Op deze website gebruiken we cookies om content en advertenties te personaliseren, om functies voor social media te bieden en om ons websiteverkeer te analyseren. Ook delen we informatie over uw gebruik van onze site met onze partners voor social media, adverteren en analyse. Deze partners kunnen deze gegevens combineren met andere informatie die u aan ze heeft verstrekt of die ze hebben verzameld op basis van uw gebruik van hun services. Meer informatie.

Akkoord

Vraag & Antwoord

Beveiliging & privacy

Graag controle log files

Othuroyo
13 antwoorden
  • Hallo,

    mijn virusscanner vond diverse files zoals TinyProxy.exe en WDMaud.sys

    Ik heb deze verwijderd samen met het bestand Fmark2.dat

    Nu heb ik MBAM laten draaien en nog 2 files verwijderd (zie log hieronder)
    Ik heb tevens een HIJJACKTHIS log file.

    Zou iemand voor mij deze logfiles na willen kijken? Bij voorbaat dank.

    MBAM

    Malwarebytes' Anti-Malware 1.33
    Database versie: 1675
    Windows 5.1.2600 Service Pack 3

    21-1-2009 20:39:41
    mbam-log-2009-01-21 (20-39-41).txt

    Scan type: Snelle Scan
    Objecten gescand: 48029
    Verstreken tijd: 2 minute(s), 37 second(s)

    Geheugenprocessen geïnfecteerd: 0
    Geheugenmodulen geïnfecteerd: 0
    Registersleutels geïnfecteerd: 0
    Registerwaarden geïnfecteerd: 0
    Registerdata bestanden geïnfecteerd: 0
    Mappen geïnfecteerd: 0
    Bestanden geïnfecteerd: 2

    Geheugenprocessen geïnfecteerd:
    (Geen kwaadaardige items gevonden)

    Geheugenmodulen geïnfecteerd:
    (Geen kwaadaardige items gevonden)

    Registersleutels geïnfecteerd:
    (Geen kwaadaardige items gevonden)

    Registerwaarden geïnfecteerd:
    (Geen kwaadaardige items gevonden)

    Registerdata bestanden geïnfecteerd:
    (Geen kwaadaardige items gevonden)

    Mappen geïnfecteerd:
    (Geen kwaadaardige items gevonden)

    Bestanden geïnfecteerd:
    C:\WINDOWS\higeorge1.exe (Trojan.Proxy) -> Quarantined and deleted successfully.
    C:\WINDOWS\himark2.dat (Malware.Trace) -> Quarantined and deleted successfully.


