
Question & Answer

Security & privacy

Persistent problems - HJT log.

Endor
4 answers
  • Hello everyone.

    I have numerous problems with this computer.
    Trojans: Obfuscated and the TR/Dldr.Swizzor.Gen trojan. Avira can't get rid of them.
    Can anyone help me?

    HJT log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 17:17:15, on 5/08/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
    C:\WINDOWS\System32\CTSvcCDA.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\notepad.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.euro.dell.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Lokale service')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Netwerkservice')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: Toevoegen aan Mobiele favorieten - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
    O9 - Extra 'Tools' menuitem: Toevoegen aan Mobiele favorieten... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} -
    O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} -
    O16 - DPF: {AA07EBD2-EBDD-4BD6-9F8F-114BD513492C} (NeffyLauncherCtl Class) - http://disteng.nefficient.com/disteng/neffy/NeffyLauncher.cab
    O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} -
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} -
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
    O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.EXE
    O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe


    End of file - 5134 bytes

    I have also already run ComboFix, log:

    ComboFix 08-08-04.06 - jasper 2008-08-05 17:01:57.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1043.18.229 [GMT 2:00]
    Gestart vanuit: C:\Documents and Settings\jasper\Bureaublad\ComboFix.exe
    * Nieuw herstelpunt werd aangemaakt
    * Resident AV is active


    WAARSCHUWING - DE RECOVERY CONSOLE IS NIET OP DIT SYSTEEM GEINSTALLEERD !!
    .

    (((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\system32\MSINET.oca

    .
    (((((((((((((((((((( Bestanden Gemaakt van 2008-07-05 to 2008-08-05 ))))))))))))))))))))))))))))))
    .

    2008-08-05 16:48 . 2008-08-05 16:48 <DIR> dr-h----- C:\Documents and Settings\jasper\Onlangs geopend
    2008-08-05 16:43 . 2008-08-05 16:43 685,056 --a------ C:\WINDOWS\isRS-000.tmp
    2008-08-05 16:43 . 2008-07-30 20:07 38,472 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbamswissarmy.sys
    2008-08-05 16:43 . 2008-07-30 20:07 17,144 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbam.sys
    2008-07-09 19:29 . 2008-07-09 19:29 <DIR> d-------- C:\Documents and Settings\jasper\Application Data\Template

    .
    ((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-08-05 14:44 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware
    2008-07-09 17:09 --------- d-----w C:\Program Files\PopCap Games
    2008-06-27 13:54 --------- d-----w C:\Program Files\World of Warcraft
    2008-06-27 13:32 --------- d-----w C:\Documents and Settings\jean pierre\Application Data\16load
    2008-06-20 17:43 247,296 ----a-w C:\WINDOWS\SYSTEM32\mswsock.dll
    2008-06-20 17:43 247,296 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mswsock.dll
    2008-06-20 17:43 148,992 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\dnsapi.dll
    2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
    2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\tcpip.sys
    2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
    2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\afd.sys
    2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
    2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\tcpip6.sys
    2008-06-14 18:00 272,640 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\bthport.sys
    2008-06-14 18:00 272,640 ------w C:\WINDOWS\system32\drivers\bthport.sys
    2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\rmcast.sys
    2008-05-07 05:16 1,291,776 ----a-w C:\WINDOWS\SYSTEM32\quartz.dll
    2008-05-07 05:16 1,291,776 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\quartz.dll
    2004-05-18 18:48 5,244,360 ----a-w C:\Program Files\SetupDl.exe
    2003-02-15 15:18 560 ----a-w C:\Program Files\Global.sw
    .

    ((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    REGEDIT4
    *Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 10:03 15360]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 10:03 15360]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "vidc.ap41"= apmpg4v1.dll
    "vidc.divf"= divx412.dll
    "vidc.div3"= divxc32.dll
    "vidc.div4"= divxc32f.dll
    "vidc.xvid"= xvid.dll
    "vidc.hfyu"= huffyuv.dll
    "msacm.DivXa32"= DivXa32.acm
    "msacm.lameacm"= lameACM.dll
    "vidc.mjpg"= m3jpeg32.dll
    "vidc.dmb1"= m3jpeg32.dll
    "MSACM.CEGSM"= mobilev.acm
    "VIDC.XFR1"= xfcodec.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avgnt]
    --a------ 2008-07-28 00:15 266497 C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccleaner]
    --a------ 2008-07-29 15:41 1213680 C:\Program Files\CCleaner\CCleaner.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    --a------ 2004-08-04 10:03 15360 C:\WINDOWS\SYSTEM32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
    --a------ 2004-02-24 15:28 401491 C:\Program Files\Microsoft ActiveSync\wcescomm.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "Date Five"=C:\PROGRA~1\16load\Playdraw.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\Messenger\\msmsgs.exe"=
    "C:\\Program Files\\Xfire\\Xfire.exe"=
    "C:\\Program Files\\Activision\\Call of Duty 2\\CoD2MP_s.exe"=
    "C:\\WINDOWS\\SYSTEM32\\dpnsvr.exe"=
    "C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"=
    "C:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
    "C:\\Program Files\\MSN Messenger\\livecall.exe"=
    "C:\\Program Files\\DreamCatcher\\Painkiller Overdose Demo\\Bin\\OverdoseDemo.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

    R3 tbcspud;Santa Cruz Driver;C:\WINDOWS\system32\drivers\tbcspud.sys [2002-04-03 17:51]
    R3 tbcwdm;Santa Cruz WDM Driver;C:\WINDOWS\system32\drivers\tbcwdm.sys [2002-04-03 17:51]
    S3 kbeepm;kbeepm;C:\DOCUME~1\poging3\LOCALS~1\Temp\kbeepm.sys []
    S3 vtdg46xx;vtdg46xx;C:\PROGRA~1\TURTLE~1\SANTAC~1\CONTRO~1\vtdg46xx.sys [2003-06-13 16:45]
    S3 XDva007;XDva007;C:\WINDOWS\system32\XDva007.sys []

    *Newly Created Service* - CATCHME
    *Newly Created Service* - PROCEXP90

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{99B782AF-0B9A-4FB5-BDD1-D83F4B6218BA}]
    c:\CriticalUpdate.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{AD88BEC6-2BE4-4E8A-A47F-DD87FA67A2A7}]
    "%SystemRoot%\twain_32.exe"
    .
    Inhoud van de 'Gedeelde Taken' map

    2008-08-05 C:\WINDOWS\Tasks\AA1A8C8D9185019D.job
    - c:\docume~1\jeanpi~1\applic~1\16load\CDROM 1 DEAD.exe []

    2007-12-20 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2006-10-10 18:13]

    2006-09-10 C:\WINDOWS\Tasks\XoftSpy.job
    - C:\Program Files\XoftSpy\XoftSpy.exe []

    2008-08-05 C:\WINDOWS\Tasks\XoftSpySE 2.job
    - C:\Program Files\XoftSpySE\XoftSpy.exe [2007-07-18 22:41]

    2007-05-23 C:\WINDOWS\Tasks\XoftSpySE.job
    - C:\Program Files\XoftSpySE\XoftSpy.exe [2007-07-18 22:41]
    .
    .
    ------- Supplementary Scan -------
    .
    FireFox -: Profile - C:\Documents and Settings\jasper\Application Data\Mozilla\Firefox\Profiles\zqzqsbkw.default\
    FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
    FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.be/firefox
    FF -: plugin - C:\Program Files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll


    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-08-05 17:05:29
    Windows 5.1.2600 Service Pack 2 NTFS

    scannen van verborgen processen ...

    scannen van verborgen autostart items ...

    scannen van verborgen bestanden ...

    Scan succesvol afgerond
    verborgen bestanden: 0

    **************************************************************************
    .
    Voltooingstijd: 2008-08-05 17:09:20
    ComboFix-quarantined-files.txt 2008-08-05 15:09:08

    Pre-Run: 88,807,702,528 bytes beschikbaar
    Post-Run: 88,801,894,400 bytes beschikbaar

    136 --- E O F --- 2008-08-05 14:33:18

    I had also already run MBAM, but it found nothing.

    Thanks in advance.
  • Start HijackThis and choose 'Do a system scan only'. Select only the items listed below:

    O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} -
    O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} -
    O16 - DPF: {AA07EBD2-EBDD-4BD6-9F8F-114BD513492C} (NeffyLauncherCtl Class) - http://disteng.nefficient.com/disteng/neffy/NeffyLauncher.cab
    O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} -
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} -

    Click 'Fix checked' to remove the items.

    Open a Notepad file.

    Copy and paste the text below into it.

    File::
    C:\WINDOWS\isRS-000.tmp
    C:\WINDOWS\Tasks\AA1A8C8D9185019D.job

    Folder::
    C:\Documents and Settings\jean pierre\Application Data\16load

    Registry::
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    [-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{99B782AF-0B9A-4FB5-BDD1-D83F4B6218BA}]
    [-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{AD88BEC6-2BE4-4E8A-A47F-DD87FA67A2A7}]

    Save this file to your desktop as CFScript.txt.

    Drag CFScript.txt onto ComboFix.exe
    This will make ComboFix restart. Reboot if you are asked to.

    After the reboot, post the contents of Combofix.txt in your next message together with a new HijackThis log.
  • Oh dear, that doesn't look too good.

    Here is the new HJT log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 16:12:52, on 6/08/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
    C:\WINDOWS\System32\CTSvcCDA.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.euro.dell.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Lokale service')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Netwerkservice')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: Toevoegen aan Mobiele favorieten - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
    O9 - Extra 'Tools' menuitem: Toevoegen aan Mobiele favorieten... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
    O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.EXE
    O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe


    End of file - 5015 bytes

    And the new ComboFix log:

    ComboFix 08-08-04.09 - jasper 2008-08-06 16:03:42.2 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1043.18.236 [GMT 2:00]
    Gestart vanuit: C:\Documents and Settings\jasper\Bureaublad\ComboFix.exe
    Command switches used :: C:\Documents and Settings\jasper\Bureaublad\CFScript.txt
    * Nieuw herstelpunt werd aangemaakt
    * Resident AV is active


    WAARSCHUWING - DE RECOVERY CONSOLE IS NIET OP DIT SYSTEEM GEINSTALLEERD !!

    FILE ::
    C:\WINDOWS\isRS-000.tmp
    C:\WINDOWS\Tasks\AA1A8C8D9185019D.job
    .

    (((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\jean pierre\Application Data\16load
    C:\Documents and Settings\jean pierre\Application Data\16load\0
    C:\WINDOWS\Tasks\AA1A8C8D9185019D.job

    .
    (((((((((((((((((((( Bestanden Gemaakt van 2008-07-06 to 2008-08-06 ))))))))))))))))))))))))))))))
    .

    2008-08-05 17:50 . 2008-08-05 17:54 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AdobeUM
    2008-08-05 16:48 . 2008-08-06 16:01 <DIR> dr-h----- C:\Documents and Settings\jasper\Onlangs geopend
    2008-08-05 16:43 . 2008-07-30 20:07 38,472 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbamswissarmy.sys
    2008-08-05 16:43 . 2008-07-30 20:07 17,144 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbam.sys
    2008-07-09 19:29 . 2008-07-09 19:29 <DIR> d-------- C:\Documents and Settings\jasper\Application Data\Template

    .
    ((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-08-05 17:17 --------- d-----w C:\Documents and Settings\jasper\Application Data\16load
    2008-08-05 15:59 --------- d-----w C:\Program Files\Common Files\Adobe
    2008-08-05 14:44 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware
    2008-07-09 17:09 --------- d-----w C:\Program Files\PopCap Games
    2008-06-27 13:54 --------- d-----w C:\Program Files\World of Warcraft
    2008-06-20 17:43 247,296 ----a-w C:\WINDOWS\SYSTEM32\mswsock.dll
    2008-06-20 17:43 247,296 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mswsock.dll
    2008-06-20 17:43 148,992 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\dnsapi.dll
    2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
    2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\tcpip.sys
    2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
    2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\afd.sys
    2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
    2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\tcpip6.sys
    2008-06-14 18:00 272,640 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\bthport.sys
    2008-06-14 18:00 272,640 ------w C:\WINDOWS\system32\drivers\bthport.sys
    2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\rmcast.sys
    2008-05-07 05:16 1,291,776 ----a-w C:\WINDOWS\SYSTEM32\quartz.dll
    2008-05-07 05:16 1,291,776 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\quartz.dll
    2004-05-18 18:48 5,244,360 ----a-w C:\Program Files\SetupDl.exe
    2003-02-15 15:18 560 ----a-w C:\Program Files\Global.sw
    .

    ((((((((((((((((((((((((((((( snapshot@2008-08-05_17.08.33.78 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2008-08-05 16:02:22 25,214 ----a-r C:\WINDOWS\Installer\{AC76BA86-7AD7-1033-7B44-A71000000002}\SC_Reader.exe
    .
    ((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    REGEDIT4
    *Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 10:03 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 19:58 282624]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 10:03 15360]

    C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 03:38:16 29696]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "vidc.ap41"= apmpg4v1.dll
    "vidc.divf"= divx412.dll
    "vidc.div3"= divxc32.dll
    "vidc.div4"= divxc32f.dll
    "vidc.xvid"= xvid.dll
    "vidc.hfyu"= huffyuv.dll
    "msacm.DivXa32"= DivXa32.acm
    "msacm.lameacm"= lameACM.dll
    "vidc.mjpg"= m3jpeg32.dll
    "vidc.dmb1"= m3jpeg32.dll
    "MSACM.CEGSM"= mobilev.acm
    "VIDC.XFR1"= xfcodec.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avgnt]
    --a------ 2008-07-28 00:15 266497 C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccleaner]
    --a------ 2008-07-29 15:41 1213680 C:\Program Files\CCleaner\CCleaner.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    --a------ 2004-08-04 10:03 15360 C:\WINDOWS\SYSTEM32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
    --a------ 2004-02-24 15:28 401491 C:\Program Files\Microsoft ActiveSync\wcescomm.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\Messenger\\msmsgs.exe"=
    "C:\\Program Files\\Xfire\\Xfire.exe"=
    "C:\\Program Files\\Activision\\Call of Duty 2\\CoD2MP_s.exe"=
    "C:\\WINDOWS\\SYSTEM32\\dpnsvr.exe"=
    "C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"=
    "C:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
    "C:\\Program Files\\MSN Messenger\\livecall.exe"=
    "C:\\Program Files\\DreamCatcher\\Painkiller Overdose Demo\\Bin\\OverdoseDemo.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

    R3 tbcspud;Santa Cruz Driver;C:\WINDOWS\system32\drivers\tbcspud.sys [2002-04-03 17:51]
    R3 tbcwdm;Santa Cruz WDM Driver;C:\WINDOWS\system32\drivers\tbcwdm.sys [2002-04-03 17:51]
    S3 kbeepm;kbeepm;C:\DOCUME~1\poging3\LOCALS~1\Temp\kbeepm.sys []
    S3 vtdg46xx;vtdg46xx;C:\PROGRA~1\TURTLE~1\SANTAC~1\CONTRO~1\vtdg46xx.sys [2003-06-13 16:45]
    S3 XDva007;XDva007;C:\WINDOWS\system32\XDva007.sys []
    .
    Inhoud van de 'Gedeelde Taken' map

    2007-12-20 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2006-10-10 18:13]

    2006-09-10 C:\WINDOWS\Tasks\XoftSpy.job
    - C:\Program Files\XoftSpy\XoftSpy.exe []

    2008-08-06 C:\WINDOWS\Tasks\XoftSpySE 2.job
    - C:\Program Files\XoftSpySE\XoftSpy.exe [2007-07-18 22:41]

    2007-05-23 C:\WINDOWS\Tasks\XoftSpySE.job
    - C:\Program Files\XoftSpySE\XoftSpy.exe [2007-07-18 22:41]
    .
    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-08-06 16:08:26
    Windows 5.1.2600 Service Pack 2 NTFS

    scannen van verborgen processen ...

    scannen van verborgen autostart items ...

    scannen van verborgen bestanden ...

    Scan succesvol afgerond
    verborgen bestanden: 0

    **************************************************************************
    .
    Voltooingstijd: 2008-08-06 16:12:25
    ComboFix-quarantined-files.txt 2008-08-06 14:12:04
    ComboFix2.txt 2008-08-05 15:09:21

    Pre-Run: 88,509,825,024 bytes beschikbaar
    Post-Run: 88,489,902,080 bytes beschikbaar

    135 --- E O F --- 2008-08-05 14:33:18

    Did it work? All of this was done under the account "Jasper"
  • Your HJT log looks fine. A PM about ComboFix is on its way.

    For your account Jasper you can run this with ComboFix:

    Open a Notepad file.

    Copy and paste the text below into it.

    Driver::
    kbeepm

    File::
    C:\DOCUME~1\poging3\LOCALS~1\Temp\kbeepm.sys

    Folder::
    C:\Documents and Settings\jasper\Application Data\16load

    Save this file to your desktop as CFScript.txt.

    Drag CFScript.txt onto ComboFix.exe
    This will make ComboFix restart. Reboot if you are asked to.
    After the reboot, post the contents of Combofix.txt in your next message
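As an added example (not code from this thread, nor from the HijackThis or ComboFix projects), the following Python script automates the triage the helper did by hand in both replies above: it picks out the HijackThis O16 DPF lines that carry a CLSID but no download URL (the ones ticked before 'Fix checked'), flags ComboFix driver lines and scheduled-task targets whose trailing "[ ]" date stamp is empty (assumed here to mean ComboFix found no file to stamp), and renders the result in the Driver::/File::/Folder::/Registry:: CFScript.txt layout used in the thread. The sample lines are constructed from the formats seen here; the regexes, the Finding record and the triage rules are my assumptions, not ComboFix's own logic.

```python
"""Triage HijackThis / ComboFix log lines the way the helper in this thread did.

Added example, not part of the thread and not code from HijackThis or ComboFix.
Rules (assumptions drawn from the helper's choices):
  * HJT O16 (DPF) entries with nothing after the trailing " -" (no download URL)
  * ComboFix service/driver lines and scheduled-task targets whose trailing
    "[...]" date stamp is empty (taken here to mean no file was found to stamp)
Output: lines to tick in HijackThis plus a CFScript.txt in the thread's layout.
"""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    kind: str    # CFScript section: "Driver", "File", "Folder" or "Registry"
    value: str   # the name or path written into that section, verbatim
    reason: str  # why it was flagged, for the human reviewer


# HJT O16 line: "O16 - DPF: {CLSID} (optional name) - optional-url"
O16_RE = re.compile(r"^O16 - DPF: (\{[0-9A-Fa-f-]+\})(?: \((.*?)\))? -\s*(\S*)$")
# ComboFix service line: "S3 name;display name;path [stamp]"
SERVICE_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.+?) \[(.*)\]$")
# ComboFix scheduled task: "YYYY-MM-DD X.job" followed by "- target [stamp]"
TASK_HEADER_RE = re.compile(r"^\d{4}-\d{2}-\d{2} (.+\.job)$")
TASK_TARGET_RE = re.compile(r"^- (.+?) \[(.*)\]$")

# Constructed sample input in the HijackThis 2.0.2 and ComboFix 08-08-04 formats
# seen in this thread; test data, not a live log.
SAMPLE_HJT = r"""
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} -
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
"""
SAMPLE_COMBOFIX = r"""
R3 tbcspud;Santa Cruz Driver;C:\WINDOWS\system32\drivers\tbcspud.sys [2002-04-03 17:51]
S3 kbeepm;kbeepm;C:\DOCUME~1\poging3\LOCALS~1\Temp\kbeepm.sys []

2008-08-05 C:\WINDOWS\Tasks\AA1A8C8D9185019D.job
- c:\docume~1\jeanpi~1\applic~1\16load\CDROM 1 DEAD.exe []

2007-12-20 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2006-10-10 18:13]
"""


def hjt_o16_without_url(lines):
    """Return the O16 lines that name a CLSID but no download URL.
    These are the lines to tick in HijackThis before 'Fix checked'."""
    hits = []
    for raw in lines:
        m = O16_RE.match(raw.strip())
        if m and not m.group(3):
            hits.append(raw.strip())
    return hits


def combofix_services_without_stamp(lines):
    """Flag service/driver entries whose file carries no date stamp.
    Emits a Driver:: entry (service name) and a File:: entry (its path)."""
    findings = []
    for raw in lines:
        m = SERVICE_RE.match(raw.strip())
        if m and m.group(5) == "":
            name, path = m.group(2), m.group(4)
            findings.append(Finding("Driver", name, "driver file has no date stamp"))
            findings.append(Finding("File", path, f"file backing driver {name}"))
    return findings


def combofix_tasks_without_stamp(lines):
    """Flag scheduled .job files whose target executable has no date stamp."""
    stripped = [raw.strip() for raw in lines]
    findings = []
    for header, target in zip(stripped, stripped[1:]):
        h = TASK_HEADER_RE.match(header)
        t = TASK_TARGET_RE.match(target)
        if h and t and t.group(2) == "":
            findings.append(Finding("File", h.group(1),
                                    f"task runs {t.group(1)}, which has no date stamp"))
    return findings


def build_cfscript(findings):
    """Render findings as CFScript.txt text: one section per kind, values verbatim."""
    chunks = []
    for section in ("Driver", "File", "Folder", "Registry"):
        values = [f.value for f in findings if f.kind == section]
        if values:
            chunks.append(f"{section}::\n" + "\n".join(values))
    return "\n\n".join(chunks) + "\n"


def triage(hjt_lines, combofix_lines):
    """Run every rule; return (O16 lines to tick in HJT, candidate CFScript text)."""
    findings = (combofix_services_without_stamp(combofix_lines)
                + combofix_tasks_without_stamp(combofix_lines))
    return hjt_o16_without_url(hjt_lines), build_cfscript(findings)


if __name__ == "__main__":
    tick, script = triage(SAMPLE_HJT.splitlines(), SAMPLE_COMBOFIX.splitlines())
    print("Tick in HijackThis:\n" + "\n".join(tick))
    print("\nCandidate CFScript.txt:\n" + script)
```

The rules only produce candidates: in this same thread XDva007.sys and XoftSpy.job also show an empty stamp, and the helper deliberately left both alone, so the generated CFScript.txt is something to read line by line before it is dragged onto ComboFix.exe, not a script to run blind.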

This is an archived page. Replying is no longer possible.