Trojan Vundo and Trojan Duntek

15 answers
  • I have been bothered for some time by unwanted pop-ups on my computer, almost only in Explorer (I mainly use Firefox).
    Norton AntiVirus reported trojan.vundo and trojan.duntek.

    In other topics I saw what the first steps are to remove trojan.vundo, where the users were asked to post logs.

    I have just run VundoFix and HijackThis and have the logs from them. I hope someone here can help me further now.

    I also hope there is someone who knows what is best to do about trojan.duntek.
    A virus scan by Norton and a scan by Hitman Pro have not achieved anything yet.
    The logs:




    VundoFix V6.5.7

    Checking Java version…

    Java version is 1.5.0.2
    Old versions of java are exploitable and should be removed.

    Scan started at 23:57:37 26-8-2007

    Listing files found while scanning….

    C:\windows\system32\comsam.dll
    C:\WINDOWS\system32\tmp13D.tmp.dll
    C:\WINDOWS\system32\tmp3.tmp.dll
    C:\WINDOWS\system32\tmp4.tmp.dll

    Beginning removal…

    Attempting to delete C:\windows\system32\comsam.dll
    C:\windows\system32\comsam.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\tmp13D.tmp.dll
    C:\WINDOWS\system32\tmp13D.tmp.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\tmp3.tmp.dll
    C:\WINDOWS\system32\tmp3.tmp.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\tmp4.tmp.dll
    C:\WINDOWS\system32\tmp4.tmp.dll Has been deleted!

    Performing Repairs to the registry.
    Done!





    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 0:04:09, on 27-8-2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\drivers\CDAC11BA.EXE
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Eset\nod32krn.exe
    C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\HJT\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {1794d56a-6303-4a1f-b947-c5dd828aad4b} - C:\WINDOWS\system32\comsam.dll (file missing)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
    O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
    O4 - HKLM\..\RunServices: [p2pnetworking] p2pnetworking.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')
    O4 - HKUS\S-1-5-21-1547161642-1500820517-682003330-1004\..\Run: [PowerBar] (User '?')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
    O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
    O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
    O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {003FADA5-8FEE-11D6-AFB7-0004768F6183} (CryptoRSA Control) - https://www.p3.postbank.nl/sesam/CAX.cab
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
    O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
    O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game14.zylomgames.com/activex/zylomgamesplayer.cab
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
    O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: iPod-service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    O23 - Service: Norton AntiVirus Auto-Protect-service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
    O23 - Service: Planner voor Automatische LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


    End of file - 8959 bytes




    Thanks in advance!





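Reading a HijackThis log by hand, as the replies in this thread do, comes down to a few triage heuristics: an O2 BHO registered with no name or whose DLL is already gone (the comsam.dll entry above), an O4 autorun that names a bare executable or has an empty command (p2pnetworking.exe, PowerBar), and an O23 service with no publisher. The Python script below is an added example, not code from this thread or from HijackThis; it parses those three line types and flags such entries, running on a constructed sample whose lines are copied from the log posted above.

```python
"""Triage helper for HijackThis v2 log lines (added example, not part of the thread)."""
import re
from dataclasses import dataclass

# Constructed sample in HijackThis v2 format; the entries are copied from the log
# posted above so the heuristics can be checked against the known-bad BHO (comsam.dll).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1794d56a-6303-4a1f-b947-c5dd828aad4b} - C:\WINDOWS\system32\comsam.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\RunServices: [p2pnetworking] p2pnetworking.exe
O4 - HKUS\S-1-5-21-1547161642-1500820517-682003330-1004\..\Run: [PowerBar] (User '?')
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
"""

# "O2 - BHO: ..." -> section "O2", body "BHO: ..."
LINE_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.*)$")
# "HKLM\..\Run: [name] command" (hive may contain a SID, e.g. HKUS\S-1-5-19)
RUN_RE = re.compile(r"^(?P<hive>.+?)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] ?(?P<cmd>.*)$")
# HijackThis appends "(User 'name')" to per-user entries; it is not part of the command
USER_TAG_RE = re.compile(r"\s*\(User '[^']*'\)\s*$")
ABS_PATH_RE = re.compile(r"^[A-Za-z]:\\")


@dataclass
class Finding:
    section: str
    line: str
    reasons: list


def check_bho(body: str) -> list:
    """O2 (Browser Helper Objects): nameless or orphaned registrations are typical of Vundo."""
    reasons = []
    if body.startswith("BHO: (no name)"):
        reasons.append("BHO registered without a name")
    if body.endswith("(file missing)"):
        reasons.append("BHO DLL no longer on disk (orphaned CLSID registration)")
    return reasons


def check_autorun(body: str) -> list:
    """O4 (Run / RunServices): flag legacy keys, empty commands and non-absolute paths."""
    m = RUN_RE.match(body)
    if not m:
        return []
    reasons = []
    if m.group("key").lower() == "runservices":
        reasons.append("uses the legacy RunServices key")
    cmd = USER_TAG_RE.sub("", m.group("cmd")).strip()
    if not cmd:
        reasons.append("autorun entry with an empty command")
        return reasons
    exe = cmd.split()[0].strip('"')  # first token of the command line
    if not ABS_PATH_RE.match(exe):
        reasons.append("autorun command is not an absolute path (resolved via PATH)")
    return reasons


def check_service(body: str) -> list:
    """O23 (services): rsplit keeps a ' - ' inside the display name intact."""
    parts = body[len("Service: "):].rsplit(" - ", 2)
    if len(parts) != 3:
        return []
    _name, owner, path = parts
    reasons = []
    if owner == "Unknown owner":
        reasons.append("service binary has no publisher information")
    if not ABS_PATH_RE.match(path.strip('"')):
        reasons.append("service path is not absolute")
    return reasons


CHECKS = {"O2": check_bho, "O4": check_autorun, "O23": check_service}


def triage(log_text: str) -> list:
    """Return a Finding for every line that trips at least one heuristic."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        reasons = CHECKS.get(section, lambda _b: [])(body)
        if reasons:
            findings.append(Finding(section, raw.strip(), reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.line}")
        for r in f.reasons:
            print(f"    - {r}")
```

A hit is a prompt to look closer (check the publisher, the file on disk, the CLSID), not a verdict; legitimate software occasionally trips these heuristics too.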
  • Download combofix.exe: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
    Put it on your desktop.
    Double-click it to start the program.
    In the window that appears, type a Y to start the cleaning process.
    Follow the instructions on the screen.
    When the tool is finished, a log file (combofix.txt) opens.
    Post the contents of this file together with a new HijackThis log.
  • I get a 404 message for that page..
    Maybe there's a typo in the URL?

    edit: I googled a bit and see that the URL is correct; the file has apparently been removed..
    I can't find another one online myself; maybe you know where I can download the file?
  • take this one: http://www.techsupportforum.com/sectools/combofix.exe
  • you beat me to it :)

    I downloaded that file, but I then get a text file with the following message:

    "You have used an invalid url to download ComboFix.exe. Please be advised that these are the correct links to use

    http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe

    http://download.bleepingcomputer.com/sUBs/ComboFix.exe"

    Neither link works..

  • Both links are indeed down.
    I'll check with the tool's author what exactly is going on.
  • There turn out to be some problems with ComboFix.

    Download Brute Force Uninstaller: http://www.merijn.org/files/bfu.zip
    Unzip it into its own folder on your C:\ (c:\BFU).
    Read here how to unzip correctly:
    http://home.planet.nl/~kleyn080/unzippenXPuitleg.html

    Double-click BFU.exe to start the Brute Force Uninstaller.

    Next to the 'scriptfile to execute' window you will see a small icon (image: http://users.telenet.be/bluepatchy/miekiemoes/images/bfuicon.JPG)
    Click on that icon and a new window will open.
    At the top it says: 'Please enter the full URL to the script you want to execute'
    In that window, copy and paste the following URL:
    http://home.planet.nl/~kleyn080/alcanshorty.bfu

    Click OK
    Then click execute in Brute Force Uninstaller.

    Wait until you see the message complete script execution and then click OK.
    Click exit to close the program.

    Restart the computer, make a new HijackThis log and post it.
  • OK, I've run Brute Force; this is the new HijackThis log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 18:11:34, on 27-8-2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\drivers\CDAC11BA.EXE
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Eset\nod32krn.exe
    C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
    C:\HJT\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {1794d56a-6303-4a1f-b947-c5dd828aad4b} - C:\WINDOWS\system32\comsam.dll (file missing)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
    O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')
    O4 - HKUS\S-1-5-21-1547161642-1500820517-682003330-1004\..\Run: [PowerBar] (User '?')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
    O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
    O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
    O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {003FADA5-8FEE-11D6-AFB7-0004768F6183} (CryptoRSA Control) - https://www.p3.postbank.nl/sesam/CAX.cab
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
    O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
    O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game14.zylomgames.com/activex/zylomgamesplayer.cab
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
    O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: iPod-service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    O23 - Service: Norton AntiVirus Auto-Protect-service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
    O23 - Service: Planner voor Automatische LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


    End of file - 8898 bytes





  • Can you now make a log with the new version of ComboFix?
    (the tool is available again)
  • maybe I'm doing something wrong, but I still can't download ComboFix..
  • It should work now.
  • OK, now it did work. It had changed some settings when I restarted.. The firewall was disabled, my virus scanner was not recognised and Explorer was the default browser again (I have Firefox set as default). I've restored this, I hope that's OK..

    This is the log:

    ComboFix 07-08-30.1 - "****" 2007-08-29 23:39:12.1 - NTFSx86


    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\DOCUME~1\****\APPLIC~1\macromedia\Flash Player\#SharedObjects\JC48FZ8J\www.broadcaster.com
    C:\DOCUME~1\****\APPLIC~1\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
    C:\WINDOWS\system32\_000005_.tmp.dll
    C:\WINDOWS\tuutvw.ini
    C:\WINDOWS\wvtuut.dll


    ((((((((((((((((((((((((( Files Created from 2007-07-28 to 2007-08-30 )))))))))))))))))))))))))))))))


    2007-08-29 23:38 51,200 --a------ C:\WINDOWS\nircmd.exe
    2007-08-29 08:28 <DIR> d-------- C:\WINDOWS\LastGood.Tmp
    2007-08-27 18:07 <DIR> d-------- C:\bintheredunthat
    2007-08-27 18:04 <DIR> d-------- C:\bfu
    2007-08-27 00:03 <DIR> d-------- C:\HJT
    2007-08-26 23:57 <DIR> d-------- C:\VundoFix Backups
    2007-08-25 11:40 <DIR> d-------- C:\DOCUME~1\****\ppPokerDir
    2007-07-10 17:39 737,280 --a------ C:\WINDOWS\iun6002.exe
    2007-07-10 17:39 19 --a------ C:\WINDOWS\popcinfo.dat
    2007-07-10 17:39 <DIR> d-------- C:\Program Files\PopCap Games
    2007-07-09 10:34 <DIR> d-------- C:\Program Files\Common Files\Sandlot Shared
    2007-07-09 10:34 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Sandlot Games
    2007-07-09 10:33 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Trymedia
    2007-07-09 09:46 <DIR> d-------- C:\Program Files\BFG
    2007-07-08 19:17 <DIR> d-------- C:\DOCUME~1\****\APPLIC~1\Eyeblaster
    2007-07-08 19:13 <DIR> d-------- C:\Program Files\Zylom Games
    2007-07-08 09:50 <DIR> d-------- C:\DOCUME~1\****\APPLIC~1\PlayFirst
    2007-07-08 09:50 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\PlayFirst


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2007-08-29 08:31 --------- d-------- C:\Program Files\Common Files\Symantec Shared
    2007-08-27 21:09 --------- d-------- C:\DOCUME~1\****\APPLIC~1\Ahead
    2007-08-25 21:01 --------- d-------- C:\DOCUME~1\****\APPLIC~1\uTorrent
    2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
    2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
    2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
    2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
    2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
    2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
    2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
    2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
    2007-07-12 11:28 --------- d--h----- C:\Program Files\InstallShield Installation Information
    2007-07-08 19:13 --------- d-------- C:\DOCUME~1\****\APPLIC~1\Zylom
    2007-07-07 13:26 --------- d-------- C:\Program Files\Norton AntiVirus
    2007-07-07 13:24 806 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
    2007-07-07 13:24 8014 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
    2007-07-07 13:24 48776 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
    2007-07-07 13:24 115000 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
    2007-07-07 13:24 --------- d-------- C:\Program Files\Symantec
    2007-07-07 13:24 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec
    2007-06-26 08:10 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
    2007-06-19 15:33 282112 --a------ C:\WINDOWS\system32\gdi32.dll
    2007-06-13 15:24 1036800 --a------ C:\WINDOWS\explorer.exe
    2007-03-09 22:06 87608 --a------ C:\DOCUME~1\****\APPLIC~1\ezpinst.exe
    2007-03-09 22:06 47360 --a------ C:\DOCUME~1\****\APPLIC~1\pcouffin.sys
    2004-03-11 13:27 40960 --a------ C:\Program Files\Uninstall_CDS.exe
    2001-10-05 12:53 21866 --a------ C:\Program Files\Common Files\tppupd2k.dll
    2007-03-17 14:28:37 848 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1794d56a-6303-4a1f-b947-c5dd828aad4b}]
    C:\WINDOWS\system32\comsam.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-03-01 12:04]
    "Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 10:22]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "PowerBar"="" []
    "msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2006-07-29 20:34]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "Spyware Doctor"=

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^Adobe Reader Snelle start.lnk]
    path=C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\Adobe Reader Snelle start.lnk
    backup=C:\WINDOWS\pss\Adobe Reader Snelle start.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^BlueSoleil.lnk]
    path=C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\BlueSoleil.lnk
    backup=C:\WINDOWS\pss\BlueSoleil.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^HP Digital Imaging Monitor.lnk]
    path=C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\HP Digital Imaging Monitor.lnk
    backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^Microsoft Office.lnk]
    path=C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\Microsoft Office.lnk
    backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^Snelstart HP Image Zone.lnk]
    path=C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\Snelstart HP Image Zone.lnk
    backup=C:\WINDOWS\pss\Snelstart HP Image Zone.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
    rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BullsEye Network]
    C:\Program Files\BullsEye Network\bin\bargains.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
    "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
    C:\WINDOWS\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
    "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Internet Optimizer]
    "C:\Program Files\Internet Optimizer\optimize.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    C:\Program Files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Media Access]
    C:\Program Files\Media Access\MediaAccK.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
    "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msxct]
    msxct.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    C:\WINDOWS\system32\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\p2pnetworking]
    p2pnetworking.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Power Scan]
    C:\Program Files\Power Scan\powerscan.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    "C:\Program Files\QuickTime\qttask.exe" -atboottime

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
    "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SAHBundle]
    C:\DOCUME~1\****\LOCALS~1\Temp\sahagent-cdt1004.exe run

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\salm]
    c:\temp\salm.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\setup]
    rundll32.exe "C:\WINDOWS\wvtuut.dll",realset

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
    SOUNDMAN.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
    C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPP Auto Loader]
    C:\WINDOWS\tppaldr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
    "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
    %systemroot%\system32\dumprep 0 -u

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winupdate]
    C:\Program Files\winupdate\winupdate.exe /auto



    Contents of the 'Scheduled Tasks' folder
    2006-04-04 19:56:47 C:\WINDOWS\Tasks\Norton AntiVirus - Norton QuickScan uitvoeren - ****.job - C:\PROGRA~1\NORTON~1\NAVW32.EXE
    2007-07-06 18:00:14 C:\WINDOWS\Tasks\Norton AntiVirus - Volledige systeemscan uitvoeren - ****.job - C:\PROGRA~1\NORTON~1\Navw32.exe

    **************************************************************************

    catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-08-30 23:43:20
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes …

    scanning hidden autostart entries …

    HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    PowerBar = ????<???D??sh??????w????h???Z??w(???*??wD?@?<?@?0?c???????????????????????????2????????????????????w????g??w0??w????*??w???w????D??s@??????????w????<?@????????w????D?@???b?????????<?@?<?@????????w????D?@?????<?@???@?<?@?3??s??????????????????????@?_??s??@???@

    scanning hidden files …

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Completion time: 2007-08-30 23:45:01 - machine was rebooted
    C:\ComboFix-quarantined-files.txt … 2007-08-30 23:44

    — E O F —




    (For privacy reasons I have replaced my surname with asterisks in the file names and in a few other places. That is the name of my account in Windows.)
  • Open a Notepad file.
    Copy the code below into this Notepad file.
    Go to File - Save As.
    Under "Save in" choose: Desktop
    Under "File name" enter: fix.reg
    Under "Save as type" select: All Files (*.*).
    Click the Save button.
    [code]REGEDIT4

    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winupdate]

    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\setup]

    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SAHBundle]

    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\salm]

    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Power Scan]

    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\p2pnetworking]

    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msxct]

    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Media Access]

    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Internet Optimizer]

    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BullsEye Network]

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1794d56a-6303-4a1f-b947-c5dd828aad4b}]

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\{1794d56a-6303-4a1f-b947-c5dd828aad4b}]

    [/code]
    Double-click the fix.reg file and allow the changes to be added to the registry.


    Download ATF Cleaner (made by Atribune)
    Double-click ATF Cleaner to start the program.
    In the "Main" window, put a check mark next to [b]Select All[/b].
    Click the [b]Empty Selected[/b] button.

    If you also use Firefox as a browser:
    Click the "Firefox" tab and put a check mark next to [b]Select All[/b].
    If you want to keep the passwords saved by Firefox, click "No" in the window that appears.
    (this removes the check mark next to "Firefox saved passwords")
    Click the [b]Empty Selected[/b] button.

    If you also use Opera as a browser:
    Click the "Opera" tab and put a check mark next to [b]Select All[/b].
    If you want to keep the passwords saved by Opera, click "No" in the window that appears.
    Click the [b]Empty Selected[/b] button.

    Go to the "Main" menu and click the [b]Exit[/b] button to close the program.


    Restart the computer, make a new log with ComboFix and post it.
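The fix above deletes msconfig startupreg keys and then asks for a fresh ComboFix log to confirm the result. The Python below is an added example, not code from this thread or from ComboFix: it parses the "Reg Loading Points" section of a before and an after log together with the `[-KEY]` deletions in fix.reg, reports which keys actually disappeared, and flags the two traits the removed entries in this thread share (a binary run from a Temp folder, rundll32 loading a DLL straight out of the Windows root). The log and .reg excerpts are constructed from this thread and the heuristics are the example's own.

```python
import re

# Constructed excerpts (not complete logs) of the "Reg Loading Points" section of the
# two ComboFix logs in this thread, before and after fix.reg was applied. winupdate,
# which fix.reg also deletes, is deliberately left out of the excerpt.
LOG_BEFORE = r"""[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SAHBundle]
C:\DOCUME~1\****\LOCALS~1\Temp\sahagent-cdt1004.exe run
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\setup]
rundll32.exe "C:\WINDOWS\wvtuut.dll",realset
"""
LOG_AFTER = r"""[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
"""
FIX_REG = r"""REGEDIT4
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\setup]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SAHBundle]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winupdate]
"""

def parse_loading_points(log):
    """Map each [key] header (lower-cased: registry keys are case-insensitive) to the command below it."""
    entries, key = {}, None
    for line in log.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
        elif line and key:
            entries[key], key = line, None
    return entries

def parse_reg_deletions(reg_text):
    """Keys a .reg file removes: one [-KEY] header per line, lower-cased."""
    return {m.group(1).lower() for m in re.finditer(r"^\[-(.+)\]$", reg_text, re.M)}

def verify_fix(before, after, reg_text):
    """Report which keys fix.reg removed, which survived, and which were never listed."""
    b, a = parse_loading_points(before), parse_loading_points(after)
    wanted = parse_reg_deletions(reg_text)
    return {"removed": sorted(k for k in wanted if k in b and k not in a),
            "still_present": sorted(k for k in wanted if k in a),
            "not_in_before": sorted(k for k in wanted if k not in b)}

def suspicious_entries(log):
    """Flag the traits the fix targeted: a binary run from a Temp folder, or
    rundll32 loading a DLL straight out of the Windows root (heuristics of this example)."""
    flagged = {}
    for key, cmd in parse_loading_points(log).items():
        c = cmd.lower()
        if re.search(r"\\temp\\", c):
            flagged[key] = "runs from a Temp folder"
        elif re.search(r'rundll32\.exe\s+"?[a-z]:\\windows\\[^\\"]+\.dll', c):
            flagged[key] = "rundll32 loads a DLL from the Windows root"
    return flagged
```

A key that lands in "still_present" after the reboot means the .reg deletion did not take, which is the cue to look for something re-creating it.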
  • Did all of this.

    New log:

    ComboFix 07-08-30.1 - "****" 2007-08-31 9:45:24.2 - NTFSx86


    ((((((((((((((((((((((((( Files Created from 2007-07-28 to 2007-08-31 )))))))))))))))))))))))))))))))


    2007-08-29 23:38 51,200 –a—— C:\WINDOWS\nircmd.exe
    2007-08-27 18:07 <DIR> d——– C:\bintheredunthat
    2007-08-27 18:04 <DIR> d——– C:\bfu
    2007-08-27 00:03 <DIR> d——– C:\HJT
    2007-08-26 23:57 <DIR> d——– C:\VundoFix Backups
    2007-08-25 11:40 <DIR> d——– C:\DOCUME~1\****\ppPokerDir
    2007-07-10 17:39 737,280 –a—— C:\WINDOWS\iun6002.exe
    2007-07-10 17:39 19 –a—— C:\WINDOWS\popcinfo.dat
    2007-07-10 17:39 <DIR> d——– C:\Program Files\PopCap Games
    2007-07-09 10:34 <DIR> d——– C:\Program Files\Common Files\Sandlot Shared
    2007-07-09 10:34 <DIR> d——– C:\DOCUME~1\ALLUSE~1\APPLIC~1\Sandlot Games
    2007-07-09 10:33 <DIR> d——– C:\DOCUME~1\ALLUSE~1\APPLIC~1\Trymedia
    2007-07-09 09:46 <DIR> d——– C:\Program Files\BFG
    2007-07-08 19:17 <DIR> d——– C:\DOCUME~1\****\APPLIC~1\Eyeblaster
    2007-07-08 19:13 <DIR> d——– C:\Program Files\Zylom Games
    2007-07-08 09:50 <DIR> d——– C:\DOCUME~1\****\APPLIC~1\PlayFirst
    2007-07-08 09:50 <DIR> d——– C:\DOCUME~1\ALLUSE~1\APPLIC~1\PlayFirst


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2007-08-29 08:31 ——— d——– C:\Program Files\Common Files\Symantec Shared
    2007-08-27 21:09 ——— d——– C:\DOCUME~1\****\APPLIC~1\Ahead
    2007-08-25 21:01 ——— d——– C:\DOCUME~1\****\APPLIC~1\uTorrent
    2007-07-30 19:19 92504 –a—— C:\WINDOWS\system32\cdm.dll
    2007-07-30 19:19 549720 –a—— C:\WINDOWS\system32\wuapi.dll
    2007-07-30 19:19 53080 –a—— C:\WINDOWS\system32\wuauclt.exe
    2007-07-30 19:19 43352 –a—— C:\WINDOWS\system32\wups2.dll
    2007-07-30 19:19 325976 –a—— C:\WINDOWS\system32\wucltui.dll
    2007-07-30 19:19 203096 –a—— C:\WINDOWS\system32\wuweb.dll
    2007-07-30 19:19 1712984 –a—— C:\WINDOWS\system32\wuaueng.dll
    2007-07-30 19:18 33624 –a—— C:\WINDOWS\system32\wups.dll
    2007-07-12 11:28 ——— d–h—– C:\Program Files\InstallShield Installation Information
    2007-07-08 19:13 ——— d——– C:\DOCUME~1\****\APPLIC~1\Zylom
    2007-07-07 13:26 ——— d——– C:\Program Files\Norton AntiVirus
    2007-07-07 13:24 806 –a—— C:\WINDOWS\system32\drivers\SYMEVENT.INF
    2007-07-07 13:24 8014 –a—— C:\WINDOWS\system32\drivers\SYMEVENT.CAT
    2007-07-07 13:24 48776 –a—— C:\WINDOWS\system32\S32EVNT1.DLL
    2007-07-07 13:24 115000 –a—— C:\WINDOWS\system32\drivers\SYMEVENT.SYS
    2007-07-07 13:24 ——— d——– C:\Program Files\Symantec
    2007-07-07 13:24 ——— d——– C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec
    2007-06-26 08:10 1104896 –a—— C:\WINDOWS\system32\msxml3.dll
    2007-06-19 15:33 282112 –a—— C:\WINDOWS\system32\gdi32.dll
    2007-06-13 15:24 1036800 –a—— C:\WINDOWS\explorer.exe
    2007-03-09 22:06 87608 –a—— C:\DOCUME~1\****\APPLIC~1\ezpinst.exe
    2007-03-09 22:06 47360 –a—— C:\DOCUME~1\****\APPLIC~1\pcouffin.sys
    2004-03-11 13:27 40960 –a—— C:\Program Files\Uninstall_CDS.exe
    2001-10-05 12:53 21866 –a—— C:\Program Files\Common Files\tppupd2k.dll
    2007-03-17 14:28:37 848 –sha-w C:\WINDOWS\system32\KGyGaAvL.sys


    ((((((((((((((((((((((((((((( snapshot_2007-08-30_234439.56 )))))))))))))))))))))))))))))))))))))))))

    —-a-w 13,536 2005-06-28 08:20:24 C:\WINDOWS\SoftwareDistribution\Download\b6030cc9bdf016294e4bc50904635316\spmsg.dll
    —-a-w 216,800 2005-06-28 08:23:40 C:\WINDOWS\SoftwareDistribution\Download\b6030cc9bdf016294e4bc50904635316\spuninst.exe
    —-a-w 317,952 2007-06-27 13:57:10 C:\WINDOWS\SoftwareDistribution\Download\b6030cc9bdf016294e4bc50904635316\unregmp2.exe
    —-a-w 725,728 2005-06-28 08:25:04 C:\WINDOWS\SoftwareDistribution\Download\b6030cc9bdf016294e4bc50904635316\update\update.exe
    —-a-w 371,424 2005-06-28 08:23:54 C:\WINDOWS\SoftwareDistribution\Download\b6030cc9bdf016294e4bc50904635316\update\updspapi.dll


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-03-01 12:04]
    "Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 10:22]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "PowerBar"="" []
    "msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2006-07-29 20:34]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "Spyware Doctor"=

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^Adobe Reader Snelle start.lnk]
    path=C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\Adobe Reader Snelle start.lnk
    backup=C:\WINDOWS\pss\Adobe Reader Snelle start.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^BlueSoleil.lnk]
    path=C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\BlueSoleil.lnk
    backup=C:\WINDOWS\pss\BlueSoleil.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^HP Digital Imaging Monitor.lnk]
    path=C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\HP Digital Imaging Monitor.lnk
    backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^Microsoft Office.lnk]
    path=C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\Microsoft Office.lnk
    backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^Snelstart HP Image Zone.lnk]
    path=C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\Snelstart HP Image Zone.lnk
    backup=C:\WINDOWS\pss\Snelstart HP Image Zone.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
    rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
    "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
    C:\WINDOWS\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
    "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    C:\Program Files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
    "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    C:\WINDOWS\system32\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    "C:\Program Files\QuickTime\qttask.exe" -atboottime

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
    "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
    SOUNDMAN.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
    C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPP Auto Loader]
    C:\WINDOWS\tppaldr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
    "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
    %systemroot%\system32\dumprep 0 -u



    Contents of the 'Scheduled Tasks' folder
    2006-04-04 19:56:47 C:\WINDOWS\Tasks\Norton AntiVirus - Norton QuickScan uitvoeren - ****.job - C:\PROGRA~1\NORTON~1\NAVW32.EXE
    2007-08-30 18:53:35 C:\WINDOWS\Tasks\Norton AntiVirus - Volledige systeemscan uitvoeren - ****.job - C:\PROGRA~1\NORTON~1\Navw32.exe

    **************************************************************************

    catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-08-31 09:47:00
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes …

    scanning hidden autostart entries …

    HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    PowerBar = ????<???D??sh??????w????h???Z??w(???*??wD?@?<?@?0?c???????????????????????????2????????????????????w????g??w0??w????*??w???w????D??s@??????????w????<?@????????w????D?@???b?????????<?@?<?@????????w????D?@?????<?@???@?<?@?3??s??????????????????????@?_??s??@???@

    scanning hidden files …

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Completion time: 2007-08-31 9:47:46
    C:\ComboFix-quarantined-files.txt … 2007-08-31 09:47
    C:\ComboFix2.txt … 2007-08-30 23:45

    — E O F —
  • Are there still any problems?

This is an archived page. Replying is no longer possible.