    HIJJACKTHIS


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 21:33:23, on 21-1-2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16762)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\NORMAN\Npm\bin\ELOGSVC.EXE
    C:\NORMAN\Ngs\Bin\Nprosec.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\NORMAN\Npm\Bin\Zanda.exe
    C:\NORMAN
    pm\bin
    voy.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\NORMAN
    pf\bin
    pfsvc32.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Spyware Terminator\sp_rsser.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Tablet.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
    C:\NORMAN\Npm\Bin\ZLH.EXE
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\System32\wdfmgr.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    C:\WINDOWS\system32\WTablet\TabUserW.exe
    C:\Program Files\OpenOffice.org 3\program\soffice.exe
    C:\Program Files\OpenOffice.org 3\program\soffice.bin
    C:\NORMAN\Npm\Bin\Njeeves.exe
    C:\NORMAN\Npm\Bin\Nvcsched.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\NORMAN
    se\bin\NSESVC.EXE
    C:\WINDOWS\System32\alg.exe
    C:\NORMAN\Nvc\bin
    vcoas.exe
    C:\NORMAN\Nvc\Bin\Nip.exe
    C:\NORMAN\Nvc\Bin\cclaw.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\NORMAN
    pf\bin
    pfuser.exe
    E:\mambam\HijackThis.exe
    C:\WINDOWS\System32\wbem\wmiprvse.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.noutweb.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.aragorn.nl
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:8181
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
    O4 - HKLM\..\Run: [Norman ZANDA] "C:\NORMAN\Npm\Bin\ZLH.EXE" /LOAD /SPLASH
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] E:\mambam\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
    O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
    O4 - HKCU\..\Run: [EPSON Stylus D92 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBZE.EXE /FU "C:\WINDOWS\TEMP\E_S83.tmp" /EF "HKCU"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Lokale service')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Netwerkservice')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O4 - Startup: OpenOffice.org 3.0 .lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
    O4 - Global Startup: Adobe Reader Snelle start.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.aragorn.nl
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O17 - HKLM\System\CCS\Services\Tcpip\..\{BFF0BE82-DCAA-426B-B531-4099FFDD74B0}: NameServer = 192.168.0.1
    O23 - Service: Mobiel Apple apparaat (Apple Mobile Device) - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
    O23 - Service: Norman eLogger service 6 (eLoggerSvc6) - Norman ASA - C:\NORMAN\Npm\bin\ELOGSVC.EXE
    O23 - Service: iPod-service (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Norman NJeeves - Norman ASA - C:\NORMAN\Npm\Bin\Njeeves.exe
    O23 - Service: Norman ZANDA - Norman ASA - C:\NORMAN\Npm\Bin\Zanda.exe
    O23 - Service: Norman Personal Firewall Service (NPFSvc32) - Norman ASA - C:\NORMAN
    pf\bin
    pfsvc32.exe
    O23 - Service: Norman Security service (NPROSECSVC) - Norman ASA - C:\NORMAN\Ngs\Bin\Nprosec.exe
    O23 - Service: Norman Scanner Engine Service (nsesvc) - Norman ASA - C:\NORMAN
    se\bin\NSESVC.EXE
    O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\NORMAN\Nvc\bin
    vcoas.exe
    O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman ASA - C:\NORMAN\Npm\Bin\Nvcsched.exe
    O23 - Service: Norman's Very Own supplY of resources (NVOY) - Norman ASA - C:\NORMAN
    pm\bin
    voy.exe
    O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
    O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe


    End of file - 7777 bytes
  • Start hijackthis en kies voor 'do a system scan only'
    Selecteer alleen de items die hieronder zijn genoemd:

    [b:a4f6b11263]R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:8181[/b:a4f6b11263]


    Sluit alle vensters behalve Hijackthis
    Klik op 'Fix checked' om de items te verwijderen.


    Download combofix.exe van deze site: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
    ComboFix zal wanneer de Recovery Console niet geïnstalleerd is, voorstellen om deze te downloaden en te installeren. Sta dit toe.
    Wanneer de Recovery Console geïnstalleerd is, laat je ComboFix de computer scannen.
    Wanneer ComboFix klaar is, dit kan eventueel na een reboot zijn, opent er een logfile (combofix.txt).
    Post de inhoud van dit bestandje samen met een nieuwe hijackthislog.
  • Hallo Othuroyo (dank voor je reactie)

    ComboFix vroeg overigens niet om een herstart.

    Hierbij de log files:

    ComboFix 09-01-21.02 - NvD 2009-01-22 15:46:31.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1043.18.511.208 [GMT 1:00]
    Gestart vanuit: \\Compu2\marius4\software\ad aware\ComboFix.exe
    AV: Norman Security Suite ver. 7.00 *On-access scanning disabled* (Updated)
    FW: Norman Personal Firewall v. 1.4 *disabled*
    FW: Persoonlijke firewall *disabled*
    * Nieuw herstelpunt werd aangemaakt
    .

    (((((((((((((((((((( Bestanden Gemaakt van 2008-12-22 to 2009-01-22 ))))))))))))))))))))))))))))))
    .

