Vraag & Antwoord

Beveiliging & privacy

Trojan Vundo en Trojan Duntek

15 antwoorden
  • Ik heb al enige tijd last van ongewenste popups in mijn computer, vrijwel alleen bij explorer (ik gebruik voornamelijk firefox). Norton antivirus gaf melding van trojan.vundo en trojan.duntek In andere topics zag ik wat de eerste stappen zijn om trojan.vundo te verhelpen, waarbij de gebruikers werd gevraagd logs te plaatsen. Ik heb zojuist vundofix en hijachthis laten lopen en heb daar de logs van. Ik hoop dat iemand hier me nu verder kan helpen. Tevens hoop ik dat er iemand is die weet wat ik het beste aan trojan.duntek kan doen. Virusscan van Norton en scan van Hitman Pro hebben nog niks uitgehaald. De logs: [b:887f884e95]VundoFix V6.5.7[/b:887f884e95] Checking Java version... Java version is 1.5.0.2 Old versions of java are exploitable and should be removed. Scan started at 23:57:37 26-8-2007 Listing files found while scanning.... C:\windows\system32\comsam.dll C:\WINDOWS\system32\tmp13D.tmp.dll C:\WINDOWS\system32\tmp3.tmp.dll C:\WINDOWS\system32\tmp4.tmp.dll Beginning removal... Attempting to delete C:\windows\system32\comsam.dll C:\windows\system32\comsam.dll Has been deleted! Attempting to delete C:\WINDOWS\system32\tmp13D.tmp.dll C:\WINDOWS\system32\tmp13D.tmp.dll Has been deleted! Attempting to delete C:\WINDOWS\system32\tmp3.tmp.dll C:\WINDOWS\system32\tmp3.tmp.dll Has been deleted! Attempting to delete C:\WINDOWS\system32\tmp4.tmp.dll C:\WINDOWS\system32\tmp4.tmp.dll Has been deleted! Performing Repairs to the registry. Done! [b:887f884e95]Logfile of Trend Micro HijackThis v2.0.2[/b:887f884e95] Scan saved at 0:04:09, on 27-8-2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\drivers\CDAC11BA.EXE C:\Program Files\Norton AntiVirus\navapsvc.exe C:\Program Files\Eset\nod32krn.exe C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\MSN Messenger\msnmsgr.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\system32\NOTEPAD.EXE C:\Program Files\Messenger\msmsgs.exe C:\HJT\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/ R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {1794d56a-6303-4a1f-b947-c5dd828aad4b} - C:\WINDOWS\system32\comsam.dll (file missing) O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll" O4 - HKLM\..\RunServices: [p2pnetworking] p2pnetworking.exe O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?') O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?') O4 - HKUS\S-1-5-21-1547161642-1500820517-682003330-1004\..\Run: [PowerBar] (User '?') O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user') O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {003FADA5-8FEE-11D6-AFB7-0004768F6183} (CryptoRSA Control) - https://www.p3.postbank.nl/sesam/CAX.cab O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game14.zylomgames.com/activex/zylomgamesplayer.cab O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: iPod-service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe O23 - Service: Norton AntiVirus Auto-Protect-service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE O23 - Service: Planner voor Automatische LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe -- End of file - 8959 bytes Alvast bedankt![/b]
  • Download combofix.exe: http://download.bleepingcomputer.com/sUBs/ComboFix.exe Plaats het op je bureaublad. Dubbelklik er op om het programma te starten. In het scherm dat verschijnt tik je een Y in om het cleaningsprocess te starten. Volg de instructies op het scherm. Als het tooltje klaar is, opent er een logfile (combofix.txt). Post de inhoud van dit bestandje samen met een nieuwe hijackthislog.
  • Ik krijg een 404melding voor die pagina.. Misschien zit er een spelfout in de url? edit: Ik heb even gegoogled en merk dat de url wel klopt, het bestand is blijkbaar verwijderd.. Ik kan zelf geen andere online vinden, misschien dat jij weet waar ik het bestand kan downloaden?
