Op deze website gebruiken we cookies om content en advertenties te personaliseren, om functies voor social media te bieden en om ons websiteverkeer te analyseren. Ook delen we informatie over uw gebruik van onze site met onze partners voor social media, adverteren en analyse. Deze partners kunnen deze gegevens combineren met andere informatie die u aan ze heeft verstrekt of die ze hebben verzameld op basis van uw gebruik van hun services. Meer informatie.

Akkoord

Vraag & Antwoord

Beveiliging & privacy

SecCenter\scprot4.exe virus! Hijackthis log

smeenk
7 antwoorden
  • Hallo,
    Ik hoop dat jullie mij kunnen helpen.
    Elke keer als ik mijn computer opstart krijg ik van symantec antivirus programma het volgende:

    Threatfound: Downloader.MisleadApp
    Filename: C:\Program Files\SecCenter\scprot4.exe
    Action taken: Deleted

    Hierbij mijn Hijackscan:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 18:54:19, on 16-1-2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    F:\Program Files\Microsoft ActiveSync\Wcescomm.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
    C:\Program Files\Google\Google Updater\GoogleUpdater.exe
    C:\WINDOWS\system32
    vsvc32.exe
    F:\PROGRA~1\MICROS~1\rapimgr.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\WINDOWS\system32\PnkBstrB.exe
    C:\Program Files\Symantec AntiVirus\SavRoam.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [fkbupuvm] rundll32.exe "C:\Program Files\fkbupuvm\jarudwxy.dll",Init
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [H/PC Connection Agent] "F:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
    O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
    O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_01] rundll32 advpack.dll,LaunchINFSection nlite.inf,nLiteReg (User 'Lokale service')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')
    O4 - HKUS\S-1-5-20\..\RunOnce: [nlpo_01] rundll32 advpack.dll,LaunchINFSection nlite.inf,nLiteReg (User 'Netwerkservice')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
    O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - F:\PROGRA~1\MICROS~1\INetRepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - F:\PROGRA~1\MICROS~1\INetRepl.dll
    O9 - Extra 'Tools' menuitem: Mobiele favorieten maken… - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - F:\PROGRA~1\MICROS~1\INetRepl.dll
    O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
    O16 - DPF: {0D9392CD-A784-4FCA-9342-0F75F7D7C8CB} (Corporate Language Training Interface) - http://www.cltnet.de/login/dplaunch.cab
    O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.2.100.cab
    O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
    O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://cache.hyvz.com/statics/Aurigma/ImageUploader4.cab
    O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
    O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game10.zylom.com/activex/zylomgamesplayer.cab
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32
    vsvc32.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
    O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe


    End of file - 9029 bytes

    Alvast bedankt,
    Kuyichi
  • Download: [b:a6a473f26b]RVAXO.exe[/b:a6a473f26b][/color:a6a473f26b][list:a6a473f26b][*:a6a473f26b]Sla het bestand op je bureaublad op, dubbelklik het en kies voor "Unzip" om het uit te pakken.
    [*:a6a473f26b]Open nu de map [b:a6a473f26b]RVAXO[/b:a6a473f26b] op je bureaublad en dubbeklik [b:a6a473f26b]RVAXO[/b:a6a473f26b].cmd
    Er zal een cmd-schermpje openen, daarin zullen snel enkele regels over niet gevonden bestanden voorbijkomen, dit is normaal.
    [*:a6a473f26b][b:a6a473f26b]Mogelijk[/b:a6a473f26b] start er ook een uninstaller van een rogue scanner op, [b:a6a473f26b]sluit deze niet af[/b:a6a473f26b] maar volg eventuele aanwijzingen en laat deze gewoon zijn werk doen.

