32\recover
    2007-06-15 13:08 <DIR> d——– C:\DOCUME~1\s060366\APPLIC~1\Skype
    2007-06-15 13:07 <DIR> d——– C:\DOCUME~1\ALLUSE~1\APPLIC~1\Skype
    2007-06-14 09:16 <DIR> d——– C:\Program Files\gs
    2007-06-14 09:16 <DIR> d——– C:\Program Files\Ghostgum
    2007-06-14 09:15 <DIR> d——– C:\Program Files\WinEdt Team
    2007-06-14 09:12 <DIR> d——– C:\DOCUME~1\ALLUSE~1\APPLIC~1\MiKTeX
    2007-06-14 09:09 <DIR> d——– C:\Program Files\MiKTeX 2.5
    2007-06-08 16:20 <DIR> d——– C:\DOCUME~1\s060366\Contacts
    2007-06-08 16:08 147,456 –a—— C:\WINDOWS\spee.exe


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2007-07-02 07:14:30 12 ----a-w C:\WINDOWS\bthservsdp.dat
    2007-06-20 22:08:29 108,144 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
    2007-06-19 17:08:25 -------- d-----w C:\DOCUME~1\s060366\APPLIC~1\.purple
    2007-06-19 16:44:16 -------- d-----w C:\Program Files\Corel
    2007-06-19 16:44:16 -------- d-----w C:\Program Files\Common Files\Corel
    2007-06-16 15:02:56 -------- d-----w C:\Program Files\Mozilla Thunderbird
    2007-06-15 10:39:07 -------- d-----w C:\Program Files\plugins
    2007-06-15 10:36:46 -------- d-----w C:\Program Files\Opera
    2007-06-14 14:17:01 -------- d-----w C:\DOCUME~1\s060366\APPLIC~1\WinEdt
    2007-06-12 12:45:56 -------- d-----w C:\DOCUME~1\s060366\APPLIC~1\Corel
    2007-06-12 12:35:04 1,056 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
    2007-06-08 14:18:39 -------- d-----w C:\Program Files\MSN Messenger
    2007-05-29 06:10:47 -------- d-----w C:\Program Files\Google
    2007-05-28 11:56:20 -------- d-----w C:\Program Files\Common Files\Synacast
    2007-05-28 11:56:03 -------- d-----w C:\DOCUME~1\s060366\APPLIC~1\ppstream
    2007-05-21 13:28:25 -------- d-----w C:\DOCUME~1\s060366\APPLIC~1\uTorrent
    2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
    2007-05-16 10:29:39 -------- d-----w C:\Program Files\Darts Score
    2007-05-14 14:59:18 -------- d-----w C:\DOCUME~1\s060366\APPLIC~1\PlayFirst
    2007-05-14 14:58:34 -------- d-----w C:\Program Files\ReflexiveArcade
    2007-05-10 13:18:21 -------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
    2007-05-08 09:12:41 -------- d-----w C:\DOCUME~1\s060366\APPLIC~1\GameHouse
    2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
    2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
    2007-04-16 20:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
    2007-04-16 20:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
    2007-04-16 20:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
    2007-04-16 20:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
    2007-04-16 20:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
    2007-04-16 20:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
    2007-04-16 20:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
    2007-04-16 20:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
    2007-04-16 20:44:20 271,224 ----a-w C:\WINDOWS\system32\mucltui.dll
    2007-04-16 20:44:18 208,248 ----a-w C:\WINDOWS\system32\muweb.dll


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
    {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx [2001-04-16 16:39]
    {53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 02:04]
    {5CA3D70E-1895-11CF-8E15-001234567890}=C:\WINDOWS\System32\DLA\DLASHX_W.DLL [2005-08-01 05:10]
    {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "LogitechVideo[inspector]"="C:\Program Files\Logitech\Video\InstallHelper.exe" [2005-12-07 11:33]
    "ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" []
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
    "Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-06-16 01:15]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 14:00]
    "pdfSaver3"="C:\Program Files\Tracker Software\PDF-XChange 3\pdfSaver\pdfSaver3.exe" [2004-09-05 18:20]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "disablecad"=0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
    notifyf2.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
    tphklock.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
    "LogitechCameraAssistant"=C:\Program Files\Logitech\Video\CameraAssistant.exe
    "LogitechCameraService(E)"=C:\WINDOWS\system32\ElkCtrl.exe /automation
    "BluetoothAuthenticationAgent"=rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    "HP Software Update"=C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    "QuickTime Task"="C:\Program Files\K-Lite Codec Pack\QuickTime\qttask.exe" -atboottime

