Question & Answer

Security & privacy

Help! I think it's a worm + hjklog

Anonymous
dewit
52 replies
  • Yes

    Thanks for all the help 8)
  • After a restart the problem is simply back again :cry:
  • Make a new HijackThis log and post it.

    Download Silent Runners
    Unzip it to a folder of its own.
    Start SilentRunners.vbs
    If your antivirus program gives a warning, allow this script to run.
    A log is placed in the folder from which you started Silent Runners. Post the contents of this log.
  • The log:

    "Silent Runners.vbs", revision 41, http://www.silentrunners.org/
    Operating System: Windows XP SP2
    Output limited to non-default values, except where indicated by "{++}"


    Startup items buried in registry:
    ———————————

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
    "C-Media Mixer" = "Mixer.exe /startup" ["C-Media Electronic Inc. (www.cmedia.com.tw)"]
    "SunJavaUpdateSched" = "C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe" [null data]
    "Ulead AutoDetector" = "C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe" ["Ulead Systems, Inc."]
    "QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
    "PinnacleDriverCheck" = "C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg" [empty string]
    "AVG7_CC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]
    "AVG7_EMC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe" ["GRISOFT, s.r.o."]
    "USB2Check" = "RUNDLL32.EXE "C:\WINDOWS\system32\PCLECoInst.dll",CheckUSBController" [MS]
    "USBToolTip" = ""D:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe"" ["Pinnacle Systems GmbH"]
    "NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
    "nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
    "NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit" [MS]
    "KAVPersonal50" = ""C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize" ["Kaspersky Lab"]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
    {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
    {53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
    -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
    {601ED020-FB6C-11D3-87D8-0050DA59922B}\(Default) = "Ipswitch.WsftpBrowserHelper"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Ipswitch\WS_FTP Home\wsbho2k0.dll" ["Ipswitch, Inc. 10 Maguire Road - Suite 220 Lexington, MA 02421"]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
    "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal-pictogramuitbreiding"
    -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
    "{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
    -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL" [MS]
    "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
    "{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
    "{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
    -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
    "{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
    -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
    "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
    "{79BC0345-1015-11D2-A299-006008312725}" = "blue.shell"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Pinnacle\Studio 10\programs\BlueShellExt.dll" [null data]
    "{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
    -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
    "{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
    -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
    "{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
    -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
    "{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
    -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
    "{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
    -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
    "{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band"
    -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
    "System" = (value not set)

    HKLM\System\CurrentControlSet\Control\Session Manager\
    INFECTION WARNING! "BootExecute" = "autocheck autochk * SsiEfr.e" [file not found], [MS], [file not found], [file not found]

    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
    INFECTION WARNING! WRNotifier\DLLName = "WRLogonNTF.dll" ["Webroot Software, Inc."]

    HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
    AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
    Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\shellex.dll" ["Kaspersky Lab"]
    WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
    WS_FTP\(Default) = "{797F3885-5429-11D4-8823-0050DA59922B}"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Ipswitch\WS_FTP Home\wsftpsi.dll" ["Ipswitch, Inc. 10 Maguire Road - Suite 220 Lexington, MA 02421"]

    HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
    WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

    HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
    AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
    Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\shellex.dll" ["Kaspersky Lab"]
    WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
    WS_FTP\(Default) = "{797F3885-5429-11D4-8823-0050DA59922B}"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Ipswitch\WS_FTP Home\wsftpsi.dll" ["Ipswitch, Inc. 10 Maguire Road - Suite 220 Lexington, MA 02421"]


    Active Desktop and Wallpaper:
    —————————–

    Active Desktop is disabled at this entry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

    HKCU\Control Panel\Desktop\
    "Wallpaper" = "C:\Documents and Settings\De Wit\Application Data\Webshots\The Webshots Desktop\Wallpaper.bmp"
  • The SS log is not complete. You have to wait until you get a message that the script has finished.
  • The full log:

    "Silent Runners.vbs", revision 41, http://www.silentrunners.org/
    Operating System: Windows XP SP2
    Output limited to non-default values, except where indicated by "{++}"


    Startup items buried in registry:
    ———————————

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
    "C-Media Mixer" = "Mixer.exe /startup" ["C-Media Electronic Inc. (www.cmedia.com.tw)"]
    "SunJavaUpdateSched" = "C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe" [null data]
    "Ulead AutoDetector" = "C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe" ["Ulead Systems, Inc."]
    "QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
    "PinnacleDriverCheck" = "C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg" [empty string]
    "AVG7_CC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]
    "AVG7_EMC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe" ["GRISOFT, s.r.o."]
    "USB2Check" = "RUNDLL32.EXE "C:\WINDOWS\system32\PCLECoInst.dll",CheckUSBController" [MS]
    "USBToolTip" = ""D:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe"" ["Pinnacle Systems GmbH"]
    "NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
    "nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
    "NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit" [MS]
    "KAVPersonal50" = ""C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize" ["Kaspersky Lab"]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
    {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
    {53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
    -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
    {601ED020-FB6C-11D3-87D8-0050DA59922B}\(Default) = "Ipswitch.WsftpBrowserHelper"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Ipswitch\WS_FTP Home\wsbho2k0.dll" ["Ipswitch, Inc. 10 Maguire Road - Suite 220 Lexington, MA 02421"]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
    "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal-pictogramuitbreiding"
    -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
    "{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
    -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL" [MS]
    "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
    "{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
    "{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
    -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
    "{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
    -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
    "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
    "{79BC0345-1015-11D2-A299-006008312725}" = "blue.shell"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Pinnacle\Studio 10\programs\BlueShellExt.dll" [null data]
    "{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
    -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
    "{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
    -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
    "{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
    -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
    "{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
    -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
    "{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
    -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
    "{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band"
    -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
    "System" = (value not set)

    HKLM\System\CurrentControlSet\Control\Session Manager\
    INFECTION WARNING! "BootExecute" = "autocheck autochk * SsiEfr.e" [file not found], [MS], [file not found], [file not found]

    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
    INFECTION WARNING! WRNotifier\DLLName = "WRLogonNTF.dll" ["Webroot Software, Inc."]

    HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
    AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
    Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\shellex.dll" ["Kaspersky Lab"]
    WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
    WS_FTP\(Default) = "{797F3885-5429-11D4-8823-0050DA59922B}"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Ipswitch\WS_FTP Home\wsftpsi.dll" ["Ipswitch, Inc. 10 Maguire Road - Suite 220 Lexington, MA 02421"]

    HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
    WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

    HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
    AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
    Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\shellex.dll" ["Kaspersky Lab"]
    WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
    WS_FTP\(Default) = "{797F3885-5429-11D4-8823-0050DA59922B}"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Ipswitch\WS_FTP Home\wsftpsi.dll" ["Ipswitch, Inc. 10 Maguire Road - Suite 220 Lexington, MA 02421"]


    Active Desktop and Wallpaper:
    —————————–

    Active Desktop is disabled at this entry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

    HKCU\Control Panel\Desktop\
    "Wallpaper" = "C:\Documents and Settings\De Wit\Application Data\Webshots\The Webshots Desktop\Wallpaper.bmp"


    Startup items in "De Wit" & "All Users" startup folders:
    ——————————————————–

    C:\Documents and Settings\De Wit\Menu Start\Programma's\Opstarten
    "Webshots" -> shortcut to: "C:\Program Files\Webshots\Launcher.exe /t" [null data]

    C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten
    "Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l" [MS]


    Winsock2 Service Provider DLLs:
    ——————————-

    Namespace Service Providers

    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
    000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
    000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
    000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

    Transport Service Providers

    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
    0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
    %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 19
    %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


    Toolbars, Explorer Bars, Extensions:
    ————————————

    Explorer Bars

    HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\
    {21569614-B795-46B1-85F4-E737A8DC09AD}\ = "Shell Search Band" [from CLSID]
    -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]

    Extensions (Tools menu items, main toolbar menu buttons)

    HKLM\Software\Microsoft\Internet Explorer\Extensions\
    {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
    "MenuText" = "Sun Java Console"
    "CLSIDExtension" = "{08B0E5C0-4FCB-11CF-AAA5-00401C608501}"

    {2D663D1A-8670-49D9-A1A5-4C56B4E14E84}\

    {FB5F1910-F110-11D2-BB9E-00C04F795683}\
    "ButtonText" = "Messenger"
    "MenuText" = "Windows Messenger"
    "Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


    Running Services (Display Name, Service Name, Path {Service DLL}):
    ——————————————————————

    AVG7 Alert Manager Server, Avg7Alrt, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe" ["GRISOFT, s.r.o."]
    AVG7 Update Service, Avg7UpdSvc, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe" ["GRISOFT, s.r.o."]
    kavsvc, kavsvc, ""C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe"" ["Kaspersky Lab"]
    LexBce Server, LexBceS, "C:\WINDOWS\system32\LEXBCES.EXE" ["Lexmark International, Inc."]
    NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]
    Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]


    Print Monitors:
    —————

    HKLM\System\CurrentControlSet\Control\Print\Monitors\
    Lexmark Network Port\Driver = "LEXLMPM.DLL" ["Lexmark International, Inc."]


    ———-
    + This report excludes default entries except where indicated.
    + To see *everywhere* the script checks and *everything* it finds,
    launch it from a command prompt or a shortcut with the -all parameter.
    + To search all directories of local fixed drives for DESKTOP.INI
    DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
    use the -supp parameter or answer "No" at the first message box.
    ———- (total run time: 70 seconds, including 7 seconds for message boxes)
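A small triage helper, added here as an example and not part of the thread or of Silent Runners itself: it parses the entry format of the log above and flags the lines a helper would look at first (entries marked INFECTION WARNING!, entries annotated [file not found], anything appended to the Windows XP default BootExecute value, and entries whose file carries no company name). The sample excerpt is constructed from the log posted above; the section and finding structure is my own.

```python
import re
from dataclasses import dataclass, field
from typing import Iterator, List, Tuple

# Windows XP ships BootExecute with exactly these three tokens. Anything appended
# runs at boot before the shell and before most security tools, so it is the
# first thing to check when Silent Runners flags that key.
XP_DEFAULT_BOOTEXECUTE = ["autocheck", "autochk", "*"]

# Constructed excerpt, modelled on the Silent Runners (revision 41) log posted
# above; the entries are copied from that log, the layout is the tool's own.
SAMPLE_LOG = r'''
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"AVG7_CC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"PinnacleDriverCheck" = "C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg" [empty string]

HKLM\System\CurrentControlSet\Control\Session Manager\
INFECTION WARNING! "BootExecute" = "autocheck autochk * SsiEfr.e" [file not found], [MS], [file not found], [file not found]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! WRNotifier\DLLName = "WRLogonNTF.dll" ["Webroot Software, Inc."]
'''

# One entry line: optional warning prefix, value name, " = ", value data plus
# the bracketed annotations Silent Runners appends (company name, [MS], ...).
ENTRY_RE = re.compile(r'^(?P<warn>INFECTION WARNING! )?(?P<name>.+?) = (?P<rest>.*)$')
ANNOT_RE = re.compile(r'\[([^\]]*)\]')


@dataclass
class Finding:
    key: str                     # registry key the entry lives under
    name: str                    # value name as printed by Silent Runners
    value: str                   # value data with the outer quotes removed
    reasons: List[str] = field(default_factory=list)


def parse_entries(text: str) -> Iterator[Tuple[str, str, str, List[str], bool]]:
    """Yield (key, name, value, annotations, warned) for every entry in the log."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(("HKLM\\", "HKCU\\")):
            key = line.split(" {++}")[0]   # drop the "defaults shown too" marker
            continue
        m = ENTRY_RE.match(line)
        if not m or key is None:
            continue
        rest = m.group("rest")
        annots = ANNOT_RE.findall(rest)
        # the value is everything before the first trailing [annotation]
        value = ANNOT_RE.split(rest, maxsplit=1)[0].strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        yield key, m.group("name").strip('"'), value, annots, bool(m.group("warn"))


def triage(text: str) -> List[Finding]:
    """Return the entries an analyst would check first, each with its reasons."""
    findings: List[Finding] = []
    for key, name, value, annots, warned in parse_entries(text):
        reasons = []
        if warned:
            reasons.append("Silent Runners marked it INFECTION WARNING")
        if "file not found" in annots:
            reasons.append("references a file that is no longer on disk")
        if name == "BootExecute":
            tokens = value.split()
            extra = tokens[3:] if tokens[:3] == XP_DEFAULT_BOOTEXECUTE else tokens
            if extra:
                reasons.append("non-default BootExecute entries: " + ", ".join(extra))
        if any(a in ("null data", "empty string") for a in annots):
            reasons.append("no company name in the version info, verify the file by hand")
        if reasons:
            findings.append(Finding(key, name, value, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.key}\n  {f.name} = {f.value}")
        for r in f.reasons:
            print(f"    - {r}")
```

Signed vendor entries such as AVG7_CC and nwiz are left alone; only the three entries with something to explain come out.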
  • I'm afraid you have a rootkit.
    Try this:
    Download UnHackMe: http://www.greatis.com/unhackme.zip
    Unzip and install it.
    Start UnHackMe and click the "Check Me Now" button.

    If a rootkit (hidden trojan) is found, click "Stop" to remove it automatically.
    When UnHackMe is finished, restart the computer.

    Let me know whether anything is found.
  • UnHackMe can't find anything
  • Download F-Secure BlackLight: http://www.f-secure.com/blacklight/try.shtml
    Put it on your desktop.
    Double-click blbeta.exe.
    Click "I accept the agreement".
    Click "Next".
    Click "Scan" and when the program is finished, click "Next".
    If BlackLight finds something, it will show a list of files.
    Don't let it rename anything yet.
    On your desktop there is a file named fsbl.xxxxxxx.log (the x's stand for digits)
    This is the log BlackLight has made. Post it.
  • Nothing found

    log:

    12/18/05 20:38:52 [Info]: BlackLight Engine 1.0.30 initialized
    12/18/05 20:38:52 [Info]: OS: 5.1 build 2600 (Service Pack 2)
    12/18/05 20:38:52 [Note]: 7019 4
    12/18/05 20:38:52 [Note]: 7005 0
    12/18/05 20:38:59 [Note]: 7006 0
    12/18/05 20:38:59 [Note]: 7011 1600
    12/18/05 20:39:00 [Note]: FSRAW library version 1.7.1014
    12/18/05 20:39:55 [Note]: 7007 0
  • Download RootkitRevealer.
    Unzip it and double-click RootkitRevealer.exe
    Let the program do its work.
    When it is finished, go to "File" and choose "Save".
    The RootkitRevealer log is now saved.
    Post the contents of this log.
  • Well, it didn't turn out to be a small log…
    I think I did everything right, but the log has become quite large.
    Too large for the forum, so I put it here: http://zfc-zaandijk.nl/anders/RootkitReveal.txt
  • It looks as if something has attached itself to all your files.

    Try this:
    Open HijackThis. Click the "Open the Misc tools section" button and then click the "Open ADS Spy…" button. Click Scan and when it is finished, save the log (Save log button). Select all the keys found by ADS Spy for removal and let it remove them. Scan a second time with ADS Spy. If anything is still found, let it remove everything again and scan once more. Do this until ADS Spy finds nothing.
  • Ran ADS Spy, it finds nothing at all.
  • Are you still getting the message that mails are being sent?
    Do this as well: http://forum.computertotaal.nl/phpBB/viewtopic.php?p=1061189#1061189
  • Hello M@rc, the scan was run as described in the post you referred to. The log is below.
    We no longer get the message that mails are being sent, but it is still not right. When we open Outlook Express and want to fetch our mail, AVG now reports that it is trying to connect to the server, which it then cannot find. We have two e-mail addresses from different providers, and for both it fails to connect to the POP3 server.
    After starting up, the computer is also 'thinking' for a very long time. That is also the case after every other time the computer is started.
    When we then look at the processes in Windows Task Manager, roughly 90 percent of the CPU is in use for non-active system processes. I have no idea whether this is related to our problem.

    Here is the log:


    /————————————————————–\
    | Trend Micro Sysclean Package |
    | Copyright 2002, Trend Micro, Inc. |
    | http://www.trendmicro.com |
    \————————————————————–/


    2005-12-19, 15:51:57, Auto-clean mode specified.
    2005-12-19, 15:51:57, Running scanner "C:\Documents and Settings\De Wit\Bureaublad\sysclean\TSC.BIN"…
    2005-12-19, 15:55:01, Scanner "C:\Documents and Settings\De Wit\Bureaublad\sysclean\TSC.BIN" has finished running.
    2005-12-19, 15:55:01, TSC Log:

    Damage Cleanup Engine (DCE) 3.9(Build 1020)
    Windows XP(Build 2600: Service Pack 2)

    Start time : ma dec 19 2005 15:51:57

    Load Damage Cleanup Template (DCT) "C:\Documents and Settings\De Wit\Bureaublad\sysclean\tsc.ptn" (version 688) [success]

    Complete time : ma dec 19 2005 15:55:01
    Execute pattern count(4590), Virus found count(0), Virus clean count(0), Clean failed count(0)

    2005-12-19, 16:34:40, Could not set file for reading on "C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp": Toegang geweigerd.
    2005-12-19, 16:46:24, An error occurred while scanning file "C:\Documents and Settings\De Wit\NTUSER.DAT": Toegang geweigerd.
    2005-12-19, 16:46:24, An error occurred while scanning file "C:\Documents and Settings\De Wit\ntuser.dat.LOG": Toegang geweigerd.
    2005-12-19, 17:33:02, An error occurred while scanning file "C:\Documents and Settings\De Wit\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat": Toegang geweigerd.
    2005-12-19, 17:33:02, An error occurred while scanning file "C:\Documents and Settings\De Wit\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG": Toegang geweigerd.
    2005-12-19, 18:24:31, An error occurred while scanning file "C:\Documents and Settings\NetworkService\NTUSER.DAT": Toegang geweigerd.
    2005-12-19, 18:24:31, An error occurred while scanning file "C:\Documents and Settings\NetworkService\ntuser.dat.LOG": Toegang geweigerd.
    2005-12-19, 18:24:31, An error occurred while scanning file "C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat": Toegang geweigerd.
    2005-12-19, 18:24:31, An error occurred while scanning file "C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG": Toegang geweigerd.
    2005-12-19, 19:50:02, Could not set file for reading on "C:\Program Files\Webroot\Spy Sweeper\Quarantine\cx3sa[1].ssq": Toegang geweigerd.
    2005-12-19, 19:51:35, An error was detected on "C:\System Volume Information\*.*": Toegang geweigerd.
    2005-12-19, 19:59:55, Could not set file for reading on "C:\WINDOWS\Prefetch\RUNDLL32.EXE-12E27DD0.pf": Toegang geweigerd.
    2005-12-19, 19:59:55, Could not set file for reading on "C:\WINDOWS\Prefetch\RUNDLL32.EXE-132038E1.pf": Toegang geweigerd.
    2005-12-19, 19:59:55, Could not set file for reading on "C:\WINDOWS\Prefetch\RUNDLL32.EXE-13503E51.pf": Toegang geweigerd.
    2005-12-19, 19:59:55, Could not set file for reading on "C:\WINDOWS\Prefetch\RUNDLL32.EXE-14F3136F.pf": Toegang geweigerd.
    2005-12-19, 19:59:55, Could not set file for reading on "C:\WINDOWS\Prefetch\RUNDLL32.EXE-18FA5081.pf": Toegang geweigerd.
    2005-12-19, 19:59:55, Could not set file for reading on "C:\WINDOWS\Prefetch\RUNDLL32.EXE-193066A2.pf": Toegang geweigerd.
    2005-12-19, 19:59:55, Could not set file for reading on "C:\WINDOWS\Prefetch\RUNDLL32.EXE-197DC677.pf": Toegang geweigerd.
    2005-12-19, 19:59:55, Could not set file for reading on "C:\WINDOWS\Prefetch\RUNDLL32.EXE-1C2CBBF3.pf": Toegang geweigerd.
    2005-12-19, 19:59:55, Could not set file for reading on "C:\WINDOWS\Prefetch\RUNDLL32.EXE-1E743BB3.pf": Toegang geweigerd.
    2005-12-19, 19:59:55, Could not set file for reading on "C:\WINDOWS\Prefetch\RUNDLL32.EXE-1EDA2CF6.pf": Toegang geweigerd.
    2005-12-19, 19:59:55, Could not set file for reading on "C:\WINDOWS\Prefetch\RUNDLL32.EXE-201C3196.pf": Toegang geweigerd.
    2005-12-19, 19:59:55, Could not set file for reading on "C:\WINDOWS\Prefetch\RUNDLL32.EXE-23083AE6.pf": Toegang geweigerd.
    2005-12-19, 19:59:55, Could not set file for reading on "C:\WINDOWS\Prefetch\RUNDLL32.EXE-241163D8.pf": Toegang geweigerd.
    2005-12-19, 19:59:55, Could not set file for reading on "C:\WINDOWS\Prefetch\RUNDLL32.EXE-24DBE541.pf": Toegang geweigerd.
    2005-12-19, 19:59:55, Could not set file for reading on "C:\WINDOWS\Prefetch\RUNDLL32.EXE-268BFF96.pf": Toegang geweigerd.
    2005-12-19, 19:59:55, Could not set file for reading on "C:\WINDOWS\Prefetch\RUNDLL32.EXE-291868A7.pf": Toegang geweigerd.
    2005-12-19, 19:59:55, Could not set file for reading on "C:\WINDOWS\Prefetch\RUNDLL32.EXE-2A94BB85.pf": Toegang geweigerd.
    2005-12-19, 19:59:55, Could not set file for reading on "C:\WINDOWS\Prefetch\RUNDLL32.EXE-2DCEDB30.pf": Toegang geweigerd.
    2005-12-19, 19:59:55, Could not set file for reading on "C:\WINDOWS\Prefetch\RUNDLL32.EXE-2E5AF1D7.pf": Toegang geweigerd.
    2005-12-19, 19:59:55, Could not set file for reading on "C:\WINDOWS\Prefetch\RUNDLL32.EXE-2E63B614.pf": Toegang geweigerd.
    2005-12-19, 19:59:55, Could not set file for reading on "C:\WINDOWS\Prefetch\RUNDLL32.EXE-2EF1189C.pf": Toegang geweigerd.
    2005-12-19, 19:59:55, Could not set file for reading on "C:\WINDOWS\Prefetch\RUNDLL32.EXE-3262DA63.pf": Toegang geweigerd.
    2005-12-19, 19:59:55, Could not set file for reading on "C:\WINDOWS\Prefetch\RUNDLL32.EXE-33A78B25.pf": Toegang geweigerd.
    2005-12-19, 19:59:55, Could not set file for reading on "C:\WINDOWS\Prefetch\RUNDLL32.EXE-39B7B8E6.pf": Toegang geweigerd.
    2005-12-19, 19:59:55, Could not set file for reading on "C:\WINDOWS\Prefetch\RUNDLL32.EXE-3E4BB819.pf": Toegang geweigerd.
    2005-12-19, 19:59:55, Could not set file for reading on "C:\WINDOWS\Prefetch\RUNDLL32.EXE-438F8D2A.pf": Toegang geweigerd.
    2005-12-19, 19:59:55, Could not set file for reading on "C:\WINDOWS\Prefetch\RUNDLL32.EXE-43970586.pf": Toegang geweigerd.
    2005-12-19, 19:59:55, Could not set file for reading on "C:\WINDOWS\Prefetch\RUNDLL32.EXE-451FC2C0.pf": Toegang geweigerd.
    2005-12-19, 19:59:55, Could not set file for reading on "C:\WINDOWS\Prefetch\RUNDLL32.EXE-48DADA97.pf": Toegang geweigerd.
    2005-12-19, 19:59:55, Could not set file for reading on "C:\WINDOWS\Prefetch\RUNDLL32.EXE-4957EBA5.pf": Toegang geweigerd.
    2005-12-19, 19:59:55, Could not set file for reading on "C:\WINDOWS\Prefetch\SETUP.EXE-0781A665.pf": Toegang geweigerd.
    2005-12-19, 19:59:55, Could not set file for reading on "C:\WINDOWS\Prefetch\SETUP.EXE-0F40F254.pf": Toegang geweigerd.
    2005-12-19, 19:59:55, Could not set file for reading on "C:\WINDOWS\Prefetch\SETUP.EXE-279EF08B.pf": Toegang geweigerd.
    2005-12-19, 19:59:55, Could not set file for reading on "C:\WINDOWS\Prefetch\SOL.EXE-1C0C14EB.pf": Toegang geweigerd.
    2005-12-19, 19:59:55, Could not set file for reading on "C:\WINDOWS\Prefetch\SPLASH.EXE-06215C03.pf": Toegang geweigerd.
    2005-12-19, 19:59:55, Could not set file for reading on "C:\WINDOWS\Prefetch\SPYBOTSD.EXE-1344276B.pf": Toegang geweigerd.
    2005-12-19, 19:59:55, Could not set file for reading on "C:\WINDOWS\Prefetch\SPYSWEEPER.EXE-15D18B6A.pf": Toegang geweigerd.
    2005-12-19, 19:59:55, Could not set file for reading on "C:\WINDOWS\Prefetch\SPYWAREBLASTER.EXE-20CF1E62.pf": Toegang geweigerd.
    2005-12-19, 19:59:55, Could not set file for reading on "C:\WINDOWS\Prefetch\SWDOCTOR.EXE-3205F7BD.pf": Toegang geweigerd.
    2005-12-19, 19:59:55, Could not set file for reading on "C:\WINDOWS\Prefetch\SWKOTOR2.EXE-27BE031F.pf": Toegang geweigerd.
    2005-12-19, 19:59:55, Could not set file for reading on "C:\WINDOWS\Prefetch\TASKMGR.EXE-20256C55.pf": Toegang geweigerd.
    2005-12-19, 19:59:55, Could not set file for reading on "C:\WINDOWS\Prefetch\TEAMSPEAK.EXE-3A2528B1.pf": Toegang geweigerd.
    2005-12-19, 19:59:55, Could not set file for reading on "C:\WINDOWS\Prefetch\UPDATE.EXE-3076CD0A.pf": Toegang geweigerd.
    2005-12-19, 19:59:55, Could not set file for reading on "C:\WINDOWS\Prefetch\WINWORD.EXE-10D55173.pf": Toegang geweigerd.
    2005-12-19, 19:59:55, Could not set file for reading on "C:\WINDOWS\Prefetch\WMAD.EXE-300A8CDF.pf": Toegang geweigerd.
    2005-12-19, 19:59:55, Could not set file for reading on "C:\WINDOWS\Prefetch\WMIADAP.EXE-2DF425B2.pf": Toegang geweigerd.
    2005-12-19, 19:59:55, Could not set file for reading on "C:\WINDOWS\Prefetch\WMIAPSRV.EXE-1E2270A5.pf": Toegang geweigerd.
    2005-12-19, 19:59:55, Could not set file for reading on "C:\WINDOWS\Prefetch\WMINF.EXE-18504990.pf": Toegang geweigerd.
    2005-12-19, 19:59:55, Could not set file for reading on "C:\WINDOWS\Prefetch\WMIPRVSE.EXE-28F301A9.pf": Toegang geweigerd.
    2005-12-19, 19:59:55, Could not set file for reading on "C:\WINDOWS\Prefetch\WMPLAYER.EXE-18DDEF9D.pf": Toegang geweigerd.
    2005-12-19, 19:59:55, Could not set file for reading on "C:\WINDOWS\Prefetch\WMPLAYER.EXE-18DDEFA2.pf": Toegang geweigerd.
    2005-12-19, 19:59:55, Could not set file for reading on "C:\WINDOWS\Prefetch\WMPLAYER.EXE-18DDEFA3.pf": Toegang geweigerd.
    2005-12-19, 19:59:55, Could not set file for reading on "C:\WINDOWS\Prefetch\WMPLAYER.EXE-18DDEFA5.pf": Toegang geweigerd.
    2005-12-19, 19:59:55, Could not set file for reading on "C:\WINDOWS\Prefetch\WMPLAYER.EXE-18DDEFA6.pf": Toegang geweigerd.
    2005-12-19, 19:59:55, Could not set file for reading on "C:\WINDOWS\Prefetch\WRSSSDK.EXE-053DAB7A.pf": Toegang geweigerd.
    2005-12-19, 19:59:55, Could not set file for reading on "C:\WINDOWS\Prefetch\WUAUCLT.EXE-399A8E72.pf": Toegang geweigerd.
    2005-12-19, 19:59:55, Could not set file for reading on "C:\WINDOWS\Prefetch\_WMANSCP.EXE-01383E00.pf": Toegang geweigerd.
    2005-12-19, 20:04:18, An error occurred while scanning file "C:\WINDOWS\system32\config\default": Toegang geweigerd.
    2005-12-19, 20:04:18, An error occurred while scanning file "C:\WINDOWS\system32\config\default.LOG": Toegang geweigerd.
    2005-12-19, 20:04:18, An error occurred while scanning file "C:\WINDOWS\system32\config\SAM": Toegang geweigerd.
    2005-12-19, 20:04:18, An error occurred while scanning file "C:\WINDOWS\system32\config\SAM.LOG": Toegang geweigerd.
    2005-12-19, 20:04:18, An error occurred while scanning file "C:\WINDOWS\system32\config\SECURITY": Toegang geweigerd.
    2005-12-19, 20:04:18, An error occurred while scanning file "C:\WINDOWS\system32\config\SECURITY.LOG": Toegang geweigerd.
    2005-12-19, 20:04:18, An error occurred while scanning file "C:\WINDOWS\system32\config\software": Toegang geweigerd.
    2005-12-19, 20:04:18, An error occurred while scanning file "C:\WINDOWS\system32\config\software.LOG": Toegang geweigerd.
    2005-12-19, 20:04:18, An error occurred while scanning file "C:\WINDOWS\system32\config\system": Toegang geweigerd.
    2005-12-19, 20:04:18, An error occurred while scanning file "C:\WINDOWS\system32\config\system.LOG": Toegang geweigerd.
    2005-12-19, 20:06:49, Running scanner "C:\Documents and Settings\De Wit\Bureaublad\sysclean\VSCANTM.BIN"…
    2005-12-19, 21:36:33, Files Detected:
    Copyright © 1990 - 2004 Trend Micro Inc.
    Report Date : 12/19/2005 20:06:49
    VSAPI Engine Version : 7.510-1002
    VSCANTM Version : 1.1-1001
    Virus Pattern Version : 113 (116074 Patterns) (2005/12/18) (311300)
    Command Line: C:\Documents and Settings\De Wit\Bureaublad\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Documents and Settings\De Wit\Bureaublad\sysclean

    179517 files have been read.
    179517 files have been checked.
    164548 files have been scanned.
    310328 files have been scanned. (including files in archived)
    0 files containing viruses.
    Found 0 viruses totally.
    Maybe 0 viruses totally.
    Stop At : 12/19/2005 21:36:33
    ———*———*———*———*———*———*———*———*
    2005-12-19, 21:36:33, Files Clean:
    Copyright © 1990 - 2004 Trend Micro Inc.
    Report Date : 12/19/2005 20:06:49
    VSAPI Engine Version : 7.510-1002
    VSCANTM Version : 1.1-1001
    Virus Pattern Version : 113 (116074 Patterns) (2005/12/18) (311300)
    Command Line: C:\Documents and Settings\De Wit\Bureaublad\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Documents and Settings\De Wit\Bureaublad\sysclean

    179517 files have been read.
    179517 files have been checked.
    164548 files have been scanned.
    310328 files have been scanned. (including files in archived)
    0 files containing viruses.
    Found 0 viruses totally.
    Maybe 0 viruses totally.
    Stop At : 12/19/2005 21:36:33 1 hour 29 minutes 38 seconds (5377.80 seconds) has elapsed.

    ———*———*———*———*———*———*———*———*
    2005-12-19, 21:36:33, Clean Fail:
    Copyright © 1990 - 2004 Trend Micro Inc.
    Report Date : 12/19/2005 20:06:49
    VSAPI Engine Version : 7.510-1002
    VSCANTM Version : 1.1-1001
    Virus Pattern Version : 113 (116074 Patterns) (2005/12/18) (311300)
    Command Line: C:\Documents and Settings\De Wit\Bureaublad\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Documents and Settings\De Wit\Bureaublad\sysclean

    179517 files have been read.
    179517 files have been checked.
    164548 files have been scanned.
    310328 files have been scanned. (including files in archived)
    0 files containing viruses.
    Found 0 viruses totally.
    Maybe 0 viruses totally.
    Stop At : 12/19/2005 21:36:33 1 hour 29 minutes 38 seconds (5377.80 seconds) has elapsed.

    ———*———*———*———*———*———*———*———*
    2005-12-19, 21:36:33, Scanner "C:\Documents and Settings\De Wit\Bureaublad\sysclean\VSCANTM.BIN" has finished running.
    2005-12-19, 23:21:39, An error was detected on "D:\System Volume Information\*.*": Toegang geweigerd.
    2005-12-19, 23:22:36, Running scanner "C:\Documents and Settings\De Wit\Bureaublad\sysclean\VSCANTM.BIN"…
    2005-12-19, 23:48:00, Files Detected:
    Copyright © 1990 - 2004 Trend Micro Inc.
    Report Date : 12/19/2005 23:22:37
    VSAPI Engine Version : 7.510-1002
    VSCANTM Version : 1.1-1001
    Virus Pattern Version : 113 (116074 Patterns) (2005/12/18) (311300)
    Command Line: C:\Documents and Settings\De Wit\Bureaublad\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 D:\*.* /P=C:\Documents and Settings\De Wit\Bureaublad\sysclean

    57025 files have been read.
    57025 files have been checked.
    49788 files have been scanned.
    56775 files have been scanned. (including files in archived)
    0 files containing viruses.
    Found 0 viruses totally.
    Maybe 0 viruses totally.
    Stop At : 12/19/2005 23:48:00
    ———*———*———*———*———*———*———*———*
    2005-12-19, 23:48:00, Files Clean:
    Copyright © 1990 - 2004 Trend Micro Inc.
    Report Date : 12/19/2005 23:22:37
    VSAPI Engine Version : 7.510-1002
    VSCANTM Version : 1.1-1001
    Virus Pattern Version : 113 (116074 Patterns) (2005/12/18) (311300)
    Command Line: C:\Documents and Settings\De Wit\Bureaublad\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 D:\*.* /P=C:\Documents and Settings\De Wit\Bureaublad\sysclean

    57025 files have been read.
    57025 files have been checked.
    49788 files have been scanned.
    56775 files have been scanned. (including files in archived)
    0 files containing viruses.
    Found 0 viruses totally.
    Maybe 0 viruses totally.
    Stop At : 12/19/2005 23:48:00 25 minutes 18 seconds (1518.33 seconds) has elapsed.

    ———*———*———*———*———*———*———*———*
    2005-12-19, 23:48:00, Clean Fail:
    Copyright © 1990 - 2004 Trend Micro Inc.
    Report Date : 12/19/2005 23:22:37
    VSAPI Engine Version : 7.510-1002
    VSCANTM Version : 1.1-1001
    Virus Pattern Version : 113 (116074 Patterns) (2005/12/18) (311300)
    Command Line: C:\Documents and Settings\De Wit\Bureaublad\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 D:\*.* /P=C:\Documents and Settings\De Wit\Bureaublad\sysclean

    57025 files have been read.
    57025 files have been checked.
    49788 files have been scanned.
    56775 files have been scanned. (including files in archived)
    0 files containing viruses.
    Found 0 viruses totally.
    Maybe 0 viruses totally.
    Stop At : 12/19/2005 23:48:00 25 minutes 18 seconds (1518.33 seconds) has elapsed.

    ———*———*———*———*———*———*———*———*
    2005-12-19, 23:48:00, Scanner "C:\Documents and Settings\De Wit\Bureaublad\sysclean\VSCANTM.BIN" has finished running.
  • In the meantime I've had a bit more time to switch the computer on and watch what happens.
    After a while (20-30 minutes), without opening Outlook Express, the notification that e-mails are being sent appears again…
  • Just picked something at random from your log:
    Can you find this file?
    D:\Brandweer\brandweer\FIREBOY.jpg
    (there's nothing wrong with it, but do let me know)

    I was thinking of ADS on your system, but the cause is apparently Kaspersky….. So that seems fine too.

    Can you have Kaspersky do a scan in Safe Mode?
    (do update it fully first)
  • Had Kaspersky scan in Safe Mode… nothing found.
    The little file fireboy.jpg is, by the way, a picture of a little fireman.
    After the scan it again reports that messages are being sent.

    And if we delete everything on C: and reinstall Windows and the whole lot, is there a chance that the culprit behind our problem will be gone as well?
    And would it be possible for the culprit to hitch a ride on backup files of, say, documents and videos?

    Or are there other things we can try to get rid of the wretched thing?
  • This morning at startup the little program UnHackMe spontaneously popped up with the notification that a suspected trojan had been found (AFX2005 or FU rootkit).
    We had UnHackMe remove it, but the problem remains.

This is an archived page. Replying is no longer possible.