Question & Answer
Message from Google that I have spyware or a virus
43 answers
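Before the thread itself, an added example that is not part of any post below and is not code from HijackThis, ComboFix or any participant: a small Python triage script that applies, mechanically, the checks the helpers in this thread apply by eye to the HijackThis logs posted here. It flags an O2 BHO whose DLL is gone, O4 autoruns that are a bare file name or live outside Windows/Program Files, a Global Startup shortcut whose target is unresolved, an O16 ActiveX control fetched from a non-Microsoft host, and an O23 service with no vendor name. The sample log is constructed from lines taken from the logs in this thread; the trusted-host list and the standard-directory list are assumptions made for this example, and its output is a list of entries to review, not a verdict.

```python
"""Triage a HijackThis (HJT) log for the entry types the helpers in this thread act on.

Added example: not code from HijackThis, ComboFix or any participant in the thread.
The trusted-host and standard-directory lists are assumptions made for this example.
"""
import re
from urllib.parse import urlparse

# Assumption: hosts an O16 (Downloaded Program Files / ActiveX) entry is expected from on a stock XP box.
TRUSTED_DPF_HOSTS = ("microsoft.com", "windowsupdate.com")
# Assumption: directories under which an O4 autorun binary is normally installed.
STANDARD_DIRS = ("C:\\WINDOWS\\", "C:\\PROGRAM FILES\\")

# Constructed sample: lines copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [muBlinder] D:\muBlinder\muBlinder.exe -startup
O4 - Global Startup: hpoddt01.exe.lnk = ?
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1181470017187
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://www.chat-united.com/controls/msnchat45.cab
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<key>[^:]+): (?:\[(?P<name>[^\]]+)\] (?P<cmd>.*)|(?P<lnk>.+?) = (?P<target>.*))$")
O16_RE = re.compile(r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\}) \((?P<name>[^)]*)\) - (?P<url>\S+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


def trusted_host(host):
    """True if host is a trusted DPF domain or a subdomain of one (no 'evilmicrosoft.com' suffix tricks)."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DPF_HOSTS)


def executable_of(cmd):
    """Return the program a Run-key command actually launches."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                      # quoted long path, arguments follow
        return cmd[1:cmd.find('"', 1)]
    tokens = cmd.split()
    if not tokens:
        return ""
    # rundll32 is only a host; the DLL named in its first argument is what must be verified.
    if tokens[0].upper() == "RUNDLL32.EXE" and len(tokens) > 1:
        return tokens[1].split(",")[0]
    return tokens[0]


def check_line(line):
    """Return (severity, reason) for one HJT line, or None if the rules have nothing to say."""
    m = O2_RE.match(line)
    if m:
        if m.group("path") == "(no file)":
            return ("fix", "BHO registered but its DLL is gone (orphaned entry, safe to remove)")
        return ("review", "browser helper object loaded into every IE process: " + m.group("path"))
    m = O4_RE.match(line)
    if m:
        if m.group("lnk") is not None:           # Global Startup shortcut
            if m.group("target") == "?":
                return ("review", "startup shortcut whose target could not be resolved")
            exe = m.group("target")
        else:                                    # Run key
            exe = executable_of(m.group("cmd"))
        if "\\" not in exe:
            return ("review", "autorun with a bare name (%s): resolved through PATH at logon, check which file wins" % exe)
        if not exe.upper().startswith(STANDARD_DIRS):
            return ("review", "autorun outside Windows/Program Files: " + exe)
        return None
    m = O16_RE.match(line)
    if m:
        host = urlparse(m.group("url")).hostname or ""
        if not trusted_host(host):
            return ("review", "ActiveX control installed from third-party host " + host)
        return None
    m = O23_RE.match(line)
    if m and m.group("owner") == "Unknown owner":
        return ("review", "service with no vendor name: " + m.group("path"))
    return None


def triage(log_text):
    """Run every line through check_line; return [(line, severity, reason), ...] in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        hit = check_line(line)
        if hit:
            findings.append((line, hit[0], hit[1]))
    return findings


if __name__ == "__main__":
    for line, severity, reason in triage(SAMPLE_LOG):
        print("%-6s %s\n       %s" % (severity.upper(), line, reason))
```

Run over a complete log, the script returns six hits for the sample above and stays silent on the NOD32 and NVIDIA entries. A "review" hit on a Realtek autorun such as ALCMTR.EXE is expected noise rather than a detection: a bare name is resolved through the PATH at logon, so the rule exists to make you confirm on disk which file actually runs. Only the orphaned O2 entry is marked "fix", because a registration whose DLL no longer exists cannot load anything and is the one item that is safe to remove without further investigation.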
- OK,
Here is the log:
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 14:52:39, on 14-6-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijack This\hijackthis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [muBlinder] D:\muBlinder\muBlinder.exe -startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Netwerkservice')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1181470017187
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://www.chat-united.com/controls/msnchat45.cab
O22 - SharedTaskScheduler: Preloader van browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Cache-daemon voor onderdeelcategorieën - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
--
End of file - 3348 bytes
The only thing in here that I have never come across before is the last line, but according to Google it is trusted.
Regards,
Roelof
- Well, I'm missing the O2 and O20 lines in your log. That normally points to a Vundo infection.
But those should be visible because you're running the beta version of HJT. So that's not it.
Please do the following.
Download win32delfkil.exe.
Save it to your desktop and double-click win32delfkil.exe to install it.
A folder named win32delfkil will be placed on your desktop.
Close all open windows and any files that are open.
Open the win32delfkil folder and double-click fix.bat.
The computer will restart.
Once the computer has restarted, look for the file c:\windelf.txt.
Post the contents of this file.
- Hi, remove all the tools I offered earlier and then reboot.
Then please do the following.
Download Combofix to your desktop.
Double-click Combofix.exe
Follow the instructions and accept the disclaimer by typing 1 (continue).
While the fix is running, do NOT click in the window, because that will make your PC hang.
When the fix is complete and after the reboot, the log combofix.txt will open.
Post this log in your next reply together with a new HijackThis log.
Note: if your virus scanner reacts with a warning about a script being executed, you can ignore it.
- Hi,
Here is the ComboFix log for now:
ComboFix 07-06-13.3 - CScript error: Access to Windows Script Host is disabled on this computer. Contact your administrator for details.
"Roelof" - 2007-06-15 12:43:28 - Service Pack 2 NTFS
((((((((((((((((((((((((( Files Created from 2007-05-15 to 2007-06-15 )))))))))))))))))))))))))))))))
2007-06-15 12:31 <DIR> dr-h----- C:\DOCUME~1\Roelof\Onlangs geopend
2007-06-13 21:05 <DIR> d-------- C:\DOCUME~1\Roelof\DoctorWeb
2007-06-13 21:04 <DIR> d-------- C:\WINDOWS\CSC
2007-06-13 14:06 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-13 13:25 <DIR> d-------- C:\Program Files\Hijack This
2007-06-12 14:29 0 --a------ C:\WINDOWS\nsreg.dat
2007-06-12 11:27 <DIR> d-------- C:\Program Files\Microsoft Visual Studio 8
2007-06-12 11:27 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Microsoft Help
2007-06-11 18:56 <DIR> d-------- C:\Program Files\FileZilla
2007-06-11 16:42 <DIR> d-------- C:\DOCUME~1\Roelof\APPLIC~1\Jasc
2007-06-11 12:08 <DIR> d-------- C:\DOCUME~1\Roelof\Contacts
2007-06-11 12:07 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-06-11 12:07 <DIR> d-------- C:\Program Files\MSN Messenger
2007-06-11 11:41 <DIR> d-------- C:\PluginCommanderLight
2007-06-10 21:53 <DIR> d-------- C:\Program Files\Lavasoft
2007-06-10 21:53 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-06-10 21:53 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-06-10 20:17 <DIR> d-------- C:\Program Files\Jasc Software Inc
2007-06-10 20:17 <DIR> d-------- C:\Program Files\Common Files\SWF Studio
2007-06-10 20:17 <DIR> d-------- C:\DOCUME~1\Roelof\APPLIC~1\Jasc Software Inc
2007-06-10 19:47 <DIR> d-------- C:\Program Files\FTDv3.7.3
2007-06-10 19:34 <DIR> d-------- C:\Program Files\NewsLeecher
2007-06-10 19:34 <DIR> d-------- C:\DOCUME~1\Roelof\Downloads
2007-06-10 19:34 <DIR> d-------- C:\DOCUME~1\Roelof\APPLIC~1\NewsLeecher
2007-06-10 19:04 <DIR> d-------- C:\WINDOWS\system32\Lang
2007-06-10 16:18 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-06-10 16:13 17,920 --a------ C:\WINDOWS\system32\mdimon.dll
2007-06-10 16:12 <DIR> d-------- C:\WINDOWS\SHELLNEW
2007-06-10 16:12 <DIR> d-------- C:\Program Files\Microsoft.NET
2007-06-10 16:09 <DIR> dr-h----- C:\MSOCache
2007-06-10 15:58 502,368 --a------ C:\WINDOWS\system32\drivers\amon.sys
2007-06-10 15:58 270,336 --a------ C:\WINDOWS\system32\imon.dll
2007-06-10 15:52 157,184 -r------- C:\WINDOWS\system32\RtlCPAPI.dll
2007-06-10 15:51 69,632 -r------- C:\WINDOWS\Alcmtr.exe
2007-06-10 15:42 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2007-06-10 15:40 19,558 --a------ C:\WINDOWS\hpoins01.dat
2007-06-10 15:40 16,606 --------- C:\WINDOWS\hpomdl01.dat
2007-06-10 15:35 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2007-06-10 15:25 <DIR> d-------- C:\Program Files\Hewlett-Packard
2007-06-10 15:25 <DIR> d-------- C:\Program Files\Common Files\Hewlett-Packard
2007-06-10 15:24 <DIR> d-------- C:\temp\HP All-in-One Series Web Release
2007-06-10 15:24 <DIR> d-------- C:\temp
2007-06-10 15:09 <DIR> d-------- C:\DOCUME~1\Roelof\APPLIC~1\Corel
2007-06-10 15:08 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Corel
2007-06-10 15:07 88 -r-hs---- C:\WINDOWS\system32\6C0F48D5B7.sys
2007-06-10 15:07 2,516 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2007-06-10 15:07 <DIR> d-------- C:\Program Files\Corel
2007-06-10 15:03 <DIR> d-------- C:\DOCUME~1\Roelof\APPLIC~1\WinRAR
2007-06-10 14:49 40,960 -r------- C:\WINDOWS\system32\ChCfg.exe
2007-06-10 14:49 <DIR> d-------- C:\WINDOWS\system32\RTCOM
2007-06-10 14:48 9,710,592 -r------- C:\WINDOWS\RTLCPL.exe
2007-06-10 14:48 86,016 -r------- C:\WINDOWS\SoundMan.exe
2007-06-10 14:48 82,944 --a------ C:\WINDOWS\system32\drivers\wdmaud.sys
2007-06-10 14:48 7,552 --a------ C:\WINDOWS\system32\drivers\MSKSSRV.sys
2007-06-10 14:48 60,800 --a------ C:\WINDOWS\system32\drivers\sysaudio.sys
2007-06-10 14:48 60,288 --a------ C:\WINDOWS\system32\drivers\drmk.sys
2007-06-10 14:48 6,400 --a------ C:\WINDOWS\system32\drivers\splitter.sys
2007-06-10 14:48 54,272 --a------ C:\WINDOWS\system32\drivers\swmidi.sys
2007-06-10 14:48 52,864 --a------ C:\WINDOWS\system32\drivers\DMusic.sys
2007-06-10 14:48 5,376 --a------ C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2007-06-10 14:48 487,424 -r------- C:\WINDOWS\RtlExUpd.dll
2007-06-10 14:48 4,992 --a------ C:\WINDOWS\system32\drivers\MSPQM.sys
2007-06-10 14:48 4,096 --a------ C:\WINDOWS\system32\ksuser.dll
2007-06-10 14:48 356,352 -r------- C:\WINDOWS\RtlUpd.exe
2007-06-10 14:48 3,966,976 -r------- C:\WINDOWS\system32\drivers\RtkHDAud.Sys
2007-06-10 14:48 2,944 --a------ C:\WINDOWS\system32\drivers\drmkaud.sys
2007-06-10 14:48 2,807,808 -r------- C:\WINDOWS\alcwzrd.exe
2007-06-10 14:48 2,142,208 -r------- C:\WINDOWS\MicCal.exe
2007-06-10 14:48 172,416 --a------ C:\WINDOWS\system32\drivers\kmixer.sys
2007-06-10 14:48 142,464 --a------ C:\WINDOWS\system32\drivers\aec.sys
2007-06-10 14:48 14,854,144 -r------- C:\WINDOWS\RTHDCPL.exe
2007-06-10 14:48 <DIR> d-------- C:\Program Files\Realtek
2007-06-10 14:21 <DIR> d-------- C:\Program Files\xp-AntiSpy
2007-06-10 14:17 70,144 -ra------ C:\WINDOWS\system32\drivers\Rtlnicxp.sys
2007-06-10 14:16 <DIR> d-------- C:\WINDOWS\system32\URTTEMP
2007-06-10 14:15 36,352 -ra------ C:\WINDOWS\system32\drivers\AmdK8.sys
2007-06-10 14:15 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2007-06-10 14:15 <DIR> d-------- C:\Program Files\ATI Technologies
2007-06-10 14:07 208,896 --a------ C:\WINDOWS\system32\nvudisp.exe
2007-06-10 14:07 <DIR> d-------- C:\WINDOWS\nview
2007-06-10 14:06 208,896 --a------ C:\WINDOWS\system32\NVUNINST.EXE
2007-06-10 14:06 <DIR> d-------- C:\Program Files\Common Files\InstallShield
2007-06-10 14:06 <DIR> d-------- C:\NVIDIA
2007-06-10 14:01 <DIR> d--hs---- C:\RECYCLER
2007-06-10 13:33 57,856 --a------ C:\WINDOWS\system32\drivers\redbook.sys
2007-06-10 13:33 3,072 --a------ C:\WINDOWS\system32\drivers\audstub.sys
2007-06-10 13:33 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2007-06-10 13:32 6,400 --a------ C:\WINDOWS\system32\drivers\enum1394.sys
2007-06-10 13:32 20,992 --a------ C:\WINDOWS\system32\drivers\rtl8139.sys
2007-06-10 13:31 76,288 --a------ C:\WINDOWS\system32\usbui.dll
2007-06-10 13:31 6,144 -ra------ C:\WINDOWS\system32\kbdtuq.dll
2007-06-10 13:31 6,144 -ra------ C:\WINDOWS\system32\kbdtuf.dll
2007-06-10 13:31 5,632 -ra------ C:\WINDOWS\system32\kbdazel.dll
2007-06-10 13:31 <DIR> dr------- C:\Program Files
2007-06-10 13:31 <DIR> d-------- C:\Program Files\Common Files\SpeechEngines
2007-06-10 13:31 <DIR> d-------- C:\Program Files\Common Files\ODBC
2007-06-10 13:30 9,936 --a------ C:\WINDOWS\system\LZEXPAND.DLL
2007-06-10 13:30 9,040 --a------ C:\WINDOWS\system\VER.DLL
2007-06-10 13:30 86,556 --a------ C:\WINDOWS\system32\dgsetup.dll
2007-06-10 13:30 82,944 --a------ C:\WINDOWS\system\OLECLI.DLL
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-06-10 14:17:16 81,436 ----a-w C:\WINDOWS\system32\perfc013.dat
2007-06-10 14:17:16 465,586 ----a-w C:\WINDOWS\system32\perfh013.dat
2007-04-25 14:22:52 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-19 11:26:00 888,832 ----a-w C:\WINDOWS\system32\nvmobls.dll
2007-04-19 11:26:00 86,016 ----a-w C:\WINDOWS\system32\nvmctray.dll
2007-04-19 11:26:00 81,920 ----a-w C:\WINDOWS\system32\nvwddi.dll
2007-04-19 11:26:00 794,624 ----a-w C:\WINDOWS\system32\nvcplui.exe
2007-04-19 11:26:00 7,700,480 ----a-w C:\WINDOWS\system32\nvcpl.dll
2007-04-19 11:26:00 581,632 ----a-w C:\WINDOWS\system32\nvhwvid.dll
2007-04-19 11:26:00 5,644,288 ----a-w C:\WINDOWS\system32\nvoglnt.dll
2007-04-19 11:26:00 5,619,712 ----a-w C:\WINDOWS\system32\nvdisps.dll
2007-04-19 11:26:00 466,944 ----a-w C:\WINDOWS\system32\nvshell.dll
2007-04-19 11:26:00 45,056 ----a-w C:\WINDOWS\system32\nvmccsrs.dll
2007-04-19 11:26:00 442,368 ----a-w C:\WINDOWS\system32\nvappbar.exe
2007-04-19 11:26:00 425,984 ----a-w C:\WINDOWS\system32\keystone.exe
2007-04-19 11:26:00 4,543,616 ----a-w C:\WINDOWS\system32\nv4_disp.dll
2007-04-19 11:26:00 35,840 ----a-w C:\WINDOWS\system32\nvcodins.dll
2007-04-19 11:26:00 35,840 ----a-w C:\WINDOWS\system32\nvcod.dll
2007-04-19 11:26:00 311,296 ----a-w C:\WINDOWS\system32\nvexpbar.dll
2007-04-19 11:26:00 3,988,384 ----a-w C:\WINDOWS\system32\drivers\nv4_mini.sys
2007-04-19 11:26:00 3,035,136 ----a-w C:\WINDOWS\system32\nvgames.dll
2007-04-19 11:26:00 286,720 ----a-w C:\WINDOWS\system32\nvnt4cpl.dll
2007-04-19 11:26:00 229,376 ----a-w C:\WINDOWS\system32\nvmccs.dll
2007-04-19 11:26:00 212,992 ----a-w C:\WINDOWS\system32\nvapi.dll
2007-04-19 11:26:00 2,924,544 ----a-w C:\WINDOWS\system32\nvvitvs.dll
2007-04-19 11:26:00 188,416 ----a-w C:\WINDOWS\system32\nvmccss.dll
2007-04-19 11:26:00 159,810 ----a-w C:\WINDOWS\system32\nvsvc32.exe
2007-04-19 11:26:00 147,456 ----a-w C:\WINDOWS\system32\nvcolor.exe
2007-04-19 11:26:00 1,703,936 ----a-w C:\WINDOWS\system32\nvwdmcpl.dll
2007-04-19 11:26:00 1,626,112 ----a-w C:\WINDOWS\system32\nwiz.exe
2007-04-19 11:26:00 1,474,560 ----a-w C:\WINDOWS\system32\nview.dll
2007-04-19 11:26:00 1,339,392 ----a-w C:\WINDOWS\system32\nvdspsch.exe
2007-04-19 11:26:00 1,236,992 ----a-w C:\WINDOWS\system32\nvwss.dll
2007-04-19 11:26:00 1,019,904 ----a-w C:\WINDOWS\system32\nvwimg.dll
2007-04-19 11:26:00 1,011,712 ----a-w C:\WINDOWS\system32\nvcpluir.dll
2007-04-18 16:15:26 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-13 13:19:52 7,680 ----a-w C:\WINDOWS\system32\lsdelete.exe
2007-03-17 13:45:54 293,376 ----a-w C:\WINDOWS\system32\winsrv.dll
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2007-04-19 13:26 C:\WINDOWS\system32\nwiz.exe]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 17:07 C:\WINDOWS\system32\HdAShCut.exe]
"RTHDCPL"="RTHDCPL.EXE" [2005-09-22 07:36 C:\WINDOWS\RTHDCPL.exe]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-06-10 15:58]
"muBlinder"="D:\muBlinder\muBlinder.exe" [2007-05-13 04:43]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 10:03]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ClearRecentDocsOnExit"=1 (0x1)
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice]
**************************************************************************
catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-15 12:43:46
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes …
scanning hidden autostart entries …
scanning hidden files …
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2007-06-15 12:44:07
--- E O F ---
When I run this tool, I do get the message "findstr: zoekreeks te lang" (findstr: search string too long). I closed all windows and do nothing else at all while ComboFix is running.
HijackThis log:
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 12:48:13, on 15-6-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijack This\hijackthis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [muBlinder] D:\muBlinder\muBlinder.exe -startup
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Netwerkservice')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1181470017187
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://www.chat-united.com/controls/msnchat45.cab
O22 - SharedTaskScheduler: Preloader van browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Cache-daemon voor onderdeelcategorieën - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
--
End of file - 3302 bytes
Regards,
Roelof
- Juisterr,
Do you also have any idea what might be wrong with my computer?
Regards,
Roelof
- Hi,
Every time I try to go to groups.google.nl, I get a message that Google is receiving a lot of queries and that they may be coming from my computer.
NOD32 can't find anything with an in-depth scan.
I've also added a HijackThis log:
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 13:53:45, on 13-6-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hijack This\hijackthis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [muBlinder] D:\muBlinder\muBlinder.exe -startup
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Netwerkservice')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1181470017187
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://www.chat-united.com/controls/msnchat45.cab
O22 - SharedTaskScheduler: Preloader van browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Cache-daemon voor onderdeelcategorieën - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
--
End of file - 3454 bytes
Can anyone tell me whether I'm infected or not?
Regards,
Roelof
- Start HijackThis and choose 'Do a system scan only'.
Select only the items listed below:
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
Close all windows except HijackThis.
Click 'Fix checked' to remove the items.
1. Download ATF Cleaner (made by Atribune).
Double-click ATF Cleaner to start the program.
On the "Main" tab, tick Select All.
Click the Empty Selected button.
Do the following if you also use Firefox as a browser:
Click the "Firefox" tab and tick Select All.
If you want to keep the passwords saved by Firefox, click "No" in the window that appears.
(This unticks "Firefox saved passwords".)
Click the Empty Selected button.
Do the following if you also use Opera as a browser:
Click the "Opera" tab and tick Select All.
If you want to keep the passwords saved by Opera, click "No" in the window that appears.
Click the Empty Selected button.
Go to the "Main" tab and click the Exit button to close the program.
2. Download Dr.Web CureIt to your desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
3. Start the computer in Safe Mode.
4. Double-click drweb-cureit.exe and allow it to start the express scan.
This will scan the files currently loaded in memory; if anything is found, click the Yes to all button when asked 'cure it?'. This is only a short scan.
Once the short scan has finished, click Options > Change Settings.
Choose the "Scan" tab and untick "Heuristic analysis".
Back in the main window you can select the drives you want scanned.
Select all drives here. A red dot will then appear on the drives being scanned.
Then click the green arrow on the right to start the scan.
Click 'Yes to all' when asked to cure or move.
When the scan is done, check whether you can click the following icon next to what was found: http://users.telenet.be/bluepatchy/miekiemoes/images/check.gif
If so, click it, then click the icon just below it and choose Move incurable, as shown in the following image:
http://users.telenet.be/bluepatchy/miekiemoes/images/move.gif
This will move the files to the folder %userprofile%\DoctorWeb\quarantaine-folder if they cannot be disinfected (in case we need samples).
After selecting the above, in the menu at the top of Dr.Web CureIt click file and choose save report list. Save the log to your desktop.
Then close Dr.Web CureIt.
5. Restart your computer in normal mode!! This is an important step, because Dr.Web CureIt may move/delete files during the restart.
After restarting, copy and paste the contents of the log you saved earlier into your next reply, together with a HijackThis log.
- Hi Juisterrr,
I can't give you a Dr.Web CureIt log; it couldn't find anything.
But here is a new HijackThis log:
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 21:42:56, on 13-6-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijack This\hijackthis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [muBlinder] D:\muBlinder\muBlinder.exe -startup
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Netwerkservice')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1181470017187
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://www.chat-united.com/controls/msnchat45.cab
O22 - SharedTaskScheduler: Preloader van browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Cache-daemon voor onderdeelcategorieën - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
--
End of file - 3405 bytes
The groups.google.nl page is working normally again now.
Strange, since nothing was found.
Roelof
- Download Combofix to your desktop.
Double-click Combofix.exe
Follow the instructions and accept the disclaimer by typing 1 (continue).
While the fix is running, do NOT click in the window, because that will make your PC hang.
When the fix is complete and after the reboot, the log combofix.txt will open.
Post this log in your next reply together with a new HijackThis log.
Note: if your virus scanner reacts with a warning about a script being executed, you can ignore it.
Start HijackThis and choose 'Do a system scan only'.
Select only the items listed below:
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
Click 'Fix checked' to remove the items.
- ComboFix log:
ComboFix 07-06-13.3 - CScript error: Access to Windows Script Host is disabled on this computer. Contact your administrator for details.
"Roelof" - 2007-06-13 14:06:23 - Service Pack 2 NTFS
((((((((((((((((((((((((( Files Created from 2007-05-13 to 2007-06-13 )))))))))))))))))))))))))))))))
2007-06-13 14:06 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-13 13:25 <DIR> d-------- C:\Program Files\Hijack This
2007-06-13 12:16 <DIR> dr-h----- C:\DOCUME~1\Roelof\Onlangs geopend
2007-06-12 14:29 0 --a------ C:\WINDOWS\nsreg.dat
2007-06-12 11:27 <DIR> d-------- C:\Program Files\Microsoft Visual Studio 8
2007-06-12 11:27 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Microsoft Help
2007-06-11 18:56 <DIR> d-------- C:\Program Files\FileZilla
2007-06-11 16:42 <DIR> d-------- C:\DOCUME~1\Roelof\APPLIC~1\Jasc
2007-06-11 12:08 <DIR> d-------- C:\DOCUME~1\Roelof\Contacts
2007-06-11 12:07 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-06-11 12:07 <DIR> d-------- C:\Program Files\MSN Messenger
2007-06-11 11:41 <DIR> d-------- C:\PluginCommanderLight
2007-06-10 21:53 <DIR> d-------- C:\Program Files\Lavasoft
2007-06-10 21:53 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-06-10 21:53 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-06-10 20:17 <DIR> d-------- C:\Program Files\Jasc Software Inc
2007-06-10 20:17 <DIR> d-------- C:\Program Files\Common Files\SWF Studio
2007-06-10 20:17 <DIR> d-------- C:\DOCUME~1\Roelof\APPLIC~1\Jasc Software Inc
2007-06-10 19:47 <DIR> d-------- C:\Program Files\FTDv3.7.3
2007-06-10 19:34 <DIR> d-------- C:\Program Files\NewsLeecher
2007-06-10 19:34 <DIR> d-------- C:\DOCUME~1\Roelof\Downloads
2007-06-10 19:34 <DIR> d-------- C:\DOCUME~1\Roelof\APPLIC~1\NewsLeecher
2007-06-10 19:04 <DIR> d-------- C:\WINDOWS\system32\Lang
2007-06-10 16:18 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-06-10 16:13 17,920 --a------ C:\WINDOWS\system32\mdimon.dll
2007-06-10 16:12 <DIR> d-------- C:\WINDOWS\SHELLNEW
2007-06-10 16:12 <DIR> d-------- C:\Program Files\Microsoft.NET
2007-06-10 16:09 <DIR> dr-h----- C:\MSOCache
2007-06-10 15:58 502,368 --a------ C:\WINDOWS\system32\drivers\amon.sys
2007-06-10 15:58 270,336 --a------ C:\WINDOWS\system32\imon.dll
2007-06-10 15:52 157,184 -r------- C:\WINDOWS\system32\RtlCPAPI.dll
2007-06-10 15:51 69,632 -r------- C:\WINDOWS\Alcmtr.exe
2007-06-10 15:42 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2007-06-10 15:40 19,558 --a------ C:\WINDOWS\hpoins01.dat
2007-06-10 15:40 16,606 --------- C:\WINDOWS\hpomdl01.dat
2007-06-10 15:35 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2007-06-10 15:25 <DIR> d-------- C:\Program Files\Hewlett-Packard
2007-06-10 15:25 <DIR> d-------- C:\Program Files\Common Files\Hewlett-Packard
2007-06-10 15:24 <DIR> d-------- C:\temp\HP All-in-One Series Web Release
2007-06-10 15:24 <DIR> d-------- C:\temp
2007-06-10 15:09 <DIR> d-------- C:\DOCUME~1\Roelof\APPLIC~1\Corel
2007-06-10 15:08 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Corel
2007-06-10 15:07 88 -r-hs---- C:\WINDOWS\system32\6C0F48D5B7.sys
2007-06-10 15:07 2,516 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2007-06-10 15:07 <DIR> d-------- C:\Program Files\Corel
2007-06-10 15:03 <DIR> d-------- C:\DOCUME~1\Roelof\APPLIC~1\WinRAR
2007-06-10 14:49 40,960 -r------- C:\WINDOWS\system32\ChCfg.exe
2007-06-10 14:49 <DIR> d-------- C:\WINDOWS\system32\RTCOM
2007-06-10 14:48 9,710,592 -r------- C:\WINDOWS\RTLCPL.exe
2007-06-10 14:48 86,016 -r------- C:\WINDOWS\SoundMan.exe
2007-06-10 14:48 82,944 --a------ C:\WINDOWS\system32\drivers\wdmaud.sys
2007-06-10 14:48 7,552 –a—— C:\WINDOWS\system32\drivers\MSKSSRV.sys
2007-06-10 14:48 60,800 –a—— C:\WINDOWS\system32\drivers\sysaudio.sys
2007-06-10 14:48 60,288 –a—— C:\WINDOWS\system32\drivers\drmk.sys
2007-06-10 14:48 6,400 –a—— C:\WINDOWS\system32\drivers\splitter.sys
2007-06-10 14:48 54,272 –a—— C:\WINDOWS\system32\drivers\swmidi.sys
2007-06-10 14:48 52,864 –a—— C:\WINDOWS\system32\drivers\DMusic.sys
2007-06-10 14:48 5,376 –a—— C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2007-06-10 14:48 487,424 -r——- C:\WINDOWS\RtlExUpd.dll
2007-06-10 14:48 4,992 –a—— C:\WINDOWS\system32\drivers\MSPQM.sys
2007-06-10 14:48 4,096 –a—— C:\WINDOWS\system32\ksuser.dll
2007-06-10 14:48 356,352 -r——- C:\WINDOWS\RtlUpd.exe
2007-06-10 14:48 3,966,976 -r——- C:\WINDOWS\system32\drivers\RtkHDAud.Sys
2007-06-10 14:48 2,944 –a—— C:\WINDOWS\system32\drivers\drmkaud.sys
2007-06-10 14:48 2,807,808 -r——- C:\WINDOWS\alcwzrd.exe
2007-06-10 14:48 2,142,208 -r——- C:\WINDOWS\MicCal.exe
2007-06-10 14:48 172,416 –a—— C:\WINDOWS\system32\drivers\kmixer.sys
2007-06-10 14:48 142,464 –a—— C:\WINDOWS\system32\drivers\aec.sys
2007-06-10 14:48 14,854,144 -r——- C:\WINDOWS\RTHDCPL.exe
2007-06-10 14:48 <DIR> d——– C:\Program Files\Realtek
2007-06-10 14:21 <DIR> d——– C:\Program Files\xp-AntiSpy
2007-06-10 14:17 70,144 -ra—— C:\WINDOWS\system32\drivers\Rtlnicxp.sys
2007-06-10 14:16 <DIR> d——– C:\WINDOWS\system32\URTTEMP
2007-06-10 14:15 36,352 -ra—— C:\WINDOWS\system32\drivers\AmdK8.sys
2007-06-10 14:15 <DIR> d–h—– C:\Program Files\InstallShield Installation Information
2007-06-10 14:15 <DIR> d——– C:\Program Files\ATI Technologies
2007-06-10 14:07 208,896 –a—— C:\WINDOWS\system32\nvudisp.exe
2007-06-10 14:07 <DIR> d——– C:\WINDOWS\nview
2007-06-10 14:06 208,896 –a—— C:\WINDOWS\system32\NVUNINST.EXE
2007-06-10 14:06 <DIR> d——– C:\Program Files\Common Files\InstallShield
2007-06-10 14:06 <DIR> d——– C:\NVIDIA
2007-06-10 14:01 <DIR> d–hs—- C:\RECYCLER
2007-06-10 13:33 57,856 –a—— C:\WINDOWS\system32\drivers\redbook.sys
2007-06-10 13:33 3,072 –a—— C:\WINDOWS\system32\drivers\audstub.sys
2007-06-10 13:33 25,856 –a—— C:\WINDOWS\system32\drivers\usbprint.sys
2007-06-10 13:32 6,400 –a—— C:\WINDOWS\system32\drivers\enum1394.sys
2007-06-10 13:32 20,992 –a—— C:\WINDOWS\system32\drivers\rtl8139.sys
2007-06-10 13:31 76,288 –a—— C:\WINDOWS\system32\usbui.dll
2007-06-10 13:31 6,144 -ra—— C:\WINDOWS\system32\kbdtuq.dll
2007-06-10 13:31 6,144 -ra—— C:\WINDOWS\system32\kbdtuf.dll
2007-06-10 13:31 5,632 -ra—— C:\WINDOWS\system32\kbdazel.dll
2007-06-10 13:31 <DIR> dr——- C:\Program Files
2007-06-10 13:31 <DIR> d——– C:\Program Files\Common Files\SpeechEngines
2007-06-10 13:31 <DIR> d——– C:\Program Files\Common Files\ODBC
2007-06-10 13:30 9,936 –a—— C:\WINDOWS\system\LZEXPAND.DLL
2007-06-10 13:30 9,040 –a—— C:\WINDOWS\system\VER.DLL
2007-06-10 13:30 86,556 –a—— C:\WINDOWS\system32\dgsetup.dll
2007-06-10 13:30 82,944 –a—— C:\WINDOWS\system\OLECLI.DLL
2007-06-10 13:30 8,704 –a—— C:\WINDOWS\system32\batt.dll
2007-06-10 13:30 8,192 -ra—— C:\WINDOWS\system32\kbdhept.dll
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-06-10 14:17:16 81,436 —-a-w C:\WINDOWS\system32\perfc013.dat
2007-06-10 14:17:16 465,586 —-a-w C:\WINDOWS\system32\perfh013.dat
2007-04-19 11:26:00 888,832 —-a-w C:\WINDOWS\system32\nvmobls.dll
2007-04-19 11:26:00 86,016 —-a-w C:\WINDOWS\system32\nvmctray.dll
2007-04-19 11:26:00 81,920 —-a-w C:\WINDOWS\system32\nvwddi.dll
2007-04-19 11:26:00 794,624 —-a-w C:\WINDOWS\system32\nvcplui.exe
2007-04-19 11:26:00 7,700,480 —-a-w C:\WINDOWS\system32\nvcpl.dll
2007-04-19 11:26:00 581,632 —-a-w C:\WINDOWS\system32\nvhwvid.dll
2007-04-19 11:26:00 5,644,288 —-a-w C:\WINDOWS\system32\nvoglnt.dll
2007-04-19 11:26:00 5,619,712 —-a-w C:\WINDOWS\system32\nvdisps.dll
2007-04-19 11:26:00 466,944 —-a-w C:\WINDOWS\system32\nvshell.dll
2007-04-19 11:26:00 45,056 —-a-w C:\WINDOWS\system32\nvmccsrs.dll
2007-04-19 11:26:00 442,368 —-a-w C:\WINDOWS\system32\nvappbar.exe
2007-04-19 11:26:00 425,984 —-a-w C:\WINDOWS\system32\keystone.exe
2007-04-19 11:26:00 4,543,616 —-a-w C:\WINDOWS\system32\nv4_disp.dll
2007-04-19 11:26:00 35,840 —-a-w C:\WINDOWS\system32\nvcodins.dll
2007-04-19 11:26:00 35,840 —-a-w C:\WINDOWS\system32\nvcod.dll
2007-04-19 11:26:00 311,296 —-a-w C:\WINDOWS\system32\nvexpbar.dll
2007-04-19 11:26:00 3,988,384 —-a-w C:\WINDOWS\system32\drivers\nv4_mini.sys
2007-04-19 11:26:00 3,035,136 —-a-w C:\WINDOWS\system32\nvgames.dll
2007-04-19 11:26:00 286,720 —-a-w C:\WINDOWS\system32\nvnt4cpl.dll
2007-04-19 11:26:00 229,376 —-a-w C:\WINDOWS\system32\nvmccs.dll
2007-04-19 11:26:00 212,992 —-a-w C:\WINDOWS\system32\nvapi.dll
2007-04-19 11:26:00 2,924,544 —-a-w C:\WINDOWS\system32\nvvitvs.dll
2007-04-19 11:26:00 188,416 —-a-w C:\WINDOWS\system32\nvmccss.dll
2007-04-19 11:26:00 159,810 —-a-w C:\WINDOWS\system32\nvsvc32.exe
2007-04-19 11:26:00 147,456 —-a-w C:\WINDOWS\system32\nvcolor.exe
2007-04-19 11:26:00 1,703,936 —-a-w C:\WINDOWS\system32\nvwdmcpl.dll
2007-04-19 11:26:00 1,626,112 —-a-w C:\WINDOWS\system32\nwiz.exe
2007-04-19 11:26:00 1,474,560 —-a-w C:\WINDOWS\system32\nview.dll
2007-04-19 11:26:00 1,339,392 —-a-w C:\WINDOWS\system32\nvdspsch.exe
2007-04-19 11:26:00 1,236,992 —-a-w C:\WINDOWS\system32\nvwss.dll
2007-04-19 11:26:00 1,019,904 —-a-w C:\WINDOWS\system32\nvwimg.dll
2007-04-19 11:26:00 1,011,712 —-a-w C:\WINDOWS\system32\nvcpluir.dll
2007-04-18 16:15:26 2,854,400 —-a-w C:\WINDOWS\system32\msi.dll
2007-04-13 13:19:52 7,680 —-a-w C:\WINDOWS\system32\lsdelete.exe
2007-03-17 13:45:54 293,376 —-a-w C:\WINDOWS\system32\winsrv.dll
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2007-04-19 13:26 C:\WINDOWS\system32\nwiz.exe]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 17:07 C:\WINDOWS\system32\HdAShCut.exe]
"RTHDCPL"="RTHDCPL.EXE" [2005-09-22 07:36 C:\WINDOWS\RTHDCPL.exe]
"Alcmtr"="ALCMTR.EXE" [2005-05-03 12:43 C:\WINDOWS\Alcmtr.exe]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-06-10 15:58]
"muBlinder"="D:\muBlinder\muBlinder.exe" [2007-05-13 04:43]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 10:03]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ClearRecentDocsOnExit"=1 (0x1)
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice]
**************************************************************************
catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-13 14:07:07
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes …
scanning hidden autostart entries …
scanning hidden files …
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2007-06-13 14:07:33
--- E O F ---
HijackThis log:
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 22:53:00, on 13-6-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Hijack This\hijackthis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [muBlinder] D:\muBlinder\muBlinder.exe -startup
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Netwerkservice')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1181470017187
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://www.chat-united.com/controls/msnchat45.cab
O22 - SharedTaskScheduler: Preloader van browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Cache-daemon voor onderdeelcategorieën - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
--
End of file - 3262 bytes - Download [b:557b4b83c2]VirtumundoBegone[/b:557b4b83c2], save it to your desktop.
Double-click [b:557b4b83c2]VirtumundoBeGone.exe[/b:557b4b83c2] and follow the prompts.
Don't be alarmed if you see a blue screen with an error message; this is normal.
When the fix is done, restart the PC.
Post the contents of the log file [b:557b4b83c2]VBG.TXT[/b:557b4b83c2], which is now on your desktop, in your next message. - Hi Juisterr,
Here is the log:
[06/14/2007, 12:50:59] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Roelof\Local Settings\Temporary Internet Files\Content.IE5\K1IV8123\VirtumundoBeGone[1].exe" )
[06/14/2007, 12:51:07] - Detected System Information:
[06/14/2007, 12:51:07] - Windows Version: 5.1.2600, Service Pack 2
[06/14/2007, 12:51:07] - Current Username: Roelof (Admin)
[06/14/2007, 12:51:07] - Windows is in NORMAL mode.
[06/14/2007, 12:51:07] - Searching for Browser Helper Objects:
[06/14/2007, 12:51:07] - Finished Searching Browser Helper Objects
[06/14/2007, 12:51:07] - Finishing up…
[06/14/2007, 12:51:07] - Nothing found! Exiting…
So nothing found again.
Do you have any idea whether there is an infection somewhere?
Regards,
Roelof - Yes, I'm looking.
May I have a new HJT log please. - Here is the log:
WIN32DELFKIL LOGFILE - by Marckie
version 3.128
za 16-06-2007 17:19:06,98
running from: "C:\Documents and Settings\Roelof\Bureaublad"
— File(s) found in Windows directory —
— File(s) found in system32 folder —
— Services —
— Export SharedTaskScheduler key —
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Preloader van browseui"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Cache-daemon voor onderdeelcategorieën"
— Notify key —
— rebooting the computer —
Regards,
Roelof - May I have a freshly made HJT log please.
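The helper keeps asking for a fresh HJT log after every step because the useful signal is what changed between two logs, not the log by itself. The script below is an added example, not code from this thread, from HijackThis or from ComboFix: it parses the R*/O* entries of two HJT logs, diffs them per section, and pulls out the two entry types that deserve a second look in this thread, O16 ActiveX downloads (by the host they were fetched from) and O23 services for which HJT found no company name. The two embedded logs are constructed excerpts of the 13-6-2007 and 17-6-2007 logs posted above. Run against them, it shows what a reviewer sees across the posts: the HKLM Start Page entry appeared (about:blank is harmless on its own; it shows up only because it changed and is what the helper asked to have fixed), the ewido online-scan control was installed, and the NvCplDaemon autostart toggled.

```python
"""Diff two HijackThis (HJT) logs and pull out the entries a helper checks first."""
import re
from typing import Dict, List, Set
from urllib.parse import urlparse

# An HJT entry line starts with a section code such as R0, O4, O16 or O23.
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.+)$")
# O16 body: "DPF: {CLSID} (friendly name) - http://host/file.cab"
O16_RE = re.compile(r"^DPF: (?P<clsid>\{[0-9A-Fa-f-]+\}) .*? - (?P<url>\S+)$")


def parse_hjt(log: str) -> Dict[str, Set[str]]:
    """Return {section code: set of entry bodies}; header and process list are skipped."""
    entries: Dict[str, Set[str]] = {}
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.setdefault(m["code"], set()).add(m["body"])
    return entries


def running_processes(log: str) -> List[str]:
    """Return the paths listed under 'Running processes:'."""
    procs: List[str] = []
    in_block = False
    for line in log.splitlines():
        s = line.strip()
        if s.lower().startswith("running processes"):
            in_block = True
            continue
        if not in_block:
            continue
        if ENTRY_RE.match(s) or (not s and procs):
            break  # the first R*/O* entry (or a blank after the list) ends the block
        if s:
            procs.append(s)
    return procs


def diff_hjt(old: str, new: str) -> Dict[str, Dict[str, List[str]]]:
    """Sections whose entries changed: {code: {"added": [...], "removed": [...]}}."""
    a, b = parse_hjt(old), parse_hjt(new)
    changed: Dict[str, Dict[str, List[str]]] = {}
    for code in sorted(set(a) | set(b)):
        added = sorted(b.get(code, set()) - a.get(code, set()))
        removed = sorted(a.get(code, set()) - b.get(code, set()))
        if added or removed:
            changed[code] = {"added": added, "removed": removed}
    return changed


def o16_hosts(log: str) -> Dict[str, str]:
    """Host each O16 (Downloaded Program File, i.e. ActiveX control) was fetched from."""
    hosts: Dict[str, str] = {}
    for body in parse_hjt(log).get("O16", set()):
        m = O16_RE.match(body)
        if m:
            hosts[m["clsid"]] = urlparse(m["url"]).netloc
    return hosts


def unknown_owner_services(log: str) -> List[str]:
    """O23 services for which HJT found no company name; these need a manual look."""
    return sorted(b for b in parse_hjt(log).get("O23", set()) if " - Unknown owner - " in b)


# Constructed excerpts of the 13-6-2007 and 17-6-2007 logs posted in this thread.
OLD_LOG = r"""Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 22:53:00, on 13-6-2007
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\PSIService.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1181470017187
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
"""

NEW_LOG = r"""Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 14:29:40, on 17-6-2007
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\PSIService.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1181470017187
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
"""

if __name__ == "__main__":
    for code, change in diff_hjt(OLD_LOG, NEW_LOG).items():
        for body in change["added"]:
            print(f"+ {code} - {body}")
        for body in change["removed"]:
            print(f"- {code} - {body}")
    print("O16 hosts:", o16_hosts(NEW_LOG))
    print("O23 without owner:", unknown_owner_services(NEW_LOG))
```

Entries are compared as exact strings, so a changed path or switch on an existing autostart shows up as one removal plus one addition, which is what you want when hunting a renamed loader.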
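ComboFix's "Files Created" listing is where a reviewer looks for files that hide themselves. Neither reply in this thread comments on the two hidden+system files created in system32 on 2007-06-10 at 15:07 (6C0F48D5B7.sys and KGyGaAvL.sys), yet the listing itself shows they were created in the same minute as C:\Program Files\Corel, the pattern of a copy-protection or licensing component dropped by an installer (KGyGaAvL.sys is commonly attributed to Macrovision SafeCast) rather than of malware. The script below is an added example, not code from this thread or from ComboFix: it parses the listing, flags non-directory entries with both the hidden and the system attribute, and prints what else was created in the same minute. The attribute-column positions are inferred from the listing above, not documented by ComboFix, and the sample is a constructed excerpt of the 2007-06-13 log. The correlation narrows the follow-up (check the file's signature and hash); it does not prove the file benign.

```python
"""Triage the 'Files Created' section of a ComboFix log: flag hidden+system files
and show what else was created in the same minute."""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple

# One listing line: date, time, size or <DIR>, 9-character attribute column, path.
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2})\s+"
    r"(?P<size><DIR>|[\d,]+)\s+(?P<attrs>[-a-z]{9})\s+(?P<path>\S.*)$"
)
# Attribute column positions as read off the listing (d=directory, r=read-only,
# a=archive, h=hidden, s=system, c=compressed). Inferred, not documented by ComboFix.
DIR_POS, HIDDEN_POS, SYSTEM_POS = 0, 3, 4


class Entry(NamedTuple):
    stamp: str   # "YYYY-MM-DD HH:MM"
    is_dir: bool
    size: int
    attrs: str
    path: str


def parse_files_created(log: str) -> List[Entry]:
    """Parse every listing line; banner lines and anything else are ignored."""
    entries: List[Entry] = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        is_dir = m["size"] == "<DIR>" or m["attrs"][DIR_POS] == "d"
        size = 0 if m["size"] == "<DIR>" else int(m["size"].replace(",", ""))
        entries.append(Entry(f"{m['date']} {m['time']}", is_dir, size, m["attrs"], m["path"]))
    return entries


def hidden_system_files(entries: List[Entry]) -> List[Entry]:
    """Files (not directories) carrying both the hidden and the system attribute."""
    return [e for e in entries
            if not e.is_dir and e.attrs[HIDDEN_POS] == "h" and e.attrs[SYSTEM_POS] == "s"]


def same_minute_context(entries: List[Entry], flagged: List[Entry]) -> Dict[str, List[str]]:
    """For each flagged file, the other paths created in the same minute,
    which usually names the installer that dropped it."""
    by_stamp: Dict[str, List[Entry]] = defaultdict(list)
    for e in entries:
        by_stamp[e.stamp].append(e)
    return {f.path: [e.path for e in by_stamp[f.stamp] if e.path != f.path] for f in flagged}


# Constructed excerpt of the 2007-06-13 ComboFix log posted above (attribute
# column written with plain hyphens, as ComboFix emits it).
SAMPLE = r"""
((((((((((((((((((((((((( Files Created from 2007-05-13 to 2007-06-13 )))))))))))))))))))))))))))))))
2007-06-13 14:06    49,152  --a------  C:\WINDOWS\nircmd.exe
2007-06-10 15:09    <DIR>   d--------  C:\DOCUME~1\Roelof\APPLIC~1\Corel
2007-06-10 15:08    <DIR>   d--------  C:\DOCUME~1\ALLUSE~1\APPLIC~1\Corel
2007-06-10 15:07    88      -r-hs----  C:\WINDOWS\system32\6C0F48D5B7.sys
2007-06-10 15:07    2,516   --ahs----  C:\WINDOWS\system32\KGyGaAvL.sys
2007-06-10 15:07    <DIR>   d--------  C:\Program Files\Corel
2007-06-10 14:01    <DIR>   d--hs----  C:\RECYCLER
2007-06-10 13:31    6,144   -ra------  C:\WINDOWS\system32\kbdtuq.dll
"""

if __name__ == "__main__":
    entries = parse_files_created(SAMPLE)
    flagged = hidden_system_files(entries)
    for path, context in same_minute_context(entries, flagged).items():
        print(path)
        for other in context:
            print("    same minute:", other)
```

A hidden+system file with no same-minute neighbours, or one created minutes after a browser session rather than alongside an installer, is the case that earns a closer look.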
- Sure,
Here it comes:
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 14:29:40, on 17-6-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijack This\hijackthis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [muBlinder] D:\muBlinder\muBlinder.exe -startup
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Netwerkservice')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1181470017187
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://www.chat-united.com/controls/msnchat45.cab
O22 - SharedTaskScheduler: Preloader van browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Cache-daemon voor onderdeelcategorieën - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
--
End of file - 3465 bytes
Regards,
Roelof - Download [b:35a068a27c]Combofix[/b:35a068a27c] to your desktop.[list:35a068a27c]
Double-click [b:35a068a27c]Combofix.exe[/b:35a068a27c]
Follow the instructions; accept the disclaimer by typing [b:35a068a27c]1[/b:35a068a27c] (continue).
While the fix is running, do [b:35a068a27c]NOT[/b:35a068a27c] click in the window, because that will make your PC hang.[/list:u:35a068a27c]
When the fix has finished and after the reboot, the log [b:35a068a27c]combofix.txt[/b:35a068a27c] will open.
[i:35a068a27c]Post this log in your next reply, together with a new HijackThis log.[/i:35a068a27c]
Note: if your virus scanner responds with a warning about a script being run, you may ignore it.
Start HijackThis and choose 'Do a system scan only'.
Select only the items listed below:
[b:35a068a27c]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
[/b:35a068a27c]
Click 'Fix checked' to remove the items.
Download [b:35a068a27c]Gmer[/b:35a068a27c][list:35a068a27c]
[*:35a068a27c]Save it in a safe place and extract it to your desktop
[*:35a068a27c]Disconnect from the internet and close ALL programs
[*:35a068a27c]There is a [b:35a068a27c]small[/b:35a068a27c] chance that the computer will crash while this application runs, so make sure you have saved all your work
[*:35a068a27c]Double-click [b:35a068a27c]gmer.exe[/b:35a068a27c] and select the [b:35a068a27c]Rootkit tab[/b:35a068a27c] > click [b:35a068a27c]Scan[/b:35a068a27c]
[*:35a068a27c]If you get a warning about "rootkit activity" and are asked for permission to scan, click [b:35a068a27c]OK[/b:35a068a27c]
[*:35a068a27c]Click the [b:35a068a27c]Rootkit[/b:35a068a27c] tab and click [b:35a068a27c]Scan[/b:35a068a27c]
[*:35a068a27c]When the scan has finished, click [b:35a068a27c]Copy[/b:35a068a27c]
[*:35a068a27c]Open Notepad (or Word), copy/paste the text and save it to your desktop.
[*:35a068a27c]Restore your internet connection and post the text in your next reply.
[/list:u:35a068a27c]
together with an HJT log. - ComboFix log:
ComboFix 07-06-13.3 - CScript Error: Windows Script Host access is disabled on this machine. Contact your administrator for details.
"Roelof" - 2007-06-17 16:03:43 - Service Pack 2 NTFS
((((((((((((((((((((((((( Files Created from 2007-05-17 to 2007-06-17 )))))))))))))))))))))))))))))))
2007-06-17 09:17 <DIR> dr-h—– C:\DOCUME~1\Roelof\Onlangs geopend
2007-06-16 21:02 <DIR> d——– C:\WINDOWS\pss
2007-06-16 19:31 <DIR> d——– C:\WINDOWS\ulead.dat
2007-06-16 19:30 9,136 ——— C:\WINDOWS\INETWH16.DLL
2007-06-16 19:30 4,528 ——— C:\WINDOWS\SETBROWS.EXE
2007-06-16 19:30 35,328 ——— C:\WINDOWS\INETWH32.DLL
2007-06-16 19:30 26,832 ——— C:\WINDOWS\CTL3DV2.DLL
2007-06-16 19:30 <DIR> d——– C:\WINDOWS\Noslip
2007-06-16 19:30 <DIR> d——– C:\Program Files\Ulead ArtTexture.Plugin
2007-06-16 19:29 304,128 –a—— C:\WINDOWS\IsUninst.exe
2007-06-16 19:29 <DIR> d——– C:\DOCUME~1\Roelof\WINDOWS
2007-06-16 17:19 <DIR> d——– C:\_backupD
2007-06-16 17:18 90,112 –a—— C:\WINDOWS\system32\regdacl.exe
2007-06-16 17:18 53,248 –a—— C:\WINDOWS\system32\process.exe
2007-06-16 17:18 4,096 –a—— C:\WINDOWS\system32\reboot.exe
2007-06-16 17:18 16,384 –a—— C:\WINDOWS\system32\restart.exe
2007-06-16 17:18 <DIR> d——– C:\WINDOWS\system32\regdacl
2007-06-16 15:52 <DIR> d——– C:\DOCUME~1\Roelof\APPLIC~1\vlc
2007-06-16 15:52 <DIR> d——– C:\DOCUME~1\Roelof\APPLIC~1\dvdcss
2007-06-16 15:51 <DIR> d——– C:\Program Files\VideoLAN
2007-06-13 21:05 <DIR> d——– C:\DOCUME~1\Roelof\DoctorWeb
2007-06-13 21:04 <DIR> d——– C:\WINDOWS\CSC
2007-06-13 14:06 49,152 –a—— C:\WINDOWS\nircmd.exe
2007-06-13 13:25 <DIR> d——– C:\Program Files\Hijack This
2007-06-12 14:29 0 –a—— C:\WINDOWS\nsreg.dat
2007-06-12 11:27 <DIR> d——– C:\Program Files\Microsoft Visual Studio 8
2007-06-12 11:27 <DIR> d——– C:\DOCUME~1\ALLUSE~1\APPLIC~1\Microsoft Help
2007-06-11 18:56 <DIR> d——– C:\Program Files\FileZilla
2007-06-11 16:42 <DIR> d——– C:\DOCUME~1\Roelof\APPLIC~1\Jasc
2007-06-11 12:08 <DIR> d——– C:\DOCUME~1\Roelof\Contacts
2007-06-11 12:07 <DIR> d—-c— C:\WINDOWS\system32\DRVSTORE
2007-06-11 12:07 <DIR> d——– C:\Program Files\MSN Messenger
2007-06-11 11:41 <DIR> d——– C:\PluginCommanderLight
2007-06-10 21:53 <DIR> d——– C:\Program Files\Lavasoft
2007-06-10 21:53 <DIR> d——– C:\Program Files\Common Files\Wise Installation Wizard
2007-06-10 21:53 <DIR> d——– C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-06-10 20:17 <DIR> d——– C:\Program Files\Jasc Software Inc
2007-06-10 20:17 <DIR> d——– C:\Program Files\Common Files\SWF Studio
2007-06-10 20:17 <DIR> d——– C:\DOCUME~1\Roelof\APPLIC~1\Jasc Software Inc
2007-06-10 19:47 <DIR> d——– C:\Program Files\FTDv3.7.3
2007-06-10 19:34 <DIR> d——– C:\Program Files\NewsLeecher
2007-06-10 19:34 <DIR> d——– C:\DOCUME~1\Roelof\Downloads
2007-06-10 19:34 <DIR> d——– C:\DOCUME~1\Roelof\APPLIC~1\NewsLeecher
2007-06-10 19:04 <DIR> d——– C:\WINDOWS\system32\Lang
2007-06-10 16:18 <DIR> d——– C:\Program Files\MSXML 4.0
2007-06-10 16:13 17,920 –a—— C:\WINDOWS\system32\mdimon.dll
2007-06-10 16:12 <DIR> d——– C:\WINDOWS\SHELLNEW
2007-06-10 16:12 <DIR> d——– C:\Program Files\Microsoft.NET
2007-06-10 16:09 <DIR> dr-h—– C:\MSOCache
2007-06-10 15:58 502,368 –a—— C:\WINDOWS\system32\drivers\amon.sys
2007-06-10 15:58 270,336 –a—— C:\WINDOWS\system32\imon.dll
2007-06-10 15:52 157,184 -r——- C:\WINDOWS\system32\RtlCPAPI.dll
2007-06-10 15:51 69,632 -r——- C:\WINDOWS\Alcmtr.exe
2007-06-10 15:42 15,104 –a—— C:\WINDOWS\system32\drivers\usbscan.sys
2007-06-10 15:40 19,558 –a—— C:\WINDOWS\hpoins01.dat
2007-06-10 15:40 16,606 ——— C:\WINDOWS\hpomdl01.dat
2007-06-10 15:35 <DIR> d——– C:\WINDOWS\system32\NtmsData
2007-06-10 15:25 <DIR> d——– C:\Program Files\Hewlett-Packard
2007-06-10 15:25 <DIR> d——– C:\Program Files\Common Files\Hewlett-Packard
2007-06-10 15:24 <DIR> d——– C:\temp\HP All-in-One Series Web Release
2007-06-10 15:24 <DIR> d——– C:\temp
2007-06-10 15:09 <DIR> d——– C:\DOCUME~1\Roelof\APPLIC~1\Corel
2007-06-10 15:08 <DIR> d——– C:\DOCUME~1\ALLUSE~1\APPLIC~1\Corel
2007-06-10 15:07 88 -r-hs—- C:\WINDOWS\system32\6C0F48D5B7.sys
2007-06-10 15:07 2,516 –ahs—- C:\WINDOWS\system32\KGyGaAvL.sys
2007-06-10 15:07 <DIR> d——– C:\Program Files\Corel
2007-06-10 15:03 <DIR> d——– C:\DOCUME~1\Roelof\APPLIC~1\WinRAR
2007-06-10 14:49 40,960 -r——- C:\WINDOWS\system32\ChCfg.exe
2007-06-10 14:49 <DIR> d——– C:\WINDOWS\system32\RTCOM
2007-06-10 14:48 9,710,592 -r——- C:\WINDOWS\RTLCPL.exe
2007-06-10 14:48 86,016 -r——- C:\WINDOWS\SoundMan.exe
2007-06-10 14:48 82,944 –a—— C:\WINDOWS\system32\drivers\wdmaud.sys
2007-06-10 14:48 7,552 –a—— C:\WINDOWS\system32\drivers\MSKSSRV.sys
2007-06-10 14:48 60,800 –a—— C:\WINDOWS\system32\drivers\sysaudio.sys
2007-06-10 14:48 60,288 –a—— C:\WINDOWS\system32\drivers\drmk.sys
2007-06-10 14:48 6,400 –a—— C:\WINDOWS\system32\drivers\splitter.sys
2007-06-10 14:48 54,272 –a—— C:\WINDOWS\system32\drivers\swmidi.sys
2007-06-10 14:48 52,864 –a—— C:\WINDOWS\system32\drivers\DMusic.sys
2007-06-10 14:48 5,376 –a—— C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2007-06-10 14:48 487,424 -r——- C:\WINDOWS\RtlExUpd.dll
2007-06-10 14:48 4,992 –a—— C:\WINDOWS\system32\drivers\MSPQM.sys
2007-06-10 14:48 4,096 –a—— C:\WINDOWS\system32\ksuser.dll
2007-06-10 14:48 356,352 -r——- C:\WINDOWS\RtlUpd.exe
2007-06-10 14:48 3,966,976 -r——- C:\WINDOWS\system32\drivers\RtkHDAud.Sys
2007-06-10 14:48 2,944 –a—— C:\WINDOWS\system32\drivers\drmkaud.sys
2007-06-10 14:48 2,807,808 -r——- C:\WINDOWS\alcwzrd.exe
2007-06-10 14:48 2,142,208 -r——- C:\WINDOWS\MicCal.exe
2007-06-10 14:48 172,416 –a—— C:\WINDOWS\system32\drivers\kmixer.sys
2007-06-10 14:48 142,464 –a—— C:\WINDOWS\system32\drivers\aec.sys
2007-06-10 14:48 14,854,144 -r——- C:\WINDOWS\RTHDCPL.exe
2007-06-10 14:48 <DIR> d——– C:\Program Files\Realtek
2007-06-10 14:21 <DIR> d——– C:\Program Files\xp-AntiSpy
2007-06-10 14:17 70,144 -ra—— C:\WINDOWS\system32\drivers\Rtlnicxp.sys
2007-06-10 14:16 <DIR> d——– C:\WINDOWS\system32\URTTEMP
2007-06-10 14:15 36,352 -ra—— C:\WINDOWS\system32\drivers\AmdK8.sys
2007-06-10 14:15 <DIR> d–h—– C:\Program Files\InstallShield Installation Information
2007-06-10 14:15 <DIR> d——– C:\Program Files\ATI Technologies
2007-06-10 14:07 208,896 –a—— C:\WINDOWS\system32\nvudisp.exe
2007-06-10 14:07 <DIR> d——– C:\WINDOWS\nview
2007-06-10 14:06 208,896 –a—— C:\WINDOWS\system32\NVUNINST.EXE
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-06-10 14:17:16 81,436 —-a-w C:\WINDOWS\system32\perfc013.dat
2007-06-10 14:17:16 465,586 —-a-w C:\WINDOWS\system32\perfh013.dat
2007-04-25 14:22:52 144,896 —-a-w C:\WINDOWS\system32\schannel.dll
2007-04-19 11:26:00 888,832 —-a-w C:\WINDOWS\system32\nvmobls.dll
2007-04-19 11:26:00 86,016 —-a-w C:\WINDOWS\system32\nvmctray.dll
2007-04-19 11:26:00 81,920 —-a-w C:\WINDOWS\system32\nvwddi.dll
2007-04-19 11:26:00 794,624 —-a-w C:\WINDOWS\system32\nvcplui.exe
2007-04-19 11:26:00 7,700,480 —-a-w C:\WINDOWS\system32\nvcpl.dll
2007-04-19 11:26:00 581,632 —-a-w C:\WINDOWS\system32\nvhwvid.dll
2007-04-19 11:26:00 5,644,288 —-a-w C:\WINDOWS\system32\nvoglnt.dll
2007-04-19 11:26:00 5,619,712 —-a-w C:\WINDOWS\system32\nvdisps.dll
2007-04-19 11:26:00 466,944 —-a-w C:\WINDOWS\system32\nvshell.dll
2007-04-19 11:26:00 45,056 —-a-w C:\WINDOWS\system32\nvmccsrs.dll
2007-04-19 11:26:00 442,368 —-a-w C:\WINDOWS\system32\nvappbar.exe
2007-04-19 11:26:00 425,984 —-a-w C:\WINDOWS\system32\keystone.exe
2007-04-19 11:26:00 4,543,616 —-a-w C:\WINDOWS\system32\nv4_disp.dll
2007-04-19 11:26:00 35,840 —-a-w C:\WINDOWS\system32\nvcodins.dll
2007-04-19 11:26:00 35,840 —-a-w C:\WINDOWS\system32\nvcod.dll
2007-04-19 11:26:00 311,296 —-a-w C:\WINDOWS\system32\nvexpbar.dll
2007-04-19 11:26:00 3,988,384 —-a-w C:\WINDOWS\system32\drivers\nv4_mini.sys
2007-04-19 11:26:00 3,035,136 —-a-w C:\WINDOWS\system32\nvgames.dll
2007-04-19 11:26:00 286,720 —-a-w C:\WINDOWS\system32\nvnt4cpl.dll
2007-04-19 11:26:00 229,376 —-a-w C:\WINDOWS\system32\nvmccs.dll
2007-04-19 11:26:00 212,992 —-a-w C:\WINDOWS\system32\nvapi.dll
2007-04-19 11:26:00 2,924,544 —-a-w C:\WINDOWS\system32\nvvitvs.dll
2007-04-19 11:26:00 188,416 —-a-w C:\WINDOWS\system32\nvmccss.dll
2007-04-19 11:26:00 159,810 —-a-w C:\WINDOWS\system32\nvsvc32.exe
2007-04-19 11:26:00 147,456 —-a-w C:\WINDOWS\system32\nvcolor.exe
2007-04-19 11:26:00 1,703,936 —-a-w C:\WINDOWS\system32\nvwdmcpl.dll
2007-04-19 11:26:00 1,626,112 —-a-w C:\WINDOWS\system32\nwiz.exe
2007-04-19 11:26:00 1,474,560 —-a-w C:\WINDOWS\system32\nview.dll
2007-04-19 11:26:00 1,339,392 —-a-w C:\WINDOWS\system32\nvdspsch.exe
2007-04-19 11:26:00 1,236,992 —-a-w C:\WINDOWS\system32\nvwss.dll
2007-04-19 11:26:00 1,019,904 —-a-w C:\WINDOWS\system32\nvwimg.dll
2007-04-19 11:26:00 1,011,712 —-a-w C:\WINDOWS\system32\nvcpluir.dll
2007-04-18 16:15:26 2,854,400 —-a-w C:\WINDOWS\system32\msi.dll
2007-04-13 13:19:52 7,680 —-a-w C:\WINDOWS\system32\lsdelete.exe
2007-03-17 13:45:54 293,376 —-a-w C:\WINDOWS\system32\winsrv.dll
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2007-04-19 13:26 C:\WINDOWS\system32\nwiz.exe]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 17:07 C:\WINDOWS\system32\HdAShCut.exe]
"RTHDCPL"="RTHDCPL.EXE" [2005-09-22 07:36 C:\WINDOWS\RTHDCPL.exe]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-06-10 15:58]
"muBlinder"="D:\muBlinder\muBlinder.exe" [2007-05-13 04:43]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 10:03]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ClearRecentDocsOnExit"=1 (0x1)
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice]
**************************************************************************
catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-17 16:04:36
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes …
scanning hidden autostart entries …
scanning hidden files …
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2007-06-17 16:04:59
C:\ComboFix2.txt … 2007-06-15 12:44
--- E O F ---
HijackThis log after ComboFix:
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 16:06:47, on 17-6-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Hijack This\hijackthis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [muBlinder] D:\muBlinder\muBlinder.exe -startup
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Netwerkservice')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1181470017187
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://www.chat-united.com/controls/msnchat45.cab
O22 - SharedTaskScheduler: Preloader van browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Cache-daemon voor onderdeelcategorieën - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
--
End of file - 3388 bytes
GMER log:
GMER 1.0.12.12244 - http://www.gmer.net
Rootkit scan 2007-06-17 16:22:34
Windows 5.1.2600 Service Pack 2
—- Kernel code sections - GMER 1.0.12 —-
? C:\WINDOWS\System32\DRIVERS\update.sys
? C:\WINDOWS\system32\Drivers\PROCEXP90.SYS The system cannot find the file specified.
—- User code sections - GMER 1.0.12 —-
.text C:\Program Files\MSN Messenger\msnmsgr.exe[2232] kernel32.dll!SetUnhandledExceptionFilter 7C84467D 5 Bytes JMP 004DE392 C:\Program Files\MSN Messenger\msnmsgr.exe
—- EOF - GMER 1.0.12 —-
HijackThis log after GMER:
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 16:29:34, on 17-6-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijack This\hijackthis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [muBlinder] D:\muBlinder\muBlinder.exe -startup
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Netwerkservice')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1181470017187
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://www.chat-united.com/controls/msnchat45.cab
O22 - SharedTaskScheduler: Preloader van browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Cache-daemon voor onderdeelcategorieën - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
--
End of file - 3388 bytes
I ran everything in the normal mode of Windows XP.
Greetings,
Roelof
- http://www.sysinternals.com/Utilities/RootkitRevealer.html
Unzip the download and run the exe file, which will install the RootkitRevealer folder. Go into that folder and run RootkitRevealer.exe.
The scan will take a little time. When the scan completes, use 'File > Save' to save the RootkitReveal.txt log file.
Send the contents of that text file back with your reply
- Hi Juisterr,
I tried three times, but as soon as I press Save, my computer locks up.
On attempt 1 I found 25 discrepancies, and while saving a program HJWQ.exe ran that swallowed everything.
On attempt 2 it found 23 discrepancies, but it was a program PEH.exe that locked everything up.
On attempt 3 it found 26 discrepancies, but it was a program VN.exe that locked everything up.
Greetings, and hopefully this is of some use to you.
Roelof
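The thread above compares several HijackThis logs by eye (the original log, the log after ComboFix, the log after GMER) to see what a cleanup changed. The script below is an added example, not something posted in the thread or part of HijackThis: it parses the HijackThis log format into a list of running processes and a list of O-entries, then reports what was added and removed between two logs, comparing case-insensitively so that `Explorer.EXE` versus `explorer.exe` is not reported as a change. The two embedded logs are constructed, abridged samples modelled on the logs in this thread (the first still has the `NvCplDaemon` Run entry, the second does not); the function names are my own.

```python
import re

# HijackThis entry lines look like "O4 - HKLM\..\Run: [name] command" or
# "R0 - HKCU\...": a type code, " - ", then the body.
HJT_ENTRY = re.compile(r'^(?P<type>[RFON]\d{1,2}) - (?P<body>.+)$')
# Process lines in the "Running processes:" block start with a drive letter.
PROCESS_LINE = re.compile(r'^[A-Za-z]:\\')

# Constructed, abridged sample logs modelled on the thread's HijackThis output.
BEFORE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 14:52:39, on 14-6-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Eset\nod32kui.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
--
End of file - 512 bytes
"""

AFTER_LOG = r"""Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 16:06:47, on 17-6-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\explorer.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
--
End of file - 430 bytes
"""


def parse_hjt(text):
    """Split a HijackThis log into running processes and (type, body) entries."""
    processes, entries = [], []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False          # a blank line ends the process block
            continue
        if line == "Running processes:":
            in_procs = True
            continue
        m = HJT_ENTRY.match(line)
        if m:
            in_procs = False
            entries.append((m.group("type"), m.group("body")))
        elif in_procs and PROCESS_LINE.match(line):
            processes.append(line)
    return {"processes": processes, "entries": entries}


def _key(entry):
    # Case-insensitive comparison: HijackThis mixes System32 and system32.
    return (entry[0], entry[1].lower())


def diff_logs(before_text, after_text):
    """Report entries and processes that appeared or disappeared between two logs."""
    before, after = parse_hjt(before_text), parse_hjt(after_text)
    b_keys = {_key(e) for e in before["entries"]}
    a_keys = {_key(e) for e in after["entries"]}
    b_procs = {p.lower() for p in before["processes"]}
    a_procs = {p.lower() for p in after["processes"]}
    return {
        "removed_entries": [e for e in before["entries"] if _key(e) not in a_keys],
        "added_entries": [e for e in after["entries"] if _key(e) not in b_keys],
        "removed_processes": sorted(b_procs - a_procs),
        "added_processes": sorted(a_procs - b_procs),
    }


if __name__ == "__main__":
    report = diff_logs(BEFORE_LOG, AFTER_LOG)
    for label in ("removed_entries", "added_entries", "removed_processes", "added_processes"):
        print(label + ":")
        for item in report[label]:
            print("  ", item if isinstance(item, str) else f"{item[0]} - {item[1]}")
```

Run against the two sample logs it reports exactly one removed entry, the `NvCplDaemon` O4 line, and no process changes, which is the kind of before/after answer a helper in a thread like this wants instead of re-reading two 3 kB logs line by line.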
This is an archived page. Replying is no longer possible.