  • neem deze: http://www.techsupportforum.com/sectools/combofix.exe
  • je was me al voor :) Ik heb dat bestand gedownload, ik krijg dan een tekstbestand met de volgende melding: [quote:e7b9c8b3c4]You have used an invalid url to download ComboFix.exe. Please be advised that these are the correct links to use http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe http://download.bleepingcomputer.com/sUBs/ComboFix.exe [/quote:e7b9c8b3c4] Beide links werken niet.. [/quote]
  • Beide links liggen er inderdaad uit. Ik hoor even bij de maker van de tool wat er juist aan de hand is.
  • Er blijken wat problemen te zijn met combofix. Download Brute Force Uninstaller: http://www.merijn.org/files/bfu.zip Unzip/pak het uit naar zijn eigen map op je C:\ (c:\BFU). Lees hier hoe je op de juiste wijze moet unzippen/uitpakken: http://home.planet.nl/~kleyn080/unzippenXPuitleg.html Dubbelklik op BFU.exe om the Brute Force Uninstaller te starten. Naast 'scriptfile to execute'-venster zal je een klein icoontje zien: [img:a916d7dcb2]http://users.telenet.be/bluepatchy/miekiemoes/images/bfuicon.JPG[/img:a916d7dcb2] Klik op dat icoontje en een nieuw venster zal openen. Bovenaan zie je staan: 'Please enter the full URL to the script you want to execute' In het venster kopieer en plak je volgende url: [url]http://home.planet.nl/~kleyn080/alcanshorty.bfu[/url] Klik op OK Daarna klik je op [b:a916d7dcb2]execute[/b:a916d7dcb2] in Brute Force Uninstaller. Wacht tot je de boodschap [b:a916d7dcb2]complete script execution[/b:a916d7dcb2] te zien krijgt en klik daarna op [b:a916d7dcb2]OK[/b:a916d7dcb2]. Klik [b:a916d7dcb2]exit[/b:a916d7dcb2] om het programma te beeïndigen. Herstart de computer, maak een nieuwe hijackthislog en post deze.
  • Ok, ik heb brute force laten lopen, dit is het nieuwe log van hijackthis: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 18:11:34, on 27-8-2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\drivers\CDAC11BA.EXE C:\Program Files\Norton AntiVirus\navapsvc.exe C:\Program Files\Eset\nod32krn.exe C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\MSN Messenger\msnmsgr.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\Outlook Express\msimn.exe C:\WINDOWS\system32\svchost.exe C:\PROGRA~1\MOZILL~1\FIREFOX.EXE C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE C:\HJT\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/ R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {1794d56a-6303-4a1f-b947-c5dd828aad4b} - C:\WINDOWS\system32\comsam.dll (file missing) O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll" O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?') O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?') O4 - HKUS\S-1-5-21-1547161642-1500820517-682003330-1004\..\Run: [PowerBar] (User '?') O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user') O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {003FADA5-8FEE-11D6-AFB7-0004768F6183} (CryptoRSA Control) - https://www.p3.postbank.nl/sesam/CAX.cab O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game14.zylomgames.com/activex/zylomgamesplayer.cab O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: iPod-service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe O23 - Service: Norton AntiVirus Auto-Protect-service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE O23 - Service: Planner voor Automatische LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe -- End of file - 8898 bytes
  • Kan je een je nu een logje maken met de nieuwe versie van Combofix? (de tool is weer beschikbaar)
  • misschien doe ik iets verkeerd, maar ik kan combofix nog steeds niet downloaden..
  • Moet toch lukken nu hoor.
