Trojan.Win32.Pakes.cc

25 answers
  • Hi, I've had a problem with my PC for a few days now and can't figure it out myself. Every time I start my PC it runs for a moment and then restarts. On Tuesday I got a virus, which was picked up by my scanner; I removed it and hoped that everything was gone. But the next day it no longer booted properly, and even in safe mode it barely works. I can still get on the internet now, but not for long either. The virus I got was Trojan.Win32.Pakes.cc. The following was also reported with it: C://Windows/System32/nyoldfsa.dll. I've searched a bit with Google, but really can't find it. Who knows what I should do?
  • Hello, I think it's best to post a HijackThis log here, otherwise it gets difficult. See: http://forum.computertotaal.nl/phpBB2/viewtopic.php?p=765174#765174
  • Here is the logfile. I hope you can do something with it.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:11:23, on 31-8-2007
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\D-Tools\daemon.exe
    C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Omni\Omni keyboard driver\5.0\KbdAp32A.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    D:\Program Files\AOL\Active Virus Shield\avp.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Java\jre1.5.0_02\bin\jucheck.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    D:\Program Files\AOL\Active Virus Shield\avp.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\RealVNC\VNC4\WinVNC4.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {10C2AB4E-8894-455F-AD43-F007F1452119} - c:\windows\system32\fmlafml.dll
    O2 - BHO: (no name) - {4D8BAEB1-6664-41CA-AB7D-6649D7F37299} - c:\windows\system32\rtxzpcai.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
    O2 - BHO: (no name) - {DF332CEC-2741-4E69-9758-9EB74B9FAF1C} - C:\WINDOWS\System32\dfrgsna.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
    O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
    O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [LWBKEYBOARD] C:\Program Files\Omni\Omni keyboard driver\5.0\KbdAp32A.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [aol] "D:\Program Files\AOL\Active Virus Shield\avp.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [mbvigaaa] C:\WINDOWS\System32\mbvigaaa.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [mbvigaaa] C:\WINDOWS\System32\mbvigaaa.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Lokale service')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Netwerkservice')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Verzenden naar &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll (file missing)
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
    O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
    O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
    O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://cache.hyvz.com/statics/Aurigma/ImageUploader4.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {D83C1BD1-DCBB-11D4-9425-0050BF33FA6E} (CycloScopeLite Control) - http://www.cyclomedia.nl/download/components/CycloScopeLite.cab
    O20 - AppInit_DLLs: C:\WINDOWS\System32\wmfhotfix.dll
    O20 - Winlogon Notify: meqnjzje - C:\WINDOWS\SYSTEM32\fmlafml.dll
    O21 - SSODL: FgQHWLXjBG - {341C3C78-9EB6-96D2-9DF2-8A7063A4210E} - (no file)
    O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Active Virus Shield (AVP) - AOL - D:\Program Files\AOL\Active Virus Shield\avp.exe
    O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    O23 - Service: FireDaemon Service: ecure (ecure) - Unknown owner - C:\WINDOWS\Temp\FireDaemon.EXE (file missing)
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
    O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
    O23 - Service: FireDaemon Service: svchost1 (svchost1) - Unknown owner - C:\WINDOWS\Temp\FireDaemon.EXE (file missing)
    O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

    --
    End of file - 8603 bytes
  • Download Combofix (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.
    - Double-click Combofix.exe.
    - Follow the instructions; accept the disclaimer by typing 1 (continue) followed by ENTER.
    - While the fix is running, do NOT click in the window, because this will make your PC hang.
    When the fix has finished and after the restart, the log combofix.txt will open. Post this log in your next reply together with a new HijackThis log. Note: if your virus scanner reacts with a warning about a script being executed, you can ignore it.
  • Combofix log:

    ComboFix 07-08-30.3 - "Rik Steverink" 2007-08-31 19:47:13.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.0.1252.1.1043.18.211 [GMT 2:00]
    * Created a new restore point

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

    C:\WINDOWS\3.exe
    C:\WINDOWS\system32\regscan.exe

    ((((((((((((((((((((((((( Files Created from 2007-07-28 to 2007-08-31 )))))))))))))))))))))))))))))))

    2007-08-31 12:08 <DIR> d-------- C:\Program Files\Trend Micro
    2007-08-28 17:28 <DIR> d-------- C:\WINDOWS\LogFiles
    2007-08-27 19:29 98,304 --a------ C:\WINDOWS\system32\llnjvmiu.dll
    2007-08-27 19:29 64,512 --a------ C:\WINDOWS\system32\rtxzpcai.dll
    2007-08-27 19:29 44,544 --a------ C:\WINDOWS\system32\rdysjale.dll
    2007-08-27 19:29 43,520 --a------ C:\WINDOWS\system32\lxiwchos.dll
    2007-08-27 19:29 126,976 --a------ C:\WINDOWS\system32\tkndkvsz.dll
    2007-08-27 19:19 77,312 --a------ C:\WINDOWS\system32\fmlafml.dll
    2007-08-27 19:19 17,024 C:\WINDOWS\system32\drivers\neurwdoq.sys
    2007-08-27 19:18 76,395 --a------ C:\WINDOWS\system32\dfrgsna.dll
    2007-08-27 18:16 <DIR> d-------- C:\Program Files\Tams11
    2007-08-22 21:20 <DIR> d-------- C:\Bdienst
    2007-08-11 15:23 <DIR> d-------- C:\Program Files\Firefly Studios
    2007-07-16 17:10 <DIR> d-------- C:\DOCUME~1\RIKSTE~1\APPLIC~1\ATI
    2007-07-16 17:04 6,451,200 --a------ C:\WINDOWS\system32\atioglxx.dll
    2007-07-16 17:04 484,064 --a------ C:\WINDOWS\system32\ativvaxx.dll
    2007-07-16 17:04 294,912 -ra------ C:\WINDOWS\system32\atiiiexx.dll
    2007-07-16 17:04 17,408 --a------ C:\WINDOWS\system32\atitvo32.dll
    2007-07-16 17:04 135,168 -ra------ C:\WINDOWS\system32\ATIDEMGR.dll
    2007-07-16 17:04 118,784 --a------ C:\WINDOWS\system32\atipdlxx.dll
    2007-07-16 17:04 102,400 --a------ C:\WINDOWS\system32\Oemdspif.dll
    2007-07-16 17:02 <DIR> d-------- C:\ATI
    2007-07-16 16:51 <DIR> d-------- C:\Program Files\SiSoftware
    2007-07-16 16:18 62,744 --a------ C:\WINDOWS\system32\xinput1_2.dll
    2007-07-16 16:18 236,824 --a------ C:\WINDOWS\system32\xactengine2_3.dll
    2007-07-16 16:02 <DIR> d-------- C:\Program Files\Radical Games
    2007-07-12 19:25 <DIR> d-------- C:\Program Files\BearFlix
    2007-07-02 21:07 <DIR> d-------- C:\Program Files\Jasc Software Inc

    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2007-08-30 23:36 2393480 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
    2007-08-30 23:36 178759200 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
    2007-08-30 23:36 1096224 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
    2007-08-30 23:36 103184 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
    2007-08-28 17:14 --------- d-------- C:\Program Files\Spyware Doctor
    2007-08-28 15:57 --------- d-------- C:\Program Files\Hitman Pro
    2007-08-28 14:49 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
    2007-08-28 11:40 --------- d-------- C:\Program Files\SpywareBlaster
    2007-08-20 21:08 --------- d-------- C:\Program Files\Broderbund
    2007-08-20 21:07 --------- d--h----- C:\Program Files\InstallShield Installation Information
    2007-08-20 21:07 --------- d-------- C:\Program Files\Nokia
    2007-08-20 21:06 --------- d--h----- C:\DOCUME~1\RIKSTE~1\APPLIC~1\Move Networks
    2007-08-20 21:06 --------- d-------- C:\Program Files\DivX
    2007-08-11 15:21 --------- d-------- C:\Program Files\ACE Mega CoDecS Pack
    2007-07-16 17:05 --------- d-------- C:\Program Files\ATI Technologies
    2007-07-07 17:39 --------- d-------- C:\Program Files\Google
    2007-06-17 00:11 51200 --a------ C:\WINDOWS\nircmd.exe
    2006-11-25 17:56:21 2,932 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{10C2AB4E-8894-455F-AD43-F007F1452119}]
    2007-08-30 22:51 77312 --a------ c:\windows\system32\fmlafml.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4D8BAEB1-6664-41CA-AB7D-6649D7F37299}]
    2007-08-27 19:29 64512 --a------ c:\windows\system32\rtxzpcai.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DF332CEC-2741-4E69-9758-9EB74B9FAF1C}]
    2001-09-07 14:00 76395 --a------ C:\WINDOWS\System32\dfrgsna.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DAEMON Tools-1033"="C:\Program Files\D-Tools\daemon.exe" [2004-08-22 18:05]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe" [2005-03-04 04:36]
    "ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 16:30]
    "ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 16:30]
    "LWBKEYBOARD"="C:\Program Files\Omni\Omni keyboard driver\5.0\KbdAp32A.exe" [2004-05-27 04:37]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-03-17 17:25]
    "aol"="D:\Program Files\AOL\Active Virus Shield\avp.exe" [2006-05-30 13:13]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-05 17:03]
    "mbvigaaa"="C:\WINDOWS\System32\mbvigaaa.exe" []
    "ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 16:41]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2001-09-07 14:00]
    "mbvigaaa"="C:\WINDOWS\System32\mbvigaaa.exe" []

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\meqnjzje]
    fmlafml.dll 2007-08-30 22:51 77312 C:\WINDOWS\system32\fmlafml.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "appinit_dlls"=C:\WINDOWS\System32\wmfhotfix.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^BTTray.lnk]
    path=C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\BTTray.lnk
    backup=C:\WINDOWS\pss\BTTray.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cmaudio]
    RunDll32 cmicnfg.cpl,CMICtrlWnd

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DownloadAccelerator]
    "C:\Program Files\DAP\DAP.EXE" /STARTUP

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    "C:\Program Files\Messenger\msmsgs.exe" /background

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
    C:\Program Files\Nokia\Nokia PC Suite 6\Launch Application 2.exe -onlytray

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PcSync]
    C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
    D:\Program Files\Picasa2\PicasaMediaDetector.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RocketDock]
    "C:\WINDOWS\BricoPacks\Crystal Clear\RocketDock\RocketDock.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WeatherCast]
    "C:\Program Files\WeatherCast\Weather.exe" /q

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "Adobe LM Service"=3 (0x3)

    R0 reaucigj;reaucigj;C:\WINDOWS\System32\drivers\neurwdoq.sys
    R2 odzpqoil;IPX Traffic Forwarder Monitor;C:\WINDOWS\System32\svchost.exe -k netsvcs
    S2 ecure;FireDaemon Service: ecure;C:\WINDOWS\Temp\FireDaemon.EXE
    S2 svchost1;FireDaemon Service: svchost1;C:\WINDOWS\Temp\FireDaemon.EXE
    S3 Maplom;Maplom;C:\WINDOWS\System32\drivers\Maplom.sys
    S3 NTSIM;NTSIM;\??\C:\WINDOWS\System32\ntsim.sys

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    odzpqoil

    *Newly Created Service* - CATCHME

    **************************************************************************

    catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-08-31 19:51:26
    Windows 5.1.2600 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    C:\WINDOWS\system32\AppCert
    C:\WINDOWS\system32\drivers\hd_dirs.cfg
    C:\WINDOWS\system32\drivers\hd_files.cfg
    C:\WINDOWS\system32\drivers\hd_rkeys.cfg
    C:\WINDOWS\system32\drivers\hd_rvals.cfg
    C:\WINDOWS\system32\drivers\hd_self.cfg
    C:\WINDOWS\system32\drivers\ippflt.sys

    scan completed successfully
    hidden files: 7

    **************************************************************************

    [HKEY_LOCAL_MACHINE\system\ControlSet003\Services\ippflt]
    "ImagePath"="System32\Drivers\ippflt.sys"

    Completion time: 2007-08-31 19:52:36
    C:\ComboFix-quarantined-files.txt ... 2007-08-31 19:52
    C:\ComboFix2.txt ... 2007-04-24 20:02
    --- E O F ---

    HijackThis log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 19:59:28, on 31-8-2007
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\savedump.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\D-Tools\daemon.exe
    C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Omni\Omni keyboard driver\5.0\KbdAp32A.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    D:\Program Files\AOL\Active Virus Shield\avp.exe
    C:\Program Files\Java\jre1.5.0_02\bin\jucheck.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    D:\Program Files\AOL\Active Virus Shield\avp.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\RealVNC\VNC4\WinVNC4.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {10C2AB4E-8894-455F-AD43-F007F1452119} - c:\windows\system32\fmlafml.dll
    O2 - BHO: (no name) - {4D8BAEB1-6664-41CA-AB7D-6649D7F37299} - c:\windows\system32\rtxzpcai.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
    O2 - BHO: (no name) - {DF332CEC-2741-4E69-9758-9EB74B9FAF1C} - C:\WINDOWS\System32\dfrgsna.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
    O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
    O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [LWBKEYBOARD] C:\Program Files\Omni\Omni keyboard driver\5.0\KbdAp32A.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [aol] "D:\Program Files\AOL\Active Virus Shield\avp.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [mbvigaaa] C:\WINDOWS\System32\mbvigaaa.exe
    O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [mbvigaaa] C:\WINDOWS\System32\mbvigaaa.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Lokale service')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Netwerkservice')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Verzenden naar &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll (file missing)
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
    O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
    O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
    O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://cache.hyvz.com/statics/Aurigma/ImageUploader4.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {D83C1BD1-DCBB-11D4-9425-0050BF33FA6E} (CycloScopeLite Control) - http://www.cyclomedia.nl/download/components/CycloScopeLite.cab
    O20 - AppInit_DLLs: C:\WINDOWS\System32\wmfhotfix.dll
    O20 - Winlogon Notify: meqnjzje - C:\WINDOWS\SYSTEM32\fmlafml.dll
    O21 - SSODL: FgQHWLXjBG - {341C3C78-9EB6-96D2-9DF2-8A7063A4210E} - (no file)
    O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Active Virus Shield (AVP) - AOL - D:\Program Files\AOL\Active Virus Shield\avp.exe
    O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    O23 - Service: FireDaemon Service: ecure (ecure) - Unknown owner - C:\WINDOWS\Temp\FireDaemon.EXE (file missing)
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
    O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
    O23 - Service: FireDaemon Service: svchost1 (svchost1) - Unknown owner - C:\WINDOWS\Temp\FireDaemon.EXE (file missing)
    O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

    --
    End of file - 8557 bytes

    Incidentally, for a few days now it also often happens that when I type an address in Explorer, it goes to search-daily... maybe this has something to do with it too?
  • Open Notepad and copy and paste the following into an empty window:

    File::
    C:\WINDOWS\system32\llnjvmiu.dll
    C:\WINDOWS\system32\rtxzpcai.dll
    C:\WINDOWS\system32\rdysjale.dll
    C:\WINDOWS\system32\lxiwchos.dll
    C:\WINDOWS\system32\tkndkvsz.dll
    C:\WINDOWS\system32\fmlafml.dll
    C:\WINDOWS\System32\mbvigaaa.exe

    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{10C2AB4E-8894-455F-AD43-F007F1452119}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4D8BAEB1-6664-41CA-AB7D-6649D7F37299}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DF332CEC-2741-4E69-9758-9EB74B9FAF1C}]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\meqnjzje]

    Save this on your Desktop as CFScript.txt. Drag CFScript.txt onto ComboFix.exe as shown in the example below:
    http://img.photobucket.com/albums/v666/sUBs/CFScript.gif
    This will make ComboFix restart. Reboot when asked to, and post the contents of Combofix.txt in your next reply together with a new HijackThis log.
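The HijackThis entries the helper singles out above (the nameless BHOs in System32, the Winlogon Notify package that loads the same fmlafml.dll, the mbvigaaa Run key, the FireDaemon services in Temp, the orphaned SSODL entry) can be surfaced mechanically. This is an added example, not code from the thread, from HijackThis or from ComboFix; the regexes, the System32 allowlist and the severity labels are my own assumptions, and the sample lines are copied from the first HijackThis log in the thread.

```python
"""Triage heuristics over HijackThis (HJT) log lines.

Added example, not code from the thread, from HijackThis or from ComboFix.
Regexes, allowlist and severities are my own assumptions.
"""
import re

# Assumed allowlist: Windows binaries that legitimately autostart from System32.
SYSTEM32_KNOWN = {"ctfmon.exe"}

RE_O2 = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
RE_O4 = re.compile(r"^O4 - .*?\\Run: \[(.*?)\] (.*)$")
RE_O20_APPINIT = re.compile(r"^O20 - AppInit_DLLs: (.*)$")
RE_O20_NOTIFY = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.*)$")
RE_O21 = re.compile(r"^O21 - SSODL: (\S+) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
RE_O23 = re.compile(r"^O23 - Service: (.*) \((\S+)\) - (.*?) - (.*)$")
RE_EXE = re.compile(r'^"?(.*?\.exe)', re.IGNORECASE)  # first executable in a Run command line


def filename(path):
    """Last path component, lower-cased, without HJT's trailing '(file missing)' note."""
    path = path.split(" (file missing)")[0].strip()
    return path.split("\\")[-1].lower()


def in_system32(path):
    return "\\system32\\" in path.lower()


def triage(log_text):
    """Return (severity, reason, file, line) tuples for entries worth a second look."""
    lines = [ln.strip() for ln in log_text.splitlines() if ln.strip()]
    # Pass 1: DLLs that load as nameless BHOs straight out of System32.
    nameless_bhos = set()
    for ln in lines:
        m = RE_O2.match(ln)
        if m and m.group(1) == "(no name)" and in_system32(m.group(3)):
            nameless_bhos.add(filename(m.group(3)))
    # Pass 2: score each autostart entry; O20 is cross-referenced against pass 1.
    findings = []
    for ln in lines:
        if m := RE_O2.match(ln):
            name, _clsid, path = m.groups()
            if path == "(no file)":
                findings.append(("orphan", "BHO registered but its DLL is gone", path, ln))
            elif name == "(no name)" and in_system32(path):
                findings.append(("high", "nameless BHO loaded from System32", filename(path), ln))
        elif m := RE_O4.match(ln):
            exe = RE_EXE.match(m.group(2))
            if exe and in_system32(exe.group(1)) and filename(exe.group(1)) not in SYSTEM32_KNOWN:
                findings.append(("high", "Run key starts an unknown binary from System32", filename(exe.group(1)), ln))
        elif m := RE_O20_APPINIT.match(ln):
            findings.append(("review", "AppInit_DLLs is injected into every user32 process", filename(m.group(1)), ln))
        elif m := RE_O20_NOTIFY.match(ln):
            dll = filename(m.group(2))
            if dll in nameless_bhos:
                findings.append(("high", "Winlogon Notify DLL is also a nameless BHO", dll, ln))
            else:
                findings.append(("review", "non-default Winlogon Notify package", dll, ln))
        elif m := RE_O21.match(ln):
            if m.group(3) == "(no file)":
                findings.append(("orphan", "ShellServiceObjectDelayLoad entry without a file", "(no file)", ln))
        elif m := RE_O23.match(ln):
            path = m.group(4)
            if "\\temp\\" in path.lower():
                findings.append(("high", "service binary lives in a Temp folder", filename(path), ln))
    return findings


def flagged_files(findings, severity="high"):
    """Distinct file names behind findings of one severity (what a cleanup script would list)."""
    return sorted({f[2] for f in findings if f[0] == severity})


# Sample lines copied from the first HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {10C2AB4E-8894-455F-AD43-F007F1452119} - c:\windows\system32\fmlafml.dll
O2 - BHO: (no name) - {4D8BAEB1-6664-41CA-AB7D-6649D7F37299} - c:\windows\system32\rtxzpcai.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {DF332CEC-2741-4E69-9758-9EB74B9FAF1C} - C:\WINDOWS\System32\dfrgsna.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mbvigaaa] C:\WINDOWS\System32\mbvigaaa.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O20 - AppInit_DLLs: C:\WINDOWS\System32\wmfhotfix.dll
O20 - Winlogon Notify: meqnjzje - C:\WINDOWS\SYSTEM32\fmlafml.dll
O21 - SSODL: FgQHWLXjBG - {341C3C78-9EB6-96D2-9DF2-8A7063A4210E} - (no file)
O23 - Service: FireDaemon Service: ecure (ecure) - Unknown owner - C:\WINDOWS\Temp\FireDaemon.EXE (file missing)
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
"""

if __name__ == "__main__":
    for sev, reason, _file, ln in triage(SAMPLE_LOG):
        print(f"[{sev:6}] {reason}: {ln}")
```

The "high" list it produces matches the DLLs and the mbvigaaa.exe that the CFScript above deletes, plus the FireDaemon services; the Spybot SDHelper.dll BHO is left alone because it lives under Program Files.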
  • ComboFix log:

    ComboFix 07-08-30.3 - "Rik Steverink" 2007-09-01 13:04:44.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.0.1252.1.1043.18.209 [GMT 2:00]
    Command switches used :: C:\Documents and Settings\Rik Steverink\Bureaublad\CFScript.txt
    * Created a new restore point

    FILE::
    C:\WINDOWS\system32\llnjvmiu.dll
    C:\WINDOWS\system32\rtxzpcai.dll
    C:\WINDOWS\system32\rdysjale.dll
    C:\WINDOWS\system32\lxiwchos.dll
    C:\WINDOWS\system32\tkndkvsz.dll
    C:\WINDOWS\system32\fmlafml.dll
    C:\WINDOWS\System32\mbvigaaa.exe

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

    C:\WINDOWS\system32\fmlafml.dll . . . . failed to delete
    C:\WINDOWS\system32\llnjvmiu.dll
    C:\WINDOWS\system32\lxiwchos.dll
    C:\WINDOWS\system32\rdysjale.dll
    C:\WINDOWS\system32\rtxzpcai.dll
    C:\WINDOWS\system32\tkndkvsz.dll

    ((((((((((((((((((((((((( Files Created from 2007-08-01 to 2007-09-01 )))))))))))))))))))))))))))))))

    2007-09-01 12:56 753,664 --a------ C:\WINDOWS\system32\nyoldfsa.dll
    2007-09-01 12:56 684,567 --a------ C:\WINDOWS\system32\libeay32.dll
    2007-09-01 12:56 147,729 --a------ C:\WINDOWS\system32\libssl32.dll
    2007-08-31 12:08 <DIR> d-------- C:\Program Files\Trend Micro
    2007-08-28 17:28 <DIR> d-------- C:\WINDOWS\LogFiles
    2007-08-27 19:19 78,848 --------- C:\WINDOWS\system32\fmlafml.dll
    2007-08-27 19:19 17,280 C:\WINDOWS\system32\drivers\neurwdoq.sys
    2007-08-27 19:18 76,395 --a------ C:\WINDOWS\system32\dfrgsna.dll
    2007-08-27 18:16 <DIR> d-------- C:\Program Files\Tams11
    2007-08-22 21:20 <DIR> d-------- C:\Bdienst
    2007-08-11 15:23 <DIR> d-------- C:\Program Files\Firefly Studios

    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2007-09-01 13:09 2395112 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
    2007-09-01 13:09 178759200 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
    2007-09-01 13:09 1096224 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
    2007-09-01 13:09 103784 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
    2007-08-28 17:14 --------- d-------- C:\Program Files\Spyware Doctor
    2007-08-28 15:57 --------- d-------- C:\Program Files\Hitman Pro
    2007-08-28 14:49 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
    2007-08-28 11:40 --------- d-------- C:\Program Files\SpywareBlaster
    2007-08-20 21:08 --------- d-------- C:\Program Files\Broderbund
    2007-08-20 21:07 --------- d--h----- C:\Program Files\InstallShield Installation Information
    2007-08-20 21:07 --------- d-------- C:\Program Files\Nokia
    2007-08-20 21:06 --------- d--h----- C:\DOCUME~1\RIKSTE~1\APPLIC~1\Move Networks
    2007-08-20 21:06 --------- d-------- C:\Program Files\DivX
    2007-08-20 21:05 --------- d-------- C:\Program Files\BearFlix
    2007-08-11 15:21 --------- d-------- C:\Program Files\ACE Mega CoDecS Pack
    2007-07-16 17:10 --------- d-------- C:\DOCUME~1\RIKSTE~1\APPLIC~1\ATI
    2007-07-16 17:05 --------- d-------- C:\Program Files\ATI Technologies
    2007-07-16 16:51 --------- d-------- C:\Program Files\SiSoftware
    2007-07-16 16:02 --------- d-------- C:\Program Files\Radical Games
    2007-07-07 17:39 --------- d-------- C:\Program Files\Google
    2007-07-07 17:36 --------- d-------- C:\Program Files\Jasc Software Inc
    2007-06-17 00:11 51200 --a------ C:\WINDOWS\nircmd.exe
    2006-11-25 17:56:21 2,932 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys

    ((((((((((((((((((((((((((((( snapshot_2007-08-31_195159,45 )))))))))))))))))))))))))))))))))))))))))

    ----a-w 241,664 2007-09-01 11:04:14 C:\WINDOWS\system32\config\systemprofile\ntuser.dat
    ----a-w 32,768 2007-09-01 10:46:22 C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
    ----a-w 32,768 2007-09-01 10:46:22 C:\WINDOWS\system32\config\systemprofile\Local Settings\Geschiedenis\History.IE5\index.dat
    ----a-w 32,768 2007-09-01 10:46:22 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    ----a-w 57,344 2007-09-01 10:56:11 C:\WINDOWS\Temp\zvbpgqei.dll
    ----a-w 241,664 2007-08-31 17:46:38 C:\WINDOWS\system32\config\systemprofile\ntuser.dat
    ----a-w 32,768 2007-08-31 16:58:12 C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
    ----a-w 32,768 2007-08-31 16:58:12 C:\WINDOWS\system32\config\systemprofile\Local Settings\Geschiedenis\History.IE5\index.dat
    ----a-w 32,768 2007-08-31 16:58:12 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{10C2AB4E-8894-455F-AD43-F007F1452119}]
    2007-09-01 12:56 78848 --------- c:\windows\system32\fmlafml.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DAEMON Tools-1033"="C:\Program Files\D-Tools\daemon.exe" [2004-08-22 18:05]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe" [2005-03-04 04:36]
    "ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 16:30]
    "ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 16:30]
    "LWBKEYBOARD"="C:\Program Files\Omni\Omni keyboard driver\5.0\KbdAp32A.exe" [2004-05-27 04:37]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-03-17 17:25]
    "aol"="D:\Program Files\AOL\Active Virus Shield\avp.exe" [2006-05-30 13:13]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-05 17:03]
    "mbvigaaa"="C:\WINDOWS\System32\mbvigaaa.exe" []
    "ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 16:41]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2001-09-07 14:00]
    "mbvigaaa"="C:\WINDOWS\System32\mbvigaaa.exe" []

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\meqnjzje]
    fmlafml.dll 2007-09-01 12:56 78848 C:\WINDOWS\system32\fmlafml.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "appinit_dlls"=C:\WINDOWS\System32\wmfhotfix.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^BTTray.lnk]
    path=C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\BTTray.lnk
    backup=C:\WINDOWS\pss\BTTray.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cmaudio]
    RunDll32 cmicnfg.cpl,CMICtrlWnd

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DownloadAccelerator]
    "C:\Program Files\DAP\DAP.EXE" /STARTUP

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    "C:\Program Files\Messenger\msmsgs.exe" /background

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
    C:\Program Files\Nokia\Nokia PC Suite 6\Launch Application 2.exe -onlytray

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PcSync]
    C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
    D:\Program Files\Picasa2\PicasaMediaDetector.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RocketDock]
    "C:\WINDOWS\BricoPacks\Crystal Clear\RocketDock\RocketDock.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WeatherCast]
    "C:\Program
Files\WeatherCast\Weather.exe" /q [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "Adobe LM Service"=3 (0x3) R0 reaucigj;reaucigj;C:\WINDOWS\System32\drivers\neurwdoq.sys S2 ecure;FireDaemon Service: ecure;C:\WINDOWS\Temp\FireDaemon.EXE S2 odzpqoil;IPX Traffic Forwarder Monitor;C:\WINDOWS\System32\svchost.exe -k netsvcs S2 svchost1;FireDaemon Service: svchost1;C:\WINDOWS\Temp\FireDaemon.EXE S3 Maplom;Maplom;C:\WINDOWS\System32\drivers\Maplom.sys S3 NTSIM;NTSIM;\??\C:\WINDOWS\System32\ntsim.sys HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs odzpqoil ************************************************************************** catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-09-01 13:11:15 Windows 5.1.2600 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... C:\WINDOWS\system32\AppCert C:\WINDOWS\system32\drivers\hd_dirs.cfg C:\WINDOWS\system32\drivers\hd_files.cfg C:\WINDOWS\system32\drivers\hd_rkeys.cfg C:\WINDOWS\system32\drivers\hd_rvals.cfg C:\WINDOWS\system32\drivers\hd_self.cfg C:\WINDOWS\system32\drivers\ippflt.sys scan completed successfully hidden files: 7 ************************************************************************** [HKEY_LOCAL_MACHINE\system\ControlSet003\Services\ippflt] "ImagePath"="System32\Drivers\ippflt.sys" Completion time: 2007-09-01 13:14:08 - machine was rebooted C:\ComboFix-quarantined-files.txt ... 2007-09-01 13:14 C:\ComboFix2.txt ... 2007-08-31 19:52 C:\ComboFix3.txt ... 
2007-04-24 20:02 --- E O F --- hijackthis: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 13:15:41, on 1-9-2007 Platform: Windows XP (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 (6.00.2600.0000) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\System32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe D:\Program Files\AOL\Active Virus Shield\avp.exe C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\RealVNC\VNC4\WinVNC4.exe C:\Program Files\D-Tools\daemon.exe C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe C:\Program Files\Omni\Omni keyboard driver\5.0\KbdAp32A.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe D:\Program Files\AOL\Active Virus Shield\avp.exe C:\Program Files\QuickTime\qttask.exe C:\WINDOWS\System32\ctfmon.exe C:\Program Files\Java\jre1.5.0_02\bin\jucheck.exe C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe C:\WINDOWS\System32\wuauclt.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\WINDOWS\system32\osk.exe C:\WINDOWS\system32\MSSWCHX.EXE C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {10C2AB4E-8894-455F-AD43-F007F1452119} - c:\windows\system32\fmlafml.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) 
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033 O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start O4 - HKLM\..\Run: [LWBKEYBOARD] C:\Program Files\Omni\Omni keyboard driver\5.0\KbdAp32A.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [aol] "D:\Program Files\AOL\Active Virus Shield\avp.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [mbvigaaa] C:\WINDOWS\System32\mbvigaaa.exe O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe O4 - HKCU\..\Run: [mbvigaaa] C:\WINDOWS\System32\mbvigaaa.exe O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Lokale service') O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Netwerkservice') O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] 
C:\WINDOWS\System32\CTFMON.EXE (User 'Default user') O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Verzenden naar &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll (file missing) O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - 
http://spaces.msn.com//PhotoUpload/MsnPUpld.cab O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://cache.hyvz.com/statics/Aurigma/ImageUploader4.cab O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab O16 - DPF: {D83C1BD1-DCBB-11D4-9425-0050BF33FA6E} (CycloScopeLite Control) - http://www.cyclomedia.nl/download/components/CycloScopeLite.cab O20 - AppInit_DLLs: C:\WINDOWS\System32\wmfhotfix.dll O20 - Winlogon Notify: meqnjzje - C:\WINDOWS\SYSTEM32\fmlafml.dll O21 - SSODL: FgQHWLXjBG - {341C3C78-9EB6-96D2-9DF2-8A7063A4210E} - (no file) O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: Active Virus Shield (AVP) - AOL - D:\Program Files\AOL\Active Virus Shield\avp.exe O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. 
- C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe O23 - Service: FireDaemon Service: ecure (ecure) - Unknown owner - C:\WINDOWS\Temp\FireDaemon.EXE (file missing) O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe O23 - Service: FireDaemon Service: svchost1 (svchost1) - Unknown owner - C:\WINDOWS\Temp\FireDaemon.EXE (file missing) O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe -- End of file - 8367 bytes
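The two logs above are read the way a forum helper reads them: the real signal is not any single entry but the combination of a random-looking name, an unusual load point (a Winlogon Notify DLL, an unnamed BHO, a service in the svchost netsvcs group), a binary running from a Temp directory, an entry registered in both HKLM and HKCU, and registry references whose file is already gone. The script below is an added example for this thread, not code from the post, from HijackThis or from ComboFix. SAMPLE is constructed from the kinds of lines visible in the log above; the weights, the allowlist and the "random-looking name" rule are the example's own choices, not documented tool behaviour, so a hit means "look closer", not "malicious".

```python
"""Heuristic triage of HijackThis / ComboFix autostart lines (added example)."""
import re
from collections import Counter

# Constructed sample: the shapes of entries seen in the log above.
SAMPLE = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {10C2AB4E-8894-455F-AD43-F007F1452119} - c:\windows\system32\fmlafml.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mbvigaaa] C:\WINDOWS\System32\mbvigaaa.exe
O4 - HKCU\..\Run: [mbvigaaa] C:\WINDOWS\System32\mbvigaaa.exe
O20 - Winlogon Notify: meqnjzje - C:\WINDOWS\SYSTEM32\fmlafml.dll
O21 - SSODL: FgQHWLXjBG - {341C3C78-9EB6-96D2-9DF2-8A7063A4210E} - (no file)
O23 - Service: FireDaemon Service: ecure (ecure) - Unknown owner - C:\WINDOWS\Temp\FireDaemon.EXE (file missing)
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
S2 odzpqoil;IPX Traffic Forwarder Monitor;C:\WINDOWS\System32\svchost.exe -k netsvcs
"""

VOWELS = set("aeiouy")
# Illustrative allowlist (this example's own, far from complete): legitimate
# consonant-heavy names that the randomness rule would otherwise flag.
KNOWN_GOOD = {"ctfmon", "svchost", "qttask", "btwdins", "spoolsv", "smss", "lsass"}
PATH_RE = re.compile(r'([a-z]:\\[^"\s][^"]*?\.(?:exe|dll|sys|ocx))\b', re.I)
NAME_RES = [re.compile(p) for p in (
    r"\[([^\]]+)\]",                         # O4 value name
    r"(?:Winlogon Notify|SSODL): (\S+) -",   # O20/O21 key name
    r"Service: .*?\((\w+)\) -",              # O23 short service name
    r"^[RS]\d (\w+);",                       # ComboFix service line
)]


def looks_random(name: str) -> bool:
    """6-10 letters with no word-like vowel structure, or a tripled letter."""
    stem = name.lower()
    if not re.fullmatch(r"[a-z]{6,10}", stem):
        return False
    if re.search(r"(.)\1\1", stem):
        return True
    vowel_ratio = sum(c in VOWELS for c in stem) / len(stem)
    runs = re.findall(r"[^aeiouy]+", stem) or [""]
    return vowel_ratio < 0.25 or max(len(r) for r in runs) >= 4


def names_in(line: str) -> list:
    """Candidate names on one line: the file stem plus any key/value/service name."""
    names = []
    m = PATH_RE.search(line)
    if m:
        names.append(m.group(1).rsplit("\\", 1)[-1].rsplit(".", 1)[0])
    for rx in NAME_RES:
        m = rx.search(line)
        if m:
            names.append(m.group(1))
    return names


def score_line(line: str, run_targets=None) -> tuple:
    """Return (score, reasons); run_targets counts how often each O4 target path occurs."""
    run_targets = run_targets or {}
    low = line.lower()
    score, reasons = 0, []
    if "(no file)" in low or "(file missing)" in low:
        score += 2; reasons.append("target file absent (dangling entry)")
    if "\\temp\\" in low:
        score += 3; reasons.append("runs from a Temp directory")
    if low.startswith(("o20 ", "o21 ")):
        score += 2; reasons.append("Winlogon / shell load point")
    if low.startswith("o2 - bho: (no name)"):
        score += 1; reasons.append("BHO without a name")
    if "unknown owner" in low:
        score += 1; reasons.append("service without a publisher")
    if re.match(r"^[RS]\d ", line) and "svchost.exe -k netsvcs" in low:
        score += 3; reasons.append("DLL service in the svchost netsvcs group")
    odd = sorted({n for n in names_in(line) if looks_random(n) and n.lower() not in KNOWN_GOOD})
    if odd:
        score += 2; reasons.append("random-looking name(s): " + ", ".join(odd))
    m = PATH_RE.search(line)
    if low.startswith("o4 ") and m and run_targets.get(m.group(1).lower(), 0) > 1:
        score += 1; reasons.append("same target in more than one Run hive")
    return score, reasons


def triage(log_text: str, threshold: int = 3) -> list:
    """[(score, line, reasons)] for every line at or above threshold, highest score first."""
    lines = [l.strip() for l in log_text.splitlines() if l.strip()]
    run_targets = Counter(
        PATH_RE.search(l).group(1).lower()
        for l in lines if l.lower().startswith("o4 ") and PATH_RE.search(l)
    )
    hits = []
    for line in lines:
        score, reasons = score_line(line, run_targets)
        if score >= threshold:
            hits.append((score, line, reasons))
    hits.sort(key=lambda h: -h[0])  # stable sort: ties keep log order
    return hits


if __name__ == "__main__":
    for score, line, reasons in triage(SAMPLE):
        print(f"[{score}] {line}\n      " + "; ".join(reasons))
```

On the sample, the Adobe BHO and the RealVNC service score zero, qttask.exe is rescued by the allowlist, and the eight remaining lines are exactly the ones the helper's CFScript later targets or tells the user to fix in HijackThis. Note that the name rule alone would also flag ctfmon.exe and svchost.exe; the allowlist and the location signals exist precisely because name entropy is never enough on its own.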
  • Could you submit C:\WINDOWS\System32\mbvigaaa.exe here: http://www.bleepingcomputer.com/subm....php?channel=9
How?
1. In the first box (Link to topic where this file was requested:) copy and paste this link: http://forum.computertotaal.nl/phpBB2/viewtopic.php?p=1231941#1231941
2. In the second box (Browse to the file you want to submit:) copy and paste this: C:\ path to the file
3. Click the Send file button.
Thanks in advance
  • I don't quite understand what you mean... your sentences seem incomplete. When I click the link I get: sorry, the page you have requested cannot be found. Wrong link? All I can do on that page is search, nothing else.
  • http://www.bleepingcomputer.com/submit-malware.php?channel=9 It just worked for me? I hope it works now. Never mind, it won't work; according to the data the file is no longer active.
  • Hello, one moment, I'm adjusting the fix.

Remove your current copy of ComboFix <<< important. Then reboot.

Then <<<<<<< download http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe to your Desktop; please do not run it yet, so leave it alone for now.

Open Notepad, and copy and paste the following into an empty window:

Collect::[9]
C:\WINDOWS\system32\nyoldfsa.dll
C:\WINDOWS\system32\fmlafml.dll
C:\WINDOWS\system32\drivers\neurwdoq.sys
C:\WINDOWS\system32\dfrgsna.dll

Driver::
reaucigj
ecure
odzpqoil
svchost1

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{10C2AB4E-8894-455F-AD43-F007F1452119}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mbvigaaa"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mbvigaaa"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\meqnjzje]

Drag CFScript.txt onto ComboFix.exe as shown in this example: http://img.photobucket.com/albums/v666/sUBs/CFScript.gif

This will restart ComboFix. Reboot if asked to, and post the contents of Combofix.txt in your next reply together with a new HijackThis log.

In addition, ComboFix will place a zipped file on your Desktop named [4]-Submit_Date_Time.zip. At the end of the scan a window titled "Submit files for further analysis" will also open; click OK to open the upload page, copy the bold path shown on that page and paste it into the input box. Click Send File. ;) This should go fine now.

Good luck,
Juisterr
  • combofix:

ComboFix 07-08-30.3 - "Rik Steverink" 2007-09-01 20:40:45.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.0.1252.1.1043.18.234 [GMT 2:00]
Command switches used :: C:\Documents and Settings\Rik Steverink\Bureaublad\CFScript.txt
* Created a new restore point

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\WINDOWS\system32\dfrgsna.dll
C:\WINDOWS\system32\drivers\neurwdoq.sys
C:\WINDOWS\system32\fmlafml.dll
C:\WINDOWS\system32\nyoldfsa.dll

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

-------\LEGACY_ECURE
-------\LEGACY_ODZPQOIL
-------\LEGACY_REAUCIGJ
-------\LEGACY_SVCHOST1
-------\ecure
-------\odzpqoil
-------\reaucigj
-------\svchost1

((((((((((((((((((((((((( Files Created from 2007-08-01 to 2007-09-01 )))))))))))))))))))))))))))))))

2007-09-01 12:56 684,567 --a------ C:\WINDOWS\system32\libeay32.dll
2007-09-01 12:56 147,729 --a------ C:\WINDOWS\system32\libssl32.dll
2007-08-31 12:08 <DIR> d-------- C:\Program Files\Trend Micro
2007-08-28 17:28 <DIR> d-------- C:\WINDOWS\LogFiles
2007-08-27 18:16 <DIR> d-------- C:\Program Files\Tams11
2007-08-22 21:20 <DIR> d-------- C:\Bdienst
2007-08-11 15:23 <DIR> d-------- C:\Program Files\Firefly Studios

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-09-01 20:45 2395544 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2007-09-01 20:45 178759200 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-09-01 20:45 1096224 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2007-09-01 20:45 104120 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2007-08-28 17:14 --------- d-------- C:\Program Files\Spyware Doctor
2007-08-28 15:57 --------- d-------- C:\Program Files\Hitman Pro
2007-08-28 14:49 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-08-28 11:40 --------- d-------- C:\Program Files\SpywareBlaster
2007-08-20 21:08 --------- d-------- C:\Program Files\Broderbund
2007-08-20 21:07 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-20 21:07 --------- d-------- C:\Program Files\Nokia
2007-08-20 21:06 --------- d--h----- C:\DOCUME~1\RIKSTE~1\APPLIC~1\Move Networks
2007-08-20 21:06 --------- d-------- C:\Program Files\DivX
2007-08-20 21:05 --------- d-------- C:\Program Files\BearFlix
2007-08-11 15:21 --------- d-------- C:\Program Files\ACE Mega CoDecS Pack
2007-07-16 17:10 --------- d-------- C:\DOCUME~1\RIKSTE~1\APPLIC~1\ATI
2007-07-16 17:05 --------- d-------- C:\Program Files\ATI Technologies
2007-07-16 16:51 --------- d-------- C:\Program Files\SiSoftware
2007-07-16 16:02 --------- d-------- C:\Program Files\Radical Games
2007-07-07 17:39 --------- d-------- C:\Program Files\Google
2007-07-07 17:36 --------- d-------- C:\Program Files\Jasc Software Inc
2007-06-17 00:11 51200 --a------ C:\WINDOWS\nircmd.exe
2006-11-25 17:56:21 2,932 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys

((((((((((((((((((((((((((((( snapshot_2007-08-31_195159,45 )))))))))))))))))))))))))))))))))))))))))

----a-w 241,664 2007-09-01 11:04:14 C:\WINDOWS\system32\config\systemprofile\ntuser.dat
----a-w 32,768 2007-09-01 10:46:22 C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
----a-w 32,768 2007-09-01 10:46:22 C:\WINDOWS\system32\config\systemprofile\Local Settings\Geschiedenis\History.IE5\index.dat
----a-w 241,664 2007-08-31 17:46:38 C:\WINDOWS\system32\config\systemprofile\ntuser.dat
----a-w 32,768 2007-08-31 16:58:12 C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
----a-w 32,768 2007-08-31 16:58:12 C:\WINDOWS\system32\config\systemprofile\Local Settings\Geschiedenis\History.IE5\index.dat

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools-1033"="C:\Program Files\D-Tools\daemon.exe" [2004-08-22 18:05]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe" [2005-03-04 04:36]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 16:30]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 16:30]
"LWBKEYBOARD"="C:\Program Files\Omni\Omni keyboard driver\5.0\KbdAp32A.exe" [2004-05-27 04:37]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-03-17 17:25]
"aol"="D:\Program Files\AOL\Active Virus Shield\avp.exe" [2006-05-30 13:13]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-05 17:03]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 16:41]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2001-09-07 14:00]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\WINDOWS\System32\wmfhotfix.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^BTTray.lnk]
path=C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\BTTray.lnk
backup=C:\WINDOWS\pss\BTTray.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cmaudio]
RunDll32 cmicnfg.cpl,CMICtrlWnd

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DownloadAccelerator]
"C:\Program Files\DAP\DAP.EXE" /STARTUP

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
C:\Program Files\Nokia\Nokia PC Suite 6\Launch Application 2.exe -onlytray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PcSync]
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
D:\Program Files\Picasa2\PicasaMediaDetector.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RocketDock]
"C:\WINDOWS\BricoPacks\Crystal Clear\RocketDock\RocketDock.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WeatherCast]
"C:\Program Files\WeatherCast\Weather.exe" /q

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Adobe LM Service"=3 (0x3)

S3 Maplom;Maplom;C:\WINDOWS\System32\drivers\Maplom.sys
S3 NTSIM;NTSIM;\??\C:\WINDOWS\System32\ntsim.sys

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
odzpqoil

*Newly Created Service* - REAUCIGJ

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-01 20:47:38
Windows 5.1.2600 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\AppCert
C:\WINDOWS\system32\drivers\hd_dirs.cfg
C:\WINDOWS\system32\drivers\hd_files.cfg
C:\WINDOWS\system32\drivers\hd_rkeys.cfg
C:\WINDOWS\system32\drivers\hd_rvals.cfg
C:\WINDOWS\system32\drivers\hd_self.cfg
C:\WINDOWS\system32\drivers\ippflt.sys

scan completed successfully
hidden files: 7

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet003\Services\ippflt]
"ImagePath"="System32\Drivers\ippflt.sys"

Completion time: 2007-09-01 20:50:31 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-01 20:50
C:\ComboFix2.txt ... 2007-09-01 13:14
C:\ComboFix3.txt ... 2007-08-31 19:52
--- E O F ---

hijackthis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:54:40, on 1-9-2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Omni\Omni keyboard driver\5.0\KbdAp32A.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\AOL\Active Virus Shield\avp.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Java\jre1.5.0_02\bin\jucheck.exe
D:\Program Files\AOL\Active Virus Shield\avp.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\system32\osk.exe
C:\WINDOWS\system32\MSSWCHX.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [LWBKEYBOARD] C:\Program Files\Omni\Omni keyboard driver\5.0\KbdAp32A.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [aol] "D:\Program Files\AOL\Active Virus Shield\avp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Netwerkservice')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Verzenden naar &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll (file missing)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://cache.hyvz.com/statics/Aurigma/ImageUploader4.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {D83C1BD1-DCBB-11D4-9425-0050BF33FA6E} (CycloScopeLite Control) - http://www.cyclomedia.nl/download/components/CycloScopeLite.cab
O20 - AppInit_DLLs: C:\WINDOWS\System32\wmfhotfix.dll
O21 - SSODL: FgQHWLXjBG - {341C3C78-9EB6-96D2-9DF2-8A7063A4210E} - (no file)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Active Virus Shield (AVP) - AOL - D:\Program Files\AOL\Active Virus Shield\avp.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

-- End of file - 7705 bytes

After I ran ComboFix a popup window did indeed appear with "Submit files for further analysis". I clicked OK, but only an Internet Explorer window opened and it stayed blank. I waited a little over a minute, but nothing came. Should I try the link in the other message from bleepingcomputer.com?

Ignore the above. I saw a link on my desktop called CF-Submit, and then what you were talking about appeared after all. The file has now been sent successfully.
  • Very good, I'm sure they'll be happy with it at bleepingcomputer. It doesn't look bad; please do the following. I'm still going to ask about one thing, so I'll get back to you on that. How is the PC doing otherwise?

Start HijackThis and choose 'Do a system scan only'. Select only the items listed below:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O21 - SSODL: FgQHWLXjBG - {341C3C78-9EB6-96D2-9DF2-8A7063A4210E} - (no file)

Close all windows except HijackThis. Click 'Fix checked' to remove the items.

Your Java software is out of date. Older versions have holes that give malware the chance to install itself on your system. First follow these steps to uninstall Java and install the newer version:

- Download Java Runtime Environment (JRE) 6u2: http://java.sun.com/javase/downloads/index.jsp
- Scroll down to "Java Runtime Environment (JRE) 6u2".
- Click the "Download" button on the right.
- Tick "Accept License Agreement".
- The page will reload.
- Click the link to download the Windows Offline Installation, Multi-language, and save it to your Desktop.
- Close all programs that may be open, especially your web browser!
- Then go to Start > Control Panel > Add or Remove Programs and remove all older versions of Java from the list.
- Tick everything with Java Runtime Environment (JRE or J2SE) in the name.
- Then click Remove or the Change/Remove button.
- Repeat this until all older versions are gone.
- After removing all older versions, restart your PC.
- Then double-click jre-6u2-windows-i586-p.exe on your Desktop to install the newest version of Java.

Post a new log and answer the questions.
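The 'Fix checked' step above depends on reading the log by eye: orphaned "(no file)" entries, unnamed BHOs whose DLL has a generated-looking name in system32, an SSODL entry with a random name, an AppInit_DLLs hook, services without a vendor string. The script below, added here as an example and not part of the thread or of HijackThis itself, applies the same kind of judgement to HijackThis log lines. The sample lines are copied from the first log in the thread; the scoring weights and the "random-looking name" test are my own heuristics and only order what to look at first.

```python
"""Rule-of-thumb triage for HijackThis (HJT) log entries.

Added example for this thread; it is not part of the original posts and not
HijackThis's own logic.  The sample lines are copied from the logs posted
above; the scoring rules are my own heuristics and every hit still needs a
human look (a 'random' name is only a hint, not a verdict).
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: a handful of entries taken from the first HJT log in the thread.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {10C2AB4E-8894-455F-AD43-F007F1452119} - c:\windows\system32\fmlafml.dll
O2 - BHO: (no name) - {4D8BAEB1-6664-41CA-AB7D-6649D7F37299} - c:\windows\system32\rtxzpcai.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [aol] "D:\Program Files\AOL\Active Virus Shield\avp.exe"
O20 - AppInit_DLLs: C:\WINDOWS\System32\wmfhotfix.dll
O21 - SSODL: FgQHWLXjBG - {341C3C78-9EB6-96D2-9DF2-8A7063A4210E} - (no file)
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Active Virus Shield (AVP) - AOL - D:\Program Files\AOL\Active Virus Shield\avp.exe
"""

ENTRY_RE = re.compile(r"^(O\d+|R\d|F\d) - (.*)$")
# First Windows path ending in a loadable extension; spaces are allowed, quotes are not.
PATH_RE = re.compile(r"[A-Za-z]:\\[^\"<>|]+?\.(?:dll|exe|sys|ocx)", re.I)
SYSTEM32_RE = re.compile(r"^[A-Za-z]:\\windows\\system32\\([^\\]+)\.(?:dll|exe|sys|ocx)$", re.I)
VOWELS = set("aeiouy")


def looks_random(name: str) -> bool:
    """Crude test for generated names such as 'fmlafml', 'rtxzpcai' or 'FgQHWLXjBG':
    purely alphabetic, 6-12 characters, and either vowel-poor or containing a
    run of four or more consonants.  Apply it only where a name is expected to
    be meaningful (an unnamed BHO or an SSODL entry); used blindly it also
    hits legitimate names like 'ctfmon'."""
    n = name.lower()
    if not n.isalpha() or not 6 <= len(n) <= 12:
        return False
    vowel_ratio = sum(c in VOWELS for c in n) / len(n)
    consonant_run = re.search(r"[^aeiouy]{4}", n) is not None
    return vowel_ratio < 0.3 or consonant_run


@dataclass
class Finding:
    line: str
    score: int = 0
    reasons: List[str] = field(default_factory=list)

    def add(self, points: int, why: str) -> None:
        self.score += points
        self.reasons.append(why)


def _first_path(text: str) -> Optional[str]:
    m = PATH_RE.search(text)
    return m.group(0) if m else None


def triage(log_text: str) -> List[Finding]:
    """Score each HJT entry; entries scoring 0 are dropped.  Higher = look at first."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        section, body = m.group(1), m.group(2)
        f = Finding(line)
        path = _first_path(body)
        stem = None
        if path:
            sm = SYSTEM32_RE.match(path)
            stem = sm.group(1) if sm else None

        if "(no file)" in body:
            f.add(1, "orphaned entry: still registered but the file is gone (safe to fix)")
        if section == "O2" and "(no name)" in body:
            if stem and looks_random(stem):
                f.add(3, "unnamed BHO loading a random-looking DLL from system32")
            else:
                f.add(1, "unnamed BHO: identify the DLL before fixing")
        if section == "O21":
            ssodl_name = body.split("SSODL: ", 1)[-1].split(" - ", 1)[0]
            if looks_random(ssodl_name):
                f.add(3, "ShellServiceObjectDelayLoad entry with a random-looking name")
        if section == "O20":
            f.add(2, "AppInit_DLLs: injected into every process that loads user32.dll; verify by hand")
        if section == "O23" and "Unknown owner" in body:
            f.add(1, "service without a vendor string")

        if f.score:
            findings.append(f)
    findings.sort(key=lambda x: -x.score)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.score}] {f.line}")
        for why in f.reasons:
            print(f"      - {why}")
```

Run it as-is and the two unnamed BHOs from system32 and the SSODL entry come out on top, the Spybot helper (also "(no name)", but from its own program folder) and the vendor-less ATI service score low, and the AOL service and Adobe BHO do not appear at all. The AppInit_DLLs line always scores, because whatever sits there is mapped into nearly every process; that is a reason to check the file, not a verdict on it.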
  • Hi, I did the above. I don't have the impression the PC is doing much better. I can browse the internet for longer again, but that's about it. If I want to open my Hotmail, for example, I get into the Inbox, but as soon as I click a message it throws me out again. Same thing with games like GTA SA: it loads the game but never gets to the menu.

HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:53:08, on 2-9-2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Omni\Omni keyboard driver\5.0\KbdAp32A.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\AOL\Active Virus Shield\avp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
D:\Program Files\AOL\Active Virus Shield\avp.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [LWBKEYBOARD] C:\Program Files\Omni\Omni keyboard driver\5.0\KbdAp32A.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [aol] "D:\Program Files\AOL\Active Virus Shield\avp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Netwerkservice')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Verzenden naar &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll (file missing)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://cache.hyvz.com/statics/Aurigma/ImageUploader4.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {D83C1BD1-DCBB-11D4-9425-0050BF33FA6E} (CycloScopeLite Control) - http://www.cyclomedia.nl/download/components/CycloScopeLite.cab
O20 - AppInit_DLLs: C:\WINDOWS\System32\wmfhotfix.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Active Virus Shield (AVP) - AOL - D:\Program Files\AOL\Active Virus Shield\avp.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 7710 bytes
  • Start HijackThis and choose 'Do a system scan only'. Select only the items listed below:

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

Click 'Fix checked' to remove the items.

Download Dr.Web CureIt to your desktop: ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
Double-click drweb-cureit.exe and allow it to start the express scan. This scans the files currently loaded in memory; if anything is found, click the 'Yes to all' button when asked 'cure it?'. This is only a short scan.
Once the short scan has finished, click Options > Change Settings. Choose the "Scan" tab and untick "Heuristic analyse".
Back in the main window you can select the drives you want to scan. Select all drives. A red dot will appear on the drives you are going to scan.
Then click the green arrow on the right to start the scan. Click 'Yes to all' when asked to cure or move.
When the scan is done, check whether you can click the following icon next to what was found: (image: http://users.telenet.be/bluepatchy/miekiemoes/images/check.gif)
If so, click it, then click the icon just below it and choose Move incurable, as shown in the following image: (image: http://users.telenet.be/bluepatchy/miekiemoes/images/move.gif)
This will move files that cannot be disinfected to the folder %userprofile%\DoctorWeb\quarantaine-folder (this is in case we need samples).
After selecting the above, in the menu at the top of Dr.Web CureIt click file and choose save report list. Save the log to your desktop. Then close Dr.Web CureIt.
Restart your computer!! This is an important step, because Dr.Web CureIt may move/delete files during the restart.
After restarting, copy and paste the contents of the log you saved earlier into your next post.

Download F-Secure Blacklight: https://europe.f-secure.com/blacklight/try.shtml
Save it to your desktop. Double-click blbeta.exe. Click "I accept the agreement". Click "Next". Click "Scan" and, when the program is finished, click "Next".
If Blacklight finds anything, it will show a list of files. Don't let it rename anything yet.
On your desktop there is a file named fsbl.xxxxxxx.log (the x's stand for digits). This is the log Blacklight made. Post it.

Good luck
  • Dr.Web log:

vncviewer.exe  C:\Program Files\RealVNC\VNC4  Program.RemoteAdmin  Incurable. Moved.
wm_hooks.dll  C:\Program Files\RealVNC\VNC4  Program.RemoteAdmin  Incurable. Moved.
3.exe.vir  C:\QooBox\Quarantine\C\WINDOWS  Trojan.DownLoader.23861  Deleted.
rtxzpcai.dll.vir  C:\QooBox\Quarantine\C\WINDOWS\system32  Trojan.Scrip  Deleted.
A0021084.exe  C:\System Volume Information\_restore{96AC746A-1A86-470C-9361-CC98AEE9761B}\RP3  Trojan.StartPage.20448  Deleted.
A0021169.dll  C:\System Volume Information\_restore{96AC746A-1A86-470C-9361-CC98AEE9761B}\RP4  Trojan.Scrip  Deleted.
A0021234.exe  C:\System Volume Information\_restore{96AC746A-1A86-470C-9361-CC98AEE9761B}\RP4  Trojan.StartPage.20448  Deleted.
A0021374.exe  C:\System Volume Information\_restore{96AC746A-1A86-470C-9361-CC98AEE9761B}\RP5  Trojan.StartPage.20448  Deleted.
process.exe  C:\WINDOWS\system32  Tool.Prockill  Incurable. Moved.
restart.exe  C:\WINDOWS\system32  Tool.ShutDown.11  Incurable. Moved.
  • F-Secure BlackLight log:

09/02/07 22:09:10 [Info]: BlackLight Engine 1.0.64 initialized
09/02/07 22:09:10 [Info]: OS: 5.1 build 2600 ()
09/02/07 22:09:10 [Note]: 7019 4
09/02/07 22:09:10 [Note]: 7005 0
09/02/07 22:09:15 [Note]: 7006 0
09/02/07 22:09:15 [Note]: 7011 1704
09/02/07 22:09:16 [Note]: 7026 0
09/02/07 22:09:16 [Note]: 7026 0
09/02/07 22:09:21 [Note]: FSRAW library version 1.7.1022
09/02/07 22:13:02 [Info]: Hidden file: c:\WINDOWS\system32\AppCert\filter.drv
09/02/07 22:13:02 [Note]: 10002 3
09/02/07 22:13:02 [Info]: Hidden file: c:\WINDOWS\system32\AppCert\prx66b.dll
09/02/07 22:13:02 [Note]: 10002 3
09/02/07 22:13:02 [Info]: Hidden file: c:\WINDOWS\system32\AppCert\wnl32.dll
09/02/07 22:13:02 [Note]: 10002 3
09/02/07 22:13:02 [Info]: Hidden file: c:\WINDOWS\system32\AppCert\wsil32.dll
09/02/07 22:13:02 [Note]: 10002 3
09/02/07 22:13:17 [Note]: 10002 3
09/02/07 22:13:17 [Note]: 10002 3
09/02/07 22:13:17 [Note]: 10002 3
09/02/07 22:13:17 [Note]: 10002 3
09/02/07 22:13:28 [Info]: Hidden file: c:\WINDOWS\system32\drivers\hd_dirs.cfg
09/02/07 22:13:28 [Note]: 10002 1
09/02/07 22:13:29 [Info]: Hidden file: c:\WINDOWS\system32\drivers\hd_files.cfg
09/02/07 22:13:29 [Note]: 10002 1
09/02/07 22:13:29 [Info]: Hidden file: c:\WINDOWS\system32\drivers\hd_rkeys.cfg
09/02/07 22:13:29 [Note]: 10002 1
09/02/07 22:13:29 [Info]: Hidden file: c:\WINDOWS\system32\drivers\hd_rvals.cfg
09/02/07 22:13:29 [Note]: 10002 1
09/02/07 22:13:29 [Info]: Hidden file: c:\WINDOWS\system32\drivers\hd_self.cfg
09/02/07 22:13:29 [Note]: 10002 1
09/02/07 22:13:30 [Info]: Hidden file: c:\WINDOWS\system32\drivers\ippflt.sys
09/02/07 22:13:30 [Note]: 10002 1
09/02/07 22:17:31 [Note]: 7007 0
  • This step too. Open Notepad and copy and paste the following (bold, blue text) into an empty window:

Driver::
ippflt

Collect::
c:\WINDOWS\system32\drivers\ippflt.sys

Drag CFScript.txt onto ComboFix.exe as shown in the example below: (image: http://img.photobucket.com/albums/v666/sUBs/CFScript.gif)

This will make ComboFix restart. Reboot if prompted, and post the contents of Combofix.txt in your next reply together with a new HijackThis log.
In addition, ComboFix will place a zipped file on your Desktop named [4]-Submit_Date_Time.zip. Also, after the scan a small window titled "Submit files for further analysis" will open; click OK to open the upload page, copy the bold path shown on that page, and paste it into the input box. Click Send File.

Good luck
  • ComboFix log:

ComboFix 07-08-30.3 - "Rik Steverink" 2007-09-03 16:43:31.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.0.1252.1.1043.18.243 [GMT 2:00]
Command switches used :: C:\Documents and Settings\Rik Steverink\Bureaublad\CFScript.txt
* Created a new restore point

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

-------\LEGACY_IPPFLT

((((((((((((((((((((((((( Files Created from 2007-08-03 to 2007-09-03 )))))))))))))))))))))))))))))))

2007-09-03 16:16 58,368 --a------ C:\WINDOWS\system32\atmpvcn.dll
2007-09-03 16:10 24,064 --a------ C:\WINDOWS\system32\sws.exe
2007-09-03 16:09 58,368 --a------ C:\WINDOWS\system32\avwa.dll
2007-09-03 16:09 17,280 --a------ C:\WINDOWS\system32\drivers\neurwdoq.sys
2007-09-02 19:33 <DIR> d-------- C:\DOCUME~1\RIKSTE~1\DoctorWeb
2007-09-01 12:56 684,567 --a------ C:\WINDOWS\system32\libeay32.dll
2007-09-01 12:56 147,729 --a------ C:\WINDOWS\system32\libssl32.dll
2007-08-31 12:08 <DIR> d-------- C:\Program Files\Trend Micro
2007-08-28 17:28 <DIR> d-------- C:\WINDOWS\LogFiles
2007-08-27 19:19 <DIR> d-------- C:\WINDOWS\system32\AppCert
2007-08-27 18:16 <DIR> d-------- C:\Program Files\Tams11
2007-08-22 21:20 <DIR> d-------- C:\Bdienst
2007-08-11 15:23 <DIR> d-------- C:\Program Files\Firefly Studios

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-09-03 16:47 2401520 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2007-09-03 16:47 178759200 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-09-03 16:47 1096224 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2007-09-03 16:47 105200 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2007-08-28 17:14 --------- d-------- C:\Program Files\Spyware Doctor
2007-08-28 15:57 --------- d-------- C:\Program Files\Hitman Pro
2007-08-28 14:49 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-08-28 11:40 --------- d-------- C:\Program Files\SpywareBlaster
2007-08-27 19:20 93 --a------ C:\WINDOWS\system32\drivers\hd_files.cfg
2007-08-27 19:20 44 --a------ C:\WINDOWS\system32\drivers\hd_rkeys.cfg
2007-08-27 19:20 27 --a------ C:\WINDOWS\system32\drivers\hd_dirs.cfg
2007-08-27 19:20 17 --a------ C:\WINDOWS\system32\drivers\hd_self.cfg
2007-08-27 19:20 155 --a------ C:\WINDOWS\system32\drivers\hd_rvals.cfg
2007-08-20 21:08 --------- d-------- C:\Program Files\Broderbund
2007-08-20 21:07 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-20 21:07 --------- d-------- C:\Program Files\Nokia
2007-08-20 21:06 --------- d--h----- C:\DOCUME~1\RIKSTE~1\APPLIC~1\Move Networks
2007-08-20 21:06 --------- d-------- C:\Program Files\DivX
2007-08-20 21:05 --------- d-------- C:\Program Files\BearFlix
2007-08-11 15:21 --------- d-------- C:\Program Files\ACE Mega CoDecS Pack
2007-07-16 17:10 --------- d-------- C:\DOCUME~1\RIKSTE~1\APPLIC~1\ATI
2007-07-16 17:05 --------- d-------- C:\Program Files\ATI Technologies
2007-07-16 16:51 --------- d-------- C:\Program Files\SiSoftware
2007-07-16 16:02 --------- d-------- C:\Program Files\Radical Games
2007-07-07 17:39 --------- d-------- C:\Program Files\Google
2007-07-07 17:36 --------- d-------- C:\Program Files\Jasc Software Inc
2007-06-17 00:11 51200 --a------ C:\WINDOWS\nircmd.exe
2006-11-25 17:56:21 2,932 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys

((((((((((((((((((((((((((((( snapshot_2007-08-31_195159,45 )))))))))))))))))))))))))))))))))))))))))

----a-w 135,168 2007-07-11 23:22:00 C:\WINDOWS\system32\java.exe
----a-w 135,168 2007-07-11 23:22:04 C:\WINDOWS\system32\javaw.exe
----a-w 139,264 2007-07-12 00:22:38 C:\WINDOWS\system32\javaws.exe
----a-w 196,608 2007-08-28 09:33:35 C:\WINDOWS\system32\AppCert\prx66b.dll
----a-w 54,684 2001-09-07 12:00:00 C:\WINDOWS\system32\AppCert\wnl32.dll
----a-w 24,576 2001-09-07 12:00:00 C:\WINDOWS\system32\AppCert\wsil32.dll
----a-w 241,664 2007-09-03 14:43:00 C:\WINDOWS\system32\config\systemprofile\ntuser.dat
----a-w 32,768 2007-09-01 10:46:22 C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
----a-w 32,768 2007-09-01 10:46:22 C:\WINDOWS\system32\config\systemprofile\Local Settings\Geschiedenis\History.IE5\index.dat
----a-w 87,040 2001-09-07 12:00:00 C:\WINDOWS\system32\drivers\ippflt.sys
----a-w 49,248 2005-03-04 01:06:58 C:\WINDOWS\system32\java.exe
----a-w 49,250 2005-03-04 01:07:06 C:\WINDOWS\system32\javaw.exe
----a-w 127,078 2005-03-04 02:36:48 C:\WINDOWS\system32\javaws.exe
----a-w 241,664 2007-08-31 17:46:38 C:\WINDOWS\system32\config\systemprofile\ntuser.dat
----a-w 32,768 2007-08-31 16:58:12 C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
----a-w 32,768 2007-08-31 16:58:12 C:\WINDOWS\system32\config\systemprofile\Local Settings\Geschiedenis\History.IE5\index.dat

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools-1033"="C:\Program Files\D-Tools\daemon.exe" [2004-08-22 18:05]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 16:30]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 16:30]
"LWBKEYBOARD"="C:\Program Files\Omni\Omni keyboard driver\5.0\KbdAp32A.exe" [2004-05-27 04:37]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-03-17 17:25]
"aol"="D:\Program Files\AOL\Active Virus Shield\avp.exe" [2006-05-30 13:13]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-05 17:03]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 16:41]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2001-09-07 14:00]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\WINDOWS\System32\wmfhotfix.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^BTTray.lnk]
path=C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\BTTray.lnk
backup=C:\WINDOWS\pss\BTTray.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cmaudio]
RunDll32 cmicnfg.cpl,CMICtrlWnd

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DownloadAccelerator]
"C:\Program Files\DAP\DAP.EXE" /STARTUP

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
C:\Program Files\Nokia\Nokia PC Suite 6\Launch Application 2.exe -onlytray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PcSync]
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
D:\Program Files\Picasa2\PicasaMediaDetector.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RocketDock]
"C:\WINDOWS\BricoPacks\Crystal Clear\RocketDock\RocketDock.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WeatherCast]
"C:\Program Files\WeatherCast\Weather.exe" /q

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Adobe LM Service"=3 (0x3)

R0 ippflt;IP Packet Filter;C:\WINDOWS\System32\Drivers\ippflt.sys
S3 Maplom;Maplom;C:\WINDOWS\System32\drivers\Maplom.sys
S3 NTSIM;NTSIM;\??\C:\WINDOWS\System32\ntsim.sys

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
odzpqoil

*Newly Created Service* - IPPFLT

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-03 16:49:33
Windows 5.1.2600 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-09-03 16:51:37 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-03 16:51
C:\ComboFix2.txt ... 2007-09-01 20:50
C:\ComboFix3.txt ... 2007-09-01 13:14
--- E O F ---

HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:17:07, on 3-9-2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Omni\Omni keyboard driver\5.0\KbdAp32A.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\AOL\Active Virus Shield\avp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\System32\ctfmon.exe
D:\Program Files\AOL\Active Virus Shield\avp.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [LWBKEYBOARD] C:\Program Files\Omni\Omni keyboard driver\5.0\KbdAp32A.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [aol] "D:\Program Files\AOL\Active Virus Shield\avp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Netwerkservice')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Verzenden naar &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll (file missing)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://cache.hyvz.com/statics/Aurigma/ImageUploader4.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O20 - AppInit_DLLs: C:\WINDOWS\System32\wmfhotfix.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Active Virus Shield (AVP) - AOL - D:\Program Files\AOL\Active Virus Shield\avp.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 7301 bytes
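Two steps in the exchange above are mechanical enough to script: turning BlackLight's "Hidden file:" lines into the Driver::/Collect:: CFScript the helper wrote by hand, and reading the "Files Created" section of the ComboFix log against the run time in its header. The second one is the check a responder would want on this log: atmpvcn.dll, sws.exe, avwa.dll and drivers\neurwdoq.sys were created between 16:09 and 16:16, roughly half an hour before ComboFix started at 16:43, so something on the box was still dropping files after two cleanup passes (the random-looking odzpqoil entry under Svchost NetSvcs deserves the same by-hand look). The script below is an added example, not part of the thread and not code from either tool. Sample lines are copied from the logs posted above with the user name replaced; the rule that a hidden .sys under the drivers directory is registered under a service name equal to its file stem is my assumption (it matches ippflt.sys here, but confirm it in the registry before relying on it), and the one-hour window is my own cut-off.

```python
"""Correlate a BlackLight log with a ComboFix log and draft the CFScript.

Added example for this thread; not part of the original posts and not code
from either tool.  Sample lines are copied from the logs posted above (the
ComboFix header has the user name replaced).  Assumptions: a hidden .sys file
in the drivers directory is registered as a service whose name equals the file
stem (true for ippflt.sys here, but check the registry before relying on it),
and "created within an hour before ComboFix ran" is my own cut-off for "this
box is still dropping files".
"""
import re
from datetime import datetime, timedelta
from typing import List, Tuple

# Constructed sample: three BlackLight lines from the log in the thread.
BLACKLIGHT_SAMPLE = r"""
09/02/07 22:13:02 [Info]: Hidden file: c:\WINDOWS\system32\AppCert\prx66b.dll
09/02/07 22:13:02 [Note]: 10002 3
09/02/07 22:13:30 [Info]: Hidden file: c:\WINDOWS\system32\drivers\ippflt.sys
09/02/07 22:17:31 [Note]: 7007 0
"""

# Constructed sample: header and part of the "Files Created" section of the ComboFix log.
COMBOFIX_SAMPLE = r"""
ComboFix 07-08-30.3 - "user" 2007-09-03 16:43:31.4 - NTFSx86
((((((((((((((((((((((((( Files Created from 2007-08-03 to 2007-09-03 )))))))))))))))))))))))))))))))
2007-09-03 16:16 58,368 --a------ C:\WINDOWS\system32\atmpvcn.dll
2007-09-03 16:10 24,064 --a------ C:\WINDOWS\system32\sws.exe
2007-09-03 16:09 17,280 --a------ C:\WINDOWS\system32\drivers\neurwdoq.sys
2007-09-02 19:33 <DIR> d-------- C:\DOCUME~1\USER~1\DoctorWeb
2007-09-01 12:56 684,567 --a------ C:\WINDOWS\system32\libeay32.dll
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-09-03 16:47 2401520 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
"""

HIDDEN_RE = re.compile(r"Hidden file: (.+?)\s*$")
HEADER_RE = re.compile(r"^ComboFix \S+ - .*?(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(\S+)\s+(\S+)\s+(.+?)\s*$")


def hidden_files(blacklight_log: str) -> List[str]:
    """Paths BlackLight reported as hidden from the Win32 API (rootkit candidates)."""
    found = []
    for line in blacklight_log.splitlines():
        m = HIDDEN_RE.search(line)
        if m:
            found.append(m.group(1))
    return found


def cfscript(paths: List[str]) -> str:
    """Draft a ComboFix script in the layout used in the thread: a Driver:: block
    naming the service for each hidden .sys in the drivers directory, then a
    Collect:: block for every hidden path so samples end up in the submission zip."""
    drivers = [p.rsplit("\\", 1)[-1][:-4] for p in paths
               if p.lower().endswith(".sys") and "\\drivers\\" in p.lower()]
    lines: List[str] = []
    if drivers:
        lines += ["Driver::"] + drivers + [""]
    lines += ["Collect::"] + list(paths)
    return "\n".join(lines) + "\n"


def combofix_run_time(combofix_log: str) -> datetime:
    """Start time from the ComboFix header line (fractional seconds dropped)."""
    for line in combofix_log.splitlines():
        m = HEADER_RE.match(line)
        if m:
            return datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    raise ValueError("no ComboFix header line found")


def files_created(combofix_log: str) -> List[Tuple[datetime, str]]:
    """(timestamp, path) for plain files in the 'Files Created' section; directories skipped."""
    out, in_section = [], False
    for line in combofix_log.splitlines():
        if "Files Created from" in line:
            in_section = True
            continue
        if in_section and line.startswith("(((("):
            break  # next section header
        m = CREATED_RE.match(line) if in_section else None
        if m and m.group(2) != "<DIR>":
            out.append((datetime.strptime(m.group(1), "%Y-%m-%d %H:%M"), m.group(4)))
    return out


def created_shortly_before_scan(combofix_log: str,
                                window: timedelta = timedelta(hours=1)) -> List[str]:
    """Files created inside `window` before ComboFix started.  A fresh driver and
    DLLs minutes before a cleanup run mean the dropper is still active: the
    infection is not merely surviving, it is being reinstalled."""
    run = combofix_run_time(combofix_log)
    return [path for ts, path in files_created(combofix_log) if run - window <= ts <= run]


if __name__ == "__main__":
    print(cfscript(hidden_files(BLACKLIGHT_SAMPLE)))
    for p in created_shortly_before_scan(COMBOFIX_SAMPLE):
        print("created shortly before the scan:", p)
```

On the sample data the script emits the same Driver::/Collect:: layout as the helper's CFScript (with prx66b.dll added to the Collect:: list) and reports the three files written minutes before the run. The Collect:: block matters as much as the Driver:: block: without samples of the fresh files nobody can say what keeps reinstalling the driver.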
  • May I ask how the PC is doing now? Is it working properly?

This is an archived page. Replying is no longer possible.