Question & Answer

Security & privacy

HJT log for review

22 answers
  • One of my daughters is trying to help a friend whose laptop was heavily infected. MBAM, anywhere, MRT were run and a lot was removed. Here is an HJT log with the request that the experts take a look at it. A roundabout way, we know, but the acquaintance is a bit of a computer novice.
    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 16:39:13, on 21-12-2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    C:\WINDOWS\system32\DVDRAMSV.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    C:\Program Files\SMART Technologies\SMART Product Drivers\SMARTBoardService.exe
    C:\Program Files\SMART Technologies\SMART Product Drivers\UCService.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\TODDSrv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Microsoft Security Client\msseces.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\RAMASST.exe
    C:\Program Files\SMART Technologies\SMART Product Drivers\SMARTBoardTools.exe
    C:\Program Files\SMART Technologies\SMART Product Drivers\Aware.exe
    C:\Program Files\SMART Technologies\SMART Product Drivers\Marker.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Windows Live\Toolbar\wltuser.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5643
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    O2 - BHO: ThreeShips IEHelper - {17FDB9F8-DCC4-4F6A-AE07-B16018A48469} - C:\Program Files\Common Files\Threeships Shared\DLL\ThreeShipsIEHelper.dll
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (file missing)
    O2 - BHO: (no name) - {454EC6D4-79C6-4F8C-BF58-5656C37982B0} - c:\windows\system32\ywdfiqe.dll (file missing)
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: SMART Notebook Download Plugin - {67BCF957-85FC-4036-8DC4-D4D80E00A77B} - C:\Program Files\SMART Technologies\SMART Notebook\NotebookPlugin.dll
    O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
    O2 - BHO: Windows Live Aanmelden - Help - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
    O4 - HKLM\..\Run: [MSC] "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
    O4 - HKLM\..\RunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-app?lic=OQBBAFYARgBSAEUARQAtAFYAMgBHADMASwAtADgANwBXAFUAVQAtADIAVABWAEgAQQAtAFgANgBEAEYAOAAtAEwANgBQAEEATgA"&"inst=NwA3AC0ANgA4ADAAMAA0ADUAMQAwAC0AVAA1AC0AQgBBACsAMQAtAEsAVgAzACsANwAtAEIAMgA0AC0ARgBMACsAOQAtAEYAOQBNADYAKwAxAC0AWABPADMANgArADEALQBGADkATQA3AEMAKwA1AA"&"prod=90"&"ver=9.0.872
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
    O4 - Global Startup: SMART Board Tools.lnk = C:\Program Files\SMART Technologies\SMART Product Drivers\SMARTBoardTools.exe
    O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
    O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: In weblog opnemen - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra 'Tools' menuitem: &In weblog opnemen met Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra button: (no name) - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - (no file)
    O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
    O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
    O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
    O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
    O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (MSN Games – Texas Holdem Poker) - http://zone.msn.com/bingame/zpagames/zpa_txhe.cab79344.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
    O16 - DPF: {DEB21AD3-FDA4-42F6-B57D-EE696A675EE8} (IP-Uploader Control) - http://asp09.photoprintit.de/microsite/8/defaults/activex/ImageUploader3.cab
    O16 - DPF: {EDFCB7CB-942C-4822-AF14-F0B687409848} (Image Uploader Control) - http://cache.hyves-static.net/statics/Aurigma/ImageUploader4.cab
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O22 - SharedTaskScheduler: Preloader van browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Cache-daemon voor onderdeelcategorieën - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: AMService - Unknown owner - C:\WINDOWS\TEMP\qaxr\setup.exe (file missing)
    O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
    O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: kroover - Unknown owner - C:\WINDOWS\system32\drivers\kroover.exe (file missing)
    O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: SMART Board-service (SMART Board Service) - SMART Technologies - C:\Program Files\SMART Technologies\SMART Product Drivers\SMARTBoardService.exe
    O23 - Service: SMART Display Controller - SMART Technologies ULC - C:\Program Files\SMART Technologies\SMART Product Drivers\UCService.exe
    O23 - Service: SMART SNMP Agent Service - SMART Technologies ULC - C:\Program Files\SMART Technologies\SMART Product Drivers\SMARTSNMPAgent.exe
    O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\WINDOWS\system32\TODDSrv.exe
    --
    End of file - 11049 bytes
  • Hello Anjo, the log already looks reasonably good. Pity you did not include the MBAM log. Would you still post it in a next reply? Close all open windows - except this one, which you close just before you click the Fix checked button! Now start HijackThis and click the Do a Scan only button:
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (file missing)
    O2 - BHO: (no name) - {454EC6D4-79C6-4F8C-BF58-5656C37982B0} - c:\windows\system32\ywdfiqe.dll (file missing)
    O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    O9 - Extra button: (no name) - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - (no file)
    O23 - Service: kroover - Unknown owner - C:\WINDOWS\system32\drivers\kroover.exe (file missing)
    - tick the line(s) that correspond to the lines above
    - now close the web browser and then click the Fix checked button
    - then close HijackThis.
    Besides the MBAM log, also post a new HJT log.
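The tick list in the reply above is exactly the set of entries HijackThis itself marks with "(file missing)" or "(no file)": registry references whose target no longer exists on disk. As an added example (editor's code, not from this thread or from HijackThis), the Python below parses HJT entry lines, collects those dangling references, and adds two further review heuristics that the posted log also shows: an O23 service with unknown owner that lives under a TEMP directory, and an R1 ProxyServer value pointing at loopback (the log's `http=127.0.0.1:5643`). The sample lines are a constructed subset of the posted log; the heuristics are review prompts for the helper, not verdicts.

```python
"""Triage helper for Trend Micro HijackThis (HJT) logs.

Added example, not code from the forum thread or from HijackThis itself.
The heuristics are the editor's own and only surface entries for review.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: a subset of the R/O lines from the HJT log posted above.
SAMPLE_HJT_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5643
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (file missing)
O2 - BHO: (no name) - {454EC6D4-79C6-4F8C-BF58-5656C37982B0} - c:\windows\system32\ywdfiqe.dll (file missing)
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O9 - Extra button: (no name) - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - (no file)
O23 - Service: AMService - Unknown owner - C:\WINDOWS\TEMP\qaxr\setup.exe (file missing)
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: kroover - Unknown owner - C:\WINDOWS\system32\drivers\kroover.exe (file missing)
"""

# Every HJT entry starts with a section code (R0, R1, O2, O23, ...) followed by " - ".
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+)\s+-\s+(?P<body>.*\S)\s*$")
# HJT's own markers for an entry whose target file is absent from disk.
DANGLING_MARKERS = ("(file missing)", "(no file)")
# Current-user IE proxy pointing at a port on the loopback interface.
LOOPBACK_PROXY_RE = re.compile(r"ProxyServer\s*=\s*\S*127\.0\.0\.1:\d+")
TEMP_DIR_RE = re.compile(r"\\TEMP\\", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    section: str
    reasons: tuple[str, ...]
    line: str


def triage_hjt(log_text: str) -> list[Finding]:
    """Return one Finding per HJT entry that trips at least one review heuristic."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # header, process list, blank line
        section, body = m.group("section"), m.group("body")
        reasons = []
        if body.endswith(DANGLING_MARKERS):
            reasons.append("dangling reference: HJT reports the target file absent")
        if section == "O23" and "Unknown owner" in body and TEMP_DIR_RE.search(body):
            reasons.append("service with unknown owner launched from a TEMP directory")
        if section == "R1" and LOOPBACK_PROXY_RE.search(body):
            reasons.append("IE proxy points at loopback; confirm a known local proxy owns that port")
        if reasons:
            findings.append(Finding(section, tuple(reasons), m.group(0)))
    return findings


def dangling_entries(log_text: str) -> list[str]:
    """Lines HJT itself marks as pointing at a missing file: the first tick list."""
    return [f.line for f in triage_hjt(log_text)
            if any(r.startswith("dangling") for r in f.reasons)]


def report(log_text: str) -> str:
    """Human-readable summary, one reason line plus the original entry per finding."""
    out = []
    for f in triage_hjt(log_text):
        out.append(f"[{f.section}] {'; '.join(f.reasons)}")
        out.append(f"    {f.line}")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_HJT_LOG))
```

Entries with a present, vendor-named target (the Adobe BHO, the Toshiba service) produce no finding, which is the point: the script narrows the log to what a human should look at, and the reply above shows the human still deciding (AMService is marked missing too but was left out of the tick list).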
  • I'll pass it on and see whether one of the ladies takes it from here. As for MBAM, it had found and removed a number of malware items; hope the log can still be dug up. Thanks in advance.
  • For that you simply click the "Logbestanden" (Logs) tab in MBAM.
  • Hi all, I made the changes that were indicated when running HJT. I'll check later whether I can get at the logs. There is another problem: every time she plugs in a USB stick she gets the following message: "Windows kan het bestand taapoq.exe niet vinden. Controleer of u de naam juist hebt ingevoerd en probeer het daarna opnieuw. Klik als u naar een bestand wilt zoeken op de knop Start en daarna op Zoeken." (Windows cannot find the file taapoq.exe; check that the name was typed correctly and try again; to search for a file, click Start and then Search.) This happens with all USB sticks she plugs in and on different ports. Regards, KaCey
  • That too is an infection! And: are we still talking about the same PC whose log Anjo posted?
  • Yes, we're talking about the same laptop :) We've already scanned it. Only something is still left on it. I scanned it again yesterday with MS Essentials, but found nothing. Any more ideas?
  • CCleaner has helped somewhat, in any case. The USB stick can be accessed again.
  • Hi KaCey, you may do the following: Download ComboFix from one of these locations: Bleepingcomputer (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) or ForoSpyware (http://www.forospyware.com/sUBs/ComboFix.exe). * IMPORTANT !!! Save ComboFix.exe to your Desktop *
    - Disable all antivirus and antispyware programs, because otherwise they may conflict with ComboFix. Here is a guide on how to disable them: http://www.bleepingcomputer.com/forums/topic114351.html
    - If you cannot disable them, just proceed to the next step.
    - Double-click ComboFix.exe and follow the prompts on screen.
    - ComboFix will check whether the Microsoft Windows Recovery Console is already installed. **Note: if the Microsoft Windows Recovery Console is already installed, you will not see the following screens and ComboFix will automatically proceed to scan for malware.
    - Follow the prompts on screen to let ComboFix download and install the Microsoft Windows Recovery Console.
    [image: http://www.bleepstatic.com/combofix/nl/cf-rc-auto.jpg]
    You will see the following message when ComboFix has successfully installed the Microsoft Windows Recovery Console: [image: http://www.bleepstatic.com/combofix/nl/rc-auto-done.jpg]
    Click Yes to continue scanning for malware. When ComboFix is finished, it will create a log file for you. Post the contents of this log file (found as C:\ComboFix.txt) in your next reply.
  • Hi Abraham54, here is the log. Hope you can still find something if there is still a virus on it.
    ComboFix 10-12-26.01 - Preinstalled user 27-12-2010 16:14:08.1.2 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.31.1043.18.1526.924 [GMT 1:00]
    Gestart vanuit: d:\mijn documenten\ComboFix.exe
    AV: Lavasoft Ad-Watch Live! Antivirus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
    AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
    .
    (((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    c:\documents and settings\All Users\Documenten\Settings
    c:\documents and settings\Preinstalled user\baauz.exe
    c:\documents and settings\Preinstalled user\caewov.exe
    c:\documents and settings\Preinstalled user\gnam.exe
    c:\documents and settings\Preinstalled user\heocib.exe
    c:\documents and settings\Preinstalled user\jaaput.exe
    c:\documents and settings\Preinstalled user\noevk.exe
    c:\documents and settings\Preinstalled user\reues.exe
    c:\documents and settings\Preinstalled user\taeduq.exe
    c:\documents and settings\Preinstalled user\waucic.exe
    c:\documents and settings\Preinstalled user\yiozoj.exe
    c:\windows\system32\drivers\kqeeh.sys
    c:\windows\system32\drivers\vvzsl.sys
    c:\windows\system32\Oeminfo.ini
    c:\windows\system32\Thumbs.db
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    -------\Legacy_SSHNAS
    -------\Service_czmrl
    -------\Service_neuhtecwaplrzje
    (((((((((((((((((((( Bestanden Gemaakt van 2010-11-27 to 2010-12-27 ))))))))))))))))))))))))))))))
    .
    2010-12-27 14:49 . 2010-12-27 14:59 -------- d--h--r- c:\documents and settings\Preinstalled user\Onlangs geopend
    2010-12-26 17:37 . 2010-11-16 11:01 6273872 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{5C502704-1604-41F9-B372-11E19202ED2B}\mpengine.dll
    2010-12-21 15:56 . 2010-12-27 13:05 -------- d-----w- c:\program files\CCleaner
    2010-12-21 15:34 . 2010-12-21 15:35 388096 ----a-r- c:\documents and settings\Preinstalled user\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2010-12-21 15:31 . 2010-12-21 15:31 -------- d-----w- c:\program files\Trend Micro
    2010-12-21 13:47 . 2010-12-21 13:47 -------- d-----w- c:\documents and settings\Preinstalled user\Application Data\Malwarebytes
    2010-12-21 13:46 . 2010-11-29 16:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-12-21 13:46 . 2010-12-21 13:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-12-21 13:46 . 2010-11-29 16:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-12-21 13:46 . 2010-12-21 13:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-12-21 06:50 . 2010-09-18 06:53 954368 -c----w- c:\windows\system32\dllcache\mfc40.dll
    2010-12-21 06:50 . 2010-09-18 06:53 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
    2010-12-21 06:49 . 2010-09-18 06:53 974848 -c----w- c:\windows\system32\dllcache\mfc42.dll
    2010-12-21 06:49 . 2010-08-23 16:13 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll
    2010-12-21 06:48 . 2010-11-02 15:17 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
    2010-12-21 06:45 . 2010-11-16 11:01 6273872 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2010-12-21 06:41 . 2010-10-11 14:59 45568 -c----w- c:\windows\system32\dllcache\wab.exe
    2010-12-20 22:14 . 2010-12-20 22:14 -------- d-----w- c:\documents and settings\Administrator
    2010-12-20 20:13 . 2010-12-20 20:13 138496 ----a-w- c:\windows\system32\drivers\AFD.SYS
    2010-12-20 20:00 . 2010-12-20 20:00 138496 ----a-w- c:\windows\system32\drivers\xxjuiddu.sys
    2010-12-20 18:57 . 2010-12-20 18:57 138496 ----a-w- c:\windows\system32\drivers\rewqkrte.sys
    2010-12-20 18:13 . 2010-10-19 20:51 222080 ------w- c:\windows\system32\MpSigStub.exe
    2010-12-20 17:55 . 2010-12-20 17:57 -------- d-----w- c:\program files\Microsoft Security Client
    2010-12-19 18:56 . 2010-12-19 18:56 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
    2010-12-19 17:32 . 2010-12-19 17:32 -------- d-----w- c:\documents and settings\Preinstalled user\Local Settings\Application Data\PCHealth
    2010-12-16 18:03 . 2010-12-16 18:03 733184 ----a-w- c:\windows\system32\alk19.dll
    2010-12-16 18:03 . 2010-12-16 18:03 0 ----a-w- c:\windows\system32\alk19.tmp
    2010-12-16 18:03 . 2010-12-16 18:03 733184 ----a-w- c:\windows\system32\alk18.dll
    2010-12-16 18:03 . 2010-12-16 18:03 0 ----a-w- c:\windows\system32\alk18.tmp
    2010-12-02 03:35 . 2010-12-02 03:35 4280320 ----a-w- c:\windows\system32\GPhotos.scr
    .
    ((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-11-18 16:17 . 2010-11-18 16:17 740864 ----a-w- c:\windows\system32\alk17.dll
    2010-11-18 16:17 . 2010-11-18 16:17 0 ----a-w- c:\windows\system32\alk17.tmp
    2010-11-18 16:17 . 2010-11-18 16:17 740864 ----a-w- c:\windows\system32\alk16.dll
    2010-11-18 16:17 . 2010-11-18 16:17 0 ----a-w- c:\windows\system32\alk16.tmp
    2010-11-18 16:16 . 2010-11-18 16:16 740864 ----a-w- c:\windows\system32\alk15.dll
    2010-11-18 16:16 . 2010-11-18 16:16 0 ----a-w- c:\windows\system32\alk15.tmp
    2010-11-09 13:49 . 2010-11-09 13:49 745984 ----a-w- c:\windows\system32\alk30.dll
    2010-11-09 13:49 . 2010-11-09 13:49 0 ----a-w- c:\windows\system32\alk30.tmp
    2010-11-07 18:07 . 2010-10-03 16:33 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
    2010-11-02 15:17 . 2006-05-31 07:19 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
    2010-10-24 20:25 . 2010-10-24 20:25 165264 ----a-w- c:\windows\system32\drivers\MpFilter.sys
    .
    ((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond
    REGEDIT4
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "AvgUninstallURL"="start http:" [X]
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
    c:\documents and settings\Preinstalled user\Menu Start\Programma's\Opstarten\
    LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2010-7-8 503808]
    c:\documents and settings\All Users\Menu Start\Programma's\Opstarten\
    Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-11-22 110592]
    RAMASST.lnk - c:\windows\system32\RAMASST.exe [2007-1-3 155648]
    SMART Board Tools.lnk - c:\program files\SMART Technologies\SMART Product Drivers\SMARTBoardTools.exe [2010-7-15 12375952]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @="Service"
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    [HKLM\~\startupfolder\C:^Documents and Settings^Preinstalled user^Menu Start^Programma's^Opstarten^Antimalware Doctor.lnk]
    path=c:\documents and settings\Preinstalled user\Menu Start\Programma's\Opstarten\Antimalware Doctor.lnk
    backup=c:\windows\pss\Antimalware Doctor.lnkStartup
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPSMain]
    2005-08-11 14:14 266240 ----a-w- c:\windows\system32\TPSMain.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\StubInstaller.exe"=
    "c:\\Program Files\\LimeWire\\LimeWire.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\BitTorrent\\bittorrent.exe"=
    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [3-10-2010 17:33 64288]
    R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [12-8-2010 13:15 1389400]
    R2 SMART Display Controller;SMART Display Controller;c:\program files\SMART Technologies\SMART Product Drivers\UCService.exe [15-7-2010 15:48 844688]
    R2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [18-4-2006 14:12 98816]
    S1 ikmpnqan;ikmpnqan;\??\c:\windows\system32\drivers\ikmpnqan.sys --> c:\windows\system32\drivers\ikmpnqan.sys [?]
    S2 AMService;AMService;c:\windows\TEMP\qaxr\setup.exe run --> c:\windows\TEMP\qaxr\setup.exe run [?]
    S2 enwcodjs;Realtek 10/100/1000 PCI-E NIC Family NDIS XP Monitor;c:\windows\System32\svchost.exe -k netsvcs [31-5-2006 8:19 14336]
    S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [12-8-2010 13:15 15264]
    S3 SMART SNMP Agent Service;SMART SNMP Agent Service;c:\program files\SMART Technologies\SMART Product Drivers\SMARTSNMPAgent.exe [15-7-2010 15:48 1662352]
    S4 kroover;kroover;c:\windows\system32\drivers\kroover.exe --> c:\windows\system32\drivers\kroover.exe [?]
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    enwcodjs
    .
    Inhoud van de 'Gedeelde Taken' map
    2010-12-27 c:\windows\Tasks\Ad-Aware Update (Weekly).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-08-12 06:37]
    2010-12-27 c:\windows\Tasks\MP Scheduled Scan.job
    - c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 11:26]
    .
    .
    ------- Bijkomende Scan -------
    .
    uStart Page = hxxp://www.google.nl/
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uInternet Settings,ProxyServer = http=127.0.0.1:5643
    uInternet Settings,ProxyOverride = <local>
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xporteren naar Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    DPF: {DEB21AD3-FDA4-42F6-B57D-EE696A675EE8} - hxxp://asp09.photoprintit.de/microsite/8/defaults/activex/ImageUploader3.cab
    .
    - - - - ORPHANS VERWIJDERD - - - -
    WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
    MSConfigStartUp-3121 - c:\docume~1\PREINS~1\LOCALS~1\Temp\99512.exe
    MSConfigStartUp-AMService - c:\windows\TEMP\plpo\setup.exe
    MSConfigStartUp-buoufo - c:\documents and settings\Preinstalled user\buoufo.exe
    MSConfigStartUp-coiut - c:\documents and settings\Preinstalled user\coiut.exe
    MSConfigStartUp-faekol - c:\documents and settings\Preinstalled user\faekol.exe
    MSConfigStartUp-foealos - c:\documents and settings\Preinstalled user\foealos.exe
    MSConfigStartUp-fumuy - c:\documents and settings\Preinstalled user\fumuy.exe
    MSConfigStartUp-gaitoi - c:\documents and settings\Preinstalled user\gaitoi.exe
    MSConfigStartUp-Izepodaqoxo - c:\windows\mlcumol.dll
    MSConfigStartUp-joateo - c:\documents and settings\Preinstalled user\joateo.exe
    MSConfigStartUp-joatuog - c:\documents and settings\Preinstalled user\joatuog.exe
    MSConfigStartUp-joaveo - c:\documents and settings\Preinstalled user\joaveo.exe
    MSConfigStartUp-kcxis - c:\documents and settings\Preinstalled user\kcxis.exe
    MSConfigStartUp-laaemab - c:\documents and settings\Preinstalled user\laaemab.exe
    MSConfigStartUp-maetoz - c:\documents and settings\Preinstalled user\maetoz.exe
    MSConfigStartUp-nlxis - c:\documents and settings\Preinstalled user\nlxis.exe
    MSConfigStartUp-prkes - c:\documents and settings\Preinstalled user\prkes.exe
    MSConfigStartUp-releaseversion70700 - c:\documents and settings\Preinstalled user\Application Data\CE17613F657CADA8F7D27ACFF60F9C08\releaseversion70700.exe
    MSConfigStartUp-vntouh - c:\documents and settings\Preinstalled user\vntouh.exe
    MSConfigStartUp-voahes - c:\documents and settings\Preinstalled user\voahes.exe
    MSConfigStartUp-yoapuok - c:\documents and settings\Preinstalled user\yoapuok.exe
    MSConfigStartUp-ZE18MW23GY - c:\docume~1\PREINS~1\LOCALS~1\Temp\Oh2.exe
    **************************************************************************
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-12-27 16:25
    Windows 5.1.2600 Service Pack 3 NTFS
    scannen van verborgen processen ...
    scannen van verborgen autostart items ...
    scannen van verborgen bestanden ...
    Scan succesvol afgerond
    verborgen bestanden: 0
    **************************************************************************
    .
    --------------------- VERGRENDELDE REGISTER SLEUTELS ---------------------
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\¤–}|ÿÿÿÿÀ•}|ù•9~*]
    "3140110900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"
    .
    --------------------- DLLs Geladen Onder Lopende Processen ---------------------
    - - - - - - - > 'explorer.exe'(2820)
    c:\windows\system32\webcheck.dll
    .
    ------------------------ Andere Aktieve Processen ------------------------
    .
    c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe
    c:\program files\Intel\Wireless\Bin\EvtEng.exe
    c:\program files\Intel\Wireless\Bin\S24EvMon.exe
    c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
    c:\windows\system32\DVDRAMSV.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
    c:\program files\Intel\Wireless\Bin\RegSrvc.exe
    c:\program files\CyberLink\Shared Files\RichVideo.exe
    c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    c:\program files\SMART Technologies\SMART Product Drivers\SMARTBoardService.exe
    c:\windows\system32\TODDSrv.exe
    c:\windows\system32\wdfmgr.exe
    c:\windows\system32\wbem\unsecapp.exe
    c:\program files\SMART Technologies\SMART Product Drivers\Aware.exe
    c:\program files\SMART Technologies\SMART Product Drivers\Marker.exe
    c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
    .
    **************************************************************************
    .
    Voltooingstijd: 2010-12-27 16:34:25 - machine werd herstart
    ComboFix-quarantined-files.txt 2010-12-27 15:34
    Pre-Run: 10.043.392.000 bytes beschikbaar
    Post-Run: 10.380.214.272 bytes beschikbaar
    WindowsXP-KB310994-SP2-Home-BootDisk-NLD.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
    - - End Of File - - B350099D48939D2A64A2F441F81B7F40
  • Hi KaCey, this notebook is quite badly infected. Partly because the antivirus is part of the Microsoft Forefront antivirus! So no real complete solution! Could this be a company notebook? Open a new Notepad file via Start > All Programs > Accessories > Notepad. Copy and paste the following (the bold, blue text) into the empty Notepad window:
    File::
    c:\windows\system32\drivers\xxjuiddu.sys
    c:\windows\system32\drivers\rewqkrte.sys
    c:\windows\system32\alk19.dll
    c:\windows\system32\alk19.tmp
    c:\windows\system32\alk18.dll
    c:\windows\system32\alk18.tmp
    c:\windows\system32\alk17.dll
    c:\windows\system32\alk17.tmp
    c:\windows\system32\alk16.dll
    c:\windows\system32\alk16.tmp
    c:\windows\system32\alk15.dll
    c:\windows\system32\alk15.tmp
    c:\windows\system32\alk30.dll
    c:\windows\system32\alk30.tmp
    Driver::
    c:\windows\system32\drivers\xxjuiddu.sys
    c:\windows\system32\drivers\rewqkrte.sys
    Save this Notepad file to your desktop as CFScript.txt. Now first deactivate the antivirus! Drag CFScript.txt onto ComboFix.exe [image: http://home.kpn.nl/~stefsmeenk/CFScript.gif] This will make ComboFix restart. Reboot if prompted. Post the ComboFix log that is shown after the restart!
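The CFScript above picks out two kinds of entries from the ComboFix file listing posted before it: the randomly named .sys files in system32\drivers that are exactly the same size (138496 bytes) as the freshly written AFD.SYS, and the alkNN.dll files that each arrive with a zero-byte alkNN.tmp. As an added example (editor's code, not from this thread, from ComboFix or from the helper), the Python below parses the "Bestanden Gemaakt" lines, applies those two heuristics, and renders the result in the File::/Driver:: layout of the post. KNOWN_GOOD_DRIVERS is a constructed analyst allowlist, the sample is a constructed subset of the posted log, and the output is a candidate list for the helper to review.

```python
"""Parser for the "Bestanden Gemaakt" (files created) section of a ComboFix log.

Added example, not code from the forum thread or from ComboFix. The two
heuristics (same-size driver twins, dll plus zero-byte tmp pairs in system32)
are the editor's reading of what the helper selected; KNOWN_GOOD_DRIVERS is a
constructed allowlist for this example, not a reference list of Windows drivers.
"""
from __future__ import annotations

import ntpath
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: a subset of the created-files entries from the log posted above.
SAMPLE_COMBOFIX_CREATED = r"""
2010-12-21 13:46 . 2010-11-29 16:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-21 06:50 . 2010-09-18 06:53 954368 -c----w- c:\windows\system32\dllcache\mfc40.dll
2010-12-20 22:14 . 2010-12-20 22:14 -------- d-----w- c:\documents and settings\Administrator
2010-12-20 20:13 . 2010-12-20 20:13 138496 ----a-w- c:\windows\system32\drivers\AFD.SYS
2010-12-20 20:00 . 2010-12-20 20:00 138496 ----a-w- c:\windows\system32\drivers\xxjuiddu.sys
2010-12-20 18:57 . 2010-12-20 18:57 138496 ----a-w- c:\windows\system32\drivers\rewqkrte.sys
2010-12-16 18:03 . 2010-12-16 18:03 733184 ----a-w- c:\windows\system32\alk19.dll
2010-12-16 18:03 . 2010-12-16 18:03 0 ----a-w- c:\windows\system32\alk19.tmp
2010-12-16 18:03 . 2010-12-16 18:03 733184 ----a-w- c:\windows\system32\alk18.dll
2010-12-16 18:03 . 2010-12-16 18:03 0 ----a-w- c:\windows\system32\alk18.tmp
2010-12-02 03:35 . 2010-12-02 03:35 4280320 ----a-w- c:\windows\system32\GPhotos.scr
"""

# Layout: created . modified size attrs path   (size is "--------" for directories)
CREATED_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+\.\s+"
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size>\d+|-+)\s+(?P<attrs>[-A-Za-z]{8})\s+(?P<path>.+?)\s*$"
)
SYSTEM32 = r"c:\windows\system32"
DRIVERS = SYSTEM32 + r"\drivers"
KNOWN_GOOD_DRIVERS = {"afd.sys"}  # constructed allowlist for this example


@dataclass(frozen=True)
class Entry:
    created: str
    modified: str
    size: int | None  # None for directory entries
    attrs: str
    path: str


def parse_created_section(text: str) -> list[Entry]:
    """Turn each well-formed listing line into an Entry; skip headers and separators."""
    entries = []
    for line in text.splitlines():
        m = CREATED_RE.match(line.strip())
        if not m:
            continue
        size = None if m["size"].startswith("-") else int(m["size"])
        entries.append(Entry(m["created"], m["modified"], size, m["attrs"], m["path"]))
    return entries


def find_size_clones(entries: list[Entry], known_good: set[str]) -> list[Entry]:
    """Drivers whose exact byte size equals another newly created driver's.

    A known driver that acquires same-size twins under unrelated names in the
    same window is the pattern the helper acted on; the allowlisted name is
    treated as the original and left out of the result."""
    by_size: dict[int, list[Entry]] = defaultdict(list)
    for e in entries:
        if e.size is not None and ntpath.dirname(e.path.lower()) == DRIVERS:
            by_size[e.size].append(e)
    clones = []
    for group in by_size.values():
        if len(group) > 1:
            clones.extend(e for e in group
                          if ntpath.basename(e.path).lower() not in known_good)
    return clones


def find_dll_tmp_pairs(entries: list[Entry]) -> list[tuple[Entry, Entry]]:
    """A .dll directly in system32 paired with a zero-byte .tmp of the same stem."""
    by_stem: dict[str, dict[str, Entry]] = defaultdict(dict)
    for e in entries:
        if e.size is None or ntpath.dirname(e.path.lower()) != SYSTEM32:
            continue
        stem, ext = ntpath.splitext(e.path.lower())
        if ext in (".dll", ".tmp"):
            by_stem[stem][ext] = e
    return [(d[".dll"], d[".tmp"]) for d in by_stem.values()
            if ".dll" in d and ".tmp" in d and d[".tmp"].size == 0]


def build_cfscript(entries: list[Entry], known_good: set[str] = KNOWN_GOOD_DRIVERS) -> str:
    """Render the flagged paths in the File::/Driver:: layout used in the thread."""
    clones = find_size_clones(entries, known_good)
    pairs = find_dll_tmp_pairs(entries)
    files = [e.path for e in clones] + [p.path for pair in pairs for p in pair]
    drivers = [e.path for e in clones]
    return "File::\n" + "\n".join(files) + "\n\nDriver::\n" + "\n".join(drivers) + "\n"


if __name__ == "__main__":
    print(build_cfscript(parse_created_section(SAMPLE_COMBOFIX_CREATED)))
```

The same-size rule deliberately keeps the allowlisted original out of the script, so a second log with a different legitimate driver in the role of AFD.SYS needs that name added to the allowlist rather than a code change.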
  • Hoi KaCey, wil het lukken?
  • Ik ga straks weer aan de slag met de laptop. Dan heb ik de laptop weer voor me. Zodra ik meer weet post ik nieuwe info. Alvast bedankt voor de hulp.
  • Hoi KaCey, even dit, misschien kan je er niks aan doen, maar het tijdsverloop tussen opdracht en uitvoeren daarvan moet niet te groot worden!
  • Ran ComboFix again and this is the log:
ComboFix 10-12-31.01 - Preinstalled user 31-12-2010 19:28:22.2.2 - x86 Microsoft Windows XP Home Edition 5.1.2600.3.1252.31.1043.18.1526.1098 [GMT 1:00] Gestart vanuit: c:\documents and settings\Preinstalled user\Bureaublad\ComboFix.exe AV: Lavasoft Ad-Watch Live! Antivirus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33} AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095} . (((((((((((((((((((( Bestanden Gemaakt van 2010-11-28 to 2010-12-31 )))))))))))))))))))))))))))))) . 2010-12-30 18:34 . 2010-11-16 11:01 6273872 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{80B904CC-AB9E-46F2-8BBB-5EF4D0D75921}\mpengine.dll 2010-12-27 22:15 . 2010-12-31 15:29 -------- d--h--r- c:\documents and settings\Preinstalled user\Onlangs geopend 2010-12-21 15:56 . 2010-12-27 13:05 -------- d-----w- c:\program files\CCleaner 2010-12-21 15:34 . 2010-12-21 15:35 388096 ----a-r- c:\documents and settings\Preinstalled user\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe 2010-12-21 15:31 . 2010-12-21 15:31 -------- d-----w- c:\program files\Trend Micro 2010-12-21 13:47 . 2010-12-21 13:47 -------- d-----w- c:\documents and settings\Preinstalled user\Application Data\Malwarebytes 2010-12-21 13:46 . 2010-11-29 16:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2010-12-21 13:46 . 2010-12-21 13:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes 2010-12-21 13:46 . 2010-11-29 16:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys 2010-12-21 13:46 . 2010-12-21 13:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2010-12-21 06:50 . 2010-09-18 06:53 954368 -c----w- c:\windows\system32\dllcache\mfc40.dll 2010-12-21 06:50 . 2010-09-18 06:53 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll 2010-12-21 06:49 .
2010-09-18 06:53 974848 -c----w- c:\windows\system32\dllcache\mfc42.dll 2010-12-21 06:49 . 2010-08-23 16:13 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll 2010-12-21 06:48 . 2010-11-02 15:17 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys 2010-12-21 06:45 . 2010-11-16 11:01 6273872 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll 2010-12-21 06:41 . 2010-10-11 14:59 45568 -c----w- c:\windows\system32\dllcache\wab.exe 2010-12-20 22:14 . 2010-12-20 22:14 -------- d-----w- c:\documents and settings\Administrator 2010-12-20 20:13 . 2010-12-20 20:13 138496 ----a-w- c:\windows\system32\drivers\AFD.SYS 2010-12-20 20:00 . 2010-12-20 20:00 138496 ----a-w- c:\windows\system32\drivers\xxjuiddu.sys 2010-12-20 18:57 . 2010-12-20 18:57 138496 ----a-w- c:\windows\system32\drivers\rewqkrte.sys 2010-12-20 18:13 . 2010-10-19 20:51 222080 ------w- c:\windows\system32\MpSigStub.exe 2010-12-20 17:55 . 2010-12-20 17:57 -------- d-----w- c:\program files\Microsoft Security Client 2010-12-19 18:56 . 2010-12-19 18:56 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google 2010-12-19 17:32 . 2010-12-19 17:32 -------- d-----w- c:\documents and settings\Preinstalled user\Local Settings\Application Data\PCHealth 2010-12-16 18:03 . 2010-12-16 18:03 733184 ----a-w- c:\windows\system32\alk19.dll 2010-12-16 18:03 . 2010-12-16 18:03 0 ----a-w- c:\windows\system32\alk19.tmp 2010-12-16 18:03 . 2010-12-16 18:03 733184 ----a-w- c:\windows\system32\alk18.dll 2010-12-16 18:03 . 2010-12-16 18:03 0 ----a-w- c:\windows\system32\alk18.tmp 2010-12-02 03:35 . 2010-12-02 03:35 4280320 ----a-w- c:\windows\system32\GPhotos.scr . ((((((((((((((((((((((((((((((((((((((( Find3M Rapport )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2010-12-21 06:38 . 2010-10-03 17:00 15880 ----a-w- c:\windows\system32\lsdelete.exe 2010-11-18 18:15 . 
2006-05-31 07:30 86016 ----a-w- c:\windows\system32\isign32.dll 2010-11-18 16:17 . 2010-11-18 16:17 740864 ----a-w- c:\windows\system32\alk17.dll 2010-11-18 16:17 . 2010-11-18 16:17 0 ----a-w- c:\windows\system32\alk17.tmp 2010-11-18 16:17 . 2010-11-18 16:17 740864 ----a-w- c:\windows\system32\alk16.dll 2010-11-18 16:17 . 2010-11-18 16:17 0 ----a-w- c:\windows\system32\alk16.tmp 2010-11-18 16:16 . 2010-11-18 16:16 740864 ----a-w- c:\windows\system32\alk15.dll 2010-11-18 16:16 . 2010-11-18 16:16 0 ----a-w- c:\windows\system32\alk15.tmp 2010-11-09 13:49 . 2010-11-09 13:49 745984 ----a-w- c:\windows\system32\alk31.dll 2010-11-09 13:49 . 2010-11-09 13:49 0 ----a-w- c:\windows\system32\alk31.tmp 2010-11-09 13:49 . 2010-11-09 13:49 745984 ----a-w- c:\windows\system32\alk30.dll 2010-11-09 13:49 . 2010-11-09 13:49 0 ----a-w- c:\windows\system32\alk30.tmp 2010-11-07 18:07 . 2010-10-03 16:33 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys 2010-11-06 00:23 . 2006-05-31 07:19 916480 ----a-w- c:\windows\system32\wininet.dll 2010-11-06 00:23 . 2006-05-31 07:19 43520 ----a-w- c:\windows\system32\licmgr10.dll 2010-11-06 00:23 . 2006-05-31 07:19 1469440 ------w- c:\windows\system32\inetcpl.cpl 2010-11-03 12:27 . 2006-05-31 07:19 385024 ----a-w- c:\windows\system32\html.iec 2010-11-02 15:17 . 2006-05-31 07:19 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys 2010-10-28 13:09 . 2006-05-31 07:19 290048 ----a-w- c:\windows\system32\atmfd.dll 2010-10-26 14:00 . 2006-05-31 07:19 1853440 ----a-w- c:\windows\system32\win32k.sys 2010-10-24 20:25 . 2010-10-24 20:25 165264 ----a-w- c:\windows\system32\drivers\MpFilter.sys . ((((((((((((((((((((((((((((((((((((( Reg Opstartpunten ))))))))))))))))))))))))))))))))))))))))))))))))))) . . 
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond REGEDIT4 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] "AvgUninstallURL"="start http:" [X] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360] c:\documents and settings\Preinstalled user\Menu Start\Programma's\Opstarten\ LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2010-7-8 503808] c:\documents and settings\All Users\Menu Start\Programma's\Opstarten\ Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-11-22 110592] RAMASST.lnk - c:\windows\system32\RAMASST.exe [2007-1-3 155648] SMART Board Tools.lnk - c:\program files\SMART Technologies\SMART Product Drivers\SMARTBoardTools.exe [2010-7-15 12375952] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service] @="Service" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc] @="Service" [HKLM\~\startupfolder\C:^Documents and Settings^Preinstalled user^Menu Start^Programma's^Opstarten^Antimalware Doctor.lnk] path=c:\documents and settings\Preinstalled user\Menu Start\Programma's\Opstarten\Antimalware Doctor.lnk backup=c:\windows\pss\Antimalware Doctor.lnkStartup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPSMain] 2005-08-11 14:14 266240 ----a-w- c:\windows\system32\TPSMain.exe [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusOverride"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Messenger\\msmsgs.exe"= "c:\\StubInstaller.exe"= "c:\\Program Files\\LimeWire\\LimeWire.exe"= "%windir%\\Network 
Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"= "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"= "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"= "c:\\Program Files\\Skype\\Phone\\Skype.exe"= "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"= "c:\\Program Files\\BitTorrent\\bittorrent.exe"= R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [3-10-2010 17:33 64288] R2 SMART Display Controller;SMART Display Controller;c:\program files\SMART Technologies\SMART Product Drivers\UCService.exe [15-7-2010 15:48 844688] R2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [18-4-2006 14:12 98816] R3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [12-8-2010 13:15 1389400] R3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [12-8-2010 13:15 15264] S1 ikmpnqan;ikmpnqan;\??\c:\windows\system32\drivers\ikmpnqan.sys --> c:\windows\system32\drivers\ikmpnqan.sys [?] S2 AMService;AMService;c:\windows\TEMP\qaxr\setup.exe run --> c:\windows\TEMP\qaxr\setup.exe run [?] S2 enwcodjs;Realtek 10/100/1000 PCI-E NIC Family NDIS XP Monitor;c:\windows\System32\svchost.exe -k netsvcs [31-5-2006 8:19 14336] S3 SMART SNMP Agent Service;SMART SNMP Agent Service;c:\program files\SMART Technologies\SMART Product Drivers\SMARTSNMPAgent.exe [15-7-2010 15:48 1662352] S4 kroover;kroover;c:\windows\system32\drivers\kroover.exe --> c:\windows\system32\drivers\kroover.exe [?] HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs enwcodjs . Inhoud van de 'Gedeelde Taken' map 2010-12-31 c:\windows\Tasks\Ad-Aware Update (Weekly).job - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-08-12 06:37] 2010-12-31 c:\windows\Tasks\MP Scheduled Scan.job - c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 11:26] . . ------- Bijkomende Scan ------- . 
uStart Page = hxxp://www.google.nl/ uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8 uInternet Settings,ProxyServer = http=127.0.0.1:5643 uInternet Settings,ProxyOverride = <local> uSearchAssistant = hxxp://www.google.com/ie uSearchURL,(Default) = hxxp://www.google.com/search?q=%s IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200 IE: E&xporteren naar Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000 DPF: {DEB21AD3-FDA4-42F6-B57D-EE696A675EE8} - hxxp://asp09.photoprintit.de/microsite/8/defaults/activex/ImageUploader3.cab . ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2010-12-31 19:35 Windows 5.1.2600 Service Pack 3 NTFS scannen van verborgen processen ... scannen van verborgen autostart items ... scannen van verborgen bestanden ... Scan succesvol afgerond verborgen bestanden: 0 ************************************************************************** . 
--------------------- VERGRENDELDE REGISTER SLEUTELS --------------------- [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}] @Denied: (A 2) (Everyone) @="FlashBroker" "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101" [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation] "Enabled"=dword:00000001 [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32] @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe" [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}] @Denied: (A 2) (Everyone) @="IFlashBroker4" [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32] @="{00020424-0000-0000-C000-000000000046}" [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" "Version"="1.0" [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\¤–}|ÿÿÿÿÀ•}|ù•9~*] "3140110900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL" . --------------------- DLLs Geladen Onder Lopende Processen --------------------- - - - - - - - > 'explorer.exe'(4388) c:\windows\system32\webcheck.dll . Voltooingstijd: 2010-12-31 19:38:11 ComboFix-quarantined-files.txt 2010-12-31 18:38 ComboFix2.txt 2010-12-27 15:34 Pre-Run: 10.014.375.936 bytes beschikbaar Post-Run: 10.227.773.440 bytes beschikbaar - - End Of File - - 562796C9276073ED32EB0919DEC6869D
  • Hi KaCey, by the looks of it you only started ComboFix for a new scan. See my previous post and now do what I wrote there.
  • Hello Abraham54, here is the ComboFix log:
ComboFix 10-12-31.01 - Preinstalled user 31-12-2010 20:18:34.3.2 - x86 Microsoft Windows XP Home Edition 5.1.2600.3.1252.31.1043.18.1526.955 [GMT 1:00] Gestart vanuit: c:\documents and settings\Preinstalled user\Bureaublad\ComboFix.exe gebruikte Opdracht switches :: c:\documents and settings\Preinstalled user\Bureaublad\CFScript.txt AV: Lavasoft Ad-Watch Live! Antivirus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33} AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095} FILE :: "c:\windows\system32\alk15.dll" "c:\windows\system32\alk15.tmp" "c:\windows\system32\alk16.dll" "c:\windows\system32\alk16.tmp" "c:\windows\system32\alk17.dll" "c:\windows\system32\alk17.tmp" "c:\windows\system32\alk18.dll" "c:\windows\system32\alk18.tmp" "c:\windows\system32\alk19.dll" "c:\windows\system32\alk19.tmp" "c:\windows\system32\alk30.dll" "c:\windows\system32\alk30.tmp" "c:\windows\system32\drivers\rewqkrte.sys" "c:\windows\system32\drivers\xxjuiddu.sys" . (((((((((((((((((((((((((((((((((( Andere Verwijderingen ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\windows\system32\alk15.dll c:\windows\system32\alk15.tmp c:\windows\system32\alk16.dll c:\windows\system32\alk16.tmp c:\windows\system32\alk17.dll c:\windows\system32\alk17.tmp c:\windows\system32\alk18.dll c:\windows\system32\alk18.tmp c:\windows\system32\alk19.dll c:\windows\system32\alk19.tmp c:\windows\system32\alk30.dll c:\windows\system32\alk30.tmp c:\windows\system32\drivers\rewqkrte.sys c:\windows\system32\drivers\xxjuiddu.sys . (((((((((((((((((((( Bestanden Gemaakt van 2010-11-28 to 2010-12-31 )))))))))))))))))))))))))))))) . 2010-12-30 18:34 . 2010-11-16 11:01 6273872 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{80B904CC-AB9E-46F2-8BBB-5EF4D0D75921}\mpengine.dll 2010-12-27 22:15 .
2010-12-31 19:17 -------- d--h--r- c:\documents and settings\Preinstalled user\Onlangs geopend 2010-12-21 15:56 . 2010-12-27 13:05 -------- d-----w- c:\program files\CCleaner 2010-12-21 15:34 . 2010-12-21 15:35 388096 ----a-r- c:\documents and settings\Preinstalled user\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe 2010-12-21 15:31 . 2010-12-21 15:31 -------- d-----w- c:\program files\Trend Micro 2010-12-21 13:47 . 2010-12-21 13:47 -------- d-----w- c:\documents and settings\Preinstalled user\Application Data\Malwarebytes 2010-12-21 13:46 . 2010-11-29 16:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2010-12-21 13:46 . 2010-12-21 13:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes 2010-12-21 13:46 . 2010-11-29 16:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys 2010-12-21 13:46 . 2010-12-21 13:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2010-12-21 06:50 . 2010-09-18 06:53 954368 -c----w- c:\windows\system32\dllcache\mfc40.dll 2010-12-21 06:50 . 2010-09-18 06:53 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll 2010-12-21 06:49 . 2010-09-18 06:53 974848 -c----w- c:\windows\system32\dllcache\mfc42.dll 2010-12-21 06:49 . 2010-08-23 16:13 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll 2010-12-21 06:48 . 2010-11-02 15:17 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys 2010-12-21 06:45 . 2010-11-16 11:01 6273872 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll 2010-12-21 06:41 . 2010-10-11 14:59 45568 -c----w- c:\windows\system32\dllcache\wab.exe 2010-12-20 22:14 . 2010-12-20 22:14 -------- d-----w- c:\documents and settings\Administrator 2010-12-20 20:13 . 2010-12-20 20:13 138496 ----a-w- c:\windows\system32\drivers\AFD.SYS 2010-12-20 18:13 . 2010-10-19 20:51 222080 ------w- c:\windows\system32\MpSigStub.exe 2010-12-20 17:55 . 
2010-12-20 17:57 -------- d-----w- c:\program files\Microsoft Security Client 2010-12-19 18:56 . 2010-12-19 18:56 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google 2010-12-19 17:32 . 2010-12-19 17:32 -------- d-----w- c:\documents and settings\Preinstalled user\Local Settings\Application Data\PCHealth 2010-12-02 03:35 . 2010-12-02 03:35 4280320 ----a-w- c:\windows\system32\GPhotos.scr . ((((((((((((((((((((((((((((((((((((((( Find3M Rapport )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2010-12-21 06:38 . 2010-10-03 17:00 15880 ----a-w- c:\windows\system32\lsdelete.exe 2010-11-18 18:15 . 2006-05-31 07:30 86016 ----a-w- c:\windows\system32\isign32.dll 2010-11-09 13:49 . 2010-11-09 13:49 745984 ----a-w- c:\windows\system32\alk31.dll 2010-11-09 13:49 . 2010-11-09 13:49 0 ----a-w- c:\windows\system32\alk31.tmp 2010-11-07 18:07 . 2010-10-03 16:33 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys 2010-11-06 00:23 . 2006-05-31 07:19 916480 ----a-w- c:\windows\system32\wininet.dll 2010-11-06 00:23 . 2006-05-31 07:19 43520 ----a-w- c:\windows\system32\licmgr10.dll 2010-11-06 00:23 . 2006-05-31 07:19 1469440 ------w- c:\windows\system32\inetcpl.cpl 2010-11-03 12:27 . 2006-05-31 07:19 385024 ----a-w- c:\windows\system32\html.iec 2010-11-02 15:17 . 2006-05-31 07:19 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys 2010-10-28 13:09 . 2006-05-31 07:19 290048 ----a-w- c:\windows\system32\atmfd.dll 2010-10-26 14:00 . 2006-05-31 07:19 1853440 ----a-w- c:\windows\system32\win32k.sys 2010-10-24 20:25 . 2010-10-24 20:25 165264 ----a-w- c:\windows\system32\drivers\MpFilter.sys . ((((((((((((((((((((((((((((((((((((( Reg Opstartpunten ))))))))))))))))))))))))))))))))))))))))))))))))))) . . 
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond REGEDIT4 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] "AvgUninstallURL"="start http:" [X] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360] c:\documents and settings\Preinstalled user\Menu Start\Programma's\Opstarten\ LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2010-7-8 503808] c:\documents and settings\All Users\Menu Start\Programma's\Opstarten\ Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-11-22 110592] RAMASST.lnk - c:\windows\system32\RAMASST.exe [2007-1-3 155648] SMART Board Tools.lnk - c:\program files\SMART Technologies\SMART Product Drivers\SMARTBoardTools.exe [2010-7-15 12375952] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service] @="Service" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc] @="Service" [HKLM\~\startupfolder\C:^Documents and Settings^Preinstalled user^Menu Start^Programma's^Opstarten^Antimalware Doctor.lnk] path=c:\documents and settings\Preinstalled user\Menu Start\Programma's\Opstarten\Antimalware Doctor.lnk backup=c:\windows\pss\Antimalware Doctor.lnkStartup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPSMain] 2005-08-11 14:14 266240 ----a-w- c:\windows\system32\TPSMain.exe [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusOverride"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Messenger\\msmsgs.exe"= "c:\\StubInstaller.exe"= "c:\\Program Files\\LimeWire\\LimeWire.exe"= "%windir%\\Network 
Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"= "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"= "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"= "c:\\Program Files\\Skype\\Phone\\Skype.exe"= "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"= "c:\\Program Files\\BitTorrent\\bittorrent.exe"= R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [3-10-2010 17:33 64288] R2 SMART Display Controller;SMART Display Controller;c:\program files\SMART Technologies\SMART Product Drivers\UCService.exe [15-7-2010 15:48 844688] R2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [18-4-2006 14:12 98816] R3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [12-8-2010 13:15 1389400] R3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [12-8-2010 13:15 15264] S1 ikmpnqan;ikmpnqan;\??\c:\windows\system32\drivers\ikmpnqan.sys --> c:\windows\system32\drivers\ikmpnqan.sys [?] S2 AMService;AMService;c:\windows\TEMP\qaxr\setup.exe run --> c:\windows\TEMP\qaxr\setup.exe run [?] S2 enwcodjs;Realtek 10/100/1000 PCI-E NIC Family NDIS XP Monitor;c:\windows\System32\svchost.exe -k netsvcs [31-5-2006 8:19 14336] S3 SMART SNMP Agent Service;SMART SNMP Agent Service;c:\program files\SMART Technologies\SMART Product Drivers\SMARTSNMPAgent.exe [15-7-2010 15:48 1662352] S4 kroover;kroover;c:\windows\system32\drivers\kroover.exe --> c:\windows\system32\drivers\kroover.exe [?] HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs enwcodjs . Inhoud van de 'Gedeelde Taken' map 2010-12-31 c:\windows\Tasks\Ad-Aware Update (Weekly).job - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-08-12 06:37] 2010-12-31 c:\windows\Tasks\MP Scheduled Scan.job - c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 11:26] . . ------- Bijkomende Scan ------- . 
uStart Page = hxxp://www.google.nl/ uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8 uInternet Settings,ProxyServer = http=127.0.0.1:5643 uInternet Settings,ProxyOverride = <local> uSearchAssistant = hxxp://www.google.com/ie uSearchURL,(Default) = hxxp://www.google.com/search?q=%s IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200 IE: E&xporteren naar Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000 DPF: {DEB21AD3-FDA4-42F6-B57D-EE696A675EE8} - hxxp://asp09.photoprintit.de/microsite/8/defaults/activex/ImageUploader3.cab . ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2010-12-31 20:22 Windows 5.1.2600 Service Pack 3 NTFS scannen van verborgen processen ... scannen van verborgen autostart items ... scannen van verborgen bestanden ... Scan succesvol afgerond verborgen bestanden: 0 ************************************************************************** . 
--------------------- VERGRENDELDE REGISTER SLEUTELS --------------------- [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}] @Denied: (A 2) (Everyone) @="FlashBroker" "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101" [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation] "Enabled"=dword:00000001 [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32] @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe" [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}] @Denied: (A 2) (Everyone) @="IFlashBroker4" [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32] @="{00020424-0000-0000-C000-000000000046}" [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" "Version"="1.0" [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\¤–}|ÿÿÿÿÀ•}|ù•9~*] "3140110900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL" . Voltooingstijd: 2010-12-31 20:24:56 ComboFix-quarantined-files.txt 2010-12-31 19:24 ComboFix2.txt 2010-12-31 18:38 ComboFix3.txt 2010-12-27 15:34 Pre-Run: 10.243.289.088 bytes beschikbaar Post-Run: 10.221.101.056 bytes beschikbaar - - End Of File - - BC160E3AC24E34724467BCB5256BDD70
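A triage pass over lines of the kind ComboFix and HijackThis print in the logs above, as an added example that is not from this thread or from either tool: it flags the indicators the helper acted on and several the logs still show (the browser proxy at 127.0.0.1, AntiVirusOverride, services ComboFix could not verify or that run from TEMP, random-looking service names, and drivers that share the exact size of AFD.SYS). The sample lines are constructed from entries quoted in the thread; the heuristics and the names `triage` and `Finding` are assumptions of this example, not logic from the tools.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample lines, modelled on the ComboFix and HijackThis
# entries quoted in this thread (not the complete logs).
SAMPLE_LOG = r"""uInternet Settings,ProxyServer = http=127.0.0.1:5643
"AntiVirusOverride"=dword:00000001
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [3-10-2010 17:33 64288]
S1 ikmpnqan;ikmpnqan;\??\c:\windows\system32\drivers\ikmpnqan.sys --> c:\windows\system32\drivers\ikmpnqan.sys [?]
S2 AMService;AMService;c:\windows\TEMP\qaxr\setup.exe run --> c:\windows\TEMP\qaxr\setup.exe run [?]
S2 enwcodjs;Realtek 10/100/1000 PCI-E NIC Family NDIS XP Monitor;c:\windows\System32\svchost.exe -k netsvcs [31-5-2006 8:19 14336]
S4 kroover;kroover;c:\windows\system32\drivers\kroover.exe --> c:\windows\system32\drivers\kroover.exe [?]
2010-12-20 20:13 . 2010-12-20 20:13 138496 ----a-w- c:\windows\system32\drivers\AFD.SYS
2010-12-20 20:00 . 2010-12-20 20:00 138496 ----a-w- c:\windows\system32\drivers\xxjuiddu.sys
2010-12-20 18:57 . 2010-12-20 18:57 138496 ----a-w- c:\windows\system32\drivers\rewqkrte.sys
2010-12-21 13:46 . 2010-11-29 16:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
O23 - Service: AMService - Unknown owner - C:\WINDOWS\TEMP\qaxr\setup.exe (file missing)
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
"""

# ComboFix service/driver line: "<R|S><n> name;display name;image path [...]"
SERVICE_RE = re.compile(r"^[RS]\d (?P<name>[^;]+);(?P<display>[^;]+);(?P<rest>.*)$")
# ComboFix file-list line: "<created> . <modified> <size> <attrs> <path>"
FILE_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} "
    r"(?P<size>\d+) \S+ (?P<path>.+)$"
)
# Heuristic: long, all-lowercase service names are typical of generated names.
RANDOM_NAME_RE = re.compile(r"^[a-z]{7,}$")


@dataclass
class Finding:
    line: str
    reason: str


def triage(log_text: str) -> list[Finding]:
    """Return one Finding per suspicious log line (heuristics, not verdicts)."""
    findings: list[Finding] = []
    driver_sizes: dict[int, list[str]] = {}

    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        low = line.lower()

        if "proxyserver" in low and "127.0.0.1" in low:
            findings.append(Finding(line, "browser proxy points at localhost: a local process relays web traffic"))
        elif '"antivirusoverride"=dword:00000001' in low:
            findings.append(Finding(line, "Security Center antivirus warnings are suppressed"))
        elif (m := SERVICE_RE.match(line)):
            reasons = []
            if RANDOM_NAME_RE.match(m.group("name")):
                reasons.append("random-looking service name")
            if "[?]" in m.group("rest"):
                reasons.append("ComboFix could not verify the image file ([?])")
            if "\\temp\\" in low:
                reasons.append("service runs from a TEMP directory")
            if reasons:
                findings.append(Finding(line, "; ".join(reasons)))
        elif (m := FILE_RE.match(line)):
            path = m.group("path")
            if "\\drivers\\" in path.lower():
                driver_sizes.setdefault(int(m.group("size")), []).append(path)
        elif low.startswith("o23 - service:") and ("(file missing)" in low or "unknown owner" in low):
            findings.append(Finding(line, "service with unknown owner or missing image file"))

    # Several drivers created with byte-identical sizes suggest copies of one
    # legitimate driver (here AFD.SYS) rather than independent installs.
    for size, paths in driver_sizes.items():
        if len(paths) > 1:
            for path in paths:
                findings.append(Finding(path, f"driver size {size} shared by {len(paths)} files: possible patched copy"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```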
  • Hi KaCey, that looks better! Restart MBAM.
    - First click on the 'Update' tab.
    - Then click on the 'Check for updates' button.
    - If a new version of MBAM is offered, accept it.
    - After MBAM has been renewed, first start the update cycle again.
    - Then choose 'Quick Scan'.
    - When the scan is complete, click the 'OK' button.
    - Then click the 'Show Results' button to see the results.
    - Make sure everything is ticked.
    - Next click on 'Remove Selected'.
    - After removal a log will open and you will be asked to restart the computer.
    - The log is saved automatically by MBAM and you can find it by clicking on the 'Logs' tab in MBAM.
    - If MBAM has difficulty removing certain files it will give a few messages; click 'OK' each time!
    - After that MBAM will ask to restart the computer, so allow the computer to be restarted.
    After this, post the contents of the following logs:
    - a new HijackThis log
    - the MBAM scan log
  • Hello Kacey, why is everything taking so long again? Is nothing being done any more, perhaps?
  • Hello Abraham54, I no longer had access to the laptop. Here is an HJT scan. Did I also post an MBAM log earlier?
Logfile of Trend Micro HijackThis v2.0.4 Scan saved at 17:38:52, on 23-1-2011 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v8.00 (8.00.6001.18702) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Intel\Wireless\Bin\EvtEng.exe C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe C:\WINDOWS\system32\DVDRAMSV.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe C:\Program Files\CyberLink\Shared Files\RichVideo.exe C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe C:\Program Files\SMART Technologies\SMART Product Drivers\SMARTBoardService.exe C:\Program Files\SMART Technologies\SMART Product Drivers\UCService.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\TODDSrv.exe C:\Program Files\Microsoft Security Client\msseces.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\system32\RAMASST.exe C:\Program Files\SMART Technologies\SMART Product Drivers\SMARTBoardTools.exe C:\Program Files\SMART Technologies\SMART Product Drivers\Aware.exe C:\Program Files\SMART Technologies\SMART Product Drivers\Marker.exe C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe C:\Program Files\Windows Live\Messenger\msnmsgr.exe C:\Program Files\Windows Live\Contacts\wlcomm.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Windows Live\Toolbar\wltuser.exe C:\Program
Files\Trend Micro\HiJackThis\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5643
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: ThreeShips IEHelper - {17FDB9F8-DCC4-4F6A-AE07-B16018A48469} - C:\Program Files\Common Files\Threeships Shared\DLL\ThreeShipsIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: SMART Notebook Download Plugin - {67BCF957-85FC-4036-8DC4-D4D80E00A77B} - C:\Program Files\SMART Technologies\SMART Notebook\NotebookPlugin.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Windows Live Aanmelden - Help - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [MSC] "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
O4 - HKLM\..\RunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-app?lic=OQBBAFYARgBSAEUARQAtAFYAMgBHADMASwAtADgANwBXAFUAVQAtADIAVABWAEgAQQAtAFgANgBEAEYAOAAtAEwANgBQAEEATgA"&"inst=NwA3AC0ANgA4ADAAMAA0ADUAMQAwAC0AVAA1AC0AQgBBACsAMQAtAEsAVgAzACsANwAtAEIAMgA0AC0ARgBMACsAOQAtAEYAOQBNADYAKwAxAC0AWABPADMANgArADEALQBGADkATQA3AEMAKwA1AA"&"prod=90"&"ver=9.0.872
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: SMART Board Tools.lnk = C:\Program Files\SMART Technologies\SMART Product Drivers\SMARTBoardTools.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: In weblog opnemen - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &In weblog opnemen met Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (MSN Games – Texas Holdem Poker) - http://zone.msn.com/bingame/zpagames/zpa_txhe.cab79344.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {DEB21AD3-FDA4-42F6-B57D-EE696A675EE8} (IP-Uploader Control) - http://asp09.photoprintit.de/microsite/8/defaults/activex/ImageUploader3.cab
O16 - DPF: {EDFCB7CB-942C-4822-AF14-F0B687409848} (Image Uploader Control) - http://cache.hyves-static.net/statics/Aurigma/ImageUploader4.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Preloader van browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Cache-daemon voor onderdeelcategorieën - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: AMService - Unknown owner - C:\WINDOWS\TEMP\qaxr\setup.exe (file missing)
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SMART Board-service (SMART Board Service) - SMART Technologies - C:\Program Files\SMART Technologies\SMART Product Drivers\SMARTBoardService.exe
O23 - Service: SMART Display Controller - SMART Technologies ULC - C:\Program Files\SMART Technologies\SMART Product Drivers\UCService.exe
O23 - Service: SMART SNMP Agent Service - SMART Technologies ULC - C:\Program Files\SMART Technologies\SMART Product Drivers\SMARTSNMPAgent.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\WINDOWS\system32\TODDSrv.exe
-- End of file - 10413 bytes
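As an added example (not code from the original post, and not a HijackThis feature), the script below parses HijackThis entry lines and flags the entries an experienced helper would look at first in a log like this one: the HKCU ProxyServer value pointing at a listener on 127.0.0.1:5643, the O23 service AMService registered from C:\WINDOWS\TEMP with its file already missing, the nameless O2 BHO with "(no file)", and the LimeWire autostart. The four rules (loopback proxy, service binary under a temp directory, orphaned target, P2P client at startup) and their severities are my own triage heuristics, not a ruleset from the page or from HijackThis; the sample log is constructed from lines copied verbatim from the posted log plus two benign entries.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: entries copied verbatim from the posted log plus two
# benign lines (the Google start page and the TOSHIBA service), so the rules
# below can be exercised offline.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5643
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O23 - Service: AMService - Unknown owner - C:\WINDOWS\TEMP\qaxr\setup.exe (file missing)
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
"""


@dataclass
class Finding:
    severity: str   # "high", "medium" or "low"
    section: str    # HijackThis section tag, e.g. "O23"
    reason: str
    line: str


SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}

# One HijackThis entry: section tag, " - ", then the body.
ENTRY_RE = re.compile(r"^([RFO]\d+)\s+-\s+(.*)$")
# Proxy pointing at a loopback listener.  The optional "http=" prefix is the
# per-protocol form IE stores in the ProxyServer value.
LOOPBACK_PROXY_RE = re.compile(
    r"ProxyServer\s*=\s*(?:\w+=)?(?:127\.0\.0\.1|localhost):(\d+)", re.I)
# Service binary under a temp directory (assumed heuristic: legitimate services
# are not installed there).
TEMP_PATH_RE = re.compile(r"[\\/]temp[\\/]", re.I)
# Assumed watch-list for the O4 rule: P2P clients are a frequent source of the
# trojaned downloads a clean-up has to consider, but are not proof of infection.
P2P_NAMES = ("limewire", "kazaa", "bearshare", "emule")


def parse_entries(log_text: str):
    """Yield (section, body, raw_line) for every entry line in a HJT log."""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            yield m.group(1), m.group(2), line


def triage(log_text: str) -> list[Finding]:
    """Apply the heuristics to every entry; highest severity first."""
    findings: list[Finding] = []
    for section, body, line in parse_entries(log_text):
        before = len(findings)
        if section.startswith("R"):
            m = LOOPBACK_PROXY_RE.search(body)
            if m:
                findings.append(Finding("high", section,
                    f"browser traffic is routed through a local listener on port "
                    f"{m.group(1)}; identify the owning process before clearing the value",
                    line))
        elif section == "O23" and TEMP_PATH_RE.search(body):
            note = "service binary lives under a temp directory"
            if "(file missing)" in body:
                note += "; file already gone, the service registration is still there"
            findings.append(Finding("high", section, note, line))
        elif section == "O4" and any(n in body.lower() for n in P2P_NAMES):
            findings.append(Finding("medium", section,
                "P2P client set to start automatically; a judgement call, not an IOC",
                line))
        # Orphaned entries are low priority unless a rule above already fired.
        if len(findings) == before and (
                body.endswith("(no file)") or body.endswith("(file missing)")):
            findings.append(Finding("low", section,
                "orphaned entry (target missing); safe to fix in HijackThis", line))
    return sorted(findings, key=lambda f: SEVERITY_RANK[f.severity])


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section:4} {f.reason}\n         {f.line}")
    print(summarize(triage(SAMPLE_LOG)))
```

One caveat the proxy rule is meant to surface: fixing the R1 line in HijackThis only clears the registry value, it does not stop whatever is listening on 127.0.0.1:5643. On Windows XP, `netstat -ano` shows the listening port with its PID and `tasklist /fi "pid eq <pid>"` names the process; that process, not the registry value, is the thing to remove first.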

This is an archived page. Answering is no longer possible.