  • Ok, nu deed hij het wel. Hij had wel wat instellingen veranderd toen ik weer opstartte.. De firewall was uitgeschakeld, m'n virusscanner werd niet herkend en explorer was weer de standaardbrowser (ik heb firefox als standaard ingesteld). Ik heb dit hersteld, ik hoop dat dat goed is.. Dit is de log:ComboFix 07-08-30.1 - "****" 2007-08-29 23:39:12.1 - NTFSx86 ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) C:\DOCUME~1\****\APPLIC~1\macromedia\Flash Player\#SharedObjects\JC48FZ8J\www.broadcaster.com C:\DOCUME~1\****\APPLIC~1\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com C:\WINDOWS\system32\_000005_.tmp.dll C:\WINDOWS\tuutvw.ini C:\WINDOWS\wvtuut.dll ((((((((((((((((((((((((( Files Created from 2007-07-28 to 2007-08-30 ))))))))))))))))))))))))))))))) 2007-08-29 23:38 51,200 --a------ C:\WINDOWS\nircmd.exe 2007-08-29 08:28 <DIR> d-------- C:\WINDOWS\LastGood.Tmp 2007-08-27 18:07 <DIR> d-------- C:\bintheredunthat 2007-08-27 18:04 <DIR> d-------- C:\bfu 2007-08-27 00:03 <DIR> d-------- C:\HJT 2007-08-26 23:57 <DIR> d-------- C:\VundoFix Backups 2007-08-25 11:40 <DIR> d-------- C:\DOCUME~1\****\ppPokerDir 2007-07-10 17:39 737,280 --a------ C:\WINDOWS\iun6002.exe 2007-07-10 17:39 19 --a------ C:\WINDOWS\popcinfo.dat 2007-07-10 17:39 <DIR> d-------- C:\Program Files\PopCap Games 2007-07-09 10:34 <DIR> d-------- C:\Program Files\Common Files\Sandlot Shared 2007-07-09 10:34 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Sandlot Games 2007-07-09 10:33 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Trymedia 2007-07-09 09:46 <DIR> d-------- C:\Program Files\BFG 2007-07-08 19:17 <DIR> d-------- C:\DOCUME~1\****\APPLIC~1\Eyeblaster 2007-07-08 19:13 <DIR> d-------- C:\Program Files\Zylom Games 2007-07-08 09:50 <DIR> d-------- C:\DOCUME~1\****\APPLIC~1\PlayFirst 2007-07-08 09:50 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\PlayFirst (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) 2007-08-29 08:31 --------- d-------- C:\Program Files\Common Files\Symantec Shared 2007-08-27 21:09 --------- d-------- C:\DOCUME~1\****\APPLIC~1\Ahead 2007-08-25 21:01 --------- d-------- C:\DOCUME~1\****\APPLIC~1\uTorrent 2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll 2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll 2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe 2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll 2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll 2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll 2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll 2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll 2007-07-12 11:28 --------- d--h----- C:\Program Files\InstallShield Installation Information 2007-07-08 19:13 --------- d-------- C:\DOCUME~1\****\APPLIC~1\Zylom 2007-07-07 13:26 --------- d-------- C:\Program Files\Norton AntiVirus 2007-07-07 13:24 806 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF 2007-07-07 13:24 8014 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT 2007-07-07 13:24 48776 --a------ C:\WINDOWS\system32\S32EVNT1.DLL 2007-07-07 13:24 115000 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS 2007-07-07 13:24 --------- d-------- C:\Program Files\Symantec 2007-07-07 13:24 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec 2007-06-26 08:10 1104896 --a------ C:\WINDOWS\system32\msxml3.dll 2007-06-19 15:33 282112 --a------ C:\WINDOWS\system32\gdi32.dll 2007-06-13 15:24 1036800 --a------ C:\WINDOWS\explorer.exe 2007-03-09 22:06 87608 --a------ C:\DOCUME~1\****\APPLIC~1\ezpinst.exe 2007-03-09 22:06 47360 --a------ C:\DOCUME~1\****\APPLIC~1\pcouffin.sys 2004-03-11 13:27 40960 --a------ C:\Program Files\Uninstall_CDS.exe 2001-10-05 12:53 21866 --a------ C:\Program Files\Common Files\tppupd2k.dll 2007-03-17 14:28:37 848 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1794d56a-6303-4a1f-b947-c5dd828aad4b}] C:\WINDOWS\system32\comsam.dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-03-01 12:04] "Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 10:22] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "PowerBar"="" [] "msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2006-07-29 20:34] [HKEY_USERS\.default\software\microsoft\windows\currentversion\run] "Spyware Doctor"= [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^Adobe Reader Snelle start.lnk] path=C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\Adobe Reader Snelle start.lnk backup=C:\WINDOWS\pss\Adobe Reader Snelle start.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^BlueSoleil.lnk] path=C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\BlueSoleil.lnk backup=C:\WINDOWS\pss\BlueSoleil.