Question & Answer

Security & privacy

gidvnprs.dll

28 answers
  • Had quite a few problems recently. Had to reinstall the computer several times, etc. Latest big problem: malware such as Vundo, ErrorSafe and a downloader, which kept coming back regularly but were detected by Norton. After using HitmanPro among other things, my computer now seems free of this junk. At least they no longer show up. One small problem remains. At startup I get the message that the file gidvnprs.dll cannot be found and therefore cannot be started. I have searched for the name of this file but cannot find it anywhere. Tried to remove it from the registry, both manually and with CCleaner, but it keeps coming back. Does anyone have an idea how I can solve this last little problem too? Thanks in advance, Peter
  • Take a look with StartupCPL. http://www.mlin.net/StartupCPL.shtml
  • > Take a look with StartupCPL. http://www.mlin.net/StartupCPL.shtml

    Thanks for the tip. Unfortunately this doesn't work. Almost immediately after I remove or disable the entry, it is back in again. By the way, it concerns the following entry:

    > rundll32.exe "C:\WINDOWS\system32\gidvnprs.dll",sitypnow
  • Then something else is still active. I think it's best if you post a HijackThis log.
  • Here is the HijackThis log file. Suggestions are very welcome!

    Logfile of HijackThis v1.99.1
    Scan saved at 19:15:23, on 8-8-2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16473)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\RVS\WCOM\SYSTEM\RVSINST.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\WINDOWS\System32\keyhook.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\Program Files\Norton Password Manager\AcctMgr.exe
    C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
    C:\Program Files\RVS\WCOM\SYSTEM\RVSCC.EXE
    C:\WINDOWS\system32\sistray.exe
    C:\Program Files\palmOne\HOTSYNC.EXE
    C:\Program Files\RVS\WCOM\SYSTEM\ccui.exe
    C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    H:\Programma's\NU.nl Nieuwslezer\nunwslzr.exe
    C:\PROGRA~1\RVS\WCOM\SYSTEM\ADBSERV.EXE
    C:\Program Files\RVS\WCOM\SYSTEM\RVSRmd.exe
    C:\Program Files\RVS\WCOM\SYSTEM\CCSRV.EXE
    C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
    C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    H:\Downloads\hijackthis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.petersantbergen.tk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    O2 - BHO: Adobe PDF Reader Help bij koppelingen - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {ACAC634E-01B0-4355-82E4-3CF94474CE17} - C:\WINDOWS\system32\ddcca.dll
    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: (no name) - {C6039E6C-BDE9-4de5-BB40-768CAA584FDC} - C:\WINDOWS\system32\ilbqxqtj.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\System32\keyhook.exe
    O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton Password Manager\AcctMgr.exe /startup
    O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
    O4 - HKLM\..\Run: [UniPrint] C:\Program Files\UniPrint\Client\SetDfltSettings.exe
    O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [MemoryManager] rundll32.exe "C:\WINDOWS\system32\gidvnprs.dll",sitypnow
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe"
    O4 - HKCU\..\RunOnce: [CommCenter] "C:\Program Files\RVS\WCOM\SYSTEM\ccui.exe"
    O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
    O4 - Global Startup: NU.nl Nieuwslezer.lnk = H:\Programma's\NU.nl Nieuwslezer\nunwslzr.exe
    O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
    O8 - Extra context menu item: Converteren naar Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Geselecteerde koppelingen converteren naar Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Geselecteerde koppelingen converteren naar bestaand PDF-bestand - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Koppelingdoel converteren naar Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Koppelingdoel converteren naar bestaand PDF-bestand - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Selectie converteren naar Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Selectie converteren naar bestaand PDF-bestand - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Toevoegen aan bestaand PDF-bestand - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O20 - Winlogon Notify: ddcca - C:\WINDOWS\system32\ddcca.dll
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    O23 - Service: RVS CommCenter (RvsCC) - Living Byte Software GmbH, Munchen - C:\Program Files\RVS\WCOM\SYSTEM\RVSCC.EXE
    O23 - Service: RvscomSv - Living Byte Software GmbH, Munchen - C:\Program Files\RVS\WCOM\SYSTEM\RVSCOMSV.EXE
    O23 - Service: RVS Installer (RVSINST) - Living Byte Software GmbH, Munchen - C:\Program Files\RVS\WCOM\SYSTEM\RVSINST.EXE
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
  • Wait for a specialist, but I think I can already see a Vundo infection. http://www.spywaredata.com/spyware/malware/ddcca.dll.php I don't trust this one either: ilbqxqtj.dll
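An added example, not part of this thread and not code from HijackThis or ComboFix: a small Python triage script that parses the three load-point types the helpers are reading here (O2 browser helper objects, O4 Run entries that go through rundll32, and O20 Winlogon Notify handlers) and flags the patterns they point at: an unnamed BHO or a Notify handler whose DLL has a short, all-lowercase, random-looking name, a rundll32 autorun of such a DLL, an entry whose file is gone, and the same DLL registered at more than one load point (ddcca.dll as both a BHO and a Winlogon Notify handler). The sample lines are copied from the log above; the name heuristic and the `ALLOWED_STEMS` allow-list are assumptions made for this example, and the output is a list of entries to review, not a verdict.

```python
import re
from collections import defaultdict

# Constructed sample input: entries copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Help bij koppelingen - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {ACAC634E-01B0-4355-82E4-3CF94474CE17} - C:\WINDOWS\system32\ddcca.dll
O2 - BHO: (no name) - {C6039E6C-BDE9-4de5-BB40-768CAA584FDC} - C:\WINDOWS\system32\ilbqxqtj.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [MemoryManager] rundll32.exe "C:\WINDOWS\system32\gidvnprs.dll",sitypnow
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: ddcca - C:\WINDOWS\system32\ddcca.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
"""

# Assumed allow-list (constructed for this example): lowercase-named Windows components
# that legitimately sit at these load points and would otherwise trip the heuristic.
ALLOWED_STEMS = {"bthprops"}

# The droppers in this thread use short, all-lowercase, meaningless names
# (ddcca, ilbqxqtj, gidvnprs). This is a triage heuristic, not a signature.
RANDOM_STEM = re.compile(r"^[a-z]{5,8}$")

O2_RE = re.compile(r"^O2 - BHO: (.*?) - \{([0-9A-Fa-f-]+)\} - (.*)$")
O4_RE = re.compile(r"^O4 - (.*?): \[(.*?)\] (.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.*)$")
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+("[^"]+"|[^,\s]+)', re.IGNORECASE)


def file_stem(path):
    """Base name without extension (original case), or None if the entry points at no file."""
    path = path.strip().strip('"')
    if not path or "(no file)" in path or "(file missing)" in path:
        return None
    name = path.replace("/", "\\").rsplit("\\", 1)[-1]
    if not name:  # trailing backslash, e.g. 'C:\WINDOWS\' in the second log of the thread
        return None
    return name.rsplit(".", 1)[0]


def looks_random(stem):
    return (stem is not None
            and stem.lower() not in ALLOWED_STEMS
            and RANDOM_STEM.match(stem) is not None)


def triage(log_text):
    """Return findings as dicts {reason, stem, line} for the load points reviewed in the thread."""
    findings = []
    seen_at = defaultdict(set)  # lowercase stem -> load-point kinds it appears at

    def add(reason, stem, line):
        findings.append({"reason": reason, "stem": stem.lower() if stem else None, "line": line})

    for line in log_text.splitlines():
        line = line.strip()
        m = O2_RE.match(line)
        if m:
            name, _clsid, path = m.groups()
            stem = file_stem(path)
            if stem is None:
                add("orphaned BHO entry (no file)", None, line)
            else:
                seen_at[stem.lower()].add("BHO")
                if name == "(no name)" and looks_random(stem):
                    add("unnamed BHO with random-looking DLL name", stem, line)
            continue
        m = O4_RE.match(line)
        if m:
            r = RUNDLL_RE.match(m.group(3))
            if r:  # only rundll32 targets: plain .exe autoruns have too many legitimate lowercase names
                stem = file_stem(r.group(1))
                if stem is not None:
                    seen_at[stem.lower()].add("Run")
                if looks_random(stem):
                    add("rundll32 autorun of random-looking DLL", stem, line)
            continue
        m = O20_RE.match(line)
        if m:
            stem = file_stem(m.group(2))
            if stem is None:
                add("Winlogon Notify entry with no valid DLL path", None, line)
            else:
                seen_at[stem.lower()].add("WinlogonNotify")
                if looks_random(stem):
                    add("Winlogon Notify handler with random-looking DLL name", stem, line)

    # The same DLL at more than one load point is the persistence pattern the helpers spotted.
    for stem, kinds in sorted(seen_at.items()):
        if len(kinds) > 1 and stem not in ALLOWED_STEMS:
            add("same DLL registered at multiple load points: " + ", ".join(sorted(kinds)),
                stem, stem + ".dll")
    return findings


def flagged_stems(log_text):
    """Sorted set of DLL stems that produced at least one finding."""
    return sorted({f["stem"] for f in triage(log_text) if f["stem"]})


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['reason']}] {f['line']}")
```

Run it as a script to print the findings for the embedded sample, or call `triage()` on a complete log pasted into a string. The name heuristic is deliberately limited to rundll32 targets among the O4 entries, because legitimate lowercase names in the same log (keyhook.exe, sistray.exe) would otherwise be flagged too; the multiple-load-point finding is the one that deserves the most weight.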
  • Hello Peter, Vundo is indeed still active. Try this: Download combofix.exe: http://download.bleepingcomputer.com/sUBs/ComboFix.exe Put it on your desktop. Double-click it to start the program. In the window that appears, type Y to start the cleaning process. Follow the on-screen instructions. When the tool is finished, a log file (combofix.txt) opens. Post the contents of this file together with a new HijackThis log.
  • Thanks in advance for your reply.

    ComboFix 07-08-09.3 - "Peter Santbergen" 2007-08-09 16:34:08.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1043.18.348 [GMT 2:00]
    * Created a new restore point

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

    C:\WINDOWS\system32\accdd.bak1
    C:\WINDOWS\system32\accdd.bak2
    C:\WINDOWS\system32\accdd.ini
    C:\WINDOWS\system32\accdd.ini2
    C:\WINDOWS\system32\accdd.tmp
    C:\WINDOWS\system32\ilbqxqtj.dll
    C:\WINDOWS\system32\system
    C:\WINDOWS\system32\system\msxml4.dll
    C:\WINDOWS\system32\system\msxml4r.dll

    ((((((((((((((((((((((((( Files Created from 2007-07-09 to 2007-08-09 )))))))))))))))))))))))))))))))

    2007-08-09 16:33 51,200 --a------ C:\WINDOWS\nircmd.exe
    2007-08-08 22:09 159,744 --a------ C:\WINDOWS\system32\hasher.dll
    2007-08-08 22:09 <DIR> d-------- C:\Program Files\Trisnap Technologies
    2007-08-08 16:36 <DIR> dr-h----- C:\DOCUME~1\PETERS~1\Onlangs geopend
    2007-08-08 16:33 <DIR> d-------- C:\Program Files\CCleaner
    2007-08-07 21:06 <DIR> d-------- C:\DOCUME~1\PETERS~1\Phone Browser
    2007-08-07 17:24 22,080 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
    2007-08-07 17:24 21,056 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
    2007-08-07 17:24 20,544 --a------ C:\WINDOWS\system32\drivers\SSFS0509.sys
    2007-08-07 17:24 144,960 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
    2007-08-07 17:24 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Webroot
    2007-08-07 17:23 164 --a------ C:\install.dat
    2007-08-07 17:23 <DIR> d-------- C:\Program Files\Webroot
    2007-08-07 17:23 <DIR> d-------- C:\Program Files\SpywareBlaster
    2007-08-07 17:23 <DIR> d-------- C:\DOCUME~1\PETERS~1\APPLIC~1\Webroot
    2007-08-07 17:23 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Webroot
    2007-08-07 16:24 <DIR> d-------- C:\WINDOWS\system32\GroupPolicy
    2007-08-07 16:23 <DIR> d-------- C:\Program Files\Hitman Pro
    2007-08-07 14:33 <DIR> d-------- C:\WINDOWS\pss
    2007-08-06 21:34 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Verzendmap van Share-to-Web
    2007-08-06 20:40 <DIR> d-------- C:\Program Files\Windows Defender
    2007-08-06 17:23 574,508 --a------ C:\WINDOWS\system32\trdrwlub.exe
    2007-08-06 16:24 <DIR> dr-h----- C:\DOCUME~1\LOCALS~1\Onlangs geopend
    2007-08-06 16:23 <DIR> dr------- C:\DOCUME~1\LOCALS~1\Favorieten
    2007-07-30 12:17 <DIR> d-------- C:\Program Files\MSXML 4.0
    2007-07-30 10:29 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
    2007-07-30 09:48 <DIR> d-------- C:\Program Files\Lavasoft
    2007-07-30 09:48 <DIR> d-------- C:\DOCUME~1\PETERS~1\APPLIC~1\Lavasoft
    2007-07-29 23:54 <DIR> d-------- C:\Program Files\Microsoft Works
    2007-07-29 23:53 <DIR> d-------- C:\WINDOWS\SHELLNEW
    2007-07-29 23:53 <DIR> d-------- C:\Program Files\Microsoft.NET
    2007-07-29 21:07 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Ahead
    2007-07-29 21:06 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Nero
    2007-07-28 20:49 <DIR> d-------- C:\DOCUME~1\PETERS~1\Contacts
    2007-07-28 20:47 <DIR> d-------- C:\Program Files\MSN Messenger
    2007-07-28 17:42 <DIR> d-------- C:\DOCUME~1\PETERS~1\APPLIC~1\Nokia Multimedia Player
    2007-07-28 17:39 4,194,304 --a------ C:\DOCUME~1\PETERS~1\ntuser.dat
    2007-07-28 17:39 1,310,720 --a------ C:\DOCUME~1\LOCALS~1\ntuser.dat
    2007-07-28 17:26 <DIR> d-------- C:\DOCUME~1\PETERS~1\APPLIC~1\Nokia
    2007-07-28 17:26 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\PC Suite
    2007-07-28 17:25 90,624 --a------ C:\WINDOWS\system32\nmwcdcls.dll
    2007-07-28 17:25 <DIR> d-------- C:\Program Files\PC Connectivity Solution
    2007-07-28 17:25 <DIR> d-------- C:\Program Files\Nokia
    2007-07-28 17:25 <DIR> d-------- C:\Program Files\DIFX
    2007-07-28 17:25 <DIR> d-------- C:\Program Files\Common Files\PCSuite
    2007-07-28 17:25 <DIR> d-------- C:\Program Files\Common Files\Nokia
    2007-07-28 17:25 <DIR> d-------- C:\DOCUME~1\PETERS~1\APPLIC~1\PC Suite
    2007-07-28 17:24 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Installations
    2007-07-28 17:23 8,192 --a--c--- C:\WINDOWS\system32\dllcache\wshirda.dll
    2007-07-28 17:23 8,192 --a------ C:\WINDOWS\system32\wshirda.dll
    2007-07-28 17:23 28,160 --a--c--- C:\WINDOWS\system32\dllcache\irmon.dll
    2007-07-28 17:23 28,160 --a------ C:\WINDOWS\system32\irmon.dll
    2007-07-28 17:23 154,112 --a--c--- C:\WINDOWS\system32\dllcache\irftp.exe
    2007-07-28 17:23 154,112 --a------ C:\WINDOWS\system32\irftp.exe
    2007-07-28 11:46 53,760 --a------ C:\WINDOWS\system32\drivers\i8042prt.sys
    2007-07-27 12:08 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\MSN6
    2007-07-27 12:08 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\MSN6
    2007-07-27 12:01 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Verzendmap van Share-to-Web
    2007-07-27 12:01 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\TMF
    2007-07-27 12:01 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Symantec
    2007-07-27 12:01 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Nu.nl
    2007-07-27 12:01 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Logitech
    2007-07-27 11:16 1,048,576 --ah----- C:\DOCUME~1\ADMINI~1\ntuser.dat
    2007-07-27 11:16 <DIR> dr-h----- C:\DOCUME~1\ADMINI~1\Onlangs geopend
    2007-07-27 11:16 <DIR> dr------- C:\DOCUME~1\ADMINI~1\Mijn documenten
    2007-07-27 11:16 <DIR> dr------- C:\DOCUME~1\ADMINI~1\Menu Start
    2007-07-27 11:16 <DIR> dr------- C:\DOCUME~1\ADMINI~1\Favorieten
    2007-07-27 11:16 <DIR> d--h----- C:\DOCUME~1\ADMINI~1\Sjablonen
    2007-07-27 11:16 <DIR> d--h----- C:\DOCUME~1\ADMINI~1\Netwerkprinteromgeving
    2007-07-27 11:16 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Bureaublad
    2007-07-26 18:50 <DIR> d-------- C:\Program Files\UniPrint
    2007-07-26 18:45 <DIR> d-------- C:\DOCUME~1\PETERS~1\APPLIC~1\ICAClient
    2007-07-26 18:44 <DIR> d-------- C:\Program Files\Citrix
    2007-07-26 09:49 54,784 --a------ C:\WINDOWS\system32\INETWH32.DLL
    2007-07-26 09:49 37,136 --a------ C:\WINDOWS\system32\MSJINT35.DLL
    2007-07-26 09:49 368,912 --a------ C:\WINDOWS\system32\VBAR332.DLL
    2007-07-26 09:49 251,664 --a------ C:\WINDOWS\system32\MSRD2X35.DLL
    2007-07-26 09:49 24,336 --a------ C:\WINDOWS\system32\MSJTER35.DLL
    2007-07-26 09:49 233,472 --a------ C:\WINDOWS\system32\ILDA32.DLL
    2007-07-26 09:49 22,528 --a------ C:\WINDOWS\system32\WSC32.DLL
    2007-07-26 09:49 182,784 --a------ C:\WINDOWS\system32\DDAO35.DLL
    2007-07-26 09:49 17,408 --a------ C:\WINDOWS\system32\MIO32.DLL
    2007-07-26 09:49 1,045,776 --a------ C:\WINDOWS\system32\MSJET35.DLL
    2007-07-26 09:49 <DIR> d-------- C:\Program Files\Davilex
    2007-07-26 09:49 <DIR> d-------- C:\Program Files\Borland
    2007-07-26 09:45 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2007-07-26 09:30 685,816 --a------ C:\WINDOWS\system32\drivers\sptd.sys
    2007-07-26 08:43 208,896 --a------ C:\WINDOWS\system32\NVUNINST.EXE
    2007-07-26 08:41 750,080 --a------ C:\WINDOWS\system32\nusaver.scr
    2007-07-25 20:59 <DIR> d-------- C:\DOCUME~1\PETERS~1\APPLIC~1\WinRAR
    2007-07-25 20:59 <DIR> d-------- C:\DOCUME~1\PETERS~1\APPLIC~1\GrabIt
    2007-07-25 20:37 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
    2007-07-25 20:37 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\FLEXnet
    2007-07-25 19:43 <DIR> d-------- C:\DOCUME~1\PETERS~1\APPLIC~1\Ahead
    2007-07-25 19:42 <DIR> d-------- C:\Program Files\Nero
    2007-07-25 19:42 <DIR> d-------- C:\Program Files\Common Files\Ahead
    2007-07-25 19:11 <DIR> d-------- C:\Program Files\FTDv3.7.3
    2007-07-25 18:56 <DIR> d-------- C:\WINDOWS\A5W_DATA
    2007-07-25 17:56 <DIR> d-------- C:\Program Files\Palm Inc
    2007-07-25 17:40 <DIR> d-------- C:\Program Files\Documents To Go

    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2007-08-07 21:01 90206 --a------ C:\WINDOWS\system32\perfc013.dat
    2007-08-07 21:01 506504 --a------ C:\WINDOWS\system32\perfh013.dat
    2007-07-25 10:14 0 --ah----- C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
    2007-07-25 10:14 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
    2007-07-25 10:14 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_LHidFilt_01005.Wdf
    2007-07-03 18:43 132904 --a------ C:\WINDOWS\system32\drivers\imagesrv.sys
    2007-07-03 18:43 11304 --a------ C:\WINDOWS\system32\drivers\imagedrv.sys
    2007-06-27 19:05 972072 --a------ C:\WINDOWS\UNNeroMediaHome.exe
    2007-06-26 14:12 972072 --a------ C:\WINDOWS\UNNeroVision.exe
    2007-06-08 08:11 831048 --a------ C:\WINDOWS\system32\WudfUpdate_01005.dll
    2007-05-16 17:19 86528 -----c--- C:\WINDOWS\system32\dllcache\directdb.dll
    2007-05-16 17:19 85504 -----c--- C:\WINDOWS\system32\dllcache\wabimp.dll
    2007-05-16 17:19 683520 -----c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
    2007-05-16 17:19 510976 -----c--- C:\WINDOWS\system32\dllcache\wab32.dll
    2007-05-16 17:19 1314816 -----c--- C:\WINDOWS\system32\dllcache\msoe.dll
    2007-05-16 09:18 95864 --a------ C:\WINDOWS\system32\NeroCo.dll

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ACAC634E-01B0-4355-82E4-3CF94474CE17}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SiS Windows KeyHook"="C:\WINDOWS\System32\keyhook.exe" [2004-04-01 02:46]
    "SiSUSBRG"="C:\WINDOWS\SiSUSBrg.exe" [2002-07-11 04:15]
    "SoundMan"="SOUNDMAN.EXE" [2004-09-13 22:39 C:\WINDOWS\SOUNDMAN.EXE]
    "Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 15:32 C:\WINDOWS\KHALMNPR.Exe]
    "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 19:26]
    "vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-09-27 20:33]
    "Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 10:42]
    "AcctMgr"="C:\Program Files\Norton Password Manager\AcctMgr.exe" [2004-03-03 16:49]
    "Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-10 22:46]
    "UniPrint"="C:\Program Files\UniPrint\Client\SetDfltSettings.exe" [2006-08-23 17:26]
    "Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 15:32 C:\WINDOWS\KHALMNPR.Exe]
    "BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 01:03 C:\WINDOWS\system32\bthprops.cpl]
    "PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-06-18 15:10]
    "NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 15:57]
    "NWEReboot"="" []
    "MemoryManager"="C:\WINDOWS\system32\gidvnprs.dll" []

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:03]
    "AWMON"="C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe" [2005-05-25 12:12]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
    "CommCenter"="C:\Program Files\RVS\WCOM\SYSTEM\ccui.exe"

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "Nokia.PCSync"=C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog

    C:\Documents and Settings\Peter Santbergen\Menu Start\Programma's\Opstarten\
    HotSync Manager.lnk - C:\Program Files\palmOne\HOTSYNC.EXE [2004-04-13 17:03:10]

    C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\
    Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2007-07-25 10:14:04]
    NU.nl Nieuwslezer.lnk - H:\Programma's\NU.nl Nieuwslezer\nunwslzr.exe [2006-11-10 12:30:02]
    Utility Tray.lnk - C:\WINDOWS\system32\sistray.exe [2007-07-25 10:05:55]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcca]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
    @=""

    R0 SSFS0509;Spy Sweeper File System Filer Driver: 0509;C:\WINDOWS\system32\Drivers\SSFS0509.SYS
    R0 SSHRMD;Spy Sweeper Hookrack MiniDriver;C:\WINDOWS\system32\Drivers\SSHRMD.SYS
    R0 SSIDRV;Spy Sweeper Interdiction Driver;C:\WINDOWS\system32\Drivers\SSIDRV.SYS
    R0 WDMCAPI;ISDN PCI CAPI;C:\WINDOWS\system32\DRIVERS\WDMCAPI.sys
    R2 rvsport;RVS Virtual COM Port;C:\WINDOWS\system32\drivers\rvsport.sys
    R3 LHidFilt;Logitech SetPoint KMDF HID Filter Driver;C:\WINDOWS\system32\DRIVERS\LHidFilt.Sys
    R3 LMouFilt;Logitech SetPoint KMDF Mouse Filter Driver;C:\WINDOWS\system32\DRIVERS\LMouFilt.Sys
    R3 SSKBFD;Webroot Spy Sweeper Keylogger Shield Keyboard Filter;C:\WINDOWS\system32\Drivers\sskbfd.sys
    R3 Wdf01000;Wdf01000;C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
    R3 WDMWANMP;NDIS WAN miniport;C:\WINDOWS\system32\DRIVERS\wdmwanmp.sys
    S3 BTHMODEM;Communicatiestuurprogramma voor Bluetooth-modem;C:\WINDOWS\system32\DRIVERS\bthmodem.sys
    S3 idsvc;Windows CardSpace;"C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe"
    S3 L8042Kbd;Logitech SetPoint Keyboard Driver;C:\WINDOWS\system32\DRIVERS\L8042Kbd.sys
    S3 L8042mou;SetPoint PS/2 Mouse Filter Driver;C:\WINDOWS\system32\DRIVERS\L8042mou.Sys
    S3 LMouKE;SetPoint Mouse Filter Driver;C:\WINDOWS\system32\DRIVERS\LMouKE.Sys
    S3 RFCOMM;Bluetooth-apparaat (RFCOMM Protocol TDI);C:\WINDOWS\system32\DRIVERS\rfcomm.sys
    S3 RvscomSv;RvscomSv;C:\Program Files\RVS\WCOM\SYSTEM\RVSCOMSV.EXE
    S4 NetTcpPortSharing;Net.Tcp Port Sharing Service;"C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    bthsvcs BthServ

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5bbd6ad6-3b4a-11dc-89d9-487444737531}]
    AutoRun\command- setup.exe

    Contents of the 'Scheduled Tasks' folder
    2007-08-09 07:38:39 C:\WINDOWS\Tasks\MP Scheduled Scan.job - C:\Program Files\Windows Defender\MpCmdRun.exe
    2007-08-07 22:00:00 C:\WINDOWS\Tasks\Symantec Drmc.job
    2007-08-09 07:50:14 C:\WINDOWS\Tasks\User_Feed_Synchronization-{BBF09104-3509-4B8B-8679-0A6355097348}.job - C:\WINDOWS\system32\msfeedssync.exe

    **************************************************************************

    catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-08-09 16:37:17
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...
    scanning hidden registry entries ...
    scanning hidden files ...
    scan completed successfully
    hidden files: 0

    **************************************************************************

    Completion time: 2007-08-09 16:39:20 - machine was rebooted
    C:\ComboFix-quarantined-files.txt ... 2007-08-09 16:39
    --- E O F ---

    Logfile of HijackThis v1.99.1
    Scan saved at 16:41:38, on 9-8-2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16473)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\RVS\WCOM\SYSTEM\RVSINST.EXE
    C:\WINDOWS\System32\keyhook.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\Program Files\Norton Password Manager\AcctMgr.exe
    C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
    C:\WINDOWS\system32\sistray.exe
    C:\Program Files\palmOne\HOTSYNC.EXE
    C:\Program Files\RVS\WCOM\SYSTEM\ccui.exe
    C:\Program Files\RVS\WCOM\SYSTEM\RVSCC.EXE
    C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    H:\Programma's\NU.nl Nieuwslezer\nunwslzr.exe
    C:\PROGRA~1\RVS\WCOM\SYSTEM\ADBSERV.EXE
    C:\Program Files\RVS\WCOM\SYSTEM\RVSRmd.exe
    C:\Program Files\RVS\WCOM\SYSTEM\CCSRV.EXE
    C:\WINDOWS\system32\wuauclt.exe
    H:\Downloads\hijackthis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.petersantbergen.tk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    O2 - BHO: Adobe PDF Reader Help bij koppelingen - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {ACAC634E-01B0-4355-82E4-3CF94474CE17} - (no file)
    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\System32\keyhook.exe
    O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton Password Manager\AcctMgr.exe /startup
    O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
    O4 - HKLM\..\Run: [UniPrint] C:\Program Files\UniPrint\Client\SetDfltSettings.exe
    O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [MemoryManager] rundll32.exe "C:\WINDOWS\system32\gidvnprs.dll",sitypnow
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe"
    O4 - HKCU\..\RunOnce: [CommCenter] "C:\Program Files\RVS\WCOM\SYSTEM\ccui.exe"
    O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
    O4 - Global Startup: NU.nl Nieuwslezer.lnk = H:\Programma's\NU.nl Nieuwslezer\nunwslzr.exe
    O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
    O8 - Extra context menu item: Converteren naar Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Geselecteerde koppelingen converteren naar Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Geselecteerde koppelingen converteren naar bestaand PDF-bestand - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Koppelingdoel converteren naar Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Koppelingdoel converteren naar bestaand PDF-bestand - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Selectie converteren naar Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Selectie converteren naar bestaand PDF-bestand - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Toevoegen aan bestaand PDF-bestand - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O20 - Winlogon Notify: ddcca - C:\WINDOWS\
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    O23 - Service: RVS CommCenter (RvsCC) - Living Byte Software GmbH, Munchen - C:\Program Files\RVS\WCOM\SYSTEM\RVSCC.EXE
    O23 - Service: RvscomSv - Living Byte Software GmbH, Munchen - C:\Program Files\RVS\WCOM\SYSTEM\RVSCOMSV.EXE
    O23 - Service: RVS Installer (RVSINST) - Living Byte Software GmbH, Munchen - C:\Program Files\RVS\WCOM\SYSTEM\RVSINST.EXE
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: ServiceLayer - Nokia.
- C:\Program Files\PC Connectivity Solution\ServiceLayer.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe O23 - Service: SysEnforce - Unknown owner - C:\PROGRA~1\TRISNA~1\SSI\SYSENF~1.EXE (file missing) O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
  • Close all open windows. Start HijackThis again and put a checkmark next to the following items:

O2 - BHO: (no name) - {ACAC634E-01B0-4355-82E4-3CF94474CE17} - (no file)
O4 - HKLM\..\Run: [MemoryManager] rundll32.exe "C:\WINDOWS\system32\gidvnprs.dll",sitypnow
O20 - Winlogon Notify: ddcca - C:\WINDOWS\

Then click "Fix checked" and close HijackThis.

Then do this:

Cleaning up cookies and temporary internet files:
Close all open Internet Explorer windows. Go to Start, click "Control Panel" and double-click "Internet Options". The "Internet Properties" window will open. Go to the "General" tab. Under "Browsing history" click the "Delete" button. A new window will open: Delete Browsing History. Click the "Delete all" button at the bottom. In the window that now opens, put a checkmark next to "Also delete files and settings stored by add-ons". Click Yes.
This deletes the temporary internet files, the cookies, the browsing history, the information you have entered in forms, and the saved passwords that are filled in automatically when you log on to a website you have visited before. If you would rather not delete the last two (form data and passwords), do not click "Delete all" but only these:
- under Temporary Internet Files, "Delete files".
- under Cookies, "Delete cookies".
- under History, "Delete history".

Also block indirect (third-party) cookies:
On the Privacy tab click the "Advanced" button. Put a checkmark next to "Override automatic cookie handling". Under First-party cookies make sure "Accept" is selected. Under Third-party cookies choose "Block". Click OK. When this is done, close the "Internet Properties" window.

Cleaning up other temporary folders and emptying the Recycle Bin:
Close all open windows. Go to Start, choose Run and type: cleanmgr
Then press OK and Disk Cleanup will start. If you have several partitions, choose the partition Windows is installed on. Now let it scan your system for files that can be deleted. When the overview appears, make sure only the following items are checked:
- Temporary Internet Files
- Recycle Bin
- Temporary files
Then click OK.

Download Dr. Web CureIt (ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe). Save it on your desktop.
- Double-click drweb-cureit.exe and allow the program to start the express scan. This is only a short scan of the files currently loaded in memory. When something is found you will be asked 'cure it?'. Then click the 'Yes to all' button.
- Click the 'Select drives' button and make sure all drives are selected for scanning. The drives that will be scanned are marked with a red dot.
- On the right-hand side, click the large button with the green arrow to start the scan.
- When an infected file is found, you will be asked either 'Cure It?' or 'Move?'. In both cases click the 'Yes to all' button.
- When the scan is finished, check whether you can click the following icon. It is in the lower half of the program window, to the left of the list (pane) of infected files. (image: http://users.telenet.be/bluepatchy/miekiemoes/images/check.gif)
- If you can click it, do so, then click the icon just below it and choose Move incurable. (image: http://users.telenet.be/bluepatchy/miekiemoes/images/move.gif) This moves the files that cannot be disinfected to the folder %userprofile%\DoctorWeb\quarantaine-folder.
- In the File menu of Dr. Web CureIt choose 'Save Report List' and save the log on your desktop.
- Close Dr. Web CureIt.
- Restart the computer and post the log.
  • Here is the requested log:

C:\Program Files\Microsoft Office\OFFICE11\1043\VBAOL11.CHM  Modification of VBS.Petik
C:\Program Files\Microsoft Office\OFFICE11\1043  Archive contains infected objects  Moved.
C:\QooBox\Quarantine\C\WINDOWS\system32  Trojan.Virtumod  Deleted.
C:\System Volume Information\_restore{1AA73300-E877-43CF-8FED-56F7176C9589}\RP2  Trojan.Virtumod  Deleted.

Incidentally, at startup I still get the message that the file gidvnprs.dll is missing.
Regards, Peter
  • Make a new HijackThis log and a new log with ComboFix. Post both logs.
  • Here are the requested logs:

ComboFix 07-08-09.3 - "Peter Santbergen" 2007-08-09 22:07:39.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1043.18.487 [GMT 2:00]

((((((((((((((((((((((((( Files Created from 2007-07-09 to 2007-08-09 )))))))))))))))))))))))))))))))

2007-08-09 17:46 <DIR> d-------- C:\DOCUME~1\PETERS~1\DoctorWeb
2007-08-09 16:33 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-08 22:09 159,744 --a------ C:\WINDOWS\system32\hasher.dll
2007-08-08 22:09 <DIR> d-------- C:\Program Files\Trisnap Technologies
2007-08-08 16:36 <DIR> dr-h----- C:\DOCUME~1\PETERS~1\Onlangs geopend
2007-08-08 16:33 <DIR> d-------- C:\Program Files\CCleaner
2007-08-07 21:06 <DIR> d-------- C:\DOCUME~1\PETERS~1\Phone Browser
2007-08-07 17:24 22,080 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2007-08-07 17:24 21,056 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2007-08-07 17:24 20,544 --a------ C:\WINDOWS\system32\drivers\SSFS0509.sys
2007-08-07 17:24 144,960 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2007-08-07 17:24 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Webroot
2007-08-07 17:23 164 --a------ C:\install.dat
2007-08-07 17:23 <DIR> d-------- C:\Program Files\Webroot
2007-08-07 17:23 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-08-07 17:23 <DIR> d-------- C:\DOCUME~1\PETERS~1\APPLIC~1\Webroot
2007-08-07 17:23 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Webroot
2007-08-07 16:24 <DIR> d-------- C:\WINDOWS\system32\GroupPolicy
2007-08-07 16:23 <DIR> d-------- C:\Program Files\Hitman Pro
2007-08-07 14:33 <DIR> d-------- C:\WINDOWS\pss
2007-08-06 21:34 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Verzendmap van Share-to-Web
2007-08-06 20:40 <DIR> d-------- C:\Program Files\Windows Defender
2007-08-06 17:23 574,508 --a------ C:\WINDOWS\system32\trdrwlub.exe
2007-08-06 16:24 <DIR> dr-h----- C:\DOCUME~1\LOCALS~1\Onlangs geopend
2007-08-06 16:23 <DIR> dr------- C:\DOCUME~1\LOCALS~1\Favorieten
2007-07-30 12:17 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-07-30 10:29 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-07-30 09:48 <DIR> d-------- C:\Program Files\Lavasoft
2007-07-30 09:48 <DIR> d-------- C:\DOCUME~1\PETERS~1\APPLIC~1\Lavasoft
2007-07-29 23:54 <DIR> d-------- C:\Program Files\Microsoft Works
2007-07-29 23:53 <DIR> d-------- C:\WINDOWS\SHELLNEW
2007-07-29 23:53 <DIR> d-------- C:\Program Files\Microsoft.NET
2007-07-29 21:07 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Ahead
2007-07-29 21:06 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Nero
2007-07-28 20:49 <DIR> d-------- C:\DOCUME~1\PETERS~1\Contacts
2007-07-28 20:47 <DIR> d-------- C:\Program Files\MSN Messenger
2007-07-28 17:42 <DIR> d-------- C:\DOCUME~1\PETERS~1\APPLIC~1\Nokia Multimedia Player
2007-07-28 17:39 4,194,304 --a------ C:\DOCUME~1\PETERS~1\ntuser.dat
2007-07-28 17:39 1,310,720 --a------ C:\DOCUME~1\LOCALS~1\ntuser.dat
2007-07-28 17:26 <DIR> d-------- C:\DOCUME~1\PETERS~1\APPLIC~1\Nokia
2007-07-28 17:26 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\PC Suite
2007-07-28 17:25 90,624 --a------ C:\WINDOWS\system32\nmwcdcls.dll
2007-07-28 17:25 <DIR> d-------- C:\Program Files\PC Connectivity Solution
2007-07-28 17:25 <DIR> d-------- C:\Program Files\Nokia
2007-07-28 17:25 <DIR> d-------- C:\Program Files\DIFX
2007-07-28 17:25 <DIR> d-------- C:\Program Files\Common Files\PCSuite
2007-07-28 17:25 <DIR> d-------- C:\Program Files\Common Files\Nokia
2007-07-28 17:25 <DIR> d-------- C:\DOCUME~1\PETERS~1\APPLIC~1\PC Suite
2007-07-28 17:24 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Installations
2007-07-28 17:23 8,192 --a--c--- C:\WINDOWS\system32\dllcache\wshirda.dll
2007-07-28 17:23 8,192 --a------ C:\WINDOWS\system32\wshirda.dll
2007-07-28 17:23 28,160 --a--c--- C:\WINDOWS\system32\dllcache\irmon.dll
2007-07-28 17:23 28,160 --a------ C:\WINDOWS\system32\irmon.dll
2007-07-28 17:23 154,112 --a--c--- C:\WINDOWS\system32\dllcache\irftp.exe
2007-07-28 17:23 154,112 --a------ C:\WINDOWS\system32\irftp.exe
2007-07-28 11:46 53,760 --a------ C:\WINDOWS\system32\drivers\i8042prt.sys
2007-07-27 12:08 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\MSN6
2007-07-27 12:08 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\MSN6
2007-07-27 12:01 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Verzendmap van Share-to-Web
2007-07-27 12:01 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\TMF
2007-07-27 12:01 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Symantec
2007-07-27 12:01 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Nu.nl
2007-07-27 12:01 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Logitech
2007-07-27 11:16 1,048,576 --ah----- C:\DOCUME~1\ADMINI~1\ntuser.dat
2007-07-27 11:16 <DIR> dr-h----- C:\DOCUME~1\ADMINI~1\Onlangs geopend
2007-07-27 11:16 <DIR> dr------- C:\DOCUME~1\ADMINI~1\Mijn documenten
2007-07-27 11:16 <DIR> dr------- C:\DOCUME~1\ADMINI~1\Menu Start
2007-07-27 11:16 <DIR> dr------- C:\DOCUME~1\ADMINI~1\Favorieten
2007-07-27 11:16 <DIR> d--h----- C:\DOCUME~1\ADMINI~1\Sjablonen
2007-07-27 11:16 <DIR> d--h----- C:\DOCUME~1\ADMINI~1\Netwerkprinteromgeving
2007-07-27 11:16 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Bureaublad
2007-07-26 18:50 <DIR> d-------- C:\Program Files\UniPrint
2007-07-26 18:45 <DIR> d-------- C:\DOCUME~1\PETERS~1\APPLIC~1\ICAClient
2007-07-26 18:44 <DIR> d-------- C:\Program Files\Citrix
2007-07-26 09:49 54,784 --a------ C:\WINDOWS\system32\INETWH32.DLL
2007-07-26 09:49 37,136 --a------ C:\WINDOWS\system32\MSJINT35.DLL
2007-07-26 09:49 368,912 --a------ C:\WINDOWS\system32\VBAR332.DLL
2007-07-26 09:49 251,664 --a------ C:\WINDOWS\system32\MSRD2X35.DLL
2007-07-26 09:49 24,336 --a------ C:\WINDOWS\system32\MSJTER35.DLL
2007-07-26 09:49 233,472 --a------ C:\WINDOWS\system32\ILDA32.DLL
2007-07-26 09:49 22,528 --a------ C:\WINDOWS\system32\WSC32.DLL
2007-07-26 09:49 182,784 --a------ C:\WINDOWS\system32\DDAO35.DLL
2007-07-26 09:49 17,408 --a------ C:\WINDOWS\system32\MIO32.DLL
2007-07-26 09:49 1,045,776 --a------ C:\WINDOWS\system32\MSJET35.DLL
2007-07-26 09:49 <DIR> d-------- C:\Program Files\Davilex
2007-07-26 09:49 <DIR> d-------- C:\Program Files\Borland
2007-07-26 09:45 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-07-26 09:30 685,816 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-07-26 08:43 208,896 --a------ C:\WINDOWS\system32\NVUNINST.EXE
2007-07-26 08:41 750,080 --a------ C:\WINDOWS\system32\nusaver.scr
2007-07-25 20:59 <DIR> d-------- C:\DOCUME~1\PETERS~1\APPLIC~1\WinRAR
2007-07-25 20:59 <DIR> d-------- C:\DOCUME~1\PETERS~1\APPLIC~1\GrabIt
2007-07-25 20:37 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2007-07-25 20:37 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\FLEXnet
2007-07-25 19:43 <DIR> d-------- C:\DOCUME~1\PETERS~1\APPLIC~1\Ahead
2007-07-25 19:42 <DIR> d-------- C:\Program Files\Nero
2007-07-25 19:42 <DIR> d-------- C:\Program Files\Common Files\Ahead
2007-07-25 19:11 <DIR> d-------- C:\Program Files\FTDv3.7.3
2007-07-25 18:56 <DIR> d-------- C:\WINDOWS\A5W_DATA
2007-07-25 17:56 <DIR> d-------- C:\Program Files\Palm Inc

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-07 21:01 90206 --a------ C:\WINDOWS\system32\perfc013.dat
2007-08-07 21:01 506504 --a------ C:\WINDOWS\system32\perfh013.dat
2007-07-25 10:14 0 --ah----- C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2007-07-25 10:14 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
2007-07-25 10:14 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_LHidFilt_01005.Wdf
2007-07-03 18:43 132904 --a------ C:\WINDOWS\system32\drivers\imagesrv.sys
2007-07-03 18:43 11304 --a------ C:\WINDOWS\system32\drivers\imagedrv.sys
2007-06-27 19:05 972072 --a------ C:\WINDOWS\UNNeroMediaHome.exe
2007-06-26 14:12 972072 --a------ C:\WINDOWS\UNNeroVision.exe
2007-06-08 08:11 831048 --a------ C:\WINDOWS\system32\WudfUpdate_01005.dll
2007-05-16 17:19 86528 -----c--- C:\WINDOWS\system32\dllcache\directdb.dll
2007-05-16 17:19 85504 -----c--- C:\WINDOWS\system32\dllcache\wabimp.dll
2007-05-16 17:19 683520 -----c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-05-16 17:19 510976 -----c--- C:\WINDOWS\system32\dllcache\wab32.dll
2007-05-16 17:19 1314816 -----c--- C:\WINDOWS\system32\dllcache\msoe.dll
2007-05-16 09:18 95864 --a------ C:\WINDOWS\system32\NeroCo.dll

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiS Windows KeyHook"="C:\WINDOWS\System32\keyhook.exe" [2004-04-01 02:46]
"SiSUSBRG"="C:\WINDOWS\SiSUSBrg.exe" [2002-07-11 04:15]
"SoundMan"="SOUNDMAN.EXE" [2004-09-13 22:39 C:\WINDOWS\SOUNDMAN.EXE]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 15:32 C:\WINDOWS\KHALMNPR.Exe]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 19:26]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-09-27 20:33]
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 10:42]
"AcctMgr"="C:\Program Files\Norton Password Manager\AcctMgr.exe" [2004-03-03 16:49]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-10 22:46]
"UniPrint"="C:\Program Files\UniPrint\Client\SetDfltSettings.exe" [2006-08-23 17:26]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 15:32 C:\WINDOWS\KHALMNPR.Exe]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 01:03 C:\WINDOWS\system32\bthprops.cpl]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-06-18 15:10]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 15:57]
"NWEReboot"="" []
"MemoryManager"="C:\WINDOWS\system32\gidvnprs.dll" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:03]
"AWMON"="C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe" [2005-05-25 12:12]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"CommCenter"="C:\Program Files\RVS\WCOM\SYSTEM\ccui.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Nokia.PCSync"=C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog

C:\Documents and Settings\Peter Santbergen\Menu Start\Programma's\Opstarten\
HotSync Manager.lnk - C:\Program Files\palmOne\HOTSYNC.EXE [2004-04-13 17:03:10]

C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2007-07-25 10:14:04]
NU.nl Nieuwslezer.lnk - H:\Programma's\NU.nl Nieuwslezer\nunwslzr.exe [2006-11-10 12:30:02]
Utility Tray.lnk - C:\WINDOWS\system32\sistray.exe [2007-07-25 10:05:55]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

R0 SSFS0509;Spy Sweeper File System Filer Driver: 0509;C:\WINDOWS\system32\Drivers\SSFS0509.SYS
R0 SSHRMD;Spy Sweeper Hookrack MiniDriver;C:\WINDOWS\system32\Drivers\SSHRMD.SYS
R0 SSIDRV;Spy Sweeper Interdiction Driver;C:\WINDOWS\system32\Drivers\SSIDRV.SYS
R0 WDMCAPI;ISDN PCI CAPI;C:\WINDOWS\system32\DRIVERS\WDMCAPI.sys
R2 rvsport;RVS Virtual COM Port;C:\WINDOWS\system32\drivers\rvsport.sys
R3 LHidFilt;Logitech SetPoint KMDF HID Filter Driver;C:\WINDOWS\system32\DRIVERS\LHidFilt.Sys
R3 LMouFilt;Logitech SetPoint KMDF Mouse Filter Driver;C:\WINDOWS\system32\DRIVERS\LMouFilt.Sys
R3 SSKBFD;Webroot Spy Sweeper Keylogger Shield Keyboard Filter;C:\WINDOWS\system32\Drivers\sskbfd.sys
R3 Wdf01000;Wdf01000;C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
R3 WDMWANMP;NDIS WAN miniport;C:\WINDOWS\system32\DRIVERS\wdmwanmp.sys
S3 BTHMODEM;Communicatiestuurprogramma voor Bluetooth-modem;C:\WINDOWS\system32\DRIVERS\bthmodem.sys
S3 idsvc;Windows CardSpace;"C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe"
S3 L8042Kbd;Logitech SetPoint Keyboard Driver;C:\WINDOWS\system32\DRIVERS\L8042Kbd.sys
S3 L8042mou;SetPoint PS/2 Mouse Filter Driver;C:\WINDOWS\system32\DRIVERS\L8042mou.Sys
S3 LMouKE;SetPoint Mouse Filter Driver;C:\WINDOWS\system32\DRIVERS\LMouKE.Sys
S3 RFCOMM;Bluetooth-apparaat (RFCOMM Protocol TDI);C:\WINDOWS\system32\DRIVERS\rfcomm.sys
S3 RvscomSv;RvscomSv;C:\Program Files\RVS\WCOM\SYSTEM\RVSCOMSV.EXE
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service;"C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs BthServ

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5bbd6ad6-3b4a-11dc-89d9-487444737531}]
AutoRun\command- setup.exe

Contents of the 'Scheduled Tasks' folder
2007-08-09 18:03:08 C:\WINDOWS\Tasks\MP Scheduled Scan.job
2007-08-07 22:00:00 C:\WINDOWS\Tasks\Symantec Drmc.job
2007-08-09 07:50:14 C:\WINDOWS\Tasks\User_Feed_Synchronization-{BBF09104-3509-4B8B-8679-0A6355097348}.job - C:\WINDOWS\system32\msfeedssync.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-09 22:08:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden registry entries ...
scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-09 22:09:57
C:\ComboFix-quarantined-files.txt ... 2007-08-09 22:09
C:\ComboFix2.txt ... 2007-08-09 16:39
--- E O F ---

Logfile of HijackThis v1.99.1
Scan saved at 22:10:51, on 9-8-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\keyhook.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Norton Password Manager\AcctMgr.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\WINDOWS\system32\sistray.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\palmOne\HOTSYNC.EXE
C:\Program Files\RVS\WCOM\SYSTEM\ccui.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
H:\Programma's\NU.nl Nieuwslezer\nunwslzr.exe
C:\Program Files\RVS\WCOM\SYSTEM\RVSINST.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\RVS\WCOM\SYSTEM\RVSCC.EXE
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\PROGRA~1\RVS\WCOM\SYSTEM\ADBSERV.EXE
C:\Program Files\RVS\WCOM\SYSTEM\RVSRmd.exe
C:\Program Files\RVS\WCOM\SYSTEM\CCSRV.EXE
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
H:\Downloads\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.petersantbergen.tk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: Adobe PDF Reader Help bij koppelingen - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\System32\keyhook.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [UniPrint] C:\Program Files\UniPrint\Client\SetDfltSettings.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [MemoryManager] rundll32.exe "C:\WINDOWS\system32\gidvnprs.dll",sitypnow
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe"
O4 - HKCU\..\RunOnce: [CommCenter] "C:\Program Files\RVS\WCOM\SYSTEM\ccui.exe"
O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: NU.nl Nieuwslezer.lnk = H:\Programma's\NU.nl Nieuwslezer\nunwslzr.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O8 - Extra context menu item: Converteren naar Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Geselecteerde koppelingen converteren naar Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Geselecteerde koppelingen converteren naar bestaand PDF-bestand - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Koppelingdoel converteren naar Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Koppelingdoel converteren naar bestaand PDF-bestand - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Selectie converteren naar Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Selectie converteren naar bestaand PDF-bestand - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Toevoegen aan bestaand PDF-bestand - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: RVS CommCenter (RvsCC) - Living Byte Software GmbH, Munchen - C:\Program Files\RVS\WCOM\SYSTEM\RVSCC.EXE
O23 - Service: RvscomSv - Living Byte Software GmbH, Munchen - C:\Program Files\RVS\WCOM\SYSTEM\RVSCOMSV.EXE
O23 - Service: RVS Installer (RVSINST) - Living Byte Software GmbH, Munchen - C:\Program Files\RVS\WCOM\SYSTEM\RVSINST.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: SysEnforce - Unknown owner - C:\PROGRA~1\TRISNA~1\SSI\SYSENF~1.EXE (file missing)
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
  • This one is still there: O4 - HKLM\..\Run: [MemoryManager] rundll32.exe "C:\WINDOWS\system32\gidvnprs.dll",sitypnow
  • I was on holiday for a week! Hence this late reply. [quote]This one is still there: O4 - HKLM\..\Run: [MemoryManager] rundll32.exe "C:\WINDOWS\system32\gidvnprs.dll",sitypnow[/quote] I cannot get rid of this line in any way. It comes back immediately. I have tried HijackThis, CCleaner, ComboFix, among others, and plain removal from the registry. Right after I delete the line, it is back again.
  • Try it in safe mode. Restart the computer and then make a new HijackThis log. Post that log.
  • It seems to be gone now, after trying it in safe mode. Attached is the HijackThis log.
    Logfile of HijackThis v1.99.1
    Scan saved at 17:23:44, on 17-8-2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16512)
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    H:\Downloads\hijackthis.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.petersantbergen.tk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    O2 - BHO: Adobe PDF Reader Help bij koppelingen - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\System32\keyhook.exe
    O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton Password Manager\AcctMgr.exe /startup
    O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
    O4 - HKLM\..\Run: [UniPrint] C:\Program Files\UniPrint\Client\SetDfltSettings.exe
    O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe"
    O4 - HKCU\..\RunOnce: [CommCenter] "C:\Program Files\RVS\WCOM\SYSTEM\ccui.exe"
    O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
    O4 - Global Startup: NU.nl Nieuwslezer.lnk = H:\Programma's\NU.nl Nieuwslezer\nunwslzr.exe
    O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
    O8 - Extra context menu item: Converteren naar Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Geselecteerde koppelingen converteren naar Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Geselecteerde koppelingen converteren naar bestaand PDF-bestand - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Koppelingdoel converteren naar Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Koppelingdoel converteren naar bestaand PDF-bestand - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Selectie converteren naar Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Selectie converteren naar bestaand PDF-bestand - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Toevoegen aan bestaand PDF-bestand - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    O23 - Service: RVS CommCenter (RvsCC) - Living Byte Software GmbH, Munchen - C:\Program Files\RVS\WCOM\SYSTEM\RVSCC.EXE
    O23 - Service: RvscomSv - Living Byte Software GmbH, Munchen - C:\Program Files\RVS\WCOM\SYSTEM\RVSCOMSV.EXE
    O23 - Service: RVS Installer (RVSINST) - Living Byte Software GmbH, Munchen - C:\Program Files\RVS\WCOM\SYSTEM\RVSINST.EXE
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: SysEnforce - Unknown owner - C:\PROGRA~1\TRISNA~1\SSI\SYSENF~1.EXE (file missing)
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
  • This log was made in safe mode. I suspect Ad-Watch is blocking the changes. If the key reappears after a reboot into normal Windows mode, disable Ad-Watch first. Then fix the key.
  • On the first boot into normal mode I get no message. Restarting once more produces the message again. After that I also tried to fix it without Ad-Watch running. That gives the same result. First boot: no message. After that it is back again!
  • Make a new HijackThis log and post it.
  • It seems to me that Ad-Watch is the cause. When I disable Ad-Watch, I manage to remove gidvnprs.dll and it does not come back after rebooting either. But as soon as I start Ad-Watch again, the trouble starts all over. (Ad-Watch is set so that it does not start together with Windows.) Attached, as requested, another HijackThis log. I made it after I had removed the message and with Ad-Watch disabled.
    Logfile of HijackThis v1.99.1
    Scan saved at 12:50:12, on 18-8-2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16512)
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\WINDOWS\System32\keyhook.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\Program Files\Norton Password Manager\AcctMgr.exe
    C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Palm\HOTSYNC.EXE
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
    C:\WINDOWS\system32\sistray.exe
    C:\Program Files\RVS\WCOM\SYSTEM\ccui.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\RVS\WCOM\SYSTEM\RVSINST.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    H:\Programma's\NU.nl Nieuwslezer\nunwslzr.exe
    C:\Program Files\RVS\WCOM\SYSTEM\RVSCC.EXE
    C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    C:\PROGRA~1\RVS\WCOM\SYSTEM\ADBSERV.EXE
    C:\Program Files\RVS\WCOM\SYSTEM\RVSRmd.exe
    C:\Program Files\RVS\WCOM\SYSTEM\CCSRV.EXE
    C:\WINDOWS\system32\wuauclt.exe
    H:\Downloads\hijackthis.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.petersantbergen.tk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    O2 - BHO: Adobe PDF Reader Help bij koppelingen - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\System32\keyhook.exe
    O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton Password Manager\AcctMgr.exe /startup
    O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
    O4 - HKLM\..\Run: [UniPrint] C:\Program Files\UniPrint\Client\SetDfltSettings.exe
    O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\RunOnce: [CommCenter] "C:\Program Files\RVS\WCOM\SYSTEM\ccui.exe"
    O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
    O4 - Global Startup: NU.nl Nieuwslezer.lnk = H:\Programma's\NU.nl Nieuwslezer\nunwslzr.exe
    O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
    O8 - Extra context menu item: Converteren naar Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Geselecteerde koppelingen converteren naar Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Geselecteerde koppelingen converteren naar bestaand PDF-bestand - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Koppelingdoel converteren naar Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Koppelingdoel converteren naar bestaand PDF-bestand - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Selectie converteren naar Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Selectie converteren naar bestaand PDF-bestand - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Toevoegen aan bestaand PDF-bestand - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    O23 - Service: RVS CommCenter (RvsCC) - Living Byte Software GmbH, Munchen - C:\Program Files\RVS\WCOM\SYSTEM\RVSCC.EXE
    O23 - Service: RvscomSv - Living Byte Software GmbH, Munchen - C:\Program Files\RVS\WCOM\SYSTEM\RVSCOMSV.EXE
    O23 - Service: RVS Installer (RVSINST) - Living Byte Software GmbH, Munchen - C:\Program Files\RVS\WCOM\SYSTEM\RVSINST.EXE
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: SysEnforce - Unknown owner - C:\PROGRA~1\TRISNA~1\SSI\SYSENF~1.EXE (file missing)
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
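The O4 line the helper singled out earlier in this thread is the pattern worth checking in any such log: a Run value that loads a DLL through rundll32.exe, here a DLL that Windows itself reports as not found at logon. As an added example, not code from the thread or from HijackThis, the Python below parses O4 lines in that format, pulls the DLL and export out of rundll32 commands, marks targets that do not exist on disk, and reports which previously fixed value names are back in a fresh log, which was the symptom here. The sample lines and the on-disk file set are constructed so it runs offline; for a real log, pass os.path.exists instead of the set lookup.

```python
"""Added example, not code from the thread or from HijackThis: triage of
HijackThis O4 lines. Sample lines and the on-disk set are constructed."""
import re
from dataclasses import dataclass, field
from typing import Callable, Iterable, List, Optional
# Constructed sample in the shape HijackThis prints autostart entries.
SAMPLE_LOG = [
    'O4 - HKLM\\..\\Run: [MemoryManager] rundll32.exe "C:\\WINDOWS\\system32\\gidvnprs.dll",sitypnow',
    'O4 - HKLM\\..\\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent',
    'O4 - HKLM\\..\\Run: [ccApp] "C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"',
    'O4 - HKCU\\..\\Run: [CTFMON.EXE] C:\\WINDOWS\\system32\\ctfmon.exe',
]
# Constructed stand-in for os.path.exists; the thread's DLL is the one Windows reports missing.
PRESENT_ON_DISK = {'C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe',
                   'C:\\WINDOWS\\system32\\ctfmon.exe'}

# "O4 - HKLM\..\Run: [name] command"; Startup-folder .lnk lines are not registry entries and are skipped.
O4_RE = re.compile(r'^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
# rundll32[.exe] ["]dll["],[,]export  (the ,, form is what the bthprops.cpl entry uses)
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?)"?\s*,+\s*(?P<export>[A-Za-z_]\w*)', re.I)
# leading absolute path of a plain executable command, quoted or not; arguments are ignored
PATH_RE = re.compile(r'^"?(?P<path>[A-Za-z]:\\[^"]+?\.(?:exe|dll|cpl))"?', re.I)

@dataclass
class Autostart:
    hive: str
    key: str
    name: str
    command: str
    dll: Optional[str] = None      # set when rundll32 hosts the entry
    export: Optional[str] = None   # export rundll32 is told to call
    target: Optional[str] = None   # file that actually runs or is loaded
    findings: List[str] = field(default_factory=list)

def parse_o4(line: str) -> Optional[Autostart]:
    m = O4_RE.match(line.strip())
    if not m:
        return None
    entry = Autostart(m['hive'], m['key'], m['name'], m['cmd'])
    r = RUNDLL_RE.match(entry.command)
    if r:
        entry.dll, entry.export = r['dll'], r['export']
        entry.target = entry.dll
    else:
        p = PATH_RE.match(entry.command)
        entry.target = p['path'] if p else None
    return entry

def triage(lines: Iterable[str], exists: Callable[[str], bool]) -> List[Autostart]:
    out = []
    for line in lines:
        e = parse_o4(line)
        if e is None:
            continue
        if e.dll is not None:
            # The process list only ever shows the signed rundll32.exe; the code that runs is the DLL's export.
            e.findings.append(f'rundll32 hosts {e.dll}!{e.export}; verify the DLL')
        # Bare names (bthprops.cpl) resolve via the search path, so only absolute paths are checked.
        if e.target and '\\' in e.target and not exists(e.target):
            e.findings.append('target missing on disk')
        out.append(e)
    return out

def reappeared(removed_names: Iterable[str], new_log: Iterable[str]) -> List[str]:
    # Value names fixed earlier that are back in a fresh log: the symptom in this thread.
    present = {e.name for e in map(parse_o4, new_log) if e}
    return sorted(set(removed_names) & present)

if __name__ == '__main__':
    for e in triage(SAMPLE_LOG, PRESENT_ON_DISK.__contains__):
        print(f'[{e.name}] {e.hive}\\{e.key}: {"; ".join(e.findings) or "no finding"}')
    print('reappeared after fix:', reappeared(['MemoryManager'], SAMPLE_LOG))
```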

This is an archived page. Replying is no longer possible.