    2009-01-22 15:16 . 2009-01-22 15:16 <DIR> dr-h—– c:\documents and settings\NvD\Onlangs geopend
    2009-01-21 20:35 . 2009-01-21 20:35 <DIR> d——– c:\documents and settings\NvD\Application Data\Malwarebytes
    2009-01-21 20:35 . 2009-01-21 20:35 <DIR> d——– c:\documents and settings\All Users\Application Data\Malwarebytes

    .
    ((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-01-22 13:24 ——— d—–w c:\program files\Spyware Terminator
    2009-01-22 13:24 ——— d—–w c:\documents and settings\NvD\Application Data\Spyware Terminator
    2009-01-18 12:47 ——— d—a-w c:\documents and settings\All Users\Application Data\TEMP
    2009-01-18 12:47 ——— d—–w c:\program files\SpywareBlaster
    2009-01-15 18:08 ——— d—–w c:\documents and settings\NvD\Application Data\FileZilla
    2009-01-15 16:08 ——— d—–w c:\documents and settings\NvD\Application Data\gtk-2.0
    2009-01-04 13:48 ——— d—–w c:\documents and settings\NvD\Application Data\Apple Computer
    2008-12-28 12:05 ——— d—–w c:\program files\Java
    2008-12-06 14:58 ——— d—–w c:\documents and settings\NvD\Application Data\OpenOffice.org
    2008-12-06 14:25 ——— d—–w c:\program files\OpenOffice.org 3
    2008-12-06 14:23 ——— d—–w c:\documents and settings\NvD\Application Data\OpenOffice.org2
    2008-11-16 12:12 5 —-a-w C:\NPF_USER.DAT
    2008-11-10 04:43 410,984 —-a-w c:\windows\system32\deploytk.dll
    2008-10-23 12:43 286,720 —-a-w c:\windows\system32\gdi32.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
    "EPSON Stylus D92 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIBZE.EXE" [2006-09-27 139264]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
    "SpywareTerminator"="c:\program files\Spyware Terminator\SpywareTerminatorShield.exe" [2008-06-21 2957824]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
    "Norman ZANDA"="c:
    orman\Npm\Bin\ZLH.EXE" [2008-06-02 277616]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
    "Ptipbmf"="ptipbmf.dll" [2003-06-20 c:\windows\system32\ptipbmf.dll]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

    c:\documents and settings\NvD\Menu Start\Programma's\Opstarten\
    OpenOffice.org 3.0 .lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-09-12 384000]

    c:\documents and settings\All Users\Menu Start\Programma's\Opstarten\
    Adobe Reader Snelle start.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
    InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2004-05-25 184320]
    TabUserW.exe.lnk - c:\windows\system32\WTablet\TabUserW.exe [2007-07-08 114688]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux2"= wdmaud.sys

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=

    P4 NPFSvc32;Norman Personal Firewall Service;c:
    orman
    pf\bin
    pfsvc32.exe [2008-11-16 597104]
    R0 NDIS_RD;Norman Firewall NDIS driver;c:\windows\system32\drivers
    dis_rd.sys [2006-02-24 79752]
    R1 NPROSEC;Norman Security driver;c:
    orman\Ngs\Bin
    prosec.sys [2008-11-16 53816]
    R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [2008-06-21 138752]
    R1 TDI_RD;Norman Firewall TDI driver;c:\windows\system32\drivers\tdi_rd.sys [2006-02-24 74624]
    R3 nsesvc;Norman Scanner Engine Service;c:
    orman\Nse\bin\Nsesvc.exe [2008-07-06 322616]
    R3 NvcMFlt;NvcMFlt;c:\windows\system32\drivers
    vcw32mf.sys [2007-05-02 19512]
    R3 nvcoas;Norman Virus Control on-access component;c:
    orman\NVC\BIN\Nvcoas.exe [2008-01-25 191544]
    R3 NVCScheduler;Norman Virus Control Scheduler;c:
    orman
    pm\bin
    vcsched.exe [2008-11-16 154680]
    R4 Ndiskio;Ndiskio;c:
    orman\Nse\bin\Ndiskio.sys [2005-01-19 20448]
    R4 NPROSECSVC;Norman Security service;c:
    orman\Ngs\Bin
    prosec.exe [2008-11-16 121912]
    R4 NVOY;Norman's Very Own supplY of resources;c:
    orman
    pm\bin
    voy.exe [2008-11-16 121912]
    S3 nvcfsr;nvcfsr;c:
    orman\NVC\BIN\Nvcfsr.sys [2005-01-19 6712]
    S3 nvcoafl51;nvcoafl51;c:
    orman\NVC\BIN\Nvcoafl51.sys [2005-06-27 30264]
    S3 nvcoaft51;nvcoaft51;c:
    orman\NVC\BIN\Nvcoaft51.sys [2005-06-27 129848]
    S3 nvcoarc51;nvcoarc51;c:
    orman\NVC\BIN\Nvcoarc51.sys [2005-06-27 23224]