    [*:a6a473f26b]Daarna zal je PC herstarten, na de herstart opent het cmd-venster van RVAXO opnieuw.
    Laat deze lopen en wacht tot er een logfile opent: C:\[b:a6a473f26b]RVAXO-results.log[/b:a6a473f26b]
    [*:a6a473f26b]Herstart je computer niet vanzelf, of start de tool niet na de reboot, [b:a6a473f26b]doe dit dan handmatig[/b:a6a473f26b].
    [*:a6a473f26b]Post de inhoud van de logfile in je volgende bericht.[/list:u:a6a473f26b]

    Download [b:a6a473f26b]Combofix[/b:a6a473f26b] (mirror) naar je Bureaublad.
    Dubbelklik op [b:a6a473f26b]Combofix.exe[/b:a6a473f26b]
    Kies voor "Continue" door [b:a6a473f26b]1[/b:a6a473f26b] te typen gevolgd door [b:a6a473f26b]ENTER[/b:a6a473f26b].
    Tijdens het runnen van de fix, [b:a6a473f26b]NIET[/b:a6a473f26b] in het venster klikken, want dit zal je pc doen vasthangen.
    Wanneer de fix voltooid is en na herstart, zal de log [b:a6a473f26b]combofix.txt[/b:a6a473f26b] openen.
    [i:a6a473f26b]Plaats deze log in je volgende post.[/i:a6a473f26b]

    NOTA: Indien je virusscanner reageert met een melding van een scriptuitvoering, mag je dit negeren.
  • —RVAXO.exe Updated: 2008-01-16[/color:50a694acc4]—first run—
    Files found:
    C:\WINDOWS\system32
    daTqsVqrX.dll

    Uninstallers Rogue scanners:


    Folders Found:

    C:\Program Files\SecCenter
    C:\WINDOWS\ppqvmpqr

    Hosts-file was reset, If you use a custom hosts file please replace it…

    ————–RVAXO.exe last run—————

    Files found:

    Folders Found:

    ————–RVAXO.exe finished—————-



    ComboFix 08-01-17.5 - Maicoosje 2008-01-17 11:12:01.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1043.18.571 [GMT 1:00]
    Gestart vanuit: C:\Documents and Settings\Maicoosje\Bureaublad\ComboFix.exe
    * Nieuw herstelpunt werd aangemaakt

    [b:50a694acc4]WAARSCHUWING - DE RECOVERY CONSOLE IS NIET OP DIT SYSTEEM GEINSTALLEERD !![/b:50a694acc4][/color:50a694acc4]
    .

    (((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\All Users\Application Data.\wfozypov.dll
    C:\Program Files\fkbupuvm
    C:\Program Files\fkbupuvm\jarudwxy.dll
    C:\Program Files\Hqzjzivu
    C:\Program Files\Hqzjzivu\gqowqvld.dll
    C:\Program Files\SecCenter
    C:\WINDOWS\system32\drvjun.dll
    C:\WINDOWS\system32\drvjunr.dll

    .
    (((((((((((((((((((( Bestanden Gemaakt van 2007-12-17 to 2008-01-17 ))))))))))))))))))))))))))))))
    .

    2008-01-17 11:11 . 2000-08-31 08:00 51,200 –a—— C:\WINDOWS\NirCmd.exe
    2008-01-16 20:00 . 2008-01-16 20:00 <DIR> d——– C:\RVAXO
    2008-01-16 19:59 . 2008-01-16 09:28 608,867 –a—— C:\WINDOWS\system32\RVAXO.bat
    2008-01-16 19:59 . 2001-10-01 14:51 69,632 –a—— C:\WINDOWS\system32\remove.exe
    2008-01-16 18:51 . 2008-01-16 18:51 <DIR> d——– C:\Program Files\Trend Micro
    2008-01-16 18:22 . 2008-01-16 18:22 <DIR> d——– C:\Documents and Settings\Maicoosje\Application Data\TrojanHunter
    2008-01-16 18:08 . 2008-01-16 18:38 <DIR> d——– C:\Program Files\TrojanHunter 5.0
    2008-01-16 14:40 . 2008-01-16 16:29 <DIR> d——– C:\Program Files\XoftSpySE
    2008-01-15 13:53 . 2008-01-15 14:40 <DIR> d——– C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-01-05 00:55 . 2008-01-05 00:55 <DIR> d——– C:\Program Files\MSXML 4.0
    2008-01-04 02:11 . 2008-01-04 22:39 69 –a—— C:\WINDOWS\NeroDigital.ini
    2008-01-04 00:45 . 2008-01-04 00:45 <DIR> d——– C:\Documents and Settings\Maicoosje\Application Data\Nero
    2008-01-04 00:38 . 2008-01-04 00:38 <DIR> d——– C:\Program Files\Nero
    2008-01-04 00:38 . 2008-01-04 00:41 <DIR> d——– C:\Program Files\Common Files\Nero
    2008-01-04 00:38 . 2008-01-04 00:38 <DIR> d——– C:\Documents and Settings\All Users\Application Data\Nero
    2008-01-03 13:47 . 2008-01-03 13:47 <DIR> d——– C:\Documents and Settings\All Users\Application Data\Zylom
    2007-12-26 22:28 . 2008-01-16 14:34 <DIR> d-a—— C:\Documents and Settings\All Users\Application Data\TEMP
    2007-12-22 14:57 . 2008-01-16 18:37 <DIR> d——– C:\Program Files\Hkvqumtf

