Question & Answer

Security & privacy

Constantly returning Trojan Horse

28 replies
  • For some time now I have been getting, almost daily, a notification that a Trojan Horse has been found, but even though I remove it or put it in quarantine with AVG, it keeps coming back, sometimes in a different form (e.g. UE instead of QU). When I try to open the folder in question, I get a message that I do not have access to it. Does anyone have an idea how to get rid of it?

    Details:
    2008/01/02 00:42:19 SYSTEM Virus @HL_ReportFindRS C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP1010\A0153876.exe
    2008/01/02 00:42:19 SYSTEM Virus @HL_ReportFindRS @EID_Id_trj
    2008/01/02 00:42:19 SYSTEM Virus @HL_ReportFindRS BackDoor.Bifrose.QU
    2008/01/02 01:42:19 SYSTEM Virus @HL_ReportFindRS C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP1010\A0153876.exe
    2008/01/02 01:42:19 SYSTEM Virus @HL_ReportFindRS @EID_Id_trj
    2008/01/02 01:42:19 SYSTEM Virus @HL_ReportFindRS BackDoor.Bifrose.QU

    HijackThis logfile
    Logfile of Trend Micro HijackThis v2.0.0 (BETA)
    Scan saved at 2:17:18, on 2-1-2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\HP\KBD\KBD.EXE
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Windows Media Player\WMPNSCFG.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Program Files\MSN Messenger\usnsvc.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\HP_Eigenaar\Mijn documenten\HiJackThis_v2.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs
    dr?TYPE=3&tp=iesearch&locale=NL_NL&c=Q105&bd=pavilion&pf=desktop
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs
    dr?TYPE=3&tp=iesearch&locale=NL_NL&c=Q105&bd=pavilion&pf=desktop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.nl/0SENLNL/SAOS01?FORM=TOOLBR
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Helperobject voor Encarta Winkler Prins Webassistent - {955BE0B8-BC85-4CAF-856E-8E0D8B610560} - C:\Program Files\Common Files\Microsoft Shared\Encarta Web Companion\ENCWCBAR.DLL
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
    O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
    O3 - Toolbar: Encarta Winkler Prins Webassistent - {147D6308-0614-4112-89B1-31402F9B82C4} - C:\Program Files\Common Files\Microsoft Shared\Encarta Web Companion\ENCWCBAR.DLL
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Lokale service')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
    O9 - Extra button: Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute\vrie.dll
    O9 - Extra 'Tools' menuitem: VisualRoute Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute\vrie.dll
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
    O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
    O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O15 - Trusted Zone: http://toolbar.imageshack.us
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120179775847
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1138299821260
    O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://cache.hyvz.com/statics/Aurigma/ImageUploader4.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O22 - SharedTaskScheduler: Preloader van browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Cache-daemon voor onderdeelcategorieën - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


    End of file - 8194 bytes
  • No idea how it happened, but this one is a duplicate.
  • [quote="Stefan NL"]No idea how it happened, but this one is a duplicate.[/quote]
    Not any more… :wink:
  • You are using an outdated version of HijackThis; download this version and use
    it from now on: http://nucia.nl/forum/showthread.php?t=28820

    Download Combofix to your desktop

    If you have used Combofix before, please delete that version and download Combofix again via the link above, because Combofix is updated daily.

    NOTE: if you get a warning from your antivirus or another real-time scanner during or after downloading Combofix, or while running Combofix, disable that scanner and download Combofix again. Some scanners regard certain components that Combofix uses as suspicious and will block or delete them!

    Double-click combofix.exe
    Choose "Continue" by typing 1 followed by ENTER.
    While the fix is running, do NOT click in the window, because this will make your PC hang.

    When the fix has completed and after the restart, the log combofix.txt will open.
    Post the Combofix log (combofix.txt) in your next reply together with a fresh HijackThis log.

    Good luck!
    Pim
  • HijackThis logfile:
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 13:13:34, on 2-1-2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16574)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\HP\KBD\KBD.EXE
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Windows Media Player\WMPNSCFG.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Program Files\MSN Messenger\usnsvc.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs
    dr?TYPE=3&tp=iesearch&locale=NL_NL&c=Q105&bd=pavilion&pf=desktop
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs
    dr?TYPE=3&tp=iesearch&locale=NL_NL&c=Q105&bd=pavilion&pf=desktop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.nl/0SENLNL/SAOS01?FORM=TOOLBR
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Helperobject voor Encarta Winkler Prins Webassistent - {955BE0B8-BC85-4CAF-856E-8E0D8B610560} - C:\Program Files\Common Files\Microsoft Shared\Encarta Web Companion\ENCWCBAR.DLL
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
    O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
    O3 - Toolbar: Encarta Winkler Prins Webassistent - {147D6308-0614-4112-89B1-31402F9B82C4} - C:\Program Files\Common Files\Microsoft Shared\Encarta Web Companion\ENCWCBAR.DLL
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Lokale service')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
    O9 - Extra button: Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute\vrie.dll
    O9 - Extra 'Tools' menuitem: VisualRoute Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute\vrie.dll
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
    O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
    O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O15 - Trusted Zone: http://toolbar.imageshack.us
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120179775847
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1138299821260
    O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://cache.hyvz.com/statics/Aurigma/ImageUploader4.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


    End of file - 7968 bytes


    Combofix log:
    ComboFix 07-12-31.4 - HP_Eigenaar 2008-01-02 13:18:25.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1043.18.1291 [GMT 1:00]
    Gestart vanuit: C:\Documents and Settings\HP_Eigenaar\Mijn documenten\combofix.exe
    * Nieuw herstelpunt werd aangemaakt
    .

    (((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\system32\drivers\services.exe
    C:\WINDOWS\system32\setup.exe.tmp
    D:\Autorun.inf

    .
    (((((((((((((((((((( Bestanden Gemaakt van 2007-12-02 to 2008-01-02 ))))))))))))))))))))))))))))))
    .

    2008-01-02 13:17 . 2000-08-31 08:00 51,200 –a—— C:\WINDOWS\NirCmd.exe
    2008-01-02 13:13 . 2008-01-02 13:13 <DIR> d——– C:\Program Files\Trend Micro

    .
    ((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-01-02 00:49 ——— d—–w C:\Documents and Settings\HP_Eigenaar\Application Data\AVG7
    2007-12-17 23:38 ——— d—–w C:\Program Files\Total Video Converter
    2007-12-17 22:17 ——— d—–w C:\Documents and Settings\All Users\Application Data\Avg7
    2007-12-12 21:35 ——— d—–w C:\Program Files\SpeedFan
    2007-12-12 19:09 ——— d—–w C:\Documents and Settings\HP_Eigenaar\Application Data\uTorrent
    2007-12-10 01:33 ——— d—–w C:\Program Files\Common Files\Real
    2007-12-10 01:16 14,461,471 —-a-w C:\WINDOWS\Internet Logs\tvDebug.zip
    2007-12-05 17:33 ——— d—–w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2007-11-16 19:13 ——— d—–w C:\Program Files\Common Files\Wise Installation Wizard
    2007-11-14 15:05 1,086,952 —-a-w C:\WINDOWS\system32\zpeng24.dll
    2007-11-13 10:25 20,480 —-a-w C:\WINDOWS\system32\drivers\secdrv.sys
    2007-10-30 23:27 3,590,656 —-a-w C:\WINDOWS\system32\dllcache\mshtml.dll
    2007-10-29 22:45 1,291,776 —-a-w C:\WINDOWS\system32\quartz.dll
    2007-10-29 22:45 1,291,776 —-a-w C:\WINDOWS\system32\dllcache\quartz.dll
    2007-10-25 16:44 8,507,392 —-a-w C:\WINDOWS\system32\dllcache\shell32.dll
    2007-10-25 08:28 222,720 —-a-w C:\WINDOWS\system32\wmasf.dll
    2007-10-25 08:28 222,720 —-a-w C:\WINDOWS\system32\dllcache\wmasf.dll
    2007-10-10 23:54 824,832 —-a-w C:\WINDOWS\system32\dllcache\wininet.dll
    2007-10-10 23:53 671,232 —-a-w C:\WINDOWS\system32\dllcache\mstime.dll
    2007-10-10 23:53 63,488 ——w C:\WINDOWS\system32\dllcache\icardie.dll
    2007-10-10 23:53 6,065,664 ——w C:\WINDOWS\system32\dllcache\ieframe.dll
    2007-10-10 23:53 52,224 ——w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
    2007-10-10 23:53 478,208 —-a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
    2007-10-10 23:53 459,264 ——w C:\WINDOWS\system32\dllcache\msfeeds.dll
    2007-10-10 23:53 44,544 —-a-w C:\WINDOWS\system32\dllcache\iernonce.dll
    2007-10-10 23:53 384,512 —-a-w C:\WINDOWS\system32\dllcache\iedkcs32.dll
    2007-10-10 23:53 383,488 ——w C:\WINDOWS\system32\dllcache\ieapfltr.dll
    2007-10-10 23:53 27,648 —-a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
    2007-10-10 23:53 267,776 ——w C:\WINDOWS\system32\dllcache\iertutil.dll
    2007-10-10 23:53 232,960 —-a-w C:\WINDOWS\system32\dllcache\webcheck.dll
    2007-10-10 23:53 230,400 —-a-w C:\WINDOWS\system32\dllcache\ieaksie.dll
    2007-10-10 23:53 214,528 —-a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
    2007-10-10 23:53 193,024 —-a-w C:\WINDOWS\system32\dllcache\msrating.dll
    2007-10-10 23:53 153,088 —-a-w C:\WINDOWS\system32\dllcache\ieakeng.dll
    2007-10-10 23:53 132,608 —-a-w C:\WINDOWS\system32\dllcache\extmgr.dll
    2007-10-10 23:53 124,928 —-a-w C:\WINDOWS\system32\dllcache\advpack.dll
    2007-10-10 23:53 105,984 —-a-w C:\WINDOWS\system32\dllcache\url.dll
    2007-10-10 23:53 102,400 —-a-w C:\WINDOWS\system32\dllcache\occache.dll
    2007-10-10 23:53 1,159,680 —-a-w C:\WINDOWS\system32\dllcache\urlmon.dll
    2007-10-10 11:02 70,656 —-a-w C:\WINDOWS\system32\dllcache\ie4uinit.exe
    2007-10-10 11:02 625,152 —-a-w C:\WINDOWS\system32\dllcache\iexplore.exe
    2007-10-10 10:59 13,824 ——w C:\WINDOWS\system32\dllcache\ieudinit.exe
    2007-10-10 05:46 161,792 —-a-w C:\WINDOWS\system32\dllcache\ieakui.dll
    2007-04-07 23:13 20,981,755 —-a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_04_05_18_17_22_full.dmp.zip
    2006-11-17 02:06 131 —-a-w C:\Documents and Settings\HP_Eigenaar\ecdelete.bat
    2005-05-24 16:41 123,472 —-a-w C:\Documents and Settings\HP_Eigenaar\Application Data\GDIPFONTCACHEV1.DAT
    2005-05-18 19:55 0 —-a-w C:\Documents and Settings\HP_Eigenaar\Application Data\wklnhst.dat
    2005-07-15 20:28 22 –sha-w C:\WINDOWS\SMINST\HPCD.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    REGEDIT4
    *Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00 15360]
    "WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 22:53 204288]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "KBD"="C:\HP\KBD\KBD.EXE" [2003-02-11 20:02 61440]
    "PS2"="C:\WINDOWS\system32\ps2.exe" [2004-10-25 22:17 90112]
    "ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-11-04 04:10 344064]
    "BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 13:00 110592 C:\WINDOWS\system32\bthprops.cpl]
    "AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-20 22:40 579072]
    "Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2006-05-10 17:48 94208 C:\WINDOWS\KHALMNPR.Exe]
    "ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05 919016]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-25 21:40 219136]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "MaxRecentDocs"= 21 (0x15)

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^Adobe Gamma Loader.lnk]
    path=C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\Adobe Gamma Loader.lnk
    backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^Adobe Reader Snelle start.lnk]
    path=C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\Adobe Reader Snelle start.lnk
    backup=C:\WINDOWS\pss\Adobe Reader Snelle start.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^HP Digital Imaging Monitor.lnk]
    path=C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\HP Digital Imaging Monitor.lnk
    backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^Microsoft Office.lnk]
    path=C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\Microsoft Office.lnk
    backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^HP_Eigenaar^Menu Start^Programma's^Opstarten^Adobe Gamma.lnk]
    path=C:\Documents and Settings\HP_Eigenaar\Menu Start\Programma's\Opstarten\Adobe Gamma.lnk
    backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
    C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
    ALCXMNTR.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Anonymizer]
    C:\Program Files\Anonymizer\Anonymizer Software\Anonymizer.exe -nogui

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD06]
    2004-06-07 19:53 49152 –a—— c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
    C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe -start

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    C:\Program Files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
    C:\WINDOWS\system32\dumprep 0 -k

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LSBWatcher]
    2004-10-14 22:54 253952 –a—— c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    2006-01-12 15:40 155648 –a—— C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    C:\Program Files\QuickTime\qttask.exe -atboottime

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
    C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe /startoptions

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
    C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_8 -reboot 1

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Media Connect 2]
    C:\Program Files\Windows Media Connect 2\WMCCFG.exe /StartQuiet

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinPatrol]
    C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WINREMOTE]
    2004-11-05 08:44 192512 –a—— C:\Program Files\InterVideo\Common\Bin\WinRemote.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
    2006-11-02 22:53 204288 ——— C:\Program Files\Windows Media Player\WMPNSCFG.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "NMIndexingService"=3 (0x3)
    "NBService"=3 (0x3)
    "Adobe LM Service"=3 (0x3)
    "aawservice"=2 (0x2)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "WMPNSCFG"=C:\Program Files\Windows Media Player\WMPNSCFG.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
    "HPHmon06"=C:\WINDOWS\system32\hphmon06.exe
    "Recguard"=C:\WINDOWS\SMINST\RECGUARD.EXE

    R3 Cap7134;ASUS TV7134 WDM Video Capture;C:\WINDOWS\system32\DRIVERS\Cap7134.sys [2004-10-27 21:40]
    R3 PhTVTune;ASUS WDM TV Tuner;C:\WINDOWS\system32\DRIVERS\PhTVTune.sys [2004-10-24 16:35]
    S3 ICAM8USB;Intel(r) PC Camera CS120;C:\WINDOWS\system32\Drivers\Icm8D2.SYS [2001-07-12 11:23]
    S3 PRISM_A00;Wireless PCI 802.11b/g adapter WN4201B Driver;C:\WINDOWS\system32\DRIVERS\PCTELSAP.SYS [2004-11-30 19:54]


    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{ABCD0CA4-D50B-A200-D031-D0B72D400330}]
    C:\WINDOWS\system32\explorer.exe
    .
    Inhoud van de 'Gedeelde Taken' map
    "2007-12-28 16:15:00 C:\WINDOWS\Tasks\1-Click Maintenance.job"
    - C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe
    "2007-12-30 18:19:00 C:\WINDOWS\Tasks\Uniblue SpyEraser Nag.job"
    - C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
    "2007-07-23 17:19:02 C:\WINDOWS\Tasks\Uniblue SpyEraser.job"
    - C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
    .
    **************************************************************************

    catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-01-02 13:21:35
    Windows 5.1.2600 Service Pack 2 NTFS

    scannen van verborgen processen …

    scannen van verborgen autostart items …

    scannen van verborgen bestanden …

    Scan succesvol afgerond
    verborgen bestanden: 0

    **************************************************************************
    .
    Voltooingstijd: 2008-01-02 13:22:20
    C:\qoobox\ComboFix-quarantined-files.txt 2008-01-02 12:22:08
    C:\qoobox\ComboFix2.txt 2006-11-09 18:39:09
    .
    2007-12-12 21:04:46 — E O F —
  • Open Notepad, copy and paste the following (the bold text) into an empty window:
    [b:de830b002b]
    File::
    C:\WINDOWS\system32\explorer.exe

    Registry::
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
    [/b:de830b002b]
    Save this on your Desktop as [b:de830b002b]CFScript.txt[/b:de830b002b]

    Drag [b:de830b002b]CFScript.txt[/b:de830b002b] onto [b:de830b002b]ComboFix.exe[/b:de830b002b] as shown in the example below:

    [img:de830b002b]http://img.photobucket.com/albums/v666/sUBs/CFScript.gif[/img:de830b002b]

    This will make [b:de830b002b]ComboFix[/b:de830b002b] restart.
    Reboot when asked to,
    and post the contents of [b:de830b002b]Combofix.txt[/b:de830b002b] in your next reply together with a new HijackThis log.
  • [b:8563cc8ba5]HijackThis logfile:[/b:8563cc8ba5]
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 18:23:32, on 2-1-2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16574)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\HP\KBD\KBD.EXE
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Windows Media Player\WMPNSCFG.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Program Files\MSN Messenger\usnsvc.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs
    dr?TYPE=3&tp=iesearch&locale=NL_NL&c=Q105&bd=pavilion&pf=desktop
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs
    dr?TYPE=3&tp=iesearch&locale=NL_NL&c=Q105&bd=pavilion&pf=desktop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.nl/0SENLNL/SAOS01?FORM=TOOLBR
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Helperobject voor Encarta Winkler Prins Webassistent - {955BE0B8-BC85-4CAF-856E-8E0D8B610560} - C:\Program Files\Common Files\Microsoft Shared\Encarta Web Companion\ENCWCBAR.DLL
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
    O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
    O3 - Toolbar: Encarta Winkler Prins Webassistent - {147D6308-0614-4112-89B1-31402F9B82C4} - C:\Program Files\Common Files\Microsoft Shared\Encarta Web Companion\ENCWCBAR.DLL
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Lokale service')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
    O9 - Extra button: Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute\vrie.dll
    O9 - Extra 'Tools' menuitem: VisualRoute Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute\vrie.dll
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
    O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
    O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O15 - Trusted Zone: http://toolbar.imageshack.us
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120179775847
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1138299821260
    O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://cache.hyvz.com/statics/Aurigma/ImageUploader4.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


    End of file - 7892 bytes


    [b:8563cc8ba5]Combofix log:[/b:8563cc8ba5]
    ComboFix 07-12-31.4 - HP_Eigenaar 2008-01-02 18:19:51.2 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1043.18.1366 [GMT 1:00]
    Gestart vanuit: C:\Documents and Settings\HP_Eigenaar\Mijn documenten\combofix.exe
    Command switches used :: C:\Documents and Settings\HP_Eigenaar\Mijn documenten\CFScript.txt
    * Nieuw herstelpunt werd aangemaakt

    FILE
    C:\WINDOWS\system32\explorer.exe
    .

    (((((((((((((((((((( Bestanden Gemaakt van 2007-12-02 to 2008-01-02 ))))))))))))))))))))))))))))))
    .

    2008-01-02 13:17 . 2000-08-31 08:00 51,200 –a—— C:\WINDOWS\NirCmd.exe
    2008-01-02 13:13 . 2008-01-02 13:13 <DIR> d——– C:\Program Files\Trend Micro

    .
    ((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-01-02 00:49 ——— d—–w C:\Documents and Settings\HP_Eigenaar\Application Data\AVG7
    2007-12-17 23:38 ——— d—–w C:\Program Files\Total Video Converter
    2007-12-17 22:17 ——— d—–w C:\Documents and Settings\All Users\Application Data\Avg7
    2007-12-12 21:35 ——— d—–w C:\Program Files\SpeedFan
    2007-12-12 19:09 ——— d—–w C:\Documents and Settings\HP_Eigenaar\Application Data\uTorrent
    2007-12-10 01:33 ——— d—–w C:\Program Files\Common Files\Real
    2007-12-10 01:16 14,461,471 —-a-w C:\WINDOWS\Internet Logs\tvDebug.zip
    2007-12-05 17:33 ——— d—–w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2007-11-16 19:13 ——— d—–w C:\Program Files\Common Files\Wise Installation Wizard
    2007-11-14 15:05 1,086,952 —-a-w C:\WINDOWS\system32\zpeng24.dll
    2007-11-13 10:25 20,480 —-a-w C:\WINDOWS\system32\drivers\secdrv.sys
    2007-10-30 23:27 3,590,656 —-a-w C:\WINDOWS\system32\dllcache\mshtml.dll
    2007-10-29 22:45 1,291,776 —-a-w C:\WINDOWS\system32\quartz.dll
    2007-10-29 22:45 1,291,776 —-a-w C:\WINDOWS\system32\dllcache\quartz.dll
    2007-10-25 16:44 8,507,392 —-a-w C:\WINDOWS\system32\dllcache\shell32.dll
    2007-10-25 08:28 222,720 —-a-w C:\WINDOWS\system32\wmasf.dll
    2007-10-25 08:28 222,720 —-a-w C:\WINDOWS\system32\dllcache\wmasf.dll
    2007-10-10 23:54 824,832 —-a-w C:\WINDOWS\system32\dllcache\wininet.dll
    2007-10-10 23:53 671,232 —-a-w C:\WINDOWS\system32\dllcache\mstime.dll
    2007-10-10 23:53 63,488 ——w C:\WINDOWS\system32\dllcache\icardie.dll
    2007-10-10 23:53 6,065,664 ——w C:\WINDOWS\system32\dllcache\ieframe.dll
    2007-10-10 23:53 52,224 ——w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
    2007-10-10 23:53 478,208 —-a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
    2007-10-10 23:53 459,264 ——w C:\WINDOWS\system32\dllcache\msfeeds.dll
    2007-10-10 23:53 44,544 —-a-w C:\WINDOWS\system32\dllcache\iernonce.dll
    2007-10-10 23:53 384,512 —-a-w C:\WINDOWS\system32\dllcache\iedkcs32.dll
    2007-10-10 23:53 383,488 ——w C:\WINDOWS\system32\dllcache\ieapfltr.dll
    2007-10-10 23:53 27,648 —-a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
    2007-10-10 23:53 267,776 ——w C:\WINDOWS\system32\dllcache\iertutil.dll
    2007-10-10 23:53 232,960 —-a-w C:\WINDOWS\system32\dllcache\webcheck.dll
    2007-10-10 23:53 230,400 —-a-w C:\WINDOWS\system32\dllcache\ieaksie.dll
    2007-10-10 23:53 214,528 —-a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
    2007-10-10 23:53 193,024 —-a-w C:\WINDOWS\system32\dllcache\msrating.dll
    2007-10-10 23:53 153,088 —-a-w C:\WINDOWS\system32\dllcache\ieakeng.dll
    2007-10-10 23:53 132,608 —-a-w C:\WINDOWS\system32\dllcache\extmgr.dll
    2007-10-10 23:53 124,928 —-a-w C:\WINDOWS\system32\dllcache\advpack.dll
    2007-10-10 23:53 105,984 —-a-w C:\WINDOWS\system32\dllcache\url.dll
    2007-10-10 23:53 102,400 —-a-w C:\WINDOWS\system32\dllcache\occache.dll
    2007-10-10 23:53 1,159,680 —-a-w C:\WINDOWS\system32\dllcache\urlmon.dll
    2007-10-10 11:02 70,656 —-a-w C:\WINDOWS\system32\dllcache\ie4uinit.exe
    2007-10-10 11:02 625,152 —-a-w C:\WINDOWS\system32\dllcache\iexplore.exe
    2007-10-10 10:59 13,824 ——w C:\WINDOWS\system32\dllcache\ieudinit.exe
    2007-10-10 05:46 161,792 —-a-w C:\WINDOWS\system32\dllcache\ieakui.dll
    2007-04-07 23:13 20,981,755 —-a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_04_05_18_17_22_full.dmp.zip
    2006-11-17 02:06 131 —-a-w C:\Documents and Settings\HP_Eigenaar\ecdelete.bat
    2005-05-24 16:41 123,472 —-a-w C:\Documents and Settings\HP_Eigenaar\Application Data\GDIPFONTCACHEV1.DAT
    2005-05-18 19:55 0 —-a-w C:\Documents and Settings\HP_Eigenaar\Application Data\wklnhst.dat
    2005-07-15 20:28 22 –sha-w C:\WINDOWS\SMINST\HPCD.sys
    .

    ((((((((((((((((((((((((((((( snapshot@2008-01-02_13.21.48,26 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-01-01 16:23:07 4,212 —h–w C:\WINDOWS\system32\zllictbl.dat
    + 2008-01-02 14:51:34 4,212 —h–w C:\WINDOWS\system32\zllictbl.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    REGEDIT4
    *Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00 15360]
    "WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 22:53 204288]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "KBD"="C:\HP\KBD\KBD.EXE" [2003-02-11 20:02 61440]
    "PS2"="C:\WINDOWS\system32\ps2.exe" [2004-10-25 22:17 90112]
    "ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-11-04 04:10 344064]
    "BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 13:00 110592 C:\WINDOWS\system32\bthprops.cpl]
    "AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-20 22:40 579072]
    "Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2006-05-10 17:48 94208 C:\WINDOWS\KHALMNPR.Exe]
    "ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05 919016]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-25 21:40 219136]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "MaxRecentDocs"= 21 (0x15)

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^Adobe Gamma Loader.lnk]
    path=C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\Adobe Gamma Loader.lnk
    backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^Adobe Reader Snelle start.lnk]
    path=C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\Adobe Reader Snelle start.lnk
    backup=C:\WINDOWS\pss\Adobe Reader Snelle start.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^HP Digital Imaging Monitor.lnk]
    path=C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\HP Digital Imaging Monitor.lnk
    backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^Microsoft Office.lnk]
    path=C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\Microsoft Office.lnk
    backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^HP_Eigenaar^Menu Start^Programma's^Opstarten^Adobe Gamma.lnk]
    path=C:\Documents and Settings\HP_Eigenaar\Menu Start\Programma's\Opstarten\Adobe Gamma.lnk
    backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
    C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
    ALCXMNTR.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Anonymizer]
    C:\Program Files\Anonymizer\Anonymizer Software\Anonymizer.exe -nogui

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD06]
    2004-06-07 19:53 49152 –a—— c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
    C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe -start

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    C:\Program Files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LSBWatcher]
    2004-10-14 22:54 253952 –a—— c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    2006-01-12 15:40 155648 –a—— C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    C:\Program Files\QuickTime\qttask.exe -atboottime

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
    C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe /startoptions

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
    C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_8 -reboot 1

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Media Connect 2]
    C:\Program Files\Windows Media Connect 2\WMCCFG.exe /StartQuiet

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinPatrol]
    C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WINREMOTE]
    2004-11-05 08:44 192512 –a—— C:\Program Files\InterVideo\Common\Bin\WinRemote.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
    2006-11-02 22:53 204288 ——— C:\Program Files\Windows Media Player\WMPNSCFG.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "NMIndexingService"=3 (0x3)
    "NBService"=3 (0x3)
    "Adobe LM Service"=3 (0x3)
    "aawservice"=2 (0x2)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "WMPNSCFG"=C:\Program Files\Windows Media Player\WMPNSCFG.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
    "HPHmon06"=C:\WINDOWS\system32\hphmon06.exe
    "Recguard"=C:\WINDOWS\SMINST\RECGUARD.EXE

    R3 Cap7134;ASUS TV7134 WDM Video Capture;C:\WINDOWS\system32\DRIVERS\Cap7134.sys [2004-10-27 21:40]
    R3 PhTVTune;ASUS WDM TV Tuner;C:\WINDOWS\system32\DRIVERS\PhTVTune.sys [2004-10-24 16:35]
    S3 ICAM8USB;Intel(r) PC Camera CS120;C:\WINDOWS\system32\Drivers\Icm8D2.SYS [2001-07-12 11:23]
    S3 PRISM_A00;Wireless PCI 802.11b/g adapter WN4201B Driver;C:\WINDOWS\system32\DRIVERS\PCTELSAP.SYS [2004-11-30 19:54]


    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{ABCD0CA4-D50B-A200-D031-D0B72D400330}]
    C:\WINDOWS\system32\explorer.exe
    .
    **************************************************************************

    catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-01-02 18:20:48
    Windows 5.1.2600 Service Pack 2 NTFS

    scannen van verborgen processen …

    scannen van verborgen autostart items …

    scannen van verborgen bestanden …

    Scan succesvol afgerond
    verborgen bestanden: 0

    **************************************************************************
    .
    Voltooingstijd: 2008-01-02 18:21:30
    C:\qoobox\ComboFix-quarantined-files.txt 2008-01-02 17:21:22
    C:\qoobox\ComboFix2.txt 2008-01-02 12:22:22
    C:\qoobox\ComboFix3.txt 2006-11-09 18:39:09
    .
    2007-12-12 21:04:46 — E O F —

    What exactly has happened and changed, if I may ask? :)
  • [quote:36106f0558]
    What exactly has happened and changed, if I may ask?
    [/quote:36106f0558]

    You were dealing with a few trojan horses that at first glance were not visible in HijackThis.
    Because you indicated you were having problems anyway, I looked deeper with Combofix, which removed
    a number of them, and then removed a few more by means of a script, but it is still not completely gone!

    Download SDFix to your [b:36106f0558]Desktop[/b:36106f0558].

    Double-click to open it, select all files and extract them to their own folder named [u:36106f0558]SDFix[/u:36106f0558].
    Start your computer in safe mode.
    Open the SDfix folder and double-click [b:36106f0558]runthis.bat[/b:36106f0558] to start the tool.
    Let the computer restart when asked.
    SDfix continues and opens a report afterwards!
    Post this report in your next reply.

    Good luck!

    Pim :)
  • OK, thank you. But which entries in those logs are the trojans/malicious files, then?

    By the way, I did notice that a number of personal preferences changed after that last Combofix run, including the screensaver. Anyway, I'll do it tomorrow at my leisure. Nothing else can go wrong now, by the way, such as my system crashing or no longer booting because something gets deleted along with those trojans/malicious files?
  • First Combofix removed these files, which were malicious, just google them :wink:

    [b:b42bf9d20a]C:\WINDOWS\system32\drivers\services.exe
    C:\WINDOWS\system32\setup.exe.tmp
    D:\Autorun.inf [/b:b42bf9d20a]

    Afterwards this one remained, as seen in the logfile:
    [b:b42bf9d20a]C:\WINDOWS\system32\explorer.exe[/b:b42bf9d20a]
    This is not the usual explorer.exe of Windows, because that one lives in the C:\Windows\ folder. This is malware that uses Windows file names so that helpers quickly overlook it. I wanted to have this one removed as well, but that did not succeed, because it is still visible in the latest log.

    I am using SDfix because it checks for other versions of explorer.exe (malware) and removes them. So this should clean up the last infection :wink:

    Pim
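The point made in the reply above, that a core Windows binary name sitting in the wrong directory is a tell, can be turned into a mechanical check over a HijackThis or ComboFix log. The script below is an added example for this thread, not code from the helper, from SDFix or from ComboFix. It assumes a small constructed allow-list of canonical directories for a handful of Windows XP binaries (CANONICAL_DIRS) and runs over a constructed log excerpt modelled on the logs posted here; the names find_masquerades and SAMPLE_LOG are this example's own.

```python
import re
from pathlib import PureWindowsPath

# Canonical directories of a few core Windows XP binaries, keyed by lowercase
# file name. A file carrying one of these names anywhere else is suspicious.
# Constructed allow-list for this example; a real baseline would be larger.
CANONICAL_DIRS = {
    "explorer.exe": {r"c:\windows"},
    "services.exe": {r"c:\windows\system32"},
    "svchost.exe":  {r"c:\windows\system32"},
    "winlogon.exe": {r"c:\windows\system32"},
    "lsass.exe":    {r"c:\windows\system32"},
    "ctfmon.exe":   {r"c:\windows\system32"},
}

# Pulls every drive-letter path ending in .exe out of a log line, so the same
# check works on HijackThis process lists, O4 Run entries and the quoted
# "name"="path" lines of a ComboFix registry dump alike. Spaces are allowed
# inside the path ("C:\Program Files\..."), quotes and brackets end it.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\[\]<>|]*?\.exe\b', re.IGNORECASE)


def find_masquerades(log_lines):
    """Return (line_no, path, expected_dirs) for each core-binary name found
    outside its canonical directory. Comparison is case-insensitive, because
    Windows paths are, and the logs mix System32 with system32."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        for raw in PATH_RE.findall(line):
            p = PureWindowsPath(raw)
            expected = CANONICAL_DIRS.get(p.name.lower())
            if expected is None:
                continue            # not a name we track
            if str(p.parent).lower() not in expected:
                hits.append((n, raw, sorted(expected)))
    return hits


# Constructed excerpt in the shape of the logs in this thread (not a real log).
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\explorer.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{ABCD0CA4-D50B-A200-D031-D0B72D400330}]
C:\WINDOWS\system32\explorer.exe
C:\WINDOWS\system32\drivers\services.exe""".splitlines()


if __name__ == "__main__":
    for line_no, path, expected in find_masquerades(SAMPLE_LOG):
        print(f"line {line_no}: {path} (expected in {', '.join(expected)})")
```

On the sample excerpt this flags the two `C:\WINDOWS\system32\explorer.exe` entries and `C:\WINDOWS\system32\drivers\services.exe`, while the legitimate `C:\WINDOWS\explorer.exe` and the mixed-case `System32\svchost.exe` pass. The check only covers the wrong-directory case; a replaced binary in the right directory needs a hash or signature comparison instead.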
  • [b:d6e807b308]SDFix Report:[/b:d6e807b308]
    SDFix: Version 1.122

    Run by HP_Eigenaar on do 03-01-2008 at 20:34

    Microsoft Windows XP [versie 5.1.2600]

    Running From: C:\DOCUME~1\HP_EIG~1\BUREAU~1\SDFix\SDFix

    Safe Mode:
    Checking Services:


    Restoring Windows Registry Values
    Restoring Windows Default Hosts File

    Rebooting…


    Normal Mode:
    Checking Files:

    No Trojan Files Found





    Removing Temp Files…

    ADS Check:

    C:\WINDOWS
    No streams found.

    C:\WINDOWS\system32
    No streams found.

    C:\WINDOWS\system32\svchost.exe
    No streams found.

    C:\WINDOWS\system32\ntoskrnl.exe
    No streams found.



    Final Check:

    catchme 0.3.1333.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-01-03 20:55:12
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes …

    IPC error: 2 Het systeem kan het opgegeven bestand niet vinden.
    scanning hidden services & system hive …

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000b0d3073be]
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\000b0d3073be]

    scanning hidden registry entries …

    scanning hidden files …

    scan completed successfully
    hidden processes: 0
    hidden services: 0
    hidden files: 0


    Remaining Services:
    ——————



    Authorized Application Key Export:

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

    Remaining Files:
    —————


    Files with Hidden Attributes:

    Wed 4 May 2005 213 A.SHR — "C:\BOOT.BAK"
    Wed 13 Oct 2004 1,694,208 ..SH. — "C:\Program Files\Messenger\msmsgs.exe"
    Fri 15 Jul 2005 22 A.SH. — "C:\WINDOWS\SMINST\HPCD.sys"
    Fri 6 May 2005 4,348 A.SH. — "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
    Fri 17 Nov 2006 0 A.SH. — "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
    Mon 24 Sep 2007 0 A..H. — "C:\WINDOWS\SoftwareDistribution\Download\20cc0088cd851a680d48cd7c937fca62\BIT4.tmp"
    Wed 6 Jun 2007 0 …H. — "C:\Documents and Settings\HP_Eigenaar\Application Data\Microsoft\Word\~WRL0005.tmp"

    Finished!
  • Today I have already had the AVG alert about the trojan 7 times. Each time it is gone for a while and then it comes back from the System Volume Information folder, which is not accessible. How on earth do I get rid of it, and I actually wonder what damage that trojan does, or perhaps none since it gets removed as soon as it becomes active.
  • The trojan that AVG finds is in your System Restore; that is a concern for later.
    At the moment I am consulting with other helpers about how I am going to tackle this, please be patient a moment.
  • Is anything known yet, and is there more going on besides the problem with System Restore? To my feeling the system is running fine without malicious junk in the background. But of course I don't know much about it! :lol:
  • With thanks to Juisterr :)

    Open Notepad, copy and paste the following (the bold text) into an empty window:
    [b:65c311f41f]
    File::
    C:\WINDOWS\system32\explorer.exe

    Registry::
    [-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{ABCD0CA4-D50B-A200-D031-D0B72D400330}]
    [/b:65c311f41f]
    Save this on your Desktop as [b:65c311f41f]CFScript.txt[/b:65c311f41f]

    Drag [b:65c311f41f]CFScript.txt[/b:65c311f41f] onto [b:65c311f41f]ComboFix.exe[/b:65c311f41f] as shown in the example below:

    [img:65c311f41f]http://img.photobucket.com/albums/v666/sUBs/CFScript.gif[/img:65c311f41f]

    This will make [b:65c311f41f]ComboFix[/b:65c311f41f] restart.
    Reboot when asked to,
    and post the contents of [b:65c311f41f]Combofix.txt[/b:65c311f41f] in your next reply together with a new HijackThis log.
  • [b:47ad14d3be]HijackThis log:[/b:47ad14d3be]
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 18:50:00, on 6-1-2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16574)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\HP\KBD\KBD.EXE
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Windows Media Player\WMPNSCFG.exe
    C:\Program Files\MSN Messenger\usnsvc.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs
    dr?TYPE=3&tp=iesearch&locale=NL_NL&c=Q105&bd=pavilion&pf=desktop
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs
    dr?TYPE=3&tp=iesearch&locale=NL_NL&c=Q105&bd=pavilion&pf=desktop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.nl/0SENLNL/SAOS01?FORM=TOOLBR
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Helperobject voor Encarta Winkler Prins Webassistent - {955BE0B8-BC85-4CAF-856E-8E0D8B610560} - C:\Program Files\Common Files\Microsoft Shared\Encarta Web Companion\ENCWCBAR.DLL
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
    O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
    O3 - Toolbar: Encarta Winkler Prins Webassistent - {147D6308-0614-4112-89B1-31402F9B82C4} - C:\Program Files\Common Files\Microsoft Shared\Encarta Web Companion\ENCWCBAR.DLL
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Lokale service')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
    O9 - Extra button: Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute\vrie.dll
    O9 - Extra 'Tools' menuitem: VisualRoute Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute\vrie.dll
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
    O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
    O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O15 - Trusted Zone: http://toolbar.imageshack.us
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120179775847
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1138299821260
    O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://cache.hyvz.com/statics/Aurigma/ImageUploader4.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


    End of file - 7849 bytes


    [b:47ad14d3be]ComboFix log:[/b:47ad14d3be]
    ComboFix 07-12-31.4 - HP_Eigenaar 2008-01-06 18:26:11.3 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1043.18.1414 [GMT 1:00]
    Gestart vanuit: C:\Documents and Settings\HP_Eigenaar\Mijn documenten\combofix.exe
    Command switches used :: C:\Documents and Settings\HP_Eigenaar\Bureaublad\CFScript.txt
    * Nieuw herstelpunt werd aangemaakt

    FILE
    C:\WINDOWS\system32\explorer.exe
    .

    (((((((((((((((((((( Bestanden Gemaakt van 2007-12-06 to 2008-01-06 ))))))))))))))))))))))))))))))
    .

    2008-01-03 20:31 . 2008-01-03 20:32 <DIR> d-------- C:\WINDOWS\ERUNT
    2008-01-03 20:23 . 2005-01-02 04:04 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
    2008-01-03 20:23 . 2005-01-01 09:00 <DIR> d--h----- C:\Documents and Settings\Administrator\Sjablonen
    2008-01-03 20:23 . 2005-01-01 08:59 <DIR> dr-h----- C:\Documents and Settings\Administrator\Onlangs geopend
    2008-01-03 20:23 . 2004-12-03 19:49 <DIR> d--h----- C:\Documents and Settings\Administrator\Netwerkprinteromgeving
    2008-01-03 20:23 . 2005-01-01 08:59 <DIR> dr------- C:\Documents and Settings\Administrator\Mijn documenten
    2008-01-03 20:23 . 2005-01-01 08:59 <DIR> dr------- C:\Documents and Settings\Administrator\Menu Start
    2008-01-03 20:23 . 2005-01-01 08:59 <DIR> dr------- C:\Documents and Settings\Administrator\Favorieten
    2008-01-03 20:23 . 2005-01-02 04:08 <DIR> d-------- C:\Documents and Settings\Administrator\Bureaublad
    2008-01-03 20:23 . 2005-01-02 04:19 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
    2008-01-03 20:23 . 2005-01-02 04:12 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SampleView
    2008-01-03 20:23 . 2005-01-02 03:59 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Intervideo
    2008-01-03 20:23 . 2005-01-02 04:03 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Apple Computer
    2008-01-02 13:17 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2008-01-02 13:13 . 2008-01-02 13:13 <DIR> d-------- C:\Program Files\Trend Micro

    .
    ((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-01-06 02:58 --------- d-----w C:\Documents and Settings\HP_Eigenaar\Application Data\AVG7
    2008-01-04 12:15 --------- d-----w C:\Program Files\Total Video Converter
    2008-01-04 03:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg7
    2007-12-12 21:35 --------- d-----w C:\Program Files\SpeedFan
    2007-12-12 19:09 --------- d-----w C:\Documents and Settings\HP_Eigenaar\Application Data\uTorrent
    2007-12-10 01:33 --------- d-----w C:\Program Files\Common Files\Real
    2007-12-10 01:16 14,461,471 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
    2007-12-05 17:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2007-11-16 19:13 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
    2007-11-14 15:05 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll
    2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
    2007-10-30 23:27 3,590,656 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
    2007-10-29 22:45 1,291,776 ----a-w C:\WINDOWS\system32\quartz.dll
    2007-10-29 22:45 1,291,776 ----a-w C:\WINDOWS\system32\dllcache\quartz.dll
    2007-10-25 16:44 8,507,392 ----a-w C:\WINDOWS\system32\dllcache\shell32.dll
    2007-10-25 08:28 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
    2007-10-25 08:28 222,720 ----a-w C:\WINDOWS\system32\dllcache\wmasf.dll
    2007-10-10 23:54 824,832 ----a-w C:\WINDOWS\system32\dllcache\wininet.dll
    2007-10-10 23:53 671,232 ----a-w C:\WINDOWS\system32\dllcache\mstime.dll
    2007-10-10 23:53 63,488 ------w C:\WINDOWS\system32\dllcache\icardie.dll
    2007-10-10 23:53 6,065,664 ------w C:\WINDOWS\system32\dllcache\ieframe.dll
    2007-10-10 23:53 52,224 ------w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
    2007-10-10 23:53 478,208 ----a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
    2007-10-10 23:53 459,264 ------w C:\WINDOWS\system32\dllcache\msfeeds.dll
    2007-10-10 23:53 44,544 ----a-w C:\WINDOWS\system32\dllcache\iernonce.dll
    2007-10-10 23:53 384,512 ----a-w C:\WINDOWS\system32\dllcache\iedkcs32.dll
    2007-10-10 23:53 383,488 ------w C:\WINDOWS\system32\dllcache\ieapfltr.dll
    2007-10-10 23:53 27,648 ----a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
    2007-10-10 23:53 267,776 ------w C:\WINDOWS\system32\dllcache\iertutil.dll
    2007-10-10 23:53 232,960 ----a-w C:\WINDOWS\system32\dllcache\webcheck.dll
    2007-10-10 23:53 230,400 ----a-w C:\WINDOWS\system32\dllcache\ieaksie.dll
    2007-10-10 23:53 214,528 ----a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
    2007-10-10 23:53 193,024 ----a-w C:\WINDOWS\system32\dllcache\msrating.dll
    2007-10-10 23:53 153,088 ----a-w C:\WINDOWS\system32\dllcache\ieakeng.dll
    2007-10-10 23:53 132,608 ----a-w C:\WINDOWS\system32\dllcache\extmgr.dll
    2007-10-10 23:53 124,928 ----a-w C:\WINDOWS\system32\dllcache\advpack.dll
    2007-10-10 23:53 105,984 ----a-w C:\WINDOWS\system32\dllcache\url.dll
    2007-10-10 23:53 102,400 ----a-w C:\WINDOWS\system32\dllcache\occache.dll
    2007-10-10 23:53 1,159,680 ----a-w C:\WINDOWS\system32\dllcache\urlmon.dll
    2007-10-10 11:02 70,656 ----a-w C:\WINDOWS\system32\dllcache\ie4uinit.exe
    2007-10-10 11:02 625,152 ----a-w C:\WINDOWS\system32\dllcache\iexplore.exe
    2007-10-10 10:59 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
    2007-10-10 05:46 161,792 ----a-w C:\WINDOWS\system32\dllcache\ieakui.dll
    2007-04-07 23:13 20,981,755 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_04_05_18_17_22_full.dmp.zip
    2006-11-17 02:06 131 ----a-w C:\Documents and Settings\HP_Eigenaar\ecdelete.bat
    2005-05-24 16:41 123,472 ----a-w C:\Documents and Settings\HP_Eigenaar\Application Data\GDIPFONTCACHEV1.DAT
    2005-05-18 19:55 0 ----a-w C:\Documents and Settings\HP_Eigenaar\Application Data\wklnhst.dat
    2005-07-15 20:28 22 --sha-w C:\WINDOWS\SMINST\HPCD.sys
    .

    ((((((((((((((((((((((((((((( snapshot@2008-01-02_13.21.48,26 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2008-01-02 02:44:46 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
    + 2008-01-03 19:32:54 11,382,784 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
    + 2008-01-03 19:32:55 262,144 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
    + 2008-01-02 02:44:46 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
    + 2008-01-03 19:32:11 11,382,784 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
    + 2008-01-03 19:32:12 262,144 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
    - 2008-01-01 16:23:07 4,212 ---h--w C:\WINDOWS\system32\zllictbl.dat
    + 2008-01-06 17:23:44 4,212 ---h--w C:\WINDOWS\system32\zllictbl.dat
    - 2007-12-29 16:59:17 7,398,382 ----a-w C:\WINDOWS\system32\ZoneLabs\spyware.dat
    + 2008-01-03 16:59:21 7,433,042 ----a-w C:\WINDOWS\system32\ZoneLabs\spyware.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    REGEDIT4
    *Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00 15360]
    "WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 22:53 204288]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "KBD"="C:\HP\KBD\KBD.EXE" [2003-02-11 20:02 61440]
    "PS2"="C:\WINDOWS\system32\ps2.exe" [2004-10-25 22:17 90112]
    "ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-11-04 04:10 344064]
    "BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 13:00 110592 C:\WINDOWS\system32\bthprops.cpl]
    "AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-20 22:40 579072]
    "Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2006-05-10 17:48 94208 C:\WINDOWS\KHALMNPR.Exe]
    "ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05 919016]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-25 21:40 219136]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "MaxRecentDocs"= 21 (0x15)

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^Adobe Gamma Loader.lnk]
    path=C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\Adobe Gamma Loader.lnk
    backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^Adobe Reader Snelle start.lnk]
    path=C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\Adobe Reader Snelle start.lnk
    backup=C:\WINDOWS\pss\Adobe Reader Snelle start.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^HP Digital Imaging Monitor.lnk]
    path=C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\HP Digital Imaging Monitor.lnk
    backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^Microsoft Office.lnk]
    path=C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\Microsoft Office.lnk
    backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^HP_Eigenaar^Menu Start^Programma's^Opstarten^Adobe Gamma.lnk]
    path=C:\Documents and Settings\HP_Eigenaar\Menu Start\Programma's\Opstarten\Adobe Gamma.lnk
    backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
    C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
    ALCXMNTR.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Anonymizer]
    C:\Program Files\Anonymizer\Anonymizer Software\Anonymizer.exe -nogui

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD06]
    2004-06-07 19:53 49152 --a------ c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
    C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe -start

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    C:\Program Files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LSBWatcher]
    2004-10-14 22:54 253952 --a------ c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    2006-01-12 15:40 155648 --a------ C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    C:\Program Files\QuickTime\qttask.exe -atboottime

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
    C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe /startoptions

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
    C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_8 -reboot 1

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Media Connect 2]
    C:\Program Files\Windows Media Connect 2\WMCCFG.exe /StartQuiet

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinPatrol]
    C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WINREMOTE]
    2004-11-05 08:44 192512 --a------ C:\Program Files\InterVideo\Common\Bin\WinRemote.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
    2006-11-02 22:53 204288 --------- C:\Program Files\Windows Media Player\WMPNSCFG.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "NMIndexingService"=3 (0x3)
    "NBService"=3 (0x3)
    "Adobe LM Service"=3 (0x3)
    "aawservice"=2 (0x2)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "WMPNSCFG"=C:\Program Files\Windows Media Player\WMPNSCFG.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
    "HPHmon06"=C:\WINDOWS\system32\hphmon06.exe
    "Recguard"=C:\WINDOWS\SMINST\RECGUARD.EXE

    R3 Cap7134;ASUS TV7134 WDM Video Capture;C:\WINDOWS\system32\DRIVERS\Cap7134.sys [2004-10-27 21:40]
    R3 PhTVTune;ASUS WDM TV Tuner;C:\WINDOWS\system32\DRIVERS\PhTVTune.sys [2004-10-24 16:35]
    S3 ICAM8USB;Intel(r) PC Camera CS120;C:\WINDOWS\system32\Drivers\Icm8D2.SYS [2001-07-12 11:23]
    S3 PRISM_A00;Wireless PCI 802.11b/g adapter WN4201B Driver;C:\WINDOWS\system32\DRIVERS\PCTELSAP.SYS [2004-11-30 19:54]

    .
    **************************************************************************

    catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-01-06 18:27:47
    Windows 5.1.2600 Service Pack 2 NTFS

    scannen van verborgen processen …

    scannen van verborgen autostart items …

    scannen van verborgen bestanden …

    Scan succesvol afgerond
    verborgen bestanden: 0

    **************************************************************************
    .
    Voltooingstijd: 2008-01-06 18:28:30
    C:\qoobox\ComboFix-quarantined-files.txt 2008-01-06 17:28:20
    C:\qoobox\ComboFix2.txt 2008-01-02 17:21:31
    C:\qoobox\ComboFix3.txt 2008-01-02 12:22:22
    C:\qoobox\ComboFix4.txt 2006-11-09 18:39:09
    .
    2007-12-12 21:04:46 --- E O F ---


    [b:47ad14d3be]I don't know whether it is informative, but the following "explorer.exe" files are present on my system:[/b:47ad14d3be]
    [img:47ad14d3be]http://img218.imageshack.us/img218/5447/winexploreraq5.gif[/img:47ad14d3be]
  • Start HijackThis, choose [i:8f19ebef1f]'Do a system scan only'[/i:8f19ebef1f] and tick the lines below:
    [b:8f19ebef1f]
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    [/b:8f19ebef1f]
    Now close [u:8f19ebef1f]all[/u:8f19ebef1f] open windows except HijackThis and click [b:8f19ebef1f]Fix Checked[/b:8f19ebef1f].

    The Java software on your computer is out of date.
    Older versions have vulnerabilities that give malware a chance to install itself.
    First carry out the steps below to uninstall Java and install the latest version:
    [list:8f19ebef1f]
    Download Java Runtime Environment (JRE) 6u3 and save it on your [b:8f19ebef1f]Desktop[/b:8f19ebef1f]
    Close all programs that may be open - especially your web browser!
    Then go to [b:8f19ebef1f]Start > Control Panel > Add or Remove Programs[/b:8f19ebef1f] and remove all older versions of Java from the list.
    Tick everything with Java Runtime Environment (JRE or J2SE) in its name.
    Then click [b:8f19ebef1f]Remove[/b:8f19ebef1f] or the [b:8f19ebef1f]Change/Remove[/b:8f19ebef1f] button.
    Repeat this until all older versions are gone.
    After removing all older versions, [b:8f19ebef1f]restart[/b:8f19ebef1f] your PC.
    Then double-click [b:8f19ebef1f]jre-6u3-windows-i586-p.exe[/b:8f19ebef1f] on your Desktop to install the latest version of Java.
    [/list:u:8f19ebef1f]

    How are your problems now?

    Pim :)
  • Well, as I said before, it does run more stably and I don't get the impression that anything harmful is still running; only AVG still keeps reporting that Trojan. Almost every hour, but the odd thing is that it always becomes active when there is no activity on the system. When I'm just working I never get that message; only when I leave the system alone for a while does it become active and AVG steps in. Quite odd, and it's the first time I've had something like this on my system. Normally it doesn't keep coming back! :cry:
  • After this, that AVG message should be gone. Uninstalling ComboFix deletes all your restore points and creates a new restore point. The trojan AVG reports is sitting in your System Restore.

    Download ATF Cleaner (by Atribune)

    Double-click ATF Cleaner to start the program.
    On the "Main" tab, tick [b:5f0319d3c3]Select All[/b:5f0319d3c3].
    Click the [b:5f0319d3c3]Empty Selected[/b:5f0319d3c3] button.

    Do the following if you also use [u:5f0319d3c3]Firefox[/u:5f0319d3c3] as a browser:
    Click the "Firefox" tab and tick [b:5f0319d3c3]Select All[/b:5f0319d3c3].
    If you want to keep the passwords saved by Firefox, click "No" in the window that appears.
    (this removes the tick from "Firefox saved passwords")
    Click the [b:5f0319d3c3]Empty Selected[/b:5f0319d3c3] button.

    Do the following if you also use [u:5f0319d3c3]Opera[/u:5f0319d3c3] as a browser:
    Click the "Opera" tab and tick [b:5f0319d3c3]Select All[/b:5f0319d3c3].
    If you want to keep the passwords saved by Opera, click "No" in the window that appears.
    Click the [b:5f0319d3c3]Empty Selected[/b:5f0319d3c3] button.
    Go to the "Main" tab and click the [b:5f0319d3c3]Exit[/b:5f0319d3c3] button to close the program.

    Uninstall ComboFix:
    Go to Start --> Run and type: [b:5f0319d3c3]combofix /u[/b:5f0319d3c3]
    ComboFix will now be removed and a new restore point created.

    To prevent a recurrence, read through these security tips again:
    http://www.jawwi.nl/nederlands/tips/beveiligen/beveiligen.html

    Pim
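Pim's diagnosis above (the file AVG keeps flagging is a copy inside a System Restore point, so quarantining it never stops the alert) can be checked from the AV report lines themselves. The following is an added example, not code from the thread or from AVG: it parses report lines in the shape quoted in this thread (a format assumed from those lines), groups them into detections, and tells restore-point copies under "System Volume Information\_restore{GUID}\RPnnn" apart from files in live locations; the GUID, file name and threat names in the sample are constructed.

```python
"""Triage helper for recurring AV alerts on files inside System Restore points.
Added example, not code from the thread or from AVG; the line format is modelled on
the AVG 7 report lines quoted in the thread, and every sample value is constructed."""
import re
from collections import OrderedDict

# Report line: "<yyyy/mm/dd hh:mm:ss> <user> <event> <@report-id> <value>" (assumed format).
# One detection is three such lines: the file path, an event id (@EID_...), the threat name.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\s+\S+\s+\S+\s+@\S+\s+(?P<value>.+)$"
)
# A file inside an XP System Restore point: ...\System Volume Information\_restore{GUID}\RP<n>\...
RESTORE_RE = re.compile(
    r"\\System Volume Information\\_restore\{(?P<guid>[0-9A-Fa-f-]{36})\}\\RP(?P<rp>\d+)\\",
    re.IGNORECASE,
)

# Constructed sample log: placeholder GUID, restore-point file name and threat names.
SAMPLE_LOG = r"""
2008/01/02 00:42:19 SYSTEM Virus @HL_ReportFindRS C:\System Volume Information\_restore{00000000-0000-0000-0000-000000000000}\RP1010\A0000001.exe
2008/01/02 00:42:19 SYSTEM Virus @HL_ReportFindRS @EID_Id_trj
2008/01/02 00:42:19 SYSTEM Virus @HL_ReportFindRS Trojan.Example.QU
2008/01/02 01:42:19 SYSTEM Virus @HL_ReportFindRS C:\System Volume Information\_restore{00000000-0000-0000-0000-000000000000}\RP1010\A0000001.exe
2008/01/02 01:42:19 SYSTEM Virus @HL_ReportFindRS @EID_Id_trj
2008/01/02 01:42:19 SYSTEM Virus @HL_ReportFindRS Trojan.Example.UE
2008/01/03 02:10:05 SYSTEM Virus @HL_ReportFindRS C:\WINDOWS\system32\example_dropper.exe
2008/01/03 02:10:05 SYSTEM Virus @HL_ReportFindRS @EID_Id_trj
2008/01/03 02:10:05 SYSTEM Virus @HL_ReportFindRS Trojan.Example.QU
"""


def parse_detections(text):
    """Group report lines into detections; a new detection starts at every path line."""
    detections, current = [], None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank line or not a report line
        value = m.group("value")
        if re.match(r"^[A-Za-z]:\\", value):
            current = {"time": m.group("ts"), "path": value, "event_id": None, "threat": None}
            detections.append(current)
        elif current is not None and value.startswith("@EID_"):
            current["event_id"] = value
        elif current is not None:
            current["threat"] = value
    return detections


def classify_path(path):
    """Restore-point copy (inert until the point is restored) versus a file in a live location."""
    m = RESTORE_RE.search(path)
    if m:
        return {"location": "restore_point", "restore_point": int(m.group("rp")),
                "restore_guid": m.group("guid").upper()}
    return {"location": "live", "restore_point": None, "restore_guid": None}


def summarize(text):
    """Per file (case-insensitive path): hit count, threat names seen and location class."""
    summary = OrderedDict()
    for det in parse_detections(text):
        key = det["path"].lower()
        if key not in summary:
            summary[key] = dict(path=det["path"], hits=0, threats=set(), **classify_path(det["path"]))
        summary[key]["hits"] += 1
        if det["threat"]:
            summary[key]["threats"].add(det["threat"])
    return summary


def recommendation(entry):
    """Defender's next step for one summarized file."""
    if entry["location"] == "restore_point":
        return ("inert copy in System Restore point RP%d: quarantining it does not silence the alert "
                "because the scanner keeps re-finding restore-point copies; flush the restore points "
                "and create one new, clean point" % entry["restore_point"])
    return "file in a live location: treat as an active infection and review its autostart entries"
```

Run summarize() over a real AVG report export and a file that shows up only under _restore{...}\RPnnn with changing variant suffixes (as in this thread) is the restore-point case; a hit in a live path is the one that needs the HijackThis/ComboFix treatment.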
  • OK, thanks. I'll have a look. By the way, why do you have to completely remove and reinstall Java every time; isn't there a way to simply update it? It's quite annoying this way, and as a layman you don't know that there is a new version and that you're running a risk with the old one. :?

This is an archived page. Replying is no longer possible.