    — Andere Services/Drivers In Geheugen —

    *Deregistered* - mchInjDrv
    .
    Inhoud van de 'Gedeelde Taken' map

    2008-12-31 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
    .
    .
    ——- Bijkomende Scan ——-
    .
    uStart Page = hxxp://www.noutweb.com/
    uInternet Settings,ProxyOverride = *.local;<local>
    uInternet Settings,ProxyServer = http=127.0.0.1:8181
    TCP: {BFF0BE82-DCAA-426B-B531-4099FFDD74B0} = 192.168.0.1
    DPF: Microsoft XML Parser for Java
    FF - ProfilePath - c:\documents and settings\NvD\Application Data\Mozilla\Firefox\Profiles\4d7tajdu.default\
    FF - prefs.js: browser.startup.homepage - hxxp://nl.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:nl:official
    FF - component: c:\documents and settings\NvD\Application Data\Mozilla\Firefox\Profiles\4d7tajdu.default\extensions\{6AC85730-7D0F-4de0-B3FA-21142DD85326}\platform\WINNT\components\ColorZilla.dll
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-01-22 15:49:16
    Windows 5.1.2600 Service Pack 3 NTFS

    scannen van verborgen processen …

    scannen van verborgen autostart items …

    scannen van verborgen bestanden …

    Scan succesvol afgerond
    verborgen bestanden: 0

    **************************************************************************
    .
    ——————— DLLs Geladen Onder Lopende Processen ———————

    - - - - - - - > 'winlogon.exe'(808)
    c:\windows\system32\Ati2evxx.dll
    .
    Voltooingstijd: 2009-01-22 15:50:53
    ComboFix-quarantined-files.txt 2009-01-22 14:50:49

    Pre-Run: 14.830.374.912 bytes beschikbaar
    Post-Run: 14,826,565,632 bytes beschikbaar

    WindowsXP-KB310994-SP2-Home-BootDisk-NLD.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

    124


    De volgende Hijackthis

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 15:52:13, on 22-1-2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16762)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\NORMAN\Npm\bin\ELOGSVC.EXE
    C:\NORMAN\Ngs\Bin\Nprosec.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\NORMAN\Npm\Bin\Zanda.exe
    C:\NORMAN
    pm\bin
    voy.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\NORMAN
    pf\bin
    pfsvc32.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Spyware Terminator\sp_rsser.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Tablet.exe
    C:\WINDOWS\System32\wdfmgr.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
    C:\NORMAN\Npm\Bin\ZLH.EXE
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    C:\WINDOWS\system32\WTablet\TabUserW.exe
    C:\Program Files\OpenOffice.org 3\program\soffice.exe
    C:\Program Files\OpenOffice.org 3\program\soffice.bin
    C:\NORMAN\Npm\Bin\Nvcsched.exe
    C:\NORMAN\Npm\Bin\Njeeves.exe
    C:\NORMAN
    se\bin\NSESVC.EXE
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\NORMAN\Nvc\bin
    vcoas.exe
    C:\NORMAN\Nvc\Bin\Nip.exe
    C:\NORMAN\Nvc\Bin\cclaw.exe
    C:\NORMAN
    pf\bin
    pfuser.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\System32\wbem\wmiprvse.exe
    E:\mambam\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.noutweb.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:8181
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
    O4 - HKLM\..\Run: [Norman ZANDA] "C:\NORMAN\Npm\Bin\ZLH.EXE" /LOAD /SPLASH
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
    O4 - HKCU\..\Run: [EPSON Stylus D92 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBZE.EXE /FU "C:\WINDOWS\TEMP\E_S83.tmp" /EF "HKCU"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O4 - Startup: OpenOffice.org 3.0 .lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
    O4 - Global Startup: Adobe Reader Snelle start.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.aragorn.nl
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O17 - HKLM\System\CCS\Services\Tcpip\..\{BFF0BE82-DCAA-426B-B531-4099FFDD74B0}: NameServer = 192.168.0.1
    O23 - Service: Mobiel Apple apparaat (Apple Mobile Device) - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
    O23 - Service: Norman eLogger service 6 (eLoggerSvc6) - Norman ASA - C:\NORMAN\Npm\bin\ELOGSVC.EXE
    O23 - Service: iPod-service (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Norman NJeeves - Norman ASA - C:\NORMAN\Npm\Bin\Njeeves.exe
    O23 - Service: Norman ZANDA - Norman ASA - C:\NORMAN\Npm\Bin\Zanda.exe
    O23 - Service: Norman Personal Firewall Service (NPFSvc32) - Norman ASA - C:\NORMAN
    pf\bin
    pfsvc32.exe
    O23 - Service: Norman Security service (NPROSECSVC) - Norman ASA - C:\NORMAN\Ngs\Bin\Nprosec.exe
    O23 - Service: Norman Scanner Engine Service (nsesvc) - Norman ASA - C:\NORMAN
    se\bin\NSESVC.EXE
    O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\NORMAN\Nvc\bin
    vcoas.exe
    O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman ASA - C:\NORMAN\Npm\Bin\Nvcsched.exe
    O23 - Service: Norman's Very Own supplY of resources (NVOY) - Norman ASA - C:\NORMAN
    pm\bin
    voy.exe
    O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
    O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe


