Question & Answer

Security & privacy

HijackThis log

15 answers
  • Hello everyone, I started getting all kinds of strange websites and ran Malwarebytes. I have now made a HijackThis log; could someone perhaps take a look at it and help me further? Thanks in advance.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 22:16:28, on 5-3-2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\9A8CA5\3CBCD6.EXE
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Windows Live\Messenger\msnmsgr.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
    O2 - BHO: Windows Live Aanmelden - Help - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [3CBCD6] C:\WINDOWS\system32\9A8CA5\3CBCD6.EXE
    O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [VoipBlast] "C:\Program Files\VoipBlast.com\VoipBlast\VoipBlast.exe" -nosplash -minimized
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [Voipwise] "C:\Program Files\Voipwise.com\Voipwise\Voipwise.exe" -nosplash -minimized
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Startup: 3CBCD6.lnk = C:\WINDOWS\system32\9A8CA5\3CBCD6.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
    O23 - Service: Mobiel Apple apparaat (Apple Mobile Device) - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour-service (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: iPod-service (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

    --
    End of file - 5948 bytes
  • Hello alpak, there is an infection in your Windows, that is certain. But which one exactly is still a question mark!

    Let ComboFix scan your Windows (click): http://download.bleepingcomputer.com/sUBs/ComboFix.exe
    How to use ComboFix properly (click): http://www.bleepingcomputer.com/combofix/nl/hoe-dient-combofix-gebruikt-te-worden

    Addendum: to be able to use ComboFix, the following applies:
    • no web browsers may be open
    • antivirus must be completely deactivated
    • active malware and spyware scanners must be deactivated.

    Do not click in the active ComboFix window – this will make ComboFix freeze!
    ComboFix closes the internet connection – in the meantime, do not try to
    • If the Recovery Console is not installed, you will be asked to install it by clicking 'YES' in the "Query - Recovery Console" window. So click 'OK' and 'Yes' to have the Recovery Console installed automatically. When that is finished, click 'Yes' again to start the malware scan.
    • The Recovery Console makes it easier to solve problems if Windows has startup problems for whatever reason!

    Here you will find information on how to deactivate antivirus (click): http://www.bleepingcomputer.com/forums/topic114351.html

    Afterwards, post the contents of the ComboFix log.
  • Hey, thanks for the reply. I ran ComboFix and made a log again.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 20:33:06, on 6-3-2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\FTD Watchdog\FtdMonitor.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
    O2 - BHO: Windows Live Aanmelden - Help - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [3CBCD6] C:\WINDOWS\system32\9A8CA5\3CBCD6.EXE
    O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKCU\..\Run: [VoipBlast] "C:\Program Files\VoipBlast.com\VoipBlast\VoipBlast.exe" -nosplash -minimized
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [Voipwise] "C:\Program Files\Voipwise.com\Voipwise\Voipwise.exe" -nosplash -minimized
    O4 - HKCU\..\Run: [FTD Watchdog Monitor] "C:\Program Files\FTD Watchdog\FtdMonitor.exe"
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Startup: 3CBCD6.lnk = C:\WINDOWS\system32\9A8CA5\3CBCD6.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
    O23 - Service: Mobiel Apple apparaat (Apple Mobile Device) - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour-service (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: iPod-service (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

    --
    End of file - 5599 bytes
  • But where is the ComboFix log?
  • Sorry, I forgot to include it. Can you take a quick look at this?

    ComboFix 10-03-06.01 - ifzan 06-03-2010 20:27:22.1.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.31.1043.18.502.250 [GMT 1:00]
    Gestart vanuit: c:\documents and settings\ifzan\Bureaublad\ComboFix.exe
    .

    (((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\docume~1\ifzan\LOCALS~1\Temp\E_N4
    c:\docume~1\ifzan\LOCALS~1\Temp\E_N4\cnvpe.fne
    c:\docume~1\ifzan\LOCALS~1\Temp\E_N4\dp1.fne
    c:\docume~1\ifzan\LOCALS~1\Temp\E_N4\eAPI.fne
    c:\docume~1\ifzan\LOCALS~1\Temp\E_N4\HtmlView.fne
    c:\docume~1\ifzan\LOCALS~1\Temp\E_N4\internet.fne
    c:\docume~1\ifzan\LOCALS~1\Temp\E_N4\krnln.fnr
    c:\docume~1\ifzan\LOCALS~1\Temp\E_N4\shell.fne
    c:\docume~1\ifzan\LOCALS~1\Temp\E_N4\spec.fne
    c:\recycler\S-1-5-21-1971979069-299461318-3179683930-1003
    .

    (((((((((((((((((((( Bestanden Gemaakt van 2010-02-06 to 2010-03-06 ))))))))))))))))))))))))))))))
    .

    2010-03-06 15:25 . 2010-03-06 15:26 -------- d-----w- c:\program files\FTD Watchdog
    2010-03-05 21:16 . 2010-03-05 21:16 -------- d-----w- c:\program files\Trend Micro
    2010-03-05 20:24 . 2010-03-05 20:24 -------- d-----w- c:\documents and settings\ifzan\Application Data\Malwarebytes
    2010-03-05 20:24 . 2010-01-07 15:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-03-05 20:24 . 2010-03-05 20:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-03-05 20:24 . 2010-03-05 20:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-03-05 20:24 . 2010-01-07 15:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-03-02 13:39 . 2010-03-02 13:40 -------- d-----w- c:\program files\FTDv3.8
    2010-03-02 13:15 . 2010-03-02 13:17 -------- d-----w- c:\documents and settings\ifzan\Application Data\Voipwise
    2010-03-02 13:13 . 2010-03-02 13:13 -------- d-----w- c:\program files\Voipwise.com
    2010-03-01 14:48 . 2010-03-01 14:48 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
    2010-02-17 16:38 . 2010-02-17 16:38 51780 ---ha-w- c:\windows\system32\mlfcache.dat
    2010-02-12 20:47 . 2010-02-12 20:47 -------- d-----w- c:\program files\Common Files\Adobe
    2010-02-12 20:46 . 2010-02-12 21:32 -------- d-----w- c:\documents and settings\ifzan\Local Settings\Application Data\Adobe
    2010-02-12 15:06 . 2010-02-12 15:06 -------- d-----w- c:\program files\WinAVI MP4 Converter
    2010-02-08 14:27 . 2010-02-08 14:27 -------- d-----r- C:\MSOCache
    2010-02-07 11:21 . 2001-09-06 20:27 5632 ----a-w- c:\windows\system32\ptpusb.dll
    2010-02-07 11:21 . 2008-04-13 18:45 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
    2010-02-07 11:21 . 2008-04-13 18:45 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
    2010-02-07 11:21 . 2008-04-14 17:02 159232 ----a-w- c:\windows\system32\ptpusd.dll
    2010-02-06 21:44 . 2010-02-06 21:44 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
    2010-02-06 20:49 . 2010-02-06 20:49 -------- d-----w- c:\windows\system32\nl
    2010-02-06 20:49 . 2010-02-06 20:49 -------- d-----w- c:\windows\system32\bits
    2010-02-06 20:49 . 2010-02-06 20:49 -------- d-----w- c:\windows\l2schemas
    2010-02-06 20:43 . 2010-02-06 20:43 -------- d-----w- c:\windows\EHome
    2010-02-06 20:17 . 2010-02-06 20:17 -------- d-----w- c:\documents and settings\ifzan\Application Data\Media Player Classic
    2010-02-06 15:36 . 2010-02-06 15:36 -------- d-----w- c:\program files\GrabIt
    2010-02-06 11:23 . 2009-08-06 18:23 274288 ----a-w- c:\windows\system32\mucltui.dll
    2010-02-06 11:23 . 2009-08-06 18:23 215920 ----a-w- c:\windows\system32\muweb.dll
    .

    ((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-02-20 21:29 . 2004-08-04 19:00 70224 ----a-w- c:\windows\system32\perfc013.dat
    2010-02-20 21:29 . 2004-08-04 19:00 444908 ----a-w- c:\windows\system32\perfh013.dat
    2010-02-13 16:26 . 2010-02-05 16:17 69232 ----a-w- c:\documents and settings\ifzan\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-02-10 07:58 . 2010-02-08 14:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
    2010-02-08 21:50 . 2010-02-08 14:31 -------- d-----w- c:\program files\Microsoft Works
    2010-02-08 14:31 . 2010-02-08 14:31 -------- d-----w- c:\program files\MSBuild
    2010-02-08 14:30 . 2010-02-08 14:30 -------- d-----w- c:\program files\Microsoft.NET
    2010-02-07 11:24 . 2010-02-05 20:08 -------- d-----w- c:\documents and settings\ifzan\Application Data\Apple Computer
    2010-02-07 11:21 . 2010-02-05 20:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
    2010-02-06 20:50 . 2005-09-16 11:23 76487 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
    2010-02-06 20:17 . 2010-02-06 20:16 -------- d-----w- c:\program files\K-Lite Codec Pack
    2010-02-06 00:04 . 2010-02-06 00:04 60 ----a-w- c:\windows\system32\SYSDRV.DAT
    2010-02-05 21:14 . 2010-02-05 20:58 -------- d-----w- c:\documents and settings\ifzan\Application Data\Notepad++
    2010-02-05 20:58 . 2010-02-05 20:58 -------- d-----w- c:\program files\Notepad++
    2010-02-05 20:08 . 2010-02-05 20:07 -------- d-----w- c:\program files\iTunes
    2010-02-05 20:08 . 2010-02-05 20:07 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
    2010-02-05 20:07 . 2010-02-05 20:07 -------- d-----w- c:\program files\iPod
    2010-02-05 20:07 . 2010-02-05 20:05 -------- d-----w- c:\program files\Common Files\Apple
    2010-02-05 20:07 . 2010-02-05 20:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
    2010-02-05 20:07 . 2010-02-05 20:07 -------- d-----w- c:\program files\Bonjour
    2010-02-05 20:07 . 2010-02-05 20:06 -------- d-----w- c:\program files\QuickTime
    2010-02-05 20:06 . 2010-02-05 20:06 -------- d-----w- c:\program files\Apple Software Update
    2010-02-05 18:37 . 2010-02-05 16:16 -------- d-----w- c:\documents and settings\ifzan\Application Data\VoipBlast
    2010-02-05 16:24 . 2010-02-05 16:24 -------- d-----w- c:\program files\Microsoft
    2010-02-05 16:24 . 2010-02-05 16:23 -------- d-----w- c:\program files\Windows Live
    2010-02-05 16:24 . 2010-02-05 16:24 -------- d-----w- c:\program files\Windows Live SkyDrive
    2010-02-05 16:18 . 2010-02-05 16:18 -------- d-----w- c:\program files\Common Files\Windows Live
    2010-02-05 16:10 . 2010-02-05 16:10 -------- d-----w- c:\program files\VoipBlast.com
    2010-02-05 15:30 . 2010-02-05 15:30 128 ----a-w- c:\documents and settings\ifzan\Local Settings\Application Data\fusioncache.dat
    2010-02-05 15:19 . 2010-02-05 15:16 -------- d-----w- c:\program files\Realtek
    2010-02-05 15:18 . 2010-02-05 15:18 -------- d-----w- c:\program files\microsoft frontpage
    2010-02-05 15:16 . 2010-02-05 15:16 -------- d--h--w- c:\program files\InstallShield Installation Information
    2010-02-05 15:16 . 2010-02-05 15:16 -------- d-----w- c:\program files\Common Files\InstallShield
    2010-02-05 15:16 . 2010-02-05 15:16 -------- d-----w- c:\program files\HighMAT CD Writing Wizard
    2010-02-02 18:00 . 2010-02-06 20:16 85504 ----a-w- c:\windows\system32\ff_vfw.dll
    2010-01-22 18:51 . 2010-01-22 18:51 72488 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
    2009-12-31 16:50 . 2004-08-04 12:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
    2009-12-21 19:10 . 2004-08-04 19:00 916480 ----a-w- c:\windows\system32\wininet.dll
    2009-12-17 07:42 . 2005-09-16 18:20 345600 ----a-w- c:\windows\system32\mspaint.exe
    2009-12-14 07:10 . 2004-08-04 19:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
    2009-12-12 14:15 . 2010-02-06 20:16 178176 ----a-w- c:\windows\system32\unrar.dll
    2009-12-09 10:11 . 2004-08-04 19:00 2193536 ----a-w- c:\windows\system32\ntoskrnl.exe
    2009-12-09 10:11 . 2004-08-04 07:58 2070400 ----a-w- c:\windows\system32\ntkrnlpa.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "VoipBlast"="c:\program files\VoipBlast.com\VoipBlast\VoipBlast.exe" [2009-11-12 8882480]
    "msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
    "Voipwise"="c:\program files\Voipwise.com\Voipwise\Voipwise.exe" [2010-02-16 9084720]
    "FTD Watchdog Monitor"="c:\program files\FTD Watchdog\FtdMonitor.exe" [2009-03-14 176640]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-06-08 94208]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-06-08 77824]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2005-06-08 114688]
    "High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 61952]
    "RTHDCPL"="RTHDCPL.EXE" [2005-10-14 14864384]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-10 417792]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-01-22 141608]
    "3CBCD6"="c:\windows\system32\9A8CA5\3CBCD6.EXE" [2010-02-05 1405986]
    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

    c:\documents and settings\ifzan\Menu Start\Programma's\Opstarten\
    3CBCD6.lnk - c:\windows\system32\9A8CA5\3CBCD6.EXE [2010-2-5 1405986]

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\VoipBlast.com\\VoipBlast\\VoipBlast.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Program Files\\Voipwise.com\\Voipwise\\Voipwise.exe"=

    .
    Inhoud van de 'Gedeelde Taken' map

    2010-03-01 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
    .
    .
    ------- Bijkomende Scan -------
    .
    uStart Page = hxxp://www.google.nl/
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
    .
    - - - - ORPHANS VERWIJDERD - - - -

    AddRemove-HijackThis - c:\documents and settings\ifzan\Local Settings\Temporary Internet Files\Content.IE5\BAUKKKHG\HijackThis.exe

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-03-06 20:31
    Windows 5.1.2600 Service Pack 3 NTFS

    scannen van verborgen processen ...

    scannen van verborgen autostart items ...

    scannen van verborgen bestanden ...

    Scan succesvol afgerond
    verborgen bestanden: 0

    **************************************************************************
    .
    Voltooingstijd: 2010-03-06 20:32:21
    ComboFix-quarantined-files.txt 2010-03-06 19:32

    Pre-Run: 56.789.532.672 bytes beschikbaar
    Post-Run: 57.034.018.816 bytes beschikbaar

    WindowsXP-KB310994-SP2-Home-BootDisk-NLD.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

    - - End Of File - - 17ACD145C53D2DAEA7B5FFF68DFDE366
  • Hello alpak, how is it going now that ComboFix has run? Also post a new HijackThis log!
  • Hey abraham, I still have trouble with pop-up websites and the like. Here is a new HijackThis log; can you take a look at it? Thanks in advance.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 22:08:51, on 7-3-2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Program Files\VoipBlast.com\VoipBlast\VoipBlast.exe
    C:\Program Files\Windows Live\Messenger\msnmsgr.exe
    C:\Program Files\Voipwise.com\Voipwise\Voipwise.exe
    C:\Program Files\FTD Watchdog\FtdMonitor.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\9A8CA5\3CBCD6.EXE
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\2D8375\TX845D87.EXE
    C:\WINDOWS\system32\2D8375\XV439A04.EXE
    C:\Program Files\Windows Live\Contacts\wlcomm.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
    O2 - BHO: Windows Live Aanmelden - Help - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [3CBCD6] C:\WINDOWS\system32\9A8CA5\3CBCD6.EXE
    O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKCU\..\Run: [VoipBlast] "C:\Program Files\VoipBlast.com\VoipBlast\VoipBlast.exe" -nosplash -minimized
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [Voipwise] "C:\Program Files\Voipwise.com\Voipwise\Voipwise.exe" -nosplash -minimized
    O4 - HKCU\..\Run: [FTD Watchdog Monitor] "C:\Program Files\FTD Watchdog\FtdMonitor.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Startup: 3CBCD6.lnk = C:\WINDOWS\system32\9A8CA5\3CBCD6.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
    O23 - Service: Mobiel Apple apparaat (Apple Mobile Device) - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour-service (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: iPod-service (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

    --
    End of file - 6094 bytes
  • Hello alpak, open a new Notepad file (Start\All Programs\Accessories\Notepad), then copy and paste the text below into the empty window:

    @ECHO OFF
    IF EXIST log.txt DEL log.txt
    ECHO Deleting files>>log.txt
    FOR %%g in (
      "C:\WINDOWS\system32\2D8375\TX845D87.EXE"
      "C:\WINDOWS\system32\2D8375\XV439A04.EXE"
      "C:\WINDOWS\system32\9A8CA5\3CBCD6.EXE"
    ) DO (
      IF EXIST %%g (
        REM clear read-only/system/hidden attributes so DEL can remove the file
        ATTRIB -r -s -h %%g
        DEL %%g
        IF EXIST %%g (
          ECHO %%g not deleted>>log.txt
        ) ELSE (
          ECHO %%g deleted successfully>>log.txt)
      ) ELSE (
        ECHO %%g not found>>log.txt))
    START NOTEPAD.EXE log.txt
    REM the batch file removes itself when done
    DEL %0

    Go to File - Save as.
    • For Save in choose: Desktop
    • For File name enter: del.bat
    • For Save as type select: All files (*.*)
    • Then click the Save button

    Click/double-click del.bat and post the contents of the log file that opens.

    Then start HijackThis and choose Scan only,
    • tick the line(s) that correspond to the lines below
    • then click the Fix checked button

    O4 - HKLM\..\Run: [3CBCD6] C:\WINDOWS\system32\9A8CA5\3CBCD6.EXE
    O4 - Startup: 3CBCD6.lnk = C:\WINDOWS\system32\9A8CA5\3CBCD6.EXE

    Then restart the PC.

    Then post the contents of the following logs:
    • a new HijackThis log
    • the del.bat log
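The triage the helper does by eye in this thread comes down to two things: spotting running processes and autostart (O4) entries that point at an executable in an oddly named subdirectory of system32, and comparing each new HijackThis log with the previous one to see what appeared (here, the two executables under C:\WINDOWS\system32\2D8375\ that were not in the 6-3-2010 log). The Python script below is an added example, not code from this thread or from HijackThis: it parses the "Running processes" section and the keyed entries of two logs, reports the differences, and flags paths matching a hex-named-directory heuristic. The two sample logs are abridged versions of the 6-3-2010 and 7-3-2010 logs posted above, constructed for this example; the heuristic and the function names are assumptions of the example.

```python
import re

# Constructed sample logs, abridged from the HijackThis logs in this thread:
# "before" is the 6-3-2010 scan, "after" the 7-3-2010 scan in which two new
# executables appear under C:\WINDOWS\system32\2D8375\.
LOG_BEFORE = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:33:06, on 6-3-2010
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\9A8CA5\3CBCD6.EXE
C:\Program Files\iTunes\iTunesHelper.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [3CBCD6] C:\WINDOWS\system32\9A8CA5\3CBCD6.EXE
O4 - Startup: 3CBCD6.lnk = C:\WINDOWS\system32\9A8CA5\3CBCD6.EXE
O23 - Service: Bonjour-service (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

LOG_AFTER = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:08:51, on 7-3-2010
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\9A8CA5\3CBCD6.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\2D8375\TX845D87.EXE
C:\WINDOWS\system32\2D8375\XV439A04.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [3CBCD6] C:\WINDOWS\system32\9A8CA5\3CBCD6.EXE
O4 - Startup: 3CBCD6.lnk = C:\WINDOWS\system32\9A8CA5\3CBCD6.EXE
O23 - Service: Bonjour-service (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# A keyed HijackThis entry: R0/R1, F0/F1, N1..N4, O1..O24, followed by " - ".
ENTRY_RE = re.compile(r"^(?:O\d+|R\d|F\d|N\d) - ")

# Heuristic (an assumption of this example, not a HijackThis rule): a directory
# directly under system32 whose name is 4-8 hex digits, e.g. 9A8CA5 or 2D8375.
# The lookahead demands at least one letter, so a purely numeric name such as
# a locale directory (1033) is not flagged.
HEX_DIR_RE = re.compile(r"\\system32\\(?=\d*[a-f])[0-9a-f]{4,8}\\", re.IGNORECASE)


def parse_hjt(text):
    """Split a HijackThis log into (running-process paths, keyed entries)."""
    processes, entries = [], []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
        elif in_procs:
            if line:
                processes.append(line)
            else:
                in_procs = False  # the blank line ends the process list
        elif ENTRY_RE.match(line):
            entries.append(line)
    return processes, entries


def suspicious_paths(processes, entries):
    """Return every process path or entry that references a hex-named
    directory directly under system32 (see HEX_DIR_RE)."""
    return [item for item in processes + entries if HEX_DIR_RE.search(item)]


def diff_logs(before_text, after_text):
    """What appeared or disappeared between two scans of the same machine."""
    pb, eb = parse_hjt(before_text)
    pa, ea = parse_hjt(after_text)
    return {
        "new_processes": sorted(set(pa) - set(pb)),
        "gone_processes": sorted(set(pb) - set(pa)),
        "new_entries": sorted(set(ea) - set(eb)),
        "gone_entries": sorted(set(eb) - set(ea)),
    }


if __name__ == "__main__":
    for label, log in (("before", LOG_BEFORE), ("after", LOG_AFTER)):
        print(f"== suspicious in {label} ==")
        for hit in suspicious_paths(*parse_hjt(log)):
            print("  ", hit)
    print("== changes between scans ==")
    for key, items in diff_logs(LOG_BEFORE, LOG_AFTER).items():
        for item in items:
            print(f"  {key}: {item}")
```

On the sample logs the diff reports exactly the two 2D8375 executables as new processes and nothing else, and the heuristic flags the 9A8CA5 process plus both 9A8CA5 autostart entries in both scans. A hit from the heuristic is a reason to look closer (file dates, digital signature, what launched it), not proof of infection on its own; ordinary Windows subdirectories of system32 have readable names, which is why the helper's attention went straight to those paths.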
  • Thank you for the help. Here are the requested logs.

HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:35:05, on 8-3-2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\VoipBlast.com\VoipBlast\VoipBlast.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\FTD Watchdog\FtdMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Windows Live Aanmelden - Help - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [VoipBlast] "C:\Program Files\VoipBlast.com\VoipBlast\VoipBlast.exe" -nosplash -minimized
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Voipwise] "C:\Program Files\Voipwise.com\Voipwise\Voipwise.exe" -nosplash -minimized
O4 - HKCU\..\Run: [FTD Watchdog Monitor] "C:\Program Files\FTD Watchdog\FtdMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Mobiel Apple apparaat (Apple Mobile Device) - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour-service (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod-service (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 5728 bytes

And the other log:

Deleting files
"C:\WINDOWS\system32\2D8375\TX845D87.EXE" deleted successfully
"C:\WINDOWS\system32\2D8375\XV439A04.EXE" deleted successfully
"C:\WINDOWS\system32\9A8CA5\3CBCD6.EXE" not deleted
  • Hello Alpak, now do the following:

Download, install and keep using MBAM: http://www.idealsoftware.nl/MBAM/
• Right after installation MBAM will want to update its database; allow that.
• On every later run as well: update MBAM first via the Update tab!
• Start MBAM and choose Quick Scan
• N.B.: Vista users start MBAM by right-clicking it and choosing Run as Administrator.
• The scan can take a while, so be patient.
• When the scan has finished, click the OK button
• Then click the Show Results button to see the results.
• Make sure everything is ticked.
• Then click: Remove Selected.
• After removal a log will open and you will be asked to restart the computer.
• MBAM saves the log automatically; you can find it by clicking the Logs tab in MBAM.
• If MBAM has trouble removing certain files it will show a few messages; click OK each time!
• MBAM will then ask to restart the computer, so allow the restart.

If the rootkit (TDSS) is present, MBAM will also ask to restart. Do so. After the restart MBAM will scan again and remove the rootkit.

Then post the contents of the following logs:
• MBAM scan log
  • MBAM log:

Malwarebytes' Anti-Malware 1.44
Database version: 3836
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

8-3-2010 17:17:27
mbam-log-2010-03-08 (17-17-27).txt

Scan type: Quick Scan
Objects scanned: 119261
Time elapsed: 4 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\ifzan\Local Settings\temp\E_N4 (Worm.Autorun) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\ifzan\Local Settings\temp\E_N4\cnvpe.fne (Worm.Autorun) -> Quarantined and deleted successfully.
C:\Documents and Settings\ifzan\Local Settings\temp\E_N4\dp1.fne (Worm.Autorun) -> Quarantined and deleted successfully.
C:\Documents and Settings\ifzan\Local Settings\temp\E_N4\eAPI.fne (Worm.Autorun) -> Quarantined and deleted successfully.
C:\Documents and Settings\ifzan\Local Settings\temp\E_N4\HtmlView.fne (HackTool.Patcher) -> Quarantined and deleted successfully.
C:\Documents and Settings\ifzan\Local Settings\temp\E_N4\internet.fne (HackTool.Patcher) -> Quarantined and deleted successfully.
C:\Documents and Settings\ifzan\Local Settings\temp\E_N4\krnln.fnr (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\ifzan\Local Settings\temp\E_N4\shell.fne (Worm.Autorun) -> Quarantined and deleted successfully.
C:\Documents and Settings\ifzan\Local Settings\temp\E_N4\spec.fne (Worm.Autorun) -> Quarantined and deleted successfully.
  • Hello alpak, first do the following:

Download CKScanner by askey 127 (http://downloads.malwareremoval.com/CKScanner.exe) and save it to your desktop. Vista and Win 7 users run this tool via right-click and choose Run as Administrator.
• Click/double-click CKScanner by askey 127 to start the tool and click Search for Files.
• After a short while, when the hourglass disappears, click Save List To File
• A message box will confirm that the document has been saved.
• Click/double-click the CKFiles.txt shortcut on your desktop and copy and paste the contents into your next post.

And run another scan with ComboFix!
  • Here is the ComboFix log:

ComboFix 10-03-08.01 - ifzan 08-03-2010 18:20:00.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.31.1043.18.502.116 [GMT 1:00]
Running from: c:\documents and settings\ifzan\Bureaublad\ComboFix.exe
.

(((((((((((((((((((( Files Created from 2010-02-08 to 2010-03-08 ))))))))))))))))))))))))))))))
.

2010-03-06 15:25 . 2010-03-06 15:26 -------- d-----w- c:\program files\FTD Watchdog
2010-03-05 21:16 . 2010-03-05 21:16 -------- d-----w- c:\program files\Trend Micro
2010-03-05 20:24 . 2010-03-05 20:24 -------- d-----w- c:\documents and settings\ifzan\Application Data\Malwarebytes
2010-03-05 20:24 . 2010-01-07 15:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-05 20:24 . 2010-03-05 20:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-05 20:24 . 2010-03-05 20:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-05 20:24 . 2010-01-07 15:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-02 13:39 . 2010-03-02 13:40 -------- d-----w- c:\program files\FTDv3.8
2010-03-02 13:15 . 2010-03-02 13:17 -------- d-----w- c:\documents and settings\ifzan\Application Data\Voipwise
2010-03-02 13:13 . 2010-03-02 13:13 -------- d-----w- c:\program files\Voipwise.com
2010-03-01 14:48 . 2010-03-01 14:48 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
2010-02-17 16:38 . 2010-02-17 16:38 51780 ---ha-w- c:\windows\system32\mlfcache.dat
2010-02-12 20:47 . 2010-02-12 20:47 -------- d-----w- c:\program files\Common Files\Adobe
2010-02-12 20:46 . 2010-02-12 21:32 -------- d-----w- c:\documents and settings\ifzan\Local Settings\Application Data\Adobe
2010-02-12 15:06 . 2010-02-12 15:06 -------- d-----w- c:\program files\WinAVI MP4 Converter
2010-02-08 14:27 . 2010-02-08 14:27 -------- d-----r- C:\MSOCache
2010-02-07 11:21 . 2001-09-06 20:27 5632 ----a-w- c:\windows\system32\ptpusb.dll
2010-02-07 11:21 . 2008-04-13 18:45 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2010-02-07 11:21 . 2008-04-13 18:45 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2010-02-07 11:21 . 2008-04-14 17:02 159232 ----a-w- c:\windows\system32\ptpusd.dll
2010-02-06 21:44 . 2010-02-06 21:44 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-02-06 20:49 . 2010-02-06 20:49 -------- d-----w- c:\windows\system32\nl
2010-02-06 20:49 . 2010-02-06 20:49 -------- d-----w- c:\windows\system32\bits
2010-02-06 20:49 . 2010-02-06 20:49 -------- d-----w- c:\windows\l2schemas
2010-02-06 20:43 . 2010-02-06 20:43 -------- d-----w- c:\windows\EHome
2010-02-06 20:17 . 2010-02-06 20:17 -------- d-----w- c:\documents and settings\ifzan\Application Data\Media Player Classic

.
((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-07 15:26 . 2010-02-05 16:16 -------- d-----w- c:\documents and settings\ifzan\Application Data\VoipBlast
2010-02-20 21:29 . 2004-08-04 19:00 70224 ----a-w- c:\windows\system32\perfc013.dat
2010-02-20 21:29 . 2004-08-04 19:00 444908 ----a-w- c:\windows\system32\perfh013.dat
2010-02-13 16:26 . 2010-02-05 16:17 69232 ----a-w- c:\documents and settings\ifzan\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-10 07:58 . 2010-02-08 14:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-02-08 21:50 . 2010-02-08 14:31 -------- d-----w- c:\program files\Microsoft Works
2010-02-08 14:31 . 2010-02-08 14:31 -------- d-----w- c:\program files\MSBuild
2010-02-08 14:30 . 2010-02-08 14:30 -------- d-----w- c:\program files\Microsoft.NET
2010-02-07 11:24 . 2010-02-05 20:08 -------- d-----w- c:\documents and settings\ifzan\Application Data\Apple Computer
2010-02-07 11:21 . 2010-02-05 20:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2010-02-06 20:50 . 2005-09-16 11:23 76487 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-02-06 20:17 . 2010-02-06 20:16 -------- d-----w- c:\program files\K-Lite Codec Pack
2010-02-06 15:36 . 2010-02-06 15:36 -------- d-----w- c:\program files\GrabIt
2010-02-06 00:04 . 2010-02-06 00:04 60 ----a-w- c:\windows\system32\SYSDRV.DAT
2010-02-05 21:14 . 2010-02-05 20:58 -------- d-----w- c:\documents and settings\ifzan\Application Data\Notepad++
2010-02-05 20:58 . 2010-02-05 20:58 -------- d-----w- c:\program files\Notepad++
2010-02-05 20:08 . 2010-02-05 20:07 -------- d-----w- c:\program files\iTunes
2010-02-05 20:08 . 2010-02-05 20:07 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2010-02-05 20:07 . 2010-02-05 20:07 -------- d-----w- c:\program files\iPod
2010-02-05 20:07 . 2010-02-05 20:05 -------- d-----w- c:\program files\Common Files\Apple
2010-02-05 20:07 . 2010-02-05 20:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-02-05 20:07 . 2010-02-05 20:07 -------- d-----w- c:\program files\Bonjour
2010-02-05 20:07 . 2010-02-05 20:06 -------- d-----w- c:\program files\QuickTime
2010-02-05 20:06 . 2010-02-05 20:06 -------- d-----w- c:\program files\Apple Software Update
2010-02-05 16:24 . 2010-02-05 16:24 -------- d-----w- c:\program files\Microsoft
2010-02-05 16:24 . 2010-02-05 16:23 -------- d-----w- c:\program files\Windows Live
2010-02-05 16:24 . 2010-02-05 16:24 -------- d-----w- c:\program files\Windows Live SkyDrive
2010-02-05 16:18 . 2010-02-05 16:18 -------- d-----w- c:\program files\Common Files\Windows Live
2010-02-05 16:10 . 2010-02-05 16:10 -------- d-----w- c:\program files\VoipBlast.com
2010-02-05 15:30 . 2010-02-05 15:30 128 ----a-w- c:\documents and settings\ifzan\Local Settings\Application Data\fusioncache.dat
2010-02-05 15:19 . 2010-02-05 15:16 -------- d-----w- c:\program files\Realtek
2010-02-05 15:18 . 2010-02-05 15:18 -------- d-----w- c:\program files\microsoft frontpage
2010-02-05 15:16 . 2010-02-05 15:16 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-02-05 15:16 . 2010-02-05 15:16 -------- d-----w- c:\program files\Common Files\InstallShield
2010-02-05 15:16 . 2010-02-05 15:16 -------- d-----w- c:\program files\HighMAT CD Writing Wizard
2010-02-02 18:00 . 2010-02-06 20:16 85504 ----a-w- c:\windows\system32\ff_vfw.dll
2010-01-22 18:51 . 2010-01-22 18:51 72488 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
2009-12-31 16:50 . 2004-08-04 12:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-21 19:10 . 2004-08-04 19:00 916480 ------w- c:\windows\system32\wininet.dll
2009-12-17 07:42 . 2005-09-16 18:20 345600 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:10 . 2004-08-04 19:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-12 14:15 . 2010-02-06 20:16 178176 ----a-w- c:\windows\system32\unrar.dll
2009-12-09 10:11 . 2004-08-04 19:00 2193536 ------w- c:\windows\system32\ntoskrnl.exe
2009-12-09 10:11 . 2004-08-04 07:58 2070400 ------w- c:\windows\system32\ntkrnlpa.exe
.
((((((((((((((((((((((((((((( SnapShot@2010-03-06_19.31.05 )))))))))))))))))))))))))))))))))))))))))
.
- 2010-03-03 20:32 . 2010-03-06 18:49 14336 c:\windows\system32\2D8375\TC-8U7.EXE
+ 2010-03-03 20:32 . 2010-03-07 21:27 14336 c:\windows\system32\2D8375\TC-8U7.EXE
+ 2010-03-01 14:34 . 2010-03-07 21:27 24576 c:\windows\system32\2D8375\GC-9876.EXE
- 2010-03-01 14:34 . 2010-03-06 18:49 24576 c:\windows\system32\2D8375\GC-9876.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VoipBlast"="c:\program files\VoipBlast.com\VoipBlast\VoipBlast.exe" [2009-11-12 8882480]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"FTD Watchdog Monitor"="c:\program files\FTD Watchdog\FtdMonitor.exe" [2009-03-14 176640]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-06-08 94208]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-06-08 77824]
"Persistence"="c:\windows\system32\igfxpers.exe" [2005-06-08 114688]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 61952]
"RTHDCPL"="RTHDCPL.EXE" [2005-10-14 14864384]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-10 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-01-22 141608]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\VoipBlast.com\\VoipBlast\\VoipBlast.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Voipwise.com\\Voipwise\\Voipwise.exe"=

.
Contents of the 'Scheduled Tasks' folder

2010-03-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.nl/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-08 18:24
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3236)
c:\windows\system32\webcheck.dll
.
Completion time: 2010-03-08 18:26:03
ComboFix-quarantined-files.txt 2010-03-08 17:25
ComboFix2.txt 2010-03-06 19:32

Pre-Run: 57.779.286.016 bytes free
Post-Run: 57.861.754.880 bytes free

- - End Of File - - B6929C4CDEA5DEF67834192A19AB80A3

And this is the other log:

CKScanner - Additional Security Risks - These are not necessarily bad
scanner sequence 3.RP.11
----- EOF -----
  • Start HijackThis and choose Do a Scan only,
• tick the line(s) that correspond to the lines below
• then click the Fix checked button

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

Open a new Notepad file (Start>All Programs>Accessories>Notepad), then copy and paste the following text into the empty window:

File::
c:\windows\system32\2D8375\TC-8U7.EXE
c:\windows\system32\2D8375\TC-8U7.EXE
c:\windows\system32\2D8375\GC-9876.EX
c:\windows\system32\2D8375\GC-9876.EXE

Save this Notepad file on your desktop as CFScript.txt.

Now first disable the antivirus!

Drag CFScript.txt onto ComboFix.exe (image: http://home.kpn.nl/~stefsmeenk/CFScript.gif)

This will make ComboFix restart. Reboot if you are asked to.

Post the ComboFix log that is shown after the restart!
  • Hey, I actually had no more problems, and thanks for all the help, but today I switched on my external hard drive and suddenly all the nasty things came back. So it goes without saying that the malicious software is on my external drive, right? Can someone help me remove this kind of junk from my external drive? Thanks in advance, alpak
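One way to look at the external drive before opening it, as an added example that is not part of the thread. The MBAM log above classed the removed files as Worm.Autorun, so the assumption here is that the drive carries an autorun.inf which launches a copy of the malware when the drive is opened; the script parses that file by hand, lists the executables it would launch and whether they actually exist on the drive, and lists executables and shortcuts sitting in the drive root. It builds a small constructed stand-in drive in a temp folder so it runs anywhere; the file names in it (RECYCLER\svchost.exe, Photos.lnk) are made up for the demo, and on a real drive you would call audit_drive() with the drive root (for example E:\) instead. Do this from a machine where AutoRun is disabled, and open the drive from the Explorer address bar rather than by double-clicking its icon, because the shell\open\command in an autorun.inf is exactly what replaces the double-click action.

```python
import os
import tempfile

# Extensions Windows will execute when referenced from autorun.inf or double-
# clicked; .lnk covers the "folder icon that is really a shortcut" trick.
EXEC_EXT = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".lnk"}


def parse_autorun_inf(text):
    """Return {key: value} from the [autorun] section, keys lower-cased.
    Parsed by hand: dropped autorun.inf files often repeat keys and contain
    junk that configparser rejects; the first occurrence of a key wins."""
    section, found = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "autorun" and "=" in line:
            key, value = line.split("=", 1)
            found.setdefault(key.strip().lower(), value.strip())
    return found


def _first_token(command):
    """Executable part of a command line: the quoted path, else the first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def launch_targets(inf):
    """Paths (relative to the drive root) the autorun.inf would execute:
    open=, shellexecute= and every shell\\<verb>\\command= entry, deduplicated."""
    targets = []
    for key, value in inf.items():
        is_verb = key.startswith("shell\\") and key.endswith("\\command")
        if key in ("open", "shellexecute") or is_verb:
            target = _first_token(value)
            if target and target not in targets:
                targets.append(target)
    return targets


def audit_drive(root):
    """(kind, what, exists) for everything an autorun.inf on the drive would
    launch, plus executables and shortcuts in the drive root."""
    findings = []
    inf_path = os.path.join(root, "autorun.inf")
    if os.path.isfile(inf_path):
        with open(inf_path, "r", errors="replace") as fh:
            inf = parse_autorun_inf(fh.read())
        for target in launch_targets(inf):
            full = os.path.join(root, *target.split("\\"))
            findings.append(("autorun.inf launches", target, os.path.isfile(full)))
    for name in sorted(os.listdir(root)):
        if os.path.splitext(name)[1].lower() in EXEC_EXT:
            findings.append(("executable in drive root", name, True))
    return findings


def make_demo_drive():
    """Constructed stand-in for an infected drive root (demo data, not a sample)."""
    root = tempfile.mkdtemp(prefix="usbdemo_")
    os.mkdir(os.path.join(root, "RECYCLER"))
    with open(os.path.join(root, "RECYCLER", "svchost.exe"), "wb") as fh:
        fh.write(b"MZ")  # placeholder bytes, not a real executable
    with open(os.path.join(root, "autorun.inf"), "w") as fh:
        fh.write("[AutoRun]\r\n"
                 "open=RECYCLER\\svchost.exe -d\r\n"
                 "shell\\open\\Command=\"RECYCLER\\svchost.exe\" -d\r\n"
                 "icon=%SystemRoot%\\system32\\SHELL32.dll,4\r\n"
                 "action=Open folder to view files\r\n")
    open(os.path.join(root, "Photos.lnk"), "wb").close()
    open(os.path.join(root, "holiday.jpg"), "wb").close()
    return root


if __name__ == "__main__":
    for kind, what, present in audit_drive(make_demo_drive()):
        print(f"{kind:26} {what:30} exists={present}")
```

A hit on "autorun.inf launches" with exists=True is the file a scanner should be pointed at; the root-listing lines are only a review list, since a drive can legitimately hold installers or shortcuts.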


This is an archived page. Replying is no longer possible.