Question & Answer

Security & privacy

Trojan horse BHO.CVX

18 answers
  • Lately I have been getting the following AVG "Threat Detected" message every few minutes: Trojan horse BHO.CVX. Who can help me get rid of this? Thanks in advance, Yo!
  • Download Hijackthis-setup (http://www.trendsecure.com/portal/en-US/threat_analytics/HJTInstall.exe) to your Desktop. Open HJTInstall and choose the location where you want to install Hijackthis. Then click Install; after a few seconds Hijackthis will open automatically. Now choose 'Do a system scan and save a logfile'. A Notepad file with a logfile will open. Select all of this text (ctrl-A), copy it (ctrl-C) and paste it into your next post. Good luck! 8) Pim
  • Here is the HijackThis log:
    Logfile of Trend Micro HijackThis v2.0.0 (BETA) Scan saved at 22:20:42, on 3-1-2008 Platform: Windows XP (WinNT 5.01.2600) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\SYSTEM32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe C:\WINPAT~1\WinPatrol.exe C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe C:\PROGRA~1\Grisoft\AVG7\avgcc.exe C:\PROGRA~1\Grisoft\AVG7\avgemc.exe C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\WINDOWS\System32\ctfmon.exe C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe C:\Program Files\Netropa\Onscreen Display\OSD.exe C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe C:\Documents and Settings\Adri\Bureaublad\HiJackThis_v2.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen F2 - REG:system.ini: UserInit=userinit.exe, O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon O4 - 
HKLM\..\Run: [WinPatrol] "c:\WINPAT~1\WinPatrol.exe" O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP O4 - HKLM\..\Run: [Internet Security Service ] msq23.exe O4 - HKLM\..\Run: [windle] windle.exe O4 - HKLM\..\RunServices: [Internet Security Service ] msq23.exe O4 - HKLM\..\RunServices: [] AWG.exe O4 - HKLM\..\RunServices: [windle] windle.exe O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Lokale service') O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Lokale service') O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Netwerkservice') O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\S-1-5-18\..\Run: [Internet Security Service ] msq23.exe (User 'SYSTEM') O4 - HKUS\S-1-5-18\..\Run: [Office Monitor] C:\WINDOWS\System32\alg32.exe (User 'SYSTEM') O4 - HKUS\S-1-5-18\..\Run: [ICQ Agent] C:\WINDOWS\System32\icq6.exe (User 'SYSTEM') O4 - HKUS\S-1-5-18\..\Run: [Messanger 7] C:\WINDOWS\System32\msgs7.exe (User 'SYSTEM') O4 - HKUS\S-1-5-18\..\RunServices: [MSN UPDATERS] virtualmemory.exe (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user') O4 - HKUS\.DEFAULT\..\RunServices: [MSN UPDATERS] virtualmemory.exe (User 'Default user') O4 - Global Startup: Adobe Reader Snelle start.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://D:\MICROS~1\Office10\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program 
Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE O16 - DPF: {018A066F-584A-422F-AC4C-0B1F5FE5C040} - http://advnt01.com/dialer/olanda_ver3.CAB O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab O16 - DPF: {2F003D51-39FD-4D18-9016-95CF70B92ABE} - http://download.movienetworks.com/install/US/altpmtscab.cab O16 - DPF: {9B4AA442-9EBF-11D5-8C11-0050DA4957F5} - http://www.cavello.com/dialxs/plugins/d/2/251/nl.exe O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game11.zylomgames.com/activex/zylomgamesplayer.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{DD3E7704-602A-456F-96AE-392478B62689}: NameServer = 62.58.50.11 62.58.50.6 O22 - SharedTaskScheduler: Preloader van browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll O22 - SharedTaskScheduler: Cache-daemon voor onderdeelcategorieën - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. 
- C:\PROGRA~1\Grisoft\AVG7\avgemc.exe O23 - Service: EnGenius Network Analysis Tool - Unknown owner - C:\WINDOWS\System32\dllcache\winegne.exe (file missing) O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe -- End of file - 6368 bytes
  • Start Hijackthis, choose 'do a system scan only' and tick the lines below:
    F2 - REG:system.ini: UserInit=userinit.exe,
    O4 - HKLM\..\Run: [Internet Security Service ] msq23.exe
    O4 - HKLM\..\Run: [windle] windle.exe
    O4 - HKLM\..\RunServices: [Internet Security Service ] msq23.exe
    O4 - HKLM\..\RunServices: [] AWG.exe
    O4 - HKLM\..\RunServices: [windle] windle.exe
    O4 - HKUS\S-1-5-18\..\Run: [Internet Security Service ] msq23.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [Office Monitor] C:\WINDOWS\System32\alg32.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [ICQ Agent] C:\WINDOWS\System32\icq6.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [Messanger 7] C:\WINDOWS\System32\msgs7.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunServices: [MSN UPDATERS] virtualmemory.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunServices: [MSN UPDATERS] virtualmemory.exe (User 'Default user')
    O16 - DPF: {018A066F-584A-422F-AC4C-0B1F5FE5C040} - http://advnt01.com/dialer/olanda_ver3.CAB
    Close all open windows except Hijackthis and click 'Fix checked'.
    Download Combofix (http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe) to your desktop. If you have used Combofix before, please delete that version and download Combofix again via the link above, because Combofix is updated daily.
    NOTE: if, during or after downloading Combofix or while using Combofix, you get a warning from your antivirus or another real-time scanner, disable that scanner and download Combofix again. Some scanners treat certain components that Combofix uses as suspicious and will block or delete them!
    Double-click combofix.exe. Choose "Continue" by typing 1 followed by ENTER.
    While the fix is running, do NOT click in the window, because this will make your PC hang. When the fix has finished and after the restart, the log combofix.txt will open.
    Post the Combofix log (combofix.txt) in your next reply together with a fresh Hijackthis log.
    Good luck! Pim
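The triage step in the post above (deciding which O4 lines to tick for 'Fix checked') written up as a small Python checker. This is an added example, not code from this thread or from HijackThis; the heuristics (bare file names, the RunServices key, empty value names, names that mimic core Windows binaries, services whose file is missing) and the list of Windows binary names are the example's own assumptions. The sample lines are constructed in HijackThis v2 format, several of them copied from the log posted in this thread, with a few known-good entries kept in as controls.

```python
"""Triage of HijackThis v2 log lines: flag autostart entries worth a closer look.

Added example; not code from this thread or from HijackThis. The heuristics and
the list of Windows binary names are this example's own assumptions.
"""
import re
from typing import List, Tuple

# Constructed sample in HijackThis v2 line format. Several entries echo the log
# posted in this thread; WinPatrol, ctfmon.exe, the Adobe shortcut and the AVG
# service are known-good controls that must NOT be flagged.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [WinPatrol] "c:\WINPAT~1\WinPatrol.exe"
O4 - HKLM\..\Run: [Internet Security Service ] msq23.exe
O4 - HKLM\..\RunServices: [] AWG.exe
O4 - HKUS\S-1-5-18\..\Run: [Office Monitor] C:\WINDOWS\System32\alg32.exe (User 'SYSTEM')
O4 - HKLM\..\Run: [Spooler SubSystem App] C:\WINDOWS\System32\spoolsvc.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Reader Snelle start.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O23 - Service: EnGenius Network Analysis Tool - Unknown owner - C:\WINDOWS\System32\dllcache\winegne.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
"""

# O4 line: "O4 - <key>\Run[Services]: [<value name>] <command> (User '<hive>')?"
O4_RE = re.compile(
    r"^O4 - (?P<key>[^:]+?\\(?P<subkey>Run\w*)): \[(?P<name>[^\]]*)\] "
    r"(?P<cmd>.*?)(?: \(User '[^']*'\))?$"
)
# First executable in the command, with or without surrounding quotes.
EXE_RE = re.compile(
    r'^"?(?P<path>[^"]*?\.(?:exe|com|bat|scr|pif|dll))"?(?:\s|$)', re.IGNORECASE
)
# Core Windows binaries that malware likes to imitate (assumed list, not exhaustive).
SYSTEM_BINARIES = sorted({"alg", "csrss", "ctfmon", "explorer", "lsass", "services",
                          "smss", "spoolsv", "svchost", "userinit", "winlogon"})


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike file names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_o4(m) -> List[str]:
    """Reasons an O4 autostart entry deserves scrutiny (empty list = nothing odd)."""
    reasons = []
    if not m["name"].strip():
        reasons.append("empty value name")
    if m["subkey"].lower() == "runservices":
        reasons.append("RunServices key: a Windows 9x-era key that XP software has no reason to use")
    exe = EXE_RE.match(m["cmd"])
    if exe is None:
        return reasons + ["command does not name an executable"]
    folder, _, filename = exe["path"].rpartition("\\")
    stem = filename.lower().rsplit(".", 1)[0]
    if not folder:
        reasons.append("bare file name without a directory: Windows has to search for it at logon")
    if stem in SYSTEM_BINARIES and not folder.lower().endswith(("\\windows", "\\system32")):
        reasons.append(f"Windows binary name {stem}.exe outside the Windows folder")
    for genuine in SYSTEM_BINARIES:
        if stem != genuine and (stem.startswith(genuine) or edit_distance(stem, genuine) <= 1):
            reasons.append(f"name mimics the Windows binary {genuine}.exe")
            break
    return reasons


def triage(log_text: str) -> List[Tuple[str, List[str]]]:
    """Return (line, reasons) for every O4/O23 entry the heuristics flag."""
    flagged = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            reasons = assess_o4(m)
        elif line.startswith("O23 - Service:") and line.endswith("(file missing)"):
            reasons = ["service entry whose binary is no longer on disk"]
        else:
            reasons = []
        if reasons:
            flagged.append((line, reasons))
    return flagged


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(line)
        for r in reasons:
            print("   ->", r)
```

Running it prints the five suspect sample entries with their reasons and stays quiet about the known-good controls. It is a first pass only: entries such as icq6.exe or msgs7.exe in the posted log were ticked by the helper on the strength of recognising the names, which needs a reference list this script does not carry.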
  • Here is the ComboFix log:
    ComboFix 08-01-03.4 - Adri 2008-01-03 22:48:24.2 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.0.1252.1.1043.18.76 [GMT 1:00] Gestart vanuit: C:\Documents and Settings\Adri\Bureaublad\ComboFix.exe * Nieuw herstelpunt werd aangemaakt . (((((((((((((((((((( Bestanden Gemaakt van 2007-12-03 to 2008-01-03 )))))))))))))))))))))))))))))) . 2008-01-03 22:45 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe 2008-01-03 21:46 . 2008-01-03 22:21 <DIR> dr-h----- C:\Documents and Settings\Adri\Onlangs geopend 2007-12-28 18:13 . 2007-12-28 18:13 <DIR> d-------- C:\Documents and Settings\Adri\Contacts 2007-12-28 18:10 . 2007-12-28 18:10 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE 2007-12-12 12:34 . 2007-12-12 12:34 427,016 --a------ C:\wingkka.exe 2007-12-07 13:11 . 19,456 C:\WINDOWS\system32\drivers\kwklkwot.dat 2007-12-04 13:45 . 2007-12-04 13:45 116,480 --a------ C:\WINDOWS\system32\sxtznrle.dat 2007-12-04 13:35 . 2008-01-03 14:02 <DIR> d-------- C:\WINDOWS\system32\AppCert 2007-12-04 13:35 . 2001-09-07 13:00 84,480 --a------ C:\WINDOWS\system32\dsauthw.dll.bak 2007-12-04 13:35 . 2007-12-04 13:35 16,384 --a------ C:\WINDOWS\system32\t4isiu0.exe 2007-12-04 13:34 . 2001-09-07 13:00 84,992 --a------ C:\WINDOWS\system32\EqnClassj.dll . ((((((((((((((((((((((((((((((((((((((( Find3M Rapport )))))))))))))))))))))))))))))))))))))))))))))))))))) . 
2008-01-03 19:56 --------- d-----w C:\Program Files\Google 2007-12-28 17:11 --------- d-----w C:\Program Files\MSN Messenger 2007-12-23 21:51 --------- d-----w C:\Program Files\kari 2007-12-02 13:46 --------- d-----w C:\Program Files\Mijn Paardenstal 2007-12-01 19:18 680,105 ----a-w C:\zena.exe 2007-12-01 19:18 --------- d-----w C:\Program Files\dfsdfsd 2007-12-01 19:17 991,304 ----a-w C:\z3na.exe 2007-11-25 13:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7 2007-11-13 14:10 38,649 ----a-w C:\WINDOWS\system32\kl.exe 2007-11-11 11:44 171,008 ----a-w C:\WINDOWS\system32\avvg.exe 2007-11-09 15:22 78,336 --sha-w C:\WINDOWS\system32\irdvxc.exe 2007-11-09 13:38 --------- d-----w C:\Program Files\Java 2006-02-27 23:54 26,958 ----a-w C:\Program Files\MovieLand Terms.html 2002-11-02 13:01 266 --sh--w C:\Program Files\desktop.ini 2002-11-02 13:01 11,209 ---ha-w C:\Program Files\folder.htt 2001-09-07 12:00 169,984 --sh--r C:\WINDOWS\system32\fixy.exe . ((((((((((((((((((((((((((((((((((((( Reg Opstartpunten ))))))))))))))))))))))))))))))))))))))))))))))))))) . . 
REGEDIT4 *Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BF1304BD-504B-441E-A401-35BD9E50BA94}] 2001-09-07 13:00 84992 --a------ C:\WINDOWS\system32\EqnClassj.dll [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2001-09-07 13:00 13312] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SpeedTouch USB Diagnostics"="C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" [2002-06-06 11:15 861184] "WinPatrol"="c:\WINPAT~1\WinPatrol.exe" [2005-04-12 11:31 230592] "MULTIMEDIA KEYBOARD"="C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe" [2003-04-24 00:12 176128] "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-10-25 21:12 77824] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496] "AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-23 21:11 579072] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "Microsoft Update Machine"="Linux.exe" [] "MSN UPDATERS"="virtualmemory.exe" [] "AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-11-25 15:55 219136] "Internet Security Service "="msq23.exe" [] R0 hpcceipw;hpcceipw;C:\WINDOWS\System32\drivers\kwklkwot.dat [] R1 msikbd2k;Multimedia Keyboard Filter Driver;C:\WINDOWS\System32\DRIVERS\msikbd2k.sys [2001-12-20 09:02] R2 nhksrv;Netropa NHK Server;C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe [2001-08-06 06:41] S2 EnGenius Network Analysis Tool;EnGenius Network Analysis Tool;"C:\WINDOWS\System32\dllcache\winegne.exe" [] S4 INService;Windows Installer Manager;C:\WINDOWS\System32\winins.exe [] S4 MSDisk;Network helper Service;"C:\WINDOWS\System32\irdvxc.exe" [2007-11-09 16:22] S4 MSWindows;Network Windows Service;"C:\WINDOWS\System32\urdvxc.exe" [] . 
    ************************************************************************** catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-01-03 22:50:47 Windows 5.1.2600 NTFS scannen van verborgen processen ... scannen van verborgen autostart items ... scannen van verborgen bestanden ... Scan succesvol afgerond verborgen bestanden: 0 ************************************************************************** . Voltooingstijd: 2008-01-03 22:52:20 ComboFix2.txt 2007-12-23 21:15:05
    And the fresh HijackThis log:
    Logfile of Trend Micro HijackThis v2.0.0 (BETA) Scan saved at 23:01:36, on 3-1-2008 Platform: Windows XP (WinNT 5.01.2600) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\SYSTEM32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe C:\WINPAT~1\WinPatrol.exe C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe C:\PROGRA~1\Grisoft\AVG7\avgcc.exe C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe C:\WINDOWS\System32\ctfmon.exe C:\PROGRA~1\Grisoft\AVG7\avgemc.exe C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe C:\Program Files\Netropa\Onscreen Display\OSD.exe C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe C:\Documents and Settings\Adri\Bureaublad\HiJackThis_v2.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
Koppelingen O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon O4 - HKLM\..\Run: [WinPatrol] "c:\WINPAT~1\WinPatrol.exe" O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Lokale service') O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Lokale service') O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Netwerkservice') O4 - HKUS\S-1-5-18\..\Run: [Microsoft Update Machine] Linux.exe (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [Microsoft Update Machine] Linux.exe (User 'Default user') O4 - Global Startup: Adobe Reader Snelle start.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://D:\MICROS~1\Office10\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra button: Real.com - 
{CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab O16 - DPF: {2F003D51-39FD-4D18-9016-95CF70B92ABE} - http://download.movienetworks.com/install/US/altpmtscab.cab O16 - DPF: {9B4AA442-9EBF-11D5-8C11-0050DA4957F5} - http://www.cavello.com/dialxs/plugins/d/2/251/nl.exe O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game11.zylomgames.com/activex/zylomgamesplayer.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{DD3E7704-602A-456F-96AE-392478B62689}: NameServer = 62.58.50.11 62.58.50.6 O22 - SharedTaskScheduler: Preloader van browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll O22 - SharedTaskScheduler: Cache-daemon voor onderdeelcategorieën - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. 
- C:\PROGRA~1\Grisoft\AVG7\avgemc.exe O23 - Service: EnGenius Network Analysis Tool - Unknown owner - C:\WINDOWS\System32\dllcache\winegne.exe (file missing) O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe -- End of file - 5500 bytes
  • Open Notepad, copy and paste the following text into an empty window:
    File::
    C:\wingkka.exe
    C:\WINDOWS\system32\drivers\kwklkwot.dat
    C:\WINDOWS\system32\sxtznrle.dat
    C:\WINDOWS\system32\dsauthw.dll.bak
    C:\WINDOWS\system32\t4isiu0.exe
    C:\WINDOWS\system32\EqnClassj.dll
    C:\zena.exe
    C:\z3na.exe
    C:\WINDOWS\system32\fixy.exe
    C:\WINDOWS\system32\kl.exe
    C:\WINDOWS\system32\avvg.exe
    Folder::
    C:\Program Files\dfsdfsd
    Driver::
    kwklkwot
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BF1304BD-504B-441E-A401-35BD9E50BA94}]
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "Microsoft Update Machine"=-
    "MSN UPDATERS"=-
    "Internet Security Service"=-
    Save this on your Desktop as CFScript.txt. Drag CFScript.txt onto ComboFix.exe as shown in the example below:
    (image: http://img.photobucket.com/albums/v666/sUBs/CFScript.gif)
    This will make ComboFix restart. Reboot if asked to, and post the contents of Combofix.txt in your next reply together with a new HijackThis log. How are your problems now? Good luck! Pim
  • After a lot of (repair) time the thing has restarted and I have not had the message again, so it looks like the horse is gone. Here are a few more logs:
    ComboFix 08-01-03.4 - Adri 2008-01-04 19:31:50.4 - NTFSx86 Gestart vanuit: C:\Documents and Settings\Adri\Bureaublad\ComboFix.exe Command switches used :: C:\Documents and Settings\Adri\Bureaublad\CFScript.txt * Nieuw herstelpunt werd aangemaakt FILE C:\WINDOWS\system32\avvg.exe C:\WINDOWS\system32\drivers\kwklkwot.dat C:\WINDOWS\system32\dsauthw.dll.bak C:\WINDOWS\system32\EqnClassj.dll C:\WINDOWS\system32\fixy.exe C:\WINDOWS\system32\kl.exe C:\WINDOWS\system32\sxtznrle.dat C:\WINDOWS\system32\t4isiu0.exe C:\wingkka.exe C:\z3na.exe C:\zena.exe . (((((((((((((((((((((((((((((((((( Andere Verwijderingen ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\Program Files\dfsdfsd C:\Program Files\dfsdfsd\aliases.ini C:\Program Files\dfsdfsd\cult.exe C:\Program Files\dfsdfsd\gt.x C:\Program Files\dfsdfsd\kiss.exe C:\Program Files\dfsdfsd\knlps.sys C:\Program Files\dfsdfsd\ksat.bat C:\Program Files\dfsdfsd\law.x C:\Program Files\dfsdfsd\lovely.sys C:\Program Files\dfsdfsd\mirc.ini C:\Program Files\dfsdfsd\murd3r C:\Program Files\dfsdfsd\orrl.exe C:\Program Files\dfsdfsd\pingy.exe C:\Program Files\dfsdfsd\ps2m.exe C:\Program Files\dfsdfsd\remote.ini C:\Program Files\dfsdfsd\repcale.exe C:\Program Files\dfsdfsd\w.e C:\WINDOWS\system32\avvg.exe C:\WINDOWS\system32\drivers\kwklkwot.dat C:\WINDOWS\system32\dsauthw.dll.bak C:\WINDOWS\system32\EqnClassj.dll C:\WINDOWS\system32\fixy.exe C:\WINDOWS\system32\kl.exe C:\WINDOWS\system32\sxtznrle.dat C:\WINDOWS\system32\t4isiu0.exe C:\wingkka.exe C:\z3na.exe C:\zena.exe . (((((((((((((((((((( Bestanden Gemaakt van 2007-12-04 to 2008-01-04 )))))))))))))))))))))))))))))) . 2008-01-04 19:26 . 2008-01-04 19:26 45,568 --a------ C:\WINDOWS\system32\ujvm.exe 2008-01-04 19:26 . 2008-01-04 19:26 45,568 --a------ C:\WINDOWS\system32\boqn.exe 2008-01-04 19:26 . 
2008-01-04 19:26 20,819 --a------ C:\WINDOWS\system32\nschl.exe 2008-01-04 19:26 . 2008-01-04 19:26 20,819 --a------ C:\WINDOWS\system32\fswb.exe 2008-01-04 17:01 . 2008-01-04 17:01 45,568 --a------ C:\WINDOWS\system32\jwbftp.exe 2008-01-04 17:01 . 2008-01-04 17:01 20,819 --a------ C:\WINDOWS\system32\tkmoky.exe 2008-01-04 16:59 . 2008-01-04 16:59 45,568 --a------ C:\WINDOWS\system32\ebwtupn.exe 2008-01-04 16:59 . 2008-01-04 16:59 20,819 --a------ C:\WINDOWS\system32\kyhecd.exe 2008-01-04 15:30 . 2008-01-04 15:30 45,568 --a------ C:\WINDOWS\system32\fwkxx.exe 2008-01-04 15:30 . 2008-01-04 15:30 20,819 --a------ C:\WINDOWS\system32\xdflcbmr.exe 2008-01-04 15:28 . 2008-01-04 15:28 45,568 --a------ C:\WINDOWS\system32\ivvx.exe 2008-01-04 15:28 . 2008-01-04 15:28 20,819 --a------ C:\WINDOWS\system32\xxwdl.exe 2008-01-04 13:06 . 2008-01-04 13:06 45,568 --a------ C:\WINDOWS\system32\jtuf.exe 2008-01-04 13:06 . 2008-01-04 13:06 20,819 --a------ C:\WINDOWS\system32\sgptbq.exe 2008-01-04 13:04 . 2008-01-04 13:04 45,568 --a------ C:\WINDOWS\system32\bwqfvg.exe 2008-01-04 13:04 . 2008-01-04 13:04 20,819 --a------ C:\WINDOWS\system32\dxts.exe 2008-01-04 12:56 . 2008-01-04 12:56 45,568 --a------ C:\WINDOWS\system32\zvozaygf.exe 2008-01-04 12:56 . 2008-01-04 12:56 45,568 --a------ C:\WINDOWS\system32\huwpggf.exe 2008-01-04 12:56 . 2008-01-04 12:56 20,819 --a------ C:\WINDOWS\system32\uxshewz.exe 2008-01-04 12:56 . 2008-01-04 12:56 20,819 --a------ C:\WINDOWS\system32\umnlzev.exe 2008-01-03 22:45 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe 2008-01-03 21:46 . 2008-01-04 19:29 <DIR> dr-h----- C:\Documents and Settings\Adri\Onlangs geopend 2007-12-28 18:13 . 2007-12-28 18:13 <DIR> d-------- C:\Documents and Settings\Adri\Contacts 2007-12-28 18:10 . 2007-12-28 18:10 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE 2007-12-04 13:35 . 2008-01-03 14:02 <DIR> d-------- C:\WINDOWS\system32\AppCert . 
((((((((((((((((((((((((((((((((((((((( Find3M Rapport )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-01-03 22:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy 2008-01-03 19:56 --------- d-----w C:\Program Files\Google 2007-12-28 17:11 --------- d-----w C:\Program Files\MSN Messenger 2007-12-23 21:51 --------- d-----w C:\Program Files\kari 2007-12-02 13:46 --------- d-----w C:\Program Files\Mijn Paardenstal 2007-11-25 13:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7 2007-11-09 15:22 78,336 --sha-w C:\WINDOWS\system32\irdvxc.exe 2007-11-09 13:38 --------- d-----w C:\Program Files\Java 2006-02-27 23:54 26,958 ----a-w C:\Program Files\MovieLand Terms.html 2002-11-02 13:01 266 --sh--w C:\Program Files\desktop.ini 2002-11-02 13:01 11,209 ---ha-w C:\Program Files\folder.htt . ((((((((((((((((((((((((((((( snapshot@2008-01-03_22.50.55,04 ))))))))))))))))))))))))))))))))))))))))) . + 2001-09-07 12:00:00 82,944 ---h--w C:\WINDOWS\system32\algs.exe + 2001-09-07 12:00:00 108,544 ---h--w C:\WINDOWS\system32\spoolsvc.exe . ((((((((((((((((((((((((((((((((((((( Reg Opstartpunten ))))))))))))))))))))))))))))))))))))))))))))))))))) . . 
REGEDIT4 *Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2001-09-07 13:00 13312] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SpeedTouch USB Diagnostics"="C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" [2002-06-06 11:15 861184] "WinPatrol"="c:\WINPAT~1\WinPatrol.exe" [2005-04-12 11:31 230592] "MULTIMEDIA KEYBOARD"="C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe" [2003-04-24 00:12 176128] "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-10-25 21:12 77824] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496] "AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-23 21:11 579072] "Spooler SubSystem App"="C:\WINDOWS\System32\spoolsvc.exe" [2001-09-07 13:00 108544] "Application Layer Gateway Service"="C:\WINDOWS\System32\algs.exe" [2001-09-07 13:00 82944] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-11-25 15:55 219136] "Internet Security Service "="msq23.exe" [] R1 msikbd2k;Multimedia Keyboard Filter Driver;C:\WINDOWS\System32\DRIVERS\msikbd2k.sys [2001-12-20 09:02] R2 nhksrv;Netropa NHK Server;C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe [2001-08-06 06:41] S0 hpcceipw;hpcceipw;C:\WINDOWS\System32\drivers\kwklkwot.dat [] S2 EnGenius Network Analysis Tool;EnGenius Network Analysis Tool;"C:\WINDOWS\System32\dllcache\winegne.exe" [] S4 INService;Windows Installer Manager;C:\WINDOWS\System32\winins.exe [] S4 MSDisk;Network helper Service;"C:\WINDOWS\System32\irdvxc.exe" [2007-11-09 16:22] S4 MSWindows;Network Windows Service;"C:\WINDOWS\System32\urdvxc.exe" [] . 
    ************************************************************************** catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-01-04 19:50:13 Windows 5.1.2600 NTFS scannen van verborgen processen ... scannen van verborgen autostart items ... scannen van verborgen bestanden ... C:\WINDOWS\system32\uuak.exe 45568 bytes executable ************************************************************************** . Voltooingstijd: 2008-01-04 19:54:13 - machine was rebooted ComboFix-quarantined-files.txt 2008-01-04 18:53:13 ComboFix2.txt 2008-01-04 18:21:11 ComboFix3.txt 2008-01-03 21:52:21 ComboFix4.txt 2007-12-23 21:15:05
    And:
    Logfile of Trend Micro HijackThis v2.0.0 (BETA) Scan saved at 19:59:16, on 4-1-2008 Platform: Windows XP (WinNT 5.01.2600) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\SYSTEM32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe C:\PROGRA~1\Grisoft\AVG7\avgemc.exe C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe C:\WINPAT~1\WinPatrol.exe C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe C:\PROGRA~1\Grisoft\AVG7\avgcc.exe C:\WINDOWS\System32\ctfmon.exe C:\WINDOWS\System32\algs.exe C:\WINDOWS\System32\spoolsvc.exe C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe C:\Program Files\Netropa\Onscreen Display\OSD.exe C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe C:\Documents and 
Settings\Adri\Bureaublad\HiJackThis_v2.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\SPYBOT~1\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon O4 - HKLM\..\Run: [WinPatrol] "c:\WINPAT~1\WinPatrol.exe" O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP O4 - HKLM\..\Run: [Spooler SubSystem App] C:\WINDOWS\System32\spoolsvc.exe O4 - HKLM\..\Run: [Application Layer Gateway Service] C:\WINDOWS\System32\algs.exe O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Lokale service') O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Lokale service') O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Netwerkservice') O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user') O4 - Global Startup: Adobe Reader 
Snelle start.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://D:\MICROS~1\Office10\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\SPYBOT~1\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\SPYBOT~1\SDHelper.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab O16 - DPF: {2F003D51-39FD-4D18-9016-95CF70B92ABE} - http://download.movienetworks.com/install/US/altpmtscab.cab O16 - DPF: {9B4AA442-9EBF-11D5-8C11-0050DA4957F5} - http://www.cavello.com/dialxs/plugins/d/2/251/nl.exe O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game11.zylomgames.com/activex/zylomgamesplayer.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{DD3E7704-602A-456F-96AE-392478B62689}: NameServer = 62.58.50.11 62.58.50.6 O22 - SharedTaskScheduler: Preloader van browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll O22 - SharedTaskScheduler: Cache-daemon voor onderdeelcategorieën - {8C7461EF-2B13-11d2-BE35-3078302C2030} - 
C:\WINDOWS\System32\browseui.dll O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe O23 - Service: EnGenius Network Analysis Tool - Unknown owner - C:\WINDOWS\System32\dllcache\winegne.exe (file missing) O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe -- End of file - 6098 bytes
  • Not clean yet :cry: Download SDFix (http://downloads.andymanchesta.com/RemovalTools/SDFix.zip) to your Desktop. Double-click to open it, select all files and extract them to a folder of their own named SDFix. Start your computer in Safe Mode (http://users.telenet.be/marcvn/spyware/1378056.htm). Open the SDFix folder and double-click runthis.bat to start the tool. Let the computer restart when asked. SDFix will carry on and open a short report when it is done. Post that report in your next reply together with a new HijackThis log. Pim
  • I am running SDFix, but since the restart it has been going for about an hour now with a window text along the lines of: Repairing registry, please wait. This isn't really getting anywhere.
  • Are you running SDFix in Safe Mode? Otherwise it will indeed not work.

1. Print these instructions or save them in a Notepad file; you will shortly have to work in Safe Mode, where you cannot get back to this page.

2. Start your computer in Safe Mode: http://users.telenet.be/marcvn/spyware/1378056.htm

3. Start HijackThis, choose 'Do a system scan only' and tick the lines below:

O4 - HKLM\..\Run: [Spooler SubSystem App] C:\WINDOWS\System32\spoolsvc.exe
O4 - HKLM\..\Run: [Application Layer Gateway Service] C:\WINDOWS\System32\algs.exe
O23 - Service: EnGenius Network Analysis Tool - Unknown owner - C:\WINDOWS\System32\dllcache\winegne.exe (file missing)

Now close all open windows except HijackThis and click 'Fix checked'.

4. Delete the files below:

C:\WINDOWS\System32\algs.exe
C:\WINDOWS\System32\spoolsvc.exe

Mind the file names: they look very much like the legitimate Windows file names!

Also delete:

C:\WINDOWS\system32\ujvm.exe
C:\WINDOWS\system32\boqn.exe
C:\WINDOWS\system32\nschl.exe
C:\WINDOWS\system32\fswb.exe
C:\WINDOWS\system32\jwbftp.exe
C:\WINDOWS\system32\tkmoky.exe
C:\WINDOWS\system32\ebwtupn.exe
C:\WINDOWS\system32\kyhecd.exe
C:\WINDOWS\system32\fwkxx.exe
C:\WINDOWS\system32\xdflcbmr.exe
C:\WINDOWS\system32\ivvx.exe
C:\WINDOWS\system32\xxwdl.exe
C:\WINDOWS\system32\jtuf.exe
C:\WINDOWS\system32\sgptbq.exe
C:\WINDOWS\system32\bwqfvg.exe
C:\WINDOWS\system32\dxts.exe
C:\WINDOWS\system32\zvozaygf.exe
C:\WINDOWS\system32\huwpggf.exe
C:\WINDOWS\system32\uxshewz.exe
C:\WINDOWS\system32\umnlzev.exe

5. Empty your Temp folders (note: empty the folders, do not delete them!):

C:\Windows\Temp
C:\Documents and Settings\<profile name>\Local Settings\Temp
C:\Documents and Settings\<profile name>\Local Settings\Temporary Internet Files
C:\Documents and Settings\<profile name>\Local Settings\Temporary Internet Files\content.ie5

If the last folder is not shown, go to the Temporary Internet Files folder, type \content.ie5 after it in the address bar and press Enter. Empty your Recycle Bin.

6. Now run SDFix again. After the restart, make a new ComboFix log and post it, together with the SDFix log, in your next reply. Good luck! Pim :)
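The two things the helper spots by eye above, a name one letter away from a real Windows binary (spoolsvc.exe next to spoolsv.exe, algs.exe next to alg.exe) and a service whose file is gone, can be checked mechanically. The following is an added example and not part of this thread or of HijackThis: it parses O4 and O23 lines, the sample lines are constructed after the log posted above (the svchost.exe line outside System32 is made up to show that check too), and the list of legitimate binaries and their directories is an assumption.

```python
"""Added example (not from the thread or from HijackThis): flag the two
signs the helper spots by eye in O4/O23 lines, namely executables whose
name is one edit away from a legitimate Windows binary, and services or
Run entries whose file is missing or sits outside its normal directory."""
import re
from pathlib import PureWindowsPath

# Legitimate Windows XP binaries that malware likes to imitate, with the
# directory each normally lives in (lower case). Assumed list for this example.
LEGIT_SYSTEM_BINARIES = {
    "spoolsv.exe": r"c:\windows\system32",
    "alg.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "smss.exe": r"c:\windows\system32",
    "ctfmon.exe": r"c:\windows\system32",
    "userinit.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

# Constructed sample built after the shape of the posted log; the
# "Generic Host" line (svchost.exe outside System32) is made up.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Spooler SubSystem App] C:\WINDOWS\System32\spoolsvc.exe
O4 - HKLM\..\Run: [Application Layer Gateway Service] C:\WINDOWS\System32\algs.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Lokale service')
O4 - HKLM\..\Run: [Generic Host] C:\WINDOWS\svchost.exe
O23 - Service: EnGenius Network Analysis Tool - Unknown owner - C:\WINDOWS\System32\dllcache\winegne.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
"""

O4_RE = re.compile(r"^O4 - (?P<hive>\S+)\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# First drive-letter path ending in .exe, with or without surrounding quotes.
PATH_RE = re.compile(r'"?(?P<path>[A-Za-z]:\\[^"]*?\.exe)"?', re.IGNORECASE)


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance (insert, delete, substitute cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_entry(target: str) -> list:
    """Findings for the command/path part of one O4 or O23 line."""
    findings = []
    if "(file missing)" in target:
        findings.append("binary missing on disk")
    match = PATH_RE.search(target)
    if not match:
        return findings
    path = PureWindowsPath(match["path"])
    name, parent = path.name.lower(), str(path.parent).lower()
    if name in LEGIT_SYSTEM_BINARIES:
        expected = LEGIT_SYSTEM_BINARIES[name]
        if parent != expected:
            findings.append(f"{name} outside {expected}: {path}")
    else:
        # One edit away from a real system binary (spoolsvc vs spoolsv,
        # algs vs alg) is the classic look-alike trick.
        for legit in sorted(LEGIT_SYSTEM_BINARIES):
            if edit_distance(path.stem.lower(), legit[:-4]) == 1:
                findings.append(f"look-alike of {legit}: {name}")
    return findings


def scan_hjt_log(text: str) -> dict:
    """Map 'O4:<name>' / 'O23:<display>' to findings; clean entries are omitted."""
    report = {}
    for line in text.splitlines():
        line = line.strip()
        if m := O4_RE.match(line):
            key, target = f"O4:{m['name']}", m["cmd"]
        elif m := O23_RE.match(line):
            key, target = f"O23:{m['display']}", m["path"]
        else:
            continue
        if findings := check_entry(target):
            report[key] = findings
    return report


if __name__ == "__main__":
    for key, findings in scan_hjt_log(SAMPLE_LOG).items():
        print(key, "->", "; ".join(findings))
```

A hit from this scanner is a reason to look closer (signer, hash, creation time, as the tools in this thread do), not a verdict on its own.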
  • OK, here we are again... SDFix did finish yesterday after about 4 hours; below the log plus the ComboFix log after carrying out your instructions. A few files could not be found; the rest has been deleted.

ComboFix 08-01-03.4 - Adri 2008-01-06 16:54:21.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.0.1252.1.1043.18.72 [GMT 1:00]
Gestart vanuit: C:\Documents and Settings\Adri\Bureaublad\ComboFix.exe
.
(((((((((((((((((((( Bestanden Gemaakt van 2007-12-06 to 2008-01-06 ))))))))))))))))))))))))))))))
.
2008-01-05 16:19 . 2008-01-05 16:19 <DIR> d-------- C:\WINDOWS\ERUNT
2008-01-05 12:51 . 2008-01-05 12:51 45,568 --a------ C:\WINDOWS\system32\onmzwt.exe
2008-01-05 12:51 . 2008-01-05 12:51 20,819 --a------ C:\WINDOWS\system32\aduzqsx.exe
2008-01-05 12:49 . 2008-01-05 12:49 45,568 --a------ C:\WINDOWS\system32\ihkjq.exe
2008-01-05 12:49 . 2008-01-05 12:49 20,819 --a------ C:\WINDOWS\system32\lcbabi.exe
2008-01-04 19:51 . 2008-01-04 19:51 45,568 --a------ C:\WINDOWS\system32\uuak.exe
2008-01-04 19:51 . 2008-01-04 19:51 20,819 --a------ C:\WINDOWS\system32\zoicdvee.exe
2008-01-04 19:50 . 2008-01-04 19:50 45,568 --a------ C:\WINDOWS\system32\xblibm.exe
2008-01-04 19:50 . 2008-01-04 19:50 20,819 --a------ C:\WINDOWS\system32\atxgll.exe
2008-01-04 19:26 . 2008-01-04 19:26 45,568 --a------ C:\WINDOWS\system32\ujvm.exe
2008-01-03 22:45 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-03 21:46 . 2008-01-06 16:26 <DIR> dr-h----- C:\Documents and Settings\Adri\Onlangs geopend
2007-12-28 18:13 . 2007-12-28 18:13 <DIR> d-------- C:\Documents and Settings\Adri\Contacts
2007-12-28 18:10 . 2007-12-28 18:10 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
.
((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-06 07:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-01-03 22:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-03 19:56 --------- d-----w C:\Program Files\Google
2007-12-28 17:11 --------- d-----w C:\Program Files\MSN Messenger
2007-12-23 21:51 --------- d-----w C:\Program Files\kari
2007-12-02 13:46 --------- d-----w C:\Program Files\Mijn Paardenstal
2007-11-09 13:38 --------- d-----w C:\Program Files\Java
2006-02-27 23:54 26,958 ----a-w C:\Program Files\MovieLand Terms.html
2002-11-02 13:01 266 --sh--w C:\Program Files\desktop.ini
2002-11-02 13:01 11,209 ---ha-w C:\Program Files\folder.htt
.
((((((((((((((((((((((((((((( snapshot@2008-01-03_22.50.55,04 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-05 05:57:26 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2008-01-05 16:23:15 4,345,856 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2008-01-05 16:23:15 147,456 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-01-05 05:57:26 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2008-01-05 15:19:34 4,345,856 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
+ 2008-01-05 15:19:34 147,456 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
.
((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2001-09-07 13:00 13312]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpeedTouch USB Diagnostics"="C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" [2002-06-06 11:15 861184]
"WinPatrol"="c:\WINPAT~1\WinPatrol.exe" [2005-04-12 11:31 230592]
"MULTIMEDIA KEYBOARD"="C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe" [2003-04-24 00:12 176128]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-10-25 21:12 77824]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-23 21:11 579072]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2001-09-07 13:00 147456]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-11-25 15:55 219136]
"Internet Security Service "="msq23.exe" []

R1 msikbd2k;Multimedia Keyboard Filter Driver;C:\WINDOWS\System32\DRIVERS\msikbd2k.sys [2001-12-20 09:02]
R2 nhksrv;Netropa NHK Server;C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe [2001-08-06 06:41]
S0 hpcceipw;hpcceipw;C:\WINDOWS\System32\drivers\kwklkwot.dat []
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-06 16:55:49
Windows 5.1.2600 NTFS

scannen van verborgen processen ...
scannen van verborgen autostart items ...
scannen van verborgen bestanden ...

Scan succesvol afgerond
verborgen bestanden: 0

**************************************************************************
.
Voltooingstijd: 2008-01-06 16:56:46
ComboFix-quarantined-files.txt 2008-01-06 15:56:25
ComboFix2.txt 2008-01-04 18:54:14
ComboFix3.txt 2008-01-04 18:21:11
ComboFix4.txt 2008-01-03 21:52:21
ComboFix5.txt 2007-12-23 21:15:05

SDFix: Version 1.124
Run by Adri on za 05-01-2008 at 17:23
Microsoft Windows XP [versie 5.1.2600]
Running From: C:\DOWNLO~1\TIJDEL~1\SDFix

Safe Mode:
Checking Services:

Name:
EnGenius Network Analysis Tool
INService
MSDisk
MSWindows

Path:

EnGenius Network Analysis Tool - Deleted
INService - Deleted
MSDisk - Deleted
MSWindows - Deleted

Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...

Normal Mode:
Checking Files:

Trojan Files Found:
C:\WINDOWS\SYSTEM32\DP.EXE - Deleted
C:\WINDOWS\SYSTEM32\FTPUPD.EXE - Deleted
C:\WINDOWS\SYSTEM32\IT.EXE - Deleted
C:\WINDOWS\SYSTEM32\KMCAFE.EXE - Deleted
C:\WINDOWS\SYSTEM32\NMSQ22.EXE - Deleted
C:\WINDOWS\SYSTEM32\REGFIX.EXE - Deleted
C:\WINDOWS\SYSTEM32\SCRCON~1.EXE - Deleted
C:\WINDOWS\system32\CatRoot\TMP15.tmp - Deleted
C:\WINDOWS\system32\CatRoot\TMP16.tmp - Deleted
C:\WINDOWS\system32\CatRoot\TMP18.tmp - Deleted
C:\WINDOWS\system32\CatRoot\TMP1A.tmp - Deleted
C:\WINDOWS\system32\CatRoot\TMP1B.tmp - Deleted
C:\WINDOWS\system32\CatRoot\TMP1D.tmp - Deleted
C:\WINDOWS\system32\CatRoot\TMP1E.tmp - Deleted
C:\WINDOWS\system32\CatRoot\TMP20.tmp - Deleted
C:\WINDOWS\system32\CatRoot\TMP21.tmp - Deleted
C:\WINDOWS\system32\CatRoot\TMP23.tmp - Deleted
C:\WINDOWS\system32\CatRoot\TMP24.tmp - Deleted
C:\WINDOWS\system32\CatRoot\TMP26.tmp - Deleted
C:\WINDOWS\system32\CatRoot\TMP27.tmp - Deleted
C:\WINDOWS\system32\CatRoot\TMP29.tmp - Deleted
C:\WINDOWS\system32\CatRoot\TMP2A.tmp - Deleted
C:\WINDOWS\system32\CatRoot\TMP2C.tmp - Deleted
C:\WINDOWS\system32\CatRoot\TMP2D.tmp - Deleted
C:\WINDOWS\system32\CatRoot\TMP2F.tmp - Deleted
C:\WINDOWS\system32\CatRoot\TMP30.tmp - Deleted
C:\WINDOWS\system32\CatRoot\TMP32.tmp - Deleted
C:\WINDOWS\system32\CatRoot\TMP33.tmp - Deleted
C:\WINDOWS\system32\CatRoot\TMP35.tmp - Deleted
C:\WINDOWS\system32\CatRoot\TMP36.tmp - Deleted
C:\WINDOWS\system32\CatRoot\TMP38.tmp - Deleted
C:\WINDOWS\system32\CatRoot\TMP39.tmp - Deleted
C:\WINDOWS\system32\CatRoot\TMP3B.tmp - Deleted
C:\WINDOWS\system32\261.tmp - Deleted
C:\WINDOWS\system32\algs.exe - Deleted
C:\WINDOWS\system32\irdvxc.exe - Deleted
C:\WINDOWS\system32\spoolsvc.exe - Deleted
C:\WINDOWS\system32\TFTP1424 - Deleted
C:\WINDOWS\system32\TFTP1644 - Deleted
C:\WINDOWS\system32\TFTP2092 - Deleted
C:\WINDOWS\system32\TFTP2108 - Deleted
C:\WINDOWS\system32\TFTP220 - Deleted
C:\WINDOWS\system32\TFTP2404 - Deleted
C:\WINDOWS\system32\TFTP2908 - Deleted
C:\WINDOWS\system32\TFTP3192 - Deleted
C:\WINDOWS\system32\TFTP3328 - Deleted
C:\WINDOWS\system32\TFTP3336 - Deleted
C:\WINDOWS\system32\TFTP3384 - Deleted
C:\WINDOWS\system32\TFTP3760 - Deleted
  • It is starting to look better and better! Could you check once more whether you posted the complete SDFix report? It does not look complete to me.

Open Notepad and copy and paste the following text into an empty window:

File::
C:\WINDOWS\system32\onmzwt.exe
C:\WINDOWS\system32\aduzqsx.exe
C:\WINDOWS\system32\ihkjq.exe
C:\WINDOWS\system32\lcbabi.exe
C:\WINDOWS\system32\uuak.exe
C:\WINDOWS\system32\zoicdvee.exe
C:\WINDOWS\system32\xblibm.exe
C:\WINDOWS\system32\atxgll.exe
C:\WINDOWS\system32\ujvm.exe
C:\WINDOWS\System32\drivers\kwklkwot.dat

Driver::
kwklkwot

Registry::
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Internet Security Service "=-

Save this on your Desktop as CFScript.txt. Drag CFScript.txt onto ComboFix.exe as shown in this example image: http://img.photobucket.com/albums/v666/sUBs/CFScript.gif

This will make ComboFix restart. Reboot when asked, and post the contents of Combofix.txt in your next reply together with a new HijackThis log. Good luck! Pim
  • Here, hopefully, is the complete SDFix report once more, plus the ComboFix log and the HijackThis log:

SDFix: Version 1.124
Run by Adri on za 05-01-2008 at 17:23
Microsoft Windows XP [versie 5.1.2600]
Running From: C:\DOWNLO~1\TIJDEL~1\SDFix

Safe Mode:
Checking Services:

Name:
EnGenius Network Analysis Tool
INService
MSDisk
MSWindows

Path:

EnGenius Network Analysis Tool - Deleted
INService - Deleted
MSDisk - Deleted
MSWindows - Deleted

Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...

Normal Mode:
Checking Files:

Trojan Files Found:
C:\WINDOWS\SYSTEM32\DP.EXE - Deleted
C:\WINDOWS\SYSTEM32\FTPUPD.EXE - Deleted
C:\WINDOWS\SYSTEM32\IT.EXE - Deleted
C:\WINDOWS\SYSTEM32\KMCAFE.EXE - Deleted
C:\WINDOWS\SYSTEM32\NMSQ22.EXE - Deleted
C:\WINDOWS\SYSTEM32\REGFIX.EXE - Deleted
C:\WINDOWS\SYSTEM32\SCRCON~1.EXE - Deleted
C:\WINDOWS\system32\CatRoot\TMP15.tmp - Deleted
C:\WINDOWS\system32\CatRoot\TMP16.tmp - Deleted
C:\WINDOWS\system32\CatRoot\TMP18.tmp - Deleted
C:\WINDOWS\system32\CatRoot\TMP1A.tmp - Deleted
C:\WINDOWS\system32\CatRoot\TMP1B.tmp - Deleted
C:\WINDOWS\system32\CatRoot\TMP1D.tmp - Deleted
C:\WINDOWS\system32\CatRoot\TMP1E.tmp - Deleted
C:\WINDOWS\system32\CatRoot\TMP20.tmp - Deleted
C:\WINDOWS\system32\CatRoot\TMP21.tmp - Deleted
C:\WINDOWS\system32\CatRoot\TMP23.tmp - Deleted
C:\WINDOWS\system32\CatRoot\TMP24.tmp - Deleted
C:\WINDOWS\system32\CatRoot\TMP26.tmp - Deleted
C:\WINDOWS\system32\CatRoot\TMP27.tmp - Deleted
C:\WINDOWS\system32\CatRoot\TMP29.tmp - Deleted
C:\WINDOWS\system32\CatRoot\TMP2A.tmp - Deleted
C:\WINDOWS\system32\CatRoot\TMP2C.tmp - Deleted
C:\WINDOWS\system32\CatRoot\TMP2D.tmp - Deleted
C:\WINDOWS\system32\CatRoot\TMP2F.tmp - Deleted
C:\WINDOWS\system32\CatRoot\TMP30.tmp - Deleted
C:\WINDOWS\system32\CatRoot\TMP32.tmp - Deleted
C:\WINDOWS\system32\CatRoot\TMP33.tmp - Deleted
C:\WINDOWS\system32\CatRoot\TMP35.tmp - Deleted
C:\WINDOWS\system32\CatRoot\TMP36.tmp - Deleted
C:\WINDOWS\system32\CatRoot\TMP38.tmp - Deleted
C:\WINDOWS\system32\CatRoot\TMP39.tmp - Deleted
C:\WINDOWS\system32\CatRoot\TMP3B.tmp - Deleted
C:\WINDOWS\system32\261.tmp - Deleted
C:\WINDOWS\system32\algs.exe - Deleted
C:\WINDOWS\system32\irdvxc.exe - Deleted
C:\WINDOWS\system32\spoolsvc.exe - Deleted
C:\WINDOWS\system32\TFTP1424 - Deleted
C:\WINDOWS\system32\TFTP1644 - Deleted
C:\WINDOWS\system32\TFTP2092 - Deleted
C:\WINDOWS\system32\TFTP2108 - Deleted
C:\WINDOWS\system32\TFTP220 - Deleted
C:\WINDOWS\system32\TFTP2404 - Deleted
C:\WINDOWS\system32\TFTP2908 - Deleted
C:\WINDOWS\system32\TFTP3192 - Deleted
C:\WINDOWS\system32\TFTP3328 - Deleted
C:\WINDOWS\system32\TFTP3336 - Deleted
C:\WINDOWS\system32\TFTP3384 - Deleted
C:\WINDOWS\system32\TFTP3760 - Deleted

Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.

Final Check:

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-05 18:26:59
Windows 5.1.2600 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\\xac ?]
"Type"=dword:00000110
"Start"=dword:00000004
"ErrorControl"=dword:00000000
"ImagePath"=str(2):""C:\WINDOWS\msnmsgr.exe""
"DisplayName"="\x00be2\2:\xa1/\rw\27\a\xf9:G\x178\xb7si\xd6"
"ObjectName"="LocalSystem"
"FailureActions"=hex:0a,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,00,00,00,00,01,..
"Description"="\x00be2\2:\xa1/\rw\27\a\xf9:G\x178\xb7si\xd6z\r\26\xf0\x90r<"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\\xac ?\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\\xac ?]
"Type"=dword:00000110
"Start"=dword:00000004
"ErrorControl"=dword:00000000
"ImagePath"=str(2):""C:\WINDOWS\msnmsgr.exe""
"DisplayName"="\x00be2\2:\xa1/\rw\27\a\xf9:G\x178\xb7si\xd6"
"ObjectName"="LocalSystem"
"FailureActions"=hex:0a,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,00,00,00,00,01,..
"Description"="\x00be2\2:\xa1/\rw\27\a\xf9:G\x178\xb7si\xd6z\r\26\xf0\x90r<"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\\xac ?\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,..

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 1
hidden files: 0

Remaining Services:
------------------

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files:
---------------

File Backups: - C:\DOWNLO~1\TIJDEL~1\SDFix\backups\backups.zip

Files with Hidden Attributes:

Sat 2 Nov 2002 134 ..SH. --- "C:\AUTOEXEC.BAK"
Wed 5 May 1999 96,546 ..SH. --- "C:\COMMAND.COM"
Sat 2 Nov 2002 1,676 A.SHR --- "C:\MSDOS.BAK"
Sat 2 Nov 2002 7,809 ..SH. --- "C:\SUHDLOG.BAK"
Wed 5 May 1999 53,248 A..H. --- "C:\Program Files\Accessories\mspcx32.dll"
Sat 9 Oct 2004 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Mon 11 Aug 2003 1,206 A..HR --- "C:\Program Files\Common Files\Symantec Shared\Registry Backup\ccReg.reg"
Sun 16 Feb 2003 1,206 A..HR --- "C:\Program Files\Common Files\Symantec Shared\Registry Backup\ccReg_old.reg"
Sun 16 Feb 2003 12,580 A..HR --- "C:\Program Files\Common Files\Symantec Shared\Registry Backup\CommonClient_old.reg"
Mon 11 Aug 2003 12,580 A..HR --- "C:\Program Files\Common Files\Symantec Shared\Registry Backup\CommonClient.reg"

Finished!

ComboFix 08-01-03.4 - Adri 2008-01-07 16:18:24.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.0.1252.1.1043.18.119 [GMT 1:00]
Gestart vanuit: C:\Documents and Settings\Adri\Bureaublad\ComboFix.exe
Command switches used :: C:\Documents and Settings\Adri\Bureaublad\CFScript.txt

FILE
C:\WINDOWS\system32\aduzqsx.exe
C:\WINDOWS\system32\atxgll.exe
C:\WINDOWS\System32\drivers\kwklkwot.dat
C:\WINDOWS\system32\ihkjq.exe
C:\WINDOWS\system32\lcbabi.exe
C:\WINDOWS\system32\onmzwt.exe
C:\WINDOWS\system32\ujvm.exe
C:\WINDOWS\system32\uuak.exe
C:\WINDOWS\system32\xblibm.exe
C:\WINDOWS\system32\zoicdvee.exe
.
(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\aduzqsx.exe
C:\WINDOWS\system32\atxgll.exe
C:\WINDOWS\system32\ihkjq.exe
C:\WINDOWS\system32\lcbabi.exe
C:\WINDOWS\system32\onmzwt.exe
C:\WINDOWS\system32\ujvm.exe
C:\WINDOWS\system32\uuak.exe
C:\WINDOWS\system32\xblibm.exe
C:\WINDOWS\system32\zoicdvee.exe
.
(((((((((((((((((((( Bestanden Gemaakt van 2007-12-07 to 2008-01-07 ))))))))))))))))))))))))))))))
.
2008-01-06 17:04 . 2008-01-07 16:13 <DIR> dr-h----- C:\Documents and Settings\Adri\Onlangs geopend
2008-01-05 16:19 . 2008-01-05 16:19 <DIR> d-------- C:\WINDOWS\ERUNT
2008-01-03 22:45 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-12-28 18:13 . 2007-12-28 18:13 <DIR> d-------- C:\Documents and Settings\Adri\Contacts
2007-12-28 18:10 . 2007-12-28 18:10 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
.
((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-06 07:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-01-03 22:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-03 19:56 --------- d-----w C:\Program Files\Google
2007-12-28 17:11 --------- d-----w C:\Program Files\MSN Messenger
2007-12-23 21:51 --------- d-----w C:\Program Files\kari
2007-12-02 13:46 --------- d-----w C:\Program Files\Mijn Paardenstal
2007-11-09 13:38 --------- d-----w C:\Program Files\Java
2006-02-27 23:54 26,958 ----a-w C:\Program Files\MovieLand Terms.html
2002-11-02 13:01 266 --sh--w C:\Program Files\desktop.ini
2002-11-02 13:01 11,209 ---ha-w C:\Program Files\folder.htt
.
((((((((((((((((((((((((((((( snapshot@2008-01-03_22.50.55,04 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-05 05:57:26 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2008-01-05 16:23:15 4,345,856 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2008-01-05 16:23:15 147,456 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-01-05 05:57:26 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2008-01-05 15:19:34 4,345,856 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
+ 2008-01-05 15:19:34 147,456 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
.
((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2001-09-07 13:00 13312]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpeedTouch USB Diagnostics"="C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" [2002-06-06 11:15 861184]
"WinPatrol"="c:\WINPAT~1\WinPatrol.exe" [2005-04-12 11:31 230592]
"MULTIMEDIA KEYBOARD"="C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe" [2003-04-24 00:12 176128]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-10-25 21:12 77824]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-23 21:11 579072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-11-25 15:55 219136]

R1 msikbd2k;Multimedia Keyboard Filter Driver;C:\WINDOWS\System32\DRIVERS\msikbd2k.sys [2001-12-20 09:02]
R2 nhksrv;Netropa NHK Server;C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe [2001-08-06 06:41]
S0 hpcceipw;hpcceipw;C:\WINDOWS\System32\drivers\kwklkwot.dat []
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-07 16:24:38
Windows 5.1.2600 NTFS

scannen van verborgen processen ...
scannen van verborgen autostart items ...
scannen van verborgen bestanden ...

Scan succesvol afgerond
verborgen bestanden: 0

**************************************************************************
.
Voltooingstijd: 2008-01-07 16:25:28
ComboFix-quarantined-files.txt 2008-01-07 15:25:08
ComboFix2.txt 2008-01-06 15:56:47
ComboFix3.txt 2008-01-04 18:54:14
ComboFix4.txt 2008-01-04 18:21:11
ComboFix5.txt 2008-01-03 21:52:21

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 16:37:15, on 7-1-2008
Platform: Windows XP (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\WINPAT~1\WinPatrol.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Documents and Settings\Adri\Bureaublad\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [WinPatrol] "c:\WINPAT~1\WinPatrol.exe"
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Lokale service')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Netwerkservice')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Snelle start.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://D:\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {2F003D51-39FD-4D18-9016-95CF70B92ABE} - http://download.movienetworks.com/install/US/altpmtscab.cab
O16 - DPF: {9B4AA442-9EBF-11D5-8C11-0050DA4957F5} - http://www.cavello.com/dialxs/plugins/d/2/251/nl.exe
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game11.zylomgames.com/activex/zylomgamesplayer.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{DD3E7704-602A-456F-96AE-392478B62689}: NameServer = 62.58.50.11 62.58.50.6
O22 - SharedTaskScheduler: Preloader van browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Cache-daemon voor onderdeelcategorieën - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe

--
End of file - 5753 bytes
  • Download the latest version of HijackThis: http://www.trendsecure.com/portal/en-US/threat_analytics/HJTInstall.exe
Download RVAXO.exe (http://home.hetnet.nl/~stefsmeenk/RVAXO.exe). Save the file to your desktop, then double-click it. You can let the program extract to your desktop. Now open the RVAXO folder on your desktop and double-click RVAXO.cmd. A window will open in which a few lines about files that were not found will scroll past quickly; this is normal. Possibly an uninstaller of a rogue scanner will start as well; do not close it, but follow any instructions and let it do its work. After that your PC will restart; after the restart the RVAXO window opens again. Let it run and wait until a logfile opens. It can also be found here: C:\RVAXO-results.log. Post its contents in your next message together with a new HijackThis log.
Did your PC not restart? Run RVAXO once more and then post the new log: C:\rvaxo-results.log
Then go to the Windows Update site and download at least SP1. Restart your PC in safe mode and make a new log with SDFix. Post it together with the RVAXO log. Pim
  • Here are some new logs again.

SDFix: Version 1.124
Run by Adri on di 08-01-2008 at 16:30

Microsoft Windows XP [versie 5.1.2600]
Running From: C:\DOWNLO~1\TIJDEL~1\SDFix

Safe Mode:
Checking Services:

Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...

Normal Mode:
Checking Files:

No Trojan Files Found

Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.

Final Check:

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-08 16:58:34
Windows 5.1.2600 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\\xac ?]
"Type"=dword:00000110
"Start"=dword:00000004
"ErrorControl"=dword:00000000
"ImagePath"=str(2):""C:\WINDOWS\msnmsgr.exe""
"DisplayName"="\x00be2\2:\xa1/\rw\27\a\xf9:G\x178\xb7si\xd6"
"ObjectName"="LocalSystem"
"FailureActions"=hex:0a,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,00,00,00,00,01,..
"Description"="\x00be2\2:\xa1/\rw\27\a\xf9:G\x178\xb7si\xd6z\r\26\xf0\x90r<"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\\xac ?\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\\xac ?]
"Type"=dword:00000110
"Start"=dword:00000004
"ErrorControl"=dword:00000000
"ImagePath"=str(2):""C:\WINDOWS\msnmsgr.exe""
"DisplayName"="\x00be2\2:\xa1/\rw\27\a\xf9:G\x178\xb7si\xd6"
"ObjectName"="LocalSystem"
"FailureActions"=hex:0a,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,00,00,00,00,01,..
"Description"="\x00be2\2:\xa1/\rw\27\a\xf9:G\x178\xb7si\xd6z\r\26\xf0\x90r<"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\\xac ?\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,..

scanning hidden registry entries ...

scanning hidden files ...

IPC error: 2 Het systeem kan het opgegeven bestand niet vinden.
scan completed successfully
hidden processes: 0
hidden services: 1
hidden files: 0

Remaining Services:
------------------

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files:
---------------

Files with Hidden Attributes:

Sat 2 Nov 2002 134 ..SH. --- "C:\AUTOEXEC.BAK"
Wed 5 May 1999 96,546 ..SH. --- "C:\COMMAND.COM"
Sat 2 Nov 2002 1,676 A.SHR --- "C:\MSDOS.BAK"
Sat 2 Nov 2002 7,809 ..SH. --- "C:\SUHDLOG.BAK"
Wed 5 May 1999 53,248 A..H. --- "C:\Program Files\Accessories\mspcx32.dll"
Sat 9 Oct 2004 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Mon 11 Aug 2003 1,206 A..HR --- "C:\Program Files\Common Files\Symantec Shared\Registry Backup\ccReg.reg"
Sun 16 Feb 2003 1,206 A..HR --- "C:\Program Files\Common Files\Symantec Shared\Registry Backup\ccReg_old.reg"
Sun 16 Feb 2003 12,580 A..HR --- "C:\Program Files\Common Files\Symantec Shared\Registry Backup\CommonClient_old.reg"
Mon 11 Aug 2003 12,580 A..HR --- "C:\Program Files\Common Files\Symantec Shared\Registry Backup\CommonClient.reg"

Finished!

----------------RVAXO.exe first run-------------

Files found:

Uninstallers Rogue scanners:

Folders Found:

Hosts-file was reset, If you use a custom hosts file please replace it...

--------------RVAXO.exe last run---------------

Files found:

Folders Found:

--------------RVAXO.exe finished----------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:09:57, on 8-1-2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
D:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [WinPatrol] "c:\WINPAT~1\WinPatrol.exe"
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Lokale service')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Netwerkservice')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Snelle start.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://D:\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {2F003D51-39FD-4D18-9016-95CF70B92ABE} - http://download.movienetworks.com/install/US/altpmtscab.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1199805747080
O16 - DPF: {9B4AA442-9EBF-11D5-8C11-0050DA4957F5} - http://www.cavello.com/dialxs/plugins/d/2/251/nl.exe
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game11.zylomgames.com/activex/zylomgamesplayer.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{DD3E7704-602A-456F-96AE-392478B62689}: NameServer = 62.58.50.11 62.58.50.6
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe

--
End of file - 5203 bytes
  • I would in any case still fix the following 2 entries with HijackThis:
O16 - DPF: {2F003D51-39FD-4D18-9016-95CF70B92ABE} - http://download.movienetworks.com/install/US/altpmtscab.cab
O16 - DPF: {9B4AA442-9EBF-11D5-8C11-0050DA4957F5} - http://www.cavello.com/dialxs/plugins/d/2/251/nl.exe
Regards, Emiel
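A mechanical way to pick out the kind of entries Emiel points at, as an added example that is not part of the thread and is not HijackThis's own code: the script below reads HijackThis log lines and applies a few review rules to the O16 (Downloaded Program Files), O17 (DNS) and O23 (services) sections. It flags a DPF entry that fetches a bare .exe rather than a .cab package, a DPF control that carries no friendly name, reports the configured resolvers so they can be checked against the ISP's, and marks a service with no publisher for a look at its binary. The sample lines are excerpted from the log posted above; the rule set, the severity labels and the `Finding` type are my own assumptions for illustration, not anything the tool or the posters define.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Sample input: lines excerpted from the HijackThis log posted in this thread
# (constructed subset for the example; the first two lines are expected to be clean).
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {2F003D51-39FD-4D18-9016-95CF70B92ABE} - http://download.movienetworks.com/install/US/altpmtscab.cab
O16 - DPF: {9B4AA442-9EBF-11D5-8C11-0050DA4957F5} - http://www.cavello.com/dialxs/plugins/d/2/251/nl.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{DD3E7704-602A-456F-96AE-392478B62689}: NameServer = 62.58.50.11 62.58.50.6
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
"""

# Line shapes as HijackThis prints them: O16 = CLSID, optional "(friendly name)", URL;
# O17 = TCP/IP interface key with its NameServer list; O23 = display name (short name) - owner - image path.
O16_RE = re.compile(r"^O16 - DPF: (\{[0-9A-Fa-f-]+\})(?: \((.*?)\))? - (\S+)$")
O17_RE = re.compile(r"^O17 - .*NameServer = (.+)$")
O23_RE = re.compile(r"^O23 - Service: (.+?) \((.+?)\) - (.+?) - (.+)$")


@dataclass
class Finding:
    """One log line that deserves a human look (type and severities are assumptions of this example)."""
    line: str
    severity: str  # "high", "medium", "low" or "info"
    reason: str


def triage_line(line: str):
    """Apply the review rules to a single HijackThis line; return a Finding or None."""
    m = O16_RE.match(line)
    if m:
        _clsid, name, url = m.groups()
        path = urlparse(url).path.lower()
        if path.endswith(".exe"):
            # A Downloaded Program Files entry normally references a .cab; a bare executable is unusual.
            return Finding(line, "high", "DPF entry downloads a bare .exe instead of a .cab package")
        if name is None:
            return Finding(line, "medium", "DPF control has no registered friendly name; confirm what installed it")
        return None
    m = O17_RE.match(line)
    if m:
        servers = m.group(1).split()
        return Finding(line, "info", "DNS resolvers set to " + ", ".join(servers) + "; verify they belong to your ISP")
    m = O23_RE.match(line)
    if m:
        _display, short, owner, image = m.groups()
        if owner.strip().lower() == "unknown owner":
            return Finding(line, "low", f"service {short!r} has no publisher information; check the binary at {image}")
        return None
    return None


def triage(log_text: str):
    """Run triage_line over a whole log and return the findings in log order."""
    return [f for f in (triage_line(l.rstrip()) for l in log_text.splitlines()) if f is not None]


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"[{finding.severity:6}] {finding.reason}\n         {finding.line}")
```

Run against the excerpt, the two O16 lines Emiel lists come out as the medium and high findings, the O17 line is reported for verification only, and the nhksrv service is marked low because HijackThis could not attribute an owner. The rules deliberately produce review items, not verdicts; the decision to fix an entry stays with the person reading the log.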
  • That is the least of his worries, Emiel :wink: Go to the Windows Update website and download all available updates there. Restart your PC and post a HijackThis log for checking. Good luck! Pim
  • Via the Windows Update site it does not work, because it is a somewhat less legal version of XP. I am now trying it via the "offline update" from heise-security; I hope that works. But is all the virus and trojan junk gone now? I still have the CPU usage at 100% until I end it with Task Manager and then start it again via File.... after that it is normal.


This is an archived page. Replying is no longer possible.