    End of file - 7270 bytes
  • Hallo Othuroyo

    Ik zag dat deze opnieuw in de logfile stond:

    [b:997cc01b21]R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:8181[/b:997cc01b21]

    Heb dit opnieuw "gefixed" maar dit blijft terug komen
  • Dat zou heel goed kunnen, voer dit eens uit:

    Klik in het menu Extra op Internet-opties.
    Klik op het tabblad Geavanceerd op Reset.
    Klik in het dialoogvenster Reset Internet Explorer Settings op Reset.
    Wanneer de standaardinstellingen van Internet Explorer 7 zijn hersteld, klikt u op Sluiten en vervolgens tweemaal op OK.
    Sluit Internet Explorer 7. De wijzigingen worden doorgevoerd wanneer u Internet Explorer 7 de volgende keer opent.


    En plaats daarna een nieuw hijackthis logje.
  • Bij deze:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:35:01, on 23-1-2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16762)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\NORMAN\Npm\bin\ELOGSVC.EXE
    C:\NORMAN\Ngs\Bin\Nprosec.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\NORMAN\Npm\Bin\Zanda.exe
    C:\NORMAN
    pm\bin
    voy.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\NORMAN
    pf\bin
    pfsvc32.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Spyware Terminator\sp_rsser.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Tablet.exe
    C:\WINDOWS\System32\wdfmgr.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
    C:\NORMAN\Npm\Bin\ZLH.EXE
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    C:\WINDOWS\system32\WTablet\TabUserW.exe
    C:\Program Files\OpenOffice.org 3\program\soffice.exe
    C:\Program Files\OpenOffice.org 3\program\soffice.bin
    C:\NORMAN\Npm\Bin\Nvcsched.exe
    C:\NORMAN\Npm\Bin\Njeeves.exe
    C:\NORMAN
    se\bin\NSESVC.EXE
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\NORMAN\Nvc\bin
    vcoas.exe
    C:\NORMAN\Nvc\Bin\Nip.exe
    C:\NORMAN\Nvc\Bin\cclaw.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\wuauclt.exe
    E:\mambam\HijackThis.exe
    C:\WINDOWS\System32\wbem\wmiprvse.exe
    C:\WINDOWS\System32\wbem\wmiprvse.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
    O4 - HKLM\..\Run: [Norman ZANDA] "C:\NORMAN\Npm\Bin\ZLH.EXE" /LOAD /SPLASH
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
    O4 - HKCU\..\Run: [EPSON Stylus D92 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBZE.EXE /FU "C:\WINDOWS\TEMP\E_S83.tmp" /EF "HKCU"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O4 - Startup: OpenOffice.org 3.0 .lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