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    bthsvcs BthServ


    Contents of the 'Scheduled Tasks' folder
    2007-07-01 15:34:00 C:\WINDOWS\tasks\AppleSoftwareUpdate.job

    **************************************************************************

    catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-07-02 16:14:06
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes …

    scanning hidden autostart entries …

    scanning hidden files …

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\BTHPORT\Parameters\Services\{00001000-0000-1000-8000-00805f9b34fb}]


    [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\BTHPORT\Parameters\Services\{00001105-0000-1000-8000-00805f9b34fb}]


    [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\BTHPORT\Parameters\Services\{00001115-0000-1000-8000-00805f9b34fb}]


    Completion time: 2007-07-02 16:14:37
    C:\ComboFix-quarantined-files.txt … 2007-07-02 16:14
    C:\ComboFix2.txt … 2007-07-02 09:16

    — E O F —


    Next, the new HJT log:

    Logfile of Trend Micro HijackThis v2.0.0 (BETA)
    Scan saved at 16:15, on 2007-07-02
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\ibmpmsvc.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\spoolsv.exe
    c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\HPZipm12.exe
    C:\WINDOWS\system32\PSIService.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\TPHDEXLG.EXE
    C:\WINDOWS\system32\TpKmpSVC.exe
    C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
    C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
    C:\Program Files\Picasa2\PicasaMediaDetector.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Tracker Software\PDF-XChange 3\pdfSaver\pdfSaver3.exe
    C:\Program Files\Adobe\Acrobat 5.0\Reader\AcroRd32.exe
    C:\Program Files\Opera\Opera.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    D:\My Documents\HijackThis\HiJackThis_v2.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O4 - HKLM\..\Run: [LogitechVideo[inspector]] C:\Program Files\Logitech\Video\InstallHelper.exe /inspect
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
    O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [pdfSaver3] "C:\Program Files\Tracker Software\PDF-XChange 3\pdfSaver\pdfSaver3.exe"
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O8 - Extra context menu item: Add to AMV Convert Tool… - C:\Program Files\MP3 Player Utilities 3.79\AMVConverter\grab.html
    O8 - Extra context menu item: Add to Media Manager… - C:\Program Files\MP3 Player Utilities 3.79\MediaManager\grab.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\Lenovo\PkgMgr\PkgMgr.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O15 - Trusted Zone: *.tue.nl
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1151909746906
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1151909978546
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
    O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = campus.tue.nl
    O17 - HKLM\Software\..\Telephony: DomainName = campus.tue.nl
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = campus.tue.nl
    O18 - Filter: text/xml; charset=iso-8859-1 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
    O18 - Filter: text/xml; charset=utf-8 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: ACU Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE
    O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe


    End of file - 7881 bytes


    And finally the RVAXO log:

    ----------------RemoveVideoActiveXObject.exe first run-------------

    Files found:

    C:\WINDOWS\d3dx.dat

    Uninstallers Rogue scanners:


    Folders Found:


    --------------RemoveVideoActiveXObject.exe last run---------------

    Files found:


    Uninstallers Rogue scanners:


    Folders Found:


    Regards,

    Leroy
  • Now delete these two folders
    C:\Program Files\Roguescanfix
    C:\WINDOWS\system32\RVAXO

    reboot and let me know how it goes.
  • I have deleted the folders. I didn't actually notice much of the junk because I use Opera instead of Internet Explorer. I am now going to use Internet Explorer for a while to see whether I still get anti-spyware pop-ups. Spybot Search & Destroy no longer finds smitfraud-c toolbar88 either, so I think it helped.

    Thanks for the help, and I won't make this stupid mistake again :wink:

    Regards,

    Leroy
  • To prevent re-infection via System Restore, it is advisable to remove the existing restore points by temporarily disabling System Restore.


    - Go to Start/All Programs/Accessories/System Tools/System Restore.
    - In the left half of the window, click "System Restore Settings".
    - Tick the box "Turn off System Restore".
    - Click "Apply".
    - Windows asks whether you are sure.
    - Click "Yes".
    - Click "OK".
    - Restart the PC.
    - Go again to Start/All Programs/Accessories/System Tools/System Restore.
    - You get the message: "System Restore has been turned off. Do you want to turn on System Restore now?"
    - Click "Yes".
    - Untick the box "Turn off System Restore".
    - Click "Apply".
    - Click "OK".
    - Restart the PC.
    - A new, clean restore point has now been created.

    Here are a few more tips.

This is an archived page. Replying is no longer possible.