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^HP Digital Imaging Monitor.lnk] path=C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\HP Digital Imaging Monitor.lnk backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^Microsoft Office.lnk] path=C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\Microsoft Office.lnk backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^Snelstart HP Image Zone.lnk] path=C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\Snelstart HP Image Zone.lnk backup=C:\WINDOWS\pss\Snelstart HP Image Zone.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Media Access] C:\Program Files\Media Access\MediaAccK.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msxct] msxct.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\p2pnetworking] p2pnetworking.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Power Scan] C:\Program Files\Power Scan\powerscan.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SAHBundle] C:\DOCUME~1\****\LOCALS~1\Temp\sahagent-cdt1004.exe run [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\salm] c:\temp\salm.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\setup] rundll32.exe "C:\WINDOWS\wvtuut.dll",realset [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan] SOUNDMAN.EXE [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPP Auto Loader] C:\WINDOWS\tppaldr.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1 [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck] %systemroot%\system32\dumprep 0 -u [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winupdate] C:\Program Files\winupdate\winupdate.exe /auto Contents of the 'Scheduled Tasks' folder 2006-04-04 19:56:47 C:\WINDOWS\Tasks\Norton AntiVirus - Norton QuickScan uitvoeren - ****.job - C:\PROGRA~1\NORTON~1\NAVW32.EXE 2007-07-06 18:00:14 C:\WINDOWS\Tasks\Norton AntiVirus - Volledige systeemscan uitvoeren - ****.job - C:\PROGRA~1\NORTON~1\Navw32.exe ************************************************************************** catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-08-30 23:43:20 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... HKCU\Software\Microsoft\Windows\CurrentVersion\Run PowerBar = ????<???D??sh??????w????h???Z??w(???*??wD?@?<?@?0?c???????????????????????????2????????????????????w????g??w0??w????*??w???w????D??s@??????????w????<?@????????w????D?@???b?????????<?@?<?@????????w????D?@?????<?@???@?<?@?3??s??????????????????????@?_??s??@???@ scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** Completion time: 2007-08-30 23:45:01 - machine was rebooted C:\ComboFix-quarantined-files.txt ... 2007-08-30 23:44 --- E O F --- (Ik heb ivm mijn privacy in de bestandsnamen en op wat andere plekken wat sterretjes gezet. Hier stond mijn achternaam (dit is de naam van mijn account in windows).)
  • Open een kladblokbestand. Kopieer onderstaande code in dit kladblokbestand. Ga naar Bestand - Opslaan als. Bij "Opslaan in" kies je: Bureaublad Bij "Bestandsnaam" zet je: fix.reg Bij "Opslaan als type" selecteer je: Alle bestanden (*.*). Klik op de knop Opslaan. [code:1:073d5ad73b]REGEDIT4 [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winupdate] [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\setup] [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SAHBundle] [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\salm] [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Power Scan] [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\p2pnetworking] [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msxct] [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Media Access] [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Internet Optimizer] [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BullsEye Network] [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1794d56a-6303-4a1f-b947-c5dd828aad4b}] [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\{1794d56a-6303-4a1f-b947-c5dd828aad4b}] [/code:1:073d5ad73b] Dubbelklik op de fix.reg file en laat de wijzigingen aan het register toevoegen. Download [url=http://www.atribune.org/ccount/click.php?id=1]ATF cleaner[/url] (gemaakt door Atribune) Dubbelklik op ATF cleaner om het programma te starten. In het venster "Main", plaats je een vinkje bij [b:073d5ad73b]Select All[/b:073d5ad73b]. Klik op de knop [b:073d5ad73b]Empty Selected[/b:073d5ad73b]. Gebruik je ook Firefox als browser: Klik op het tabblad "Firefox" en plaats een vinkje bij [b:073d5ad73b]Select All[/b:073d5ad73b]. Wil je de door Firefox opgeslagen wachtwoorden behouden, dan klik je in het venster dat verschijnt op "No". (dit haalt het vinkje weer weg bij "Firefox saved passwords") Klik op de knop [b:073d5ad73b]Empty Selected[/b:073d5ad73b]. Gebruik je ook Opera als browser: Klik op het tabblad "Opera" en plaats een vinkje bij [b:073d5ad73b]Select All[/b:073d5ad73b]. Wil je de door Opera opgeslagen wachtwoorden behouden, dan klik je in het venster dat verschijnt op "No". Klik op de knop [b:073d5ad73b]Empty Selected[/b:073d5ad73b]. Ga naar het menu "Main" en klik op de knop [b:073d5ad73b]Exit[/b:073d5ad73b] om het programma af te sluiten. Herstart de computer, maak een nieuwe log met combofix en post deze.