    O4 - Global Startup: Adobe Reader Snelle start.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.aragorn.nl
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O17 - HKLM\System\CCS\Services\Tcpip\..\{BFF0BE82-DCAA-426B-B531-4099FFDD74B0}: NameServer = 192.168.0.1
    O23 - Service: Mobiel Apple apparaat (Apple Mobile Device) - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
    O23 - Service: Norman eLogger service 6 (eLoggerSvc6) - Norman ASA - C:\NORMAN\Npm\bin\ELOGSVC.EXE
    O23 - Service: iPod-service (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Norman NJeeves - Norman ASA - C:\NORMAN\Npm\Bin\Njeeves.exe
    O23 - Service: Norman ZANDA - Norman ASA - C:\NORMAN\Npm\Bin\Zanda.exe
    O23 - Service: Norman Personal Firewall Service (NPFSvc32) - Norman ASA - C:\NORMAN
    pf\bin
    pfsvc32.exe
    O23 - Service: Norman Security service (NPROSECSVC) - Norman ASA - C:\NORMAN\Ngs\Bin\Nprosec.exe
    O23 - Service: Norman Scanner Engine Service (nsesvc) - Norman ASA - C:\NORMAN
    se\bin\NSESVC.EXE
    O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\NORMAN\Nvc\bin
    vcoas.exe
    O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman ASA - C:\NORMAN\Npm\Bin\Nvcsched.exe
    O23 - Service: Norman's Very Own supplY of resources (NVOY) - Norman ASA - C:\NORMAN
    pm\bin
    voy.exe
    O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
    O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe


    End of file - 7218 bytes
  • Hoe staat het met de problemen?

    Download combofix.exe van deze site: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
    ComboFix zal wanneer de Recovery Console niet geïnstalleerd is, voorstellen om deze te downloaden en te installeren. Sta dit toe.
    Wanneer de Recovery Console geïnstalleerd is, laat je ComboFix de computer scannen.
    Wanneer ComboFix klaar is, dit kan eventueel na een reboot zijn, opent er een logfile (combofix.txt).
    Post de inhoud van dit bestandje
  • Deze had ik gisteren al gedaan. Volgens mij is nu alles oke

    Graag nog een bevestiging

    ComboFix 09-01-21.04 - NvD 2009-01-23 13:57:27.3 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1043.18.511.130 [GMT 1:00]
    Gestart vanuit: \\Compu2\marius4\software\ad aware\ComboFix.exe
    AV: Norman Security Suite ver. 7.00 *On-access scanning disabled* (Updated)
    FW: Norman Personal Firewall v. 1.4 *disabled*
    FW: Persoonlijke firewall *disabled*
    .

    (((((((((((((((((((( Bestanden Gemaakt van 2008-12-23 to 2009-01-23 ))))))))))))))))))))))))))))))
    .

    2009-01-23 12:13 . 2009-01-23 12:13 <DIR> dr-h—– c:\documents and settings\NvD\Onlangs geopend