    .
    ((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-01-17 10:11 ——— d—–w C:\Documents and Settings\Maicoosje\Application Data\uTorrent
    2008-01-17 09:37 ——— d—–w C:\Documents and Settings\All Users\Application Data\Google Updater
    2008-01-17 09:29 ——— d—–w C:\Program Files\Symantec AntiVirus
    2008-01-15 23:14 22,328 —-a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
    2008-01-15 23:14 107,832 —-a-w C:\WINDOWS\system32\PnkBstrB.exe
    2008-01-15 17:29 ——— d–h–w C:\Program Files\InstallShield Installation Information
    2007-12-22 13:14 ——— d—–w C:\Documents and Settings\Maicoosje\Application Data\dvdcss
    2007-12-16 11:31 ——— d—–w C:\Program Files\DivX
    2007-12-13 18:09 972,072 —-a-w C:\WINDOWS\UNNeroMediaHome.exe
    2007-12-11 19:46 524,288 —-a-w C:\WINDOWS\system32\DivXsm.exe
    2007-12-11 19:46 3,596,288 —-a-w C:\WINDOWS\system32\qt-dx331.dll
    2007-12-11 19:45 200,704 —-a-w C:\WINDOWS\system32\ssldivx.dll
    2007-12-11 19:45 1,044,480 —-a-w C:\WINDOWS\system32\libdivx.dll
    2007-12-11 19:44 823,296 —-a-w C:\WINDOWS\system32\divx_xx0c.dll
    2007-12-11 19:44 823,296 —-a-w C:\WINDOWS\system32\divx_xx07.dll
    2007-12-11 19:44 81,920 —-a-w C:\WINDOWS\system32\dpl100.dll
    2007-12-11 19:44 802,816 —-a-w C:\WINDOWS\system32\divx_xx11.dll
    2007-12-11 19:44 682,496 —-a-w C:\WINDOWS\system32\DivX.dll
    2007-12-11 19:44 593,920 —-a-w C:\WINDOWS\system32\dpuGUI11.dll
    2007-12-11 19:44 57,344 —-a-w C:\WINDOWS\system32\dpv11.dll
    2007-12-11 19:44 53,248 —-a-w C:\WINDOWS\system32\dpuGUI10.dll
    2007-12-11 19:44 344,064 —-a-w C:\WINDOWS\system32\dpus11.dll
    2007-12-11 19:44 294,912 —-a-w C:\WINDOWS\system32\dpu11.dll
    2007-12-11 19:44 294,912 —-a-w C:\WINDOWS\system32\dpu10.dll
    2007-12-11 19:44 196,608 —-a-w C:\WINDOWS\system32\dtu100.dll
    2007-12-11 19:44 156,992 —-a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
    2007-12-11 19:43 12,288 —-a-w C:\WINDOWS\system32\DivXWMPExtType.dll
    2007-12-10 12:52 66,872 —-a-w C:\WINDOWS\system32\pnkbstra.exe
    2007-12-10 12:18 22,328 —-a-w C:\Documents and Settings\Maicoosje\Application Data\PnkBstrK.sys
    2007-12-10 12:07 ——— d—–w C:\Program Files\DAEMON Tools
    2007-12-10 12:04 685,816 —-a-w C:\WINDOWS\system32\drivers\sptd.sys
    2007-12-04 08:59 972,072 —-a-w C:\WINDOWS\UNRecode.exe
    2007-12-03 17:04 95,600 —-a-w C:\WINDOWS\system32\NeroCo.dll
    2007-11-21 16:31 132,904 —-a-w C:\WINDOWS\system32\drivers\imagesrv.sys
    2007-11-21 16:31 11,304 —-a-w C:\WINDOWS\system32\drivers\imagedrv.sys
    2007-11-20 22:54 ——— d—–w C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
    2007-11-17 10:19 107,888 —-a-w C:\WINDOWS\system32\CmdLineExt.dll
    2007-11-17 10:19 ——— d–h–r C:\Documents and Settings\Maicoosje\Application Data\SecuROM
    2007-11-17 10:18 669,184 —-a-w C:\WINDOWS\system32\pbsvc.exe
    2007-11-07 09:51 732,160 —-a-w C:\WINDOWS\system32\lsasrv.dll
    2007-11-02 23:39 60,416 —-a-w C:\WINDOWS\ALCFDRTM.EXE
    2007-10-29 22:41 1,291,776 —-a-w C:\WINDOWS\system32\quartz.dll
    2007-10-20 05:01 227,328 —-a-w C:\WINDOWS\system32\wmasf.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    REGEDIT4
    *Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:03 15360]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-17 11:24 68856]
    "MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 11:54 5674352]
    "H/PC Connection Agent"="F:\Program Files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 18:34 1289000]
    "IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2007-12-13 19:10 1688872]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SoundMan"="SOUNDMAN.EXE" [2004-07-27 16:01 68096 C:\WINDOWS\SOUNDMAN.EXE]
    "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-02-29 15:44 66680]
    "vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2004-03-12 14:18 124128]
    "Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 10:09 63712]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 08:41 282624]
    "Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" []
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11 132496]
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-09-17 00:07 8491008]
    "nwiz"="nwiz.exe" [2007-09-17 00:07 1626112 C:\WINDOWS\system32
    wiz.exe]
    "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-09-17 00:07 81920]
    "NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 14:57 153136]
    "NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-12-03 14:21 2213160]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 01:03 15360]

