
Infection, help needed

15 replies
  • Hello,

    An "anti-virus scanner" I didn't recognise (sysguard?) suddenly appeared on screen.

    I tried to stop as many processes as possible and then ran MBAM.

    Would someone check these log files for me?

    Thanks in advance.

    First the MBAM log:

    Malwarebytes' Anti-Malware 1.34
    Database versie: 1824
    Windows 5.1.2600 Service Pack 3

    6-3-2009 13:20:04
    mbam-log-2009-03-06 (13-20-04).txt

    Scan type: Snelle Scan
    Objecten gescand: 65071
    Verstreken tijd: 4 minute(s), 10 second(s)

    Geheugenprocessen geïnfecteerd: 1
    Geheugenmodulen geïnfecteerd: 0
    Registersleutels geïnfecteerd: 1
    Registerwaarden geïnfecteerd: 1
    Registerdata bestanden geïnfecteerd: 2
    Mappen geïnfecteerd: 0
    Bestanden geïnfecteerd: 2

    Geheugenprocessen geïnfecteerd:
    C:\WINDOWS\sysguard.exe (Trojan.Agent) -> Unloaded process successfully.

    Geheugenmodulen geïnfecteerd:
    (Geen kwaadaardige items gevonden)

    Registersleutels geïnfecteerd:
    HKEY_CLASSES_ROOT\CLSID\{c9c42510-9b21-41c1-9dcd-8382a2d07c61} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

    Registerwaarden geïnfecteerd:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\system tool (Trojan.Agent) -> Quarantined and deleted successfully.

    Registerdata bestanden geïnfecteerd:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.

    Mappen geïnfecteerd:
    (Geen kwaadaardige items gevonden)

    Bestanden geïnfecteerd:
    C:\WINDOWS\system32\iehelper.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\WINDOWS\sysguard.exe (Trojan.Agent) -> Delete on reboot.


    HijackThis log file after MBAM had done its work:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 13:27:26, on 6-3-2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16791)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\Program Files\Norman\Npm\Bin\Elogsvc.exe
    C:\Program Files\Norman\Ngs\Bin\Nprosec.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Norman\Npm\Bin\Zanda.exe
    C:\Program Files\Norman\npm\bin\nvoy.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Norman\npf\bin\npfsvc32.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\ScanSoft\OmniPagePro12.0\Opware12.exe
    C:\Program Files\Norman\Npm\Bin\ZLH.EXE
    C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    C:\Program Files\Lavasoft\Ad-Aware\Ad-Watch.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\UPHClean\uphclean.exe
    C:\Program Files\Norman\Npm\Bin\Nvcsched.exe
    C:\Program Files\Norman\Npm\Bin\Njeeves.exe
    C:\Program Files\Norman\nse\bin\NSESVC.EXE
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Norman\Nvc\Bin\nvcoas.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Norman\Nvc\Bin\Nip.exe
    C:\Program Files\Norman\Nvc\Bin\cclaw.exe
    C:\Program Files\Norman\npf\bin\npfuser.exe
    C:\WINDOWS\System32\wbem\wmiprvse.exe
    H:\software\ad aware\hijackthis\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://eu.ixquick.com/ned/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [SetCacheMode] Rundll32.exe ptipbmf.dll,SetWriteCacheMode
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Opware12] "C:\Program Files\ScanSoft\OmniPagePro12.0\Opware12.exe"
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [Norman ZANDA] "C:\Program Files\Norman\Npm\Bin\ZLH.EXE" /LOAD /SPLASH
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\Ad-Watch.exe
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C17F52E8-0B2A-45D4-A22F-613BCAFA2693}: NameServer = 192.168.1.254
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: Norman eLogger service 6 (eLoggerSvc6) - Norman ASA - C:\Program Files\Norman\Npm\Bin\Elogsvc.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Norman NJeeves - Norman ASA - C:\Program Files\Norman\Npm\Bin\Njeeves.exe
    O23 - Service: Norman ZANDA - Norman ASA - C:\Program Files\Norman\Npm\Bin\Zanda.exe
    O23 - Service: Norman Personal Firewall Service (NPFSvc32) - Norman ASA - C:\Program Files\Norman\npf\bin\npfsvc32.exe
    O23 - Service: Norman Security service (NPROSECSVC) - Norman ASA - C:\Program Files\Norman\Ngs\Bin\Nprosec.exe
    O23 - Service: Norman Scanner Engine Service (nsesvc) - Norman ASA - C:\Program Files\Norman\nse\bin\NSESVC.EXE
    O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Program Files\Norman\Nvc\Bin\nvcoas.exe
    O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman ASA - C:\Program Files\Norman\Npm\Bin\Nvcsched.exe
    O23 - Service: Norman Resource Provider (NVOY) - Norman ASA - C:\Program Files\Norman\npm\bin\nvoy.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: xControlCOM - Siemens - C:\Program Files\Gigaset\talk&surf 5.1\xControlCOM.exe


    End of file - 6950 bytes
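The MBAM log in the post above lists each finding as `object (detection) -> action`, with an extra `Data:` field for registry data. As an added example, not part of this post or of Malwarebytes, the following Python turns those lines into records and reports what still needs attention after the scan: items MBAM could only schedule for deletion on reboot, and hits in logon-persistence locations (the Run key and Winlogon\Userinit). The line grammar, the persistence marker list and the triage rules are assumptions of the example; the sample lines are copied from the log.

```python
"""Turn a Malwarebytes' Anti-Malware (MBAM) 1.x log into structured findings.

Added example, not part of the forum post or of MBAM. The sample lines are
copied from the (Dutch-localised) MBAM log in the thread; the item grammar,
the persistence markers and the triage rules are this example's own assumptions.
"""
import re
from dataclasses import dataclass

# Detail sections of the MBAM log from the first post (sample input, copied from the thread).
SAMPLE_MBAM_LOG = r"""
Geheugenprocessen geïnfecteerd:
C:\WINDOWS\sysguard.exe (Trojan.Agent) -> Unloaded process successfully.

Geheugenmodulen geïnfecteerd:
(Geen kwaadaardige items gevonden)

Registersleutels geïnfecteerd:
HKEY_CLASSES_ROOT\CLSID\{c9c42510-9b21-41c1-9dcd-8382a2d07c61} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registerwaarden geïnfecteerd:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\system tool (Trojan.Agent) -> Quarantined and deleted successfully.

Registerdata bestanden geïnfecteerd:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.

Bestanden geïnfecteerd:
C:\WINDOWS\system32\iehelper.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\sysguard.exe (Trojan.Agent) -> Delete on reboot.
"""

# One finding per line: "<object> (<detection>) -> [Data: <value> -> ]<action>"
ITEM_RE = re.compile(
    r"^(?P<obj>.+?) \((?P<det>[\w.]+)\) -> (?:Data: (?P<data>.+?) -> )?(?P<action>.+)$"
)

# Registry locations that re-launch code at logon (assumption of this example,
# chosen from the keys MBAM flagged in the thread plus RunOnce).
PERSISTENCE_MARKERS = ("\\winlogon\\", "\\currentversion\\run\\", "\\currentversion\\runonce\\")


@dataclass
class Finding:
    section: str      # MBAM section header the line appeared under
    obj: str          # process, registry key/value or file path
    detection: str    # MBAM detection name, e.g. Trojan.Agent
    action: str       # what MBAM did with it
    data: str = ""    # registry data, only for "Registerdata" items


def parse_mbam(text: str) -> list:
    findings, section = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":") and " -> " not in line:
            section = line[:-1]          # a section header such as "Bestanden geïnfecteerd"
            continue
        m = ITEM_RE.match(line)
        if m:  # "(Geen kwaadaardige items gevonden)" has no " -> " and is skipped
            findings.append(Finding(section, m["obj"], m["det"], m["action"], m["data"] or ""))
    return findings


def is_persistence(f: Finding) -> bool:
    return any(marker in f.obj.lower() for marker in PERSISTENCE_MARKERS)


def triage(findings: list) -> dict:
    """Summarise what still needs attention after the scan."""
    return {
        # MBAM could not act yet: the file stays on disk until the reboot happens
        "pending_reboot": [f.obj for f in findings if "successfully" not in f.action.lower()],
        # logon-time persistence: worth re-checking after the reboot
        "persistence": [f.obj for f in findings if is_persistence(f)],
        "detections": sorted({f.detection for f in findings}),
    }


if __name__ == "__main__":
    result = triage(parse_mbam(SAMPLE_MBAM_LOG))
    for key, items in result.items():
        print(f"{key}:")
        for item in items:
            print(f"  {item}")
```

To use it on a real scan, read a saved `mbam-log-*.txt` into `parse_mbam`. On the sample above it reports `sysguard.exe` as pending reboot and two persistence hits (the `Run\system tool` value and `Winlogon\Userinit`), which is the short list a helper would want to re-verify in the next HijackThis or ComboFix log.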
  • Download Combofix to your Desktop and use it according to this guide.
    NOTE: if you get an alert from your antivirus or another real-time scanner during or after downloading Combofix, or while using Combofix, disable that scanner and download Combofix again.
    Some scanners treat certain components Combofix uses as suspicious and will block or remove them!
    - Double-click Combofix.exe to start it.
    - If you have used Combofix before, you may get a warning that an update is available. Allow ComboFix to be updated.
    - Click OK in the "NirCmd" window.
    - Afterwards, click Yes to start the malware scan.
    - While the fix is running, do NOT click in the window, as this will make your PC hang.
    - When the fix has finished and after the restart, the log Combofix.txt will open.
    Post this log in your next reply.
  • Hello

    Here is the requested log:

    ComboFix 09-03-04.01 - eigenaar 2009-03-06 18:00:31.7 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1043.18.511.223 [GMT 1:00]
    Gestart vanuit: c:\documents and settings\eigenaar\Bureaublad\ComboFix.exe
    AV: Norman Security Suite ver. 7.00 *On-access scanning disabled* (Updated)
    FW: Norman Personal Firewall v. 1.4 *disabled*
    FW: Persoonlijke firewall *disabled*
    * Nieuw herstelpunt werd aangemaakt
    .

    (((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
    c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

    ----- BITS: Mogelijk geïnfecteerde sites -----

    hxxp://vestepau.cn
    .
    (((((((((((((((((((( Bestanden Gemaakt van 2009-02-06 to 2009-03-06 ))))))))))))))))))))))))))))))
    .

    2009-03-06 15:04 . 2009-03-06 15:22 <DIR> dr-h----- c:\documents and settings\eigenaar\Onlangs geopend
    2009-03-06 13:11 . 2009-03-06 13:11 <DIR> d-------- c:\documents and settings\eigenaar\Application Data\Malwarebytes
    2009-03-06 13:11 . 2009-03-06 13:11 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-03-06 13:11 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
    2009-03-06 13:11 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
    2009-03-06 12:30 . 2008-04-14 18:03 26,112 --a------ c:\windows\system32\stu2.exe
    2009-02-27 11:12 . 2004-08-04 01:03 578,560 --a------ c:\windows\system32\user32.dll
    2009-02-25 21:43 . 2009-02-26 13:34 <DIR> d--hs---- c:\windows\system32\lowsec

    .
    ((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-03-06 14:09 --------- d-----w c:\program files\Norman
    2009-03-06 11:30 17,920 ---ha-w c:\windows\system32\userinit.exe
    2009-02-27 16:21 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
    2009-02-22 15:20 --------- d-----w c:\documents and settings\eigenaar\Application Data\AdobeUM
    2009-02-05 14:56 --------- d-----w c:\program files\SpywareBlaster
    2009-01-22 11:41 19,512 ----a-w c:\windows\system32\drivers\nvcw32mf.sys
    2009-01-14 14:17 --------- d-----w c:\program files\Barcode Maker 5
    2008-12-20 23:03 826,368 ----a-w c:\windows\system32\wininet.dll
    2008-09-24 12:08 18,536 ----a-w c:\documents and settings\eigenaar\Application Data\GDIPFONTCACHEV1.DAT
    2008-09-19 19:06 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\Geschiedenis\History.IE5\MSHist012008091920080920\index.dat
    .

    ------- Sigcheck -------

    2008-04-14 18:03 26112 6818a533ed3b2fa9936df3daf45352df c:\windows\ServicePackFiles\i386\userinit.exe
    2009-03-06 12:30 17920 3d2deea032afd945261542b345733a5f c:\windows\system32\userinit.exe
    .
    ((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2003-06-05 77824]
    "Opware12"="c:\program files\ScanSoft\OmniPagePro12.0\Opware12.exe" [2002-08-01 49152]
    "NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-05-02 4640768]
    "Norman ZANDA"="c:\program files\Norman\Npm\Bin\ZLH.EXE" [2009-02-11 187504]
    "NeroCheck"="c:\windows\System32\NeroCheck.exe" [2001-07-09 155648]
    "Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\Ad-Watch.exe" [2008-06-21 2468200]
    "SoundMan"="SOUNDMAN.EXE" [2002-10-16 c:\windows\SOUNDMAN.EXE]
    "SetCacheMode"="ptipbmf.dll" [2003-01-18 c:\windows\system32\ptipbmf.dll]
    "nwiz"="nwiz.exe" [2003-05-02 c:\windows\system32\nwiz.exe]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

    c:\documents and settings\All Users\Menu Start\Programma's\Opstarten\
    Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-10-24 217194]
    Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2003-06-05 110592]

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=

    P2 NPFSvc32;Norman Personal Firewall Service;c:\program files\Norman\Npf\Bin\npfsvc32.exe [2008-11-19 597104]
    R0 NDIS_RD;Norman Firewall NDIS driver;c:\windows\system32\drivers\ndis_rd.sys [2008-11-19 79752]
    R1 NPROSEC;Norman Security driver;c:\program files\Norman\Ngs\Bin\nprosec.sys [2008-11-19 53816]
    R1 TDI_RD;Norman Firewall TDI driver;c:\windows\system32\drivers\tdi_rd.sys [2008-11-19 74624]
    R2 Ndiskio;Ndiskio;c:\program files\Norman\Nse\Bin\Ndiskio.sys [2008-11-19 20448]
    R2 NPROSECSVC;Norman Security service;c:\program files\Norman\Ngs\Bin\nprosec.exe [2008-11-19 121912]
    R2 NVOY;Norman Resource Provider;c:\program files\Norman\Npm\Bin\nvoy.exe [2008-11-19 126008]
    R3 Gigusb;Dect USB Driver;c:\windows\system32\drivers\Gigusb.sys [2003-06-04 59070]
    R3 HRCMPA;ISDN Wan driver (Ver. 1.10.0021);c:\windows\system32\drivers\hrcmpa.sys [2003-06-04 253648]
    R3 IUAPIWDM;ISDN USB Interface (Ver. 1.10.0021);c:\windows\system32\drivers\IUAPIWDM.sys [2003-06-04 49344]
    R3 nsesvc;Norman Scanner Engine Service;c:\program files\Norman\Nse\Bin\Nsesvc.exe [2009-01-28 183352]
    R3 NvcMFlt;NvcMFlt;c:\windows\system32\drivers\nvcw32mf.sys [2008-11-19 19512]
    R3 nvcoas;Norman Virus Control on-access component;c:\program files\Norman\nvc\bin\Nvcoas.exe [2008-11-19 195640]
    R3 NVCScheduler;Norman Virus Control Scheduler;c:\program files\Norman\Npm\Bin\nvcsched.exe [2008-11-19 154680]
    R3 siellif;siellif;c:\windows\system32\drivers\siellif.sys [2003-06-04 115856]
    S1 NGS;Norman General Security Driver;c:\program files\Norman\Ngs\Bin\ngs.sys [2009-02-27 22712]
    S1 smnstrns;smnstrns;\SystemRoot\System\smnstrns.sys --> \SystemRoot\System\smnstrns.sys [?]
    S3 FCUSB;Freecom Cable II USB Driver;c:\windows\system32\drivers\FCUSB.sys [2001-11-29 13104]
    S3 Ndisprot;ArcNet NDIS Protocol Driver;\??\c:\windows\system32\drivers\Ndisprot.sys --> c:\windows\system32\drivers\Ndisprot.sys [?]
    S3 PfsTape;1Vision Tape Drive;c:\windows\system32\DRIVERS\PfsTape.sys --> c:\windows\system32\DRIVERS\PfsTape.sys [?]
    S3 sc2k;sc2k;c:\windows\system32\drivers\sc2k.sys [2004-02-08 21536]
    S3 scsiscan;Stuurprogramma voor SCSI-scanner;c:\windows\system32\drivers\scsiscan.sys [2003-06-05 11520]
    S3 xControlCOM;xControlCOM;c:\program files\Gigaset\talk&surf 5.1\xControlCOM.exe [2003-01-24 339968]

    --- Andere Services/Drivers In Geheugen ---

    *NewlyCreated* - AD-WATCH_REAL-TIME_SCANNER
    *NewlyCreated* - AD-WATCH_REGISTRY_FILTER
    *Deregistered* - Ad-Watch Real-Time Scanner
    *Deregistered* - Ad-Watch Registry Filter
    *Deregistered* - mchInjDrv
    *Deregistered* - uphcleanhlp
    .
    .
    ------- Bijkomende Scan -------
    .
    uStart Page = hxxp://eu.ixquick.com/ned/
    IE: E&xporteren naar Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
    TCP: {C17F52E8-0B2A-45D4-A22F-613BCAFA2693} = 192.168.1.254
    DPF: DirectAnimation Java Classes
    DPF: Microsoft XML Parser for Java
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-03-06 18:02:42
    Windows 5.1.2600 Service Pack 3 NTFS

    scannen van verborgen processen ...

    scannen van verborgen autostart items ...

    scannen van verborgen bestanden ...

    Scan succesvol afgerond
    verborgen bestanden: 0

    **************************************************************************
    .
    Voltooingstijd: 2009-03-06 18:04:32
    ComboFix-quarantined-files.txt 2009-03-06 17:04:28

    Pre-Run: 36.573.278.208 bytes beschikbaar
    Post-Run: 36,562,956,288 bytes beschikbaar

    124 --- E O F --- 2008-06-21 17:41:40
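The Sigcheck section of the ComboFix log above shows two lines for userinit.exe: the reference copy under ServicePackFiles\i386 and the live copy in system32, each with timestamp, size and MD5. The two differ in size (26112 versus 17920 bytes) and hash, and the live copy is dated the day of the infection. As an added example, not part of the thread or of ComboFix, this Python parses that section and flags any live system file whose hash matches none of its reference copies. The userinit.exe lines are copied from the log; the winlogon.exe pair, its sizes and its all-zero hashes are constructed to show the matching case, and the list of reference directories is an assumption of the example.

```python
"""Cross-check ComboFix 'Sigcheck' entries against Windows' own reference copies.

Added example, not part of the thread or of ComboFix. The two userinit.exe
lines are copied from the ComboFix log in the thread; the winlogon.exe pair,
its sizes and its hashes are constructed here to show the matching case.
"""
import re
from collections import defaultdict

# Sample input: the Sigcheck section as ComboFix prints it, followed by the
# start of the next section so the parser knows where to stop.
SAMPLE_SIGCHECK = r"""
------- Sigcheck -------

2008-04-14 18:03 26112 6818a533ed3b2fa9936df3daf45352df c:\windows\ServicePackFiles\i386\userinit.exe
2009-03-06 12:30 17920 3d2deea032afd945261542b345733a5f c:\windows\system32\userinit.exe
2008-04-14 18:03 507904 00000000000000000000000000000000 c:\windows\ServicePackFiles\i386\winlogon.exe
2008-04-14 18:03 507904 00000000000000000000000000000000 c:\windows\system32\winlogon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
"""

# "<YYYY-MM-DD HH:MM> <size> <md5> <path>"
ENTRY_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) (?P<size>\d+) (?P<md5>[0-9a-f]{32}) (?P<path>.+)$"
)

# Directories where Windows XP keeps pristine copies of system binaries
# (assumption of this example; ServicePackFiles\i386 is the one the log shows).
REFERENCE_DIRS = ("\\servicepackfiles\\i386\\", "\\system32\\dllcache\\")


def parse_sigcheck(text: str) -> list:
    """Return the entries between the Sigcheck header and the next ComboFix section."""
    entries, inside = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("-") and "sigcheck" in line.lower():
            inside = True
            continue
        if inside and line.startswith("(((("):   # next "(((( ... ))))" section header
            break
        m = ENTRY_RE.match(line) if inside else None
        if m:
            entries.append({"ts": m["ts"], "size": int(m["size"]), "md5": m["md5"], "path": m["path"]})
    return entries


def compare_with_reference(entries: list) -> dict:
    """Pair each live copy with the reference copies of the same file name."""
    groups = defaultdict(lambda: {"reference": [], "live": []})
    for e in entries:
        low = e["path"].lower()
        name = low.rsplit("\\", 1)[-1]
        kind = "reference" if any(d in low for d in REFERENCE_DIRS) else "live"
        groups[name][kind].append(e)

    verdicts = {}
    for name, g in groups.items():
        ref_md5 = {r["md5"] for r in g["reference"]}
        ref_size = g["reference"][0]["size"] if g["reference"] else None
        for live in g["live"]:
            if not ref_md5:
                verdict = "no-reference"          # nothing to compare against
            elif live["md5"] in ref_md5:
                verdict = "matches-reference"     # identical to a pristine copy
            else:
                verdict = "MISMATCH"              # live binary differs: replaced or patched
            verdicts[live["path"]] = {
                "verdict": verdict,
                "size_delta": None if ref_size is None else live["size"] - ref_size,
                "modified": live["ts"],
            }
    return verdicts


if __name__ == "__main__":
    for path, v in compare_with_reference(parse_sigcheck(SAMPLE_SIGCHECK)).items():
        print(f"{v['verdict']:18} {path}  (size delta {v['size_delta']}, modified {v['modified']})")
```

On the sample this marks `c:\windows\system32\userinit.exe` as MISMATCH with a size delta of -8192 bytes and a modification time of 2009-03-06 12:30, and the constructed winlogon.exe pair as matching. A mismatch on a Winlogon-launched binary such as userinit.exe is the kind of finding that explains why MBAM kept re-flagging the Userinit entry after the registry value itself had been cleaned.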
  • Hello Othuroyo,

    Strange things are still happening on my computer.

    When connecting to the internet I continuously get alerts from the firewall and Ad-Aware about "userinit"; MBAM also keeps finding these files as infected, and after removal they come back again and again.

    There are also still .tmp files that don't belong there (in1.tmp, ie2.tmp etc.)

    In Notepad, among the garbage, I see this address: hxxp://vestepau.cn


    Any more suggestions after my previous post?
  • I don't know whether you have read my post about MBAM's Trojan.Agent, but it is a hoax by Malwarebytes.


    http://forum.computertotaal.nl/phpBB2/viewtopic.php?t=198045
  • Hello Edouard,

    I doubt in this case that it is a hoax, see above.

    Regards,
    grafcom
  • Open a Notepad file.
    Copy the code below and paste it into the Notepad file.

    File::
    c:\windows\system32\stu2.exe
    c:\windows\system32\userinit.exe

    Save the Notepad file as CFScript.txt

    Now drag the file CFScript.txt onto the file ComboFix.exe, as shown below:

    [image] http://i266.photobucket.com/albums/ii277/sUBs_/CFScript.gif

    ComboFix will start again.
    When ComboFix is finished, which may be after a restart, a log file will open.
    Post the contents of the log file.
  • Hello Othuroyo,

    Here is the new log file:

    ComboFix 09-03-06.02 - eigenaar 2009-03-08 13:07:19.8 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1043.18.511.182 [GMT 1:00]
    Gestart vanuit: c:\documents and settings\eigenaar\Bureaublad\ComboFix.exe
    gebruikte Opdracht switches :: c:\documents and settings\eigenaar\Bureaublad\CFScript.txt
    AV: Norman Security Suite ver. 7.00 *On-access scanning disabled* (Updated)
    FW: Norman Personal Firewall v. 1.4 *disabled*
    FW: Persoonlijke firewall *disabled*
    * Nieuw herstelpunt werd aangemaakt

    FILE ::
    c:\windows\system32\stu2.exe
    c:\windows\system32\userinit.exe :#:
    .

    (((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
    c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
    c:\windows\system32\lowsec
    c:\windows\system32\lowsec\local.ds
    c:\windows\system32\lowsec\user.ds
    c:\windows\system32\stu2.exe

    ----- BITS: Mogelijk geïnfecteerde sites -----

    hxxp://vestepau.cn
    .
    (((((((((((((((((((( Bestanden Gemaakt van 2009-02-08 to 2009-03-08 ))))))))))))))))))))))))))))))
    .

    2009-03-07 21:44 . 2009-03-08 13:04 <DIR> dr-h----- c:\documents and settings\eigenaar\Onlangs geopend
    2009-03-06 13:11 . 2009-03-06 13:11 <DIR> d-------- c:\documents and settings\eigenaar\Application Data\Malwarebytes
    2009-03-06 13:11 . 2009-03-06 13:11 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-03-06 13:11 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
    2009-03-06 13:11 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
    2009-02-27 11:12 . 2004-08-04 01:03 578,560 --a------ c:\windows\system32\user32.dll

    .
    ((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-03-08 08:42 --------- d-----w c:\program files\Norman
    2009-03-06 11:30 17,920 ---ha-w c:\windows\system32\userinit.exe
    2009-02-27 16:21 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
    2009-02-22 15:20 --------- d-----w c:\documents and settings\eigenaar\Application Data\AdobeUM
    2009-02-05 14:56 --------- d-----w c:\program files\SpywareBlaster
    2009-01-22 11:41 19,512 ----a-w c:\windows\system32\drivers\nvcw32mf.sys
    2009-01-14 14:17 --------- d-----w c:\program files\Barcode Maker 5
    2008-12-20 23:03 826,368 ----a-w c:\windows\system32\wininet.dll
    2008-09-24 12:08 18,536 ----a-w c:\documents and settings\eigenaar\Application Data\GDIPFONTCACHEV1.DAT
    2008-09-19 19:06 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\Geschiedenis\History.IE5\MSHist012008091920080920\index.dat
    .

    ------- Sigcheck -------

    2008-04-14 18:03 26112 6818a533ed3b2fa9936df3daf45352df c:\windows\ServicePackFiles\i386\userinit.exe
    2009-03-06 12:30 17920 3d2deea032afd945261542b345733a5f c:\windows\system32\userinit.exe
    .
    ((((((((((((((((((((((((((((( SnapShot@2009-03-06_18.03.17,90 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2009-03-08 08:42:51 16,384 ----atw c:\windows\temp\Perflib_Perfdata_2f0.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2003-06-05 77824]
    "Opware12"="c:\program files\ScanSoft\OmniPagePro12.0\Opware12.exe" [2002-08-01 49152]
    "NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-05-02 4640768]
    "Norman ZANDA"="c:\program files\Norman\Npm\Bin\ZLH.EXE" [2009-02-11 187504]
    "NeroCheck"="c:\windows\System32\NeroCheck.exe" [2001-07-09 155648]
    "Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\Ad-Watch.exe" [2008-06-21 2468200]
    "SoundMan"="SOUNDMAN.EXE" [2002-10-16 c:\windows\SOUNDMAN.EXE]
    "SetCacheMode"="ptipbmf.dll" [2003-01-18 c:\windows\system32\ptipbmf.dll]
    "nwiz"="nwiz.exe" [2003-05-02 c:\windows\system32\nwiz.exe]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

    c:\documents and settings\All Users\Menu Start\Programma's\Opstarten\
    Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-10-24 217194]
    Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2003-06-05 110592]

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=

    P2 NPFSvc32;Norman Personal Firewall Service;c:\program files\Norman\Npf\Bin\npfsvc32.exe [2008-11-19 597104]
    R0 NDIS_RD;Norman Firewall NDIS driver;c:\windows\system32\drivers\ndis_rd.sys [2008-11-19 79752]
    R1 NPROSEC;Norman Security driver;c:\program files\Norman\Ngs\Bin\nprosec.sys [2008-11-19 53816]
    R1 TDI_RD;Norman Firewall TDI driver;c:\windows\system32\drivers\tdi_rd.sys [2008-11-19 74624]
    R2 Ndiskio;Ndiskio;c:\program files\Norman\Nse\Bin\Ndiskio.sys [2008-11-19 20448]
    R2 NPROSECSVC;Norman Security service;c:\program files\Norman\Ngs\Bin\nprosec.exe [2008-11-19 121912]
    R2 NVOY;Norman Resource Provider;c:\program files\Norman\Npm\Bin\nvoy.exe [2008-11-19 126008]
    R3 Gigusb;Dect USB Driver;c:\windows\system32\drivers\Gigusb.sys [2003-06-04 59070]
    R3 HRCMPA;ISDN Wan driver (Ver. 1.10.0021);c:\windows\system32\drivers\hrcmpa.sys [2003-06-04 253648]
    R3 IUAPIWDM;ISDN USB Interface (Ver. 1.10.0021);c:\windows\system32\drivers\IUAPIWDM.sys [2003-06-04 49344]
    R3 nsesvc;Norman Scanner Engine Service;c:\program files\Norman\Nse\Bin\Nsesvc.exe [2009-01-28 183352]
    R3 NvcMFlt;NvcMFlt;c:\windows\system32\drivers\nvcw32mf.sys [2008-11-19 19512]
    R3 nvcoas;Norman Virus Control on-access component;c:\program files\Norman\nvc\bin\Nvcoas.exe [2008-11-19 195640]
    R3 NVCScheduler;Norman Virus Control Scheduler;c:\program files\Norman\Npm\Bin\nvcsched.exe [2008-11-19 154680]
    R3 siellif;siellif;c:\windows\system32\drivers\siellif.sys [2003-06-04 115856]
    S1 NGS;Norman General Security Driver;c:\program files\Norman\Ngs\Bin\ngs.sys [2009-02-27 22712]
    S1 smnstrns;smnstrns;\SystemRoot\System\smnstrns.sys --> \SystemRoot\System\smnstrns.sys [?]
    S3 FCUSB;Freecom Cable II USB Driver;c:\windows\system32\drivers\FCUSB.sys [2001-11-29 13104]
    S3 Ndisprot;ArcNet NDIS Protocol Driver;\??\c:\windows\system32\drivers\Ndisprot.sys --> c:\windows\system32\drivers\Ndisprot.sys [?]
    S3 PfsTape;1Vision Tape Drive;c:\windows\system32\DRIVERS\PfsTape.sys --> c:\windows\system32\DRIVERS\PfsTape.sys [?]
    S3 sc2k;sc2k;c:\windows\system32\drivers\sc2k.sys [2004-02-08 21536]
    S3 scsiscan;Stuurprogramma voor SCSI-scanner;c:\windows\system32\drivers\scsiscan.sys [2003-06-05 11520]
    S3 xControlCOM;xControlCOM;c:\program files\Gigaset\talk&surf 5.1\xControlCOM.exe [2003-01-24 339968]

    --- Andere Services/Drivers In Geheugen ---

    *NewlyCreated* - AD-WATCH_REAL-TIME_SCANNER
    *NewlyCreated* - AD-WATCH_REGISTRY_FILTER
    *Deregistered* - mchInjDrv
    *Deregistered* - uphcleanhlp
    .
    .
    ------- Bijkomende Scan -------
    .
    uStart Page = hxxp://eu.ixquick.com/ned/
    IE: E&xporteren naar Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
    TCP: {C17F52E8-0B2A-45D4-A22F-613BCAFA2693} = 192.168.1.254
    DPF: DirectAnimation Java Classes
    DPF: Microsoft XML Parser for Java
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-03-08 13:09:56
    Windows 5.1.2600 Service Pack 3 NTFS

    scannen van verborgen processen ...

    scannen van verborgen autostart items ...

    scannen van verborgen bestanden ...

    Scan succesvol afgerond
    verborgen bestanden: 0

    **************************************************************************
    .
    Voltooingstijd: 2009-03-08 13:11:59
    ComboFix-quarantined-files.txt 2009-03-08 12:11:55
    ComboFix2.txt 2009-03-06 17:04:34

    Pre-Run: 36.521.676.800 bytes beschikbaar
    Post-Run: 36,511,137,792 bytes beschikbaar

    133 --- E O F --- 2008-06-21 17:41:40
  • Hello Othuroyo,

    The messages about userinit now stay away, but with Internet Explorer I now get a number of Ad-Watch messages (sometimes 10) that IEXPLORE.EXE (xxxx) wants to make changes to the registry.
  • Hello Othuroyo,

    Ran MBAM again and it again reports userinit as infected.

    Haven't taken any action yet.
  • As I said, MBAM will keep finding the Trojan.Agent; it is a false positive you should not react to. Something else is going on.


    See this one too, you are chasing a ghost.

    http://www.2-spyware.com
    emove-trojan-agent.html

    http://antivirus.startpagina.nl/prikbord/4048032/4048044
    e-win32trojanagent
  • Download and save SDFix
    to your desktop.
    Double-click SDFix.exe and choose Install to extract the tool into its own folder on your desktop.

    Restart the computer, but in safe mode.

    - In safe mode, open the SDFix folder on your desktop and double-click RunThis.bat to start the tool.
    - Type Y to start the clean process.
    - It removes all Trojan services or registry entries related to this infection; when the tool is done it will tell you to press any key to restart your PC, so do that.
    - When the PC restarts, the tool will run again, finish the clean-up process and show you the message Finished; then press any key to end the script and your desktop will appear.
    - When your desktop icons appear, the SDFix report will open and is also saved in the folder under the name Report.txt.


    Post this log in your next message together with a new ComboFix log.
  • Hello Othuroyo,

    after starting up in Safe Mode I only got a black screen.

    This seems to me to be a leftover of what I recently posted in

    http://forum.computertotaal.nl/phpBB2/viewtopic.php?t=198150&highlight=

    With Ctrl+Alt+Delete I got the tool to run anyway, but after restarting my desktop is now empty again, as in the previous post.

    With Ctrl+Alt+Delete I can now start the tool; should I do that first and then choose F?
  • Hello Othuroyo

    with Explorer I was able to get back to the desktop

    here is the SDFix log


    [b:577a444b39]SDFix: Version 1.240 [/b:577a444b39]
    Run by Administrator on zo 08-03-2009 at 14:08

    Microsoft Windows XP [versie 5.1.2600]
    Running From: C:\SDFix

    [b:577a444b39]Checking Services [/b:577a444b39]:


    Restoring Default Security Values
    Restoring Default Hosts File

    Rebooting


    [b:577a444b39]Checking Files [/b:577a444b39]:

    Trojan Files Found:

    C:\WINDOWS\MS1.EXE - Deleted
    C:\WINDOWS\TOOL1.EXE - Deleted
    C:\WINDOWS\TOOL3.EXE - Deleted
    C:\WINDOWS\TOOL4.EXE - Deleted
    C:\WINDOWS\TOOL5.EXE - Deleted





    Removing Temp Files

    [b:577a444b39]ADS Check [/b:577a444b39]:



    [b:577a444b39]Final Check [/b:577a444b39]:

    catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-03-08 14:27:19
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes …

    IPC error: 2 Het systeem kan het opgegeven bestand niet vinden.
    scanning hidden services & system hive …

    scanning hidden registry entries …

    scanning hidden files …

    scan completed successfully
    hidden processes: 0
    hidden services: 0
    hidden files: 0


    [b:577a444b39]Remaining Services [/b:577a444b39]:




    Authorized Application Key Export:

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

    [b:577a444b39]Remaining Files [/b:577a444b39]:


    File Backups: - C:\SDFix\backups\backups.zip

    [b:577a444b39]Files with Hidden Attributes [/b:577a444b39]:

    Fri 6 Mar 2009 17,920 A..H. --- "C:\WINDOWS\system32\userinit.exe"
    Sat 27 Nov 2004 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
    Thu 4 Jan 2007 400 A.SH. --- "C:\Documents and Settings\All Users\DRM\v2ks.bla.bak"
    Thu 4 Jan 2007 48 A.SH. --- "C:\Documents and Settings\All Users\DRM\v2ks.sec.bak"

    [b:577a444b39]Finished![/b:577a444b39]


    Here is the new ComboFix log

    ComboFix 09-03-06.02 - eigenaar 2009-03-08 14:30:33.9 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1043.18.511.241 [GMT 1:00]
    Gestart vanuit: c:\documents and settings\eigenaar\Bureaublad\ComboFix.exe
    AV: Norman Security Suite ver. 7.00 *On-access scanning disabled* (Updated)
    FW: Norman Personal Firewall v. 1.4 *disabled*
    FW: Persoonlijke firewall *enabled*
    .

    (((((((((((((((((((( Bestanden Gemaakt van 2009-02-08 to 2009-03-08 ))))))))))))))))))))))))))))))
    .

    2009-03-08 14:08 . 2009-03-08 14:08 578,560 --a--c--- c:\windows\system32\dllcache\user32.dll
    2009-03-08 14:07 . 2009-03-08 14:07 <DIR> d-------- c:\windows\ERUNT
    2009-03-08 14:02 . 2009-03-08 14:28 <DIR> d-------- C:\SDFix
    2009-03-07 21:44 . 2009-03-08 13:12 <DIR> dr-h----- c:\documents and settings\eigenaar\Onlangs geopend
    2009-03-06 13:11 . 2009-03-06 13:11 <DIR> d-------- c:\documents and settings\eigenaar\Application Data\Malwarebytes
    2009-03-06 13:11 . 2009-03-06 13:11 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-03-06 13:11 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
    2009-03-06 13:11 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
    2009-02-27 11:12 . 2004-08-04 01:03 578,560 --a------ c:\windows\system32\user32.dll

    .
    ((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-03-08 13:10 --------- d-----w c:\program files\Norman
    2009-03-06 11:30 17,920 ---ha-w c:\windows\system32\userinit.exe
    2009-02-27 16:21 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
    2009-02-22 15:20 --------- d-----w c:\documents and settings\eigenaar\Application Data\AdobeUM
    2009-02-05 14:56 --------- d-----w c:\program files\SpywareBlaster
    2009-01-22 11:41 19,512 ----a-w c:\windows\system32\drivers\nvcw32mf.sys
    2009-01-14 14:17 --------- d-----w c:\program files\Barcode Maker 5
    2008-12-20 23:03 826,368 ----a-w c:\windows\system32\wininet.dll
    2008-09-24 12:08 18,536 ----a-w c:\documents and settings\eigenaar\Application Data\GDIPFONTCACHEV1.DAT
    2008-09-19 19:06 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\Geschiedenis\History.IE5\MSHist012008091920080920\index.dat
    .

    ------- Sigcheck -------

    2008-04-14 18:03 26112 6818a533ed3b2fa9936df3daf45352df c:\windows\ServicePackFiles\i386\userinit.exe
    2009-03-06 12:30 17920 3d2deea032afd945261542b345733a5f c:\windows\system32\userinit.exe
    .
    ((((((((((((((((((((((((((((( SnapShot@2009-03-06_18.03.17,90 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2008-08-07 14:27:04 163,328 ----a-w c:\windows\ERUNT\SDFIX\ERDNT.EXE
    + 2009-03-08 13:07:35 483,328 ----a-w c:\windows\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
    + 2009-03-08 13:07:35 8,192 ----a-w c:\windows\ERUNT\SDFIX\Users\00000002\UsrClass.dat
    + 2008-08-07 14:27:04 163,328 ----a-w c:\windows\ERUNT\SDFIX_First_Run\ERDNT.EXE
    + 2009-03-08 13:07:34 483,328 ----a-w c:\windows\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
    + 2009-03-08 13:07:34 8,192 ----a-w c:\windows\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
    + 2009-03-08 13:11:21 16,384 ----atw c:\windows\temp\Perflib_Perfdata_59c.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2003-06-05 77824]
    "Opware12"="c:\program files\ScanSoft\OmniPagePro12.0\Opware12.exe" [2002-08-01 49152]
    "NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-05-02 4640768]
    "Norman ZANDA"="c:\program files\Norman\Npm\Bin\ZLH.EXE" [2009-02-11 187504]
    "NeroCheck"="c:\windows\System32\NeroCheck.exe" [2001-07-09 155648]
    "Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\Ad-Watch.exe" [2008-06-21 2468200]
    "SoundMan"="SOUNDMAN.EXE" [2002-10-16 c:\windows\SOUNDMAN.EXE]
    "SetCacheMode"="ptipbmf.dll" [2003-01-18 c:\windows\system32\ptipbmf.dll]
    "nwiz"="nwiz.exe" [2003-05-02 c:\windows\system32\nwiz.exe]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

    c:\documents and settings\All Users\Menu Start\Programma's\Opstarten\
    Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-10-24 217194]
    Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2003-06-05 110592]

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=

    R0 NDIS_RD;Norman Firewall NDIS driver;c:\windows\system32\drivers\ndis_rd.sys [2008-11-19 79752]
    R1 NPROSEC;Norman Security driver;c:\program files\Norman\Ngs\Bin\nprosec.sys [2008-11-19 53816]
    R1 TDI_RD;Norman Firewall TDI driver;c:\windows\system32\drivers\tdi_rd.sys [2008-11-19 74624]
    R2 Ndiskio;Ndiskio;c:\program files\Norman\Nse\Bin\Ndiskio.sys [2008-11-19 20448]
    R2 NPFSvc32;Norman Personal Firewall Service;c:\program files\Norman\Npf\Bin\npfsvc32.exe [2008-11-19 597104]
    R2 NPROSECSVC;Norman Security service;c:\program files\Norman\Ngs\Bin\nprosec.exe [2008-11-19 121912]
    R2 NVOY;Norman Resource Provider;c:\program files\Norman\Npm\Bin\nvoy.exe [2008-11-19 126008]
    R3 Gigusb;Dect USB Driver;c:\windows\system32\drivers\Gigusb.sys [2003-06-04 59070]
    R3 HRCMPA;ISDN Wan driver (Ver. 1.10.0021);c:\windows\system32\drivers\hrcmpa.sys [2003-06-04 253648]
    R3 IUAPIWDM;ISDN USB Interface (Ver. 1.10.0021);c:\windows\system32\drivers\IUAPIWDM.sys [2003-06-04 49344]
    R3 nsesvc;Norman Scanner Engine Service;c:\program files\Norman\Nse\Bin\Nsesvc.exe [2009-01-28 183352]
    R3 NvcMFlt;NvcMFlt;c:\windows\system32\drivers\nvcw32mf.sys [2008-11-19 19512]
    R3 NVCScheduler;Norman Virus Control Scheduler;c:\program files\Norman\Npm\Bin\nvcsched.exe [2008-11-19 154680]
    R3 siellif;siellif;c:\windows\system32\drivers\siellif.sys [2003-06-04 115856]
    S1 NGS;Norman General Security Driver;c:\program files\Norman\Ngs\Bin\ngs.sys [2009-02-27 22712]
    S1 smnstrns;smnstrns;\SystemRoot\System\smnstrns.sys --> \SystemRoot\System\smnstrns.sys [?]
    S3 FCUSB;Freecom Cable II USB Driver;c:\windows\system32\drivers\FCUSB.sys [2001-11-29 13104]
    S3 Ndisprot;ArcNet NDIS Protocol Driver;\??\c:\windows\system32\drivers\Ndisprot.sys --> c:\windows\system32\drivers\Ndisprot.sys [?]
    S3 nvcoas;Norman Virus Control on-access component;c:\program files\Norman\nvc\bin\Nvcoas.exe [2008-11-19 195640]
    S3 PfsTape;1Vision Tape Drive;c:\windows\system32\DRIVERS\PfsTape.sys --> c:\windows\system32\DRIVERS\PfsTape.sys [?]
    S3 sc2k;sc2k;c:\windows\system32\drivers\sc2k.sys [2004-02-08 21536]
    S3 scsiscan;Stuurprogramma voor SCSI-scanner;c:\windows\system32\drivers\scsiscan.sys [2003-06-05 11520]
    S3 xControlCOM;xControlCOM;c:\program files\Gigaset\talk&surf 5.1\xControlCOM.exe [2003-01-24 339968]

    --- Andere Services/Drivers In Geheugen ---

    *Deregistered* - uphcleanhlp
    .
    .
    ——- Bijkomende Scan ——-
    .
    uStart Page = hxxp://eu.ixquick.com/ned/
    IE: E&xporteren naar Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
    TCP: {C17F52E8-0B2A-45D4-A22F-613BCAFA2693} = 192.168.1.254
    DPF: DirectAnimation Java Classes
    DPF: Microsoft XML Parser for Java
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-03-08 14:31:39
    Windows 5.1.2600 Service Pack 3 NTFS

    scannen van verborgen processen …

    scannen van verborgen autostart items …

    scannen van verborgen bestanden …

    Scan succesvol afgerond
    verborgen bestanden: 0

    **************************************************************************
    .
    Voltooingstijd: 2009-03-08 14:33:03
    ComboFix-quarantined-files.txt 2009-03-08 13:33:00
    ComboFix2.txt 2009-03-08 12:12:01
    ComboFix3.txt 2009-03-06 17:04:34

    Pre-Run: 36.458.299.392 bytes beschikbaar
    Post-Run: 36,447,539,200 bytes beschikbaar

    124 --- E O F --- 2008-06-21 17:41:40
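    A small log checker, added here as an example and not part of this thread, of SDFix or of ComboFix. The Sigcheck section above lists two copies of userinit.exe with different sizes and MD5 values (the ServicePackFiles\i386 reference and the live system32 copy), and the SDFix report lists the system32 copy with the hidden attribute; pairing those two observations is the check to run before treating a scanner hit on a system binary as a false positive. The sample lines are a constructed excerpt modelled on the logs posted above, and the regexes assume the single-space layout shown here (real ComboFix and SDFix output pads fields with several spaces, which `\s+` also accepts).

```python
import re
from dataclasses import dataclass

# Constructed excerpt modelled on the ComboFix "Sigcheck" section posted above.
SIGCHECK_LOG = """\
2008-04-14 18:03 26112 6818a533ed3b2fa9936df3daf45352df c:\\windows\\ServicePackFiles\\i386\\userinit.exe
2009-03-06 12:30 17920 3d2deea032afd945261542b345733a5f c:\\windows\\system32\\userinit.exe
"""

# Constructed excerpt modelled on the SDFix "Files with Hidden Attributes" section.
HIDDEN_LOG = """\
Fri 6 Mar 2009 17,920 A..H. --- "C:\\WINDOWS\\system32\\userinit.exe"
Sat 27 Nov 2004 4,348 A.SH. --- "C:\\Documents and Settings\\All Users\\DRM\\DRMv1.bak"
"""

# Sigcheck line: date time size md5 path
SIGCHECK_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2})\s+(\d{2}:\d{2})\s+(\d+)\s+([0-9a-f]{32})\s+(.+)$", re.I)
# SDFix hidden-attribute line: weekday day month year size attrs --- "path"
HIDDEN_RE = re.compile(
    r'^\w{3}\s+\d{1,2}\s+\w{3}\s+\d{4}\s+([\d,]+)\s+([A-Z.]{5})\s+---\s+"(.+)"$')


@dataclass
class SigEntry:
    size: int
    md5: str
    path: str  # lowercased so Windows paths compare case-insensitively


def parse_sigcheck(text):
    """Parse Sigcheck lines into SigEntry records; unrelated lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = SIGCHECK_RE.match(line.strip())
        if m:
            entries.append(SigEntry(int(m.group(3)), m.group(4).lower(), m.group(5).lower()))
    return entries


def parse_hidden(text):
    """Return {lowercased path: attribute string} for SDFix hidden-attribute lines."""
    out = {}
    for line in text.splitlines():
        m = HIDDEN_RE.match(line.strip())
        if m:
            out[m.group(3).lower()] = m.group(2)
    return out


def compare_with_servicepack(entries):
    """Pair each live system32 binary with the ServicePackFiles\\i386 copy of the
    same basename and report every pair whose MD5 differs."""
    ref, live = {}, {}
    for e in entries:
        base = e.path.rsplit("\\", 1)[-1]
        if "\\servicepackfiles\\i386\\" in e.path:
            ref[base] = e
        elif "\\system32\\" in e.path:
            live[base] = e
    findings = []
    for base, l in live.items():
        r = ref.get(base)
        if r is not None and r.md5 != l.md5:
            findings.append({"file": base, "live_md5": l.md5, "ref_md5": r.md5,
                             "size_delta": l.size - r.size})
    return findings


def triage(sigcheck_text, hidden_text):
    """Combine both logs: each hash mismatch is tagged with whether the live file
    also carries the hidden (H) attribute in the SDFix report."""
    hidden = parse_hidden(hidden_text)
    findings = compare_with_servicepack(parse_sigcheck(sigcheck_text))
    for f in findings:
        f["hidden"] = any(p.endswith("\\" + f["file"]) and "H" in attrs
                          for p, attrs in hidden.items())
    return findings


if __name__ == "__main__":
    for finding in triage(SIGCHECK_LOG, HIDDEN_LOG):
        print(finding)
```

    Run against the two excerpts this reports one finding: userinit.exe with a live MD5 that differs from the service-pack reference, a size 8,192 bytes smaller, and the hidden attribute set. On a clean XP SP3 machine the system32 copy and the ServicePackFiles\i386 copy of a protected binary carry the same hash, so a mismatch on a logon-chain file such as userinit.exe is the point at which to stop calling the MBAM detection a false positive and treat the file as replaced.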
  • Just consider this post closed......

    In the end I reinstalled everything from an "older" backup.