    .
    ((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-01-22 13:24 ——— d—–w c:\program files\Spyware Terminator
    2009-01-22 13:24 ——— d—–w c:\documents and settings\NvD\Application Data\Spyware Terminator
    2009-01-18 12:47 ——— d—a-w c:\documents and settings\All Users\Application Data\TEMP
    2009-01-18 12:47 ——— d—–w c:\program files\SpywareBlaster
    2009-01-15 18:08 ——— d—–w c:\documents and settings\NvD\Application Data\FileZilla
    2009-01-15 16:08 ——— d—–w c:\documents and settings\NvD\Application Data\gtk-2.0
    2009-01-04 13:48 ——— d—–w c:\documents and settings\NvD\Application Data\Apple Computer
    2008-12-28 12:05 ——— d—–w c:\program files\Java
    2008-12-11 10:57 333,952 —-a-w c:\windows\system32\drivers\srv.sys
    2008-12-06 14:58 ——— d—–w c:\documents and settings\NvD\Application Data\OpenOffice.org
    2008-12-06 14:25 ——— d—–w c:\program files\OpenOffice.org 3
    2008-11-16 12:12 5 —-a-w C:\NPF_USER.DAT
    2008-11-10 04:43 410,984 —-a-w c:\windows\system32\deploytk.dll
    2008-10-23 12:43 286,720 —-a-w c:\windows\system32\gdi32.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
    "EPSON Stylus D92 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIBZE.EXE" [2006-09-27 139264]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
    "SpywareTerminator"="c:\program files\Spyware Terminator\SpywareTerminatorShield.exe" [2008-06-21 2957824]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
    "Norman ZANDA"="c:
    orman\Npm\Bin\ZLH.EXE" [2008-06-02 277616]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
    "Ptipbmf"="ptipbmf.dll" [2003-06-20 c:\windows\system32\ptipbmf.dll]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

    c:\documents and settings\NvD\Menu Start\Programma's\Opstarten\
    OpenOffice.org 3.0 .lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-09-12 384000]

    c:\documents and settings\All Users\Menu Start\Programma's\Opstarten\
    Adobe Reader Snelle start.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
    InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2004-05-25 184320]
    TabUserW.exe.lnk - c:\windows\system32\WTablet\TabUserW.exe [2007-07-08 114688]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux2"= wdmaud.sys

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=

    P4 NPFSvc32;Norman Personal Firewall Service;c:
    orman
    pf\bin
    pfsvc32.exe [2008-11-16 597104]
    R0 NDIS_RD;Norman Firewall NDIS driver;c:\windows\system32\drivers
    dis_rd.sys [2006-02-24 79752]
    R1 NPROSEC;Norman Security driver;c:
    orman\Ngs\Bin
    prosec.sys [2008-11-16 53816]
    R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [2008-06-21 138752]
    R1 TDI_RD;Norman Firewall TDI driver;c:\windows\system32\drivers\tdi_rd.sys [2006-02-24 74624]
    R3 nsesvc;Norman Scanner Engine Service;c:
    orman\Nse\bin\Nsesvc.exe [2008-07-06 322616]
    R3 NvcMFlt;NvcMFlt;c:\windows\system32\drivers
    vcw32mf.sys [2007-05-02 19512]
    R3 nvcoas;Norman Virus Control on-access component;c:
    orman\NVC\BIN\Nvcoas.exe [2008-01-25 191544]
    R3 NVCScheduler;Norman Virus Control Scheduler;c:
    orman
    pm\bin
    vcsched.exe [2008-11-16 154680]
    R4 Ndiskio;Ndiskio;c:
    orman\Nse\bin\Ndiskio.sys [2005-01-19 20448]
    R4 NPROSECSVC;Norman Security service;c:
    orman\Ngs\Bin
    prosec.exe [2008-11-16 121912]
    R4 NVOY;Norman's Very Own supplY of resources;c:
    orman
    pm\bin
    voy.exe [2008-11-16 121912]
    S3 nvcfsr;nvcfsr;c:
    orman\NVC\BIN\Nvcfsr.sys [2005-01-19 6712]
    S3 nvcoafl51;nvcoafl51;c:
    orman\NVC\BIN\Nvcoafl51.sys [2005-06-27 30264]
    S3 nvcoaft51;nvcoaft51;c:
    orman\NVC\BIN\Nvcoaft51.sys [2005-06-27 129848]
    S3 nvcoarc51;nvcoarc51;c:
    orman\NVC\BIN\Nvcoarc51.sys [2005-06-27 23224]

