

Nokia_19

pimvandenderen
20 answers
  • You have already helped someone else with the same problem. On MSN I opened the file Nokia_19 that I had received from someone, and since then that file keeps being forwarded to everyone who is online on MSN. Can you help me?

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:58:47, on 2-11-2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\mqsvc.exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
    C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
    C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
    C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
    C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\TomTom HOME\TomTomHOME.exe
    C:\Norman\bin\ZLH.EXE
    C:\WINDOWS\mrofinu1148.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\WinAble\winable.exe
    C:\WINDOWS\system32\mqtgsvc.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\WINDOWS\system32\WgaTray.exe
    C:\Program Files\Norman\NPF\npfmsg.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.be/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.google.be/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    R3 - URLSearchHook: (no name) - _{00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
    R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
    O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
    O2 - BHO: mycpmads.com Browser Optimizer - {582FDCF0-A82E-4fc1-A6F6-0D2F36881F63} - C:\WINDOWS\system32\br_rt.dll (file missing)
    O2 - BHO: RXResultTracker Class - {59879FA4-4790-461c-A1CC-4EC4DE4CA483} - C:\Program Files\RXToolBar\sfcont.dll (file missing)
    O2 - BHO: ohb - {5ED7D3DE-6DBE-4516-8712-01B1B64B7057} - C:\WINDOWS\system32\SearchTool\nsb40.dll (file missing)
    O2 - BHO: ohb - {5ED7D3DE-6DBE-4516-8712-436325722327} - (no file)
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: (no name) - {98BF3E25-F7C6-8940-BB20-8F8A42F97EB0} - C:\WINDOWS\system32\iuviks.dll
    O2 - BHO: Related Page - {9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\system32\WinNB58.dll (file missing)
    O3 - Toolbar: RX Toolbar - {25D8BACF-3DE2-4B48-AE22-D659B8D835B0} - C:\Program Files\RXToolBar\RXToolBar.dll (file missing)
    O3 - Toolbar: Related Page - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\system32\WinNB58.dll (file missing)
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
    O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
    O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
    O4 - HKLM\..\Run: [mbjvqdkxsct] C:\WINDOWS\system32\ofkgaf.exe
    O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\system32\P2P Networking\P2P Networking.exe /AUTOSTART
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Ytbrupuc] C:\Program Files\Cpodduz\Asbjb.exe
    O4 - HKLM\..\Run: [webrebates] "C:\Program Files\WebRebates4\webrebates.exe"
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe
    O4 - HKLM\..\Run: [salm] c:\program files\180searchassistant\salm.exe
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
    O4 - HKLM\..\Run: [Media Gateway] C:\Program Files\Media Gateway\MediaGateway.exe
    O4 - HKLM\..\Run: [k2loagpv] C:\WINDOWS\system32\k2loagpv.exe
    O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
    O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
    O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
    O4 - HKLM\..\Run: [KAZAA] C:\Program Files\Kazaa\kazaa.exe /SYSTRAY
    O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [adstart] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\br_rt.dll" DllVerify
    O4 - HKLM\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME\TomTomHOME.exe" -s
    O4 - HKLM\..\Run: [Norman ZANDA] C:\Norman\bin\ZLH.EXE /LOAD /SPLASH
    O4 - HKLM\..\Run: [LBTWiz.exe] C:\WINDOWS\LBTWiz.exe
    O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1148.exe 61A847B5BBF72813339F30466188719AB689201522886B092CBD44BD8689220221DD3257
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Harry Potter Time-Turner] C:\Program Files\Harry Potter Time-Turner\Harry Potter Time-Turner.exe
    O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
    O4 - HKCU\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
    O4 - HKCU\..\Run: [WhenUSave] "C:\Program Files\Save\Save.exe"
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [WinAble] C:\Program Files\WinAble\winable.exe
    O4 - HKCU\..\Run: [MSNCleaner] C:\DOCUME~1\sigrid\LOCALS~1\Temp\Rar$EX00.031\MSNCleaner.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
    O4 - Global Startup: NPF Messenger.lnk = ?
    O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZNxdm119YYBE
    O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: iWatchNow Media Center - {750A64D8-DFAA-485B-A335-F7093333FBB7} - C:\Program Files\iWatchNow, Inc.\iWatchNow Media Center\iwnvod.exe
    O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: PICgrabber - {4964E240-D53C-11D5-BDA9-444553540000} - C:\Program Files\PICgrabber\PICGRABBER.EXE (HKCU)
    O9 - Extra 'Tools' menuitem: PICgrabber - Movie&Image Search/Download Software - {4964E240-D53C-11D5-BDA9-444553540000} - C:\Program Files\PICgrabber\PICGRABBER.EXE (HKCU)
    O15 - Trusted Zone: http://click.getmirar.com (HKLM)
    O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
    O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
    O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
    O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by134w.bay134.mail.live.com/mail/resources/MsnPUpld.cab
    O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://sigridsanders.spaces.live.com/PhotoUpload/MsnPUpld.cab
    O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
    O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O18 - Filter hijack: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - C:\Program Files\RXToolBar\sfcont.dll
    O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
    O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\Norman\Nvc\BIN\nipsvc.exe
    O23 - Service: Norman NJeeves - Unknown owner - C:\Norman\bin\NJEEVES.EXE
    O23 - Service: Norman Type-R - Unknown owner - C:\Program Files\Norman\NPF\NPFSVICE.EXE
    O23 - Service: Norman ZANDA - Unknown owner - C:\Norman\Bin\Zanda.exe
    O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Norman\Nvc\bin\nvcoas.exe
    O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman Data Defense Systems - C:\Norman\Nvc\BIN\NVCSCHED.EXE
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe


    End of file - 11234 bytes


    ---------- BENDEBOYS MSNFIX RAPORT ----------
    - Version: 3.6.0.0 - Last Update: 31/10/07
    - Scan performed on: vr 02-11-2007 - 13:17:15,40 By sigrid
    - Bootmode: Normal Mode

    ((((((((((((((( CREATED FILES LAST MONTH )))))))))))))))


    ((((((((((((((( FOUND FILES )))))))))))))))

    !! BEFORE FIX !!


    !! AFTER FIX !!


    ((((((((((((((( ShellServiceObjectDelayLoad )))))))))))))))

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
    "CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
    "WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
    "SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

    ---------- END OF LOG ----------








  • I'll take a look for you!
  • It's best to print out the instructions below, because in a moment you'll have to work in Safe Mode,
    where you won't have an internet connection and so can't read this back.

    1. Go to Start -> Control Panel -> Add or Remove Programs and uninstall the following there, if present:
    MyWebSearch
    P2P Networking
    WebRebates
    SurfAccuracy
    180searchassistant
    Media Gateway
    ISTsvc
    Internet Optimizer
    WhenUSave
    Winable
    Kazaa
    RXtoolbar

    If one of the programs isn't listed, just continue with the rest.

    2. Show hidden files and folders:
    http://users.telenet.be/marcvn/spyware/1117602.htm

    3. Boot your PC into Safe Mode: http://users.telenet.be/marcvn/spyware/1378056.htm

    4. Start HijackThis, choose 'Do a system scan only' and tick the lines below, if still present:
    R3 - URLSearchHook: (no name) - _{00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
    R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
    O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
    O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
    O2 - BHO: mycpmads.com Browser Optimizer - {582FDCF0-A82E-4fc1-A6F6-0D2F36881F63} - C:\WINDOWS\system32\br_rt.dll (file missing)
    O2 - BHO: RXResultTracker Class - {59879FA4-4790-461c-A1CC-4EC4DE4CA483} - C:\Program Files\RXToolBar\sfcont.dll (file missing)
    O2 - BHO: ohb - {5ED7D3DE-6DBE-4516-8712-01B1B64B7057} - C:\WINDOWS\system32\SearchTool\nsb40.dll (file missing)
    O2 - BHO: ohb - {5ED7D3DE-6DBE-4516-8712-436325722327} - (no file)
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: (no name) - {98BF3E25-F7C6-8940-BB20-8F8A42F97EB0} - C:\WINDOWS\system32\iuviks.dll
    O2 - BHO: Related Page - {9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\system32\WinNB58.dll (file missing)
    O3 - Toolbar: RX Toolbar - {25D8BACF-3DE2-4B48-AE22-D659B8D835B0} - C:\Program Files\RXToolBar\RXToolBar.dll (file missing)
    O3 - Toolbar: Related Page - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\system32\WinNB58.dll (file missing)
    O4 - HKLM\..\Run: [mbjvqdkxsct] C:\WINDOWS\system32\ofkgaf.exe
    O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\system32\P2P Networking\P2P Networking.exe /AUTOSTART
    O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
    O4 - HKLM\..\Run: [Ytbrupuc] C:\Program Files\Cpodduz\Asbjb.exe
    O4 - HKLM\..\Run: [webrebates] "C:\Program Files\WebRebates4\webrebates.exe"
    O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe
    O4 - HKLM\..\Run: [salm] c:\program files\180searchassistant\salm.exe
    O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
    O4 - HKLM\..\Run: [Media Gateway] C:\Program Files\Media Gateway\MediaGateway.exe
    O4 - HKLM\..\Run: [k2loagpv] C:\WINDOWS\system32\k2loagpv.exe
    O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
    O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
    O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
    O4 - HKLM\..\Run: [KAZAA] C:\Program Files\Kazaa\kazaa.exe /SYSTRAY
    O4 - HKLM\..\Run: [adstart] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\br_rt.dll" DllVerify
    O4 - HKLM\..\Run: [LBTWiz.exe] C:\WINDOWS\LBTWiz.exe
    O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1148.exe 61A847B5BBF72813339F30466188719AB689201522886B092CBD44BD8689220221DD3257
    O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
    O4 - HKCU\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
    O4 - HKCU\..\Run: [WhenUSave] "C:\Program Files\Save\Save.exe"
    O4 - HKCU\..\Run: [WinAble] C:\Program Files\WinAble\winable.exe
    O4 - HKCU\..\Run: [MSNCleaner] C:\DOCUME~1\sigrid\LOCALS~1\Temp\Rar$EX00.031\MSNCleaner.exe
    O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
    O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZNxdm119YYBE
    If you did not add the trusted zones below yourself, tick them as well.
    O15 - Trusted Zone: http://click.getmirar.com (HKLM)
    O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
    O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
    O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
    Also tick the following lines:
    O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
    O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
    O18 - Filter hijack: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - C:\Program Files\RXToolBar\sfcont.dll

    Close all open windows except HijackThis and click Fix checked.

    5. Delete the following folders:
    C:\Program Files\MyWebSearch
    C:\Program Files\RXToolBar
    C:\WINDOWS\system32\SearchTool
    C:\WINDOWS\system32\P2P Networking
    C:\Program Files\Cpodduz
    C:\Program Files\WebRebates4
    C:\Program Files\SurfAccuracy
    c:\program files\180searchassistant
    C:\Program Files\Media Gateway
    C:\Program Files\ISTsvc
    C:\Program Files\Internet Optimizer
    C:\Program Files\BullsEye Network
    C:\Program Files\Kazaa
    C:\WINDOWS\kdx
    C:\Program Files\Save
    C:\Program Files\WinAble

    6. Delete the following files:
    C:\WINDOWS\system32\ofkgaf.exe
    C:\WINDOWS\system32\k2loagpv.exe
    C:\WINDOWS\system32\br_rt.dll
    C:\WINDOWS\LBTWiz.exe
    C:\WINDOWS\mrofinu1148.exe

    7. Empty your Temp folders (note: empty the folders, do not delete them!):

    C:\Windows\Temp
    C:\Documents and Settings\hp_Eigenaar\Local Settings\Temp
    C:\Documents and Settings\hp_Eigenaar\Local Settings\Temporary Internet Files
    C:\Documents and Settings\hp_Eigenaar\Local Settings\Temporary Internet Files\content.ie5

    If the last folder isn't shown, go to the Temporary Internet Files folder, type \content.ie5 after the path in the address bar and press Enter.

    8. Empty your Recycle Bin!

    9. Restart your PC in normal mode.

    10. Download Combofix to your Desktop.
    - Double-click Combofix.exe
    - Follow the instructions; accept the disclaimer by typing "1" and confirming with "Enter".
    - While the fix is running, do NOT click in the window, because that will make your PC hang.

    When the fix is finished and after the restart, the log combofix.txt will open.
    Post that log in your next reply together with a new HijackThis log.

    Note: if your virus scanner reacts while downloading or running Combofix, you can ignore that.


    Best of luck!

    Pim :)
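
As an added example (not code from HijackThis, ComboFix or the original post), a small Python triage script for the log format shown above: it parses the one-entry-per-line sections listed in step 4 and flags the structural signals the helper used to pick lines, such as orphaned CLSIDs, trusted-zone additions, the text/html filter hijack, a DPF control with no URL, and Run entries that start a binary from C:\WINDOWS or a Temp folder. The flagging rules and the KNOWN_BUNDLES list are assumptions chosen for this example, not HijackThis's own logic.

```python
"""Triage helper for HijackThis 2.x log entries.

Added example for this thread; not part of HijackThis, ComboFix or the post
above. The rules below are heuristics chosen for this example: they catch the
structural signals the helper acted on, and a clean result does not mean a
clean machine.
"""
import re

# "R3 - ..." / "O4 - ..." : section tag, then the entry body.
ENTRY_RE = re.compile(r"^(?P<sec>R[0-3]|O\d{1,2}) - (?P<body>.*)$")
# O4 body: [key name] "C:\path\to\file.exe" optional arguments
RUN_RE = re.compile(
    r'\[(?P<key>[^\]]+)\]\s*"?(?P<path>[A-Za-z]:\\[^"]*?\.(?:exe|dll))"?(?P<args>.*)$',
    re.I,
)
HEX_ARG_RE = re.compile(r"\b[0-9A-F]{32,}\b")

# Product names taken from step 1 (Add or Remove Programs) of the post above.
KNOWN_BUNDLES = (
    "mywebsearch", "p2p networking", "webrebates", "surfaccuracy",
    "180searchassistant", "media gateway", "istsvc", "internet optimizer",
    "whenusave", "winable", "kazaa", "rxtoolbar",
)


def flag_entry(sec, body):
    """Return the reasons (possibly none) why one log entry deserves a look."""
    flags = []
    low = body.lower()
    if sec in ("R3", "O2", "O3") and ("(no file)" in low or "(file missing)" in low):
        flags.append("orphaned CLSID: hook/BHO/toolbar registered but its file is gone")
    if sec == "O15":
        flags.append("site added to the IE Trusted Zone")
    if sec == "O18" and low.startswith("filter hijack"):
        flags.append("MIME filter hijack: this DLL sees every text/html page")
    if sec == "O16" and body.rstrip().endswith("-"):
        flags.append("ActiveX (DPF) control with no recorded download URL")
    if any(name in low for name in KNOWN_BUNDLES):
        flags.append("names a product from the uninstall list")
    if sec == "O4":
        m = RUN_RE.search(body)
        if m:
            key, path, args = m["key"], m["path"], m["args"]
            folder = path.rsplit("\\", 1)[0].lower()
            if folder == "c:\\windows":
                flags.append("Run entry starts a binary directly under C:\\WINDOWS")
            if "\\temp\\" in path.lower():
                flags.append("Run entry starts a binary from a Temp folder")
            if len(key) >= 8 and not re.search(r"[aeiouy]", key, re.I):
                flags.append(f"vowel-less Run key name '{key}' (random-looking)")
            if HEX_ARG_RE.search(args):
                flags.append("long opaque hex argument passed to the binary")
    return flags


def triage(log_text):
    """Parse a whole log; return [(section, body, flags)] for flagged entries only."""
    hits = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # header, process list, blank line
        flags = flag_entry(m["sec"], m["body"])
        if flags:
            hits.append((m["sec"], m["body"], flags))
    return hits


# Ten entries copied from the first HijackThis log in this thread.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - _{00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RXResultTracker Class - {59879FA4-4790-461c-A1CC-4EC4DE4CA483} - C:\Program Files\RXToolBar\sfcont.dll (file missing)
O4 - HKLM\..\Run: [mbjvqdkxsct] C:\WINDOWS\system32\ofkgaf.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1148.exe 61A847B5BBF72813339F30466188719AB689201522886B092CBD44BD8689220221DD3257
O4 - HKCU\..\Run: [MSNCleaner] C:\DOCUME~1\sigrid\LOCALS~1\Temp\Rar$EX00.031\MSNCleaner.exe
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O18 - Filter hijack: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - C:\Program Files\RXToolBar\sfcont.dll
"""

if __name__ == "__main__":
    for sec, body, flags in triage(SAMPLE_LOG):
        print(f"{sec}: {body}")
        for reason in flags:
            print(f"    -> {reason}")
```

Entries that carry a legitimate-looking name and an existing file (the MyWebSearch BHOs, for instance) are only caught through the KNOWN_BUNDLES list, so a human reviewer is still needed for the rest.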


  • Thanks in advance!

    ComboFix 07-11-02.3 - sigrid 2007-11-02 19:30:53.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.31.1043.18.119 [GMT 1:00]
    Gestart vanuit: C:\Documents and Settings\sigrid\Bureaublad\ComboFix.exe
    * Nieuw herstelpunt werd aangemaakt
    .

    (((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\sanders\Menu Start\Programma's\Outerinfo
    C:\Documents and Settings\sanders\Menu Start\Programma's\Outerinfo\Terms.lnk
    C:\Documents and Settings\sanders\Menu Start\Programma's\Outerinfo\Uninstall.lnk
    C:\Program Files\Common Files\Yazzle1122OinAdmin.exe
    C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe
    C:\Program Files\FunWebProducts
    C:\Program Files\FunWebProducts\Shared\000F5EE0.dat
    C:\Program Files\FunWebProducts\Shared\00FED8F7.dat
    C:\Program Files\inetget2
    C:\Program Files\outerinfo
    C:\Program Files\outerinfo\OiUninstaller.exe
    C:\Program Files\outerinfo\outerinfo.ico
    C:\Program Files\outerinfo\Terms.rtf
    C:\Program Files\SideFind
    C:\Program Files\SideFind\sfexd001
    C:\Program Files\Temporary
    C:\Program Files\Temporary\wininstall.exe
    C:\WINDOWS\b128.exe
    C:\WINDOWS\crosof~1.net
    C:\WINDOWS\crosof~1.net\dvdplay.exe
    C:\WINDOWS\crosof~1.net\s?stem32\
    C:\WINDOWS\system32\instsrv.exe
    C:\WINDOWS\system32\scurit~1
    C:\WINDOWS\system32\scurit~1\w?nspool.exe
    C:\WINDOWS\system32\wnstssv32.exe

    .
    (((((((((((((((((((( Bestanden Gemaakt van 2007-10-02 to 2007-11-02 ))))))))))))))))))))))))))))))
    .

    2007-11-02 19:28 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2007-11-02 17:58 262,144 --a------ C:\Program Files\Uninstall My Web Search.dll
    2007-11-02 15:45 5 --a------ C:\NPF_USER.DAT
    2007-11-02 14:45 <DIR> d-------- C:\Program Files\Kruidvat
    2007-11-02 13:57 <DIR> d-------- C:\Documents and Settings\sigrid\Application Data\U3
    2007-11-02 13:19 <DIR> d-------- C:\Program Files\MsnCleaner
    2007-11-02 13:15 <DIR> d-------- C:\Program Files\BendeBoy
    2007-11-02 12:57 <DIR> d-------- C:\Program Files\Trend Micro
    2007-11-02 01:26 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
    2007-11-02 01:26 31,616 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
    2007-11-02 01:25 <DIR> d-------- C:\Documents and Settings\Gast.SANDERS-8DD8932\Application Data\U3
    2007-10-30 10:48 45,056 --a------ C:\WINDOWS\system32\ftp.exe
    2007-10-30 10:48 45,056 --a--c--- C:\WINDOWS\system32\dllcache\ftp.exe
    2007-10-30 10:48 17,408 --a------ C:\WINDOWS\system32\tftp.exe
    2007-10-30 10:48 17,408 --a--c--- C:\WINDOWS\system32\dllcache\tftp.exe
    2007-10-09 17:29 <DIR> d-------- C:\Program Files\Kruidvat - Fotoservice
    2007-10-05 21:21 <DIR> d-------- C:\Documents and Settings\sanders\Application Data\Harry Potter Time-Turner

    .
    ((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-11-02 18:26 --------- d-----w C:\Program Files\Harry Potter Time-Turner
    2007-11-02 18:26 --------- d-----w C:\Documents and Settings\sigrid\Application Data\Harry Potter Time-Turner
    2007-11-01 08:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\NPF
    2007-10-31 17:28 --------- d-----w C:\Program Files\Q-Xpress Installer
    2007-10-29 15:44 --------- d-----w C:\Documents and Settings\sigrid\Application Data\Canon
    2007-10-26 19:19 --------- d-----w C:\Documents and Settings\sanders\Application Data\Canon
    2007-09-18 19:01 --------- d-----w C:\Program Files\Google
    2007-08-21 06:18 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
    2007-01-08 13:47 49 ----a-w C:\Documents and Settings\sanders\Application Data\internaldb41.dat
    2007-01-08 13:47 382 ----a-w C:\Documents and Settings\sanders\Application Data\internaldb1942.dat
    2007-01-06 17:17 379 ----a-w C:\Documents and Settings\sigrid\Application Data\internaldb1942.dat
    2007-01-05 11:30 20,480 ----a-w C:\Documents and Settings\sanders\Application Data\internaldb4827.dat
    2007-01-02 10:39 20,480 ----a-w C:\Documents and Settings\sigrid\Application Data\internaldb8082.dat
    2007-01-02 10:39 151 ----a-w C:\Documents and Settings\sigrid\Application Data\internaldb9467.dat
    2007-01-02 10:39 13,046 ----a-w C:\Documents and Settings\sigrid\Application Data\internaldb8051.dat
    2006-12-22 15:24 6,144 ----a-w C:\Documents and Settings\sigrid\Application Data\internaldb8206.dat
    2006-12-22 15:23 0 ----a-w C:\Documents and Settings\sigrid\Application Data\internaldb628.dat
    2006-12-19 10:06 9,216 ----a-w C:\Documents and Settings\sanders\Application Data\internaldb8467.dat
    2006-12-19 10:06 0 ----a-w C:\Documents and Settings\sanders\Application Data\internaldb6334.dat
    2006-12-19 10:06 0 ----a-w C:\Documents and Settings\sanders\Application Data\internaldb5436.dat
    1999-07-07 00:00:00 6 --sh--r C:\WINDOWS\@desktop@.dat
    .

    ((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
    "{25D8BACF-3DE2-4B48-AE22-D659B8D835B0}"= C:\Program Files\RXToolBar\RXToolBar.dll [ ]
    "{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}"= C:\WINDOWS\system32\WinNB58.dll [ ]

    [HKEY_CLASSES_ROOT\CLSID\{25D8BACF-3DE2-4B48-AE22-D659B8D835B0}]
    [HKEY_CLASSES_ROOT\RXToolBar.TBInfo.1]
    [HKEY_CLASSES_ROOT\TypeLib\{66B20295-DC57-42B6-ACDF-52D916E86464}]
    [HKEY_CLASSES_ROOT\RXToolBar.TBInfo]

    [HKEY_CLASSES_ROOT\CLSID\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}]
    [HKEY_CLASSES_ROOT\TypeLib\{566DEDE9-9ED8-45DA-9BE6-9B2EEAB17F49}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe" [2002-03-18 13:27]
    "Smapp"="C:\Program Files\Analog Devices\SoundMAX\SMTray.exe" [2002-10-11 17:26]
    "DrvLsnr"="C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe" [2003-05-08 12:34]
    "OpwareSE2"="C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 12:00]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe" [2004-12-06 21:31]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 18:58]
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-04-01 15:16]
    "NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-03-25 10:05]
    "Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" []
    "nwiz"="nwiz.exe" [2005-04-01 15:16 C:\WINDOWS\system32\nwiz.exe]
    "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-04-01 15:16]
    "Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-08-11 09:34]
    "CloneCDTray"="C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" [2005-05-19 14:47]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 09:36]
    "TomTomHOME.exe"="C:\Program Files\TomTom HOME\TomTomHOME.exe" [2006-10-30 14:34]
    "Norman ZANDA"="C:\Norman\bin\ZLH.exe" [2006-05-31 11:22]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:03]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 17:24]
    "Harry Potter Time-Turner"="C:\Program Files\Harry Potter Time-Turner\Harry Potter Time-Turner.exe" [2004-11-11 21:15]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe" []

    C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\
    Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-23 14:28:51]
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26]
    NPF Messenger.lnk - C:\Program Files\Norman\NPF\NPFMSG.EXE [2007-01-08 14:42:28]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\<°ÜZJÝYMÝlY«Q°aÆ+À¼C:]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\<°ÜZJÝYMÝlY«Q°aÆ+À¼C:\Program Files]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\<°ÜZJÝYMÝlY«Q°aÆ+À¼C:\Program Files\ISTsvc]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\<°ÜZJÝYMÝlY«Q°aÆ+À¼C:\Program Files\ISTsvc\istsvc.exe]
    C:\WINDOWS\sxtkl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\<°ÜZJÝYMÝlY«Q°aüžõgFC:]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\<°ÜZJÝYMÝlY«Q°aüžõgFC:\Program Files]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\<°ÜZJÝYMÝlY«Q°aüžõgFC:\Program Files\ISTsvc]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\<°ÜZJÝYMÝlY«Q°aüžõgFC:\Program Files\ISTsvc\istsvc.exe]
    C:\WINDOWS\sxtkl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\<°ÜZJÝYMÝlY«Q°aüžõñ
    C:]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\<°ÜZJÝYMÝlY«Q°aüžõñ
    C:\Program Files]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\<°ÜZJÝYMÝlY«Q°aüžõñ
    C:\Program Files\ISTsvc]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\<°ÜZJÝYMÝlY«Q°aüžõñ
    C:\Program Files\ISTsvc\istsvc.exe]
    C:\WINDOWS\sxtkl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á³# L"h'þ9Óœð3rÅWC:]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á³# L"h'þ9Óœð3rÅWC:\Program Files]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á³# L"h'þ9Óœð3rÅWC:\Program Files\ISTsvc]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á³# L"h'þ9Óœð3rÅWC:\Program Files\ISTsvc\istsvc.exe]
    C:\WINDOWS\sxtkl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "ZESOFT"=2 (0x2)
    "SAVScan"=3 (0x3)
    "ISEXEng"=2 (0x2)
    "iPodService"=3 (0x3)

    R0 NDIS_RD;Firewall Engine Type-R2;C:\WINDOWS\system32\drivers\NDIS_RD.sys
    R1 TDI_RD;Firewall Engine Type-R;\??\C:\WINDOWS\system32\drivers\tdi_rd.sys
    R2 Ndiskio;Ndiskio;\??\C:\Norman\Nse\bin\NDISKIO.SYS
    R3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys
    S3 nvcfsr;nvcfsr;\??\C:\Norman\Nvc\bin\nvcfsr.sys
    S3 nvcoafl51;nvcoafl51;\??\C:\Norman\Nvc\bin\nvcoafl51.sys
    S3 nvcoaft51;nvcoaft51;\??\C:\Norman\Nvc\bin\nvcoaft51.sys
    S3 nvcoarc51;nvcoarc51;\??\C:\Norman\Nvc\bin\nvcoarc51.sys
    S3 nvcoas;Norman Virus Control on-access component;C:\Norman\Nvc\bin\nvcoas.exe
    S3 NVCScheduler;Norman Virus Control Scheduler;C:\Norman\Nvc\BIN\NVCSCHED.EXE

    *Newly Created Service* - CATCHME
    .
    Contents of the 'Scheduled Tasks' folder
    "2007-10-27 16:23:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
    .
    **************************************************************************

    catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-11-02 19:35:27
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    **************************************************************************
    .
    Completion time: 2007-11-02 19:36:44
    .
    --- E O F ---




    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 19:51:48, on 2-11-2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\mqsvc.exe
    C:\WINDOWS\system32\mqtgsvc.exe
    C:\WINDOWS\system32\WgaTray.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
    C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
    C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
    C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
    C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\TomTom HOME\TomTomHOME.exe
    C:\Norman\bin\ZLH.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Norman\NPF\npfmsg.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.be/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.google.be/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
    O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
    O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
    O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME\TomTomHOME.exe" -s
    O4 - HKLM\..\Run: [Norman ZANDA] C:\Norman\bin\ZLH.EXE /LOAD /SPLASH
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Harry Potter Time-Turner] C:\Program Files\Harry Potter Time-Turner\Harry Potter Time-Turner.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: NPF Messenger.lnk = ?
    O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: iWatchNow Media Center - {750A64D8-DFAA-485B-A335-F7093333FBB7} - C:\Program Files\iWatchNow, Inc.\iWatchNow Media Center\iwnvod.exe
    O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: PICgrabber - {4964E240-D53C-11D5-BDA9-444553540000} - C:\Program Files\PICgrabber\PICGRABBER.EXE (HKCU)
    O9 - Extra 'Tools' menuitem: PICgrabber - Movie&Image Search/Download Software - {4964E240-D53C-11D5-BDA9-444553540000} - C:\Program Files\PICgrabber\PICGRABBER.EXE (HKCU)
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by134w.bay134.mail.live.com/mail/resources/MsnPUpld.cab
    O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://sigridsanders.spaces.live.com/PhotoUpload/MsnPUpld.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
    O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
    O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\Norman\Nvc\BIN\nipsvc.exe
    O23 - Service: Norman NJeeves - Unknown owner - C:\Norman\bin\NJEEVES.EXE
    O23 - Service: Norman Type-R - Unknown owner - C:\Program Files\Norman\NPF\NPFSVICE.EXE
    O23 - Service: Norman ZANDA - Unknown owner - C:\Norman\Bin\Zanda.exe
    O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Norman\Nvc\bin\nvcoas.exe
    O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman Data Defense Systems - C:\Norman\Nvc\BIN\NVCSCHED.EXE
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe


    End of file - 7495 bytes











  • Open Notepad, copy and paste the following (bold text) into an empty window:
    [b:6bc57ffeec]
    File::
    C:\Program Files\Uninstall My Web Search.dll
    C:\Documents and Settings\sanders\Application Data\internaldb41.dat
    C:\Documents and Settings\sanders\Application Data\internaldb1942.dat
    C:\Documents and Settings\sigrid\Application Data\internaldb1942.dat
    C:\Documents and Settings\sanders\Application Data\internaldb4827.dat
    C:\Documents and Settings\sigrid\Application Data\internaldb8082.dat
    C:\Documents and Settings\sigrid\Application Data\internaldb9467.dat
    C:\Documents and Settings\sigrid\Application Data\internaldb8051.dat
    C:\Documents and Settings\sigrid\Application Data\internaldb8206.dat
    C:\Documents and Settings\sigrid\Application Data\internaldb628.dat
    C:\Documents and Settings\sanders\Application Data\internaldb8467.dat
    C:\Documents and Settings\sanders\Application Data\internaldb6334.dat
    C:\Documents and Settings\sanders\Application Data\internaldb5436.dat
    C:\WINDOWS\@desktop@.dat
    C:\WINDOWS\sxtkl.exe

    Registry::
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
    "{25D8BACF-3DE2-4B48-AE22-D659B8D835B0}"=-
    "{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}"=-
    [-HKEY_CLASSES_ROOT\CLSID\{25D8BACF-3DE2-4B48-AE22-D659B8D835B0}]
    [-HKEY_CLASSES_ROOT\RXToolBar.TBInfo.1]
    [-HKEY_CLASSES_ROOT\TypeLib\{66B20295-DC57-42B6-ACDF-52D916E86464}]
    [-HKEY_CLASSES_ROOT\RXToolBar.TBInfo]
    [-HKEY_CLASSES_ROOT\CLSID\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}]
    [-HKEY_CLASSES_ROOT\TypeLib\{566DEDE9-9ED8-45DA-9BE6-9B2EEAB17F49}]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\<°ÜZJÝYMÝlY«Q°aÆ+À¼C:]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\<°ÜZJÝYMÝlY«Q°aÆ+À¼C:\Program Files]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\<°ÜZJÝYMÝlY«Q°aÆ+À¼C:\Program Files\ISTsvc]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\<°ÜZJÝYMÝlY«Q°aÆ+À¼C:\Program Files\ISTsvc\istsvc.exe]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\<°ÜZJÝYMÝlY«Q°aüžõgFC:]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\<°ÜZJÝYMÝlY«Q°aüžõgFC:\Program Files]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\<°ÜZJÝYMÝlY«Q°aüžõgFC:\Program Files\ISTsvc]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\<°ÜZJÝYMÝlY«Q°aüžõgFC:\Program Files\ISTsvc\istsvc.exe]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\<°ÜZJÝYMÝlY«Q°aüžõñC:]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\<°ÜZJÝYMÝlY«Q°aüžõñC:\Program Files]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\<°ÜZJÝYMÝlY«Q°aüžõñC:\Program Files\ISTsvc]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\<°ÜZJÝYMÝlY«Q°aüžõñC:\Program Files\ISTsvc\istsvc.exe]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á³# L"h'þ9Óœð3rÅWC:]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á³# L"h'þ9Óœð3rÅWC:\Program Files]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á³# L"h'þ9Óœð3rÅWC:\Program Files\ISTsvc]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á³# L"h'þ9Óœð3rÅWC:\Program Files\ISTsvc\istsvc.exe]

    Folder::
    C:\Program Files\MsnCleaner
    [/b:6bc57ffeec]
    Save this to your Desktop as [b:6bc57ffeec]CFScript.txt[/b:6bc57ffeec]

    Drag [b:6bc57ffeec]CFScript.txt[/b:6bc57ffeec] onto [b:6bc57ffeec]ComboFix.exe[/b:6bc57ffeec] as shown in the example below:

    [img:6bc57ffeec]http://img.photobucket.com/albums/v666/sUBs/CFScript.gif[/img:6bc57ffeec]

    This will make [b:6bc57ffeec]ComboFix[/b:6bc57ffeec] restart.
    Reboot if you are asked to,
    and post the contents of [b:6bc57ffeec]Combofix.txt[/b:6bc57ffeec] in your next reply together with a new HijackThis log.

    Good luck!

    Pim :)
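An added example, not code from Pim's post or from ComboFix: a small Python linter for a CFScript.txt of the kind shown above. It parses the three directive sections the script uses (File::, Folder::, Registry::) and flags what makes such a script fail quietly: a Registry:: line that is neither a `[key]` nor a `"value"=` line, a `[key` with no closing bracket (the key name spans a line break, which is how the `üžõñ` startupreg entries appear in the ComboFix logs), and key names containing characters outside printable ASCII, which rarely survive copy-and-paste intact. The second ComboFix log in this thread still lists exactly those two kinds of startupreg keys after the first script ran. The sample script below is constructed for the example; the one junk-named key in it is copied from the log above, and `<junk-bytes>` stands for a key name that includes a line break.

```python
"""Lint a ComboFix CFScript.txt before dragging it onto ComboFix.exe.

Added example; not code from the thread or from ComboFix. Handles the three
directives used in the posts above (File::, Folder::, Registry::). The
Registry:: section follows .reg syntax: [KEY] selects a key, [-KEY] deletes
it, "name"=- deletes a value under the selected key.
"""
import re
from collections import Counter

SECTION_RE = re.compile(r"^([A-Za-z]+)::\s*$")
KEY_RE = re.compile(r"^\[(-?)([^\]]*)\]$")
VALUE_RE = re.compile(r'^"([^"]*)"=(.*)$')
WIN_PATH_RE = re.compile(r"^[A-Za-z]:\\")
KNOWN_SECTIONS = {"file", "folder", "registry"}


def parse_cfscript(text):
    """Split a CFScript into {section: [non-blank lines]}, keeping section order.

    Lines before the first 'Name::' header land in '_preamble'."""
    sections = {}
    current = "_preamble"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).lower()
            sections.setdefault(current, [])
            continue
        sections.setdefault(current, []).append(line)
    return sections


def non_ascii_chars(s):
    """Characters outside printable ASCII (0x20..0x7E)."""
    return [c for c in s if not 0x20 <= ord(c) <= 0x7E]


def lint_registry_line(line):
    """Return (severity, message) for one Registry:: line, or None if it looks fine."""
    if line.startswith("[") and not line.endswith("]"):
        return ("error", "unterminated [key]: the key name spans a line break, "
                         "which a pasted script cannot reproduce reliably")
    m = KEY_RE.match(line)
    if m:
        bad = non_ascii_chars(m.group(2))
        if bad:
            return ("warn", f"key name contains {len(bad)} non-ASCII/control characters; "
                            "it may not match the key on disk after copy-paste")
        return None
    if VALUE_RE.match(line):
        return None
    return ("error", 'not a [key] or "value"= line; it does not belong in Registry::')


def lint_cfscript(text):
    """Return a list of (severity, section, line, message) findings."""
    findings = []
    for section, lines in parse_cfscript(text).items():
        if section == "_preamble":
            findings += [("error", section, l, "text before the first Section:: header") for l in lines]
            continue
        if section not in KNOWN_SECTIONS:
            findings.append(("warn", section, "", "directive not handled by this linter"))
            continue
        for line, count in Counter(lines).items():
            if count > 1:
                findings.append(("warn", section, line, "duplicate entry"))
        for line in lines:
            if section in ("file", "folder"):
                if not WIN_PATH_RE.match(line):
                    findings.append(("error", section, line, "expected an absolute drive path"))
            else:
                result = lint_registry_line(line)
                if result:
                    findings.append((result[0], section, line, result[1]))
    return findings


def summarize(findings):
    """Count findings per severity."""
    return dict(Counter(sev for sev, _, _, _ in findings))


# Constructed sample modelled on the scripts in this thread (not the posted text verbatim);
# the one junk-named key is copied from the ComboFix log, <junk-bytes> stands for a key
# name whose bytes include a line break.
SAMPLE = r'''
File::
C:\WINDOWS\sxtkl.exe
C:\WINDOWS\@desktop@.dat

Registry::
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{25D8BACF-3DE2-4B48-AE22-D659B8D835B0}"=-
[-HKEY_CLASSES_ROOT\RXToolBar.TBInfo]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\<°ÜZJÝYMÝlY«Q°aÆ+À¼C:]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\<junk-bytes>
C:\Program Files\ISTsvc\istsvc.exe]
C:\WINDOWS\sxtkl.exe

Folder::
C:\Program Files\ISTsvc
Program Files\MsnCleaner
'''

if __name__ == "__main__":
    for sev, section, line, msg in lint_cfscript(SAMPLE):
        print(f"{sev:5} {section:8} {msg}  <- {line}")
```

Run it on the real CFScript.txt instead of `SAMPLE` before dragging the file onto ComboFix.exe; an unterminated `[key` or a non-ASCII key name is a sign that the key will still be there in the next log, as happened in this thread.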
  • Thank you! :wink:

    ComboFix 07-11-02.3 - sigrid 2007-11-04 11:11:46.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1043.18.119 [GMT 1:00]
    Running from: C:\Documents and Settings\sigrid\Bureaublad\ComboFix.exe
    Command switches used :: C:\Documents and Settings\sigrid\Bureaublad\CFScript.txt
    * New restore point was created

    FILE::
    C:\Documents and Settings\sanders\Application Data\internaldb1942.dat
    C:\Documents and Settings\sanders\Application Data\internaldb41.dat
    C:\Documents and Settings\sanders\Application Data\internaldb4827.dat
    C:\Documents and Settings\sanders\Application Data\internaldb5436.dat
    C:\Documents and Settings\sanders\Application Data\internaldb6334.dat
    C:\Documents and Settings\sanders\Application Data\internaldb8467.dat
    C:\Documents and Settings\sigrid\Application Data\internaldb1942.dat
    C:\Documents and Settings\sigrid\Application Data\internaldb628.dat
    C:\Documents and Settings\sigrid\Application Data\internaldb8051.dat
    C:\Documents and Settings\sigrid\Application Data\internaldb8082.dat
    C:\Documents and Settings\sigrid\Application Data\internaldb8206.dat
    C:\Documents and Settings\sigrid\Application Data\internaldb9467.dat
    C:\Program Files\Uninstall My Web Search.dll
    C:\WINDOWS\@desktop@.dat
    C:\WINDOWS\sxtkl.exe
    .

    (((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\sanders\Application Data\internaldb1942.dat
    C:\Documents and Settings\sanders\Application Data\internaldb41.dat
    C:\Documents and Settings\sanders\Application Data\internaldb4827.dat
    C:\Documents and Settings\sanders\Application Data\internaldb5436.dat
    C:\Documents and Settings\sanders\Application Data\internaldb6334.dat
    C:\Documents and Settings\sanders\Application Data\internaldb8467.dat
    C:\Documents and Settings\sigrid\Application Data\internaldb1942.dat
    C:\Documents and Settings\sigrid\Application Data\internaldb628.dat
    C:\Documents and Settings\sigrid\Application Data\internaldb8051.dat
    C:\Documents and Settings\sigrid\Application Data\internaldb8082.dat
    C:\Documents and Settings\sigrid\Application Data\internaldb8206.dat
    C:\Documents and Settings\sigrid\Application Data\internaldb9467.dat
    C:\Program Files\MsnCleaner
    C:\Program Files\MsnCleaner\BackUpMSNCleaner\carlton.vir
    C:\Program Files\MsnCleaner\BackUpMSNCleaner\k3d3t4t8n7l.exe.vir
    C:\Program Files\MsnCleaner\BackUpMSNCleaner\LBTWiz.exe.vir
    C:\Program Files\MsnCleaner\BackUpMSNCleaner\Nokia_19_jpg.zip.vir
    C:\Program Files\MsnCleaner\MSNCleaner.txt
    C:\WINDOWS\@desktop@.dat

    .
    (((((((((((((((((((( Files Created from 2007-10-04 to 2007-11-04 ))))))))))))))))))))))))))))))
    .

    2007-11-02 19:28 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2007-11-02 15:45 5 --a------ C:\NPF_USER.DAT
    2007-11-02 14:45 <DIR> d-------- C:\Program Files\Kruidvat
    2007-11-02 13:57 <DIR> d-------- C:\Documents and Settings\sigrid\Application Data\U3
    2007-11-02 13:15 <DIR> d-------- C:\Program Files\BendeBoy
    2007-11-02 12:57 <DIR> d-------- C:\Program Files\Trend Micro
    2007-11-02 01:26 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
    2007-11-02 01:26 31,616 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
    2007-11-02 01:25 <DIR> d-------- C:\Documents and Settings\Gast.SANDERS-8DD8932\Application Data\U3
    2007-10-30 10:48 45,056 --a------ C:\WINDOWS\system32\ftp.exe
    2007-10-30 10:48 45,056 --a--c--- C:\WINDOWS\system32\dllcache\ftp.exe
    2007-10-30 10:48 17,408 --a------ C:\WINDOWS\system32\tftp.exe
    2007-10-30 10:48 17,408 --a--c--- C:\WINDOWS\system32\dllcache\tftp.exe
    2007-10-09 17:29 <DIR> d-------- C:\Program Files\Kruidvat - Fotoservice
    2007-10-05 21:21 <DIR> d-------- C:\Documents and Settings\sanders\Application Data\Harry Potter Time-Turner

    .
    ((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-11-04 09:02 --------- d-----w C:\Program Files\Harry Potter Time-Turner
    2007-11-04 09:02 --------- d-----w C:\Documents and Settings\sigrid\Application Data\Harry Potter Time-Turner
    2007-11-01 08:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\NPF
    2007-10-31 17:28 --------- d-----w C:\Program Files\Q-Xpress Installer
    2007-10-29 15:44 --------- d-----w C:\Documents and Settings\sigrid\Application Data\Canon
    2007-10-26 19:19 --------- d-----w C:\Documents and Settings\sanders\Application Data\Canon
    2007-09-18 19:01 --------- d-----w C:\Program Files\Google
    2007-08-21 06:18 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe" [2002-03-18 13:27]
    "Smapp"="C:\Program Files\Analog Devices\SoundMAX\SMTray.exe" [2002-10-11 17:26]
    "DrvLsnr"="C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe" [2003-05-08 12:34]
    "OpwareSE2"="C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 12:00]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe" [2004-12-06 21:31]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 18:58]
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-04-01 15:16]
    "NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-03-25 10:05]
    "Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" []
    "nwiz"="nwiz.exe" [2005-04-01 15:16 C:\WINDOWS\system32\nwiz.exe]
    "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-04-01 15:16]
    "Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-08-11 09:34]
    "CloneCDTray"="C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" [2005-05-19 14:47]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 09:36]
    "TomTomHOME.exe"="C:\Program Files\TomTom HOME\TomTomHOME.exe" [2006-10-30 14:34]
    "Norman ZANDA"="C:\Norman\bin\ZLH.exe" [2006-05-31 11:22]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:03]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 17:24]
    "Harry Potter Time-Turner"="C:\Program Files\Harry Potter Time-Turner\Harry Potter Time-Turner.exe" [2004-11-11 21:15]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe" []

    C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\
    Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-23 14:28:51]
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26]
    NPF Messenger.lnk - C:\Program Files\Norman\NPF\NPFMSG.EXE [2007-01-08 14:42:28]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\<°ÜZJÝYMÝlY«Q°aüžõñ
    C:]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\<°ÜZJÝYMÝlY«Q°aüžõñ
    C:\Program Files]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\<°ÜZJÝYMÝlY«Q°aüžõñ
    C:\Program Files\ISTsvc]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\<°ÜZJÝYMÝlY«Q°aüžõñ
    C:\Program Files\ISTsvc\istsvc.exe]
    C:\WINDOWS\sxtkl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á³# L"h'þ9Óœð3rÅWC:]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á³# L"h'þ9Óœð3rÅWC:\Program Files]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á³# L"h'þ9Óœð3rÅWC:\Program Files\ISTsvc]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á³# L"h'þ9Óœð3rÅWC:\Program Files\ISTsvc\istsvc.exe]
    C:\WINDOWS\sxtkl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "ZESOFT"=2 (0x2)
    "SAVScan"=3 (0x3)
    "ISEXEng"=2 (0x2)
    "iPodService"=3 (0x3)

    R0 NDIS_RD;Firewall Engine Type-R2;C:\WINDOWS\system32\drivers\NDIS_RD.sys
    R1 TDI_RD;Firewall Engine Type-R;\??\C:\WINDOWS\system32\drivers\tdi_rd.sys
    R2 Ndiskio;Ndiskio;\??\C:\Norman\Nse\bin\NDISKIO.SYS
    R3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys
    S3 nvcfsr;nvcfsr;\??\C:\Norman\Nvc\bin\nvcfsr.sys
    S3 nvcoafl51;nvcoafl51;\??\C:\Norman\Nvc\bin\nvcoafl51.sys
    S3 nvcoaft51;nvcoaft51;\??\C:\Norman\Nvc\bin\nvcoaft51.sys
    S3 nvcoarc51;nvcoarc51;\??\C:\Norman\Nvc\bin\nvcoarc51.sys
    S3 nvcoas;Norman Virus Control on-access component;C:\Norman\Nvc\bin\nvcoas.exe
    S3 NVCScheduler;Norman Virus Control Scheduler;C:\Norman\Nvc\BIN\NVCSCHED.EXE

    .
    Contents of the 'Scheduled Tasks' folder
    "2007-10-27 16:23:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
    .
    **************************************************************************

    catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-11-04 11:15:48
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    **************************************************************************
    .
    Completion time: 2007-11-04 11:17:07
    C:\ComboFix2.txt ... 2007-11-02 19:36
    .
    --- E O F ---



    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:19:46, on 4-11-2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
    C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
    C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
    C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
    C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\TomTom HOME\TomTomHOME.exe
    C:\Norman\bin\ZLH.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\mqsvc.exe
    C:\WINDOWS\system32\mqtgsvc.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\WgaTray.exe
    C:\Program Files\Norman\NPF\npfmsg.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\MSN Messenger\usnsvc.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.be/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.google.be/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
    O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
    O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
    O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME\TomTomHOME.exe" -s
    O4 - HKLM\..\Run: [Norman ZANDA] C:\Norman\bin\ZLH.EXE /LOAD /SPLASH
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Harry Potter Time-Turner] C:\Program Files\Harry Potter Time-Turner\Harry Potter Time-Turner.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: NPF Messenger.lnk = ?
    O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: iWatchNow Media Center - {750A64D8-DFAA-485B-A335-F7093333FBB7} - C:\Program Files\iWatchNow, Inc.\iWatchNow Media Center\iwnvod.exe
    O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: PICgrabber - {4964E240-D53C-11D5-BDA9-444553540000} - C:\Program Files\PICgrabber\PICGRABBER.EXE (HKCU)
    O9 - Extra 'Tools' menuitem: PICgrabber - Movie&Image Search/Download Software - {4964E240-D53C-11D5-BDA9-444553540000} - C:\Program Files\PICgrabber\PICGRABBER.EXE (HKCU)
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by134w.bay134.mail.live.com/mail/resources/MsnPUpld.cab
    O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://sigridsanders.spaces.live.com/PhotoUpload/MsnPUpld.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
    O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
    O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\Norman\Nvc\BIN\nipsvc.exe
    O23 - Service: Norman NJeeves - Unknown owner - C:\Norman\bin\NJEEVES.EXE
    O23 - Service: Norman Type-R - Unknown owner - C:\Program Files\Norman\NPF\NPFSVICE.EXE
    O23 - Service: Norman ZANDA - Unknown owner - C:\Norman\Bin\Zanda.exe
    O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Norman\Nvc\bin\nvcoas.exe
    O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman Data Defense Systems - C:\Norman\Nvc\BIN\NVCSCHED.EXE
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe


    End of file - 7313 bytes
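The comparison a helper makes by eye between the HijackThis log in this post and the one posted two days earlier, as an added example that is not code from the thread or from HijackThis: it parses the 'Running processes:' block and the numbered entry lines (R0.., O4.., O23..) of two logs and reports which processes and entries appeared or disappeared. The two excerpts below are constructed in the same HijackThis 2.0.2 layout and are much shorter than the real logs; the '[Example Toolbar]' O4 entry is invented for the demonstration.

```python
"""Diff two HijackThis logs: which running processes and which numbered
entries (R0.., O4.., O23..) appeared or disappeared between them.

Added example; not code from the thread or from HijackThis. Assumes the
HijackThis 2.0.2 layout seen in this thread: a 'Running processes:' block
terminated by a blank line, then one entry per line such as
'O4 - HKLM\\..\\Run: [name] command'.
"""
import re

# R0-R3, F0-F3, N1-N4 and O1-O24 are the HijackThis section prefixes.
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.*)$")


def parse_hjt(text):
    """Return (processes, entries) as two sets.

    Process paths are lower-cased because Windows paths are case-insensitive
    and HijackThis prints System32/system32 inconsistently."""
    processes, entries = set(), set()
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False  # a blank line closes the process block
            continue
        if line.lower() == "running processes:":
            in_processes = True
            continue
        if in_processes:
            processes.add(line.lower())
        elif ENTRY_RE.match(line):
            entries.add(line)
    return processes, entries


def diff_hjt(before, after):
    """Set differences between two logs, sorted for stable output."""
    procs_before, entries_before = parse_hjt(before)
    procs_after, entries_after = parse_hjt(after)
    return {
        "processes_gone": sorted(procs_before - procs_after),
        "processes_new": sorted(procs_after - procs_before),
        "entries_gone": sorted(entries_before - entries_after),
        "entries_new": sorted(entries_after - entries_before),
    }


def entries_by_section(entries):
    """Group entry lines by their HijackThis section prefix (O4, O23, ...)."""
    grouped = {}
    for entry in entries:
        prefix = ENTRY_RE.match(entry).group(1)
        grouped.setdefault(prefix, []).append(entry)
    return grouped


# Constructed before/after excerpts in HijackThis 2.0.2 format (not the full logs
# from the thread); the '[Example Toolbar]' entry is invented for the demo.
BEFORE = r"""Logfile of Trend Micro HijackThis v2.0.2
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.be/
O4 - HKLM\..\Run: [Norman ZANDA] C:\Norman\bin\ZLH.EXE /LOAD /SPLASH
O4 - HKCU\..\Run: [Example Toolbar] C:\Program Files\Example\toolbar.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\Norman\bin\NJEEVES.EXE
"""

AFTER = r"""Logfile of Trend Micro HijackThis v2.0.2
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.be/
O4 - HKLM\..\Run: [Norman ZANDA] C:\Norman\bin\ZLH.EXE /LOAD /SPLASH
O23 - Service: Norman NJeeves - Unknown owner - C:\Norman\bin\NJEEVES.EXE
"""

if __name__ == "__main__":
    for key, values in diff_hjt(BEFORE, AFTER).items():
        print(key)
        for v in values:
            print("   ", v)
```

Feed it the two full logs from this thread and the process differences reduce to the user's own foreground programs (Firefox, Notepad, MSN Messenger), while the O4 and O23 entries are identical, which is what a helper reading the logs by eye would conclude.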











  • Open Notepad, copy and paste the following (bold text) into an empty window:
    [b:3d45edf7cb]
    Registry::
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\<°ÜZJÝYMÝlY«Q°aüžõñ
    C:]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\<°ÜZJÝYMÝlY«Q°aüžõñ
    C:\Program Files]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\<°ÜZJÝYMÝlY«Q°aüžõñ
    C:\Program Files\ISTsvc]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\<°ÜZJÝYMÝlY«Q°aüžõñ
    C:\Program Files\ISTsvc\istsvc.exe]
    C:\WINDOWS\sxtkl.exe
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á³# L"h'þ9Óœð3rÅWC:]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á³# L"h'þ9Óœð3rÅWC:\Program Files]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á³# L"h'þ9Óœð3rÅWC:\Program Files\ISTsvc]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á³# L"h'þ9Óœð3rÅWC:\Program Files\ISTsvc\istsvc.exe]

    Folder::
    C:\Program Files\ISTsvc

    File::
    C:\WINDOWS\sxtkl.exe
    [/b:3d45edf7cb]
    Save this to your Desktop as [b:3d45edf7cb]CFScript.txt[/b:3d45edf7cb]

    Drag [b:3d45edf7cb]CFScript.txt[/b:3d45edf7cb] onto [b:3d45edf7cb]ComboFix.exe[/b:3d45edf7cb] as shown in the example below:

    [img:3d45edf7cb]http://img.photobucket.com/albums/v666/sUBs/CFScript.gif[/img:3d45edf7cb]

    This will make [b:3d45edf7cb]ComboFix[/b:3d45edf7cb] start again.
    Reboot if you are asked to,
    and post the contents of [b:3d45edf7cb]Combofix.txt[/b:3d45edf7cb] in your next reply.

    Good luck!

    Pim :)
  • ComboFix 07-11-02.3 - sigrid 2007-11-04 19:47:19.3 - NTFSx86
    Running from: C:\Documents and Settings\sigrid\Bureaublad\ComboFix.exe
    Command switches used :: C:\Documents and Settings\sigrid\Bureaublad\CFScript.txt
    * Created a new restore point

    FILE::
    C:\WINDOWS\sxtkl.exe
    .

    (((((((((((((((((((( Files Created From 2007-10-04 to 2007-11-04 ))))))))))))))))))))))))))))))
    .

    2007-11-02 19:28 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2007-11-02 15:45 5 --a------ C:\NPF_USER.DAT
    2007-11-02 14:45 <DIR> d-------- C:\Program Files\Kruidvat
    2007-11-02 13:57 <DIR> d-------- C:\Documents and Settings\sigrid\Application Data\U3
    2007-11-02 13:15 <DIR> d-------- C:\Program Files\BendeBoy
    2007-11-02 12:57 <DIR> d-------- C:\Program Files\Trend Micro
    2007-11-02 01:26 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
    2007-11-02 01:26 31,616 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
    2007-11-02 01:25 <DIR> d-------- C:\Documents and Settings\Gast.SANDERS-8DD8932\Application Data\U3
    2007-10-30 10:48 45,056 --a------ C:\WINDOWS\system32\ftp.exe
    2007-10-30 10:48 45,056 --a--c--- C:\WINDOWS\system32\dllcache\ftp.exe
    2007-10-30 10:48 17,408 --a------ C:\WINDOWS\system32\tftp.exe
    2007-10-30 10:48 17,408 --a--c--- C:\WINDOWS\system32\dllcache\tftp.exe
    2007-10-09 17:29 <DIR> d-------- C:\Program Files\Kruidvat - Fotoservice
    2007-10-05 21:21 <DIR> d-------- C:\Documents and Settings\sanders\Application Data\Harry Potter Time-Turner

    .
    ((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-11-04 18:39 --------- d-----w C:\Program Files\Harry Potter Time-Turner
    2007-11-04 18:39 --------- d-----w C:\Documents and Settings\sigrid\Application Data\Harry Potter Time-Turner
    2007-11-01 08:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\NPF
    2007-10-31 17:28 --------- d-----w C:\Program Files\Q-Xpress Installer
    2007-10-29 15:44 --------- d-----w C:\Documents and Settings\sigrid\Application Data\Canon
    2007-10-26 19:19 --------- d-----w C:\Documents and Settings\sanders\Application Data\Canon
    2007-09-18 19:01 --------- d-----w C:\Program Files\Google
    2007-08-21 06:18 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Startup Points )))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legitimate default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe" [2002-03-18 13:27]
    "Smapp"="C:\Program Files\Analog Devices\SoundMAX\SMTray.exe" [2002-10-11 17:26]
    "DrvLsnr"="C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe" [2003-05-08 12:34]
    "OpwareSE2"="C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 12:00]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe" [2004-12-06 21:31]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 18:58]
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-04-01 15:16]
    "NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-03-25 10:05]
    "Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" []
    "nwiz"="nwiz.exe" [2005-04-01 15:16 C:\WINDOWS\system32\nwiz.exe]
    "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-04-01 15:16]
    "Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-08-11 09:34]
    "CloneCDTray"="C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" [2005-05-19 14:47]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 09:36]
    "TomTomHOME.exe"="C:\Program Files\TomTom HOME\TomTomHOME.exe" [2006-10-30 14:34]
    "Norman ZANDA"="C:\Norman\bin\ZLH.exe" [2006-05-31 11:22]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:03]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 17:24]
    "Harry Potter Time-Turner"="C:\Program Files\Harry Potter Time-Turner\Harry Potter Time-Turner.exe" [2004-11-11 21:15]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe" []

    C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\
    Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-23 14:28:51]
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26]
    NPF Messenger.lnk - C:\Program Files\Norman\NPF\NPFMSG.EXE [2007-01-08 14:42:28]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\<°ÜZJÝYMÝlY«Q°aüžõñ
    C:]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\<°ÜZJÝYMÝlY«Q°aüžõñ
    C:\Program Files]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\<°ÜZJÝYMÝlY«Q°aüžõñ
    C:\Program Files\ISTsvc]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\<°ÜZJÝYMÝlY«Q°aüžõñ
    C:\Program Files\ISTsvc\istsvc.exe]
    C:\WINDOWS\sxtkl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á³# L"h'þ9Óœð3rÅWC:]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á³# L"h'þ9Óœð3rÅWC:\Program Files]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á³# L"h'þ9Óœð3rÅWC:\Program Files\ISTsvc]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á³# L"h'þ9Óœð3rÅWC:\Program Files\ISTsvc\istsvc.exe]
    C:\WINDOWS\sxtkl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "ZESOFT"=2 (0x2)
    "SAVScan"=3 (0x3)
    "ISEXEng"=2 (0x2)
    "iPodService"=3 (0x3)

    R0 NDIS_RD;Firewall Engine Type-R2;C:\WINDOWS\system32\drivers\NDIS_RD.sys
    R1 TDI_RD;Firewall Engine Type-R;\??\C:\WINDOWS\system32\drivers\tdi_rd.sys
    R2 Ndiskio;Ndiskio;\??\C:\Norman\Nse\bin\NDISKIO.SYS
    R3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys
    S3 nvcfsr;nvcfsr;\??\C:\Norman\Nvc\bin\nvcfsr.sys
    S3 nvcoafl51;nvcoafl51;\??\C:\Norman\Nvc\bin\nvcoafl51.sys
    S3 nvcoaft51;nvcoaft51;\??\C:\Norman\Nvc\bin\nvcoaft51.sys
    S3 nvcoarc51;nvcoarc51;\??\C:\Norman\Nvc\bin\nvcoarc51.sys
    S3 nvcoas;Norman Virus Control on-access component;C:\Norman\Nvc\bin\nvcoas.exe
    S3 NVCScheduler;Norman Virus Control Scheduler;C:\Norman\Nvc\BIN\NVCSCHED.EXE

    .
    Contents of the 'Scheduled Tasks' folder
    "2007-10-27 16:23:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
    .
    **************************************************************************

    catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-11-04 19:51:30
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    **************************************************************************
    .
    Completion time: 2007-11-04 19:52:53
    C:\ComboFix2.txt ... 2007-11-04 11:17
    C:\ComboFix3.txt ... 2007-11-02 19:36
    .
    --- E O F ---


    :)





  • With thanks to Juisterr :)

    Open Notepad, copy and paste the following (bold text) into an empty window:
    [b:cdae6c81e4]
    File::
    C:\Program Files\ISTsvc
    C:\Program Files\ISTsvc\istsvc.exe
    C:\WINDOWS\sxtkl.exe


    Registry::
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\<°ÜZJÝYMÝlY«Q°aüžõñ
    C:]

    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\<°ÜZJÝYMÝlY«Q°aüžõñ
    C:\Program Files]

    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\<°ÜZJÝYMÝlY«Q°aüžõñ
    C:\Program Files\ISTsvc]

    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\<°ÜZJÝYMÝlY«Q°aüžõñ
    C:\Program Files\ISTsvc\istsvc.exe]



    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á ³# L"h'þ9Óœð3rÅ WC:]

    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á ³# L"h'þ9Óœð3rÅ WC:\Program Files]

    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á ³# L"h'þ9Óœð3rÅ WC:\Program Files\ISTsvc]

    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á ³# L"h'þ9Óœð3rÅ WC:\Program Files\ISTsvc\istsvc.exe]

    [/b:cdae6c81e4]

    Save this to your Desktop as [b:cdae6c81e4]CFScript.txt[/b:cdae6c81e4]

    Drag [b:cdae6c81e4]CFScript.txt[/b:cdae6c81e4] onto [b:cdae6c81e4]ComboFix.exe[/b:cdae6c81e4] as shown in the example below:
    [img:cdae6c81e4]http://img.photobucket.com/albums/v666/sUBs/CFScript.gif[/img:cdae6c81e4]

    This will make [b:cdae6c81e4]ComboFix[/b:cdae6c81e4] start again.
    Reboot if you are asked to, and post the contents of Combofix.txt in your next reply together with a new HijackThis log.

    Pim
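Both CFScript posts above hand ComboFix a list of registry keys, a folder and files to delete. The msconfig\startupreg keys they target are where msconfig stores startup items a user has unticked, and a `[-key]` line in a CFScript only removes a key whose name matches what ComboFix printed, line wrap included. The script below is an added example, not part of this thread and not ComboFix's own code: it parses a constructed log fragment modelled on the "Reg Startup Points" section (KEY1 stands in for the binary key names; the ISTsvc and sxtkl.exe paths are the ones from the thread), emits the Registry::/Folder::/File:: sections, and refuses to put C:, C:\Program Files or C:\WINDOWS under Folder:: even though the key tails point at them. PROTECTED_DIRS, PATH_RE and the section layout are assumptions made for this example.

```python
"""Build a ComboFix CFScript from the msconfig\\startupreg entries in a ComboFix log.

Added example, not code from the forum thread or from ComboFix. The sample log is
constructed to mirror the thread's "Reg Startup Points" section.
"""
import ntpath
import re
from typing import Dict, List, Tuple

# Where msconfig parks startup items a user has unticked; ComboFix lists every key
# it finds there, which is why the entries in the thread kept showing up.
STARTUPREG_PREFIX = (
    r"HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg" + "\\"
)

# Directories a removal script must never name under Folder::, even though a key
# tail may point straight at them (assumed safelist for this example).
PROTECTED_DIRS = {"c:", r"c:\program files", r"c:\windows", r"c:\windows\system32"}

# Only absolute paths to executable-type files become File:: targets; bare
# directories and drive roots are ignored (assumed heuristic for this example).
PATH_RE = re.compile(r"[a-z]:\\.+\.(?:exe|dll|sys|scr|pif|com|bat|cmd)", re.IGNORECASE)

# Constructed sample; KEY1 stands in for the binary garbage ComboFix printed.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KEY1
C:\Program Files\ISTsvc]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KEY1
C:\Program Files\ISTsvc\istsvc.exe]
C:\WINDOWS\sxtkl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ZESOFT"=2 (0x2)
"""


def parse_startupreg(log_text: str) -> List[Tuple[str, List[str]]]:
    """Return (key, command lines) for each msconfig\\startupreg key in the log.

    ComboFix wraps long key names: a key runs from its opening '[' up to the first
    line ending in ']'. Non-blank lines that follow, up to the next bracketed key,
    are the command(s) stored under that entry.
    """
    lines = [ln.strip() for ln in log_text.splitlines()]
    entries: List[Tuple[str, List[str]]] = []
    i = 0
    while i < len(lines):
        if not lines[i].startswith("["):
            i += 1
            continue
        key_lines = [lines[i]]
        while not key_lines[-1].endswith("]") and i + 1 < len(lines):
            i += 1
            key_lines.append(lines[i])
        key = "\n".join(key_lines)[1:-1]  # keep the wrap exactly as ComboFix printed it
        i += 1
        commands: List[str] = []
        while i < len(lines) and lines[i] and not lines[i].startswith("["):
            commands.append(lines[i])
            i += 1
        if key.lower().startswith(STARTUPREG_PREFIX.lower()):
            entries.append((key, commands))
    return entries


def plan_removals(entries: List[Tuple[str, List[str]]]) -> Dict[str, List[str]]:
    """Turn parsed entries into the Registry::/Folder::/File:: lists of a CFScript."""
    plan: Dict[str, List[str]] = {"Registry": [], "Folder": [], "File": []}

    def add(section: str, item: str) -> None:
        if item not in plan[section]:
            plan[section].append(item)

    for key, commands in entries:
        add("Registry", f"[-{key}]")
        tail = key[len(STARTUPREG_PREFIX):].split("\n")[-1]  # path embedded in the key name
        for candidate in [tail] + commands:
            if not PATH_RE.fullmatch(candidate):
                continue  # drive roots and bare directories never become targets
            add("File", candidate)
            parent = ntpath.dirname(candidate)
            if parent.lower() not in PROTECTED_DIRS:
                add("Folder", parent)  # e.g. C:\Program Files\ISTsvc, never C:\WINDOWS
    return plan


def render_cfscript(plan: Dict[str, List[str]]) -> str:
    """Serialise the plan in the text layout the thread's CFScript.txt uses."""
    blocks = [f"{name}::\n" + "\n".join(items) for name, items in plan.items() if items]
    return "\n\n".join(blocks) + "\n"


if __name__ == "__main__":
    print(render_cfscript(plan_removals(parse_startupreg(SAMPLE_LOG))))
```

Run it against a saved ComboFix log instead of SAMPLE_LOG and review the printed script before dragging it onto ComboFix; the point of the safelist is that a naive version would have emitted `C:\Program Files` as a Folder:: target from the second key tail.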
  • :wink:

    ComboFix 07-11-02.3 - sigrid 2007-11-05 20:03:23.4 - NTFSx86
    Running from: C:\Documents and Settings\sigrid\Bureaublad\ComboFix.exe
    Command switches used :: C:\Documents and Settings\sigrid\Bureaublad\CFScript.txt
    * Created a new restore point

    FILE::
    C:\Program Files\ISTsvc
    C:\Program Files\ISTsvc\istsvc.exe
    C:\WINDOWS\sxtkl.exe
    .

    (((((((((((((((((((( Files Created From 2007-10-05 to 2007-11-05 ))))))))))))))))))))))))))))))
    .

    2007-11-02 19:28 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2007-11-02 15:45 5 --a------ C:\NPF_USER.DAT
    2007-11-02 14:45 <DIR> d-------- C:\Program Files\Kruidvat
    2007-11-02 13:57 <DIR> d-------- C:\Documents and Settings\sigrid\Application Data\U3
    2007-11-02 13:15 <DIR> d-------- C:\Program Files\BendeBoy
    2007-11-02 12:57 <DIR> d-------- C:\Program Files\Trend Micro
    2007-11-02 01:26 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
    2007-11-02 01:26 31,616 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
    2007-11-02 01:25 <DIR> d-------- C:\Documents and Settings\Gast.SANDERS-8DD8932\Application Data\U3
    2007-10-30 10:48 45,056 --a------ C:\WINDOWS\system32\ftp.exe
    2007-10-30 10:48 45,056 --a--c--- C:\WINDOWS\system32\dllcache\ftp.exe
    2007-10-30 10:48 17,408 --a------ C:\WINDOWS\system32\tftp.exe
    2007-10-30 10:48 17,408 --a--c--- C:\WINDOWS\system32\dllcache\tftp.exe
    2007-10-09 17:29 <DIR> d-------- C:\Program Files\Kruidvat - Fotoservice
    2007-10-05 21:21 <DIR> d-------- C:\Documents and Settings\sanders\Application Data\Harry Potter Time-Turner

    .
    ((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-11-05 18:51 --------- d-----w C:\Program Files\Harry Potter Time-Turner
    2007-11-05 18:51 --------- d-----w C:\Documents and Settings\sigrid\Application Data\Harry Potter Time-Turner
    2007-11-01 08:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\NPF
    2007-10-31 17:28 --------- d-----w C:\Program Files\Q-Xpress Installer
    2007-10-29 15:44 --------- d-----w C:\Documents and Settings\sigrid\Application Data\Canon
    2007-10-26 19:19 --------- d-----w C:\Documents and Settings\sanders\Application Data\Canon
    2007-09-18 19:01 --------- d-----w C:\Program Files\Google
    2007-08-21 06:18 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Startup Points )))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legitimate default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe" [2002-03-18 13:27]
    "Smapp"="C:\Program Files\Analog Devices\SoundMAX\SMTray.exe" [2002-10-11 17:26]
    "DrvLsnr"="C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe" [2003-05-08 12:34]
    "OpwareSE2"="C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 12:00]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe" [2004-12-06 21:31]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 18:58]
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-04-01 15:16]
    "NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-03-25 10:05]
    "Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" []
    "nwiz"="nwiz.exe" [2005-04-01 15:16 C:\WINDOWS\system32\nwiz.exe]
    "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-04-01 15:16]
    "Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-08-11 09:34]
    "CloneCDTray"="C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" [2005-05-19 14:47]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 09:36]
    "TomTomHOME.exe"="C:\Program Files\TomTom HOME\TomTomHOME.exe" [2006-10-30 14:34]
    "Norman ZANDA"="C:\Norman\bin\ZLH.exe" [2006-05-31 11:22]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:03]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 17:24]
    "Harry Potter Time-Turner"="C:\Program Files\Harry Potter Time-Turner\Harry Potter Time-Turner.exe" [2004-11-11 21:15]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe" []

    C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\
    Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-23 14:28:51]
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26]
    NPF Messenger.lnk - C:\Program Files\Norman\NPF\NPFMSG.EXE [2007-01-08 14:42:28]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\<°ÜZJÝYMÝlY«Q°aüžõñ
    C:]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\<°ÜZJÝYMÝlY«Q°aüžõñ
    C:\Program Files]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\<°ÜZJÝYMÝlY«Q°aüžõñ
    C:\Program Files\ISTsvc]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\<°ÜZJÝYMÝlY«Q°aüžõñ
    C:\Program Files\ISTsvc\istsvc.exe]
    C:\WINDOWS\sxtkl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á³# L"h'þ9Óœð3rÅWC:]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á³# L"h'þ9Óœð3rÅWC:\Program Files]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á³# L"h'þ9Óœð3rÅWC:\Program Files\ISTsvc]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á³# L"h'þ9Óœð3rÅWC:\Program Files\ISTsvc\istsvc.exe]
    C:\WINDOWS\sxtkl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "ZESOFT"=2 (0x2)
    "SAVScan"=3 (0x3)
    "ISEXEng"=2 (0x2)
    "iPodService"=3 (0x3)

    R0 NDIS_RD;Firewall Engine Type-R2;C:\WINDOWS\system32\drivers\NDIS_RD.sys
    R1 TDI_RD;Firewall Engine Type-R;\??\C:\WINDOWS\system32\drivers\tdi_rd.sys
    R2 Ndiskio;Ndiskio;\??\C:\Norman\Nse\bin\NDISKIO.SYS
    R3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys
    S3 nvcfsr;nvcfsr;\??\C:\Norman\Nvc\bin\nvcfsr.sys
    S3 nvcoafl51;nvcoafl51;\??\C:\Norman\Nvc\bin\nvcoafl51.sys
    S3 nvcoaft51;nvcoaft51;\??\C:\Norman\Nvc\bin\nvcoaft51.sys
    S3 nvcoarc51;nvcoarc51;\??\C:\Norman\Nvc\bin\nvcoarc51.sys
    S3 nvcoas;Norman Virus Control on-access component;C:\Norman\Nvc\bin\nvcoas.exe
    S3 NVCScheduler;Norman Virus Control Scheduler;C:\Norman\Nvc\BIN\NVCSCHED.EXE

    .
    Contents of the 'Scheduled Tasks' folder
    "2007-10-27 16:23:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
    .
    **************************************************************************

    catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-11-05 20:07:13
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    **************************************************************************
    .
    Completion time: 2007-11-05 20:08:46
    C:\ComboFix2.txt ... 2007-11-04 19:52
    C:\ComboFix3.txt ... 2007-11-04 11:17
    .
    --- E O F ---


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 20:11:06, on 5-11-2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\mqsvc.exe
    C:\WINDOWS\system32\mqtgsvc.exe
    C:\WINDOWS\system32\WgaTray.exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
    C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
    C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
    C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
    C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\TomTom HOME\TomTomHOME.exe
    C:\Norman\bin\ZLH.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\Program Files\Norman\NPF\npfmsg.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.be/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.google.be/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
    O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
    O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
    O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME\TomTomHOME.exe" -s
    O4 - HKLM\..\Run: [Norman ZANDA] C:\Norman\bin\ZLH.EXE /LOAD /SPLASH
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Harry Potter Time-Turner] C:\Program Files\Harry Potter Time-Turner\Harry Potter Time-Turner.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: NPF Messenger.lnk = ?
    O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: iWatchNow Media Center - {750A64D8-DFAA-485B-A335-F7093333FBB7} - C:\Program Files\iWatchNow, Inc.\iWatchNow Media Center\iwnvod.exe
    O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: PICgrabber - {4964E240-D53C-11D5-BDA9-444553540000} - C:\Program Files\PICgrabber\PICGRABBER.EXE (HKCU)
    O9 - Extra 'Tools' menuitem: PICgrabber - Movie&Image Search/Download Software - {4964E240-D53C-11D5-BDA9-444553540000} - C:\Program Files\PICgrabber\PICGRABBER.EXE (HKCU)
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by134w.bay134.mail.live.com/mail/resources/MsnPUpld.cab
    O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://sigridsanders.spaces.live.com/PhotoUpload/MsnPUpld.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
    O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
    O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\Norman\Nvc\BIN\nipsvc.exe
    O23 - Service: Norman NJeeves - Unknown owner - C:\Norman\bin\NJEEVES.EXE
    O23 - Service: Norman Type-R - Unknown owner - C:\Program Files\Norman\NPF\NPFSVICE.EXE
    O23 - Service: Norman ZANDA - Unknown owner - C:\Norman\Bin\Zanda.exe
    O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Norman\Nvc\bin\nvcoas.exe
    O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman Data Defense Systems - C:\Norman\Nvc\BIN\NVCSCHED.EXE
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe


    End of file - 7227 bytes











  • Hmm, they don't really want to go :cry:

    Can you go via Start -> Run -> [b:54202303f5]msconfig[/b:54202303f5], tick everything, and then post a new HijackThis log + ComboFix log.
  • Everything was already ticked... any more ideas? :(

    ComboFix 07-11-02.3 - sigrid 2007-11-06 19:49:43.5 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1043.18.125 [GMT 1:00]
    Running from: C:\Documents and Settings\sigrid\Bureaublad\ComboFix.exe
    .

    (((((((((((((((((((( Files Created From 2007-10-06 to 2007-11-06 ))))))))))))))))))))))))))))))
    .

    2007-11-06 17:21 5 --a------ C:\NPF_USER.DAT
    2007-11-02 19:28 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2007-11-02 14:45 <DIR> d-------- C:\Program Files\Kruidvat
    2007-11-02 13:57 <DIR> d-------- C:\Documents and Settings\sigrid\Application Data\U3
    2007-11-02 13:15 <DIR> d-------- C:\Program Files\BendeBoy
    2007-11-02 12:57 <DIR> d-------- C:\Program Files\Trend Micro
    2007-11-02 01:26 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
    2007-11-02 01:26 31,616 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
    2007-11-02 01:25 <DIR> d-------- C:\Documents and Settings\Gast.SANDERS-8DD8932\Application Data\U3
    2007-10-30 10:48 45,056 --a------ C:\WINDOWS\system32\ftp.exe
    2007-10-30 10:48 45,056 --a--c--- C:\WINDOWS\system32\dllcache\ftp.exe
    2007-10-30 10:48 17,408 --a------ C:\WINDOWS\system32\tftp.exe
    2007-10-30 10:48 17,408 --a--c--- C:\WINDOWS\system32\dllcache\tftp.exe
    2007-10-09 17:29 <DIR> d-------- C:\Program Files\Kruidvat - Fotoservice

    .
    ((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-11-06 18:44 --------- d-----w C:\Program Files\Harry Potter Time-Turner
    2007-11-06 18:44 --------- d-----w C:\Documents and Settings\sigrid\Application Data\Harry Potter Time-Turner
    2007-11-06 17:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\NPF
    2007-10-31 17:28 --------- d-----w C:\Program Files\Q-Xpress Installer
    2007-10-29 15:44 --------- d-----w C:\Documents and Settings\sigrid\Application Data\Canon
    2007-10-26 19:19 --------- d-----w C:\Documents and Settings\sanders\Application Data\Canon
    2007-10-05 20:21 --------- d-----w C:\Documents and Settings\sanders\Application Data\Harry Potter Time-Turner
    2007-09-18 19:01 --------- d-----w C:\Program Files\Google
    2007-08-21 06:18 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Startup Points )))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legitimate default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe" [2002-03-18 13:27]
    "Smapp"="C:\Program Files\Analog Devices\SoundMAX\SMTray.exe" [2002-10-11 17:26]
    "DrvLsnr"="C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe" [2003-05-08 12:34]
    "OpwareSE2"="C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 12:00]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe" [2004-12-06 21:31]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 18:58]
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-04-01 15:16]
    "NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-03-25 10:05]
    "Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" []
    "nwiz"="nwiz.exe" [2005-04-01 15:16 C:\WINDOWS\system32\nwiz.exe]
    "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-04-01 15:16]
    "Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-08-11 09:34]
    "CloneCDTray"="C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" [2005-05-19 14:47]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 09:36]
    "TomTomHOME.exe"="C:\Program Files\TomTom HOME\TomTomHOME.exe" [2006-10-30 14:34]
    "Norman ZANDA"="C:\Norman\bin\ZLH.exe" [2006-05-31 11:22]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:03]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 17:24]
    "Harry Potter Time-Turner"="C:\Program Files\Harry Potter Time-Turner\Harry Potter Time-Turner.exe" [2004-11-11 21:15]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe" []

    C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\
    Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-23 14:28:51]
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26]
    NPF Messenger.lnk - C:\Program Files\Norman\NPF\NPFMSG.EXE [2007-01-08 14:42:28]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\<°ÜZJÝYMÝlY«Q°aüžõñ
    C:]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\<°ÜZJÝYMÝlY«Q°aüžõñ
    C:\Program Files]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\<°ÜZJÝYMÝlY«Q°aüžõñ
    C:\Program Files\ISTsvc]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\<°ÜZJÝYMÝlY«Q°aüžõñ
    C:\Program Files\ISTsvc\istsvc.exe]
    C:\WINDOWS\sxtkl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á³# L"h'þ9Óœð3rÅWC:]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á³# L"h'þ9Óœð3rÅWC:\Program Files]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á³# L"h'þ9Óœð3rÅWC:\Program Files\ISTsvc]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á³# L"h'þ9Óœð3rÅWC:\Program Files\ISTsvc\istsvc.exe]
    C:\WINDOWS\sxtkl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "ZESOFT"=2 (0x2)
    "SAVScan"=3 (0x3)
    "ISEXEng"=2 (0x2)
    "iPodService"=3 (0x3)

    R0 NDIS_RD;Firewall Engine Type-R2;C:\WINDOWS\system32\drivers\NDIS_RD.sys
    R1 TDI_RD;Firewall Engine Type-R;\??\C:\WINDOWS\system32\drivers\tdi_rd.sys
    R2 Ndiskio;Ndiskio;\??\C:\Norman\Nse\bin\NDISKIO.SYS
    R3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys
    S3 nvcfsr;nvcfsr;\??\C:\Norman\Nvc\bin\nvcfsr.sys
    S3 nvcoafl51;nvcoafl51;\??\C:\Norman\Nvc\bin\nvcoafl51.sys
    S3 nvcoaft51;nvcoaft51;\??\C:\Norman\Nvc\bin\nvcoaft51.sys
    S3 nvcoarc51;nvcoarc51;\??\C:\Norman\Nvc\bin\nvcoarc51.sys
    S3 nvcoas;Norman Virus Control on-access component;C:\Norman\Nvc\bin\nvcoas.exe
    S3 NVCScheduler;Norman Virus Control Scheduler;C:\Norman\Nvc\BIN\NVCSCHED.EXE

    .
    Inhoud van de 'Gedeelde Taken' map
    "2007-10-27 16:23:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
    .
    **************************************************************************

    catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-11-06 19:53:43
    Windows 5.1.2600 Service Pack 2 NTFS

    scannen van verborgen processen …

    scannen van verborgen autostart items …

    scannen van verborgen bestanden …

    **************************************************************************
    .
    Voltooingstijd: 2007-11-06 19:55:09
    C:\ComboFix2.txt … 2007-11-05 20:08
    .
    --- E O F ---


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 19:56:08, on 6-11-2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\mqsvc.exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
    C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
    C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
    C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
    C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\TomTom HOME\TomTomHOME.exe
    C:\Norman\bin\ZLH.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\WINDOWS\system32\mqtgsvc.exe
    C:\WINDOWS\system32\WgaTray.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Norman\NPF\npfmsg.exe
    C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.be/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.google.be/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
    O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
    O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
    O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME\TomTomHOME.exe" -s
    O4 - HKLM\..\Run: [Norman ZANDA] C:\Norman\bin\ZLH.EXE /LOAD /SPLASH
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Harry Potter Time-Turner] C:\Program Files\Harry Potter Time-Turner\Harry Potter Time-Turner.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: NPF Messenger.lnk = ?
    O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: iWatchNow Media Center - {750A64D8-DFAA-485B-A335-F7093333FBB7} - C:\Program Files\iWatchNow, Inc.\iWatchNow Media Center\iwnvod.exe
    O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: PICgrabber - {4964E240-D53C-11D5-BDA9-444553540000} - C:\Program Files\PICgrabber\PICGRABBER.EXE (HKCU)
    O9 - Extra 'Tools' menuitem: PICgrabber - Movie&Image Search/Download Software - {4964E240-D53C-11D5-BDA9-444553540000} - C:\Program Files\PICgrabber\PICGRABBER.EXE (HKCU)
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by134w.bay134.mail.live.com/mail/resources/MsnPUpld.cab
    O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://sigridsanders.spaces.live.com/PhotoUpload/MsnPUpld.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
    O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
    O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\Norman\Nvc\BIN\nipsvc.exe
    O23 - Service: Norman NJeeves - Unknown owner - C:\Norman\bin\NJEEVES.EXE
    O23 - Service: Norman Type-R - Unknown owner - C:\Program Files\Norman\NPF\NPFSVICE.EXE
    O23 - Service: Norman ZANDA - Unknown owner - C:\Norman\Bin\Zanda.exe
    O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Norman\Nvc\bin\nvcoas.exe
    O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman Data Defense Systems - C:\Norman\Nvc\BIN\NVCSCHED.EXE
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe


    End of file - 7364 bytes

  • With thanks to Smeenk,

    1) Open a Notepad file.
    2) Copy the code below into this Notepad file.
    3) Go to File - Save As.
    -Under "Save in" choose: Desktop
    -Under "File name" enter: fix.reg
    -Under "Save as type" select: All files (*.*).
    -Click the Save button.

    REGEDIT4

    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

    4) Double-click the fix.reg file and allow the changes to be added to the registry.

    Post a new ComboFix log for checking :)
    Pim
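The check below is an added example, not code from this thread, from ComboFix or from HijackThis. It does in Python what the helper did by eye: it parses the startupreg keys out of a ComboFix-style registry section, flags key names that contain non-printable or non-ASCII characters (the pattern visible in the log above), and works out which of those entries the REGEDIT4 fix removes. The REGEDIT4 semantics are the documented ones: a line `[-key]` deletes that key with all its subkeys and values, and `[key]` creates the key if it is absent. The sample log text is constructed here; the junk key name copies the pattern from the log above and the two command lines are taken from it.

```python
"""Checks for a ComboFix-style registry section and a REGEDIT4 fix file.

Added example, not part of the forum thread or of ComboFix/HijackThis.
It answers two questions a helper asks before posting a fix like the one
above: which msconfig\\startupreg entries look like junk, and which of them
the proposed .reg file actually removes.
"""
import re
from typing import List, NamedTuple, Tuple

STARTUPREG = r"HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg"

# Constructed sample in the layout ComboFix uses for "Reg Opstartpunten":
# a bracketed key line, then the command that key records. The junk key name
# copies the pattern seen in the log above; everything else is made up.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á³# L"h'þ9Óœð3rÅWC:\Program Files\ISTsvc\istsvc.exe]
C:\WINDOWS\sxtkl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ZESOFT"=2 (0x2)
"""

# The fix posted in the thread: delete the startupreg branch, then recreate it empty.
FIX_REG = r"""REGEDIT4

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
"""


class StartupEntry(NamedTuple):
    key: str        # full registry key as printed by ComboFix
    name: str       # the subkey name under startupreg
    command: str    # the command line the entry records ("" if none listed)
    suspicious: bool


def looks_like_junk(name: str) -> bool:
    """Heuristic: msconfig names these subkeys after the Run value they came
    from, which is printable ASCII in practice. Control characters or bytes
    outside ASCII in the name are the pattern the log above shows. A legitimate
    name with accented letters would trip this too, so treat a hit as a lead,
    not a verdict."""
    return any(ord(c) < 32 or ord(c) > 126 for c in name)


KEY_LINE = re.compile(r"^\[(?P<key>HKEY_[^\]]*)\]$")


def parse_startupreg(log_text: str) -> List[StartupEntry]:
    """Walk the section line by line, pairing each startupreg key with the
    command line ComboFix prints directly beneath it."""
    entries: List[StartupEntry] = []
    lines = log_text.splitlines()
    prefix = STARTUPREG + "\\"
    for i, raw in enumerate(lines):
        m = KEY_LINE.match(raw.strip())
        if not m:
            continue
        key = m.group("key")
        if not key.lower().startswith(prefix.lower()):
            continue
        name = key[len(prefix):]
        command = ""
        # The command is the next non-blank line unless another key starts first.
        for nxt in lines[i + 1:]:
            nxt = nxt.strip()
            if not nxt:
                continue
            if not nxt.startswith("["):
                command = nxt
            break
        entries.append(StartupEntry(key, name, command, looks_like_junk(name)))
    return entries


def reg_script_actions(reg_text: str) -> List[Tuple[str, str]]:
    """REGEDIT4 semantics: "[-key]" deletes the key and everything under it,
    "[key]" creates the key if it is absent. Value lines are ignored here."""
    actions: List[Tuple[str, str]] = []
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[-") and line.endswith("]"):
            actions.append(("delete", line[2:-1]))
        elif line.startswith("[") and line.endswith("]"):
            actions.append(("create", line[1:-1]))
    return actions


def entries_removed_by(reg_text: str, log_text: str) -> List[StartupEntry]:
    """Which parsed entries sit under a key the .reg file deletes."""
    deleted = [k.lower() for act, k in reg_script_actions(reg_text) if act == "delete"]
    return [e for e in parse_startupreg(log_text)
            if any(e.key.lower() == d or e.key.lower().startswith(d + "\\") for d in deleted)]


if __name__ == "__main__":
    for e in parse_startupreg(SAMPLE_LOG):
        flag = "JUNK?" if e.suspicious else "ok   "
        print(f"{flag} {e.name!r} -> {e.command}")
    print("actions:", reg_script_actions(FIX_REG))
    print("removed:", [e.name for e in entries_removed_by(FIX_REG, SAMPLE_LOG)])
```

Run it directly to print the flagged entries and the effect of the fix. Note that the fix wipes the whole startupreg branch, so the legitimate MSMSGS record goes with the junk one; that branch only holds msconfig's list of disabled startup items, which is why the helper could afford to clear it completely, and why the entry's target file is not touched by the .reg file itself.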
  • ComboFix 07-11-02.3 - sigrid 2007-11-07 15:23:19.6 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1043.18.105 [GMT 1:00]
    Gestart vanuit: C:\Documents and Settings\sigrid\Bureaublad\ComboFix.exe
    .

    (((((((((((((((((((( Bestanden Gemaakt van 2007-10-07 to 2007-11-07 ))))))))))))))))))))))))))))))
    .

    2007-11-06 17:21 5 --a------ C:\NPF_USER.DAT
    2007-11-02 19:28 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2007-11-02 14:45 <DIR> d-------- C:\Program Files\Kruidvat
    2007-11-02 13:57 <DIR> d-------- C:\Documents and Settings\sigrid\Application Data\U3
    2007-11-02 13:15 <DIR> d-------- C:\Program Files\BendeBoy
    2007-11-02 12:57 <DIR> d-------- C:\Program Files\Trend Micro
    2007-11-02 01:26 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
    2007-11-02 01:26 31,616 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
    2007-11-02 01:25 <DIR> d-------- C:\Documents and Settings\Gast.SANDERS-8DD8932\Application Data\U3
    2007-10-30 10:48 45,056 --a------ C:\WINDOWS\system32\ftp.exe
    2007-10-30 10:48 45,056 --a--c--- C:\WINDOWS\system32\dllcache\ftp.exe
    2007-10-30 10:48 17,408 --a------ C:\WINDOWS\system32\tftp.exe
    2007-10-30 10:48 17,408 --a--c--- C:\WINDOWS\system32\dllcache\tftp.exe
    2007-10-09 17:29 <DIR> d-------- C:\Program Files\Kruidvat - Fotoservice

    .
    ((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-11-07 14:06 --------- d-----w C:\Program Files\Harry Potter Time-Turner
    2007-11-07 14:06 --------- d-----w C:\Documents and Settings\sigrid\Application Data\Harry Potter Time-Turner
    2007-11-06 17:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\NPF
    2007-10-31 17:28 --------- d-----w C:\Program Files\Q-Xpress Installer
    2007-10-29 15:44 --------- d-----w C:\Documents and Settings\sigrid\Application Data\Canon
    2007-10-26 19:19 --------- d-----w C:\Documents and Settings\sanders\Application Data\Canon
    2007-10-05 20:21 --------- d-----w C:\Documents and Settings\sanders\Application Data\Harry Potter Time-Turner
    2007-09-18 19:01 --------- d-----w C:\Program Files\Google
    2007-08-21 06:18 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe" [2002-03-18 13:27]
    "Smapp"="C:\Program Files\Analog Devices\SoundMAX\SMTray.exe" [2002-10-11 17:26]
    "DrvLsnr"="C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe" [2003-05-08 12:34]
    "OpwareSE2"="C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 12:00]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe" [2004-12-06 21:31]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 18:58]
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-04-01 15:16]
    "NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-03-25 10:05]
    "Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" []
    "nwiz"="nwiz.exe" [2005-04-01 15:16 C:\WINDOWS\system32\nwiz.exe]
    "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-04-01 15:16]
    "Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-08-11 09:34]
    "CloneCDTray"="C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" [2005-05-19 14:47]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 09:36]
    "TomTomHOME.exe"="C:\Program Files\TomTom HOME\TomTomHOME.exe" [2006-10-30 14:34]
    "Norman ZANDA"="C:\Norman\bin\ZLH.exe" [2006-05-31 11:22]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:03]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 17:24]
    "Harry Potter Time-Turner"="C:\Program Files\Harry Potter Time-Turner\Harry Potter Time-Turner.exe" [2004-11-11 21:15]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe" []

    C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\
    Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-23 14:28:51]
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26]
    NPF Messenger.lnk - C:\Program Files\Norman\NPF\NPFMSG.EXE [2007-01-08 14:42:28]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "ZESOFT"=2 (0x2)
    "SAVScan"=3 (0x3)
    "ISEXEng"=2 (0x2)
    "iPodService"=3 (0x3)

    R0 NDIS_RD;Firewall Engine Type-R2;C:\WINDOWS\system32\drivers\NDIS_RD.sys
    R1 TDI_RD;Firewall Engine Type-R;\??\C:\WINDOWS\system32\drivers\tdi_rd.sys
    R2 Ndiskio;Ndiskio;\??\C:\Norman\Nse\bin\NDISKIO.SYS
    R3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys
    S3 nvcfsr;nvcfsr;\??\C:\Norman\Nvc\bin\nvcfsr.sys
    S3 nvcoafl51;nvcoafl51;\??\C:\Norman\Nvc\bin\nvcoafl51.sys
    S3 nvcoaft51;nvcoaft51;\??\C:\Norman\Nvc\bin\nvcoaft51.sys
    S3 nvcoarc51;nvcoarc51;\??\C:\Norman\Nvc\bin\nvcoarc51.sys
    S3 nvcoas;Norman Virus Control on-access component;C:\Norman\Nvc\bin\nvcoas.exe
    S3 NVCScheduler;Norman Virus Control Scheduler;C:\Norman\Nvc\BIN\NVCSCHED.EXE

    .
    Inhoud van de 'Gedeelde Taken' map
    "2007-10-27 16:23:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
    .
    **************************************************************************

    catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-11-07 15:27:04
    Windows 5.1.2600 Service Pack 2 NTFS

    scannen van verborgen processen …

    scannen van verborgen autostart items …

    scannen van verborgen bestanden …

    **************************************************************************
    .
    Voltooingstijd: 2007-11-07 15:28:35
    C:\ComboFix2.txt … 2007-11-06 19:55
    C:\ComboFix3.txt … 2007-11-05 20:08
    .
    --- E O F ---


    :wink:
  • Finally worked :D

    Download ATF Cleaner (by Atribune)

    Double-click ATF cleaner to start the program.
    On the "Main" tab, put a tick next to Select All. Remove the tick next to Prefetch.
    Click the Empty Selected button.

    If you also use Firefox as your browser:

    Click the "Firefox" tab and put a tick next to Select All.
    If you want to keep the passwords saved by Firefox, click "No" in the window that appears.
    (this removes the tick next to "Firefox saved passwords")
    Click the Empty Selected button.

    If you also use Opera as your browser:

    Click the "Opera" tab and put a tick next to Select All.
    If you want to keep the passwords saved by Opera, click "No" in the window that appears.
    Click the Empty Selected button.

    Go to the "Main" tab and click the Exit button to close the program.


    Download Dr.Web CureIt to your Desktop:
    - Double-click drweb-cureit.exe and allow it to start the express scan.
    - If a popup appears offering a purchase / 50% discount, you may close it with the cross.
    - This will scan the files currently loaded in memory and, when something is found,
      click the Yes to all button at the question 'cure it?'. This is only a short scan.
    - In the menu at the top choose Language/Taal and change it to Dutch (Nederlands) if it is set differently on your system.
    - Press F9, then choose Actions (Acties) and set the following under Malware:
      - Adware: Move (Verplaats)
      - Dialers: Move (Verplaats)
      - Jokes: Report (Rapportage)
      - Riskware: Report (Rapportage)
      - Hacktools: Move (Verplaats)
      - Then remove the tick next to "Prompt on action" (Prompt bij actie).
    - Then press OK.
    - Press F9, then choose Scan, remove the tick next to Heuristic analysis (Heuristische analyse) and click OK.
    - Once the short scan has finished, you can select the drives you want scanned (Select drives).
    - Select all drives here. A red dot will then appear on the drives you are having scanned.
    - Then click the
  • 'Press F9, then choose Scan, remove the tick next to Heuristic analysis and click OK.'

    I'm a bit stuck here. After pressing OK nothing happens; the short scan doesn't start. So I can't carry out the next steps.
  • Hmm, I just had a look myself and indeed it doesn't work for me either; probably an update or something has come out :oops:

    Use this tool in the meantime:

    Download and install AVG Anti-Spyware.
    After installation, open AVG Anti-Spyware:
    * under "Status", click Change state next to "Resident shield". (change from active to inactive!)
    * under "Update", click the Start update button.
    * under "Scanner", tab "Settings":
      - under "How to act?", click "Recommended actions" and select Quarantine. (VERY IMPORTANT!)
      - under "Reports", select Automatically generate report after every scan and remove the tick next to Only if threats were found
    Close AVG Anti-Spyware. Do not let it scan yet.
    Boot into Safe Mode

    Start
  • Everything worked, except that with the report I didn't have the option to save it.


    I've been on MSN for quite a while today and no problems have occurred. :D
  • OK, then we'll assume the problems are over :)

    Remove ComboFix:
    Go to Start -> Run and type:
    Combofix /U
    Click OK to confirm.

    Also do this:
    Disable System Restore, restart your computer and enable System Restore again: http://users.telenet.be/marcvn/spyware/1852808.htm
    This removes any remnants of the infection from your System Restore.

    Also read through these security tips:
    http://users.telenet.be/marcvn/spyware/1564073.htm

    Pim :)
  • Success! There still haven't been any more problems! :D
    Thanks Pim and the rest!