    C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\
    Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-06-17 11:24:38]

    R3 ULI5261XP;ULi M526X Ethernet NT Driver;C:\WINDOWS\system32\DRIVERS\ULILAN51.SYS [2005-03-22 19:36]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{98c37bb5-1c4c-11dc-8475-00138f5e73a8}]
    \Shell\AutoRun\command - F:\LaunchU3.exe -a

    *Newly Created Service* - PROCEXP90
    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-01-17 11:14:01
    Windows 5.1.2600 Service Pack 2 NTFS

    scannen van verborgen processen …

    scannen van verborgen autostart items …

    scannen van verborgen bestanden …

    Scan succesvol afgerond
    verborgen bestanden: 0

    **************************************************************************
    .
    Voltooingstijd: 2008-01-17 11:14:22
    ComboFix-quarantined-files.txt 2008-01-17 10:14:14
    .
    2008-01-16 19:08:31 — E O F —
  • Open de map RVAXO op je bureaublad en dubbelklik [b:930d585258]Uninstall[/b:930d585258].cmd
    Dit zal alles van RVAXO doen verwijderen.

    Verwijder de volgende mappen:
    C:\[b:930d585258]Qoobox[/b:930d585258]
    C:\Program Files\[b:930d585258]Hkvqumtf[/b:930d585258]

    Maak dan je prullenbak leeg.

    Download ATF cleaner (mirror)(gemaakt door Atribune)

    [b:930d585258]Belangrijk:[/b:930d585258] Sluit al je browservensters(IE en/of Firefox en/of Opera) om de tool goed te kunnen laten werken.