    — Andere Services/Drivers In Geheugen —

    *Deregistered* - mchInjDrv
    .
    Inhoud van de 'Gedeelde Taken' map

    2008-12-31 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
    .
    .
    ——- Bijkomende Scan ——-
    .
    uStart Page = about:blank
    uInternet Settings,ProxyOverride = *.local;<local>
    TCP: {BFF0BE82-DCAA-426B-B531-4099FFDD74B0} = 192.168.0.1
    DPF: Microsoft XML Parser for Java
    FF - ProfilePath - c:\documents and settings\NvD\Application Data\Mozilla\Firefox\Profiles\4d7tajdu.default\
    FF - prefs.js: browser.startup.homepage - hxxp://nl.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:nl:official
    FF - component: c:\documents and settings\NvD\Application Data\Mozilla\Firefox\Profiles\4d7tajdu.default\extensions\{6AC85730-7D0F-4de0-B3FA-21142DD85326}\platform\WINNT\components\ColorZilla.dll
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-01-23 13:58:59
    Windows 5.1.2600 Service Pack 3 NTFS

    scannen van verborgen processen …

    scannen van verborgen autostart items …

    scannen van verborgen bestanden …

    Scan succesvol afgerond
    verborgen bestanden: 0

    **************************************************************************
    .
    ——————— DLLs Geladen Onder Lopende Processen ———————

    - - - - - - - > 'winlogon.exe'(808)
    c:\windows\system32\Ati2evxx.dll
    .
    Voltooingstijd: 2009-01-23 14:00:23
    ComboFix-quarantined-files.txt 2009-01-23 13:00:20

    Pre-Run: 14.979.104.768 bytes beschikbaar
    Post-Run: 14,968,967,168 bytes beschikbaar

    WindowsXP-KB310994-SP2-Home-BootDisk-NLD.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

    120
  • is dit nog van belang?

    *Deregistered* - mchInjDrv
  • Alles is nu in orde.

    Doe nog even dit:


    Download ATF cleaner (mirror)(gemaakt door Atribune)

    Belangrijk: Sluit al je browservensters(IE en/of Firefox en/of Opera) om de tool goed te kunnen laten werken.

    Dubbelklik op

    ATF cleaner om het programma te starten.
    Op het tabblad Main, plaats je een vinkje bij Select All.
    Klik op de knop Empty Selected.

    Het volgende doen als je ook FireFox als browser hebt:

    Klik op tabblad Firefox, plaats een vinkje bij Select All.
    Wil je de door Firefox opgeslagen wachtwoorden behouden, dan klik je in het venster dat verschijnt op No.
    (dit haalt het vinkje weer weg bij Firefox saved passwords)
    Klik op de knop Empty Selected.

    Het volgende doen als je ook Opera als browser hebt:

    Klik op tabblad Opera, plaats een vinkje bij Select All.
    Wil je de door Opera opgeslagen wachtwoorden behouden, dan klik je in het venster dat verschijnt op No.
    Klik op de knop Empty Selected.
    Ga naar het tabblad Main en klik op de knop Exit om het programma af te sluiten.3. Je mag alle gebruikte tools en aangemaakte mappen terug verwijderen.(ComboFix doormiddel van start->uitvoeren en dan ComboFix /U typen en vervolgens op enter drukken)


    - Ga naar Start/Alle programma's/Bureau-accessoires/Systeemwerkset/Systeemherstel.
    - Klik in de linkerhelft van het venster op "Instellingen van systeemherstel".
    - Zet een vinkje voor "Systeemherstel uitschakelen".
    - Klik "Toepassen".
    - Windows vraagt of je dat zeker weet.
    - Klik "Ja".
    - Klik "OK".
    - Start de pc opnieuw op.
    - Ga weer naar Start/Alle programma's/Bureau-accessoires/Systeemwerkset/Systeemherstel.
    - Je krijgt de melding: "Systeemherstel is uitgeschakeld. Wilt u systeemherstel nu inschakelen?"
    - Klik "Ja".
    - Verwijder het vinkje voor "Systeemherstel uitschakelen".
    - Klik "Toepassen".
    - Klik "OK".
    - Start de pc opnieuw op
    - Er is nu een nieuw schoon herstel punt aangemaakt
  • is die AFT hetzelfde als CCleaner ?
  • Ja, als je CCleaner wil gebruiken is dat ook goed :wink:
  • Othuroyo

    Hartelijk dank voor je hulp :wink:

Beantwoord deze vraag

Dit is een gearchiveerde pagina. Antwoorden is niet meer mogelijk.