Question & Answer

Security & privacy

Nokia_19

20 answers
  • You already helped someone else with the same problem. On MSN I opened the file Nokia_19, which I had received from someone, and since then that file is constantly being forwarded to everyone who is online on MSN. Can you help me?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:58:47, on 2-11-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\TomTom HOME\TomTomHOME.exe
C:\Norman\bin\ZLH.EXE
C:\WINDOWS\mrofinu1148.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\WinAble\winable.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\Norman\NPF\npfmsg.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.be/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.google.be/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
R3 - URLSearchHook: (no name) - _{00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O2 - BHO: mycpmads.com Browser Optimizer - {582FDCF0-A82E-4fc1-A6F6-0D2F36881F63} - C:\WINDOWS\system32\br_rt.dll (file missing)
O2 - BHO: RXResultTracker Class - {59879FA4-4790-461c-A1CC-4EC4DE4CA483} - C:\Program Files\RXToolBar\sfcont.dll (file missing)
O2 - BHO: ohb - {5ED7D3DE-6DBE-4516-8712-01B1B64B7057} - C:\WINDOWS\system32\SearchTool\nsb40.dll (file missing)
O2 - BHO: ohb - {5ED7D3DE-6DBE-4516-8712-436325722327} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {98BF3E25-F7C6-8940-BB20-8F8A42F97EB0} - C:\WINDOWS\system32\iuviks.dll
O2 - BHO: Related Page - {9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\system32\WinNB58.dll (file missing)
O3 - Toolbar: RX Toolbar - {25D8BACF-3DE2-4B48-AE22-D659B8D835B0} - C:\Program Files\RXToolBar\RXToolBar.dll (file missing)
O3 - Toolbar: Related Page - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\system32\WinNB58.dll (file missing)
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [mbjvqdkxsct] C:\WINDOWS\system32\ofkgaf.exe
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\system32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Ytbrupuc] C:\Program Files\Cpodduz\Asbjb.exe
O4 - HKLM\..\Run: [webrebates] "C:\Program Files\WebRebates4\webrebates.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe
O4 - HKLM\..\Run: [salm] c:\program files\180searchassistant\salm.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKLM\..\Run: [Media Gateway] C:\Program Files\Media Gateway\MediaGateway.exe
O4 - HKLM\..\Run: [k2loagpv] C:\WINDOWS\system32\k2loagpv.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [KAZAA] C:\Program Files\Kazaa\kazaa.exe /SYSTRAY
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [adstart] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\br_rt.dll" DllVerify
O4 - HKLM\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME\TomTomHOME.exe" -s
O4 - HKLM\..\Run: [Norman ZANDA] C:\Norman\bin\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [LBTWiz.exe] C:\WINDOWS\LBTWiz.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1148.exe 61A847B5BBF72813339F30466188719AB689201522886B092CBD44BD8689220221DD3257
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Harry Potter Time-Turner] C:\Program Files\Harry Potter Time-Turner\Harry Potter Time-Turner.exe
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKCU\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
O4 - HKCU\..\Run: [WhenUSave] "C:\Program Files\Save\Save.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [WinAble] C:\Program Files\WinAble\winable.exe
O4 - HKCU\..\Run: [MSNCleaner] C:\DOCUME~1\sigrid\LOCALS~1\Temp\Rar$EX00.031\MSNCleaner.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O4 - Global Startup: NPF Messenger.lnk = ?
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZNxdm119YYBE
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: iWatchNow Media Center - {750A64D8-DFAA-485B-A335-F7093333FBB7} - C:\Program Files\iWatchNow, Inc.\iWatchNow Media Center\iwnvod.exe
O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: PICgrabber - {4964E240-D53C-11D5-BDA9-444553540000} - C:\Program Files\PICgrabber\PICGRABBER.EXE (HKCU)
O9 - Extra 'Tools' menuitem: PICgrabber - Movie&Image Search/Download Software - {4964E240-D53C-11D5-BDA9-444553540000} - C:\Program Files\PICgrabber\PICGRABBER.EXE (HKCU)
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by134w.bay134.mail.live.com/mail/resources/MsnPUpld.cab
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://sigridsanders.spaces.live.com/PhotoUpload/MsnPUpld.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O18 - Filter hijack: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - C:\Program Files\RXToolBar\sfcont.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\Norman\Nvc\BIN\nipsvc.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\Norman\bin\NJEEVES.EXE
O23 - Service: Norman Type-R - Unknown owner - C:\Program Files\Norman\NPF\NPFSVICE.EXE
O23 - Service: Norman ZANDA - Unknown owner - C:\Norman\Bin\Zanda.exe
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Norman\Nvc\bin\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman Data Defense Systems - C:\Norman\Nvc\BIN\NVCSCHED.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 11234 bytes

---------- BENDEBOYS MSNFIX RAPORT ----------
- Version: 3.6.0.0
- Last Update: 31/10/07
- Scan performed on: vr 02-11-2007 - 13:17:15,40 By sigrid
- Bootmode: Normal Mode

((((((((((((((( CREATED FILES LAST MONTH )))))))))))))))

((((((((((((((( FOUND FILES )))))))))))))))
!! BEFORE FIX !!
!! AFTER FIX !!

((((((((((((((( ShellServiceObjectDelayLoad )))))))))))))))
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

---------- END OF LOG ----------
  • I'll take a look for you!
  • It is best to print out the instructions below, because you will shortly have to work in Safe Mode, where you have no internet connection available, so you will not be able to read this back.

1. Go to Start --> Control Panel --> Add or Remove Programs and remove the following there, if present:
MyWebSearch
P2P Networking
WebRebates
SurfAccuracy
180searchassistant
Media Gateway
ISTsvc
Internet Optimizer
WhenUSave
Winable
Kazaa
RXtoolbar
If one of the programs is not listed, just continue with the rest.

2. Show hidden folders and files: http://users.telenet.be/marcvn/spyware/1117602.htm

3. Start your PC in Safe Mode: http://users.telenet.be/marcvn/spyware/1378056.htm

4. Start HijackThis, choose 'Do a system scan only' and tick the lines below, if still present:
R3 - URLSearchHook: (no name) - _{00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O2 - BHO: mycpmads.com Browser Optimizer - {582FDCF0-A82E-4fc1-A6F6-0D2F36881F63} - C:\WINDOWS\system32\br_rt.dll (file missing)
O2 - BHO: RXResultTracker Class - {59879FA4-4790-461c-A1CC-4EC4DE4CA483} - C:\Program Files\RXToolBar\sfcont.dll (file missing)
O2 - BHO: ohb - {5ED7D3DE-6DBE-4516-8712-01B1B64B7057} - C:\WINDOWS\system32\SearchTool\nsb40.dll (file missing)
O2 - BHO: ohb - {5ED7D3DE-6DBE-4516-8712-436325722327} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {98BF3E25-F7C6-8940-BB20-8F8A42F97EB0} - C:\WINDOWS\system32\iuviks.dll
O2 - BHO: Related Page - {9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\system32\WinNB58.dll (file missing)
O3 - Toolbar: RX Toolbar - {25D8BACF-3DE2-4B48-AE22-D659B8D835B0} - C:\Program Files\RXToolBar\RXToolBar.dll (file missing)
O3 - Toolbar: Related Page - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\system32\WinNB58.dll (file missing)
O4 - HKLM\..\Run: [mbjvqdkxsct] C:\WINDOWS\system32\ofkgaf.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\system32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [Ytbrupuc] C:\Program Files\Cpodduz\Asbjb.exe
O4 - HKLM\..\Run: [webrebates] "C:\Program Files\WebRebates4\webrebates.exe"
O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe
O4 - HKLM\..\Run: [salm] c:\program files\180searchassistant\salm.exe
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKLM\..\Run: [Media Gateway] C:\Program Files\Media Gateway\MediaGateway.exe
O4 - HKLM\..\Run: [k2loagpv] C:\WINDOWS\system32\k2loagpv.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [KAZAA] C:\Program Files\Kazaa\kazaa.exe /SYSTRAY
O4 - HKLM\..\Run: [adstart] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\br_rt.dll" DllVerify
O4 - HKLM\..\Run: [LBTWiz.exe] C:\WINDOWS\LBTWiz.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1148.exe 61A847B5BBF72813339F30466188719AB689201522886B092CBD44BD8689220221DD3257
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKCU\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
O4 - HKCU\..\Run: [WhenUSave] "C:\Program Files\Save\Save.exe"
O4 - HKCU\..\Run: [WinAble] C:\Program Files\WinAble\winable.exe
O4 - HKCU\..\Run: [MSNCleaner] C:\DOCUME~1\sigrid\LOCALS~1\Temp\Rar$EX00.031\MSNCleaner.exe
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZNxdm119YYBE
If you did not set up the trusted zones below yourself, tick them as well:
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
Also tick the following lines:
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
O18 - Filter hijack: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - C:\Program Files\RXToolBar\sfcont.dll
Close all open windows except HijackThis and click Fix checked.

5. Delete the following folders:
C:\Program Files\MyWebSearch
C:\Program Files\RXToolBar
C:\WINDOWS\system32\SearchTool
C:\WINDOWS\system32\P2P Networking
C:\Program Files\Cpodduz
C:\Program Files\WebRebates4
C:\Program Files\SurfAccuracy
c:\program files\180searchassistant
C:\Program Files\Media Gateway
C:\Program Files\ISTsvc
C:\Program Files\Internet Optimizer
C:\Program Files\BullsEye Network
C:\Program Files\Kazaa
C:\WINDOWS\kdx
C:\Program Files\Save
C:\Program Files\WinAble

6. Delete the following files:
C:\WINDOWS\system32\ofkgaf.exe
C:\WINDOWS\system32\k2loagpv.exe
C:\WINDOWS\system32\br_rt.dll
C:\WINDOWS\LBTWiz.exe
C:\WINDOWS\mrofinu1148.exe

7. Empty your Temp folders (Note: empty the folders, do not delete them!!):
C:\Windows\Temp
C:\Documents and Settings\hp_Eigenaar\Local Settings\Temp
C:\Documents and Settings\hp_Eigenaar\Local Settings\Temporary Internet Files
C:\Documents and Settings\hp_Eigenaar\Local Settings\Temporary Internet Files\content.ie5
If the last folder is not shown, go to the Temporary Internet Files folder, type \content.ie5 after it in the address bar and press Enter.

8. Empty your Recycle Bin!

9. Restart your PC in normal mode.

10. Download Combofix (http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe) to your Desktop.
    - Double-click Combofix.exe
    - Follow the instructions, accept the disclaimer by typing "1" and confirming with "Enter".
    - While the fix is running, do NOT click in the window, as this will make your PC hang.
When the fix is complete and after the restart, the log combofix.txt will open. Post this log in your next reply together with a new HijackThis log.
Note: If your virus scanner reacts while downloading or using Combofix, you may ignore this.

Good luck!
Pim :)
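Steps 4 to 6 of the reply above are a manual triage of the HijackThis log: pick out the entries worth ticking under "Fix checked", then the files behind them that still need deleting. The Python script below is an added example (not code from this thread, from HijackThis or from any tool named in it) that applies the same reading automatically; the watchlist and the sample lines come from this thread, the heuristics (missing-target markers, unnamed BHOs, O15/O18 entries, binaries sitting directly in C:\WINDOWS, long hex arguments) are my own assumptions about what the helper was looking at.

```python
# Added example: parse the R*/O* entries of a HijackThis log and flag the ones a
# helper would tick under "Fix checked"; this is not code from HijackThis itself.
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Names the helper told the user to uninstall or delete (taken from the thread),
# matched as case-insensitive substrings of each entry.
WATCHLIST = ("MyWebSearch", "P2P Networking", "WebRebates", "SurfAccuracy",
             "180searchassistant", "Media Gateway", "ISTsvc", "Internet Optimizer",
             "WhenUSave", "WinAble", "Kazaa", "RXToolBar", "SearchTool",
             "BullsEye", "mirar", "net-nucleus")
ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d{1,2})\s+-\s+(?P<body>.+)$")
MISSING_MARKERS = ("(file missing)", "(no file)")
# Long hex token handed to an autostart, as in the thread's [runner1] entry.
HEX_ARG_RE = re.compile(r"\s[0-9A-Fa-f]{32,}\s*$")
# Binary dropped straight into %WINDIR% rather than a program or system folder.
WINDIR_BIN_RE = re.compile(r"C:\\WINDOWS\\[^\\]+\.(?:exe|dll)\b", re.IGNORECASE)
FIRST_BIN_RE = re.compile(r"^(.*?\.(?:exe|dll))", re.IGNORECASE)


@dataclass
class Finding:
    kind: str
    body: str
    reasons: List[str] = field(default_factory=list)

    @property
    def line(self) -> str:
        """The entry as HijackThis prints it, ready to tick under 'Fix checked'."""
        return f"{self.kind} - {self.body}"


def parse_entries(log_text: str):
    """Yield (kind, body) for every R*/O* line; headers and process lists are skipped."""
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            yield m.group("kind"), m.group("body")


def assess(kind: str, body: str) -> List[str]:
    """Reasons an entry deserves a second look; an empty list means it looks benign."""
    low = body.lower()
    reasons = []
    if any(m in low for m in MISSING_MARKERS):
        reasons.append("target file missing: dead hook left behind by removed adware")
    if any(w.lower() in low for w in WATCHLIST):
        reasons.append("name matches the adware/P2P uninstall list")
    if kind == "O2" and low.startswith("bho: (no name)"):
        reasons.append("browser helper object with no name")
    if kind == "R3":
        reasons.append("URL search hook")
    if kind == "O15":
        reasons.append("site added to the IE Trusted Zone")
    if kind == "O18":
        reasons.append("MIME/protocol filter hijack")
    if kind == "O4":
        if HEX_ARG_RE.search(body):
            reasons.append("autostart passes a long hex blob as its argument")
        if WINDIR_BIN_RE.search(body):
            reasons.append("autostart binary sits directly in C:\\WINDOWS")
    return reasons


def target_path(kind: str, body: str) -> Optional[str]:
    """Best-effort extraction of the .exe/.dll an entry points at (None if it names none)."""
    rest = (body.partition("] ")[2] if kind == "O4" else body.rsplit(" - ", 1)[-1]).strip()
    if rest.startswith('"'):                      # quoted path, may contain spaces
        return rest[1:].split('"', 1)[0]
    m = FIRST_BIN_RE.match(rest)                  # unquoted: cut at the first .exe/.dll
    return m.group(1) if m else None


def triage(log_text: str) -> List[Finding]:
    """Every entry with at least one reason, in log order: the 'Fix checked' list."""
    return [Finding(k, b, r) for k, b in parse_entries(log_text) if (r := assess(k, b))]


def files_to_delete(findings: List[Finding]) -> List[str]:
    """Paths behind flagged entries that still exist on disk (step 6 of the fix)."""
    out = []
    for f in findings:
        p = target_path(f.kind, f.body)
        if p and p not in out and not any(m in f.body.lower() for m in MISSING_MARKERS):
            out.append(p)
    return out


# Constructed sample: a few entries copied from the first HijackThis log in the thread.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
R3 - URLSearchHook: (no name) - _{00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {98BF3E25-F7C6-8940-BB20-8F8A42F97EB0} - C:\WINDOWS\system32\iuviks.dll
O3 - Toolbar: RX Toolbar - {25D8BACF-3DE2-4B48-AE22-D659B8D835B0} - C:\Program Files\RXToolBar\RXToolBar.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [KAZAA] C:\Program Files\Kazaa\kazaa.exe /SYSTRAY
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1148.exe 61A847B5BBF72813339F30466188719AB689201522886B092CBD44BD8689220221DD3257
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O18 - Filter hijack: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - C:\Program Files\RXToolBar\sfcont.dll
"""
```

Calling `triage(SAMPLE_LOG)` flags seven of the nine entries and leaves the Adobe BHO and the NVIDIA autostart alone; `files_to_delete` then drops the RX Toolbar DLL because its entry already says "(file missing)", which is exactly the split between steps 4 and 6 above.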
  • Thanks in advance!

ComboFix 07-11-02.3 - sigrid 2007-11-02 19:30:53.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.31.1043.18.119 [GMT 1:00]
Gestart vanuit: C:\Documents and Settings\sigrid\Bureaublad\ComboFix.exe
* Nieuw herstelpunt werd aangemaakt
.

(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\sanders\Menu Start\Programma's\Outerinfo
C:\Documents and Settings\sanders\Menu Start\Programma's\Outerinfo\Terms.lnk
C:\Documents and Settings\sanders\Menu Start\Programma's\Outerinfo\Uninstall.lnk
C:\Program Files\Common Files\Yazzle1122OinAdmin.exe
C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe
C:\Program Files\FunWebProducts
C:\Program Files\FunWebProducts\Shared\000F5EE0.dat
C:\Program Files\FunWebProducts\Shared\00FED8F7.dat
C:\Program Files\inetget2
C:\Program Files\outerinfo
C:\Program Files\outerinfo\OiUninstaller.exe
C:\Program Files\outerinfo\outerinfo.ico
C:\Program Files\outerinfo\Terms.rtf
C:\Program Files\SideFind
C:\Program Files\SideFind\sfexd001
C:\Program Files\Temporary
C:\Program Files\Temporary\wininstall.exe
C:\WINDOWS\b128.exe
C:\WINDOWS\crosof~1.net
C:\WINDOWS\crosof~1.net\dvdplay.exe
C:\WINDOWS\crosof~1.net\s?stem32\
C:\WINDOWS\system32\instsrv.exe
C:\WINDOWS\system32\scurit~1
C:\WINDOWS\system32\scurit~1\w?nspool.exe
C:\WINDOWS\system32\wnstssv32.exe

.
(((((((((((((((((((( Bestanden Gemaakt van 2007-10-02 to 2007-11-02 ))))))))))))))))))))))))))))))
.

2007-11-02 19:28 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-02 17:58 262,144 --a------ C:\Program Files\Uninstall My Web Search.dll
2007-11-02 15:45 5 --a------ C:\NPF_USER.DAT
2007-11-02 14:45 <DIR> d-------- C:\Program Files\Kruidvat
2007-11-02 13:57 <DIR> d-------- C:\Documents and Settings\sigrid\Application Data\U3
2007-11-02 13:19 <DIR> d-------- C:\Program Files\MsnCleaner
2007-11-02 13:15 <DIR> d-------- C:\Program Files\BendeBoy
2007-11-02 12:57 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-02 01:26 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2007-11-02 01:26 31,616 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
2007-11-02 01:25 <DIR> d-------- C:\Documents and Settings\Gast.SANDERS-8DD8932\Application Data\U3
2007-10-30 10:48 45,056 --a------ C:\WINDOWS\system32\ftp.exe
2007-10-30 10:48 45,056 --a--c--- C:\WINDOWS\system32\dllcache\ftp.exe
2007-10-30 10:48 17,408 --a------ C:\WINDOWS\system32\tftp.exe
2007-10-30 10:48 17,408 --a--c--- C:\WINDOWS\system32\dllcache\tftp.exe
2007-10-09 17:29 <DIR> d-------- C:\Program Files\Kruidvat - Fotoservice
2007-10-05 21:21 <DIR> d-------- C:\Documents and Settings\sanders\Application Data\Harry Potter Time-Turner

.
((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-02 18:26 --------- d-----w C:\Program Files\Harry Potter Time-Turner
2007-11-02 18:26 --------- d-----w C:\Documents and Settings\sigrid\Application Data\Harry Potter Time-Turner
2007-11-01 08:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\NPF
2007-10-31 17:28 --------- d-----w C:\Program Files\Q-Xpress Installer
2007-10-29 15:44 --------- d-----w C:\Documents and Settings\sigrid\Application Data\Canon
2007-10-26 19:19 --------- d-----w C:\Documents and Settings\sanders\Application Data\Canon
2007-09-18 19:01 --------- d-----w C:\Program Files\Google
2007-08-21 06:18 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-01-08 13:47 49 ----a-w C:\Documents and Settings\sanders\Application Data\internaldb41.dat
2007-01-08 13:47 382 ----a-w C:\Documents and Settings\sanders\Application Data\internaldb1942.dat
2007-01-06 17:17 379 ----a-w C:\Documents and Settings\sigrid\Application Data\internaldb1942.dat
2007-01-05 11:30 20,480 ----a-w C:\Documents and Settings\sanders\Application Data\internaldb4827.dat
2007-01-02 10:39 20,480 ----a-w C:\Documents and Settings\sigrid\Application Data\internaldb8082.dat
2007-01-02 10:39 151 ----a-w C:\Documents and Settings\sigrid\Application Data\internaldb9467.dat
2007-01-02 10:39 13,046 ----a-w C:\Documents and Settings\sigrid\Application Data\internaldb8051.dat
2006-12-22 15:24 6,144 ----a-w C:\Documents and Settings\sigrid\Application Data\internaldb8206.dat
2006-12-22 15:23 0 ----a-w C:\Documents and Settings\sigrid\Application Data\internaldb628.dat
2006-12-19 10:06 9,216 ----a-w C:\Documents and Settings\sanders\Application Data\internaldb8467.dat
2006-12-19 10:06 0 ----a-w C:\Documents and Settings\sanders\Application Data\internaldb6334.dat
2006-12-19 10:06 0 ----a-w C:\Documents and Settings\sanders\Application Data\internaldb5436.dat
1999-07-07 00:00:00 6 --sh--r C:\WINDOWS\@desktop@.dat

.
((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{25D8BACF-3DE2-4B48-AE22-D659B8D835B0}"= C:\Program Files\RXToolBar\RXToolBar.dll [ ]
"{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}"= C:\WINDOWS\system32\WinNB58.dll [ ]

[HKEY_CLASSES_ROOT\CLSID\{25D8BACF-3DE2-4B48-AE22-D659B8D835B0}]
[HKEY_CLASSES_ROOT\RXToolBar.TBInfo.1]
[HKEY_CLASSES_ROOT\TypeLib\{66B20295-DC57-42B6-ACDF-52D916E86464}]
[HKEY_CLASSES_ROOT\RXToolBar.TBInfo]

[HKEY_CLASSES_ROOT\CLSID\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}]
[HKEY_CLASSES_ROOT\TypeLib\{566DEDE9-9ED8-45DA-9BE6-9B2EEAB17F49}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe" [2002-03-18 13:27]
"Smapp"="C:\Program Files\Analog Devices\SoundMAX\SMTray.exe" [2002-10-11 17:26]
"DrvLsnr"="C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe" [2003-05-08 12:34]
"OpwareSE2"="C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 12:00]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe" [2004-12-06 21:31]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 18:58]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-04-01 15:16]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-03-25 10:05]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" []
"nwiz"="nwiz.exe" [2005-04-01 15:16 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-04-01 15:16]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-08-11 09:34]
"CloneCDTray"="C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" [2005-05-19 14:47]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 09:36]
"TomTomHOME.exe"="C:\Program Files\TomTom HOME\TomTomHOME.exe" [2006-10-30 14:34]
"Norman ZANDA"="C:\Norman\bin\ZLH.exe" [2006-05-31 11:22]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:03]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 17:24]
"Harry Potter Time-Turner"="C:\Program Files\Harry Potter Time-Turner\Harry Potter Time-Turner.exe" [2004-11-11 21:15]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe" []

C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-23 14:28:51]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26]
NPF Messenger.lnk - C:\Program Files\Norman\NPF\NPFMSG.EXE [2007-01-08 14:42:28]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\<°ÜZJÝYMÝlY«Q°aÆ+À¼C:]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\<°ÜZJÝYMÝlY«Q°aÆ+À¼C:\Program Files]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\<°ÜZJÝYMÝlY«Q°aÆ+À¼C:\Program Files\ISTsvc]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\<°ÜZJÝYMÝlY«Q°aÆ+À¼C:\Program Files\ISTsvc\istsvc.exe]
C:\WINDOWS\sxtkl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\<°ÜZJÝYMÝlY«Q°aüžõgFC:]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\<°ÜZJÝYMÝlY«Q°aüžõgFC:\Program Files]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\<°ÜZJÝYMÝlY«Q°aüžõgFC:\Program Files\ISTsvc]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\<°ÜZJÝYMÝlY«Q°aüžõgFC:\Program Files\ISTsvc\istsvc.exe]
C:\WINDOWS\sxtkl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\<°ÜZJÝYMÝlY«Q°aüžõñ C:]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\<°ÜZJÝYMÝlY«Q°aüžõñ C:\Program Files]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\<°ÜZJÝYMÝlY«Q°aüžõñ C:\Program Files\ISTsvc]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\<°ÜZJÝYMÝlY«Q°aüžõñ C:\Program Files\ISTsvc\istsvc.exe]
C:\WINDOWS\sxtkl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á³# L"h'þ9Óœð3rÅWC:]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á³# L"h'þ9Óœð3rÅWC:\Program Files]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á³# L"h'þ9Óœð3rÅWC:\Program Files\ISTsvc]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á³# L"h'þ9Óœð3rÅWC:\Program Files\ISTsvc\istsvc.exe]
C:\WINDOWS\sxtkl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ZESOFT"=2 (0x2)
"SAVScan"=3 (0x3)
"ISEXEng"=2 (0x2)
"iPodService"=3 (0x3)

R0 NDIS_RD;Firewall Engine Type-R2;C:\WINDOWS\system32\drivers\NDIS_RD.sys
R1 TDI_RD;Firewall Engine Type-R;\??\C:\WINDOWS\system32\drivers\tdi_rd.sys
R2 Ndiskio;Ndiskio;\??\C:\Norman\Nse\bin\NDISKIO.SYS
R3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys
S3 nvcfsr;nvcfsr;\??\C:\Norman\Nvc\bin\nvcfsr.sys
S3 nvcoafl51;nvcoafl51;\??\C:\Norman\Nvc\bin\nvcoafl51.sys
S3 nvcoaft51;nvcoaft51;\??\C:\Norman\Nvc\bin\nvcoaft51.sys
S3 nvcoarc51;nvcoarc51;\??\C:\Norman\Nvc\bin\nvcoarc51.sys
S3 nvcoas;Norman Virus Control on-access component;C:\Norman\Nvc\bin\nvcoas.exe
S3 NVCScheduler;Norman Virus Control Scheduler;C:\Norman\Nvc\BIN\NVCSCHED.EXE

*Newly Created Service* - CATCHME
.
Inhoud van de 'Gedeelde Taken' map
"2007-10-27 16:23:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-02 19:35:27
Windows 5.1.2600 Service Pack 2 NTFS

scannen van verborgen processen ...
scannen van verborgen autostart items ...
scannen van verborgen bestanden ...

**************************************************************************
.
Voltooingstijd: 2007-11-02 19:36:44
.
--- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:51:48, on 2-11-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\TomTom HOME\TomTomHOME.exe
C:\Norman\bin\ZLH.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Norman\NPF\npfmsg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.be/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.google.be/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME\TomTomHOME.exe" -s
O4 - HKLM\..\Run: [Norman ZANDA] C:\Norman\bin\ZLH.EXE /LOAD /SPLASH
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Harry Potter Time-Turner] C:\Program Files\Harry Potter Time-Turner\Harry Potter Time-Turner.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: NPF Messenger.lnk = ?
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: iWatchNow Media Center - {750A64D8-DFAA-485B-A335-F7093333FBB7} - C:\Program Files\iWatchNow, Inc.\iWatchNow Media Center\iwnvod.exe O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra button: PICgrabber - {4964E240-D53C-11D5-BDA9-444553540000} - C:\Program Files\PICgrabber\PICGRABBER.EXE (HKCU) O9 - Extra 'Tools' menuitem: PICgrabber - Movie&Image Search/Download Software - {4964E240-D53C-11D5-BDA9-444553540000} - C:\Program Files\PICgrabber\PICGRABBER.EXE (HKCU) O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by134w.bay134.mail.live.com/mail/resources/MsnPUpld.cab O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://sigridsanders.spaces.live.com/PhotoUpload/MsnPUpld.cab O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe O23 - Service: iPod Service - Apple Computer, Inc. 
- C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\Norman\Nvc\BIN\nipsvc.exe O23 - Service: Norman NJeeves - Unknown owner - C:\Norman\bin\NJEEVES.EXE O23 - Service: Norman Type-R - Unknown owner - C:\Program Files\Norman\NPF\NPFSVICE.EXE O23 - Service: Norman ZANDA - Unknown owner - C:\Norman\Bin\Zanda.exe O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Norman\Nvc\bin\nvcoas.exe O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman Data Defense Systems - C:\Norman\Nvc\BIN\NVCSCHED.EXE O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe -- End of file - 7495 bytes
  • Open Notepad, copy and paste the following (the bold text) into an empty window:

[b]
File::
C:\Program Files\Uninstall My Web Search.dll
C:\Documents and Settings\sanders\Application Data\internaldb41.dat
C:\Documents and Settings\sanders\Application Data\internaldb1942.dat
C:\Documents and Settings\sigrid\Application Data\internaldb1942.dat
C:\Documents and Settings\sanders\Application Data\internaldb4827.dat
C:\Documents and Settings\sigrid\Application Data\internaldb8082.dat
C:\Documents and Settings\sigrid\Application Data\internaldb9467.dat
C:\Documents and Settings\sigrid\Application Data\internaldb8051.dat
C:\Documents and Settings\sigrid\Application Data\internaldb8206.dat
C:\Documents and Settings\sigrid\Application Data\internaldb628.dat
C:\Documents and Settings\sanders\Application Data\internaldb8467.dat
C:\Documents and Settings\sanders\Application Data\internaldb6334.dat
C:\Documents and Settings\sanders\Application Data\internaldb5436.dat
C:\WINDOWS\@desktop@.dat
C:\WINDOWS\sxtkl.exe

Registry::
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{25D8BACF-3DE2-4B48-AE22-D659B8D835B0}"=-
"{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}"=-
[-HKEY_CLASSES_ROOT\CLSID\{25D8BACF-3DE2-4B48-AE22-D659B8D835B0}]
[-HKEY_CLASSES_ROOT\RXToolBar.TBInfo.1]
[-HKEY_CLASSES_ROOT\TypeLib\{66B20295-DC57-42B6-ACDF-52D916E86464}]
[-HKEY_CLASSES_ROOT\RXToolBar.TBInfo]
[-HKEY_CLASSES_ROOT\CLSID\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}]
[-HKEY_CLASSES_ROOT\TypeLib\{566DEDE9-9ED8-45DA-9BE6-9B2EEAB17F49}]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\<°ÜZJÝYMÝlY«Q°aÆ+À¼C:]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\<°ÜZJÝYMÝlY«Q°aÆ+À¼C:\Program Files]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\<°ÜZJÝYMÝlY«Q°aÆ+À¼C:\Program Files\ISTsvc]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\<°ÜZJÝYMÝlY«Q°aÆ+À¼C:\Program Files\ISTsvc\istsvc.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\<°ÜZJÝYMÝlY«Q°aüžõgFC:]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\<°ÜZJÝYMÝlY«Q°aüžõgFC:\Program Files]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\<°ÜZJÝYMÝlY«Q°aüžõgFC:\Program Files\ISTsvc]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\<°ÜZJÝYMÝlY«Q°aüžõgFC:\Program Files\ISTsvc\istsvc.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\<°ÜZJÝYMÝlY«Q°aüžõñC:]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\<°ÜZJÝYMÝlY«Q°aüžõñC:\Program Files]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\<°ÜZJÝYMÝlY«Q°aüžõñC:\Program Files\ISTsvc]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\<°ÜZJÝYMÝlY«Q°aüžõñC:\Program Files\ISTsvc\istsvc.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á³# L"h'þ9Óœð3rÅWC:]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á³# L"h'þ9Óœð3rÅWC:\Program Files]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á³# L"h'þ9Óœð3rÅWC:\Program Files\ISTsvc]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á³# L"h'þ9Óœð3rÅWC:\Program Files\ISTsvc\istsvc.exe]

Folder::
C:\Program Files\MsnCleaner
[/b]

Save this to your Desktop as [b]CFScript.txt[/b]. Drag [b]CFScript.txt[/b] onto [b]ComboFix.exe[/b] as shown in the example below:
[img]http://img.photobucket.com/albums/v666/sUBs/CFScript.gif[/img]
This will make [b]ComboFix[/b] restart. Reboot if you are asked to, and post the contents of [b]Combofix.txt[/b] in your next reply together with a new HijackThis log. Good luck! Pim :)
  • Thank you! :wink:

ComboFix 07-11-02.3 - sigrid 2007-11-04 11:11:46.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1043.18.119 [GMT 1:00]
Gestart vanuit: C:\Documents and Settings\sigrid\Bureaublad\ComboFix.exe
Command switches used :: C:\Documents and Settings\sigrid\Bureaublad\CFScript.txt
* Nieuw herstelpunt werd aangemaakt
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:19:46, on 4-11-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
-- End of file - 7313 bytes
  • Open Notepad, copy and paste the following (the bold text) into an empty window:

[b]
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\<°ÜZJÝYMÝlY«Q°aüžõñ C:]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\<°ÜZJÝYMÝlY«Q°aüžõñ C:\Program Files]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\<°ÜZJÝYMÝlY«Q°aüžõñ C:\Program Files\ISTsvc]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\<°ÜZJÝYMÝlY«Q°aüžõñ C:\Program Files\ISTsvc\istsvc.exe]
C:\WINDOWS\sxtkl.exe
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á³# L"h'þ9Óœð3rÅWC:]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á³# L"h'þ9Óœð3rÅWC:\Program Files]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á³# L"h'þ9Óœð3rÅWC:\Program Files\ISTsvc]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á³# L"h'þ9Óœð3rÅWC:\Program Files\ISTsvc\istsvc.exe]

Folder::
C:\Program Files\ISTsvc

File::
C:\WINDOWS\sxtkl.exe
[/b]

Save this to your Desktop as [b]CFScript.txt[/b]. Drag [b]CFScript.txt[/b] onto [b]ComboFix.exe[/b] as shown in the example below:
[img]http://img.photobucket.com/albums/v666/sUBs/CFScript.gif[/img]
This will make [b]ComboFix[/b] restart. Reboot if you are asked to, and post the contents of [b]Combofix.txt[/b] in your next reply. Good luck! Pim :)
  • ComboFix 07-11-02.3 - sigrid 2007-11-04 19:47:19.3 - NTFSx86
Gestart vanuit: C:\Documents and Settings\sigrid\Bureaublad\ComboFix.exe
Command switches used :: C:\Documents and Settings\sigrid\Bureaublad\CFScript.txt
* Nieuw herstelpunt werd aangemaakt
:)
  • Thanks to Juisterr :) Open Notepad, then copy and paste the following text into an empty window:

File::
C:\Program Files\ISTsvc
C:\Program Files\ISTsvc\istsvc.exe
C:\WINDOWS\sxtkl.exe

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\<°ÜZJÝYMÝlY«Q°aüžõñ C:]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\<°ÜZJÝYMÝlY«Q°aüžõñ C:\Program Files]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\<°ÜZJÝYMÝlY«Q°aüžõñ C:\Program Files\ISTsvc]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\<°ÜZJÝYMÝlY«Q°aüžõñ C:\Program Files\ISTsvc\istsvc.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á ³# L"h'þ9Óœð3rÅ WC:]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á ³# L"h'þ9Óœð3rÅ WC:\Program Files]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á ³# L"h'þ9Óœð3rÅ WC:\Program Files\ISTsvc]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á ³# L"h'þ9Óœð3rÅ WC:\Program Files\ISTsvc\istsvc.exe]

Save this on your Desktop as CFScript.txt. Drag CFScript.txt onto ComboFix.exe as shown in the example below:
http://img.photobucket.com/albums/v666/sUBs/CFScript.gif
This will make ComboFix restart. Reboot if you are asked to, and post the contents of Combofix.txt in your next reply together with a new HijackThis log. Pim
  • :wink: ComboFix 07-11-02.3 - sigrid 2007-11-05 20:03:23.4 - NTFSx86 Gestart vanuit: C:\Documents and Settings\sigrid\Bureaublad\ComboFix.exe Command switches used :: C:\Documents and Settings\sigrid\Bureaublad\CFScript.txt * Nieuw herstelpunt werd aangemaakt FILE:: C:\Program Files\ISTsvc C:\Program Files\ISTsvc\istsvc.exe C:\WINDOWS\sxtkl.exe . (((((((((((((((((((( Bestanden Gemaakt van 2007-10-05 to 2007-11-05 )))))))))))))))))))))))))))))) . 2007-11-02 19:28 51,200 --a------ C:\WINDOWS\NirCmd.exe 2007-11-02 15:45 5 --a------ C:\NPF_USER.DAT 2007-11-02 14:45 <DIR> d-------- C:\Program Files\Kruidvat 2007-11-02 13:57 <DIR> d-------- C:\Documents and Settings\sigrid\Application Data\U3 2007-11-02 13:15 <DIR> d-------- C:\Program Files\BendeBoy 2007-11-02 12:57 <DIR> d-------- C:\Program Files\Trend Micro 2007-11-02 01:26 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys 2007-11-02 01:26 31,616 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys 2007-11-02 01:25 <DIR> d-------- C:\Documents and Settings\Gast.SANDERS-8DD8932\Application Data\U3 2007-10-30 10:48 45,056 --a------ C:\WINDOWS\system32\ftp.exe 2007-10-30 10:48 45,056 --a--c--- C:\WINDOWS\system32\dllcache\ftp.exe 2007-10-30 10:48 17,408 --a------ C:\WINDOWS\system32\tftp.exe 2007-10-30 10:48 17,408 --a--c--- C:\WINDOWS\system32\dllcache\tftp.exe 2007-10-09 17:29 <DIR> d-------- C:\Program Files\Kruidvat - Fotoservice 2007-10-05 21:21 <DIR> d-------- C:\Documents and Settings\sanders\Application Data\Harry Potter Time-Turner . ((((((((((((((((((((((((((((((((((((((( Find3M Rapport )))))))))))))))))))))))))))))))))))))))))))))))))))) . 
2007-11-05 18:51 --------- d-----w C:\Program Files\Harry Potter Time-Turner 2007-11-05 18:51 --------- d-----w C:\Documents and Settings\sigrid\Application Data\Harry Potter Time-Turner 2007-11-01 08:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\NPF 2007-10-31 17:28 --------- d-----w C:\Program Files\Q-Xpress Installer 2007-10-29 15:44 --------- d-----w C:\Documents and Settings\sigrid\Application Data\Canon 2007-10-26 19:19 --------- d-----w C:\Documents and Settings\sanders\Application Data\Canon 2007-09-18 19:01 --------- d-----w C:\Program Files\Google 2007-08-21 06:18 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll . ((((((((((((((((((((((((((((((((((((( Reg Opstartpunten ))))))))))))))))))))))))))))))))))))))))))))))))))) . . *Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe" [2002-03-18 13:27] "Smapp"="C:\Program Files\Analog Devices\SoundMAX\SMTray.exe" [2002-10-11 17:26] "DrvLsnr"="C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe" [2003-05-08 12:34] "OpwareSE2"="C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 12:00] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe" [2004-12-06 21:31] "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 18:58] "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-04-01 15:16] "NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50] "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-03-25 10:05] "Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [] "nwiz"="nwiz.exe" [2005-04-01 15:16 C:\WINDOWS\system32\nwiz.exe] "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-04-01 15:16] "Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-08-11 09:34] 
"CloneCDTray"="C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" [2005-05-19 14:47] "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 09:36] "TomTomHOME.exe"="C:\Program Files\TomTom HOME\TomTomHOME.exe" [2006-10-30 14:34] "Norman ZANDA"="C:\Norman\bin\ZLH.exe" [2006-05-31 11:22] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:03] "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 17:24] "Harry Potter Time-Turner"="C:\Program Files\Harry Potter Time-Turner\Harry Potter Time-Turner.exe" [2004-11-11 21:15] "swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe" [] C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\ Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-23 14:28:51] Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26] NPF Messenger.lnk - C:\Program Files\Norman\NPF\NPFMSG.EXE [2007-01-08 14:42:28] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] "AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders] SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\<°ÜZJÝYMÝlY«Q°aüžõñ C:] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\<°ÜZJÝYMÝlY«Q°aüžõñ C:\Program Files] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\<°ÜZJÝYMÝlY«Q°aüžõñ C:\Program Files\ISTsvc] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\<°ÜZJÝYMÝlY«Q°aüžõñ C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\sxtkl.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á³# L"h'þ9Óœð3rÅWC:] [HKEY_LOCAL_MACHINE\software\microsoft\shared 
tools\msconfig\startupreg\Á³# L"h'þ9Óœð3rÅWC:\Program Files] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á³# L"h'þ9Óœð3rÅWC:\Program Files\ISTsvc] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á³# L"h'þ9Óœð3rÅWC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\sxtkl.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "ZESOFT"=2 (0x2) "SAVScan"=3 (0x3) "ISEXEng"=2 (0x2) "iPodService"=3 (0x3) R0 NDIS_RD;Firewall Engine Type-R2;C:\WINDOWS\system32\drivers\NDIS_RD.sys R1 TDI_RD;Firewall Engine Type-R;\??\C:\WINDOWS\system32\drivers\tdi_rd.sys R2 Ndiskio;Ndiskio;\??\C:\Norman\Nse\bin\NDISKIO.SYS R3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys S3 nvcfsr;nvcfsr;\??\C:\Norman\Nvc\bin\nvcfsr.sys S3 nvcoafl51;nvcoafl51;\??\C:\Norman\Nvc\bin\nvcoafl51.sys S3 nvcoaft51;nvcoaft51;\??\C:\Norman\Nvc\bin\nvcoaft51.sys S3 nvcoarc51;nvcoarc51;\??\C:\Norman\Nvc\bin\nvcoarc51.sys S3 nvcoas;Norman Virus Control on-access component;C:\Norman\Nvc\bin\nvcoas.exe S3 NVCScheduler;Norman Virus Control Scheduler;C:\Norman\Nvc\BIN\NVCSCHED.EXE . Inhoud van de 'Gedeelde Taken' map "2007-10-27 16:23:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job" . ************************************************************************** catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-11-05 20:07:13 Windows 5.1.2600 Service Pack 2 NTFS scannen van verborgen processen ... scannen van verborgen autostart items ... scannen van verborgen bestanden ... ************************************************************************** . Voltooingstijd: 2007-11-05 20:08:46 C:\ComboFix2.txt ... 2007-11-04 19:52 C:\ComboFix3.txt ... 2007-11-04 11:17 . 
--- E O F --- Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 20:11:06, on 5-11-2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\nvsvc32.exe C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\mqsvc.exe C:\WINDOWS\system32\mqtgsvc.exe C:\WINDOWS\system32\WgaTray.exe C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe C:\Program Files\Analog Devices\SoundMAX\SMTray.exe C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\WINDOWS\system32\RUNDLL32.EXE C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\TomTom HOME\TomTomHOME.exe C:\Norman\bin\ZLH.EXE C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe C:\Program Files\Norman\NPF\npfmsg.exe C:\WINDOWS\explorer.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.be/ R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.google.be/ R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: Windows Live Sign-in 
Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME\TomTomHOME.exe" -s O4 - HKLM\..\Run: [Norman ZANDA] C:\Norman\bin\ZLH.EXE /LOAD /SPLASH O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [Harry Potter Time-Turner] C:\Program Files\Harry Potter Time-Turner\Harry Potter Time-Turner.exe O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE 
(User 'Lokale service') O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice') O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user') O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: NPF Messenger.lnk = ? O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: iWatchNow Media Center - {750A64D8-DFAA-485B-A335-F7093333FBB7} - C:\Program Files\iWatchNow, Inc.\iWatchNow Media Center\iwnvod.exe O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra button: PICgrabber - {4964E240-D53C-11D5-BDA9-444553540000} - C:\Program Files\PICgrabber\PICGRABBER.EXE (HKCU) O9 - Extra 'Tools' menuitem: PICgrabber - Movie&Image Search/Download Software - {4964E240-D53C-11D5-BDA9-444553540000} - C:\Program Files\PICgrabber\PICGRABBER.EXE (HKCU) O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by134w.bay134.mail.live.com/mail/resources/MsnPUpld.cab O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://sigridsanders.spaces.live.com/PhotoUpload/MsnPUpld.cab O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - 
http://fdl.msn.com/zone/datafiles/heartbeat.cab O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\Norman\Nvc\BIN\nipsvc.exe O23 - Service: Norman NJeeves - Unknown owner - C:\Norman\bin\NJEEVES.EXE O23 - Service: Norman Type-R - Unknown owner - C:\Program Files\Norman\NPF\NPFSVICE.EXE O23 - Service: Norman ZANDA - Unknown owner - C:\Norman\Bin\Zanda.exe O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Norman\Nvc\bin\nvcoas.exe O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman Data Defense Systems - C:\Norman\Nvc\BIN\NVCSCHED.EXE O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe -- End of file - 7227 bytes
  • Hmm, they really don't want to leave :cry: Could you go to Start --> Run --> msconfig, tick everything, and then post a new HijackThis log plus a ComboFix log.
  • Everything was already ticked... any other ideas? :(
ComboFix 07-11-02.3 - sigrid 2007-11-06 19:49:43.5 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1252.1.1043.18.125 [GMT 1:00] Gestart vanuit: C:\Documents and Settings\sigrid\Bureaublad\ComboFix.exe . (((((((((((((((((((( Bestanden Gemaakt van 2007-10-06 to 2007-11-06 )))))))))))))))))))))))))))))) . 2007-11-06 17:21 5 --a------ C:\NPF_USER.DAT 2007-11-02 19:28 51,200 --a------ C:\WINDOWS\NirCmd.exe 2007-11-02 14:45 <DIR> d-------- C:\Program Files\Kruidvat 2007-11-02 13:57 <DIR> d-------- C:\Documents and Settings\sigrid\Application Data\U3 2007-11-02 13:15 <DIR> d-------- C:\Program Files\BendeBoy 2007-11-02 12:57 <DIR> d-------- C:\Program Files\Trend Micro 2007-11-02 01:26 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys 2007-11-02 01:26 31,616 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys 2007-11-02 01:25 <DIR> d-------- C:\Documents and Settings\Gast.SANDERS-8DD8932\Application Data\U3 2007-10-30 10:48 45,056 --a------ C:\WINDOWS\system32\ftp.exe 2007-10-30 10:48 45,056 --a--c--- C:\WINDOWS\system32\dllcache\ftp.exe 2007-10-30 10:48 17,408 --a------ C:\WINDOWS\system32\tftp.exe 2007-10-30 10:48 17,408 --a--c--- C:\WINDOWS\system32\dllcache\tftp.exe 2007-10-09 17:29 <DIR> d-------- C:\Program Files\Kruidvat - Fotoservice . ((((((((((((((((((((((((((((((((((((((( Find3M Rapport )))))))))))))))))))))))))))))))))))))))))))))))))))) . 
2007-11-06 18:44 --------- d-----w C:\Program Files\Harry Potter Time-Turner 2007-11-06 18:44 --------- d-----w C:\Documents and Settings\sigrid\Application Data\Harry Potter Time-Turner 2007-11-06 17:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\NPF 2007-10-31 17:28 --------- d-----w C:\Program Files\Q-Xpress Installer 2007-10-29 15:44 --------- d-----w C:\Documents and Settings\sigrid\Application Data\Canon 2007-10-26 19:19 --------- d-----w C:\Documents and Settings\sanders\Application Data\Canon 2007-10-05 20:21 --------- d-----w C:\Documents and Settings\sanders\Application Data\Harry Potter Time-Turner 2007-09-18 19:01 --------- d-----w C:\Program Files\Google 2007-08-21 06:18 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll . ((((((((((((((((((((((((((((((((((((( Reg Opstartpunten ))))))))))))))))))))))))))))))))))))))))))))))))))) . . *Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe" [2002-03-18 13:27] "Smapp"="C:\Program Files\Analog Devices\SoundMAX\SMTray.exe" [2002-10-11 17:26] "DrvLsnr"="C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe" [2003-05-08 12:34] "OpwareSE2"="C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 12:00] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe" [2004-12-06 21:31] "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 18:58] "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-04-01 15:16] "NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50] "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-03-25 10:05] "Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [] "nwiz"="nwiz.exe" [2005-04-01 15:16 C:\WINDOWS\system32\nwiz.exe] "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-04-01 15:16] "Google Desktop 
Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-08-11 09:34] "CloneCDTray"="C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" [2005-05-19 14:47] "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 09:36] "TomTomHOME.exe"="C:\Program Files\TomTom HOME\TomTomHOME.exe" [2006-10-30 14:34] "Norman ZANDA"="C:\Norman\bin\ZLH.exe" [2006-05-31 11:22] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:03] "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 17:24] "Harry Potter Time-Turner"="C:\Program Files\Harry Potter Time-Turner\Harry Potter Time-Turner.exe" [2004-11-11 21:15] "swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe" [] C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\ Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-23 14:28:51] Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26] NPF Messenger.lnk - C:\Program Files\Norman\NPF\NPFMSG.EXE [2007-01-08 14:42:28] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] "AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders] SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\<°ÜZJÝYMÝlY«Q°aüžõñ C:] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\<°ÜZJÝYMÝlY«Q°aüžõñ C:\Program Files] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\<°ÜZJÝYMÝlY«Q°aüžõñ C:\Program Files\ISTsvc] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\<°ÜZJÝYMÝlY«Q°aüžõñ C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\sxtkl.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared 
tools\msconfig\startupreg\Á³# L"h'þ9Óœð3rÅWC:] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á³# L"h'þ9Óœð3rÅWC:\Program Files] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á³# L"h'þ9Óœð3rÅWC:\Program Files\ISTsvc] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Á³# L"h'þ9Óœð3rÅWC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\sxtkl.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "ZESOFT"=2 (0x2) "SAVScan"=3 (0x3) "ISEXEng"=2 (0x2) "iPodService"=3 (0x3) R0 NDIS_RD;Firewall Engine Type-R2;C:\WINDOWS\system32\drivers\NDIS_RD.sys R1 TDI_RD;Firewall Engine Type-R;\??\C:\WINDOWS\system32\drivers\tdi_rd.sys R2 Ndiskio;Ndiskio;\??\C:\Norman\Nse\bin\NDISKIO.SYS R3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys S3 nvcfsr;nvcfsr;\??\C:\Norman\Nvc\bin\nvcfsr.sys S3 nvcoafl51;nvcoafl51;\??\C:\Norman\Nvc\bin\nvcoafl51.sys S3 nvcoaft51;nvcoaft51;\??\C:\Norman\Nvc\bin\nvcoaft51.sys S3 nvcoarc51;nvcoarc51;\??\C:\Norman\Nvc\bin\nvcoarc51.sys S3 nvcoas;Norman Virus Control on-access component;C:\Norman\Nvc\bin\nvcoas.exe S3 NVCScheduler;Norman Virus Control Scheduler;C:\Norman\Nvc\BIN\NVCSCHED.EXE . Inhoud van de 'Gedeelde Taken' map "2007-10-27 16:23:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job" . ************************************************************************** catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-11-06 19:53:43 Windows 5.1.2600 Service Pack 2 NTFS scannen van verborgen processen ... scannen van verborgen autostart items ... scannen van verborgen bestanden ... ************************************************************************** . Voltooingstijd: 2007-11-06 19:55:09 C:\ComboFix2.txt ... 2007-11-05 20:08 . 
--- E O F --- Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 19:56:08, on 6-11-2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\nvsvc32.exe C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\mqsvc.exe C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe C:\Program Files\Analog Devices\SoundMAX\SMTray.exe C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\WINDOWS\system32\RUNDLL32.EXE C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\TomTom HOME\TomTomHOME.exe C:\Norman\bin\ZLH.EXE C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe C:\WINDOWS\system32\mqtgsvc.exe C:\WINDOWS\system32\WgaTray.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Norman\NPF\npfmsg.exe C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\explorer.exe C:\WINDOWS\system32\notepad.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.be/ R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.google.be/ R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen O2 - BHO: Adobe PDF Reader Link Helper 
- {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME\TomTomHOME.exe" -s O4 - HKLM\..\Run: [Norman ZANDA] C:\Norman\bin\ZLH.EXE /LOAD /SPLASH O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [Harry Potter Time-Turner] C:\Program Files\Harry Potter Time-Turner\Harry Potter Time-Turner.exe O4 - HKCU\..\Run: [swg] C:\Program 
Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service') O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice') O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user') O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: NPF Messenger.lnk = ? O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: iWatchNow Media Center - {750A64D8-DFAA-485B-A335-F7093333FBB7} - C:\Program Files\iWatchNow, Inc.\iWatchNow Media Center\iwnvod.exe O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra button: PICgrabber - {4964E240-D53C-11D5-BDA9-444553540000} - C:\Program Files\PICgrabber\PICGRABBER.EXE (HKCU) O9 - Extra 'Tools' menuitem: PICgrabber - Movie&Image Search/Download Software - {4964E240-D53C-11D5-BDA9-444553540000} - C:\Program Files\PICgrabber\PICGRABBER.EXE (HKCU) O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by134w.bay134.mail.live.com/mail/resources/MsnPUpld.cab O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://sigridsanders.spaces.live.com/PhotoUpload/MsnPUpld.cab O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - 
http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\Norman\Nvc\BIN\nipsvc.exe O23 - Service: Norman NJeeves - Unknown owner - C:\Norman\bin\NJEEVES.EXE O23 - Service: Norman Type-R - Unknown owner - C:\Program Files\Norman\NPF\NPFSVICE.EXE O23 - Service: Norman ZANDA - Unknown owner - C:\Norman\Bin\Zanda.exe O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Norman\Nvc\bin\nvcoas.exe O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman Data Defense Systems - C:\Norman\Nvc\BIN\NVCSCHED.EXE O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe -- End of file - 7364 bytes
  • Thanks to Smeenk,
1) Open a Notepad file.
2) Copy the code below into this Notepad file.
3) Go to File - Save As.
- Under "Save in" choose: Desktop
- Under "File name" enter: fix.reg
- Under "Save as type" select: All Files (*.*).
- Click the Save button.

[code]
REGEDIT4

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
[/code]

4) Double-click the fix.reg file and allow the changes to be added to the registry.
Post a new ComboFix log so we can check :)
Pim
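An added example, not code from the thread or from any of the tools it mentions: a Python dry-run for a REGEDIT4 .reg file that lists the operations the file would perform without touching a registry. Run over the fix.reg posted above it shows the net effect, which is that the msconfig startupreg key is deleted and then recreated empty. It assumes simple one-line values; multi-line hex continuations are not handled.

```python
# Added example, not from the thread: dry-run a REGEDIT4 .reg file and list what it would do.
from typing import Dict, List, Tuple

Op = Tuple[str, str, str, str]  # (action, key, value_name, value)

# Constructed sample: the fix.reg posted above, verbatim.
FIX_REG = r"""REGEDIT4

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
"""

HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")

def plan_reg_import(text: str) -> List[Op]:
    """List the operations in file order; reads text only and touches no registry."""
    lines = text.splitlines()
    if not lines or lines[0].strip() not in HEADERS:
        raise ValueError("missing REGEDIT4 / 'Windows Registry Editor Version 5.00' header")
    plan: List[Op] = []
    key = None
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                                  # blank line or comment
        if line.startswith("[-") and line.endswith("]"):
            plan.append(("delete_key", line[2:-1], "", ""))  # "[-Key]" removes the whole subtree
            key = None                                # values cannot follow a deletion
        elif line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            plan.append(("create_key", key, "", ""))  # created if absent, otherwise left in place
        elif key is not None and "=" in line:
            name, _, value = line.partition("=")
            name = "@" if name == "@" else name.strip('"')  # "@" is the key's default value
            if value == "-":                          # "Name"=- deletes that single value
                plan.append(("delete_value", key, name, ""))
            else:
                plan.append(("set_value", key, name, value))
    return plan

def net_effect(plan: List[Op]) -> Dict[str, str]:
    """Per key: 'deleted', 'created/updated', or 'emptied' (deleted and then recreated)."""
    effect: Dict[str, str] = {}
    for action, key, _name, _value in plan:
        k = key.lower()                               # registry key names are case-insensitive
        if action == "delete_key":
            effect[k] = "deleted"
        elif action == "create_key":
            effect[k] = "emptied" if effect.get(k) == "deleted" else "created/updated"
    return effect
```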
  • ComboFix 07-11-02.3 - sigrid 2007-11-07 15:23:19.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1043.18.105 [GMT 1:00]
Gestart vanuit: C:\Documents and Settings\sigrid\Bureaublad\ComboFix.exe
.
(((((((((((((((((((( Bestanden Gemaakt van 2007-10-07 to 2007-11-07 ))))))))))))))))))))))))))))))
.
2007-11-06 17:21 5 --a------ C:\NPF_USER.DAT
2007-11-02 19:28 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-02 14:45 <DIR> d-------- C:\Program Files\Kruidvat
2007-11-02 13:57 <DIR> d-------- C:\Documents and Settings\sigrid\Application Data\U3
2007-11-02 13:15 <DIR> d-------- C:\Program Files\BendeBoy
2007-11-02 12:57 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-02 01:26 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2007-11-02 01:26 31,616 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
2007-11-02 01:25 <DIR> d-------- C:\Documents and Settings\Gast.SANDERS-8DD8932\Application Data\U3
2007-10-30 10:48 45,056 --a------ C:\WINDOWS\system32\ftp.exe
2007-10-30 10:48 45,056 --a--c--- C:\WINDOWS\system32\dllcache\ftp.exe
2007-10-30 10:48 17,408 --a------ C:\WINDOWS\system32\tftp.exe
2007-10-30 10:48 17,408 --a--c--- C:\WINDOWS\system32\dllcache\tftp.exe
2007-10-09 17:29 <DIR> d-------- C:\Program Files\Kruidvat - Fotoservice
.
((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-07 14:06 --------- d-----w C:\Program Files\Harry Potter Time-Turner
2007-11-07 14:06 --------- d-----w C:\Documents and Settings\sigrid\Application Data\Harry Potter Time-Turner
2007-11-06 17:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\NPF
2007-10-31 17:28 --------- d-----w C:\Program Files\Q-Xpress Installer
2007-10-29 15:44 --------- d-----w C:\Documents and Settings\sigrid\Application Data\Canon
2007-10-26 19:19 --------- d-----w C:\Documents and Settings\sanders\Application Data\Canon
2007-10-05 20:21 --------- d-----w C:\Documents and Settings\sanders\Application Data\Harry Potter Time-Turner
2007-09-18 19:01 --------- d-----w C:\Program Files\Google
2007-08-21 06:18 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
.
((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe" [2002-03-18 13:27]
"Smapp"="C:\Program Files\Analog Devices\SoundMAX\SMTray.exe" [2002-10-11 17:26]
"DrvLsnr"="C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe" [2003-05-08 12:34]
"OpwareSE2"="C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 12:00]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe" [2004-12-06 21:31]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 18:58]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-04-01 15:16]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-03-25 10:05]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" []
"nwiz"="nwiz.exe" [2005-04-01 15:16 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-04-01 15:16]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-08-11 09:34]
"CloneCDTray"="C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" [2005-05-19 14:47]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 09:36]
"TomTomHOME.exe"="C:\Program Files\TomTom HOME\TomTomHOME.exe" [2006-10-30 14:34]
"Norman ZANDA"="C:\Norman\bin\ZLH.exe" [2006-05-31 11:22]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:03]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 17:24]
"Harry Potter Time-Turner"="C:\Program Files\Harry Potter Time-Turner\Harry Potter Time-Turner.exe" [2004-11-11 21:15]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe" []

C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-23 14:28:51]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26]
NPF Messenger.lnk - C:\Program Files\Norman\NPF\NPFMSG.EXE [2007-01-08 14:42:28]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ZESOFT"=2 (0x2)
"SAVScan"=3 (0x3)
"ISEXEng"=2 (0x2)
"iPodService"=3 (0x3)

R0 NDIS_RD;Firewall Engine Type-R2;C:\WINDOWS\system32\drivers\NDIS_RD.sys
R1 TDI_RD;Firewall Engine Type-R;\??\C:\WINDOWS\system32\drivers\tdi_rd.sys
R2 Ndiskio;Ndiskio;\??\C:\Norman\Nse\bin\NDISKIO.SYS
R3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys
S3 nvcfsr;nvcfsr;\??\C:\Norman\Nvc\bin\nvcfsr.sys
S3 nvcoafl51;nvcoafl51;\??\C:\Norman\Nvc\bin\nvcoafl51.sys
S3 nvcoaft51;nvcoaft51;\??\C:\Norman\Nvc\bin\nvcoaft51.sys
S3 nvcoarc51;nvcoarc51;\??\C:\Norman\Nvc\bin\nvcoarc51.sys
S3 nvcoas;Norman Virus Control on-access component;C:\Norman\Nvc\bin\nvcoas.exe
S3 NVCScheduler;Norman Virus Control Scheduler;C:\Norman\Nvc\BIN\NVCSCHED.EXE
.
Inhoud van de 'Gedeelde Taken' map
"2007-10-27 16:23:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
.
**************************************************************************
catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-07 15:27:04
Windows 5.1.2600 Service Pack 2 NTFS
scannen van verborgen processen ...
scannen van verborgen autostart items ...
scannen van verborgen bestanden ...
**************************************************************************
.
Voltooingstijd: 2007-11-07 15:28:35
C:\ComboFix2.txt ... 2007-11-06 19:55
C:\ComboFix3.txt ... 2007-11-05 20:08
.
--- E O F ---
:wink:
  • Finally got there :D

Download ATF Cleaner (from Atribune): http://www.atribune.org/ccount/click.php?id=1
Double-click ATF Cleaner to start the program.
On the "Main" tab, tick Select All.
Untick Prefetch.
Click the Empty Selected button.

If you also use Firefox as a browser:
Click the "Firefox" tab and tick Select All.
If you want to keep the passwords saved by Firefox, click "No" in the window that appears (this unticks "Firefox saved passwords").
Click the Empty Selected button.

If you also use Opera as a browser:
Click the "Opera" tab and tick Select All.
If you want to keep the passwords saved by Opera, click "No" in the window that appears.
Click the Empty Selected button.

Go to the "Main" tab and click the Exit button to close the program.

Download Dr.Web CureIt to your Desktop: ftp://ftp.drweb.com/pub/drweb/cureit/cureit.exe
- Double-click drweb-cureit.exe and allow it to start the express scan. If a pop-up appears offering a purchase/50% discount, you may close it with the cross. This scans the files currently loaded in memory; if something is found, click the Yes to all button when asked 'cure it?'. This is only a short scan.
- In the menu at the top choose Language and change it to Dutch (Nederlands) if it is set differently on your machine.
- Press F9, then choose Actions and set the following under Malware:
  - Adware: Move
  - Dialers: Move
  - Jokes: Report
  - Riskware: Report
  - Hacktools: Move
  Then untick "Prompt on action".
  Then press OK.
- Press F9, then choose Scan, untick Heuristic analysis and click OK.
- Once the short scan has finished, you can select the drives you want scanned (Select drives). Select all drives here. A red dot will then appear on the drives you are having scanned. Then click the green arrow on the right to start the scan.
- Files that are found are moved to the quarantine folder under "%userprofile%\DoctorWeb" if repair is not possible.
- After the scan has finished, click File in the menu at the top and choose Save report list. Save it to your Desktop.
- Then close Dr.Web CureIt.
- Restart your computer!! This is an important step, because Dr.Web CureIt may move/delete files during the restart.
- After restarting, copy and paste the contents of the log you saved earlier into your next post.

Pim
  • 'Press F9, then choose Scan, untick Heuristic analysis and click OK.' I'm a bit stuck here. After pressing OK nothing happens; the short scan does not start. Consequently I cannot carry out the next steps.
  • Hmm, I just had a look myself and it doesn't work for me either; probably an update or something like that has come out :oops: Use this tool for now:

Download and install AVG Anti-Spyware: http://www.ewido.net/en/download/
- After installation, open AVG Anti-Spyware:
  * under "Status", click Change state next to "Resident shield". (change from active to inactive!)
  * under "Update", click the Start update button.
  * under "Scanner", tab "Settings":
    - under "How to act?", click "Recommended actions" and select Quarantine. (VERY IMPORTANT!)
  * under "Reports", select Automatically generate report after every scan and untick Only if threats were found
- Close AVG Anti-Spyware. Do not let it scan yet.

Boot into safe mode: http://www.hijackthis.nl/veiligemodus.html

Start AVG Anti-Spyware.
- Click Scan and choose Complete System Scan.
- After the scan, follow the instructions below:
  IMPORTANT: Do not click the "Save Scan Report" button before you have clicked the "Apply all Actions" button!
  * Make sure Set all elements to: is set to Quarantine (1); if not, click the link and choose Quarantine from the pop-up menu. (2) (This does not apply to cookies, which are always deleted!)
  * At the bottom of the window, click the Apply all Actions button. (3)
  (screenshot: http://home.scarlet.be/~topalex/ewidoscan.jpg)
  * When you get the message 'All actions have been applied', click the Save Report button at the bottom.
  * In the menu at the top, click Reports. Copy the scan report and paste it here in your next message.

Can you also give an update on your problems?
Pim
  • Everything worked, except that I did not have the option to save the report. I spent a long time on MSN today and no problems occurred. :D
  • OK, then we'll assume the problems are over :)

Remove ComboFix: go to Start --> Run and type: Combofix /U
Click OK to confirm.

Also do this: disable System Restore, restart your computer and enable System Restore again: http://users.telenet.be/marcvn/spyware/1852808.htm
This removes any remnants of the infection from your System Restore points.

Also read through these security tips: http://users.telenet.be/marcvn/spyware/1564073.htm
Pim :)
  • Done! There still haven't been any more problems! :D Thanks Pim and everyone else!

This is an archived page. Replying is no longer possible.