    Dubbelklik op ATF cleaner om het programma te starten.
    Op het tabblad "Main", plaats je een vinkje bij [b:930d585258]Select All[/b:930d585258].
    Klik op de knop [b:930d585258]Empty Selected[/b:930d585258].

    Het volgende doen als je ook FireFox als browser hebt:
    Klik op tabblad "Firefox", plaats een vinkje bij [b:930d585258]Select All[/b:930d585258].
    Wil je de door Firefox opgeslagen wachtwoorden behouden, dan klik je in het venster dat verschijnt op "No".
    (dit haalt het vinkje weer weg bij "Firefox saved passwords")
    Klik op de knop [b:930d585258]Empty Selected[/b:930d585258].

    Het volgende doen als je ook Opera als browser hebt:
    Klik op tabblad "Opera", plaats een vinkje bij [b:930d585258]Select All[/b:930d585258].
    Wil je de door Opera opgeslagen wachtwoorden behouden, dan klik je in het venster dat verschijnt op "No".
    Klik op de knop [b:930d585258]Empty Selected[/b:930d585258].
    Ga naar het tabblad "Main" en klik op de knop [b:930d585258]Exit[/b:930d585258] om het programma af te sluiten.

    Ga naar Start - Uitvoeren en geef hier het volgende in:
    [b:930d585258]Combofix /U[/b:930d585258]
    Druk daarna op OK.
    [b:930d585258]Let op:[/color:930d585258][/b:930d585258] Er moet een spatie tussen [b:930d585258]Combofix[/b:930d585258] en [b:930d585258]/U[/b:930d585258] zitten.

    Dit zal Combofix deïnstalleren.

    Schakel Systeemherstel uit. Herstart de computer. Schakel Systeemherstel weer in.
    Kijk hier hoe je je systeemherstel moet uitschakelen.
    Hiermee verwijder je eventuele restanten van de infecties uit je systeemherstel.

    Post als laatste nog een nieuw logje van Hijackthis ter controle ;)
  • Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:55:29, on 17-1-2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
    C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32
    vsvc32.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    F:\Program Files\Microsoft ActiveSync\Wcescomm.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\WINDOWS\system32\PnkBstrB.exe
    C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
    C:\Program Files\Symantec AntiVirus\SavRoam.exe
    F:\PROGRA~1\MICROS~1\rapimgr.exe
    C:\Program Files\Google\Google Updater\GoogleUpdater.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\system32\wuauclt.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [H/PC Connection Agent] "F:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
    O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
    O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_01] rundll32 advpack.dll,LaunchINFSection nlite.inf,nLiteReg (User 'Lokale service')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')
    O4 - HKUS\S-1-5-20\..\RunOnce: [nlpo_01] rundll32 advpack.dll,LaunchINFSection nlite.inf,nLiteReg (User 'Netwerkservice')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
    O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - F:\PROGRA~1\MICROS~1\INetRepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - F:\PROGRA~1\MICROS~1\INetRepl.dll
    O9 - Extra 'Tools' menuitem: Mobiele favorieten maken… - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - F:\PROGRA~1\MICROS~1\INetRepl.dll
    O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
    O16 - DPF: {0D9392CD-A784-4FCA-9342-0F75F7D7C8CB} (Corporate Language Training Interface) - http://www.cltnet.de/login/dplaunch.cab
    O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.2.100.cab
    O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
    O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://cache.hyvz.com/statics/Aurigma/ImageUploader4.cab
    O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
    O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game10.zylom.com/activex/zylomgamesplayer.cab
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32
    vsvc32.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
    O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe


    End of file - 8888 bytes

    Is hij weer schoon?
  • Deze regel mag je nog verwijderen met Hijackthis:
    [b:efdaafdfbe]R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)[/b:efdaafdfbe]

    Voor de rest ziet het er weer goed uit :)
  • Bedankt Smeenk! :D

Beantwoord deze vraag

Dit is een gearchiveerde pagina. Antwoorden is niet meer mogelijk.