  • Dit alles gedaan. Nieuwe log: ComboFix 07-08-30.1 - "****" 2007-08-31 9:45:24.2 - NTFSx86 ((((((((((((((((((((((((( Files Created from 2007-07-28 to 2007-08-31 ))))))))))))))))))))))))))))))) 2007-08-29 23:38 51,200 --a------ C:\WINDOWS\nircmd.exe 2007-08-27 18:07 <DIR> d-------- C:\bintheredunthat 2007-08-27 18:04 <DIR> d-------- C:\bfu 2007-08-27 00:03 <DIR> d-------- C:\HJT 2007-08-26 23:57 <DIR> d-------- C:\VundoFix Backups 2007-08-25 11:40 <DIR> d-------- C:\DOCUME~1\****\ppPokerDir 2007-07-10 17:39 737,280 --a------ C:\WINDOWS\iun6002.exe 2007-07-10 17:39 19 --a------ C:\WINDOWS\popcinfo.dat 2007-07-10 17:39 <DIR> d-------- C:\Program Files\PopCap Games 2007-07-09 10:34 <DIR> d-------- C:\Program Files\Common Files\Sandlot Shared 2007-07-09 10:34 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Sandlot Games 2007-07-09 10:33 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Trymedia 2007-07-09 09:46 <DIR> d-------- C:\Program Files\BFG 2007-07-08 19:17 <DIR> d-------- C:\DOCUME~1\****\APPLIC~1\Eyeblaster 2007-07-08 19:13 <DIR> d-------- C:\Program Files\Zylom Games 2007-07-08 09:50 <DIR> d-------- C:\DOCUME~1\****\APPLIC~1\PlayFirst 2007-07-08 09:50 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\PlayFirst (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) 2007-08-29 08:31 --------- d-------- C:\Program Files\Common Files\Symantec Shared 2007-08-27 21:09 --------- d-------- C:\DOCUME~1\****\APPLIC~1\Ahead 2007-08-25 21:01 --------- d-------- C:\DOCUME~1\****\APPLIC~1\uTorrent 2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll 2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll 2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe 2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll 2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll 2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll 2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll 2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll 2007-07-12 11:28 --------- d--h----- C:\Program Files\InstallShield Installation Information 2007-07-08 19:13 --------- d-------- C:\DOCUME~1\****\APPLIC~1\Zylom 2007-07-07 13:26 --------- d-------- C:\Program Files\Norton AntiVirus 2007-07-07 13:24 806 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF 2007-07-07 13:24 8014 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT 2007-07-07 13:24 48776 --a------ C:\WINDOWS\system32\S32EVNT1.DLL 2007-07-07 13:24 115000 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS 2007-07-07 13:24 --------- d-------- C:\Program Files\Symantec 2007-07-07 13:24 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec 2007-06-26 08:10 1104896 --a------ C:\WINDOWS\system32\msxml3.dll 2007-06-19 15:33 282112 --a------ C:\WINDOWS\system32\gdi32.dll 2007-06-13 15:24 1036800 --a------ C:\WINDOWS\explorer.exe 2007-03-09 22:06 87608 --a------ C:\DOCUME~1\****\APPLIC~1\ezpinst.exe 2007-03-09 22:06 47360 --a------ C:\DOCUME~1\****\APPLIC~1\pcouffin.sys 2004-03-11 13:27 40960 --a------ C:\Program Files\Uninstall_CDS.exe 2001-10-05 12:53 21866 --a------ C:\Program Files\Common Files\tppupd2k.dll 2007-03-17 14:28:37 848 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys ((((((((((((((((((((((((((((( snapshot_2007-08-30_234439.56 ))))))))))))))))))))))))))))))))))))))))) ----a-w 13,536 2005-06-28 08:20:24 C:\WINDOWS\SoftwareDistribution\Download\b6030cc9bdf016294e4bc50904635316\spmsg.dll ----a-w 216,800 2005-06-28 08:23:40 C:\WINDOWS\SoftwareDistribution\Download\b6030cc9bdf016294e4bc50904635316\spuninst.exe ----a-w 317,952 2007-06-27 13:57:10 C:\WINDOWS\SoftwareDistribution\Download\b6030cc9bdf016294e4bc50904635316\unregmp2.exe ----a-w 725,728 2005-06-28 08:25:04 C:\WINDOWS\SoftwareDistribution\Download\b6030cc9bdf016294e4bc50904635316\update\update.exe ----a-w 371,424 2005-06-28 08:23:54 C:\WINDOWS\SoftwareDistribution\Download\b6030cc9bdf016294e4bc50904635316\update\updspapi.dll ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-03-01 12:04] "Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 10:22] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "PowerBar"="" [] "msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2006-07-29 20:34] [HKEY_USERS\.default\software\microsoft\windows\currentversion\run] "Spyware Doctor"= [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^Adobe Reader Snelle start.lnk] path=C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\Adobe Reader Snelle start.lnk backup=C:\WINDOWS\pss\Adobe Reader Snelle start.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^BlueSoleil.lnk] path=C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\BlueSoleil.lnk backup=C:\WINDOWS\pss\BlueSoleil.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^HP Digital Imaging Monitor.lnk] path=C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\HP Digital Imaging Monitor.lnk backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^Microsoft Office.lnk] path=C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\Microsoft Office.lnk backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^Snelstart HP Image Zone.lnk] path=C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\Snelstart HP Image Zone.lnk backup=C:\WINDOWS\pss\Snelstart HP Image Zone.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan] SOUNDMAN.EXE [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPP Auto Loader] C:\WINDOWS\tppaldr.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1 [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck] %systemroot%\system32\dumprep 0 -u Contents of the 'Scheduled Tasks' folder 2006-04-04 19:56:47 C:\WINDOWS\Tasks\Norton AntiVirus - Norton QuickScan uitvoeren - ****.job - C:\PROGRA~1\NORTON~1\NAVW32.EXE 2007-08-30 18:53:35 C:\WINDOWS\Tasks\Norton AntiVirus - Volledige systeemscan uitvoeren - ****.job - C:\PROGRA~1\NORTON~1\Navw32.exe ************************************************************************** catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-08-31 09:47:00 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... HKCU\Software\Microsoft\Windows\CurrentVersion\Run PowerBar = ????<???D??sh??????w????h???Z??w(???*??wD?@?<?@?0?c???????????????????????????2????????????????????w????g??w0??w????*??w???w????D??s@??????????w????<?@????????w????D?@???b?????????<?@?<?@????????w????D?@?????<?@???@?<?@?3??s??????????????????????@?_??s??@???@ scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** Completion time: 2007-08-31 9:47:46 C:\ComboFix-quarantined-files.txt ... 2007-08-31 09:47 C:\ComboFix2.txt ... 2007-08-30 23:45 --- E O F ---
  • Zijn er nog problemen?

Beantwoord deze vraag

Weet jij het antwoord op deze vraag? Registreer of meld je aan met je account

Dit is een gearchiveerde pagina. Antwoorden is niet meer mogelijk.