Question & Answer

Security & privacy

cp1041.NLS

pimvandenderen
8 answers
  • Hello,

    I've been struggling with PC problems for a while now. Since I'm no computer technician, I've only just found out that I'm infected with a virus/malware called "Win32:Trojan-gen. {other}".
    It has also placed a small file "cp1041.nls" in my root C:\.

    As a result of the infection I can no longer install new programs and my PC reboots at random...

    Has anyone run into similar problems and could perhaps help me solve this? When I simply delete cp1041.nls, my PC shows no sign of life at all any more...

    Thanks in advance

    Stijn

    styndedecker@hotmail.com
  • Post a HijackThis log and we'll take a look:
    http://forum.computertotaal.nl/phpBB2/viewtopic.php?t=115358

    good luck!

    Pim
  • Thanks for your speedy reply, Pim!
    Below is the HijackThis log (sounds like Chinese to me)

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 17:20:33, on 18/08/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\nslsvice.exe
    C:\WINDOWS\system32\nsl.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\Ahead\InCD\InCD.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\WINDOWS\Dit.exe
    C:\PROGRA~1\TELENE~1\SMARTB~1\MotiveSB.exe
    C:\Program Files\PDF Printer\vspdfprsrv.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Spyware Doctor\SDTrayApp.exe
    C:\Program Files\TomTom HOME\TomTomHOME.exe
    C:\WINDOWS\vsnpstd2.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\PROGRA~1\MI3AA1~1\wcescomm.exe
    C:\Program Files\Telenet EasyCare\bin\mpbtn.exe
    C:\PROGRA~1\MI3AA1~1\rapimgr.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Spyware Doctor\svcntaux.exe
    C:\Program Files\Spyware Doctor\swdsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\HijackThis\HijackThis.exe
    C:\WINDOWS\System32\wbem\wmiprvse.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.telenet.be
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.telenet.be
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.telenet.be
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.telenet.be
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Telenet Internet
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://pac.telenet.be:8080
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    R3 - URLSearchHook: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [Dit] Dit.exe
    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\TELENE~1\SMARTB~1\MotiveSB.exe
    O4 - HKLM\..\Run: [vspdfprsrv.exe] C:\Program Files\PDF Printer\vspdfprsrv.exe –background
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [RemoveWGA] C:\Documents and Settings\Stijn\Local Settings\Temporary Internet Files\Content.IE5\CXMV052F\RemoveWGA.exe -startup
    O4 - HKLM\..\Run: [SDTray] C:\Program Files\Spyware Doctor\SDTrayApp.exe
    O4 - HKLM\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME\TomTomHOME.exe" -s
    O4 - HKLM\..\Run: [SNPSTD2] C:\WINDOWS\vsnpstd2.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MI3AA1~1\wcescomm.exe"
    O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Lokale service')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Netwerkservice')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Adobe Reader Snelle start.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Systeemvak van ATI CATALYST.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
    O4 - Global Startup: Telenet EasyCare.lnk = C:\Program Files\Telenet EasyCare\bin\matcli.exe
    O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra 'Tools' menuitem: Mobiele favorieten maken - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - https://secure.pwc.be/Citrix/MetaFrame/ICAWEB_common/en/ica32/wficat.cab,DanaInfo=be-citrix10+
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1133989010109
    O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - https://vpn.ontexinternational.com/termservices/msrdp.cab,DanaInfo=homer+
    O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://secure.pwc.be/dana-cached/setup/JuniperSetupSP1.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5029/mcfscan.cab
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: Lotus Notes Single Logon - IBM Corp - C:\WINDOWS\system32\nslsvice.exe
    O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
    O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe


    End of file - 8651 bytes
  • 1. Start HijackThis, choose 'Do a system scan only' and tick the lines below:

    R3 - URLSearchHook: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O4 - HKLM\..\Run: [RemoveWGA] C:\Documents and Settings\Stijn\Local Settings\Temporary Internet Files\Content.IE5\CXMV052F\RemoveWGA.exe -startup

    Now close all open windows except HijackThis and click Fix Checked.

    2. Download ComboFix to your desktop

    Double-click combofix.exe
    Follow the instructions and accept the disclaimer by typing y or Y.
    While the fix is running, do NOT click in the window, because that will make your PC hang.

    When the fix has finished and after the restart, the log combofix.txt will open. Keep this log.

    NOTE: If your virus scanner reacts with a warning about a script being executed, you can ignore it.

    In your next reply, post the ComboFix log (combofix.txt) together with a fresh HijackThis log.

    Good luck!

    Pim
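The two lines Pim picks out above are the classic things a log reviewer looks for: an autostart entry whose target no longer exists ("(no file)") and a Run value that launches an executable from the browser cache (Temporary Internet Files), a directory that any user and any visited web page can write into. As an added example that is not part of the original thread and not HijackThis's own logic, here is a small Python triage that applies those heuristics to HijackThis log lines. The sample lines are copied from the log posted above; the rules, the severity labels and the extra checks (bare file names resolved through PATH, services with "Unknown owner") are the editor's assumptions.

```python
"""Triage of HijackThis v2 log lines: rank autostart entries for a closer look.

Added example; not HijackThis's own logic. Heuristics and severities are the
editor's assumptions. SAMPLE_LOG is constructed from lines in the thread's first log.
"""
import re
import sys
from dataclasses import dataclass

SAMPLE_LOG = """\
R3 - URLSearchHook: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\\Program Files\\Java\\jre1.6.0_01\\bin\\ssv.dll
O4 - HKLM\\..\\Run: [avast!] C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe
O4 - HKLM\\..\\Run: [Dit] Dit.exe
O4 - HKLM\\..\\Run: [RemoveWGA] C:\\Documents and Settings\\Stijn\\Local Settings\\Temporary Internet Files\\Content.IE5\\CXMV052F\\RemoveWGA.exe -startup
O4 - HKCU\\..\\Run: [CTFMON.EXE] C:\\WINDOWS\\system32\\ctfmon.exe
O23 - Service: ATI Smart - Unknown owner - C:\\WINDOWS\\system32\\ati2sgag.exe
"""

# Directory fragments (lower-case, backslash-delimited) that no legitimate autostart
# should live in, checked in order; the first match wins.
SUSPECT_DIRS = (
    ("\\temporary internet files\\", "high", "autostart from the browser cache"),
    ("\\local settings\\temp\\", "high", "autostart from a temp directory"),
    ("\\windows\\temp\\", "high", "autostart from a temp directory"),
    ("\\documents and settings\\", "medium", "autostart from inside a user profile"),
)

# Executable path at the start of a Run value, with or without surrounding quotes.
EXE_RE = re.compile(r'^"?(?P<path>.*?\.(?:exe|dll|sys|scr|com|cpl))"?(?:\s|$)', re.IGNORECASE)
# O4 - <hive>\..\Run: [<name>] <command>
O4_RE = re.compile(r"^O4 - (?P<hive>.*?\\Run): \[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)$")


@dataclass
class Finding:
    severity: str  # "high", "medium" or "low"
    line: str
    reason: str


def extract_path(command: str):
    """Return the executable path from a Run value, or None if none is recognisable."""
    m = EXE_RE.match(command.strip())
    return m.group("path") if m else None


def triage(log_text: str):
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # Any section: the registry entry still exists but its target is gone.
        if line.lower().endswith("(no file)"):
            findings.append(Finding("medium", line,
                                    "orphaned entry (target missing); fixable, but ask what removed the file"))
            continue
        m = O4_RE.match(line)
        if m:
            path = extract_path(m.group("cmd"))
            if path is None:
                findings.append(Finding("low", line, "could not identify the executable in this Run value"))
            elif "\\" not in path:
                findings.append(Finding("low", line,
                                        "bare file name, resolved through the PATH search order; confirm which binary really runs"))
            else:
                haystack = path.lower() + "\\"
                for fragment, severity, reason in SUSPECT_DIRS:
                    if fragment in haystack:
                        findings.append(Finding(severity, line, reason))
                        break
            continue
        # Services whose binary carries no publisher information deserve a hash check.
        if line.startswith("O23 - ") and "Unknown owner" in line:
            findings.append(Finding("low", line, "service binary without publisher information; verify its hash"))
    return findings


if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for f in sorted(triage(text), key=lambda f: ("high", "medium", "low").index(f.severity)):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
```

Run it against a saved log with python triage.py hijackthis.txt. It only ranks entries for review: a hit is a reason to check the file's hash, publisher and creation date, not proof of infection, and a legitimate program started from an unusual path will show up as well.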
  • Hi Pim,

    Below is a copy of the ComboFix log and the HijackThis log.

    Thanks in advance for your effort and time!!!

    regards,
    Stijn



    ComboFix 07-08-14.4 - "Stijn" 2007-08-18 18:49:17.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.31.1043.18.216 [GMT 2:00]
    * Created a new restore point


    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))



    Infected copy of C:\WINDOWS\system32\drivers\ndis.sys was found & disinfected
    C:\WINDOWS\system32\svcp.csv
    C:\WINDOWS\system32\winsub.xml
    Restored copy from - c:\WINDOWS\ServicePackFiles\i386\ndis.sys


    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


    -------\LEGACY_NTLDR.SYS
    -------\ntldr.sys


    ((((((((((((((((((((((((( Files Created from 2007-07-18 to 2007-08-18 )))))))))))))))))))))))))))))))


    2007-08-18 18:48 51,200 --a------ C:\WINDOWS\nircmd.exe
    2007-08-17 16:44 59,264 --a--c--- C:\WINDOWS\system32\dllcache\usbaudio.sys
    2007-08-17 16:44 59,264 --a------ C:\WINDOWS\system32\drivers\USBAUDIO.sys
    2007-08-17 16:44 54,272 --a--c--- C:\WINDOWS\system32\dllcache\vfwwdm32.dll
    2007-08-17 16:44 54,272 --a------ C:\WINDOWS\system32\vfwwdm32.dll
    2007-08-17 16:44 31,616 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
    2007-08-17 16:44 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
    2007-08-17 16:43 53,248 --a------ C:\WINDOWS\system32\dsnpstd2.dll
    2007-08-17 16:43 53,248 --a------ C:\WINDOWS\amcap.exe
    2007-08-17 16:43 40,960 --a------ C:\WINDOWS\vsnpstd2.exe
    2007-08-17 16:42 61,440 --a------ C:\WINDOWS\system32\csnpstd2.dll
    2007-08-17 16:42 40,960 --a------ C:\WINDOWS\system32\rsnpstd2.dll
    2007-08-17 16:42 36,864 --a------ C:\WINDOWS\system32\vsnpstd2.dll
    2007-08-17 16:42 302,720 --a------ C:\WINDOWS\system32\drivers\snpstd2.sys
    2007-08-17 16:42 20,480 --a------ C:\WINDOWS\usnpstd2.exe
    2007-08-17 16:42 <DIR> d-------- C:\Program Files\Common Files\snpstd2
    2007-08-16 11:54 <DIR> d-------- C:\Program Files\SLD Codec Pack
    2007-08-15 11:36 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
    2007-08-04 14:49 <DIR> d-------- C:\DVDs
    2007-08-01 16:20 <DIR> d-------- C:\Program Files\DVDFab Decrypter 3


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2007-08-18 16:46 17408 --a------ C:\WINDOWS\system32\drivers\USBCRFT.SYS
    2007-08-17 16:42 --------- d--h----- C:\Program Files\InstallShield Installation Information
    2007-07-28 00:07 783224 --a------ C:\WINDOWS\system32\aswBoot.exe
    2007-07-28 00:02 94416 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
    2007-07-28 00:02 92848 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
    2007-07-28 00:00 23152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
    2007-07-27 23:59 42912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
    2007-07-27 23:58 26624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
    2007-07-27 23:57 95608 --a------ C:\WINDOWS\system32\AVASTSS.scr
    2007-07-17 00:55 --------- d-------- C:\Program Files\TomTom HOME
    2007-07-16 15:03 --------- d-------- C:\DOCUME~1\Stijn\APPLIC~1\InstallShield
    2007-07-16 15:01 --------- d-------- C:\Program Files\TomTom DesktopSuite
    2007-07-15 10:06 --------- d-------- C:\Program Files\Spyware Doctor
    2007-07-08 10:30 --------- d-------- C:\Program Files\Outlook Express Backup Restore
    2007-06-26 16:15 662016 -----c--- C:\WINDOWS\system32\dllcache\wininet.dll
    2007-06-26 15:58 851968 -----c--- C:\WINDOWS\system32\dllcache\vgx.dll
    2007-06-26 08:10 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
    2007-06-26 08:10 1104896 -----c--- C:\WINDOWS\system32\dllcache\msxml3.dll
    2007-06-19 15:33 282112 --a------ C:\WINDOWS\system32\gdi32.dll
    2007-06-19 15:33 282112 -----c--- C:\WINDOWS\system32\dllcache\gdi32.dll
    2007-06-16 07:50 716800 --a------ C:\WINDOWS\iun6002ev.exe
    2007-06-14 20:11 96768 -----c--- C:\WINDOWS\system32\dllcache\inseng.dll
    2007-06-14 20:11 616960 -----c--- C:\WINDOWS\system32\dllcache\urlmon.dll
    2007-06-14 20:11 55808 -----c--- C:\WINDOWS\system32\dllcache\extmgr.dll
    2007-06-14 20:11 532480 -----c--- C:\WINDOWS\system32\dllcache\mstime.dll
    2007-06-14 20:11 474624 -----c--- C:\WINDOWS\system32\dllcache\shlwapi.dll
    2007-06-14 20:11 449024 -----c--- C:\WINDOWS\system32\dllcache\mshtmled.dll
    2007-06-14 20:11 39424 -----c--- C:\WINDOWS\system32\dllcache\pngfilt.dll
    2007-06-14 20:11 357888 -----c--- C:\WINDOWS\system32\dllcache\dxtmsft.dll
    2007-06-14 20:11 3079680 -----c--- C:\WINDOWS\system32\dllcache\mshtml.dll
    2007-06-14 20:11 251392 -----c--- C:\WINDOWS\system32\dllcache\iepeers.dll
    2007-06-14 20:11 205312 -----c--- C:\WINDOWS\system32\dllcache\dxtrans.dll
    2007-06-14 20:11 16384 -----c--- C:\WINDOWS\system32\dllcache\jsproxy.dll
    2007-06-14 20:11 151552 -----c--- C:\WINDOWS\system32\dllcache\cdfview.dll
    2007-06-14 20:11 1494528 -----c--- C:\WINDOWS\system32\dllcache\shdocvw.dll
    2007-06-14 20:11 146432 -----c--- C:\WINDOWS\system32\dllcache\msrating.dll
    2007-06-14 20:11 1057280 -----c--- C:\WINDOWS\system32\dllcache\danim.dll
    2007-06-14 20:11 1023488 -----c--- C:\WINDOWS\system32\dllcache\browseui.dll
    2007-06-14 16:07 18432 -----c--- C:\WINDOWS\system32\dllcache\iedw.exe
    2007-06-13 15:24 1036800 --a------ C:\WINDOWS\explorer.exe
    2007-06-13 15:24 1036800 -----c--- C:\WINDOWS\system32\dllcache\explorer.exe
    2007-05-26 23:27 2864 --a--c--- C:\WINDOWS\system32\dllcache\winsock.dll
    2007-05-26 23:27 2864 --a------ C:\WINDOWS\system32\winsock.dll
    2002-07-26 17:02 153088 --a------ C:\Program Files\UNWISE.EXE


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-06 02:07]
    "SoundMan"="SOUNDMAN.EXE" [2004-06-18 10:31 C:\WINDOWS\SOUNDMAN.EXE]
    "avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-07-28 00:03]
    "NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 12:50]
    "InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [2005-07-25 13:01]
    "RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 19:42]
    "Dit"="Dit.exe" [2004-09-22 19:53 C:\WINDOWS\Dit.exe]
    "Motive SmartBridge"="C:\PROGRA~1\TELENE~1\SMARTB~1\MotiveSB.exe" [2004-04-07 10:05]
    "vspdfprsrv.exe"="C:\Program Files\PDF Printer\vspdfprsrv.exe" [2005-02-20 17:53]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-01-30 20:13]
    "SDTray"="C:\Program Files\Spyware Doctor\SDTrayApp.exe" [2007-05-28 11:06]
    "TomTomHOME.exe"="C:\Program Files\TomTom HOME\TomTomHOME.exe" [2007-03-14 16:52]
    "SNPSTD2"="C:\WINDOWS\vsnpstd2.exe" [2004-01-05 18:34]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:03]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 18:24]
    "H/PC Connection Agent"="C:\PROGRA~1\MI3AA1~1\wcescomm.exe" [2006-06-27 20:25]
    "NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2005-09-16 18:41]

    C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\
    Adobe Reader Snelle start.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26]
    Systeemvak van ATI CATALYST.lnk - C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe [2005-08-06 02:07:30]
    Telenet EasyCare.lnk - C:\Program Files\Telenet EasyCare\bin\matcli.exe [2005-12-07 21:54:09]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

    R1 NEOFLTR_500_8897;Juniper Networks TDI Filter Driver (NEOFLTR_500_8897);\??\C:\WINDOWS\system32\Drivers\NEOFLTR_500_8897.SYS
    R3 CardReaderFilter;Card Reader Filter;\??\C:\WINDOWS\system32\Drivers\USBCRFT.SYS
    R3 snpstd2;USB PC Camera (SN9C103);C:\WINDOWS\system32\DRIVERS\snpstd2.sys


    **************************************************************************

    catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-08-18 18:56:13
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes …

    scanning hidden autostart entries …

    scanning hidden files …

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Completion time: 2007-08-18 18:59:33 - machine was rebooted
    C:\ComboFix-quarantined-files.txt … 2007-08-18 18:59

    — E O F —

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 19:52:59, on 18/08/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\nslsvice.exe
    C:\WINDOWS\system32\nsl.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Spyware Doctor\svcntaux.exe
    C:\Program Files\Spyware Doctor\swdsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\Ahead\InCD\InCD.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\WINDOWS\Dit.exe
    C:\PROGRA~1\TELENE~1\SMARTB~1\MotiveSB.exe
    C:\Program Files\PDF Printer\vspdfprsrv.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Spyware Doctor\SDTrayApp.exe
    C:\Program Files\TomTom HOME\TomTomHOME.exe
    C:\WINDOWS\vsnpstd2.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\PROGRA~1\MI3AA1~1\wcescomm.exe
    C:\PROGRA~1\MI3AA1~1\rapimgr.exe
    C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Program Files\Telenet EasyCare\bin\mpbtn.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\HijackThis\HijackThis.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\System32\wbem\wmiprvse.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.telenet.be
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.telenet.be
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://pac.telenet.be:8080
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [Dit] Dit.exe
    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\TELENE~1\SMARTB~1\MotiveSB.exe
    O4 - HKLM\..\Run: [vspdfprsrv.exe] C:\Program Files\PDF Printer\vspdfprsrv.exe –background
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SDTray] C:\Program Files\Spyware Doctor\SDTrayApp.exe
    O4 - HKLM\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME\TomTomHOME.exe" -s
    O4 - HKLM\..\Run: [SNPSTD2] C:\WINDOWS\vsnpstd2.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MI3AA1~1\wcescomm.exe"
    O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Lokale service')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Netwerkservice')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Adobe Reader Snelle start.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Systeemvak van ATI CATALYST.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
    O4 - Global Startup: Telenet EasyCare.lnk = C:\Program Files\Telenet EasyCare\bin\matcli.exe
    O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra 'Tools' menuitem: Mobiele favorieten maken - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - https://secure.pwc.be/Citrix/MetaFrame/ICAWEB_common/en/ica32/wficat.cab,DanaInfo=be-citrix10+
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1133989010109
    O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - https://vpn.ontexinternational.com/termservices/msrdp.cab,DanaInfo=homer+
    O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://secure.pwc.be/dana-cached/setup/JuniperSetupSP1.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5029/mcfscan.cab
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: Lotus Notes Single Logon - IBM Corp - C:\WINDOWS\system32\nslsvice.exe
    O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
    O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe


    End of file - 8467 bytes
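The "Other Deletions" section of the ComboFix log above reports an infected ndis.sys (the Windows network driver) that was disinfected by restoring the copy kept in C:\WINDOWS\ServicePackFiles\i386; the Find3M section shows the other place XP keeps reference copies, system32\dllcache. As an added example that is not ComboFix's code, the Python below does the underlying comparison by hand: hash the live file, hash the reference copy, and when they differ move the live file to quarantine and copy the reference in. The directory layout and file contents built by run_demo are constructed stand-ins in a temporary directory, so it runs anywhere and touches no real driver.

```python
"""Check a system file against its reference copy and restore it when it differs.

Added example, not ComboFix's code. ComboFix reported an infected
C:\\WINDOWS\\system32\\drivers\\ndis.sys and restored the copy kept in
C:\\WINDOWS\\ServicePackFiles\\i386; this does that comparison by hand. The
demo builds both trees in a temporary directory with constructed stand-in
bytes, so it runs anywhere and touches no real driver.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def check_against_reference(live: Path, reference: Path) -> dict:
    """Compare the live file and the reference copy by size and SHA-256.

    A mismatch says the two differ, not which one is bad: the reference must
    be trusted (install media, or a hash published by the vendor) first.
    """
    if not reference.is_file():
        return {"status": "no-reference"}
    if not live.is_file():
        return {"status": "missing"}
    live_hash, ref_hash = sha256_of(live), sha256_of(reference)
    same = live.stat().st_size == reference.stat().st_size and live_hash == ref_hash
    return {"status": "match" if same else "mismatch",
            "live_sha256": live_hash, "reference_sha256": ref_hash}


def restore_from_reference(live: Path, reference: Path, quarantine: Path) -> Path:
    """Move the modified file to quarantine (kept for analysis), then copy the reference in."""
    quarantine.mkdir(parents=True, exist_ok=True)
    kept = quarantine / (live.name + ".quarantined")
    shutil.move(str(live), str(kept))
    shutil.copy2(str(reference), str(live))
    return kept


def run_demo() -> dict:
    """Constructed scenario: a same-size in-place patch of the driver, caught only by the hash."""
    root = Path(tempfile.mkdtemp(prefix="ndis-check-"))
    try:
        live = root / "system32" / "drivers" / "ndis.sys"
        reference = root / "ServicePackFiles" / "i386" / "ndis.sys"
        live.parent.mkdir(parents=True)
        reference.parent.mkdir(parents=True)
        genuine = b"MZ" + bytes(range(256)) * 4          # stand-in, not real driver bytes
        patched = bytearray(genuine)
        patched[0x40:0x48] = b"\x90" * 8                  # same length, different contents
        reference.write_bytes(genuine)
        live.write_bytes(bytes(patched))

        before = check_against_reference(live, reference)
        kept = restore_from_reference(live, reference, root / "quarantine")
        after = check_against_reference(live, reference)
        return {
            "before": before["status"],
            "after": after["status"],
            "same_size": len(genuine) == len(patched),
            "quarantine_kept_patched_copy": kept.read_bytes() == bytes(patched),
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The size check alone would have missed this case, which is why the hash is compared as well. The check trusts the reference copy; when the backup directories may have been touched too, compare against the install media or run sfc /scannow on XP instead. Quarantining rather than deleting the patched file keeps the evidence and leaves a way back, which matters on a machine where, as in this thread, deleting a single file (cp1041.nls) already left it unable to boot.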
  • Hi Pim,

    I'm no longer experiencing any negative effects from the virus, so I assume you've already caught it!

    Avast is still busy scanning, but I'm confident.

    Many thanks again!!!

    regards,
    Stijn
  • Hi Stijn,

    I don't see anything odd in your logfile any more, let me know how it goes :)

    Pim
  • Hi Pim,

    Thanks again, the PC runs fine as if nothing had ever happened...

    Respect, man ;-)

    thanks,
    Stijn


This is an archived page. Replying is no longer possible.